AMEIS RegFacts | April 2023 part 2


April 2023 AMEIS REGFACTS: FINTECH & Financial Markets Regulatory News WWW.AMEISCORP.COM

In This Issue:

Explainable AI Amongst OSFI & GRI EDGE Principles (page 1)

Fiat-Backed Crypto: OSFI Consults on International Standards (page 3)

UK Government Proposes Legislation on Crypto Promotions (page 4)

UK Government Proposes To Regulate ESG Ratings Providers (page 5)

EU New AML/CFT Legislative Package Underway (page 6)

Cyber Incident Reporting: FSB Publishes Final Report (page 7)

ESAs Revisit SFDR (page 9)

Industry News (page 10)

Product Corner - Cyber Incident: Quésaco? (page 12)

Artificial Intelligence & Ethics

Explainable AI Amongst OSFI & GRI EDGE Principles

The Explainability, Data, Governance, and Ethics (EDGE) Principles were outlined in a Report published on April 17 by the Financial Industry Forum on Artificial Intelligence (FIFAI), a group created by the Office of the Superintendent of Financial Institutions (OSFI) and the Global Risk Institute (GRI).

THE EDGE PRINCIPLES

FIFAI is composed of financial services experts (e.g. regulators, banks, fintechs) brought together to advance the discussion on managing AI risks through effective regulation.

The Report identifies four areas of greatest importance, collectively referred to as the “EDGE” principles. More specifically:

1/ Explainability enables financial institutions to deepen trust with their customers, as customers understand the reasons for decisions. The Report proposes that financial institutions focus on the following:

Implement models with an appropriate level of explainability

Build in explainability by design, or use additional techniques for models considered black-box models.

Adopt different approaches to explainability (e.g. local explanation versus global explanation).

Disclose adequate and relevant information to help investors, regulators, and the public understand the institution’s financial health and performance and enable them to make informed decisions.

Disclosure should be concise, simple, relevant, intuitive, and practical, and written in plain language.

Avoid excessive disclosure, to mitigate detrimental consequences for the firm's security, the integrity of its AI process and its competitive advantage.

Make disclosures related to third-party AI models, to ensure adequate disclosure to customers.

2/ Data leveraged by AI enables financial institutions to, amongst others, provide targeted and tailored products and services to their customers, enhance risk analysis and improve decision making.

The data governance framework should ensure that data is accurate, reliable, complete, representative, consistent, and compliant with relevant regulations, including privacy legislation. Areas to consider include:

Data characteristics (e.g. data volume, data versioning, data agility...) and associated challenges (data quality and data aggregation).


Data governance (data ownership, data privacy & security, regional data limitations, data-centric approach and data literacy).

Third-party data (data collection and data sharing).

3/ Governance of AI ensures that financial institutions have the right culture, tools, and frameworks available to support their AI lifecycle. The Report states that an effective AI governance framework should:

Be holistic and encompass all levels of the organization.

Clearly define roles and responsibilities.

Include a well-defined risk appetite.

Reflect the risk of use cases (including when financial institutions transition from a rule-based to a risk-based approach).

Be flexible as a financial institution’s adoption of AI matures.

4/ Ethics encourages financial institutions to consider the broader societal impacts of their AI systems. To prevent or address issues related to bias, the Report explores various areas and suggests that:

Both legal and ethical considerations should be taken into account in the decision-making processes even though financial institutions are not affected by AI ethics.

Multidisciplinary views (e.g., computer scientists, lawyers, financial data scientists, ethicists) should be considered while developing and using AI applications. Another suggestion is for standard-setting bodies to agree upon ethical guidelines to help market participants manage their AI-related risks.

Greater transparency and appropriate disclosure related to data privacy and data protection form part of financial institutions' overall framework. An emphasis should be put on customer consent, including to address what the Report calls “consent drift”, which “refers to the case where customers provide consent for data to be used for a particular purpose, however over time the same data is used for a different one”. Ongoing consent management would be required in such cases.

The Report also recommends that certain characteristics be taken into account for an effective regulatory framework: (i) industry recommendations on best practices; (ii) consistency across regulators (in Canada and abroad); (iii) standards around third-party risk management and/or independent review of third parties; (iv) industry/stakeholder consultation; (v) creation of regulatory sandboxes; (vi) proportionality to account for differences in size, materiality, and organizational capabilities across financial institutions; (vii) harmonized regulatory requirements; (viii) cross-border collaboration between regulators; (ix) consideration of smaller financial institutions…


Stablecoins

Fiat-Backed Crypto: OSFI Consults on International Standards

The Consultation opened on April 17 with the objective of gathering feedback on mitigating the risks associated with single fiat-referenced cryptoasset arrangements and activities.

