Third Party Risk Management
OSFI Finalizes Third-Party Risk Management Guideline
On April 28, the Office of the Superintendent of Financial Institutions (OSFI) published the final version of Guideline B-10: Third-Party Risk Management Guideline, which sets out OSFI’s expectations for managing risks associated with third-party arrangements.
GUIDELINE PRINCIPLES
OSFI first released a draft revised Guideline B-10 on third party risk management framework (TPRMF) for consultation in April 2022.
The Guideline is organized around 11 principles that shall be taken into account by a federally regulated financial institution (FRFI), namely:
The FRFI is ultimately accountable for managing the risks arising from all types of third-party arrangements.
The FRFI should establish a TPRMF that sets out clear accountabilities, responsibilities, policies, and processes for identifying, managing, mitigating, monitoring and reporting on risks relating to the use of third parties.
The FRFI should identify and assess the risks of a third-party arrangement before entering the arrangement and periodically thereafter.
The FRFI should undertake due diligence prior to entering contracts or other forms of arrangement with a third party, and on an ongoing basis proportionate to the level of risk and criticality of the arrangement.
The FRFI is responsible for identifying, monitoring and managing risk arising from subcontracting arrangements undertaken by its third parties.
Throughout the duration of the third-party arrangement, the FRFI and third party should establish and maintain appropriate measures to protect the confidentiality, integrity and availability of records and data.
The FRFI’s third-party arrangements should allow the FRFI timely access to accurate and comprehensive information to assist it in overseeing third-party performance and risks. The FRFI should also have the right to conduct or commission an independent audit of a third party.
The FRFI’s agreement with the third party should encompass the ability to deliver operations through disruption, including the maintenance, testing, and activation of business continuity and disaster recovery plans. The FRFI should have contingency plans for its critical third-party arrangements.
The FRFI should monitor its third-party arrangements to verify the third party’s ability to continue to meet its obligations and effectively manage risks.
Both the FRFI and its third party should have documented processes in place to effectively identify, investigate, escalate, track, and remediate incidents to maintain risk levels within the FRFI’s risk appetite.
This Guideline also includes six expected outcomes for FRFIs to achieve through effective third-party risk management (read our previous update here for more information).
The updated Guideline will be effective on May 1, 2024.
Cyber Resilience
OSFI Guideline Against Sophisticated Cyber Attacks
On April 21, the Office of the Superintendent of Financial Institutions (OSFI) published Implementation Guide 1.0: Intelligence-led Cyber Resilience Testing (I-CRT) Framework, which provides the methodology and process to follow when conducting an I-CRT assessment.
GUIDELINE
As outlined by OSFI: “the overall objective of the I-CRT assessment is to regularly evaluate a FRFI’s cyber resilience posture by identifying cyber threats and associated possible remedial actions.”
The I-CRT Framework provides guidance on the following:
I-CRT assessment criteria and cadence
Roles and responsibilities (FRFI and FRFI Control Group, Control Group Coordinator, Regulator, Threat Intelligence service Provider and Red Team)
Risk management (I-CRT phases, I-CRT risk owner, Operational secrecy, Independent service providers)
I-CRT process (Initiation phase, Threat Intelligence phase, Execution phase, Closure phase)
The Guideline shall be read in conjunction with Guideline B-13, Technology and Cyber Risk Management (read our previous piece here).
Crypto Tracing
EU Endorses Legal Framework for Crypto Tracing
On April 20, the European Parliament announced the first initiative to regulate the tracing of crypto-asset transfers.
The Proposal for the recast of Regulation EU 2015/847 expanding traceability requirements to crypto-assets (the “Legislative Proposal”) forms part of the European Commission Action Plan for a sound and comprehensive EU legal framework to tackle money laundering and terrorist financing.
KEY PROVISIONS
Key provisions of the Legislative Proposal include:
1/ Obligations on the payment service provider of the payer (i.e. information accompanying transfers of funds; transfers of funds within the Union and transfers of funds to outside the Union).
2/ Obligations on the payment service provider of the payee (i.e. detection of missing information on the payer or the payee; transfers of funds with missing or incomplete information on the payer or the payee and assessment and reporting).
3/ Obligations on intermediary payment service providers (i.e. retention of information on the payer and the payee with the transfer; detection of missing information on the payer or the payee; transfers of funds with missing information on the payer or the payee and assessment and reporting).
4/ Obligation of cryptoasset service providers (CASP)
Obligations on the CASP of the originator (i.e. information accompanying transfers of crypto-assets and transfers of crypto-assets).
