AMEIS RegFacts | January 2023


January 2023 | AMEIS REGFACTS | FINTECH & Financial Markets Regulatory News | WWW.AMEISCORP.COM

In This Issue:

CSA Strengthens Requirements for CTPs Operating in Canada .......... 1
CSA & IIROC Seek Feedback on Short Selling .......... 2
CSA Outlines Steps to Support Transition to T+1 .......... 3
Complaints & Disputes: AMF Consults on Updated Draft Regulation .......... 4
DORA Enters Into Force on 16 January 2023 .......... 5
EBA Publishes Guidelines on Remote Customer Onboarding .......... 7
Industry News .......... 8
ICT Systems: Quésaco? .......... 12

Crypto Trading

CSA Strengthens Requirements for CTPs Operating in Canada

In a statement released on December 12, 2022, the Canadian Securities Administrators (CSA) announced the expansion of existing requirements for crypto trading platforms (CTPs) operating in Canada.

Furthermore, the CSA reminds CTPs that they are prohibited from permitting Canadian clients to trade, or obtain exposure to, any crypto asset that is itself a security and/or a derivative; this may include stablecoins where the CTP has determined that they fall under the definition of a security and/or a derivative.

REQUIREMENTS

More specifically, the statement announced:

A CTP subject to securities legislation in Canada that neither provides a pre-registration undertaking (PRU) to its principal regulator by the prescribed deadline nor ceases operating would be subject to all applicable regulatory options, including enforcement action.

CTPs that provide a PRU will have to comply with expanded terms and conditions, including, among other things, requirements to hold Canadian clients’ assets with an appropriate custodian and to segregate these assets from the platform’s proprietary business.

WWW.AMEISCORP.COM 1

Short Selling

CSA & IIROC Seek Feedback on Short Selling

On December 8, 2022, the Canadian Securities Administrators (CSA) and the Investment Industry Regulatory Organization of Canada (IIROC) published for comment Staff Notice 23-329 Short Selling in Canada.

The Staff Notice revisits the current regulatory requirements and related initiatives with respect to short selling.

CONSIDERATIONS

Questions that stakeholders should consider touch on various topics, including:

Tick test

Short selling and pre-borrow requirements

IIROC’s Extended Failed Trades requirements

Transparency of short selling positions

Buy-in and close-out requirements

Comments must be submitted in writing on or before March 8, 2023.


Trade Settlement Cycle

CSA Outlines Steps to Support Transition to T+1

On December 15, 2022, the Canadian Securities Administrators (CSA) published for comment proposed rule amendments to National Instrument 24-101 Institutional Trade Matching and Settlement (NI 24-101) to support the transition from a two-day Canadian trade settlement cycle (T+2) to a one-day settlement cycle (T+1).

The move to a T+1 settlement cycle is scheduled to take effect in 2024, ‘at the same time as the markets in the United States move to a T+1 settlement cycle’, in order to facilitate the updating of procedures and processes.

AMENDMENTS

The NI 24-101 amendments include, among others:

The repeal of “T+2”

The requirement for registered dealers and registered advisers to have policies and procedures in place designed to achieve institutional trade matching by 9 p.m. Eastern Time on the date of a trade (T), as opposed to the current requirement of 12 p.m. (noon) Eastern Time on T+1

Amendments to Form 24-101F2 Clearing Agency Quarterly Operations Report of Institutional Trade Reporting and Matching and Form 24-101F5 Matching Service Utility Quarterly Operations Report of Institutional Trade Reporting and Matching

The repeal of the Exception Reporting Requirement

The addition of a reference to cyber-resilience in the system requirements

The NI 24-101 Companion Policy is being amended accordingly.

As outlined in CSA Staff Notice 81-335, which was released the same day, the CSA is not amending National Instrument 81-102 Investment Funds to mandate a shorter settlement cycle.

NI 24-101 came into force in 2007 and was intended to provide a legislative framework to ensure more efficient and timely processing and settlement of institutional trades in Canada. It requires institutional trading participants to establish processes and procedures that allow trade matching within prescribed time limits.

Comments should be submitted by March 17, 2023.


