AMEIS RegFacts | November 2021 Regulatory Round-Up | Part 1


NOVEMBER 2021

AMEIS REGFACTS: Fintech-Related Regulatory & Compliance News

In this issue:
- Bill 64: Québec's Modernized Privacy Regime
- CSA Consults on Climate-Related Disclosure Requirements
- Payments Canada Report: Digital Payments Soared Due to the Pandemic
- FinCEN: Bitcoin Is the Currency of Choice for Cybercriminals
- Cyber Risk, a Priority Topic for the Euro Cyber Resilience Board
- FTC Updates Safeguards Rule
- FATF Updated Guidance for a Risk-Based Approach to VAs and VASPs
- DeFi: Quésaco?

www.ameiscorp.com


Bill 64: Québec's Modernized Privacy Regime

On September 21, 2021, the Québec National Assembly adopted Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, which significantly changes Québec's private sector and public sector privacy regimes. Our summary focuses on the amendments to Québec's Act respecting the protection of personal information in the private sector, which will be phased in over the next three years.

Highlights of some of the key changes

Requirements effective as of September 22, 2022

- Appointment of a Privacy Officer. By default, the CEO is the Privacy Officer.
- Reporting of a "confidentiality incident". Incidents presenting a risk of serious injury must be reported "as soon as possible" (or "promptly"), taking into consideration the gravity of the incident, to both the Commission d'accès à l'information and the affected individuals.
- Commercial transactions. Personal information may be communicated without consent in the context of a commercial transaction, subject to a contractual agreement between the parties.
- Study, research or statistics. Personal information may be communicated for these purposes without prior consent.

Requirements effective as of September 22, 2023

- Privacy framework. Firms must implement a privacy framework including the policies, procedures and practices relevant to the protection of personal information.
- Privacy Impact Assessments (PIAs). Firms will have to conduct an adequate and tailored PIA for each acquisition, development and redesign of any information system project or electronic service delivery project involving personal information.
- Strengthened transparency rules. Firms must provide individuals with appropriate disclosure, i.e., the purposes of the collection, the means of collection, the rights of access and rectification, the right to withdraw consent, communication of the information outside Québec, etc.


- Privacy by default. Except for cookies, firms must ensure that any technological product or service that has privacy settings provides the highest level of confidentiality by default.
- Consent. Consent must be clear, free and informed. Express consent must be obtained for the use of sensitive information for secondary purposes. Individuals who provide their personal information after receiving adequate privacy disclosure are deemed to have consented to its use and communication for the purposes indicated in that disclosure.
- Communication of information outside Québec. Firms must conduct a PIA prior to any cross-border transfer of personal information, taking into consideration elements such as the sensitivity of the information, the purposes for which it will be used, the applicable protection measures and the legal framework of the receiving jurisdiction.
- Right to be de-indexed. Individuals will have the right to demand that their personal information cease to be disseminated or be de-indexed.
- Anonymized data. Once the purposes for which personal information was collected or used have been achieved, the organization must generally destroy the information, or anonymize it in order to use it for a serious and legitimate purpose.

Requirements effective as of September 22, 2024

- Right to data portability. An individual will have the right to request that personal information be communicated to them, or to another organization of their choice, in a structured and commonly used technological format.

To comply with the new requirements introduced by Bill 64, organizations should take the necessary steps as promptly as possible given the upcoming deadlines. This includes appointing a Privacy Officer, implementing or updating the privacy framework, and assessing systems so that privacy safeguards are adequately set.



CSA Consults on Climate-Related Disclosure Requirements

On October 18, 2021, the Canadian Securities Administrators (CSA) released for public comment Proposed National Instrument 51-107 Disclosure of Climate-related Matters (the "Proposed Instrument") and its companion policy. The aim is to provide "mandatory climate-related disclosures that provide consistent, comparable and decision-useful information to market participants".

The Proposed Instrument would apply to all reporting issuers except:
- investment funds;
- issuers of asset-backed securities;
- designated foreign issuers or SEC foreign issuers;
- certain exchangeable security issuers; and
- certain credit support issuers.

Reporting issuers in scope would have to comply with:
- climate-related governance disclosure requirements, through Form 51-107A; and
- climate-related strategy, risk management, and metrics and targets disclosure requirements, through Form 51-107B, which should also include, among other things, the reporting standard used by the issuer to calculate and disclose its GHG emissions.

The disclosure requirements would be phased in. Comments are to be submitted in writing by January 17, 2022 to consultation-en-cours@lautorite.qc.ca or comment@osc.gov.on.ca.

Payments Canada Report: Digital Payments Soared Due to the Pandemic

On September 29, 2021, Payments Canada published its annual Payment Methods and Trends report, analyzing 20 billion payment transactions made in 2020, totalling $9.4 trillion. The year 2020 was marked by the COVID-19 pandemic, which drove a shift in payment behaviour toward digital and contactless payments and accelerated the decline in cash usage.

Key trends
- Electronic payments rose to 79% of all transactions.
- Contactless payments increased 13%.
- Nearly half of Canadians reported making payments on e-commerce platforms, helping push e-commerce payment volume up 13%.
- Online transfers rose 48% in volume.
- Credit, debit and cash remain the top three payment methods by volume, although their use declined compared to previous years.
- By total value, electronic funds transfers (EFT) and cheques remain the top payment methods.
- From a small and medium enterprise perspective, EFT, credit cards and cheques were the preferred payment methods: EFT represented 25% of total payment value, followed by credit cards at 24% and cheques at 17% of total business expenditure.

FinCEN: Bitcoin Is the Currency of Choice for Cybercriminals

The Financial Crimes Enforcement Network (FinCEN) published its report on threat patterns and ransomware trends for the first half of 2021. Derived from the Suspicious Activity Reports (SARs) filed by financial institutions, the report shows the increasing threat of ransomware to the U.S. financial sector, businesses and the public. The report describes ransomware as "malicious software that encrypts a victim's files and holds the data hostage until a ransom is paid". Cyber criminals have adopted different approaches to targeting their ransomware victims, new methods to maximize ransomware payouts, and novel ways to obfuscate their identities in the payment transactions.

The report also provides insights into changing payment preferences. Bitcoin was the most common ransomware-related payment method, but threat actors are increasingly requesting payment in anonymity-enhanced cryptocurrencies (AECs). Threat actors are also:
- avoiding the reuse of wallets;
- cashing out deposits at foreign centralized convertible virtual currency (CVC) exchanges with inadequate AML/CFT standards;
- converting CVC into a different CVC at least once before transferring the funds to another platform or service, a practice referred to as "chain hopping";
- using mixing services to conceal the source of CVC; and
- converting ransomware-related payments into other types of CVC through decentralized exchanges that lack account or custodial relationships.

Overall, the number of ransomware-related SARs filed in the first half of 2021 (635) exceeded the number filed for all of 2020 by 30%. In total U.S. dollar value, ransomware-related SARs represented $590 million, a 42% increase compared to all of 2020.

Key takeaways

These reports relate to sixty-eight ransomware variants, of which REvil/Sodinokibi, Conti, DarkSide, Avaddon and Phobos were the most common. FinCEN's guidance for financial institutions on reporting ransomware-related incidents is available at https://www.fincen.gov/resources/advisoriesbulletinsfactsheets. Cybercrime, including cybersecurity and virtual currency considerations, is one of the U.S. national priorities for anti-money laundering and countering the financing of terrorism (see Ameis' earlier RegFacts coverage).

Cyber risk, a priority topic for the Euro Cyber Resilience Board for pan-European Financial Infrastructures

Fabio Panetta, Member of the Executive Board of the European Central Bank (ECB), recently gave introductory remarks to the Euro Cyber Resilience Board for pan-European Financial Infrastructures (ECRB), focusing on cyber risk and the integrity of digital finance.

In the context of a pandemic that has accelerated existing trends toward working from home, online shopping, and contactless and cashless payments, Panetta highlighted the role of financial market infrastructures in accompanying the digital transformation and adapting to the new needs of society and the economy. For payment systems, this digitalisation also brings risks, notably cyber risk. Panetta discussed the factors that are increasing financial market infrastructures' vulnerability to cyberattacks: the increasing use of digital services, widespread reliance on technology, and the growing use and interconnectedness of third-party products and services. Cyber attacks have been singled out as the number one risk for the global financial system.

The cyber threat landscape for financial market infrastructures is complex. With attacks rising in sophistication and frequency, Panetta warned that their potential impact is constantly growing. He called on the industry to proactively tackle cyber threats, intensify its efforts, remain vigilant and continuously maintain the highest level of resilience, since the financial damage and reputational impact of an attack are far higher than the monetary cost of improving cyber resilience.

For more information on the Cyber Information and Intelligence Sharing Initiative (CIISI-EU), which facilitates the sharing of cyber intelligence and best practices: https://www.ecb.europa.eu/paym/groups/euro-cyber-board/shared/pdf/ciisieu_practical_example.pdf

FTC Updates Safeguards Rule

On October 27, 2021, the Federal Trade Commission published its Final Rule amending the Standards for Safeguarding Customer Information (Safeguards Rule). The Safeguards Rule requires financial institutions under the FTC's jurisdiction to have measures in place to keep customer information secure. The amendments include the following provisions:

1. more detailed guidance on developing and implementing specific aspects of an overall information security program, such as access controls, authentication, and encryption;
2. guidance to improve the accountability of financial institutions' information security programs, such as requiring periodic reports to boards of directors or governing bodies and designating a single Qualified Individual to be responsible for the information security program;
3. exemptions for financial institutions that collect information from fewer than 5,000 customers from certain requirements, such as a written risk assessment and a written incident response plan; and
4. an expanded definition of "financial institution" to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities, in particular companies that act as "finders", "bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate".

A supplemental notice of proposed rulemaking was also published on October 27, requesting public comment on a proposed requirement that financial institutions report security events to the FTC. The request for comment covers:
- the appropriate deadline for reporting security events after discovery;
- whether all security events should require notification, or only those meeting certain criteria;
- whether such reports should be made public;
- whether events involving encrypted information should be covered by the requirement; and
- whether the requirement should allow law enforcement agencies to prevent or delay notification where notification would affect a law enforcement investigation.

FATF Updated Guidance for a Risk-Based Approach to VAs and VASPs

On October 28, 2021, the Financial Action Task Force (FATF) updated its guidance for virtual assets (VAs) and virtual asset service providers (VASPs), with changes focused on six areas:

1. clarification of the definitions of virtual assets and VASPs;
2. guidance on how the FATF Standards apply to stablecoins;
3. additional guidance on the risks of peer-to-peer transactions and the tools available to countries to address their money laundering and terrorist financing risks;
4. updated guidance on the licensing and registration of VASPs;
5. additional guidance for the public and private sectors on the implementation of the "travel rule"; and
6. principles of information-sharing and co-operation amongst VASP supervisors.

As observed by the FATF, VAs are becoming "increasingly mainstream for criminal activity", including computer crimes such as ransomware. To combat these types of crime, the guidance urges national authorities to co-operate on VAs to address cyber issues, in part because of the highly mobile and cross-border nature of VA activity. Supervisors should exchange information and co-operate, proactively where a cybersecurity incident has a potential AML/CFT impact on other jurisdictions.

By the numbers

This year, reports of cyber crime and fraud have surpassed those of 2020. In the cryptocurrency sector specifically, data from the US, UK, Australia and Canada reveal significant increases:
- In the UK, £146,222,332 has been lost to cryptocurrency fraud since the start of the year, up nearly 30% (October 2021).
- In the US, between October 2020 and May 2021, nearly 7,000 reports of losses amounting to more than $80 million on cryptocurrency scams were received (May 2021).
- In Australia, more than half of the $70 million in total reported losses were to cryptocurrency scams, the most commonly reported type of investment scam, with 2,240 reports (August 2021). Losses involving Bitcoin investment scams reached $25.7 million in the first half of 2021, up 44% compared to 2020.
- In Canada, cryptocurrency fraud increased by more than 400% between 2017 and 2020 (March 2021).
- According to a report by CipherTrace, major crypto thefts, hacks and frauds totalled $681 million by the end of July 2021, with DeFi-related losses accounting for 54% of major crypto fraud volume.

The continued interest of investors in cryptoassets makes this a growing target for criminal activity.



From a regulatory perspective, the FATF Guidance for a Risk-Based Approach to VAs and VASPs and the related FATF Recommendations (see above) set the standards for combating money laundering and the financing of terrorism and proliferation. For electronic funds transfers and virtual asset transfers, Recommendation 16 (the "travel rule") requires financial entities, money services businesses and VASPs to include the following information with the transfer:
- the name, address and account number (or other reference number, if any) of the person or entity who requested the transfer (originator information);
- the name and address of the beneficiary; and
- if applicable, the beneficiary's account number or other reference number.

The objective is to prevent criminals and terrorists from moving funds freely and to detect misuse.
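As an added illustration (not code from this newsletter or from the FATF guidance), the following Python shows how a VASP might check a transfer against the data elements listed above before releasing it, failing closed when any required element is missing. The message layout, the field names and the sample transfers are assumptions made for this example, not a real travel-rule messaging format.

```python
# Added example, not from the newsletter or from the FATF: a minimal
# pre-release check that a virtual asset transfer carries the
# Recommendation 16 ("travel rule") data elements listed above.
# The message layout, field names and sample transfers are this
# example's own assumptions, not a real VASP messaging format.

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Party:
    name: Optional[str] = None
    address: Optional[str] = None
    # Account number, or another unique reference number when no account is used.
    account_number: Optional[str] = None


@dataclass
class Transfer:
    originator: Party
    beneficiary: Party
    # The beneficiary's account number is required only "if applicable";
    # the sending VASP sets this to False when the receiving side has no account.
    beneficiary_account_applicable: bool = True


def _present(value: Optional[str]) -> bool:
    """A field counts as present only if it has non-whitespace content."""
    return value is not None and value.strip() != ""


def travel_rule_gaps(transfer: Transfer) -> List[str]:
    """Return the names of the required travel-rule fields that are missing.

    An empty list means the transfer carries all the required elements.
    """
    gaps = []
    o, b = transfer.originator, transfer.beneficiary

    # Originator: name, address, and account/reference number.
    if not _present(o.name):
        gaps.append("originator.name")
    if not _present(o.address):
        gaps.append("originator.address")
    if not _present(o.account_number):
        gaps.append("originator.account_number")

    # Beneficiary: name and address always; account number only if applicable.
    if not _present(b.name):
        gaps.append("beneficiary.name")
    if not _present(b.address):
        gaps.append("beneficiary.address")
    if transfer.beneficiary_account_applicable and not _present(b.account_number):
        gaps.append("beneficiary.account_number")

    return gaps


def may_release(transfer: Transfer) -> bool:
    """Release only when no required element is missing (fail closed)."""
    return not travel_rule_gaps(transfer)


# Constructed sample transfers (fictitious names, addresses and references).
COMPLETE = Transfer(
    originator=Party("Alice Example", "1 Rue Exemple, Montréal", "ORIG-ACCT-0001"),
    beneficiary=Party("Bob Sample", "2 Sample Street, Toronto", "BEN-ACCT-0002"),
)

# Whitespace-only originator address and no beneficiary reference at all.
INCOMPLETE = Transfer(
    originator=Party("Alice Example", "   ", "ORIG-ACCT-0001"),
    beneficiary=Party("Bob Sample", "2 Sample Street, Toronto", None),
)

# Same missing beneficiary reference, but the receiving side has no account,
# so the element is not applicable and the transfer may still be released.
NO_BENEFICIARY_ACCOUNT = Transfer(
    originator=Party("Alice Example", "1 Rue Exemple, Montréal", "ORIG-ACCT-0001"),
    beneficiary=Party("Bob Sample", "2 Sample Street, Toronto", None),
    beneficiary_account_applicable=False,
)

if __name__ == "__main__":
    for label, t in (("complete", COMPLETE), ("incomplete", INCOMPLETE),
                     ("no-beneficiary-account", NO_BENEFICIARY_ACCOUNT)):
        print(label, "release" if may_release(t) else "hold", travel_rule_gaps(t))
```

The check treats whitespace-only values as absent, since a field that is technically populated but carries no information defeats the purpose of the rule, and it holds the transfer rather than releasing it with a warning: the missing elements are returned by name so the operator can see exactly what has to be obtained from the counterparty before the transfer proceeds.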

Product Corner

DeFi: Quésaco?

Short for decentralized finance, DeFi describes blockchain-based alternatives to traditional financial systems. It is an umbrella term for peer-to-peer financial services on public blockchains, the most common being Ethereum; peer-to-peer meaning that transactions take place directly between users. In other words, DeFi enables financial transactions to be executed through blockchain applications without a financial institution such as a bank or other intermediary (e.g., brokerages, exchanges, etc.). DeFi platforms let users carry out traditional transactions such as lending, earning interest, borrowing, buying insurance, trading derivatives and trading assets.



About us

Ameis Regulatory Services focuses on providing regulatory and compliance support for fintech companies. We help you understand the rules that govern your activities, services and products, enabling you to meet your ongoing regulatory obligations and navigate the ever-evolving, complex regulatory landscape. Our team is composed of professionals with extensive experience serving the investment management, capital markets and asset servicing industries.

Complex landscape & widening gaps

Increasing regulatory requirements and the pace of change are making it harder for you to keep up with the pressures of compliance while managing cost-effective operations.

Current challenges

Investor demand for enhanced transparency and disclosure, data privacy, investor and consumer protection requirements, and AML/KYC concerns are some of the many challenges affecting the industry.

We provide practical and tailored solutions
- Review and analysis of regulatory texts
- Reporting
- Response preparation
- Compliance program development
- Change management
- Regulatory intelligence and training
- Ongoing compliance support
- Registrations

Contact us
Déborah Koualé, Founder, deborah.kouale@ameiscorp.com
Carolyn Le Quéré, carolyn.lequere@ameiscorp.com

www.ameiscorp.com