Obligations on the crypto-asset service provider of the beneficiary (i.e. detection of missing information on the originator or the beneficiary; transfers of crypto-assets with missing or incomplete information on the originator or the beneficiary and assessment and reporting).
5/ Information, data protections and record-retention
The Legislative Proposal must be formally endorsed by the Council before publication in the EU Official Journal.
Crypto Regulation
EU Adopts MICA Regulation
The Regulation on Markets in Cryptoassets (“MiCA”) was approved by the European Commission on 20 April 2023 (read our previous update here).
MICA covers the offering and admission to trading of cryptoassets as well as the provision of services in relation to cryptoassets.
PROPOSED RULES
MICA has four main objectives:
Provide a sound legal framework for cryptoassets not covered by existing financial services legislation
Support innovation, promote cryptoassets and the use of distributed ledger technology (DLT) more broadly, and foster fair competition
Protect consumers, investors and market integrity
Enhance financial stability
The new regulation would apply to cryptoassets that are asset-referenced tokens (ART), electronic money tokens (EMT) and utility tokens; and would:
Establish transparency and disclosure requirements for the issuance and admission to trading of cryptoassets (e.g. content and form of the crypto-asset white paper; marketing communications; notification of the crypto-asset white paper and, where applicable, of the marketing communications).
Provide the rules for the authorisation and supervision of crypto-asset service providers and issuers of ART and issuers of EMT (e.g. application; content and form of the crypto-asset white paper for asset-referenced tokens; modification of published crypto-asset white papers for asset-referenced tokens).
Regulate the operation, organisation and governance of issuers of ARTs, issuers of EMTs and cryptoasset service providers (e.g. ongoing information to holders of asset-referenced tokens; complaint handling procedure; prevention, identification, management and disclosure of conflicts of interest; information to competent authorities…).
Provide consumer protection rules for the issuance, trading, exchange and custody of crypto-assets, as well as measures to prevent market abuse to ensure the integrity of crypto-asset markets (e.g. reserve of assets; custody of reserve of assets; investment of reserves of assets; rights on issuers of asset-referenced tokens or on the reserve assets; acquisitions of issuers of asset-referenced tokens; classification of asset-referenced tokens as significant asset-referenced tokens…).
MICA is yet to be adopted by the Council of the European Union. Once adopted, the text will enter into force 18 months after its publication in the Official Journal of the European Union.
AMF Publishes Annual Statement of Priorities
On April 27, 2023, the Autorité des Marchés Financiers (AMF) released its Annual Statement of Priorities 2023-2024.
Key priorities include:
Publication of a model framework for the responsible use of artificial intelligence in the financial industry
Continuous efforts in monitoring the cryptoasset ecosystem
In collaboration with the Canadian Securities Administrators (CSA), the AMF will continue its work to develop a framework for the registration of cryptoasset trading platforms that are subject to securities legislation.
Continuous efforts to tackle offers of illegal products on social media and the Internet by optimizing the approaches for detecting such activities, particularly in the cryptoasset ecosystem.
Analysis of comments on the draft Regulation to amend Regulation 91-507 respecting Trade Repositories and Derivatives Data Reporting.
Analysis of comments on the draft Regulation to amend Regulation 24-101 respecting Institutional Trade Matching and Settlement in order to facilitate the transition to a T+1 settlement cycle.
Publication of a new guideline on the capital and liquidity requirements for cryptoasset exposures applicable to financial services cooperatives, trust companies, savings companies and other institutions
Further targeted consultations with market participants and members of the fintech ecosystem to better understand the opportunities for and barriers to innovation
Cross-cutting supervisory work on the digital transformation of financial institutions, focusing on two key areas that include cyber risk.
Creation of the first specialized team dedicated to environmental, social and governance (ESG) issues.
Publication of a new guideline on climate change-related risks that will cover prudential aspects of governance and risk management as well as sound commercial practices and disclosure to the regulator.
CSA Reports on Oversight of SROs and IPFs
Staff Notice 25-310 was released by the Canadian Securities Administrators on April 20 to report on its key activities in 2022 with the aim to meet its “efforts to achieve transparency and to foster public confidence in the regulatory framework”.
The Staff Notice outlines CSA’s activities and discussions on various areas, notably:
IIROC’s market surveillance infrastructure
Order Execution Only Service Levels
Joint CSA and IIROC Staff Notice 23-329 Short Selling in Canada
IIROC upcoming proposal to update Guidance Note GN-3600-21-002 Review of Advertisements, Sales Literature and Correspondence, dated October 14, 2021.
