AMEIS RegFacts | December 2021 Regulatory Round-Up


DECEMBER 2021

AMEIS REGFACTS FINTECH & Financial Markets Regulatory News

In This Issue:
- PADs: Payments Canada Consults on Proposal to Revise Rule
- Incident Notification Rule: US Institutions to Notify Within 36 Hours
- French AMF Applies EBA Guidelines on Risk Factors
- UK FCA’s PS21/19 on SCA-RTS Changes
- CSSF Clarifies that AIFs Can Invest in Virtual Assets
- ESAP Scheduled to be Operational by End of 2025
- EC Revises AIFMD & UCITS
- MiCA and DORA: EU Council Agrees on Proposals
- Client Funds: EBA Recommends Harmonized Treatment
- Industry News
- AI: Quésaco?

WWW.AMEISCORP.COM


PADs Rule

Payments Canada Consults on Proposal to Revise Rule

Released on November 17, the Consultation Paper seeks to review the Pre-Authorized Debits (PADs) framework as set out in Payments Canada’s Rule H1. Rule H1 sets out the procedures for the Exchange for the purpose of Clearing and Settlement of PADs that are supported by an ongoing agreement between a Payor and/or a Payee.

PROPOSED POLICY CHANGES INCLUDE
- Updating the definition of ‘Commercially Reasonable’ to provide more clarity to Payees and Members
- Introducing one Payor PAD Agreement in place of the current two different types of Payor PAD Agreements (Electronic Agreements and Paper Agreements)
- Requiring the Payee to use a goods and services agreement that will be distinct from the Payor PAD Agreement, with the mandatory requirement that if the goods and services agreement has been cancelled by the Payor, the Payor PAD Agreement will be subject to automatic termination
- Updating the rules related to one-time PADs. The one-time PAD definition will also be subject to changes
- Updating the Payee Letter of Undertaking to outline what type of information a third-party/Payment Service Provider must ensure their client includes in the Payor PAD Agreement
- Modifying Rule H1 Appendix II to integrate the jurisdiction of Payor PAD Agreements and clarify the requirement for authorization for Funds Transfer PADs from a joint bank account
- Adding requirements for Payee-initiated cancellation of a PAD Agreement
- Allowing recorded submission of Business PAD reimbursement claims

Feedback deadline on January 14, 2022

Interested parties should provide their feedback by January 14, 2022 to consultation@payments.ca



Incident Notification Rule

US Institutions to Notify Within 36 Hours

On November 18, the Board of Governors of the Federal Reserve System (“Federal Reserve”), Office of the Comptroller of the Currency (“OCC”) and Federal Deposit Insurance Corporation (“FDIC”) finalized the Computer-Security Incident Notification Requirements (the ‘Notification Rule’) for banking organizations and their service providers. First introduced in December 2020, the Notification Rule expands and clarifies existing notification requirements for financial institutions, which are primarily focused on consumer protection and suspicious activity reporting.

KEY HIGHLIGHTS INCLUDE

Notification requirements applicable to Banking Institutions
- Timing of notification to Agencies: Notification to be done as soon as possible and no later than 36 hours
- Method of notification to Agencies: Banking institutions are only required to indicate that a notification incident has occurred by using any form or template (email, telephone, or other similar method prescribed by the agencies)

Notification requirements applicable to Bank Service Providers
- Timing of Bank Service Provider Notification to banking organization customers: Notice must be provided as soon as possible by the Bank Service Provider when the determination has been made that it has experienced a notification incident.
- Bank Service Provider Notification to banking organization customers: These entities must notify “at least one bank designated point of contact at each affected banking organization customer.” If no such contact has been designated, the financial institution’s chief executive officer and chief information officer (or two individuals with comparable responsibilities) must be notified.

Definitions

A “computer-security incident” is defined in the Final Rule as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”



A “notification incident” is defined as “a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s —
- Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
- Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”

Requirements effective as of April 1, 2022

The Notification Rule is scheduled to take effect on April 1, 2022, with full compliance required by May 1, 2022.

