Global Regulatory Brief: Digital finance, August edition

The Global Regulatory Brief provides monthly insights on the latest risk and regulatory developments. This brief was written by Bloomberg’s Regulatory Affairs Specialists.

Digital finance regulatory developments

As technology continues to reshape financial services, regulators and policy setters are embarking on a range of digital-finance initiatives to manage risks and set appropriate standards. From stablecoins in Switzerland to asset tokenization in Singapore, the following developments in digital finance over the past month stand out:

• Singapore: MAS expands industry initiatives to scale asset tokenization
• International: Basel Committee consults on principles for banks’ management of third-party risk
• UK, US, EU: Competition authorities issue joint-statement on AI
• US: Chevron ruling could impact future AI rulemaking
• US: SEC likely to delay predictive data analytics and AI rulemaking
• UK: FCA takes first enforcement action against firm enabling crypto asset trading
• Switzerland: FINMA publish guidance on stablecoins
• EU: ESAs issue second batch of detailed policy measures under DORA

MAS expands industry initiatives to scale asset tokenization

The Monetary Authority of Singapore (MAS) announced the expansion of initiatives to scale asset tokenization for financial services.

Background: The MAS had worked in the past two years with 24 financial institutions (FIs) to pilot asset tokenization use cases under Project Guardian. These FIs span across asset managers, market operators, custodians, credit rating agencies and commercial banks. The focus areas of Project Guardian were to –

• Explore open, interoperable networks that enabled digital assets to be traded across platforms and liquidity pools;
• Establish a trusted environment through a common trust layer of independent trust anchors with risk management discipline to screen and onboard entities;
• Examine the representation of securities in the form of digital bearer assets and tokenized deposits issued by financial institution; and
• Study the introduction of regulatory safeguards and controls into financial protocols to mitigate against market manipulation and operational risk.

The pilot projects explored issuance of products for asset and wealth management, fixed income and foreign exchange.

Expanded workstreams: Building on the success of the previous industry pilots, three workstreams will be set up to foster the development of standards and frameworks across key asset classes –

• Fixed Income workstream will work with ICMA to develop protocols and data specifications building on ICMA’s Bond Data Taxonomy, and consider the types of risk factors and disclosures required in a tokenized bond offering document. Workstream members will also partner GFMA to develop standard clauses for implementing smart contracts of fixed income products.
• FX workstream, in partnership with ISDA and the Global Foreign Exchange Division (GFXD) of the GFMA, will develop FX data specifications, risk management frameworks, and FX documentation.
• Asset & Wealth Management workstream will deepen collaboration with global custodians and asset managers, focus on common data models, and model risk considerations specific to fund tokenization.

Shared ledger infrastructure: MAS identified the need for a shared ledger infrastructure that can host multiple types of tokenized financial assets while meeting relevant regulatory requirements and preserving the policy autonomy of participating jurisdictions. A Global Layer One (GL1) initiative was also launched to explore the considerations of a shared ledger infrastructure. A whitepaper detailing the design principles, objectives, considerations and potential uses of the GL1 was published.

Future direction: MAS plans to expand collaboration with more policymakers, central banks, international standards setting bodies and FIs as work on GL1 progresses.

Basel Committee consults on principles for banks’ management of third-party risk

The Basel Committee for Banking Supervision (BCBS) opened a consultation on its principles for the sound management of third-party risk in the banking sector. 

Context: The Committee seeks to promote a principles-based approach to improving banks’ operational risk management and operational resilience through effective third-party risk management, superseding its 2005 guidance on “Outsourcing in Financial Services” in respect to the banking sector. 

The intention: The new set of principles aim to reflect the evolution of a more diverse third-party services provider (TPSP) environment in the banking sector as well as banks’ increasing reliance on TPSPs due to the ongoing digitalisation and rapid growth in financial technology. They intend to provide guidance to banks and prudential supervisors on effective third-party risk management and enhance the banks’ ability to face operational disruptions and mitigate any impact from such events. 

In detail: The document focuses on twelve high-level principles in a number of categories, including: Governance, risk management and strategy; Risk assessment; Due diligence; Contracting; Onboarding and ongoing monitoring; Termination; Role of supervisors.

