Crypto Trading
CSA Strengthens Requirements for CTPs Operating in Canada
In a statement released on December 12th, 2022, the Canadian Securities Administrators (CSA) announced the expansion of existing requirements for crypto trading platforms (CTPs) operating in Canada.
Furthermore, the CSA reminds CTPs that they are prohibited from permitting Canadian clients to trade, or obtain exposure to, any crypto asset that is itself a security and/or a derivative, and this may include stablecoins where the CTP determined that they fall under the definition of a security and/or a derivative.
REQUIREMENTS
More specifically, the statement announced:
A CTP subject to securities legislation in Canada that does not provide a pre-registration undertaking (PRU) to its principal regulator by the prescribed deadline, or cease operating, would be subject to all applicable regulatory options, including enforcement action.
CTPs that provide a PRU will have to comply with expanded terms and conditions that will include, among other things, requirements to hold Canadian clients’ assets with an appropriate custodian and segregate these assets from the platform’s proprietary business.
Short Selling
CSA & IIROC Seek Feedback on Short Selling
On December 8, 2022, the Canadian Securities Administrators (CSA) and the Investment Industry Regulatory Organization of Canada (IIROC) published for comment Staff Notice 23-329 – Short Selling in Canada.
The Staff Notice revisits the current regulatory requirements and related initiatives with respect to short selling.
CONSIDERATIONS
Questions that stakeholders should consider touch on various topics, including:
Tick test
Short selling and pre-borrow requirements
IIROC’s Extended Failed Trades requirements
Transparency of short selling positions
Buy-in and close-out requirements
Comments must be submitted in writing on or before March 8, 2023.
Trade Settlement Cycle
CSA Outlines Steps to Support Transition to T+1
On December 15, 2022, the Canadian Securities Administrators (CSA) published for comment proposed rule amendments to National Instrument 24-101 Institutional Trade Matching and Settlement (NI 24-101) to support the transition from a two-day Canadian trade settlement cycle (T+2) to a one-day settlement cycle (T+1).
The move to a T+1 settlement cycle is scheduled to be effective in 2024, ‘at the same time as the markets in the United States move to a T+1 settlement cycle’, to facilitate the update of procedures and processes.
AMENDMENTS
The NI 24-101 amendments include, among others:
The repeal of “T+2”
The requirement for registered dealers and registered advisers to have policies and procedures in place designed to achieve institutional trade matching by 9 p.m. Eastern Time on the date of a trade (T), as opposed to the current requirement of 12 p.m. (noon) Eastern Time on T+1
Amendments to Form 24-101F2 Clearing Agency Quarterly Operations Report of Institutional Trade Reporting and Matching and Form 24-101F5 Matching Service Utility Quarterly Operations Report of Institutional Trade Reporting and Matching
The repeal of the Exception Reporting Requirement
A reference to cyber-resilience in the system requirements
NI 24-101 Companion Policy is being amended accordingly.
As outlined in CSA Staff Notice 81-335 which was released the same day, the CSA is not amending National Instrument 81-102 Investment Funds to mandate a shorter settlement cycle.
NI 24-101 came into force in 2007 and was intended to provide a legislative framework to ensure more efficient and timely processing and settlement of institutional trades in Canada. It requires institutional trading participants to establish processes and procedures that allow trade matching within prescribed limits.
Comments should be submitted by March 17, 2023.
Complaints and Disputes
AMF Consults on Updated Draft Regulation
On December 8, 2022, the Québec Autorité des Marchés Financiers (AMF) released its updated Draft Regulation respecting complaint processing and dispute resolution in the financial sector (the Updated Draft Regulation).
The Updated Draft Regulation builds on the comments received by the AMF on the previous Draft Regulation, first published on September 9, 2021, with the aim of proposing a framework complementing the already existing complaint processing and dispute resolution obligations imposed on financial institutions and financial intermediaries, amongst others.