EBA Guidelines

French AMF Applies EBA Guidelines on Risk Factors

On November 24, the French Autorité des Marchés Financiers (‘French AMF’) released Position DOC-2019-14 (‘the Position’), applicable to entities such as asset management companies and financial investment advisors. The Position includes general guidelines (identifying, assessing and categorising AML/CTF risks) as well as sector-specific ones (e.g., guidelines applicable to asset management companies in connection with their discretionary portfolio management activity and investment advisory services).

AMF General Regulation

This Position, which incorporates European Banking Authority (EBA) guidelines on risk factors, sets out factors that firms should take into account when assessing the money laundering and terrorist financing (AML/CFT) risks associated with a business relationship or occasional transaction, and how firms should adjust their customer due diligence processes. The provisions of this Position are reflected in the French AMF General Regulation.



PS21/19

UK FCA’s PS21/19 on SCA-RTS Changes

On 29 November 2021, the Financial Conduct Authority (FCA) published Policy Statement 21/19 ‘Changes to the SCA-RTS and to the guidance in ‘Payment Services and Electronic Money – Our Approach’ and the Perimeter Guidance Manual’ (PS21/19). This policy statement is applicable to entities such as payment institutions, e-money institutions and registered account information service providers, credit institutions providing payment services and/or issuing e-money, retailers, and those involved in open banking initiatives.

HIGHLIGHTS OF TECHNICAL STANDARDS AND APPROACH

PS21/19 includes changes to the technical standards on strong customer authentication and secure communication (SCA-RTS) which include:
- A new SCA exemption permitting customers not to reauthenticate with their account servicing payment service provider (ASPSP) every 90 days when accessing their account information through a third-party provider (TPP). TPPs will only need to reconfirm customers’ consent, not SCA, every 90 days.
- Requiring certain ASPSPs to provide dedicated interfaces to enable TPP access to customer account information for retail and SME payment accounts.
- Amending requirements on providing interface technical specifications, testing interfaces and fallback interfaces by ASPSPs, intended to let ASPSPs innovate and launch products and services more quickly.
- Allowing ASPSPs with a deemed authorisation under the Temporary Permissions Regime (TPR) to rely in the UK on an exemption from setting up a fallback interface granted by an EU competent authority.

PS21/19 also focuses on the FCA’s approach to payment services and e-money (AD) and its Perimeter Guidance Manual (PERG) to respectively:
- Clarify its expectations of firms and provide further guidance regarding prudential risk management, safeguarding of customer funds and regulatory reporting
- Update PERG to provide additional guidance on certain exclusions from the Payment Services Regulations (PSRs) and Electronic Money Regulations (EMRs)



AIFs & Virtual Assets

CSSF Clarifies that AIFs Can Invest in Virtual Assets

On November 29, the Luxembourg Supervision Commission of the Financial Sector (CSSF) published guidance in the form of an FAQ for Undertakings for Collective Investment (UCIs). This document provides practical responses to issues related to investments in virtual assets by undertakings for collective investment in transferable securities (UCITS), alternative investment funds (AIF) and Luxembourg investment fund managers (IFM) as well as any mitigation of money laundering and terrorist financing (ML/TF) and proliferation financing.

KEY POINTS
- UCITS, UCIs addressing non-professional customers and pension funds are not allowed to invest directly or indirectly in virtual assets.
- Assets that qualify as financial instruments, such as shares of companies active in the virtual asset ecosystem, may potentially fall within the scope of eligible investments for UCITS.
- AIFs with an authorised AIFM may invest directly and indirectly in virtual assets under the cumulative condition that (i) the AIF markets its units only to professional investors and (ii) the authorised AIFM obtains an extension of authorisation from the CSSF.
- An authorised Investment Fund Manager (“IFM”) which intends to manage an AIF, regulated or not, investing in virtual assets, must obtain prior authorisation from the CSSF for the strategy “Other-Other Fund-Virtual assets”.

