December Global Regulatory Brief: Digital finance
The Global Regulatory Brief provides monthly insights on the latest risk and regulatory developments. This brief was written by Bloomberg’s Regulatory Affairs Specialists.
Digital finance regulatory developments
As technology continues to reshape financial services, regulators and policy setters are embarking on a range of digital-finance initiatives to manage risks and set appropriate standards. From operational resilience in the Philippines to critical third parties in the UK, the following developments in digital finance over the past month stand out:
- Philippines: Central Bank issues guidance on operational resilience
- China: Cyberspace Administration publishes call for global cross-border data flow cooperation
- UK: Financial regulators issue policy statement on critical third parties regime
- EU: Commission adopts final rules on Registers of Information under DORA
- US: CFTC advisory committee advances recommendation on tokenized non-cash collateral
The Philippines Central Bank issues guidance on operational resilience
Bangko Sentral ng Pilipinas (BSP) has issued the ‘Guidelines on Operational Resilience’, aimed at the financial institutions it supervises. The guidelines aim to strengthen FIs’ ability to manage and mitigate the impact of disruptions on their critical operations, including natural disasters and technological advancements.
In more detail: The guidelines require FIs to integrate operational resilience with existing governance structures and related risk management processes, such as operational risk management, business continuity management, cyber resilience, third-party risk management, and recovery plans.
- FIs must identify ‘critical operations’, which, if disrupted, would cause material harm to their customers, their business, and/or the financial system.
- They must also set tolerance levels for disruption or how much disruption they can handle while still delivering critical operations. FIs need to ensure that they remain within their established limits.
The guidelines make reference to the Basel Committee on Banking Supervision “Principles for Operational Resilience”.
What’s next? The guidelines will be implemented in phases to ensure smooth transition and implementation.
- FIs must submit to the BSP an accomplished self-assessment questionnaire within one year from the circular’s effective date.
- This will guide them in identifying areas for improvement and preparing action plans for their operational resilience frameworks.
- The operational resilience framework must then be implemented as part of an FI’s existing risk management system within either two or three years of the effective date of the circular, depending on type of FI.
Cyberspace Administration of China publishes call for global cross-border data flow cooperation
The Cyberspace Administration of China (CAC) has published a call for global cross-border data flow cooperation.
In more detail: The CAC noted that countries are primarily concerned with risks related to national security, public interests, personal privacy, and intellectual property; it believes that the international community should fully respect the different policies and practices adopted by various countries and regions based on their specific conditions, to acknowledge concerns regarding data security and development and to work toward building consensus on cross-border data flow rules through consultation among countries and regions.
The CAC makes the following suggestions for governments, including:
- Encouraging electronic cross-border data transmission to meet the needs of business and social activities
- Respecting the regulatory differences of various countries and regions in cross-border data flows and supporting free data flows that do not violate national security, public interests, and personal privacy
- Supporting the establishment of negative lists [‘white lists’] for managing cross-border data flow to promote efficient, convenient and safe cross-border data flow
- Working together to create a data flow and usage environment that is open, inclusive, secure, and non-discriminatory and promoting the orderly and healthy development of the digital economy
- Enhancing the transparency, predictability, and non-discriminatory nature of measures managing the cross-border flows of various types of data, as well as the interoperability of policy frameworks
- Engaging in international cooperation in the field of cross-border data flows
- Opposing overstretching the concept of national security on data issues
Call to action: While no specific next steps or timelines are attached, the CAC noted its readiness to carry out and deepen exchanges and cooperation in the field of cross-border data flows with all parties based on this initiative, and has called on all countries and regions to respond to and endorse the initiative through bilateral, multilateral, or regional agreements and arrangements.
UK financial regulators issue policy statement on critical third parties regime
The Bank of England, Prudential Regulation Authority, and the Financial Conduct Authority (collectively ‘the regulators’) published the final rules under the UK Critical Third Parties Regime, which gives further detail of how they intend to assess, designate, and supervise Critical Third Parties (CTPs).
Intention: The objective of the regulators is to manage risks to the stability of, or confidence in, the UK financial system that may arise due to a failure in, or disruption to, the services that a CTP provides to regulated firms.
What this means for CTPs and regulated firms: The regime covers the rules that a CTP would be subject to in respect of the services it provides to firms, including the requirements applicable to CTPs in relation to the material services they provide to firms.
- This includes in relation to testing, information sharing, notifications to regulators etc.
- For regulated firms, the regulators state that the CTP regime does not impose additional, explicit requirements or expectations on them, but complements their existing requirements and expectations relating to operational resilience and third party risk management.
Next steps: The final rules for CTPs will take effect from 1 January 2025, after which the regulators may recommend third parties to HM Treasury for an ultimate decision on which firms will be designated as CTPs.
EU adopts final rules on Registers of Information under DORA
The EU Commission has adopted the final Implementing Technical Standards (ITS) on the DORA Registers of Information that EU financial entities need to maintain in relation to contractual arrangements on the use of ICT services provided by ICT third-party service providers. The rules have been published on the EU Official Journal and will enter into force 20 days following publication.
Context: The draft rules issued by the EU Supervisory Authorities (ESAs) were initially rejected by the EU Commission, which proposed amendments in order to give companies a choice between the use of the LEI and the European Unique Identifier (EUID) when listing their ICT third-party services providers in the registers. The final adopted rules provide the choice between the LEI and the EUID for the identification of ICT third-party services providers, while they clarify that only the LEI should be used for identification of providers not established in the EU, and that financial entities should be identified by means of LEI.
Closely related: The ESAs announced that the first submission deadline for national competent authorities (NCAs) to submit the Registers of Information under DORA will be 30 April 2025, meaning that EU financial entities will be required to submit the registers to their national authorities ahead of the April 2025 deadline.
Go-live: The DORA rules are set to apply in the EU from January 17, 2025.
CFTC advisory committee advances recommendation on tokenized non-cash collateral
The U.S. Commodity Futures Trading Commission’s (“CFTC”) Global Markets Advisory Committee advanced a recommendation to expand the use of non-cash collateral through the use of distributed ledger technology (“DLT”). The recommendation provides a legal and regulatory framework for how market participants can apply their existing policies, procedures, practices, and processes to support use of DLT for non-cash collateral in a manner consistent with existing margin requirements.
In more detail: The recommendations note that, despite broad eligibility to serve as regulatory margin, existing transfer mechanisms for certain non-cash assets make the use of such assets impractical for many firms. They suggest that the use of DLT-based infrastructure in an institution’s back-office functions or the tokenization of assets on a distributed ledger would alleviate these burdens. To facilitate these use cases, the Committee recommends that:
- a CFTC registrant using DLT-based infrastructure as part of its internal books and records should be able to rely on its normal processes to assess relevant operational risks;
- a CFTC registrant looking to accept eligible non-cash collateral in tokenized form should be able to satisfy relevant requirements by applying its existing policies, procedures, and practices; and
- the use of DLT for these purposes need not affect the character of the relevant asset, and as such, no new rules or guidance should be necessary in order to permit its use.
Important context: Recommendations by advisory committees are not official Commission policy. However, because advisory committees are viewed as domain experts and are sponsored by sitting commissioners, the Commission often adopts their recommendations at a later date.
View the additional regulatory briefs from this month:
Sign up to receive these updates in your inbox first.
How we can help
Bloomberg’s Public Policy and Regulatory team brings you insight and analysis on policy developments to help navigate the complex and fast changing global regulatory landscape. To discuss regulatory solutions, please get in touch with our specialists or read more insights from our Regulatory team.