Complaints and Disputes

AMF Consults on Updated Draft Regulation

On December 8, 2022, the Québec Autorité des Marchés Financiers (AMF) released its updated Draft Regulation respecting complaint processing and dispute resolution in the financial sector (the Updated Draft Regulation).

The Updated Draft Regulation builds on the comments received by the AMF on the previous Draft Regulation, first published on September 9, 2021, with the aim of proposing a framework that complements the complaint processing and dispute resolution obligations already imposed on financial institutions and financial intermediaries, amongst others.

DRAFT REGULATION

Of note, the Updated Draft Regulation:

Broadens the definition of ‘complaint’ and sets out the [cumulative] conditions under which a communication should be entered in the complaint register

Changes the rules and practices relating to the simplified process for certain complaints: (i) the possibility of processing certain complaints verbally and (ii) the option of entrusting the processing of such complaints to dedicated customer service teams. However, the simplified process is only available for complaints whose processing can be completed within 10 days following receipt

Provides for the possibility, under conditions determined by regulation, of extending the time period for processing a complaint beyond 60 days following receipt of the complaint. Entities (e.g. financial institutions or financial intermediaries) could have an additional 30 days to process a complaint

Comments should be submitted by February 6, 2023, and coming into force is scheduled for January 1, 2024.


Digital Operational Resilience

DORA Enters Into Force on 16 January 2023

On 28 November 2022, the EU Council adopted the Regulation on digital operational resilience for the financial sector (DORA).

On December 14, 2022, Regulation (EU) 2022/2554 on digital operational resilience for the financial sector and Directive (EU) 2022/2556 as regards digital operational resilience for the financial sector were both published in the Official Journal of the EU.

KEY OBLIGATIONS

DORA imposes obligations on both financial entities and ICT third-party service providers, including designated ‘critical’ ICT service providers (read our previous articles here and here). It consolidates and upgrades firms’ capacity to withstand information and communication technology (ICT)-related disruptions and threats through, among others:

A sound ICT-risk management framework

The use and ongoing maintenance of appropriate and reliable ICT systems, protocols and tools

The identification, classification and adequate documentation of all ICT supported business functions, roles and responsibilities, as well as the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk

Protection and prevention through the continuous monitoring and control of the security and functioning of ICT systems and tools; the design and implementation of ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems.

Implementation of mechanisms to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure

Implementation of a comprehensive ICT business continuity policy for timely response and recovery actions

Development and documentation of backup policies and procedures, restoration and recovery procedures and methods to ensure the restoration of ICT systems and data with minimum downtime, limited disruption and loss


Learning and evolving, including capabilities and staff to gather information on vulnerabilities and cyber threats as well as ICT-related incidents. Post-incident reviews should also be conducted after the occurrence of a major ICT-related incident to help analyse its cause and identify the required improvements to ICT operations

Implementation of an ICT-related incident management process to detect, manage and notify ICT-related incidents

Reporting of major ICT-related incidents and voluntary notification of significant cyber threats

Requirements for the performance of digital operational resilience testing (e.g. testing of ICT tools and systems…)

Management of ICT third-party risk

‘Financial entity’ is defined to include a broad range of entities such as investment firms, management companies, payment institutions, banks, insurance companies and crypto-asset service providers.

DORA will apply from 17 January 2025.


Anti-Money Laundering

EBA Publishes Guidelines on Remote Customer Onboarding

Issued on November 22, 2022 by the European Banking Authority (EBA), the Guidelines apply to all credit and financial institutions that are within the scope of the Anti-Money Laundering Directive (AMLD) and set out the steps these institutions should follow to choose adequate tools for safe and effective remote customer onboarding.

HIGHLIGHTS OF KEY REQUIREMENTS

Implementation and maintenance of policies and procedures for an effective remote customer onboarding process that (i) include an explanation of the features and functioning of the solution; (ii) take into account the risk factors; (iii) distinguish which steps are fully automated and which steps require human intervention

Submission of the aforementioned policies and procedures for management’s approval, and a pre-implementation assessment of the remote customer onboarding solution (i.e. adequacy of the solution; assessment of the impact of using such a solution on business-wide risks (ML/TF, operational, reputational and legal risks); identification of possible mitigating measures and remedial actions)