The IFM is required to submit some information/documentation:
- Description of the project and of the different service providers/delegates involved
- Information on whether or not the investments in virtual assets will be made directly or indirectly
- An updated risk management policy including in particular how the risks in relation to the virtual assets are managed
- An updated valuation policy including the rules as to how the value of the virtual assets will be determined
- Description regarding the experience of the portfolio manager in virtual assets
- Description of how the custody of the assets will be organised by the depositary
- Information regarding the targeted investors and the distribution channels of the AIF
- The IFM’s AML/CTF analysis on the assets side



The Responsable du Contrôle and the Responsable du Respect (RR) of supervised entities investing in virtual assets must demonstrate that they have an adequate understanding of the related ML/TF risks and the necessary framework to mitigate them. In this regard, the CSSF refers to specific guidelines including the FATF Guidance for a Risk-Based Approach to Virtual Assets and VASPs that we have previously written about here.

Additional FAQs available in December 2021

A second FAQ focusing on virtual assets for Credit institutions will be published in the second half of December 2021.

ESAP Scheduled to be Operational by End of 2025

On November 25, the European Commission (EC) released a proposed regulation establishing a European Single Access Point (ESAP) that will provide investors with seamless access to centralised public financial and sustainability-related company information. This would allow investors to make informed decisions. The information will be collected by collection bodies designated for the purpose of collecting the information and whose list would be included on the ESAP portal by ESMA.

KEY POINTS

Part of the Capital Markets Union (CMU) action plan, ESAP will amongst others:
- Provide a web portal with a user-friendly interface in all the official languages of the Union, including functionalities such as an API, a search function in all official languages of the Union, an information viewer, and a notification service informing users of any new information in the portal. Searches should use metadata such as the name of the entity or the legal entity identifier (LEI).



- Enable anyone to have direct and immediate access free of charge to the information available in the portal. Some fees may be applicable in certain circumstances (e.g., searching for a very large volume of information). This includes access to information relevant to financial services and capital markets that is made public on a voluntary basis.
- Allow investors, market participants, advisors and the public at large to obtain other non-financial information that an entity wants to make accessible.
- Allow the use and re-use of information accessible on ESAP in accordance with the existing regulatory requirements.

Format requirements

Entities would need to provide the required information in a data-extractable format or a machine-readable format, complying with the principle of data minimisation to ensure that personal data are not included, subject to exceptions. The EU Commission's proposal is currently under review by the EU Parliament and the Council of the EU.

AIFMD & UCITS

EC Revises AIFMD & UCITS

Published on November 25 by the European Commission (‘Commission’), the legislative proposal amends, among other things, the Alternative Investment Fund Managers Directive (AIFMD – Directive 2011/61/EU) and the Undertakings for Collective Investment in Transferable Securities Directive (UCITS – Directive 2009/65/EC). The changes focus on delegation arrangements, liquidity risk management, supervisory reporting and the regulatory treatment of depositary and custody services. AIFMD alone would be amended as regards activities of loan-originating investment funds and access to depositary services across borders.



HIGHLIGHTS OF KEY CHANGES

The breakdown of the changes includes:
- Harmonisation of the rules for the managers of alternative investment funds (‘AIFMs’) managing loan-originating AIFs, to clarify standards applicable to AIFMs that delegate their functions to third parties.
- The UCITS framework will be aligned with AIFMD by requiring that UCITS management companies justify their entire delegation structure.
- AIFMs’ list of authorised ancillary services will be extended to include benchmark administration and credit servicing.
- AIFMs will be required, at the time of application for an authorisation, to provide competent authorities with information about the human and technical resources that the AIFM will employ to carry out its functions and, where applicable, to supervise delegates.

The legislative proposal is now subject to the EU legislative review process before it is agreed and published in the Official Journal of the EU. Member States will have 24 months after the entry into force of the directive to transpose the new rules into national legislation.

MiCA & DORA

EU Council Agrees on Proposals

On November 24, the EU Council adopted its position on two proposals, namely the ‘Regulation on Markets in Crypto Assets’ (MiCA) and the ‘Digital Operational Resilience Act’ (DORA). This agreed position now forms the EU Council’s negotiating mandate for negotiations with the European Parliament, with a view to reaching agreement at first reading.