IIROC’s continuous work to review applications for new membership from crypto-asset trading platforms
Ongoing discussions with IIROC regarding cybersecurity incidents
MFDA’s continuous focus on cybersecurity
The potential exclusion of cryptoassets from the Canadian Investor Protection Fund (CIPF) Coverage Policy
CBDCs: ECB Reports on Digital Euro & BoC Consults on Digital CAD
On April 24, the European Central Bank (ECB) and the euro area national central banks provided a Progress Report on the investigation phase of the digital euro project, launched in October 2021. Three areas were covered:
User’s digital euro access, holdings and onboarding
Distribution of a digital euro, based on common rules, standards and procedures
Digital euro services and functionalities provided by supervised intermediaries
It is the third Report published by the ECB since the launch of this project; two previous reports presenting the first two sets of digital euro design and distribution options were published in September 2021 and December 2022.
The outcome of this investigation phase will be reviewed by the Governing Council later this year.
Of note, the European Commission is planning to propose a regulation to establish a digital euro in the second quarter of 2023 (read our previous update here).
The Bank of Canada (BoC) is also reflecting on its own central bank digital currency (CBDC) as it launched a public consultation on May 8 to gather Canadians' views on a potential future digital Canadian dollar (Digital CAD).
Review of AI models - Developments in the Broader Market
On May 4, the UK’s Competition and Markets Authority (CMA) announced the launch of its initial review of AI models, with the view of understanding the impact on competition and consumer protection. Three themes are explored:
1) Competition and barriers to entry in the development of foundation models,
2) The impact of these models on competition in other markets, and
3) Consumer protection.
On the same day, the US announced among other topics:
1) Actions to promote responsible AI innovation, including public assessment of existing generative AI systems and policies on the use of AI systems, thereby leading by example to mitigate AI risks and take advantage of AI opportunities.
2) A National Standards Strategy for Critical and Emerging Technology focused on four key objectives:
a) Investments in standards development,
b) Participation of the private sector industry and academic research community,
c) Development of workforce, and
d) Integrity and inclusivity, based on participation and responsiveness to market and societal needs.
Upcoming Regulatory Deadlines to Watch
Date | Issues to Watch
16/06/2023 | OSFI consultation period ends on international recommendations related to, and risks posed by, fiat-referenced cryptoasset arrangements and activities
30/06/2023 | By this date, asset managers, life insurers and FCA-regulated pension providers should make their first public climate-related disclosures (as per FCA PS21/24)
Product Corner
Utility Token: What Is It?
A utility token is intended to provide digital access to a good or service, available on a distributed ledger technology (DLT) such as a blockchain-based infrastructure, and can only be used in the issuer’s network. Ether is a typical example of a utility token.
A utility token must be distinguished from:
Security tokens: tokens that refer to a security and provide rights, for example in the form of ownership rights and/or entitlements similar to dividends. For example, in the context of capital raising, asset tokens may be issued in the context of an Initial Coin Offering (ICO). Bitbond is a typical example of a security token.
Payment/exchange/currency tokens: often referred to as crypto-currencies, these typically do not provide rights but are used as a means of exchange (e.g. to enable the buying or selling of a good provided by someone other than the issuer of the token), for speculative purposes or for the storage of value. Examples of such tokens include Bitcoin or Ether.
Stablecoins are a relatively new form of payment/exchange token that is typically asset-backed (by physical collateral or crypto-assets) or is in the form of an algorithmic stablecoin (with algorithms being used as a way to stabilise volatility in the value of the token).
Source: IOSCO Final Report on Investor Education on Crypto-Assets (2020)
About us
We help you understand the rules that govern your activities, services and products, enabling you to meet your ongoing regulatory obligations and navigate the ever-evolving, complex regulatory landscape.
Our team is composed of professionals with extensive experience serving the investment management, capital markets and asset servicing industries.
Complex landscape & widening gaps
Increasing regulatory requirements and the pace of change are making it harder for you to keep up with the pressures of compliance and managing cost-effective operations.
Current challenges
Investor demand for enhanced transparency and disclosure, data privacy, investor and consumer protection requirements, and AML/KYC concerns are some of the many challenges affecting the industry.
We provide practical and tailored solutions
Review and analysis of regulatory texts
Reporting
Response preparation
Compliance program development
Change management
Regulatory intelligence and training
Ongoing compliance support
Registrations
Contact us
Déborah Koualé, Founder & Director
deborah.kouale@ameiscorp.com
Carolyn Le Quéré, Director
carolyn.lequere@ameiscorp.com
Ameis Regulatory Services focuses on providing regulatory and compliance support for fintech companies.