DRAFT REGULATION
Of note, the Updated Draft Regulation:
Broadens the definition of ‘complaint’ to provide the cumulative conditions under which a communication should be entered in the complaint register
Changes the rules and practices relating to the simplified process for certain complaints: (i) possibility to process certain complaints verbally and (ii) option to entrust the processing of such complaints to dedicated customer services teams. However, the simplified process is only available for complaints for which processing can be completed within 10 days following receipt
Provides for the possibility, under conditions determined by regulation, of extending the time period for processing a complaint beyond 60 days following receipt of the complaint. Entities (e.g. financial institutions or financial intermediaries) could have an additional 30 days to process a complaint
Comments should be submitted by February 6, 2023, and the coming into force is scheduled for January 1, 2024.
Digital Operational Resilience
DORA Enters Into Force on 16 January 2023
On 28 November 2022, the EU Council adopted the Digital Operational Resilience Act (DORA) for the financial sector.
On December 14, 2022, Regulation (EU) 2022/2554 on digital operational resilience for the financial sector and Directive (EU) 2022/2556 as regards digital operational resilience for the financial sector were both published in the Official Journal of the EU.
KEY OBLIGATIONS
DORA imposes obligations on both financial entities and ICT third-party service providers, including designated 'critical' ICT service providers (read our previous articles here and here). It consolidates and upgrades firms' capacity to withstand Information and Communication Technologies (ICT)-related disruptions and threats through, among others:
A sound ICT-risk management framework
The use and ongoing maintenance of appropriate and reliable ICT systems, protocols and tools
The identification, classification and adequate documentation of all ICT supported business functions, roles and responsibilities, as well as the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk
Protection and prevention through the continuous monitoring and control of the security and functioning of ICT systems and tools; the design and implementation of ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems.
Implementation of mechanisms to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure
Implementation of a comprehensive ICT business continuity policy for timely response and recovery actions
Development and documentation of backup policies and procedures, restoration and recovery procedures and methods to ensure the restoration of ICT systems and data with minimum downtime, limited disruption and loss
Learning and evolving, including capabilities and staff to gather information on vulnerabilities and cyber threats as well as ICT-related incidents. Post-incident reviews should also be put in place after the occurrence of a major ICT-related incident to help analyse the cause of the incident and identify the required improvements to ICT operations
Implementation of an ICT-related incident management process to detect, manage and notify ICT-related incidents
Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
Requirements for the performance of digital operational resilience testing (e.g. testing of ICT tools and systems…)
Management of ICT third-party risk
‘Financial entity’ is defined to include a broad range of entities such as investment firms, management companies, payment institutions, banks, insurance companies and crypto asset service providers.
DORA will apply from 17 January 2025.
Anti-Money Laundering
EBA Publishes Guidelines on Remote Customer Onboarding
Issued on November 22, 2022 by the European Banking Authority (EBA), the Guidelines apply to all credit and financial institutions that are within the scope of the Anti-money Laundering Directive (AMLD) and set out the steps these institutions should follow to choose adequate tools for safe and effective remote customer onboarding.
HIGHLIGHTS OF KEY REQUIREMENTS
Implementation and maintenance of policies and procedures for an effective remote customer onboarding process that (i) include an explanation of the features and functioning of a solution; (ii) take into account the risk factors; (iii) distinguish which steps are fully automated and which steps require human intervention
Submission of the aforementioned policies and procedures for management’s approval
Pre-implementation assessment of the remote customer onboarding solution (i.e. adequacy of the solution; assessment of the impact of the use of such solution on business-wide risk (ML/TF, operational, reputational and legal risks); identification of possible mitigating measures and remedial actions)
Ongoing monitoring of the remote customer onboarding solution: policies and procedures must include information provided by the Guidelines, including a description of at least a) the steps entities will take to be satisfied of the ongoing quality, completeness, accuracy and adequacy of data collected during the remote customer onboarding process; b) the scope and frequency of such regular reviews
Identification of natural persons (e.g. what information is manually entered by the customer, is automatically captured from the documentation provided by the customer or is gathered using other internal or external sources…) vs. legal entities (e.g. which category of legal entities they will onboard remotely, taking into account the level of ML/TF risk associated with each category, and the level of human intervention required to validate the identification information)
Document authenticity & integrity (e.g. ascertain that the reproduction of an original document is reliable, ensure that tools such as Optical Character Recognition (OCR) algorithms or Machine Readable Zone (MRZ) verifications capture information in an accurate and consistent manner, verify the security features embedded in the official document where possible…)
Match customer identity as part of the verification process: entities must, amongst others, ensure that (i) there is a match between the visible information of the natural person and the documentation provided; (ii) where the customer is a legal entity, it is publicly registered, where applicable; (iii) where the customer is a legal entity, the natural person that represents it is entitled to act on its behalf
Privacy By Design Will Become an ISO Standard on Feb. 8
The International Organization for Standardization (ISO) will adopt Privacy By Design (PbD) as ISO 31700. In 2018, the ISO formed the group "Consumer protection: privacy by design for consumer goods and services" to start planning for the inclusion of PbD in its standards.