KEY HIGHLIGHTS

First introduced on 24 September, the European Commission "Digital Finance Package" consists of:
- A digital finance strategy
- A renewed strategy for modern and safe retail payments
- Four legislative proposals: a proposal for a regulation on markets in crypto-assets (MiCA); a proposal for a regulation on digital operational resilience (DORA); a proposal for a regulation on a pilot regime for market infrastructures based on distributed ledger technology (DLT pilot regime); and a complementing proposal for a Directive amending several directives (Amending Directive).

The Package will enable a competitive, innovative and digitally-resilient financial market while at the same time preserving consumer protection and financial stability. While the MiCA proposal will create a framework for the issuance of crypto-assets and the provision of services related to them, the DORA proposal aims to strengthen the digital operational resilience of financial institutions through stringent and robust regulation of information and communication technology (ICT) related risks. For more information on MiCA and DORA read our previous summary here.

Client Funds

EBA Recommends Harmonized Treatment

On October 28, the European Banking Authority (EBA) published an Opinion on the treatment of client funds under the Deposit Guarantee Schemes Directive. This was published after observing disparities in the protection of client funds placed with banks by entities such as payment institutions (PIs), e-money institutions (EMIs) and investment firms (IFs) throughout the EU.



HIGHLIGHTS OF RECOMMENDATIONS

Coverage of client funds placed with credit institutions

Clarified that clients' funds deposited with a credit institution by EMIs, PIs and IFs must be covered by the deposit guarantee schemes (DGS) in case the credit institutions fail. This must be applicable when the:
- Funds are deposited on behalf of clients who are not themselves excluded from coverage under the Directive
- Funds are deposited for the purpose of segregating them from the account holders’ own funds as required by law
- Clients are identifiable

This clarification will enable a harmonized application of the rules across the EU.

Reimbursement of client funds

Clarified, where national law allows, that DGSs are free to choose between 2 options:
- Reimbursement of the client funds in beneficiary accounts directly to the ultimate beneficiaries
- Reimbursement of the client funds to the beneficiary account of the account holder in another credit institution

In ‘exceptional circumstances’ the DGS shall be prevented from repaying client funds directly and instead be required to repay to a beneficiary account of the account holder in another credit institution.

DGS contributions taking into account client funds

Client funds must be considered when calculating contributions to DGS funds, with details to be set out in a revision of the EBA Guidelines on methods for calculating contributions to DGSs.

Advice on treatment of client funds

This Opinion follows the Commission's request to the EBA to provide further technical advice on issues regarding the treatment of client funds placed with credit institutions by other credit institutions, PIs, EMIs, IFs and other financial technology companies. The Opinion serves as the final report to the Commission with the aim to inform the Commission’s proposals for a revised DGSD, which the Commission intends to publish in Q4 2021.



Industry News

US Agencies Roadmap for Crypto-Assets Regulation

On November 23, the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency (collectively, agencies) published a joint statement on their crypto-asset policy sprint initiative and next steps. The analysis focused on developing common vocabulary regarding the use of crypto-assets by banking organizations, identifying and assessing key risks, and analyzing the applicability and clarity of existing regulations and guidance.

HIGHLIGHTS

The sector of crypto-assets (digital assets implemented using cryptographic techniques) presents opportunities and risks for the financial system. To analyze and provide coordinated regulatory clarity, the agencies conducted a series of inter-agency “policy sprints”, bringing together various subject matter experts to analyze crypto-asset activities including:
- Custody of crypto-assets
- Facilitation of crypto-assets purchases and sales
- Loans collateralized by crypto-assets
- Payments
- Holding of crypto-assets on a banking organization’s balance sheet

Throughout 2022, the roadmap will include providing greater clarity on:
- Crypto-asset safekeeping and traditional custody services
- Ancillary custody services
- Facilitation of customer purchases and sales of crypto-assets
- Loans collateralized by crypto-assets
- Issuance and distribution of stablecoins
- Activities involving the holding of crypto-assets on balance sheet

Further requests for information may be forthcoming on these topics.



