Beneficial Ownership Registry
Bill C-42 Introduces Beneficial Ownership Registry
The proposed legislation, if it becomes law, will implement a free and publicly accessible beneficial ownership registry of all corporations incorporated under the Canada Business Corporations Act (CBCA).
CENTRAL REGISTRY
Corporations will have to disclose certain information to a central registry maintained by the federal government.
Impacted entities will be required to meet certain requirements, including:
Provide the name of the individual with significant control, their address for service (if applicable), their residential address as well as any other prescribed information
Identify all individuals with significant control over the corporation and ensure, at least on an annual basis, that the information in the Register is accurate, complete and up-to-date
Determine the content and format of the information to be provided
The Proceeds of Crime (Money Laundering) and Terrorist Financing Act will be amended to reflect these requirements.
Non-compliance will result in administrative sanctions and criminal penalties of up to $200,000 and/or six months imprisonment.
Bill C-42 received its first reading in Parliament on March 22, 2023.
Cybersecurity & Data Protection
SEC Seeks Comments on New Package
Published on March 15 by the Securities and Exchange Commission (SEC), the three proposed new sets of rules would, among other things: (i) add new requirements addressing cybersecurity risk to the U.S. securities markets through Proposed Rule 10; (ii) extend the scope of entities covered by Regulation SCI; and (iii) enhance the protection of customer information under Regulation S-P.
PROPOSED REQUIREMENTS
Proposed Rule 10, if it becomes law, would impose certain requirements on Covered Entities.
The definition of Covered Entities includes, but is not limited to, broker-dealers that (i) maintain custody of cash and securities for customers or other broker-dealers; or (ii) introduce customer accounts to another broker or dealer that maintains cash and securities.
Requirements applicable to Covered Entities
Establish, maintain, and enforce written policies and procedures that are reasonably designed to address a Covered Entity’s cybersecurity risks. These policies and procedures must at a minimum include certain elements related to (i) risk assessment; (ii) user security and access; (iii) information protection; (iv) cybersecurity threat and vulnerability management; and (v) cybersecurity incident response and recovery.
Immediate written electronic notification of the SEC when a significant cybersecurity incident occurs or is occurring.
Subsequent detailed reports about the cybersecurity incident would also have to be provided to the SEC, by filing Part I of proposed Form SCIR through the Electronic Data Gathering, Analysis, and Retrieval System (“EDGAR” or “EDGAR system”).
Two types of public disclosures would have to be made using Part II of proposed Form SCIR, in order to improve transparency with respect to cybersecurity risks and significant cybersecurity incidents: (i) a plain-language summary description of the cybersecurity risks that could materially affect the business and operations, and how those risks would be assessed and addressed; and (ii) a summary description of each significant cybersecurity incident that occurred during the current or previous calendar year, if applicable.
Revision of the existing recordkeeping rules to require Covered Entities to address cybersecurity risks through policies and procedures. This includes measures to detect, respond to, and recover from a cybersecurity incident and procedures to create written documentation of any cybersecurity incident and the response to and recovery from the incident.
Requirements applicable to Non-Covered Broker-Dealers
Establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks.
Review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review.
Provide immediate written electronic notice of a significant cybersecurity incident affecting them to the SEC and their examining authority.
Maintain and preserve versions of their policies and procedures and the record of the annual review.
Regulation Systems Compliance and Integrity (Reg SCI) currently applies to self-regulatory organizations; alternative trading systems meeting volume thresholds with respect to National Market System (NMS) stocks and non-NMS stocks; exclusive disseminators of consolidated market data; certain competing consolidators of market data meeting a gross revenue threshold; and certain exempt clearing agencies.
