AMEIS RegFacts | February 2021 Regulatory Round-Up


FEBRUARY 2021

AMEIS REGFACTS FINTECH - Related Regulatory & Compliance News

In This Issue:
- UK's ICO New Data Analytics Toolkit Released (page 1)
- UK's ICO Clarifies Requirements for Transfer of Data to the SEC (page 2)
- US Agencies' Proposed Rulemaking on Notification Requirements for Computer-security Incidents (page 3)
- Market Insights: ISDA's Legal Guidelines for Smart Derivatives Contracts and BISIH 2021/22 Work Programme (page 4)

www.ameiscorp.com


UK's ICO New Data Analytics Toolkit Released

Following the UK Information Commissioner's Office (ICO) Guidance on AI and data protection published last year, the ICO recently released its new data analytics toolkit for organisations considering using data analytics.

Key Takeaways:
1) The toolkit is addressed to organisations that are at the beginning of their data analytics project lifecycle.
2) The toolkit does not provide an exhaustive or definitive list of issues to consider, so organisations should use the toolkit taking into consideration their specific activities and projects.
3) The questions that organisations should respond to are divided into four themes, namely:
- Lawfulness (DPA 2018, GDPR, etc.)
- Accountability and governance
- Data protection principles
- Data subject rights

As a starting point, the toolkit is designed to help organisations consider the risks to rights and freedoms in the context of data protection law. It defines data analytics as: “the use of software to automatically discover patterns in data sets (where those data sets contain personal data) and use them to make predictions, classifications, or risk scores.” The toolkit takes users through a brief series of questions to help orient them to the relevant considerations. After responding to these questions, the user receives a summary guidance report on next steps and appropriate measures to implement data protection principles. The toolkit is mainly useful for organisations at the beginning of their data analytics project lifecycle, and organisations should not rely on it to ensure effective and full compliance with data protection regulatory requirements.



UK's ICO Clarifies Requirements for Transfer of Data to the SEC

The letter, dated 11 September 2020 but published on the ICO's website on January 19, 2020, clarifies that SEC-regulated UK firms must comply with the rules on international transfers set out in Chapter V of the GDPR when transferring data to the SEC.

Article 44 of the GDPR sets out the general principle that 'all provisions in this chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined'. The ICO expects UK firms and the SEC to use the transfer tools provided in the GDPR and to rely on the derogations provided in the regulations, including Article 49, on a case-by-case basis. Indeed, Article 49.1(d) authorises the transfer of personal information by SEC-regulated UK firms to the SEC when the transfer is necessary for important reasons of public interest. The ICO determined that:
- There are important reasons of public interest embedded in UK law. Both the SEC and the FCA are signatories of the FSB and recognise the IOSCO Objectives and Principles; thus, compliance by SEC-regulated UK firms with SEC rules helps prevent financial crime.
- Transfers of data pursuant to Article 49 must meet the necessity principle, meaning that transfers must be of "strict necessity" for important reasons of public interest. SEC requests must be strictly necessary and proportionate to ensure regulatory compliance.

Key Takeaways:
- Companies must ensure compliance with the requirements under Article 49 of the GDPR but also continue to comply with their other GDPR obligations.
- UK-based firms should undertake an appropriate impact analysis to identify the cases to which the derogation from the transfer tools applies.
- UK-based firms must implement the relevant processes and procedures to ensure that the necessity principle is consistently met.
- UK-based companies subject to SEC regulation must provide privacy notices to their clients regarding, among other things, potential transfers to the SEC.



US Agencies' Joint Proposed Rulemaking on Notification Requirements for Computer-security Incidents

The Office of the Comptroller of the Currency, the Federal Reserve System and the Federal Deposit Insurance Corporation provided notice of proposed rulemaking concerning notification requirements for computer-security incidents for banking organizations and their bank service providers. The proposed rulemaking was submitted for comments in January 2021 and, if finalized, would require banking organizations and bank service providers to notify regulators upon the occurrence of an incident, such as a data breach, as soon as possible and no later than 36 hours, with the expectation that only general information about what is known at the time of the incident be communicated.

A banking organization would be required to notify its primary federal regulator in the event of a “notification incident,” defined as 'a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair:
(i) The ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(ii) Any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
(iii) Those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.'

A banking organization and a bank service provider would be allowed to use any means of communication, including technological means, to send the information to the primary federal regulator; that information would be subject to the confidentiality rules.

In addition, a bank service provider would be required to notify at least two individuals at affected banking organization customers immediately after the occurrence of a computer-security incident that it believes could disrupt, degrade, or impair the services provided for four or more hours. Interested stakeholders must provide their comments by April 12, 2021.



Market Insights

ISDA Released Legal Guidelines for Smart Derivatives Contracts: FX Derivatives

These guidelines aim to provide guidance to firms designing and implementing technological solutions for foreign exchange derivatives (“FX”) and include an overview of the legal and documentary framework used for FX transactions. They also outline certain issues that should be considered by developers.

BISIH - 2021/22 Work Programme Released

The Bank for International Settlements' Innovation Hub (BISIH) published its 2021/22 programme, focusing on six key areas related to innovative financial technology:
- Suptech and Regtech: AI/ML, market monitoring, data analytics.
- Next-generation financial market infrastructures: capital markets projects, foundational digital infrastructures, tokenisation of assets, cross-border payments and payment infrastructures.
- Central bank digital currencies: wholesale and general-purpose CBDC, in-house DLT capacity.
- Open finance: APIs in the open banking context and related data issues.
- Cyber security.
- Green finance.

The goal of the BISIH is to investigate the technological and practical feasibility of particular designs and products.

Stay up-to-date with REGFACTS, INDUSTRY NEWS & TRENDS by Ameis Regulatory Services.



Ameis Regulatory Services focuses on providing regulatory and compliance support for fintech companies

About us

Complex landscape & widening gaps

We help you understand the rules that govern your activities, services and products, enabling you to meet your ongoing regulatory obligations and navigate the ever-evolving, complex regulatory landscape.

Our team is composed of professionals with extensive experience serving the investment management, capital markets and asset servicing industries.

Current challenges

Increasing regulatory requirements and the pace of change are making it harder for you to keep up with the pressures of compliance and managing cost-effective operations.

Investor demand for enhanced transparency and disclosure, data privacy, investor and consumer protection requirements, and AML/KYC concerns are some of the many challenges affecting the industry.

We provide practical and tailored solutions:
- Review and analysis of regulatory texts
- Reporting
- Response preparation
- Compliance program development
- Change management
- Regulatory intelligence and training
- Ongoing compliance support
- Registrations

Contact us
Déborah Koualé, Founder: deborah.kouale@ameiscorp.com
Carolyn Le Quéré: carolyn.lequere@ameiscorp.com

www.ameiscorp.com