Closely related: The Principles complement and expand on existing guidance, including the Financial Stability Board’s 2023 report. They aim to establish a common baseline for banks and supervisors for the risk management of third parties, while providing the necessary flexibility to accommodate evolving practices and regulatory frameworks across jurisdictions.

Next steps: Stakeholders can provide feedback on the document until October 9, 2024.

US, EU, and UK competition authorities issue joint statement on generative AI foundation models

The European Commission, the UK Competition and Markets Authority, the US Department of Justice and the US Federal Trade Commission issued a joint statement on competition in generative artificial intelligence (AI) foundation models and AI products.

Context: With AI representing a major technological inflection point, the statement outlines the importance of being vigilant and safeguarding against tactics that could undermine fair competition.

Risks to competition: The statement identifies risks that require ongoing vigilance-

• The concentrated control of key inputs puts a small number of companies in a position to exploit and influence the development of AI tools. 
• Foundation models are arriving at a time when large incumbent digital firms already enjoy strong accumulated advantages and this may entrench or extend market power in AI-related markets. 
• The widespread partnerships, financial investments, and other connections between firms related to the development of generative AI could be leveraged to undermine or co-opt competitive threats.

Principles for protecting competition in the AI ecosystem: The statement describes several common principles that can help serve to enable competition and foster innovation-

• Fair dealing
• Interoperability, by subjecting claims that interoperability requires sacrifices to privacy and security to close scrutiny.
• Choice, by scrutinizing the ways in which alternative options are restricted as well as the investments and partnerships between incumbents and newcomers.

Other competition risks: The statement underlines other risks associated with AI, such as the risk that algorithms can allow competitors to share competitively sensitive information, fix prices, or collude on other terms or business strategies in violation of our competition laws; or the risk that algorithms may enable firms to undermine competition through unfair price discrimination or exclusion. 

Consumer risks: The statement emphasizes how AI can turbocharge deceptive and unfair practices that harm consumers, and use of both consumer data and business customer data to train models can generate various risks. The statement concludes that it is important for consumers to be informed about when and how an AI application is employed in the products and services they purchase or use.  

Chevron doctrine overturn could impact future AI rulemaking

In late June, the US Supreme Court issued a ruling (Loper Bright Enterprises v. Raimondo) which significantly curtailed the ability of federal agencies to interpret the laws they administer. The Court ruled that the judiciary should make their own interpretations of ambiguous statues, rather than deferring to regulatory agencies.

Context: In 1984, a ruling by the Supreme Court in the case of Chevron v. The Natural Resources Defense Council established the principle (i.e. Chevron doctrine/deference) that when dealing with statutory ambiguities, federal courts must defer to a reasonable interpretation of the statute in question from an agency.

Why it matters: While the overturning of Chevron has considerable implications across the regulatory landscape, the impacts could be particularly acute in the AI space. 

• While the US has yet to pass any sweeping AI legislation at the federal level, the overturning of Chevron will necessitate that Congress be much more specific when drafting legislation in general, but particularly with regard to AI. 
• Given the speed of development in the AI space and the likely ambiguities that will present themselves either in the context of existing law, or yet to be enacted law, the result may be further difficulty in enacting laws and rules around AI.

SEC could delay PDA rulemaking

The SEC issued its updated rulemaking agenda and in doing so, appeared to indicate that it plans to gather more feedback on its proposal to “eliminate, or neutralize the effect of, certain conflicts of interest associated with broker dealer’ of investment advisers interactions with investors” which use “technologies that optimize for, predict, guide, forecast, or direct investment-related behaviors or outcomes.” (PDA Proposal)

In a filing, the Division of Trading and Markets along with the Division of Investment Management noted that they are “considering recommending that the Commission re-propose [the rule]”. The filing further indicated that the Commission will look to issue a second Notice of Proposed Rulemaking around October 2024.

Why it matters: The PDA Proposal as currently constructed would have covered a wide swath of technologies in use across the financial services industry. If the Commission goes ahead with the re-proposal as expected, the scope and applicability of any new proposed rules will be a focal point.

FCA takes first enforcement action against firm enabling crypto asset trading

The UK Financial Conduct Authority (FCA) has fined CB Payments Limited (CBPL) over £3.5million for repeatedly breaching a requirement that prevented the firm from offering services to high-risk customers. 

