Payments
UK Government Launches a Call for Evidence on Payments Rules
Launched on January 13, the call for evidence seeks market participants' input on the Electronic Money Regulations 2011 and the Cross Border Payments Regulation.
CALL FOR EVIDENCE
Market participants would have to provide their feedback on the following areas:
Regulatory treatment of payment services and e-money
Information requirements for payment services
Rights and obligations in relation to the provision of payment services
Wider considerations in relation to the provision of payment services
Issuance and redeemability of electronic money
Responses are due by 7 April 2023.
Cryptoassets
Cryptoasset AML/CTF Regime: FCA’s Tips for Proper Registration
PREPARATION OF APPLICATION
Before preparing the application:
Establish if they will be carrying out in-scope cryptoasset activity
Consider seeking independent legal/compliance advice as part of preparing an application
Review the relevant information on the FCA’s webpages as well as the registration form
Appoint a Money Laundering Reporting Officer (MLRO) / Nominated Officer with relevant knowledge, experience and training as well as a level of authority, independence and sufficient access to resources and information. The FCA will assess the fitness and propriety of the MLRO/Nominated Officer.
When preparing the application:
Include all required information in the business plan. This includes, but is not limited to: details of the business model, roles and responsibilities of business partners (such as service providers, brokers, introducers, sub-custodians and outsourcing partners), sources of liquidity, detailed customer journey… Comprehensive and accurate description of products and services (e.g. a cryptoasset token vetting policy, detailed description of how dependent it is on external ecosystems for liquidity, custodian services and underlying smart contracts/DeFi implementations).
Demonstrate a thorough understanding of the risks from dealing in cryptoassets and design a business wide risk assessment (BWRA) that is tailored to their business model
Implement policies, systems and controls to appropriately manage and mitigate the risks identified in the BWRA
Have in place an effective framework for transaction monitoring and blockchain analysis
Provide complete information regarding its outsourcing arrangements within and outside the group, as well as within and outside the UK
Provide evidence of staff training material tailored to its particular business model and associated AML/CTF risks along with its annual training plan
Ensure that the Suspicious Activity Reporting policy fully covers the company's cryptoasset-related activities
Data Protection
GDPR: ICO Issues TRA Tool
Released on 17 November 2022 by the Information Commissioner's Office (ICO), the updated version of the international transfers section of its Guide to GDPR includes a new Transfer Risk Assessment (TRA) Guidance and a TRA tool.
The ICO’s TRA tool is one of the transfer mechanisms that entities may use to comply with the requirements under article 46 of the UK General Data Protection Regulation (GDPR).
REQUIREMENTS
In conducting its TRA, an organization must carry out a reasonable and proportionate analysis on the following:
Risks to people’s rights arising in the destination country from third parties accessing the information, in particular government and public bodies
Risks to people’s rights arising from difficulties enforcing the Article 46 transfer mechanism
To make a restricted transfer of personal data using ICO’s approach, concerned entities shall carefully consider in what capacity they are acting.
Controllers relying on a processor to make the restricted transfer are not required to complete the TRA; only the processor is responsible for completing the TRA.
Receiving entities sending the data to third parties may be required, where applicable, to carry out a TRA.
Entities making a series of connected, repeated or similar restricted transfers shall carry out a TRA for each restricted transfer or one TRA that covers all of them.
An alternative to the ICO TRA tool is the use of transfer impact assessment (TIA) methodologies based on the European Data Protection Board (EDPB) guidance.
Reporting and Transparency
ESMA Consults on Post-Trade Transparency
Published on January 19, the Consultation Paper - Manual Post-Trade Transparency (CP) comprises the European Securities and Markets Authority's (ESMA) additional guidance on issues related to post-trade transparency as well as on the reporting to ESMA’s Financial Instruments Reference Data System (FITRS).
This CP is of particular interest for entities subject to the post-trade transparency requirements and/or reporting such information (e.g. investment firms).
CONSULTATION
The CP includes the requirements relating to post-trade transparency applicable to equity, equity-like and non-equity instruments. More specifically, ESMA seeks feedback on the following areas:
The scope of instruments and transactions subject to post-trade transparency
The relevant entities in charge of the reporting and publication of post-trade transparency information
Publication of post-trade transparency information: real-time vs. deferred publication
Which post-trade transparency information has to be made public (i.e. reporting fields and flags)
The common aspects as well as the differences between the post-trade transparency regime and the transparency calculations in relation to the scope of instruments and transactions
Interested stakeholders are invited to provide their comments by 31 March 2023.
Industry News
IAPP Releases NIS2 Directive Chart
Last month, the International Association of Privacy Professionals (IAPP) published a useful reference sheet on the European Union’s NIS2 Directive.
This network and information systems directive provides measures to boost the overall level of cyber security, improving resilience and incident response capabilities of the public and private sectors.
For the latest news on cyber security topics, go to Ameis’ Insights page.
ISDA Publishes Digital Asset Derivatives Definitions
On January 26, the International Swaps and Derivatives Association (ISDA) published standardized definitions relating to the trading of digital asset derivatives, thereby providing clarity for execution and settlement of digital asset derivatives in the ISDA Master Agreement framework.
The initial documentation covers non-deliverable forwards and options on Bitcoin and Ether.