The Office of the Superintendent of Financial Institutions (OSFI) defines fiat-referenced cryptoassets as: “cryptoassets that are pegged to a single fiat currency and backed at least one-for-one by cash and cash equivalents, or issued as a liability of a financial institution”.

PROPOSED REQUIREMENTS

OSFI is seeking views on the Financial Stability Board (FSB) High-Level Recommendations on the Regulation, Supervision and Oversight of “Global Stablecoin” Arrangements, which recommend that entities engaging in fiat-referenced cryptoasset arrangements or activities be subject to comprehensive supervision and regulation.

Comments should be provided on the following:

Governance and risk management framework (e.g. management of material risks, establishment of contingency arrangements, AML/CTF measures, management of operational, reputational, and financial risks).

Redemption rights, stabilization mechanism, and prudential requirements (e.g. appropriate infrastructures, processes, and procedures are maintained to ensure data quality and reliability; data management systems that record and safeguard relevant data and information collected and produced).

Custody and digital wallet services (i.e. custodial service or digital wallet operations risk; third-party risk and third-party concentration risk).

Trading, transfer, and transaction validation (network capacity risk, product risk…).

Transversal risks that may affect all of the aforementioned activities (e.g. operational risk; technology risk; compliance risk; conflicts of interest; breaches of data confidentiality and privacy; legal risk; reputational risk…).

OSFI will consider feedback to align its future risk management expectations with related international recommendations.

The comment period will close on June 16, 2023.


Cryptoassets

UK Government Proposes Legislation on Crypto Promotions

The Draft Legislation released on 27 March 2023 proposes to bring certain cryptoassets into the scope of financial promotions, to improve consumers' understanding of the risks associated with cryptoasset investments and ensure a level playing field.

PROPOSAL

The proposal builds on the HM Treasury consultation paper published in July 2020 (see our previous update here).

The Draft Legislation will amend the Financial Services and Markets Act 2000 (Financial Promotion) Order 2005 (‘FPO’) and introduce a new type of instrument identified as qualifying cryptoasset and defined as: “any cryptographically secured digital representation of value or contractual rights that is — (a) fungible; and (b) transferable…”.

The definition of qualifying cryptoasset excludes certain instruments such as electronic money, fiat currency, digitally issued fiat currency, or a cryptoasset that cannot be transferred or sold in exchange for money or other cryptoassets, except by way of redemption with the issuer.

FCA authorised firms will have to ensure compliance with the regulatory requirements by, amongst others, highlighting the risks related to qualifying cryptoassets.

Non-FCA authorised firms will have to ensure that the promotion of these instruments is approved by an authorised firm.

Firms will have a 4-month implementation period once the Draft Legislation comes into effect.

California Consumer Privacy Act Approved By OAL


ESG Ratings

UK Government Proposes To Regulate ESG Ratings Providers

HM Treasury launched its consultation on the Proposed Rules on March 30 with the aim of gathering market participants’ feedback on the upcoming regulatory regime for Environmental, Social and Governance (ESG) ratings providers.

PROPOSED RULES

The Proposed Rules seek to address, amongst others, the following issues: the opacity of the methodologies used by ESG rating providers; the approaches taken by ESG rating providers; and conflicts of interest, notably “where an ESG ratings provider also provides advice to the rated entity on how to improve that rating; or scenarios where the dialogue between a rating provider and rated entity could be improved”.

If the proposed regime becomes law, the Financial Conduct Authority will embed the requirements in its rules, taking into account the key regulatory outcomes recommended by IOSCO, i.e., transparency, good governance, management of conflicts of interest and robust systems and controls (read our previous update on the IOSCO Report on ESG rating providers here for more information).

The Proposed Rules would apply, at a minimum, to the direct provision of ESG ratings to users in the UK, by both UK firms and non-UK firms.

The consultation will close on 30 June 2023.


