AMEIS RegFacts | April 2023 part 1


April 2023
AMEIS REGFACTS
FINTECH & Financial Markets Regulatory News
WWW.AMEISCORP.COM

In This Issue:

Bill C-42 Introduces Beneficial Ownership Registry
Cybersecurity: SEC Seeks Comments on New Package
FinCEN Issues Guidance on BOI Reporting
California Consumer Privacy Act Approved By OAL
UK Rules for Funds & Asset Management Set for a Review
FATF Gives Tips to Tackle Ransomware Attacks
Industry News
Product Corner - VASP: Quésaco?

Beneficial Ownership Registry

Bill C-42 Introduces Beneficial Ownership Registry

The proposed legislation, if it becomes law, will implement a free and publicly accessible beneficial ownership registry of all corporations incorporated under the Canada Business Corporations Act (CBCA).

CENTRAL REGISTRY

Corporations will have to disclose certain information to a central registry maintained by the federal government.

Impacted entities will be required to meet certain requirements, including:

Provide the name of the individual with significant control, their address for service (if applicable), their residential address as well as any other prescribed information

Identify all individuals with significant control over the corporation and ensure, at least on an annual basis, that the information in the Register is accurate, complete and up-to-date

Determine the content and format of the information to be provided

The Proceeds of Crime (Money Laundering) and Terrorist Financing Act will be amended to reflect these requirements.

Non-compliance will result in administrative sanctions and criminal penalties of up to $200,000 and/or six months imprisonment.

Bill C-42 received its first reading in Parliament on March 22, 2023.

WWW.AMEISCORP.COM 1

Cybersecurity & Data Protection

SEC Seeks Comments on New Package

Published on March 15 by the Securities and Exchange Commission (SEC), the three proposed new sets of rules would, among other things: (i) add new requirements addressing cybersecurity risk to the U.S. securities markets through Proposed Rule 10, (ii) extend the scope of entities covered by Regulation SCI, and (iii) enhance the protection of customer information under Regulation S-P.

PROPOSED REQUIREMENTS

Proposed Rule 10, if it becomes law, would impose certain requirements on Covered Entities.

The definition of Covered Entities includes, but is not limited to, broker-dealers that (i) maintain custody of cash and securities for customers or other broker-dealers; or (ii) introduce customer accounts to another broker or dealer that maintains cash and securities.

Requirements applicable to Covered Entities

Establish, maintain, and enforce written policies and procedures that are reasonably designed to address a Covered Entity’s cybersecurity risks. These policies and procedures must at a minimum include certain elements related to (i) risk assessment; (ii) user security and access; (iii) information protection; (iv) cybersecurity threat and vulnerability management; and (v) cybersecurity incident response and recovery.

Immediate written electronic notification of the SEC when a significant cybersecurity incident occurs or is occurring.

Provide subsequent detailed reports about the cybersecurity incident to the SEC. Such reports would be made by filing Part I of proposed Form SCIR through the Electronic Data Gathering, Analysis, and Retrieval System (“EDGAR” or “EDGAR system”).

Complete two types of public disclosures using Part II of proposed Form SCIR, in order to improve transparency with respect to cybersecurity risks and significant cybersecurity incidents: (i) a plain-language summary description of the cybersecurity risks that could materially affect the business and operations and how those risks would be assessed and addressed; and (ii) a summary description of each significant cybersecurity incident that occurred during the current or previous calendar year, if applicable.

Comply with revised recordkeeping rules that would require Covered Entities to address cybersecurity risks through policies and procedures. This includes measures to detect, respond to, and recover from a cybersecurity incident, and procedures to create written documentation of any cybersecurity incident and of the response to and recovery from the incident.


Requirements applicable to Non-Covered Broker-Dealers

Establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks.

Review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review.

Provide immediate written electronic notice of a significant cybersecurity incident affecting them to the SEC and their examining authority.

Maintain and preserve versions of their policies and procedures and the record of the annual review.