Crypto Activities: US Banks to Obtain Non-Objection Notice

On November 23, the Office of the Comptroller of the Currency (OCC) published a letter confirming that banks must demonstrate that they have adequate controls in place before engaging in certain cryptocurrency, distributed ledger, and stablecoin activities. This letter follows the release of the interagency statement on the crypto-asset policy sprint initiative and forms part of overall initiatives to provide clarity about crypto-assets and the federal banking system.

HIGHLIGHTS

Interpretive Letter #1179 provides a roadmap for banks to engage with the supervisory offices. After notifying its supervisory office of an intent to engage in cryptocurrency, distributed ledger, and stablecoin activities, the bank will receive a written notification of the supervisory office's non-objection, before which the bank should not engage. To obtain supervisory non-objection, a bank should demonstrate the establishment of an appropriate risk management and measurement process for the proposed activities, including having:
- Adequate systems in place to identify, measure, monitor, and control the risks of its activities
- The ability to do so on an ongoing basis
- An understanding of compliance obligations related to the specific activities, including requirements under federal securities laws, the Bank Secrecy Act, anti-money laundering, the Commodity Exchange Act, and consumer protection laws

Subsequently, the supervisory office will evaluate the adequacy of a bank’s risk measurement and management information systems and controls to provide cryptocurrency, distributed ledger, and stablecoin activities on a safe and sound basis.



US Regulators Instruct to Monitor Use of AI

On November 29, the United States House of Representatives Committee on Financial Services published their response to the request for information on financial institutions’ use of artificial intelligence (AI), including machine learning (ML). As the Committee previously outlined, “any use of AI in the financial services industry must emphasize principles of transparency, enforceability, privacy and security, and fairness and equity, with strict scrutiny on financial institutions that exhibit algorithmic bias or engage in technological redlining.”

HIGHLIGHTS

To understand and analyze the issues, the Committee launched a task force last Congress on AI which examined various topics, including:
- How to reduce AI bias
- The impact of AI on capital markets
- AI usage by cloud computing providers

This Congress, the task force continued investigations on whether emerging technologies such as AI are serving the needs of consumers, investors, small businesses, and the American public, in particular:
- How the use of human-centred AI/ML can build equitable algorithms and address systemic racism in housing and financial services
- How financial institutions increasingly relied on AI to create and authenticate digital identities of clients
- How governments, industry and civil society must build better AI ethical frameworks

The Committee highlighted racial bias concerns in AI/ML technology, citing that models have been found to be discriminatory, with some algorithms exacerbating bias on protected groups. As such, the Committee outlined the following guiding principles to AI regulation:
- Transparency and explainability
- Oversight and enforceability
- Safeguarding consumer privacy, including preventing cyberattacks from hackers, including foreign adversaries
- Promoting fairness and equity in AI usage, proactively addressing algorithmic bias



IOSCO Completes Report on ESG Ratings & Data Products Providers

On November 23, the Board of the International Organization of Securities Commissions (IOSCO) published final recommendations applicable to the regulatory framework for Environmental, Social and Governance (ESG) Ratings and Data Product Providers. The recommendations promote more transparency, thereby increasing trust in ESG ratings and data.

HIGHLIGHTS

Following a prior consultation in July (read our previous article here), IOSCO sought to understand the “implications of the increasingly important role of ESG ratings and data products for financial markets”. Their work revealed that there is:
- Little clarity and alignment on definitions
- A lack of transparency about the methodologies underpinning these ratings or data products
- Uneven coverage of products offered, thereby leading to gaps for investors seeking to follow certain investment strategies
- Concern about the management of conflicts of interest when providers of ESG ratings and data products provide consulting to companies that are subject to the ESG ratings or data products
- A need for better communication, given the importance of ensuring the ESG ratings or other data products are based on sound information