AML/CTF

EU New AML/CFT Legislative Package Underway

The Proposed Legislative Package on anti-money laundering and countering the financing of terrorism (AML/CTF) was adopted on 28 March by Committees of the European Parliament and contains three pieces of draft legislation, synthesised hereunder.

PROPOSED PACKAGE

The EU "single rulebook" regulation lays down rules concerning:

Measures to be applied by obliged entities, including crypto-asset service providers (CASPs) (i.e. outsourcing; internal policies, procedures and controls; business-wide risk assessment; compliance functions; awareness of the requirements; integrity of employees; internal reporting).

Beneficial ownership transparency requirements (i.e. customer due diligence; identification and verification of the customer’s and beneficial owner's identity; timing of the verification of the customer's and beneficial owner's identity; identification of the purpose and intended nature of a business relationship or occasional transaction).

Reporting obligations (e.g. suspicious transactions, reporting of suspicious transactions by certain categories of obliged entities).

Data protection and record-retention provisions (e.g. processing of personal data: transparency and disclosure (including related to data sharing), data quality/accuracy, data protection, …).

Measures to limit the misuse of anonymous instruments, including the prohibition for financial institutions as well as CASPs to keep anonymous accounts, anonymous passbooks, anonymous safe-deposit boxes, anonymity-enhancing coins or anonymous crypto-asset wallets, as well as any account otherwise allowing for the anonymisation of the customer account holder.

Limits on large cash payments of EUR 10 000 in national or foreign currency, whether the transaction is carried out in a single operation or in several operations which appear to be linked.

The 6th AML Directive

The Directive will contain provisions on supervision and Financial Intelligence Units, as well as on access for competent authorities to necessary and reliable information (e.g. beneficial ownership registers and assets stored in free zones).

The Regulation establishing the European Anti-Money Laundering Authority (“AMLA”)

AMLA will have supervisory and investigative powers to ensure compliance with AML/CFT requirements. The proposed regime has yet to be voted on in Plenary at the European Parliament.


Incident Reporting

Cyber Incident Reporting: FSB Publishes Final Report

The Final Report was released on April 13 by the Financial Stability Board (FSB) and includes recommendations that may be relied upon by financial authorities and financial institutions (FIs) where relevant, taking into consideration their legal and regulatory framework (see our previous update here).

FINALISED RECOMMENDATIONS

The finalised recommendations are as follows:

Establish and maintain objectives for Cyber Incident Reporting (CIR). Financial authorities should have clearly defined objectives for incident reporting, and periodically assess and demonstrate how these objectives can be achieved in an efficient manner, both for FIs and authorities.

Explore greater convergence of CIR frameworks. Financial authorities should continue to explore ways to align their CIR regimes with other relevant authorities, on a cross-border and cross-sectoral basis, to minimise potential fragmentation and improve interoperability.

Adopt common data requirements and reporting formats. Financial authorities should individually or collectively identify common data requirements, and, where appropriate, develop or adopt standardised formats for the exchange of incident reporting information.

Implement phased and incremental reporting requirements. Financial authorities should implement incremental reporting requirements in a phased manner, balancing the authority’s need for timely reporting with the affected institution’s primary objective of bringing the incident under control.

Select appropriate incident reporting triggers. Financial authorities should explore the benefits and implications of a range of reporting trigger options as part of the design of their CIR regime.

Calibrate initial reporting windows. Financial authorities should consider the potential outcomes associated with the window design or calibration used for initial reporting.

Provide sufficient details to minimise interpretation risk. Financial authorities should promote consistent understanding and minimise interpretation risk by providing an appropriate level of detail in setting reporting thresholds, using common terminologies and supplementing CIR guidance with examples.


Promote timely reporting under materiality-based triggers. Financial authorities that use materiality thresholds should consider fine-tuning threshold language, or explore other suitable approaches, to encourage prompt reporting by FIs for material incidents.

Review the effectiveness of CIR and cyber incident response and recovery (CIRR) processes. Financial authorities should explore ways to review the effectiveness of FIs’ CIR and CIRR processes and procedures as part of their existing supervisory or regulatory engagement.

Conduct ad-hoc data collection. Financial authorities should explore ways to complement CIR frameworks with supervisory measures as needed and engage FIs on cyber incidents, both during and outside of live incidents.

Address impediments to cross-border information sharing. Financial authorities should explore methods for collaboratively addressing legal or confidentiality challenges relating to the exchange of CIR information on a cross-border basis.