Regulation Systems Compliance and Integrity (Reg SCI) currently applies to self-regulatory organizations; alternative trading systems meeting volume thresholds with respect to National Market System (NMS) stocks and non-NMS stocks; exclusive disseminators of consolidated market data; certain competing consolidators of market data meeting a gross revenue threshold; and certain exempt clearing agencies.

The scope of the Proposed Reg SCI would be expanded to include:

Registered security-based swap data repositories

Broker-dealers registered with the SEC that exceed a certain total assets threshold or a transaction activity threshold

All clearing agencies exempted from registration

These entities would be subject to existing requirements which include:

Implementing policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain operational capability and promote the maintenance of fair and orderly markets

Taking appropriate corrective action in response to systems issues

Providing notices and reports to the SEC

Disseminating information about systems issues to affected parties

Proposed Regulation S-P would require Covered Institutions to:

Adopt written policies and procedures for an incident response program to address unauthorized access to or use of customer information.

Have written policies and procedures to provide timely notification to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.

Covered Institutions include broker-dealers, investment companies, registered investment advisers, and transfer agents.

Interested market participants may submit comments until 60 days after the date of publication of the proposing release in the Federal Register.

Beneficial Ownership

FinCEN Issues Guidance on BOI Reporting

Released on March 24 by the Financial Crimes Enforcement Network (FinCEN), the materials include a set of Frequently Asked Questions about the reporting requirements and two one-pagers, on Key Filing Dates and on Key Questions, applicable to the beneficial ownership information (BOI) rules that will come into effect on January 1, 2024 (read our previous article here).

REPORTING

Certain corporations and entities created in or registered to do business in the United States will be required to report information about their beneficial owners to FinCEN.

The guidance provided focuses on issues such as:

The definition of BOI

The type of information that must be reported

The reporting timeline (initial reports, updated reports and corrected reports)

Conditions for the disclosure of the company applicant

The format and channel for reporting

Protection and confidentiality of the BOI

The materials will be of particular interest to small businesses.

Privacy

California Consumer Privacy Act Approved By OAL

On March 30, the California Privacy Protection Agency (CPPA) announced that California’s Office of Administrative Law (“OAL”) approved its proposal to implement the California Consumer Privacy Act regulations as amended by the California Privacy Rights Act.

The finalized regulations are effective as of March 30 and will be made available on the CPPA website in due course.

For more information on the rules, read our previous article here.

Asset Management

UK Rules for Funds & Asset Management Set for a Review

The Discussion Paper (DP) published on February 20 by the Financial Conduct Authority (FCA) includes some indications about how the regime applicable to funds and asset managers might change.

POTENTIAL CHANGES

Possible areas of change include:

Enhancing the rules applicable to authorised fund managers (AFMs) to, among other things, allow funds to use third-party portfolio managers and create specific contractual requirements between an AFM and a portfolio manager

Enhancing liquidity management by, amongst others, requiring firms to comply with the Liquidity Stress Testing Guidelines issued by the European Securities and Markets Authority (ESMA)

Strengthening the rules around investment due diligence. This will include the requirement for portfolio managers to conduct suitability assessments as well as the requirement for fund managers to carry out due diligence

Clarifying rules for depositaries, including (i) the systems and controls that a depositary must have in place to identify breaches of the rules and of the constituting documents of a scheme; (ii) the resources, knowledge, skills and experience expected of a depositary; and (iii) the actions that must be taken by a depositary when a breach is identified

Improving the fund rules to provide more detail and clarity

Eligible assets regime for UCITS to provide some flexibility to managers, depending on the circumstances, regarding the 10% rules (i.e. possibility for funds to invest up to 10% of their portfolio into assets that do not meet the eligible markets criteria)

The DP will be of interest to, among others, authorised fund managers, alternative investment fund managers, portfolio managers and depositaries of authorised funds or alternative investment funds.

Comments should be provided by May 22, 2023.

Cybersecurity

FATF Gives Tips to Tackle Ransomware Attacks

Released on March 14 by the Financial Action Task Force (FATF), the Report on countering ransomware financing “analyzes the methods that criminals use to carry out their ransomware attacks and how payments are made and laundered”.