The scope of the Proposed Reg SCI would be expanded to include:
Registered security-based swap data repositories
Broker-dealers registered with the SEC that exceed a certain total assets threshold or a transaction activity threshold
All clearing agencies exempted from registration
These entities would be subject to existing requirements which include:
Implementing policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain operational capability and promote the maintenance of fair and orderly markets
Taking appropriate corrective action in response to systems issues
Providing notices and reports to the SEC
Disseminating information about systems issues to affected parties
Proposed Regulation S-P would require Covered Institutions to:
Adopt written policies and procedures for an incident response program to address unauthorized access to or use of customer information.
Have written policies and procedures to provide timely notification to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.
Covered Institutions include broker-dealers, investment companies, registered investment advisers, and transfer agents.
Interested market participants may submit their comments until 60 days after the date of publication of the proposing release in the Federal Register.
Beneficial Ownership
FinCEN Issues Guidance on BOI Reporting
Released on March 24 by the Financial Crimes Enforcement Network (FinCEN), the materials include a Frequently Asked Questions document about the reporting requirements and two one-pagers, on Key Filing Dates and on Key Questions, applicable to the beneficial ownership information (BOI) rules that will come into effect on January 1, 2024 (read our previous article here).
REPORTING
Certain corporations and entities created in or registered to do business in the United States will be required to report information about their beneficial owners to FinCEN.
The guidance provided focuses on issues such as:
The definition of BOI
The type of information that must be reported
The reporting timeline (initial reports vs. updated reports vs. corrected reports)
Conditions for the disclosure of the BOI Company applicant
The format and channel for reporting
Protection and confidentiality of the BOI
The materials will be of particular interest to small businesses.
Privacy
California Consumer Privacy Act Regulations Approved by OAL
On March 30, the California Privacy Protection Agency (CPPA) announced that California’s Office of Administrative Law (“OAL”) approved its proposal to implement the California Consumer Privacy Act regulations as amended by the California Privacy Rights Act.
The finalized regulations are effective as of March 30 and will be made available on the CPPA website in due course.
For more information on the rules, read our previous article here.
Asset Management
UK Rules for Funds & Asset Management Set for a Review
The Discussion Paper (DP) published on February 20 by the Financial Conduct Authority (FCA) includes some indications about how the regime applicable to funds and asset managers might change.
POTENTIAL CHANGES
Possible areas of change include:
Enhancing the rules applicable to authorised fund managers (AFMs) to, among other things, allow funds to use third-party portfolio managers and create specific contractual requirements between an AFM and a portfolio manager
Enhancing liquidity management by, among other things, requiring firms to comply with the Liquidity Stress Testing Guidelines issued by the European Securities and Markets Authority (ESMA)
Strengthening the rules around investment due diligence. This will include the requirement for portfolio managers to conduct suitability assessments as well as the requirement for fund managers to carry out due diligence
Clarifying rules for depositaries, including (i) the systems and controls that a depositary must have in place to identify breaches of the rules and constituting documents of a scheme; (ii) the resources, knowledge, skills and experience expected of a depositary; and (iii) the actions that must be taken by a depositary when a breach is identified
Improving the fund rules to provide more detail and clarity
Adjusting the eligible assets regime for UCITS to provide some flexibility to managers, depending on the circumstances, regarding the 10% rule (i.e. the possibility for funds to invest up to 10% of their portfolio in assets that do not meet the eligible markets criteria)
The DP will be of interest to, but not limited to, authorised fund managers, alternative investment fund managers, portfolio managers and depositaries of authorised funds or alternative investment funds.
Comments should be provided by May 22, 2023.
Cybersecurity
FATF Gives Tips to Tackle Ransomware Attacks
Released on March 14 by the Financial Action Task Force (FATF), the Report on countering ransomware financing “analyzes the methods that criminals use to carry out their ransomware attacks and how payments are made and laundered”.