Ongoing monitoring of the remote customer onboarding solution: policies and procedures must include the information required by the Guidelines, including a description of at least a) the steps entities will take to be satisfied of the ongoing quality, completeness, accuracy and adequacy of the data collected during the remote customer onboarding process; b) the scope and frequency of such regular reviews

Identification of natural persons (e.g. what information is manually entered by the customer, automatically captured from the documentation provided by the customer, or gathered using other internal or external sources…) vs. legal entities (e.g. which categories of legal entities they will onboard remotely, taking into account the level of ML/TF risk associated with each category, and the level of human intervention required to validate the identification information)

Document authenticity & integrity (e.g. ascertain that the reproduction of an original document is reliable, ensure that tools such as Optical Character Recognition (OCR) algorithms or Machine Readable Zone (MRZ) verifications capture information in an accurate and consistent manner, verify the security features embedded in the official document where possible…)

Match customer identity as part of the verification process: entities must, amongst others, ensure that (i) there is a match between the visible information of the natural person and the documentation provided; (ii) where the customer is a legal entity, it is publicly registered, where applicable; (iii) where the customer is a legal entity, the natural person that represents it is entitled to act on its behalf.


Privacy By Design Will Become an ISO Standard on Feb. 8

The International Organization for Standardization (ISO) will adopt Privacy By Design (PbD) as ISO 31700. In 2018, ISO formed the group Consumer protection: privacy by design for consumer goods and services to start planning for the inclusion of PbD in its standards.

Privacy by Design is a set of principles that calls for privacy to be taken into account throughout an organization, encompassing IT systems, accountable business practices, physical design and networked infrastructure.

The 7 foundational principles are:

1. Proactive not Reactive; Preventative not Remedial

2. Privacy as the Default Setting

3. Privacy Embedded into Design

4. Full Functionality: Positive-Sum, not Zero-Sum

5. End-to-End Security: Full Lifecycle Protection

6. Visibility and Transparency: Keep it Open

7. Respect for User Privacy: Keep it User-Centric

The final ISO 31700 standard is more detailed, providing high-level requirements for ensuring that consumer privacy is embedded into the design of a product or service, offering protection throughout the whole life cycle. Two publications covering the high-level requirements and use cases are scheduled to be published on January 31, 2023.

CSA Warning About Crypto Trading Risks

Last quarter, the Canadian Securities Administrators (CSA) warned investors of the elevated levels of risk in crypto asset trading.

While the CSA has regulatory oversight of crypto asset trading platforms operating in Canada, it cautions investors that registration requirements do not eliminate all risks associated with these platforms. Crypto risks include price volatility, liquidity risk, online risk, and technical and cybersecurity risk.

Various tools and resources, including an Investor’s Guide to cryptocurrencies, have been made available to inform investors.

Read more from AMEIS on the CSA announcement concerning pre-registration undertaking (PRU).

Industry News

US Agencies Warn Banks About Exposure to Crypto Risks

On January 3, US Federal bank regulatory agencies issued a Joint Statement on the risks of crypto-assets to banking organizations.

In light of the significant volatility and vulnerability in the sector, as demonstrated by the recent failures of several large crypto-asset companies, the statement highlights a number of key risks, including:

Risk of fraud and scams

Legal uncertainties related to custody practices, redemptions, and ownership rights

Inaccurate or misleading representations and disclosures

Significant volatility in crypto-asset markets

Susceptibility of stablecoins to run risk

Contagion risk within the crypto-asset sector

Concentration risks

Lack of maturity and robustness of risk management and governance practices

Risks associated with open, public, and/or decentralized networks, including the lack of governance mechanisms and oversight

The statement calls for banking organizations to ensure that crypto-asset-related activities are performed in a “safe and sound manner, are legally permissible, and comply with applicable laws and regulations”. In addition, banking organizations should ensure appropriate risk management and monitoring to effectively identify and manage risks.

SEC Urges Entities to Revisit Crypto-related Disclosure

The Division of Corporation Finance of the US Securities and Exchange Commission released guidance on how companies should revisit crypto-related disclosures to provide investors with “specific, tailored disclosure” about market events and conditions, the company’s situation and the potential impact on investors.