Foster mutual understanding of benefits of reporting. Financial authorities should engage regularly with FIs to raise awareness of the value and importance of incident reporting, understand possible challenges faced by FIs and identify approaches to overcome them when warranted.

Provide guidance on effective CIR communication. Financial authorities should explore ways to develop, or foster development of, toolkits and guidelines to promote effective communication practices in cyber incident reports.

Maintain response capabilities which support CIR. FIs should continuously identify and address any gaps in their cyber incident response capabilities which directly support CIR, including incident detection, assessment and training on a continuous basis.

Pool knowledge to identify related cyber events and cyber incidents. Financial authorities and FIs should collaborate to identify and implement mechanisms to proactively share event, vulnerability and incident information amongst financial sector participants to combat situational uncertainty, and pool knowledge in collective defence of the financial sector.

Protect sensitive information. Financial authorities should implement secure forms of incident information handling to ensure protection of sensitive information at all times.

On the same date, the FSB also released a common Format for Incident Reporting Exchange (FIRE) to foster greater convergence in CIR. It also updated its Cyber Lexicon with the inclusion of new terms:

Cyber Attack

Insider Threat

Phishing

Ransomware

Security Operations Centre (SOC)

Zero-day Vulnerability


Sustainability Disclosure

ESAs Revisit SFDR

On 12 April, the three European Supervisory Authorities (EBA, EIOPA and ESMA, the ESAs) released a Joint Consultation Paper on amendments to the Delegated Regulation of the Sustainable Finance Disclosure Regulation (SFDR) (for more information on the Delegated Regulation, read AMEIS’ ESG & Sustainability Focus Report).

KEY HIGHLIGHTS

Key highlights of the amendments include:

Extension of the list of social indicators for principal adverse impacts to include new indicators, namely: (i) amount of accumulated earnings in non-cooperative tax jurisdictions; (ii) exposure to companies involved in the cultivation and production of tobacco; (iii) share of employees earning less than the adequate wage…

Technical revision of the principal adverse impact (PAI) framework through the introduction of a new formula for the PAI indicators that did not already have one.

Enhanced DNSH disclosure design options: under the current requirements concerning “do not significantly harm” (DNSH) disclosures, investors have few opportunities to compare financial products, and investee companies have little predictability about how PAI criteria will be applied by financial market participants (FMPs).

Amendments regarding greenhouse gas (GHG) emissions reduction targets or decarbonisation, through additional disclosure requirements to foster transparency and comparability between financial products (i.e. simplified disclosures in pre-contractual documents and periodic reports, complemented by a third, more detailed set of disclosures available on the website).

Simplification of the templates (i.e. the language used in the templates, to enhance comprehensibility). A dedicated “dashboard” of key information was developed to complement the more detailed information of the pre-contractual and periodic disclosures.

The consultation will close on 4 July 2023.


Industry News

ESG, Crypto & Diversity Top Priorities for the OSC

Published on April 18, the Ontario Securities Commission's Statement of Priorities (SoPs) for 2023/2024 lists the following focal points:

Advancing work on environmental, social, and governance disclosure

Finalizing and implementing total cost reporting amendments

Considering broader diversity disclosure requirements

Continuing to expand investor focused education, policy, and research activities

Strengthening the Ombudsman for Banking Services and Investments (OBSI) as an independent dispute resolution service

Strengthening oversight and enforcement in the Crypto Asset sector

Clarifying the OSC’s role in overseeing the implementation of the office of the investor and the investor advisory panel of the New SRO and the Canadian Investor Protection Fund (CIPF)

The SoPs can be found in the OSC’s Annual Business Plan.

FCA Proposals for SDR & Labels Delayed by Three Months

On March 29, the Financial Conduct Authority (FCA) provided an update indicating a delay to its upcoming Policy Statement on Sustainability Disclosure Requirements ("SDR") and investment labels.

The Policy Statement (PS), which will include extensive requirements to combat greenwashing (read our previous briefing here), will be published in Q3 of this year, and the proposed effective dates will be adjusted accordingly.

The PS will build on comments received from stakeholders; this includes, but is not limited to:

Reconsidering the approach related to marketing restrictions, refining the specific criteria for the labels and clarifying how different products, asset classes and strategies can qualify for a label.

Clarifying matters such as that primary and secondary channels for achieving sustainability outcomes are not prescribed, and that independent verification of product categorisation to qualify for a label is not required.


