Global Regulatory Brief: Digital finance, October edition

The Global Regulatory Brief provides monthly insights on the latest risk and regulatory developments. This brief was written by Bloomberg’s Regulatory Affairs Specialists.

Digital finance regulatory developments

The growing role of technological innovation in financial services continues to attract the attention of regulators and policy-setters as they embark on a range of initiatives to manage risks and set appropriate standards. The following global developments in digital finance over the past month stand-out:

• India: SEBI introduces guidelines to boost cyber security framework for exchanges
• UK: Competition regulator publishes report on AI foundation models
• Hong Kong: SFC issues first warning on unregulated virtual asset trading platform
• UK: UK confirms data bridge with US
• Saudi Arabia: SAMA launches first cyber anti-fraud program
• Hong Kong, Israel: HKMA and Bank of Israel publish joint report on Project Sela
• Europe: Parliament publishes briefing on non-EU countries’ approach to crypto-asset regulation
• US: SEC reviewing Bitcoin exchange traded products
• US: OMB to issue federal agency guidance on artificial intelligence
• US: New York State issues proposed guidance for Coin-listing and Greenlisted Coins

SEBI introduces guidelines to boost cyber security framework for exchanges

The Securities and Exchange Board of India (SEBI) introduced guidelines to strengthen the cyber security and cyber resilience framework for stock exchanges and other market infrastructure institutions (MIIs) such as clearing corporations and depositories.

Important context: SEBI considers MIIs to be systemically important as they provide infrastructure necessary for the smooth and uninterrupted functioning of India’s securities market in areas such as trading, clearing, and settlement. As such, these MIIs are required to have a robust cyber security framework.

What has happened: SEBI has decided to issue guidelines for strengthening the existing cyber security and cyber resilience framework of MIIs given the growing interdependence among MIIs. These updated guidelines include, among other things, the following requirements:

• MIIs shall maintain offline, encrypted backups of data and regularly test these backups
• MIIs shall maintain regularly updated “gold images” of critical systems in the event they need to be rebuilt
• MIIs should understand which data or systems are most critical for providing critical services, as well as any associated interdependencies
• MIIs should engage Dark Web monitoring services to check for any brand abuse

Next steps: MIIs are required to put in place systems for implementation of the guidelines and the provisions come into force with immediate effect.

UK competition regulator publishes report on AI foundation models

The UK Competition and Markets Authority (CMA) published its report on AI Foundation Models (FMs) following its initial review.

What this means: Specifically, the CMA has set out proposed ‘guiding principles’ that aim to ensure consumer protection and healthy competition are at the heart of responsible development and use of FMs. These draft principles are:

1. Accountability – FM developers and deployers are accountable for outputs provided to consumers.
2. Access – Ongoing ready access to key inputs, without unnecessary restrictions.
3. Diversity – Sustained diversity of business models, including both open and closed.
4. Choice – Sufficient choice for businesses so they can decide how to use FMs.
5. Flexibility – Having the flexibility to switch and/or use multiple FMs according to need.
6. Fair dealing – No anti-competitive conduct including anti-competitive self-preferencing, tying or bundling.
7. Transparency – Consumers and businesses are given information about the risks and limitations of FM-generated content so they can make informed choices.

What next: This will kick off a significant programme of engagement with various stakeholders across industry and the public sector, and the CMA plans to publish an update on the principles, and how they have been received and adopted, in early 2024.

Hong Kong SFC issues first warning on unregulated virtual asset trading platform

Hong Kong’s Securities and Futures Commission (SFC) issued a statement warning that an unlicensed virtual asset trading platform (VATP) entity is promoting its products and services to the Hong Kong public through social media influencers as well as over-the-counter virtual asset money changers.

What this means: The SFC has notified the relevant promoters to request they cease promoting the platform and its services. The SFC will take enforcement action against individuals and entities who fail to abide by the VATP regime administered by the SFC.

UK confirms data bridge with US

The UK government established the US and UK data bridge and laid adequacy regulation to give effect to this decision.

What this means: The term ‘data bridge’ is the UK government’s preferred public terminology for ‘adequacy’, and describes the decision to permit the flow of personal data from the UK to another country without the need for further safeguards.

• The UK Government has determined that the UK Extension to the EU-US Data Privacy Framework does not undermine the level of data protection for UK data subjects when their data is transferred to the US
• This decision is based on the determination that the framework maintains high standards of privacy for UK personal data

Next steps: Adequacy Decision enters into force on October 12, 2023 and is subject to review every four years.

Saudi Arabia launches first cyber anti-fraud program

The Saudi Central Bank (SAMA) launched the first edition of the Cyber Anti-Fraud Program (CAFP).

In more detail: The program spans three-months and aims to train and develop a cohort of trainees, drawn from SAMA and local banks, through intensive cyber fraud education and on-the-field training. The CAFP seeks to embed best international standards and practices with regard to cyber fraud training.

Broader context: The announcement of the program comes as Saudi Arabia looks to bolster its financial sector talent and strengthen its cyber fraud prevention and detection capabilities.

