AMEIS RegFacts | November 2021 Regulatory Round-Up | Part 2


NOVEMBER 2021

AMEIS REGFACTS FINTECH - Related Regulatory & Compliance News

In This Issue:
- OSFI Consults on Technology & Cyber Risk Management Guideline (p. 1)
- FINTRAC Updates Ineligibility Criteria to Register as an MSB/FMSB (p. 3)
- Ontario Consults on New Draft Capital Markets Act (p. 4)
- CISA’s Binding Directive on the Reduction of Exploited Vulnerabilities (p. 5)
- FCA Seeks Feedback on SDR & Investment Labels (p. 6)
- FSRA Ends Consultation on Draft Innovation Framework (p. 7)
- SEC Commissioner Speaks about Cybersecurity Challenges (p. 8)
- ACPR & AMF 2nd Joint Report On Fossil Fuel Exposure (p. 9)
- IOSCO Finalized Recommendations on Sustainability (p. 9)
- Montreal Selected as 2nd Hub to ISSB (p. 11)
- CBDC: What Is It? (p. 12)

www.ameiscorp.com


OSFI Consults on Technology & Cyber Risk Management Guideline

On November 9, the Office of the Superintendent of Financial Institutions (OSFI) launched a three-month public consultation on its Draft Guideline B-13: Technology and Cyber Risk Management (the ‘Draft Guideline’). The Draft Guideline is intended to help federally regulated financial institutions (FRFIs) develop greater resilience to technology and cyber risks. Divided into 5 domains, the Draft Guideline sets out the key components required for robust technology and cyber risk management, notably:

1. Governance and Risk Management - To ensure that technology and cyber risks are governed through clear accountabilities and structures, and comprehensive strategies and frameworks, OSFI expects FRFIs to follow these principles.

Key takeaways
- Accountability and Organizational Structure: Assign adequate responsibility and resources for managing technology and cyber risks to senior officers.
- Technology & Cyber Strategy: Define, document, approve and implement a strategic technology and cyber plan(s).
- Technology & Cyber Risk Management Framework: Establish a technology and cyber risk management framework (RMF) that should, amongst others, set out a risk appetite for technology and cyber risks.

2. Technology Operations - For a technology environment that is stable, scalable and resilient, kept current and supported by robust and sustainable technology operating processes, OSFI expects FRFIs to meet principles relating to:
- Technology Architecture: Through the implementation of a technology architecture framework in accordance with business, technology and security requirements.
- Technology Asset Management: By maintaining an updated inventory of all technology assets supporting business processes or functions.
- Technology Project Management: Through the implementation of effective processes to govern and manage technology projects, from initiation to closure.
- System Development Life Cycle: Through the implementation of an SDLC framework for the secure development, acquisition and maintenance of technology systems that perform as expected in support of business objectives.
- Change and Release Management: By establishing and implementing a technology change and release management process and supporting documentation to ensure changes to technology assets are documented, assessed, tested, approved, implemented and verified in a controlled manner that minimizes disruption to the production environment.
- Patch Management: Processes to ensure the controlled and timely application of patches across the technology environment to address vulnerabilities and flaws.
- Incident and Problem Management: To effectively detect, log, manage, resolve, monitor and report on technology incidents and minimize their impacts.
- Technology Service Measurement and Monitoring: Through the development of service and capacity standards, and processes to monitor the operational management of technology, ensuring business needs are met.

3. Cyber Security - For a secure technology posture that maintains the confidentiality, integrity and availability of the FRFI’s technology assets, FRFIs should meet the following principles:
- Identify: By maintaining a range of practices, capabilities, processes and tools to identify and assess cyber security weaknesses that could be exploited by external and insider threat actors.
- Defend: The FRFI should design, implement and maintain multi-layer, preventive cyber security controls and measures to safeguard its technology assets. This includes data protection and loss prevention security controls.
- Detect: By implementing and maintaining continuous security detection capabilities to enable monitoring, alerting and forensic cyber security incident investigations.
- Respond, Recover and Learn: From cyber security incidents impacting its technology assets, including incidents originating at third-party providers.

4. Third-Party Provider Technology and Cyber Risk - For reliable and secure technology and cyber operations from third-party providers, FRFIs should:
- Ensure that effective controls and processes are implemented to identify, assess, manage, monitor, report and mitigate technology and cyber risks throughout the TPP’s life cycle, from due diligence to termination/exit.
- Establish cloud-specific requirements.

5. Technology Resilience - To ensure that technology services are delivered, as expected, through disruption:
- The FRFI should establish and maintain an Enterprise Disaster Recovery Framework (EDRF).
- The FRFI should perform scenario testing on disaster recovery capabilities to confirm its technology services operate as expected through disruption.

Interested stakeholders should submit their comments by February 9, 2022.

FINTRAC Updates Ineligibility Criteria to Register as an MSB/FMSB

On October 15, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) updated the categories of entities required to register as a Money Services Business (MSB) or Foreign Money Services Business (FMSB). The changes reflect the recent amendment of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), which tightens and defines the criteria for persons/entities not eligible to register as an MSB or an FMSB with FINTRAC. The following cannot operate as an MSB or FMSB:
- An individual or an entity convicted of certain offences
- Corporations: a corporation cannot register as an MSB or FMSB if its chief executive officer, president, or any of its directors is a listed terrorist or was convicted of certain offences
- Partnerships and other types of entities
- A listed person or terrorist group


Ontario Consults on New Draft Capital Markets Act

On October 12, 2021, the Ontario government released a draft of the Capital Markets Act (the ‘Draft CMA’) for stakeholders’ consultation. This release follows the recommendation of the Capital Markets Modernization Taskforce made in its first consultation report (read our summary here). The purposes of the Draft CMA are:
- To provide protection to investors from unfair, improper or fraudulent practices;
- To foster fair, efficient and competitive capital markets and confidence in capital markets;
- To foster capital formation;
- To contribute to the stability and integrity of the financial system and to the reduction of systemic risk.

The Draft CMA includes, amongst others, requirements applicable to:
- Recognized entities
- Designation of entities and other marketplaces
- Registration
- Distribution of securities
- Trading of derivatives
- Reporting issuers – disclosure and governance obligations
- Market conduct
- The Ontario Securities Commission’s regulatory and enforcement powers, including the authority to make rules, and the Capital Markets Tribunal’s adjudicative powers.

If it becomes law, the Draft CMA would likely replace Ontario’s Securities Act and the Commodity Futures Act. Comments are to be submitted by email by January 21, 2022.


CISA’s Binding Directive on the Reduction of Exploited Vulnerabilities

On November 3rd, the Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities (‘the Directive’), ‘to drive urgent and prioritized remediation of vulnerabilities that are being actively exploited by adversaries’. The Directive sets out a catalog of known exploited vulnerabilities and requires federal civilian agencies to remediate such vulnerabilities within specific timeframes.

Key takeaways

Required actions for remediation:
1. Within 60 days of issuance, review and update internal vulnerability management procedures in accordance with the Directive. If requested by CISA, agencies will provide a copy of these policies and procedures. At a minimum, policies must:
- Establish a process for ongoing remediation of vulnerabilities that CISA identifies;
- Assign roles and responsibilities for executing agency actions as required by the Directive;
- Define the actions required to enable prompt response to actions required by the Directive;
- Establish internal validation and enforcement procedures to ensure adherence to the Directive; and
- Set internal tracking and reporting requirements to evaluate adherence to the Directive and provide reporting to CISA, as needed.
2. Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog.
3. Report on the status of vulnerabilities listed in the repository.

The Directive applies to all software and hardware found on federal information systems, including those managed on agency premises or hosted by third-party vendors on an agency’s behalf. While the Directive applies primarily to federal civilian agencies, CISA strongly recommends that ‘every organization’, including private businesses, prioritize mitigation of vulnerabilities in CISA’s catalog and sign up for notification updates to the catalog.
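The Directive's three required actions (track the catalog, remediate by the catalog's due dates, report status) are a concrete enough procedure to illustrate with a small checker. The following is an added example written for this round-up; it is not code from the newsletter, from CISA or from the Directive. It assumes a catalog in JSON with a "vulnerabilities" array whose entries carry "cveID", "dateAdded" and "dueDate" (YYYY-MM-DD), the field names used by CISA's published KEV JSON feed, and an asset inventory mapping each asset to the CVE identifiers known to affect it. The sample catalog, inventory and reporting date are constructed, and the CVE identifiers are placeholders rather than real catalog entries.

```python
"""Added example (not from the newsletter, CISA or the Directive): a small
checker that compares an asset inventory against a KEV-style catalog and
reports which required remediations are overdue under BOD 22-01 timelines.

Assumptions: the catalog is JSON with a "vulnerabilities" array whose entries
carry "cveID", "dateAdded" and "dueDate" (YYYY-MM-DD), the field names used by
CISA's published KEV JSON feed; the inventory maps asset names to the CVE
identifiers known to affect them. The sample catalog, inventory and "today"
below are constructed, and the CVE identifiers are placeholders, not real IDs.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed sample catalog in the KEV JSON layout (placeholder identifiers).
SAMPLE_CATALOG_JSON = json.dumps({
    "title": "constructed sample catalog",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
         "product": "Example Gateway", "dateAdded": "2021-11-03",
         "dueDate": "2021-11-17",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor",
         "product": "Example Mail", "dateAdded": "2021-11-03",
         "dueDate": "2022-05-03",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-00003", "vendorProject": "ExampleVendor",
         "product": "Example Mail", "dateAdded": "2021-11-10",
         "dueDate": "2021-11-24",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed inventory: asset name -> CVE identifiers present on that asset.
# CVE-0000-00099 is not in the catalog, so it falls outside the Directive's
# scope and is ignored by the checker.
SAMPLE_INVENTORY: dict[str, set[str]] = {
    "web-gw-01": {"CVE-0000-00001"},
    "mail-01": {"CVE-0000-00002", "CVE-0000-00003"},
    "db-01": {"CVE-0000-00099"},
}

# Constructed reporting date for the sample run.
AS_OF = date(2021, 12, 1)


@dataclass(frozen=True)
class Finding:
    asset: str
    cve_id: str
    due: date
    days_overdue: int  # positive = past the due date; negative = days remaining


def load_catalog(raw_json: str) -> dict[str, date]:
    """Parse a KEV-style catalog into a mapping of CVE id -> required due date."""
    data = json.loads(raw_json)
    return {
        entry["cveID"]: date.fromisoformat(entry["dueDate"])
        for entry in data["vulnerabilities"]
    }


def assess(inventory: dict[str, set[str]], due_dates: dict[str, date],
           today: date) -> list[Finding]:
    """Match the inventory against the catalog; most overdue findings first."""
    findings = []
    for asset, cves in inventory.items():
        for cve in sorted(cves & set(due_dates)):  # only catalogued CVEs count
            due = due_dates[cve]
            findings.append(Finding(asset, cve, due, (today - due).days))
    return sorted(findings, key=lambda f: (-f.days_overdue, f.asset, f.cve_id))


def overdue(findings: list[Finding]) -> list[Finding]:
    """Findings whose catalog due date has already passed."""
    return [f for f in findings if f.days_overdue > 0]


def status_report(findings: list[Finding]) -> dict[str, int]:
    """Counts suitable for the periodic status reporting the Directive asks for."""
    late = len(overdue(findings))
    return {"overdue": late, "within_window": len(findings) - late}


def run_sample() -> list[Finding]:
    """Run the checker over the constructed data as of AS_OF."""
    return assess(SAMPLE_INVENTORY, load_catalog(SAMPLE_CATALOG_JSON), AS_OF)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        state = (f"{f.days_overdue} days overdue" if f.days_overdue > 0
                 else f"{-f.days_overdue} days remaining")
        print(f"{f.asset:10} {f.cve_id}  due {f.due}  {state}")
    print(status_report(results))
```

Two design points matter for a real deployment: the checker treats only CVEs present in the catalog as in scope, which mirrors the Directive's focus on catalogued vulnerabilities rather than every CVE, and the output is ordered by days overdue so the items that breach the remediation timeline surface first. Feeding it the live catalog instead of the constructed one is a matter of downloading the JSON feed and passing its text to load_catalog.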

FCA Seeks Feedback on SDR & Investment Labels

On November 3rd, the UK Financial Conduct Authority (FCA) released for comment Discussion Paper DP21/4: Sustainability Disclosure Requirements and investment labels. Financial market actors and interested parties are invited to provide their comments on 2 main topics:
- Sustainability Disclosure Requirements (SDR): With a disclosure scope that goes beyond climate, listed issuers, asset managers and asset owners will be required to report on their sustainability risks, opportunities and impacts. Required disclosure will include (i) consumer-facing disclosures (investment product label, investment strategy, wider sustainability performance metrics, objective of the product…) and (ii) detailed underlying disclosures (at product level and entity level).
- Sustainable investment labels: Certain investment products will be required to display a label reflecting their sustainability characteristics. The FCA proposes to map investment products into four categories, namely (i) Not promoted as sustainable; (ii) Responsible and Sustainable ‘Transitioning’; (iii) Sustainable ‘Aligned’; (iv) Sustainable ‘Impact’, a category in its own right. Each category will be supported by clear definitions and criteria.

Comments on DP21/4 are to be provided by 7 January 2022 to dp21-04@fca.org.uk or by filling out the online form.


FSRA Ends Consultation on Draft Innovation Framework

The Financial Services Regulatory Authority (FSRA) of Ontario closed its consultation period on the Innovation Framework on November 18, 2021. The proposed framework:
- Sets out guiding principles and an approach to innovation
- Describes the regulatory review process to make innovations easier for new entrants and industry incumbents
- Promotes test and learn environments (TLEs), which will help introduce new products, services and business models

The framework outlines a five-step process to manage and deliver innovation:
1. Opportunity intake - discovering and exploring innovation opportunities
2. Prioritization and management - assessing, prioritizing and selecting innovation opportunities
3. Definition and solutioning - validating and assessing regulatory tools to address the opportunities
4. Risk assessment and testing - scrutinizing potential uncertainties and risks
5. Communication and measurement - outreach and communication

The FSRA also sets out a process for assessing risk:
1. Identify risk actors - who is accountable for the risks and who would be impacted?
2. Understand liabilities - where does the liability and responsibility exist?
3. Assess associated risks - on whom does the risk have a proportionate impact?
4. Assess the risk-benefit balance - what are the potential benefits against the potential risks?
5. Identify uncertainties - what are the assumptions, biases, informational gaps and uncertain risks?

Lastly, the framework promotes the TLEs, which would temporarily allow market participants to offer products, services or new business models to consumers for a trial period within a “special and time-limited regulatory context”, enabling innovators to gauge market response. From a regulatory viewpoint, this will provide the opportunity to identify early-stage innovations while observing unintended consequences and potential complexities in complying with regulation.

The auto insurance sector will be the first to access the new testing environments. The FSRA is an independent regulatory agency created to improve consumer and pension plan beneficiary protections in Ontario. The agency protects Ontarians by regulating entities such as loan and trust companies, health service providers (related to auto insurance), and professionals such as financial planners and advisors.

SEC Commissioner Speaks about Cybersecurity Challenges

In a speech on October 29, 2021, US Securities and Exchange Commission (SEC) Commissioner Elad L. Roisman spoke about cybersecurity in the context of protecting investors, maintaining fair, orderly and efficient markets, and facilitating capital formation. Indeed, market integrity and a stable, growing economy rely on secure data and sound security. He emphasized the challenging position faced by SEC registrants in dealing with cyber threats and stressed that, while the SEC is only one part of the cyber regulatory landscape, the industry has specific areas on which to focus. Roisman outlined some of the regulatory requirements and guidance addressing cybersecurity challenges, including:
- Safeguarding customer records and information in network storage
- Privacy notices and safeguard policies
- Public company cybersecurity disclosures
- The “Safeguards Rule”, requiring registered broker-dealers and investment advisers to implement adequate written policies and procedures designed to protect customer data

Roisman concluded that “cybersecurity will only become more important in our personal and professional lives” and offered a few areas of focus for registrants to start on in the short term, namely identifying the providers and experts that a registrant should call in the event of a cyber incident and conducting table-top exercises to proactively prepare for an incident.


ACPR and AMF Second Joint Report on Fossil Fuel Exposure

In December 2020, the Autorité de contrôle prudentiel et de résolution (ACPR) and the Autorité des marchés financiers (AMF) published a report on the monitoring of the climate commitments of French financial institutions, including banks, insurers and asset management companies. The second report, published on November 3rd, continues the analysis with an assessment of exposure to fossil fuels (oil and gas), focusing on non-conventional hydrocarbons. This second report examined developments in the policies of French financial players. Its main findings were that, while financial institutions updated and completed their thermal coal policies in 2020, they did not sufficiently improve policy transparency and comparability. There are disparities in the measurement of exposure to coal-related companies, and estimates for oil and gas exposures remain “very fragile”. For fossil fuels, market participants are encouraged to “put in place robust, transparent and comparable policies on all fossil fuels in a timely manner”. The report provides further details on the main features of oil and gas policies and the methodological approaches to measuring exposures for bank, insurance and asset management industry participants.

IOSCO Finalized Recommendations on Sustainability-Related Expectations

On November 2nd, the Board of the International Organization of Securities Commissions (IOSCO) published its Final Report on Recommendations on Sustainability-Related Practices, Policies, Procedures and Disclosure in Asset Management. With global ESG assets “on track to exceed USD 53 trillion by 2025”, as per Bloomberg Intelligence, the asset management industry continues to develop new sustainability-related products targeting both institutional and retail investors. With this growth, a number of challenges have been identified, including the need for “consistent, comparable, decision-useful information” and the risk of greenwashing.


Greenwashing refers to misrepresenting the practices and/or features of sustainability-related investment products. Investors may be misled as to the impact of a product, resulting in damaged expectations and undermining confidence in the market segment. Regulatory and supervisory expectations and requirements cover four major areas:
1. Governance — governance disclosures, whether they are climate-related or refer to the governance structures that determine an asset manager’s strategies, business plans and product offerings, provide valuable information to clients to help them evaluate an asset manager’s commitment to sustainability.
2. Investment strategy — sustainability-related risks and opportunities are factored into an asset manager’s investment strategy and process. Transparency in this process is important to enabling clients to evaluate the sustainability-related claims made by asset managers.
3. Risk management — requirements for oversight of the processes to assess and manage sustainability-related risks, which can manifest in financial risks such as credit, market and liquidity risk. Asset managers may also be exposed to reputation and business risks when they do not meet their investors’ sustainability expectations.
4. Metrics and targets — measuring and monitoring sustainability-related risks to help investors understand the risks and opportunities, including the impact of sustainability-related investment decisions.

The report also includes a review of survey responses on financial and investor education and an overview of the challenges associated with the proliferation of sustainability-related products. Responses to the survey showed that financial and investor education can play a role in sustainable finance, including providing support to investors who want to consider social and environmental impacts in their investments.

Among the many challenges identified are:
- Data gaps at the corporate level and the lack of a consistent framework
- Proliferation of data and ESG rating providers and the lack of reliability and consistency
- Lack of consistency in terminology, potentially leading to confusion over terms used to describe ESG strategies
- Lack of consistency in labelling and classification, differing across jurisdictions both in terms of “scope and the degree of compulsion”
- Different interpretations of materiality, including the concept that sustainability-related topics “may become more material over time in response to changes in companies’ operating environments and investor expectations”
- Gaps in skills and expertise
- Evolving regulatory approaches, potentially exacerbating the above challenges

Overall, the Report proposes five recommendations that securities regulators and/or policymakers should consider to improve sustainability-related practices, policies, procedures and disclosure in the asset management industry:
- Set expectations for asset manager practices, policies and procedures in respect of material sustainability-related risks and opportunities and their related disclosure
- Improve product-level disclosure to help investors understand sustainability-related products and material sustainability-related risks
- Supervise and enforce compliance with regulatory requirements and address breaches of requirements
- Develop common sustainable finance related terms to ensure consistency throughout the industry
- Promote financial and investor education relating to sustainability

Montreal Selected as Second Hub to ISSB

On November 3, 2021, the International Financial Reporting Standards (IFRS) Foundation announced that it will set up offices for the new International Sustainability Standards Board (ISSB) in Montreal, Canada. The ISSB’s mission will be to address the current challenges related to ESG reporting by providing investors and companies with standards for reporting sustainability measures. Frankfurt has been named as the headquarters of the ISSB. The IFRS Foundation was established to develop globally accepted accounting standards, providing transparency and enabling investors and other market participants to make informed economic decisions.


Product Corner

CBDC: What Is It?

A Central Bank Digital Currency (CBDC) is “a digital form of central bank money that is different from balances in traditional reserve or settlement accounts” (CPMI-MC (2018)). A CBDC is virtual money backed and issued by a central bank and would constitute an alternative to cryptocurrencies and stablecoins. Central banks around the world, including the BoC, have taken increased interest in CBDC for various reasons, including improving financial inclusion and payment efficiency. Payments Canada offers an educational series on CBDC that explores the global, economic and social implications of a CBDC issuance in Canada as well as the potential impact on the payments industry. The series also outlines the differences between CBDC, cryptocurrency and conventional bank notes.

Stay up-to-date with REGFACTS, INDUSTRY NEWS & TRENDS by Ameis Regulatory Services.


About us

Ameis Regulatory Services focuses on providing regulatory and compliance support for fintech companies. We help you understand the rules that govern your activities, services and products, enabling you to meet your ongoing regulatory obligations and navigate the ever-evolving, complex regulatory landscape. Our team is composed of professionals with extensive experience serving the investment management, capital markets and asset servicing industries.

Complex landscape & widening gaps

Increasing regulatory requirements and the pace of change are making it harder for you to keep up with the pressures of compliance and managing cost-effective operations.

Current challenges

Investor demand for enhanced transparency and disclosure, data privacy, investor and consumer protection requirements, and AML/KYC concerns are some of the many challenges affecting the industry.

We provide practical and tailored solutions:
- Review and analysis of regulatory texts
- Reporting
- Response preparation
- Compliance program development
- Change management
- Regulatory intelligence and training
- Ongoing compliance support
- Registrations

Contact us
Déborah Koualé, Founder - deborah.kouale@ameiscorp.com
Carolyn Le Quéré - carolyn.lequere@ameiscorp.com
www.ameiscorp.com