TRENDS AND PROPOSED ACTIONS

Common methods & trends include:

Big game hunting: targeting high-profile organisations that are more likely to pay a ransom in order to resume business operations or avoid public scrutiny

Ransomware-as-a-Service (RaaS): criminals provide ransomware software kits on the Dark Web or outsource elements of ransomware attacks (distribution of malware, exfiltration of data)

Double extortion: ransomware operators exfiltrate the victim’s data before encrypting it and then threaten to publish the stolen data if the victim does not pay a ransom

Triple extortion: ransomware operators seek money not only from the victim first targeted but also from a third party who might have been impacted by the disclosure of the first victim’s data

Multiple extortion: involves more than two extortion methods. It is based on double extortion using encryption and exfiltration but includes additional pressure tactics (e.g. distributed denial of service, DDoS).

FATF proposed actions to counter ransomware attacks

The Report proposes a number of actions that can be taken to tackle ransomware and related laundering, more specifically:

Implement the relevant FATF Standards and enhance detection. This includes the FATF Standards on virtual asset service providers, or VASPs (read our previous article here). Detection of ransomware attacks should also be accompanied by timely reporting of suspicious transactions as well as voluntary reporting of incidents by affected parties/victims.

Promote financial investigations and asset recovery. Competent authorities are recommended to use and adapt traditional law enforcement techniques as well as virtual asset-specific techniques to conduct such investigations.

Adopt a multidisciplinary approach to tackle ransomware. This covers identification and assessment of money laundering risks related to ransomware, and coordination mechanisms across relevant competent authorities (law enforcement, AML/CFT and cyber-crime authorities, and non-traditional partners such as cybersecurity or data protection agencies).

Support partnerships with the private sector. Mechanisms that support partnership between the public and private sector, with the inclusion of VASPs and other non-traditional partners.

Improve international cooperation, through bilateral, regional and multilateral mechanisms (e.g. using liaison offices and establishing clear 24/7 contact points).

The FATF Report Countering Ransomware Financing: Potential Risk Indicators, issued the same date, should be read together with the FATF Report Countering Ransomware Financing.

Industry News

OSFI Shares 2023-24 Departmental Plan

The Office of the Superintendent of Financial Institutions (“OSFI”) recently issued its 2023-24 Departmental Plan (the Plan), which sets out its planned initiatives for the coming year.

Key highlights of the Plan include:

Culture and Enabler Initiatives: Finalize and implement a three-year Culture Change Action Plan; develop and implement a new multi-year Human Capital Strategy…

Risk, Strategy and Governance: Enhance environmental scanning tools to advance OSFI’s assessment of risks and trends; implement a risk appetite and framework to ensure risk-based decision making; and implement an enhanced governance structure to enable timely, transparent, and risk-intelligent decision making.

Policy Innovation: Develop policy instruments on stablecoins and start to build the Digital Regulatory Incubator; and review publications and release new guidelines and frameworks for key risk principles.

Data Management and Analytics: Further the Data Collection Modernization initiative, which aims to modernize the definition, collection, transformation and use of regulatory data; and develop and execute an enterprise data literacy strategy to make data and analytics an integral part of OSFI’s operations and decision making.

Crypto-Assets Part of 2023 Federal Budget

On March 28, 2023, the Government of Canada released its 2023 budget, proposing further measures to protect Canadians from emerging risks linked to crypto-assets. In the context of the failure of FTX and Signature Bank, Budget 2023 announced:

The Office of the Superintendent of Financial Institutions (OSFI) will consult federally regulated financial institutions on guidelines for publicly disclosing exposure to crypto-assets.

Federally regulated pension funds will be required to disclose their crypto-asset exposures to OSFI.

FCA Addresses Payments Firms

The Letter to payments firms was published on March 16 by the UK’s Financial Conduct Authority (FCA), highlighting concerns about insufficiently robust controls, which present an “unacceptable risk” to financial system integrity. Payment firms include Payment Institutions, Electronic Money Institutions and Registered Account Information Service Providers.