Privacy by Design is a set of principles that calls for privacy to be taken into account throughout an organization, encompassing IT systems, accountable business practices, and physical design and networked infrastructure.
The 7 foundational principles are:
1. Proactive not Reactive; Preventative not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality: Positive-Sum, not Zero-Sum
5. End-to-End Security: Full Lifecycle Protection
6. Visibility and Transparency: Keep it Open
7. Respect for User Privacy: Keep it User-Centric
The final ISO 31700 standard is more detailed, providing high-level requirements for ensuring consumer privacy is embedded into the design of a product or service, offering protection throughout the whole life cycle. Two publications covering the high-level requirements and use cases are scheduled to be published on January 31, 2023.
CSA Warning About Crypto Trading Risks
Last quarter, the Canadian Securities Administrators (CSA) warned investors of the elevated levels of risk in crypto asset trading.
While the CSA has regulatory oversight of crypto asset trading platforms operating in Canada, it cautions investors that registration requirements do not eliminate all risks associated with these platforms. Crypto risks include price volatility, liquidity risk, online risk, and technical and cybersecurity risk.
Various tools and resources, including an Investor’s Guide to cryptocurrencies, have been made available to inform investors.
Read more from AMEIS on the CSA announcement concerning pre-registration undertaking (PRU).
US Agencies Warn Banks About Exposure to Crypto Risks
On January 3, US Federal bank regulatory agencies issued a Joint Statement on the risks of crypto-assets to banking organizations.
In light of the significant volatility and vulnerability in the sector as demonstrated by the recent failures of several large crypto-asset companies, the statement alerts to a number of key risks, including:
Risk of fraud and scams
Legal uncertainties related to custody practices, redemptions, and ownership rights
Inaccurate or misleading representations and disclosures
Significant volatility in crypto-asset markets
Susceptibility of stablecoins to run risk
Contagion risk within the crypto-asset sector
Concentration risks
Lack of maturity and robustness of risk management and governance practices
Risks associated with open, public, and/or decentralized networks, including the lack of governance mechanisms and oversight
The statement calls for banking organizations to ensure that crypto-asset-related activities are performed in a “safe and sound manner, are legally permissible, and comply with applicable laws and regulations”. In addition, banking organizations should ensure appropriate risk management and monitoring to effectively identify and manage risks.
SEC Stresses Entities to Revisit Crypto-related Disclosure
The Division of Corporation Finance of the US Securities and Exchange Commission released guidance on how companies should revisit crypto-related disclosures to provide investors with “specific, tailored disclosure” about market events and conditions, the company situation and potential impact on investors.
The guidance urges companies to consider crypto asset market developments in their filings, focusing on material impacts which may include:
Exposure to counterparties and other market participants
Risks related to a company’s liquidity and ability to obtain financing
Risks related to legal proceedings, investigations, or regulatory impacts in the crypto asset markets
Sixteen comments were provided by the Division of Corporation Finance to assist companies as they prepare disclosure documents.
