AMEIS RegFacts | May 2023 part 1

May 2023

AMEIS REGFACTS

FINTECH & Financial Markets Regulatory News

WWW.AMEISCORP.COM

In This Issue:

OSFI Guideline Against Sophisticated Cyber Attacks

EU Adopts MICA Regulation

EU Endorses Legal Framework for Crypto Tracing

OSFI Finalizes Third Party Risk Management Guideline

Industry News

Product Corner - Utility Token: Quésaco?

Third Party Risk Management

OSFI Finalizes Third Party Risk Management Guideline

On April 28, the Office of the Superintendent of Financial Institutions (OSFI) published the final version of Guideline B-10: Third-Party Risk Management Guideline, which sets out OSFI’s expectations for managing risks associated with third-party arrangements.

GUIDELINE PRINCIPLES

OSFI first released a draft revised Guideline B-10 on third party risk management framework (TPRMF) for consultation in April 2022.

The Guideline is organized around 11 principles that shall be taken into account by a federally regulated financial institution (FRFI), namely:

The FRFI is ultimately accountable for managing the risks arising from all types of third-party arrangements.

The FRFI should establish a TPRMF that sets out clear accountabilities, responsibilities, policies, and processes for identifying, managing, mitigating, monitoring and reporting on risks relating to the use of third parties.

The FRFI should identify and assess the risks of a third-party arrangement before entering the arrangement and periodically thereafter.

The FRFI should undertake due diligence prior to entering contracts or other forms of arrangement with a third party, and on an ongoing basis proportionate to the level of risk and criticality of the arrangement.

The FRFI is responsible for identifying, monitoring and managing risk arising from subcontracting arrangements undertaken by its third parties.

Throughout the duration of the third-party arrangement, the FRFI and third party should establish and maintain appropriate measures to protect the confidentiality, integrity and availability of records and data.

The FRFI’s third-party arrangements should allow the FRFI timely access to accurate and comprehensive information to assist it in overseeing third-party performance and risks. The FRFI should also have the right to conduct or commission an independent audit of a third party.

The FRFI’s agreement with the third party should encompass the ability to deliver operations through disruption, including the maintenance, testing, and activation of business continuity and disaster recovery plans. The FRFI should have contingency plans for its critical third-party arrangements.

The FRFI should monitor its third-party arrangements to verify the third party’s ability to continue to meet its obligations and effectively manage risks.

Both the FRFI and its third-party should have documented processes in place to effectively identify, investigate, escalate, track, and remediate incidents to maintain risk levels within the FRFI’s risk appetite.

This Guideline also includes six expected outcomes for FRFIs to achieve through effective third-party risk management (read our previous update here for more information).

The updated Guideline will be effective on May 1, 2024.

Cyber Resilience

OSFI Guideline Against Sophisticated Cyber Attacks

On April 21, the Office of the Superintendent of Financial Institutions (OSFI) published Implementation Guide 1.0: Intelligence-led Cyber Resilience Testing (I-CRT) Framework, which provides the methodology and process to follow when conducting an I-CRT assessment.

GUIDELINE

As outlined by OSFI: “the overall objective of the I-CRT assessment is to regularly evaluate a FRFI’s cyber resilience posture by identifying cyber threats and associated possible remedial actions.”

The I-CRT Framework provides guidance on the following:

I-CRT assessment criteria and cadence

Roles and responsibilities (FRFI and FRFI Control Group, Control Group Coordinator, Regulator, Threat Intelligence service Provider and Red Team)

Risk management (I-CRT phases, I-CRT risk owner, Operational secrecy, Independent service providers)

I-CRT process (Initiation phase, Threat Intelligence phase, Execution phase, Closure phase)

The Guideline shall be read in conjunction with Guideline B-13, Technology and Cyber Risk Management (read our previous piece here).

Crypto Tracing

EU Endorses Legal Framework for Crypto Tracing

On April 20, the European Parliament announced the first initiative to regulate the tracing of crypto-asset transfers.

The Proposal for the recast of Regulation EU 2015/847 expanding traceability requirements to crypto-assets (the “Legislative Proposal”) forms part of the European Commission Action Plan for a sound and comprehensive EU legal framework to tackle money laundering and terrorist financing.

KEY PROVISIONS

Key provisions of the Legislative Proposal include:

1/ Obligations on the payment service provider of the payer (i.e. information accompanying transfers of funds; transfers of funds within the Union and transfers of funds to outside the Union)

2/ Obligations on the payment service provider of the payee (i.e. detection of missing information on the payer or the payee; transfers of funds with missing or incomplete information on the payer or the payee and assessment and reporting).