HKMA and Bank of Israel publish joint report on Project Sela

The Hong Kong Monetary Authority (HKMA), the Bank of Israel (BOI), and the Bank for International Settlements Innovation Hub (BISIH) published a joint report on ‘Project Sela’ regarding the technical feasibility of a retail central bank digital currency (CBDC).

What this represents: Project Sela is the first collaborative project between the two central banks on the fintech front and aims to demonstrate the technical feasibility of a retail central bank digital currency (CBDC) architecture.

• The initiative aims to promote competition and innovation in digital payments by allowing non-bank payment intermediaries to connect directly to the CBDC ledger of the central bank
• The creation of a proof-of-concept prototype showcases how the technical implementation of the proposed architecture can incorporate strict cybersecurity, legal, and policy requirements
• The project provides practical insights into the cybersecurity, technical and policy aspects of a retail CBDC implementation

Next steps: The project will inform the ongoing consideration of whether to introduce an e-HKD in Hong Kong, and may assist other central banks in their own evaluations of different retail CBDC architectures.

European Parliament publishes briefing on non-EU countries’ approach to crypto-asset regulation

The EU Parliament published a briefing on the regulation of crypto-assets in non-EU countries and the potential implications for the EU.

What you need to know: The briefing provides details on the EU’s approach to crypto-asset regulation and the state of play in other non-EU countries when it comes to passing legislation to regulate crypto-assets.

• This reflects concerns that the lack of global regulatory standards for crypto-assets will prevent the proper fulfillment of the intentions behind the MiCA legislation

Wider context: The EU recently adopted a regulatory framework for markets in crypto-assets (MiCA) that will regulate crypto-asset markets. MiCA focuses on stablecoins, strict transparency and governance rules, and prudential rules.

• MiCA is part of an overarching EU digital finance strategy that also comprises a complementary regulation for a DLT pilot regime for market infrastructure, which establishes a scheme to trade and settle transactions involving financial instruments in crypto-asset form

SEC reviewing multiple filings around Bitcoin exchange traded products

During a senate hearing on oversight of the SEC, Chair Gary Gensler confirmed that the Commission is reviewing “multiple filings around Bitcoin exchange traded products”, while also reviewing the decision handed down in August by the US Court of Appeals Washington DC Circuit on Grayscale’s application for a spot bitcoin exchange-traded fund.

In more detail: The court found that the Commission’s rejection of Grayscale’s application was “arbitrary and capricious” because “the Commission failed to explain its different treatment of similar products” (referencing bitcoin futures ETFs).

Why it matters: The Commission is expected to issue determinations on a number of spot bitcoin ETF applications in October and the court’s rejection of the Commission’s denial of Grayscale’s spot bitcoin ETF raises questions about how the Commission will proceed with the other applications it has received.

OMB to issue federal agency guidance on artificial intelligence

The Office of Management and Budget (OMB), which is responsible for overseeing the implementation of the president’s vision across the executive branch, including developing and executing the federal budget and overseeing agency performance, issued a draft memo on agency requirements for the use and management of artificial intelligence by federal agencies.

In more detail: According to the draft memo, OMB has laid out roughly ten requirements for agencies, ranging from the appointment of a Chief AI Officer, to the issuance of a publicly available AI strategy, to convening an AI governance board which would look to establish boundaries around the use of generative AI.

What is next: Comments from agencies were due back to OMB by September 8th, with a proposal expected to be published for public comment in the Federal Register some time in October. Additionally, President Biden is expected to issue another Executive Order on AI in the next few months.

Why it matters: These efforts underscore how seriously the administration is taking AI and establishing effective policies and procedures around its use.

NYS DFS issued proposed guidance for coin-listing and greenlisted coins

The New York State Department of Financial Services (DFS) issued two proposals to update existing guidance related to virtual currencies. The first would update the procedure for coin listings, and the second updated the agency process for adding coins to the Department’s “greenlist”. DFS first created its virtual currency licensing regime in 2015 (the BitLicense) and has continued to update the framework over time.

In more detail: The proposed guidance regarding coin listings would increase the risk assessment standards for coin-listing policies as well as create tailored enhancement requirements for retail consumer facing products/services as well as create new requirements around coin-delistings. Comments are due to DFS by October 20. Similar to the original agency guidance from 2020, the proposal provides a framework within which virtual currency entities can create and seek agency approval of firm specific self-certification policies for the listing of new coins.

“Greenlisted” coins are coins issued by an entity which has a demonstrated record consistent with “safety and soundness and the protection of customers, including broad marketplace adoption” or the coin is a stablecoin approved by DFS for issuance in New York. The new greenlist guidance provides that entities licensed under 23 NYCRR Part 200 or chartered under New York Banking Law as a limited purpose trust company, no longer require agency approval to list coins included on the greenlist. Entities which decide to list greenlisted coins will be required to provide advance notice to DFS prior to beginning support, and also have a department approved coin-delisting policy.

View the additional regulatory briefs from this month:

• Trading and markets
• Risk, capital and financial stability
• Green finance

Sign up to receive these updates in your inbox first.

How we can help

Bloomberg’s Public Policy and Regulatory team brings you insight and analysis on policy developments to help navigate the complex and fast changing global regulatory landscape. To discuss regulatory solutions, please get in touch with our specialists or read more insights from our Regulatory team.