FCA to Develop a Code of Conduct for ESG Data & Ratings Providers
To support greater transparency and trust for Environmental, Social and Governance (ESG) data and ratings services, the Financial Conduct Authority (FCA) announced the creation of a group to develop a voluntary Code of Conduct for ESG data and ratings services.
The ESG Data and Rating Code of Conduct Working Group (DRWG) aims to develop a Code that is globally consistent and structured to meet the outcomes of transparency, good governance, robust systems and controls, and sound management of conflicts of interest.
CPMI/IOSCO: Report on FMI Cyber Resilience
In November 2022, the Bank for International Settlements (BIS) and the International Organization of Securities Commissions (IOSCO) published their Level 3 assessment of cyber resilience on 37 Financial Market Infrastructures (FMIs) from 29 jurisdictions.
This report raised issues of concern relating to cyber response and recovery plans, as well as resilience planning and testing:
The first serious issue of concern relates to principle 17 (operational risk), key consideration 6 that states an FMI’s business continuity plan should be designed to ensure that critical information technology systems resume operations within two hours following disruptive events. The assessment found that a small number of FMIs had not developed their cyber response and recovery plans to meet this recovery time objective.
In addition, another small number of FMIs with established plans were not able to meet the two-hour window under extreme attack scenarios.
Furthermore, a number of FMIs are not conducting cyber resilience testing after a significant systems change. Such testing would include backup data integrity, vulnerability assessments and penetration testing.
Multiple FMIs may not be conducting comprehensive scenario-based testing.
Some FMIs did not include external parties such as critical service providers.
The report also provides nine observations concerning practices, metrics and testing.
Upcoming Regulatory Deadlines to Watch
Date | Issues to Watch
25/01/2023 | Comments requested on Financial Conduct Authority (FCA) proposed Sustainability Disclosure Requirements (SDR) and investment labels
06/02/2023 | Comment period closes for the updated Draft Regulation respecting complaint processing and dispute resolution in the financial sector published by Québec Autorité des Marchés Financiers (AMF)
10/02/2023 | Deadline to submit feedback to the Bank of England on its discussion paper on Artificial intelligence and machine learning
20/02/2023 | Comments period closes for the European Securities and Markets Authority (ESMA) consultation paper on the use of ESG or sustainability-related terms in fund names
Product Corner
Sustainability-Linked Derivatives: Quésaco?
Information and Communication Technology (ICT) systems generally include all hardware, software, applications and systems that, combined, enable people and organizations to communicate digitally.
ICT encompasses the capture, storage, retrieval, processing, display, representation, presentation, organization, management, security, transfer, and interchange of data and information.
These technological tools and resources include computers, the Internet, live broadcasting technologies (radio, television and webcasting), recorded broadcasting technologies (podcasting, audio, storage devices…) and telephony.
Financial institutions are mainly dependent on ICT third-party service providers that supply the systems/technologies used to store, process, and/or transmit data that enhances their operational efficiency.
Under Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), ICT services means ‘digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services’.
About us
We help you understand the rules that govern your activities, services and products, enabling you to meet your ongoing regulatory obligations and navigate the ever-evolving, complex regulatory landscape.
Our team is composed of professionals with extensive experience serving the investment management, capital markets and asset servicing industries.
Complex landscape & widening gaps
Increasing regulatory requirements and the pace of change are making it harder for you to keep up with the pressures of compliance and managing cost-effective operations.
Current challenges
Investor demand for enhanced transparency and disclosure, data privacy, investor and consumer protection requirements, and AML/KYC concerns are some of the many challenges affecting the industry.
We provide practical and tailored solutions
Review and analysis of regulatory texts
Reporting
Response preparation
Compliance program development
Change management
Regulatory intelligence and training
Ongoing compliance support
Registrations
Contact us
Déborah Koualé, Founder & Director
deborah.kouale@ameiscorp.com
Carolyn Le Quéré, Director
carolyn.lequere@ameiscorp.com
Ameis Regulatory Services focuses on providing regulatory and compliance support for fintech companies.