3/ Obligations on intermediary payment service providers (i.e. retention of information on the payer and the payee with the transfer; detection of missing information on the payer or the payee; transfers of funds with missing information on the payer or the payee and assessment and reporting).

4/ Obligation of cryptoasset service providers (CASP)

Obligations on the CASP of the originator (i.e. information accompanying transfers of crypto-assets and transfers of crypto-assets).

Obligations on the crypto-asset service provider of the beneficiary (i.e. detection of missing information on the originator or the beneficiary; transfers of crypto-assets with missing or incomplete information on the originator or the beneficiary and assessment and reporting).

5/ Information, data protection and record retention

The Legislative Proposal must be formally endorsed by the Council before publication in the EU Official Journal.

Crypto Regulation

EU Adopts MICA Regulation

The Regulation on Markets in Cryptoassets (“MiCA”) was approved by the European Commission on 20 April 2023 (read our previous update here).

MICA covers the offering and admission to trading of cryptoassets as well as the provision of services in relation to cryptoassets.

PROPOSED RULES

MICA has four main objectives:

Provide a sound legal framework for cryptoassets not covered by existing financial services legislation

Support innovation, promote cryptoassets and the use of distributed ledger technology (DLT) more broadly, and foster fair competition

Protect consumers, investors and market integrity

Enhance financial stability

The new regulation would apply to cryptoassets that are asset-referenced tokens (ART), electronic money tokens (EMT) and utility tokens, and would:

Establish transparency and disclosure requirements for the issuance and admission to trading of cryptoassets (e.g. content and form of the crypto-asset white paper; marketing communications; notification of the crypto-asset white paper and, where applicable, of the marketing communications).

Provide the rules for the authorisation and supervision of crypto-asset service providers, issuers of ARTs and issuers of EMTs (e.g. application; content and form of the crypto-asset white paper for asset-referenced tokens; modification of published crypto-asset white papers for asset-referenced tokens).

Regulate the operation, organisation and governance of issuers of ARTs, issuers of EMTs and cryptoasset service providers (e.g. ongoing information to holders of asset-referenced tokens; complaint handling procedure; prevention, identification, management and disclosure of conflicts of interest; information to competent authorities…).

Provide consumer protection rules for the issuance, trading, exchange and custody of crypto-assets, as well as measures to prevent market abuse to ensure the integrity of crypto-asset markets (e.g. reserve of assets; custody of reserve of assets; investment of reserves of assets; rights on issuers of asset-referenced tokens or on the reserve assets; acquisitions of issuers of asset-referenced tokens; classification of asset-referenced tokens as significant asset-referenced tokens…).

MICA is yet to be adopted by the Council of the European Union. Once adopted, the text will enter into force 18 months after its publication in the Official Journal of the European Union.

AMF Publishes Annual Statement Of Priorities

On April 27, 2023, the Autorité des Marchés Financiers (AMF) released its Annual Statement of Priorities 2023-2024.

Key priorities include:

Publication of a model framework for the responsible use of artificial intelligence in the financial industry

Continuous efforts in monitoring the cryptoasset ecosystem

In collaboration with the Canadian Securities Administrators (CSA), the AMF will continue its work to develop a framework for the registration of cryptoasset trading platforms that are subject to securities legislation.

Continuous efforts to tackle offers of illegal products on social media and the Internet by optimizing the approaches for detecting such activities, particularly in the cryptoasset ecosystem.

Analysis of comments on the draft Regulation to amend Regulation 91-507 respecting Trade Repositories and Derivatives Data Reporting.

Analysis of comments on the draft Regulation to amend Regulation 24-101 respecting Institutional Trade Matching and Settlement in order to facilitate the transition to a T+1 settlement cycle.

Publication of a new guideline on the capital and liquidity requirements for cryptoasset exposures applicable to financial services cooperatives, trust companies, savings companies and other institutions

Further targeted consultations with market participants and members of the fintech ecosystem to better understand the opportunities for and barriers to innovation

Cross-cutting supervisory work on the digital transformation of financial institutions, focusing on two key areas that include cyber risk.

Creation of the first specialized team dedicated to environmental, social and governance (ESG) issues.

Publication of a new guideline on climate change-related risks that will cover prudential aspects of governance and risk management as well as sound commercial practices and disclosure to the regulator.

Industry News

CSA Reports on Oversight of SROs and IPFs

Staff Notice 25-310 was released by the Canadian Securities Administrators on April 20 to report on its key activities in 2022 with the aim to meet its “efforts to achieve transparency and to foster public confidence in the regulatory framework”.

The Staff Notice outlines the CSA’s activities and discussions in various areas, notably:

IIROC’s market surveillance infrastructure

Order Execution Only Service Levels

Joint CSA and IIROC Staff Notice 23-329 Short Selling in Canada

IIROC upcoming proposal to update Guidance Note GN-3600-21-002 Review of Advertisements, Sales Literature and Correspondence, dated October 14, 2021.