The guidance urges companies to consider crypto asset market developments in their filings, focusing on material impacts which may include:

Exposure to counterparties and other market participants

Risks related to a company’s liquidity and ability to obtain financing

Risks related to legal proceedings, investigations, or regulatory impacts in the crypto asset markets

Sixteen sample comments were provided by the Division of Corporation Finance to assist companies as they prepare disclosure documents.


FCA to Develop a Code of Conduct for ESG Data & Ratings Providers

To support greater transparency and trust for Environmental, Social and Governance (ESG) data and ratings services, the Financial Conduct Authority (FCA) announced the creation of a group to develop a voluntary Code of Conduct for ESG data and ratings services.

The ESG Data and Ratings Code of Conduct Working Group (DRWG) aims to develop a Code that is globally consistent and structured to meet the outcomes of transparency, good governance, robust systems and controls, and sound management of conflicts of interest.

CPMI/IOSCO: Report on FMI Cyber Resilience

In November 2022, the Bank for International Settlements (BIS) and the International Organization of Securities Commissions (IOSCO) published their Level 3 assessment of cyber resilience covering 37 financial market infrastructures (FMIs) from 29 jurisdictions.

The report raised issues of concern relating to cyber response and recovery plans, as well as resilience planning and testing:

The first serious issue of concern relates to Principle 17 (operational risk), Key Consideration 6, which states that an FMI’s business continuity plan should be designed to ensure that critical information technology systems resume operations within two hours following disruptive events. The assessment found that a small number of FMIs had not developed their cyber response and recovery plans to meet this recovery time objective.

In addition, another small number of FMIs with established plans were not able to meet the two-hour window under extreme attack scenarios.

Furthermore, a number of FMIs are not conducting cyber resilience testing after a significant systems change. Such testing would include backup data integrity checks, vulnerability assessments and penetration testing.

Multiple FMIs may not be conducting comprehensive scenario-based testing.

Some FMIs did not include external parties such as critical service providers in their testing.

The report also provides nine observations concerning practices, metrics and testing.


Upcoming Regulatory Deadlines to Watch

| Date | Issues to Watch |
|---|---|
| 25/01/2023 | Comments requested on the Financial Conduct Authority (FCA) proposed Sustainability Disclosure Requirements (SDR) and investment labels |
| 06/02/2023 | Comment period closes for the updated Draft Regulation respecting complaint processing and dispute resolution in the financial sector published by the Québec Autorité des Marchés Financiers (AMF) |
| 10/02/2023 | Deadline to submit feedback to the Bank of England on its discussion paper on artificial intelligence and machine learning |
| 20/02/2023 | Comment period closes for the European Securities and Markets Authority (ESMA) consultation paper on the use of ESG or sustainability-related terms in fund names |


Product Corner

ICT Systems: Quésaco?

Information and communication technology (ICT) systems generally include all hardware, software, applications and systems that, combined, enable people and organizations to communicate digitally.

ICT encompasses the capture, storage, retrieval, processing, display, representation, presentation, organization, management, security, transfer, and interchange of data and information.

These technological tools and resources include computers, the Internet, live broadcasting technologies (radio, television and webcasting), recorded broadcasting technologies (podcasting, audio, storage devices…) and telephony.

Financial institutions are largely dependent on ICT third-party service providers that supply the systems and technologies used to store, process and/or transmit data, which enhance their operational efficiency.

Under Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), ‘ICT services’ means ‘digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services’.


About us

We help you understand the rules that govern your activities, services and products, enabling you to meet your ongoing regulatory obligations and navigate the ever-evolving, complex regulatory landscape.

Our team is composed of professionals with extensive experience serving the investment management, capital markets and asset servicing industries.

Complex landscape & widening gaps

Increasing regulatory requirements and the pace of change are making it harder for you to keep up with the pressures of compliance and managing cost-effective operations.

Current challenges

Investor demand for enhanced transparency and disclosure, data privacy, investor and consumer protection requirements, and AML/KYC concerns are some of the many challenges affecting the industry.

We provide practical and tailored solutions:

Review and analysis of regulatory texts

Reporting

Response preparation

Compliance program development

Change management

Regulatory intelligence and training

Ongoing compliance support

Registrations

Contact us

Déborah Koualé, Founder & Director

deborah.kouale@ameiscorp.com

Ameis Regulatory Services focuses on providing regulatory and compliance support for fintech companies.