ChatGPT: When AI Becomes a Threat to Privacy

Last month, the Italian Data Protection Authority (Garante per la protezione dei dati personali) announced a temporary ban on the processing of Italian users’ data by Open AI over multiple concerns relating to privacy.

Among the points raised:

Lack of information provided to users and data subjects whose data are collected by Open AI.

Lack of a legal basis for the massive collection and processing of personal data in order to ‘train’ the algorithms.

Information made available does not always match factual circumstances, leading to the processing of inaccurate personal data.

Lack of an age verification mechanism, exposing children to information that may be inappropriate for their age.

Other European countries, including France, Spain and Germany, have launched procedures to examine Open AI and assess its alignment with European data protection laws and principles. In Canada, the Office of the Privacy Commissioner announced on April 3 the launch of an investigation into Open AI, responding to concerns about the collection, use and disclosure of personal information without consent.

Upcoming Regulatory Deadlines to Watch

Date and issue to watch:

30/04/2023: Comment period closes for UK’s HM Treasury Consultation on the future financial services regulatory regime for cryptoassets.

10/05/2023: Comment period ends for the UK Financial Conduct Authority’s discussion paper DP23/1: Finance of positive sustainable change, relative to governance, incentives and competence.

22/05/2023: Deadline for comments on the UK Financial Conduct Authority’s discussion paper DP23/2: Updating and improving the UK regime for asset management.

31/05/2023: Consultation period closes on Canada’s Office of the Superintendent of Financial Institutions (OSFI) Culture and Behaviour Risk Guideline.


Product Corner

Cyber Incident: Quésaco?

A cyber incident is a “cyber event that adversely affects the cyber security of an information system or the information the system processes, stores or transmits, whether resulting from malicious activity or not.”

Common examples of cyber incidents include:

Denial of Service (DoS): defined as the prevention of authorised access to information or information systems, or the delaying of information system operations and functions, with resultant loss of availability to authorised users.

Phishing: defined as a digital form of social engineering that attempts to acquire private or confidential information by pretending to be a trustworthy entity in an electronic communication.

A cyber incident is to be distinguished from a:

Cyber attack: defined as a malicious attempt to exploit vulnerabilities through the cyber medium to damage, disrupt or gain unauthorized access to assets.

Data breach: defined as the [breach] of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to data transmitted, stored or otherwise processed.

Put in other words, an incident is a precursor to a breach and refers to any activity that compromises an institution's cyber security, while a breach is the confirmation that protected data have been accessed unlawfully.

Source: FSB Cyber Lexicon

For additional information on cyber regulations and guidelines:

On March 27, 2023, Canada’s House of Commons completed its second reading of Bill C-26, an Act respecting cyber security and the protection of critical cyber systems in the federally regulated private sector (read our previous update here).

In July 2022, the Office of the Superintendent of Financial Institutions published Guideline B-13 on Technology and Cyber Risk Management to support federally regulated financial institutions (FRFIs) in developing greater resilience to technology and cyber risks. The guideline will take effect on Jan 1, 2024 (read our previous update here).

In July 2022, the Investment Industry Regulatory Organization of Canada (IIROC) published a Cybersecurity Self-Assessment Tool to help small and medium-sized IIROC firms identify areas of strength and weakness based on information security practices. This tool and other guides are available on their website.


About us

We help you understand the rules that govern your activities, services and products, enabling you to meet your ongoing regulatory obligations and navigate the ever-evolving, complex regulatory landscape.

Our team is composed of professionals with extensive experience serving the investment management, capital markets and asset servicing industries.

Complex landscape & widening gaps

Increasing regulatory requirements and the pace of change are making it harder for you to keep up with the pressures of compliance and managing cost-effective operations.

Current challenges

Investor demand for enhanced transparency and disclosure, data privacy, investor and consumer protection requirements, and AML/KYC concerns are some of the many challenges affecting the industry.

We provide practical and tailored solutions:

Review and analysis of regulatory texts

Reporting

Response preparation

Compliance program development

Change management

Regulatory intelligence and training

Ongoing compliance support

Registrations

Contact us

Déborah Koualé, Founder & Director

deborah.kouale@ameiscorp.com

Ameis Regulatory Services focuses on providing regulatory and compliance support for fintech companies.
WWW.AMEISCORP.COM