IIROC’s continuous work to review applications for new membership from crypto-asset trading platforms

Ongoing discussions with IIROC regarding cybersecurity incidents

MFDA continuous focus on cybersecurity

The potential exclusion of cryptoassets from the Canadian Investor Protection Fund (CIPF) Coverage Policy

CBDCs: ECB Reports on Digital Euro & BoC Consults on Digital CAD

On April 24, the European Central Bank (ECB) and the euro area national central banks provided a Progress Report on the investigation phase of the digital euro project, launched in October 2021. Three areas were covered:

1) User’s digital euro access, holdings and onboarding

2) Distribution of a digital euro, based on common rules, standards and procedures

3) Digital euro services and functionalities provided by supervised intermediaries

It is the third Report published by the ECB since the launch of this project; two previous reports presenting the first two sets of digital euro design and distribution options were published in September 2021 and December 2022.

The outcome of this investigation phase will be reviewed by the Governing Council later this year.

Of note, the European Commission is planning to propose a regulation to establish a digital euro in the second quarter of 2023 (read our previous update here).

The Bank of Canada (BoC) is also reflecting on its own central bank digital currency (CBDC) as it launched a public consultation on May 8 to gather Canadians' views on a potential future digital Canadian dollar (Digital CAD).

Review of AI models - Developments in the Broader Market

On May 4, the UK’s Competition and Markets Authority (CMA) announced the launch of its initial review of AI models, with the view of understanding the impact on competition and consumer protection. Three themes are explored:

1) Competition and barrier to entry in the development of foundation models,

2) The impact of these models on competition in other markets, and

3) Consumer protection.

On the same day, the US announced among other topics:

1) Actions to promote responsible AI innovation, including public assessment of existing generative AI systems and policies on the use of AI systems, thereby leading by example to mitigate AI risks and take advantage of AI opportunities

2) A National Standards Strategy for Critical and Emerging Technology focused on four key objectives:

a) Investments in standards development,

b) Participation of the private sector industry and academic research community,

c) Development of workforce, and

d) Integrity and inclusivity, based on participation and responsiveness to market and societal needs

Upcoming Regulatory Deadlines to Watch

Date | Issues to Watch

16/06/2023 | OSFI consultation period ends on international recommendations related to, and risks posed by, fiat-referenced cryptoasset arrangements and activities

30/06/2023 | By this date, asset managers, life insurers and FCA-regulated pension providers should make their first public climate-related disclosures (as per FCA PS21/24)

Product Corner

Utility Token: Quésaco?

A utility token is intended to provide digital access to a good or service, available on a distributed ledger technology (DLT) such as a blockchain-based infrastructure, and can only be used in the issuer’s network. Ether is a typical example of a utility token.

A utility token must be distinguished from:

Security tokens: which are tokens that refer to a security and provide rights, for example in the form of ownership rights and/or entitlements similar to dividends. For example, in the context of capital raising, asset tokens may be issued in the context of an Initial Coin Offering (ICO). Bitbond is a typical example of a security token.

Payment/exchange/currency tokens: often referred to as crypto-currencies typically do not provide rights but are used as a means of exchange (e.g. to enable the buying or selling of a good provided by someone other than the issuer of the token), for speculative purposes or for the storage of value. Examples of such tokens include Bitcoin or Ether.

Stablecoins are a relatively new form of payment/exchange token that is typically asset-backed (by physical collateral or crypto-assets) or is in the form of an algorithmic stablecoin (with algorithms being used as a way to stabilise volatility in the value of the token).

Source: IOSCO Final Report on Investor Education on Crypto-Assets (2020)

About us

We help you understand the rules that govern your activities, services and products, enabling you to meet your ongoing regulatory obligations and navigate the ever-evolving, complex regulatory landscape.

Our team is composed of professionals with extensive experience serving the investment management, capital markets and asset servicing industries.

Complex landscape & widening gaps

Increasing regulatory requirements and the pace of change are making it harder for you to keep up with the pressures of compliance and managing cost-effective operations.

Current challenges

Investor demand for enhanced transparency and disclosure, data privacy, investor and consumer protection requirements, and AML/KYC concerns are some of the many challenges affecting the industry.

We provide practical and tailored solutions

Review and analysis of regulatory texts

Reporting

Response preparation

Compliance program development

Change management

Regulatory intelligence and training

Ongoing compliance support

Registrations

Contact us

Déborah Koualé, Founder & Director

deborah.kouale@ameiscorp.com

Ameis Regulatory Services focuses on providing regulatory and compliance support for fintech companies