The FCA sets three outcomes and associated priorities to be attained by payment firms:

1. Ensuring customers’ money is safe by

a. Establishing safeguards, including

i) documented processes for identifying “Relevant Funds”

ii) adequate reconciliation procedures

iii) performing due diligence

iv) conducting annual audits of safeguarding arrangements

b. Improving prudential risk management through

i) appropriate liquidity risk management

ii) meeting capital requirements, taking into account the firm’s particular financial risks

iii) reviews of risk appetite and risk indicators

iv) scenario planning and stress-testing

v) financial resource planning on an ongoing basis

c. Creating and maintaining wind-down planning that is practical, usable and up to date


2. Ensuring the firm does not compromise financial system integrity by

a. Putting in place systems and controls to “identify, assess, monitor and manage money laundering risk”, including

i) KYC and risk-based due diligence

ii) robust and effective methodology for business-wide risk assessments

iii) regular review of risk assessments and control frameworks as threats evolve

iv) detailed and tailored policies and procedures

v) effective systems and controls to identify and manage sanctions exposure and risk

b. Addressing weaknesses in systems and controls to prevent fraud, including

i) customer education

ii) industry information sharing

iii) regular review of fraud prevention systems and controls

iv) appropriate customer due diligence during onboarding and on an ongoing basis

3. Meeting customers’ needs, ranging from the provision of high-quality products and services, to competition and innovation, to implementing the principle of “Consumer Duty”

In addition, the letter underscores three priorities that are important to achieve the above outcomes:

Governance and leadership

Operational resilience

T2 Officially Replaced TARGET2 in March 2023

Between 17 and 20 March 2023, the migration to the Eurosystem’s new real-time gross settlement (RTGS) system, T2, successfully took place (see our previous article on the subject here). Settling payments for monetary policy operations, bank-to-bank and commercial transactions, the T2 wholesale payment system settled approximately 400,000 transactions on its first day.

Regulatory reporting

Upcoming Regulatory Deadlines to Watch

Date: 10/05/2023
Issue to Watch: Discussion period ends for the UK Financial Conduct Authority’s discussion paper DP23/1: Finance of positive sustainable change, relative to governance, incentives and competence

Date: 22/05/2023
Issue to Watch: Deadline for comments on the UK Financial Conduct Authority’s discussion paper DP23/2: Updating and improving the UK regime for asset management

Date: 31/05/2023
Issue to Watch: Consultation period closes on Canada’s Office of the Superintendent of Financial Institutions (OSFI) Culture and Behaviour Risk Guideline

Product Corner

VASP: Quésaco?

The FATF defines a virtual asset service provider (VASP) as: “any natural or legal person who is not covered elsewhere under the Recommendations and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

Exchange between virtual assets and fiat currencies

Exchange between one or more forms of virtual assets

Transfer of virtual assets

Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets

Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset”

(FATF Updated Guidance on VA & VASP - read our summary.)

Financial institutions (FIs) and designated non-financial businesses and professions (DNFBPs) are excluded from this definition.

FATF provides practical guidance to determine whether or not an entity is a VASP; such determination must be made by taking into account the underlying financial services offered, not the entity’s own terminology regarding its activities or the technology used to conduct its activities.

About us

We help you understand the rules that govern your activities, services and products, enabling you to meet your ongoing regulatory obligations and navigate the ever-evolving, complex regulatory landscape.

Our team is composed of professionals with extensive experience serving the investment management, capital markets and asset servicing industries.

Complex landscape & widening gaps

Increasing regulatory requirements and the pace of change are making it harder for you to keep up with the pressures of compliance and managing cost-effective operations.

Current challenges

Investor demand for enhanced transparency and disclosure, data privacy, investor and consumer protection requirements, and AML/KYC concerns are some of the many challenges affecting the industry.

We provide practical and tailored solutions

Review and analysis of regulatory texts

Reporting

Response preparation

Compliance program development

Change management

Regulatory intelligence and training

Ongoing compliance support

Registrations

Contact us

Déborah Koualé, Founder & Director

deborah.kouale@ameiscorp.com

Ameis Regulatory Services focuses on providing regulatory and compliance support for fintech companies.