IOSCO believes that there are various areas that could be improved from the users’ perspective:
- Reliability of raw ESG data, contributing to enhancing the quality and consistency of ESG ratings and data products
- Transparency on ESG ratings methodology and ESG data products to improve user ability to understand and interpret provider outputs
- Reliability of ESG ratings and data products and potential conflicts of interest to help users make more informed investment decisions
- Communication between ESG ratings and data products providers and entities with the goal of improving transparency on how ratings are derived and reducing errors leading users to make investment decisions based on erroneous information



In summary, IOSCO’s high-level recommendations relate to:
1. Authorities’ considerations concerning ESG ratings and data products including the adoption of procedures to ensure the issuance of high quality ESG ratings and data products using transparent and defined methodologies, to ensure decisions are independent, and to make public disclosure and transparency a priority
2. Market participants’ use of ESG ratings and data products to conduct due diligence
3. ESG ratings and data products providers’ interaction with entities subject to assessment to improve efficient information procurement and objectivity
4. Covered entities’ interactions with ESG ratings and data products providers to streamline disclosure processes

Product Corner

Artificial Intelligence (AI): Quésaco?

Put simply, Artificial Intelligence (AI) leverages computers and machines to mimic the problem-solving and decision-making capabilities of the human mind. Well, in practice it is ‘a bit’ more complicated than that… Alan Turing, considered as the founding father of AI, defines it as “the science and engineering of making intelligent machines, especially intelligent computer programs.” The UK Information Commissioner (ICO) defines AI ‘as an umbrella term for a range of algorithm-based technologies that solve complex tasks by carrying out functions that previously required human thinking. Decisions made using AI are either fully automated, or with a ‘human in the loop’. As with any other form of decision-making, those impacted by an AI supported decision should be able to hold someone accountable for it.’ An AI technology combines and utilises mainly machine learning (ML) and other types of data analytics methods to achieve artificial intelligence capabilities.

AI can have many uses including in:
- Asset management to improve portfolio management, trading, and risk management practices by increasing efficiency, accuracy, and compliance
- Policing to target interventions
- Healthcare to detect early signs of illness and diagnose disease
- Marketing to target products and services to consumers



AI can, however, pose a risk to data privacy, considering the amount of personal data organizations have to process to meet their business needs. Policy makers and regulators around the globe are therefore increasingly imposing certain limits (e.g., Bill 64 in Quebec or GDPR in the EU).

Resources on AI

Want to know more about AI and what the implications are for your organization? Have a look at the UK Information Commissioner’s (ICO) Guidance on AI and Data Protection that outlines best practices for data protection-compliant AI, and provides ICO’s interpretation of data protection law as it applies to AI systems that process personal data. The Guidance also includes a toolkit providing practical support to organisations auditing the compliance of their own AI systems. You can also read our article on this Guidance. The Guidance will be of interest for those with a compliance focus (e.g., data protection officers (DPOs), general counsel, risk managers, senior management) and technology specialists, including machine learning experts, data scientists, software developers and engineers, and cybersecurity and IT risk managers. We also recommend the International Organization of Securities Commissions’ (IOSCO) Final Report providing guidance to its members on the regulation and supervision of the use of AI & ML by market intermediaries and asset managers. We also write about it here.



Ameis Regulatory Services focuses on providing regulatory and compliance support for fintech companies

About us

We help you understand the rules that govern your activities, services and products, enabling you to meet your ongoing regulatory obligations and navigate the ever-evolving, complex regulatory landscape.

Our team is composed of professionals with extensive experience serving the investment management, capital markets and asset servicing industries.

Current challenges

Complex landscape & widening gaps

Increasing regulatory requirements and the pace of change are making it harder for you to keep up with the pressures of compliance and managing cost-effective operations.

Investor demand for enhanced transparency and disclosure, data privacy, investor and consumer protection requirements, and AML/KYC concerns are some of the many challenges affecting the industry.

We provide practical and tailored solutions
- Review and analysis of regulatory texts
- Reporting
- Response preparation
- Compliance program development
- Change management
- Regulatory intelligence and training
- Ongoing compliance support
- Registrations

Contact us
Déborah Koualé, Founder & Director deborah.kouale@ameiscorp.com
Carolyn Le Quéré, Director carolyn.lequere@ameiscorp.com