TRENDS AND PROPOSED ACTIONS
Common methods & trends include:
Big game hunting: targeting of high-profile organisations that are more likely to pay a ransom in order to resume business operations or avoid public scrutiny
Ransomware-as-a-Service (RaaS): criminals provide ransomware software kits on the Dark Web or outsource elements of ransomware attacks (distribution of malware, exfiltration of data)
Double extortion: ransomware operators exfiltrate the victim’s data before encrypting it and then threaten to publish the stolen data if the victim does not pay a ransom
Triple extortion: ransomware operators seek money not only from the victim first targeted but also from a party who might be impacted by the disclosure of the first victim’s data
Multiple extortion: involves more than two extortion methods. It is based on double extortion using encryption and exfiltration but includes additional pressure tactics (e.g. distributed denial of service, DDoS).
FATF proposed actions to counter ransomware attacks
The Report proposes a number of actions that can be taken to tackle ransomware and related laundering, more specifically:
Implement the relevant FATF Standards and enhance detection. This includes the FATF Standards on virtual asset service providers or VASPs (read our previous article here). Detection of ransomware attacks should also be accompanied by timely reporting of suspicious transactions as well as voluntary reporting of incidents by affected parties/victims.
Promote financial investigations and asset recovery. The Report recommends that competent authorities use and adapt traditional law enforcement techniques as well as virtual-asset-specific techniques to conduct such investigations.
Adopt a multidisciplinary approach to tackle ransomware, including the identification and assessment of money laundering risks related to ransomware and coordination mechanisms across relevant competent authorities (law enforcement, AML/CFT and cyber-crime authorities, and non-traditional partners such as cybersecurity or data protection agencies).
Support partnerships with the private sector, i.e. mechanisms that support partnership between the public and private sectors with the inclusion of VASPs and other non-traditional partners.
Improve international cooperation through bilateral, regional and multilateral mechanisms (e.g. using liaison offices and establishing clear 24/7 contact points).
The FATF Report Countering Ransomware Financing: Potential Risk Indicators, issued on the same date, should be read together with the FATF Report Countering Ransomware Financing.
Industry News
OSFI Shares 2023-24 Departmental Plan
The Office of the Superintendent of Financial Institutions (“OSFI”) recently issued its 2023-24 Departmental Plan (the Plan), which sets out its planned initiatives for the coming year.
Key highlights of the Plan include:
Culture and Enabler Initiatives: Finalize and implement a three-year Culture Change Action Plan; develop and implement a new multi-year Human Capital Strategy…
Risk, Strategy and Governance: Enhance environmental scanning tools to advance OSFI’s assessment of risks and trends; implement a risk appetite and framework to ensure risk-based decision making; and implement an enhanced governance structure to enable timely, transparent, and risk-intelligent decision making.
Policy Innovation: Develop policy instruments on stablecoins and start to build the Digital Regulatory Incubator; and review publications and release new guidelines and frameworks for key risk principles.
Data Management and Analytics: Further the Data Collection Modernization initiative, which aims to modernize the definition, collection, transformation and use of regulatory data; and develop and execute an enterprise data literacy strategy to make data and analytics an integral part of OSFI’s operations and decision making.
Crypto-Assets Part of 2023 Federal Budget
On March 28, 2023 the Government of Canada released its 2023 budget, proposing further measures to protect Canadians from emerging risks linked to crypto-assets. In the context of the failure of FTX and Signature Bank, Budget 2023 announced:
The Office of the Superintendent of Financial Institutions (OSFI) will consult federally regulated financial institutions on guidelines for publicly disclosing exposure to crypto-assets.
Federally regulated pension funds will be required to disclose their crypto-asset exposures to OSFI.
FCA Addresses Payments Firms
The Letter to payments firms was published on March 16 by the UK’s Financial Conduct Authority (FCA), highlighting concerns about insufficiently robust controls presenting an “unacceptable risk” to financial system integrity. Payment firms include Payment Institutions, Electronic Money Institutions and Registered Account Information Service Providers.