AMF Reports on Alternative Distribution Methods
In June 2019, the Quebec Autorité des marchés financiers’ (AMF) Regulation respecting Alternative Distribution Methods (RADM) came into force. In December 2022, a Report was published regarding specific consultations on financial products and services offered via the Internet and RADM. The purpose was to gather experiences of stakeholders – consumers, intermediaries, insurers, and FinTechs – and identify issues affecting consumer protection or impacting the growth in the distribution of financial products and services via the internet.
The RADM covers the offering of insurance, financial planning, claims adjustment and mortgage brokerage products and services. It applies to firms operating digital spaces, such as websites or mobile apps, that are fully transactional on a self-directed basis.
Highlights of stakeholder comments:
1. Consumers are concerned about low levels of financial literacy. Internet-provided services need to be regulated, ensuring protection of consumers choosing this distribution method. In addition, an offered policy should be available at all times to the consumer.
2. Intermediaries expressed concerns over clients’ understanding of risk and representatives' understanding of scope of responsibility. Some expressed that a full needs analysis is sometimes necessary.
3. Insurers acknowledged that it is easier to comply with the regulatory framework for simple products such as property and casualty insurance than for more complex life insurance products. However, the requirements preclude products and services from being offered on mobile apps which cannot accommodate all information requirements. Other insurers raised concerns over the prescriptive rules-based regulation, certain grey areas of interpretation and the burdensome process that impacts consumer experience and product innovation.
4. FinTechs viewed the regulation as an enabler of robust digital spaces, protecting consumers. They also favoured investments in cyber security. Comparing distribution through representatives versus digital spaces, FinTechs observed differences in sales pressure and expressed the view that needs analysis could be completed upon client request.
Following this report, the AMF will conduct further consumer focus groups and form working groups to address comments raised.
NIST Proposes Guidance on AI Risk Mitigation
On January 26, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released a new Guidance and a Companion Playbook on artificial intelligence (AI) risk management.
The Guidance further explains some foundational notions such as risk, risk tolerance and risk prioritization, where risk may include harm to people, organizations and the ecosystem.
It also outlines the challenges of managing these AI risks, notably:
Measuring the risks related to third-party software, hardware and data
Monitoring emergent risks
The lack of reliable metrics
Different risks according to the stage of the AI lifecycle
The opaque nature of AI
The difficulty of systematizing a human baseline activity, and
The difference between risks in real-world versus test environments
The Guidance also outlines characteristics of trustworthiness in AI systems, including valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair with harmful bias managed.
To manage AI risks and responsibly develop trustworthy AI systems, the Guidance explains that organizations should rely on four functions: govern, map, measure and manage.
The Guidance may be used on a voluntary basis by organizations designing, developing, deploying or using AI systems to help manage the many risks of AI technologies.
Upcoming Regulatory Deadlines to Watch
Date | Issues to Watch
06/02/2023 | End of consultation period for Quebec’s Autorité des Marchés Financiers Draft Regulation respecting complaint processing and dispute resolution in the financial sector
10/02/2023 | Deadline to submit feedback to the Bank of England on its discussion paper 5/22 on Artificial Intelligence and Machine Learning
20/02/2023 | Comment period closes for the European Securities and Markets Authority consultation paper on the use of ESG or sustainability-related terms in fund names
Product Corner
TIA or TRA: Quésaco?
Under the EU GDPR, personal data may be transferred to a country outside the EU/EEA by meeting the requirements set out in article 46 of the regulations.
Controllers or processors may transfer personal data to receivers outside the EU/EEA: “only if [they have] provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available” (art.46 (1)). Such safeguards are listed in article 46 (2) of the regulations and include the following:
Binding corporate rules
Standard data protection clauses adopted by the Commission or a supervisory authority
An approved code of conduct
An approved certification mechanism
In June 2021, the European Data Protection Board (EDPB) published its final recommendations on the lawful transfer of personal data to third countries. EDPB’s transfer impact assessment (TIA) contains a total of 6 steps organizations must take, namely:
Know/map their transfers
Verify the transfer tools
Assess the effectiveness of the transfer tools
Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence.
Take procedural steps for the adoption of the supplementary measure identified
Re-evaluate at appropriate intervals the level of protection afforded to the personal data you transfer to third countries and to monitor if there have been or there will be any developments that may affect it.
The UK ICO’s TRA tool is an alternative to the approach taken by the EDPB.
About us
We help you understand the rules that govern your activities, services and products, enabling you to meet your ongoing regulatory obligations and navigate the ever-evolving, complex regulatory landscape.
Our team is composed of professionals with extensive experience serving the investment management, capital markets and asset servicing industries.
Complex landscape & widening gaps
Increasing regulatory requirements and the pace of change are making it harder for you to keep up with the pressures of compliance and managing cost-effective operations.
Current challenges
Investor demand for enhanced transparency and disclosure, data privacy, investor and consumer protection requirements, and AML/KYC concerns are some of the many challenges affecting the industry.
We provide practical and tailored solutions
Review and analysis of regulatory texts
Reporting
Response preparation
Compliance program development
Change management
Regulatory intelligence and training
Ongoing compliance support
Registrations
Contact us
Déborah Koualé, Founder & Director
deborah.kouale@ameiscorp.com
Carolyn Le Quéré, Director
carolyn.lequere@ameiscorp.com
Ameis Regulatory Services focuses on providing regulatory and compliance support for fintech companies.