Context: While CBPL does not undertake cryptoasset transactions for customers and is not currently registered to undertake cryptoasset activities in the UK, it acts as a gateway for customers to trade cryptoassets via other entities within the Coinbase Group. 

Financial crime control: The firm entered into a voluntary requirement (the VREQ) in October 2020, which followed significant engagement with the FCA relating to concerns about the effectiveness of CBPL’s financial crime control framework. 

• Although the VREQ prevented CBPL from taking on new high-risk customers while it addressed issues with its framework, CBPL onboarded and/or provided e-money services to 13,416 high-risk customers. 
• These funds were used to make withdrawals and then execute multiple cryptoasset transactions via other Coinbase Group entities, totalling approximately USD $226 million.

Bottom line: The material breaches went undiscovered for almost two years and resulted from a lack of care and diligence in the controls put in place to ensure that the VREQ was effective. 

• The FCA underscores the importance of having strong financial crime controls in light of the money laundering risks associated with crypto
• The enforcement action was taken under the Electronic Money Regulations 2011, representing the first time the FCA has taken enforcement action using these powers.

FINMA publishes guidance on stablecoins

The Swiss Financial Market Supervisory Authority FINMA published further guidance on the issuance of stablecoins in the Swiss financial market.  

In more detail: FINMA provides information on aspects of financial market law that arise in relation to stablecoin projects and the impact of such projects on the supervised institutions.

• FINMA draws attention to the increased risks in the areas of money laundering, terrorist financing and the circumvention of sanctions, which result in reputational risks for the broader Swiss financial centre. 
• FINMA notes that various issuers of stablecoins in Switzerland use default guarantees from banks, which means that they often do not require a licence from FINMA under banking law, creating risks for both the stablecoin holders and the banks providing the guarantee. 
• In addition, FINMA provides information on its minimum requirements for default guarantees in order to protect depositors. These also apply when dealing with stablecoins.

Important context: The guidance comes as projects seeking to issue stablecoins have gained in importance in Switzerland. 

• These projects generally seek to provide a means of payment with low price volatility on a blockchain. 
• The guidance follows guidelines issued in 2019 regarding the regulatory framework for initial coin offerings (ICOs). 

ESAs issue second batch of detailed policy measures under DORA

The EU Supervisory Authorities (ESAs) issued a second batch of detailed measures (RTS and guidelines) due to be finalised under the DORA Regulation by 17 July. 

Context: These latest texts integrate the input received during the stakeholder consultation period, which took place from December 2023 to March 2024. The package includes detailed rules on the reporting framework for ICT-related incidents and threat-led penetration testing by financial entities, as well as requirements on the design of the oversight framework for critical third-party service providers (CTPPs).

In more detail: The published texts include:

• Final draft RTS and ITS on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats
• Final draft RTS on the harmonisation of conditions enabling the conduct of the oversight activities
• Final draft RTS on threat-led penetration testing (TLPT)
• Final draft RTS specifying the criteria for determining the composition of the joint examination team (JET) 
• Final draft Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents
• Final draft Guidelines on oversight cooperation between the ESAs and the competent authorities 

The ESAs also specified that the remaining RTS on Subcontracting will be published in due course.

Next steps: The final draft rules have been submitted to the EU Commission (EC) for endorsement. Once the EC endorses the texts, these will be submitted to a three-month scrutiny period by the EU Parliament and Council. 

• If no objections are raised, they will enter into force following their publication in the EU Official Journal. 
• The DORA rules are set to apply in the EU from January 17, 2025.

Closely related: The ESAs also announced that they will set up an EU systemic cyber incident coordination framework (EU-SCICF) under DORA, intended to facilitate communication and coordination among EU authorities and to liaise with other key international stakeholders, in case of cyber incidents posing a risk to financial stability. 

View the additional regulatory briefs from this month:

• Trading and markets
• Risk, capital and financial stability
• Green finance

Sign up to receive these updates in your inbox first.

How we can help

Bloomberg’s Public Policy and Regulatory team brings you insight and analysis on policy developments to help navigate the complex and fast changing global regulatory landscape. To discuss regulatory solutions, please get in touch with our specialists or read more insights from our Regulatory team.