The FCA sets three outcomes and associated priorities to be attained by payment firms:
1. Ensuring customers’ money is safe by
   a. Establishing safeguards, including
      i) documented processes for identifying “Relevant Funds”
      ii) adequate reconciliation procedures
      iii) performing due diligence
      iv) conducting annual audits of safeguarding arrangements
   b. Improving prudential risk management through
      i) appropriate liquidity risk management
      ii) meeting capital requirements, taking into account the firm’s particular financial risks
      iii) reviews of risk appetite and risk indicators
      iv) scenario planning and stress-testing
      v) financial resource planning on an ongoing basis
   c. Creating and maintaining wind-down planning that is practical, usable and up to date
2. Ensuring the firm does not compromise financial system integrity by
   a. Putting in place systems and controls to “identify, assess, monitor and manage money laundering risk”, including
      i) KYC and risk-based due diligence
      ii) a robust and effective methodology for business-wide risk assessments
      iii) regular review of risk assessments and control frameworks as threats evolve
      iv) detailed and tailored policies and procedures
      v) effective systems and controls to identify and manage sanctions exposure and risk
   b. Addressing weaknesses in systems and controls to prevent fraud, including
      i) customer education
      ii) industry information sharing
      iii) regular review of fraud prevention systems and controls
      iv) appropriate customer due diligence at onboarding and on an ongoing basis
3. Meeting customers’ needs, including the provision of high-quality products and services, competition and innovation, and implementation of the “Consumer Duty” principle
In addition, the letter underscores three priorities that are important to achieve the above outcomes:
Governance and leadership
Operational resilience
T2 Officially Replaced TARGET2 in March 2023
Between 17 and 20 March 2023, the migration to the Eurosystem’s new real-time gross settlement (RTGS) system, T2, successfully took place (see our previous article on the subject here). T2 settles payments for monetary policy operations, bank-to-bank transfers and commercial transactions; on its first day, the wholesale payment system settled approximately 400,000 transactions.
Upcoming Regulatory Deadlines to Watch
Date          Issues to Watch
10/05/2023    Discussion period ends for the UK Financial Conduct Authority’s discussion paper DP23/1: Finance of positive sustainable change, relative to governance, incentives and competence
22/05/2023    Deadline for comments on the UK Financial Conduct Authority’s discussion paper DP23/2: Updating and improving the UK regime for asset management
31/05/2023    Consultation period closes on Canada’s Office of the Superintendent of Financial Institutions (OSFI) Culture and Behaviour Risk Guideline
Product Corner
The FATF defines a virtual asset service provider (VASP) as: “any natural or legal person who is not covered elsewhere under the Recommendations and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person:
Exchange between virtual assets and fiat currencies
Exchange between one or more forms of virtual assets
Transfer of virtual assets
Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets
Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.” (FATF Updated Guidance on VA & VASP - read our summary).
Financial institutions (FIs) and designated non-financial businesses and professions (DNFBPs) are excluded from this definition.
FATF provides practical guidance to determine whether or not an entity is a VASP; such a determination must be made by taking into account the underlying financial services offered, not the entity’s own terminology regarding its activities or the technology used to conduct its activities.
About us
We help you understand the rules that govern your activities, services and products, enabling you to meet your ongoing regulatory obligations and navigate the ever-evolving, complex regulatory landscape.
Our team is composed of professionals with extensive experience serving the investment management, capital markets and asset servicing industries.
Complex landscape & widening gaps
Increasing regulatory requirements and the pace of change are making it harder for you to keep up with the pressures of compliance and managing cost-effective operations.
Current challenges
Investor demand for enhanced transparency and disclosure, data privacy, investor and consumer protection requirements, and AML/KYC concerns are some of the many challenges affecting the industry.
We provide practical and tailored solutions
Review and analysis of regulatory texts
Reporting
Response preparation
Compliance program development
Change management
Regulatory intelligence and training
Ongoing compliance support
Registrations
Contact us
Déborah Koualé, Founder & Director
deborah.kouale@ameiscorp.com
Carolyn Le Quéré, Director
carolyn.lequere@ameiscorp.com
Ameis Regulatory Services focuses on providing regulatory and compliance support for fintech companies.