Global Regulatory Brief: Digital finance, June edition
The Global Regulatory Brief provides monthly insights on the latest risk and regulatory developments. This brief was written by Bloomberg’s Regulatory Affairs Specialists.
Digital finance regulatory developments
As technology continues to reshape financial services, regulators and policy setters are embarking on a range of digital-finance initiatives to manage risks and set appropriate standards. From the impact of AI on retail investment provision in the EU to growing policy attention on AI among U.S. legislators, the following developments in digital finance over the past month stand out:
- US: Senator Schumer rolls out bipartisan AI roadmap
- UK: Government issues call for evidence on cyber security of AI
- EU: ESMA issues statement on use of AI in the provision of retail investment services
- EU: EIOPA reports on digitalization in European insurance sector
- US: SEC charges exchange with failing to inform the Commission of a cyber intrusion
- US: House passes bipartisan framework to regulate cryptocurrencies
Sen. Schumer rolls out bipartisan AI roadmap
Senate Majority Leader Chuck Schumer (D-NY), Sen. Mike Rounds (R-ND), Martin Heinrich (D-NM) and Todd Young (R-IN) unveiled a policy roadmap aimed at prompting legislative action that both promotes AI development and curbs its potential harms.
In summary: The roadmap represents a series of policy recommendations rather than a formal regulatory framework, specifically:
- Senate committees to continue to work together on AI legislation and agree on “shared clear definitions for all key terms”
- Address gaps in AI-related funding between current levels and those recommended by the National Security Commission on Artificial Intelligence (NSCAI)
- Development of legislation to utilize public-private partnerships to “support AI advancements and minimize potential risks”
- Committees to work with relevant agencies to support small businesses and their AI needs
- Development of legislation to retrain, upskill and train the private sector workforce to “successfully participate in an AI-enabled economy”
- Committees to consider legislation or take action to protect children from potential AI-powered harms, explore ways to deter the use of AI to commit fraud, address online child sexual abuse material, and support the deployment of AI in healthcare with appropriate guardrails.
Looking ahead: The roadmap reflects the growing focus on AI from Committees in both the House and Senate, in the form of hearings and proposed legislation. Regulatory agencies will likely continue to issue requests for information and may propose new rules specifically for AI.
UK Government issues call for evidence on cyber security of AI
The UK Department for Science, Innovation, and Technology (DSIT) has issued a call for evidence on i) the cyber security of AI and ii) a code of practice for software vendors.
Call for views on the cyber security of AI: The Government is proposing a two-part intervention: a voluntary Code of Practice that sets baseline security requirements for stakeholders in the AI supply chain, which will then be taken to a global standards development organization for further development.
- DSIT wants to enable AI developers to distinguish themselves from their competitors by highlighting their commitment to security; the goal is a market ecosystem in which AI supply chain stakeholders use security as a competitive advantage
- The rationale is that the Code and the resulting technical standard will enable cyber security companies and certification firms to help companies test and assure their products and services
Draft principles: DSIT asks for views on, among other things, the inclusion of the following draft principles:
- Principle 1: Raise staff awareness of threats and risks
- Principle 2: Design your system for security as well as functionality and performance
- Principle 3: Model the threats to your system
- Principle 4: Ensure decisions on user interactions are informed by AI-specific risks
- Principle 5: Identify, track and protect your assets
- Principle 6: Secure your infrastructure
- Principle 7: Secure your supply chain
- Principle 8: Document your data, models and prompts
- Principle 9: Conduct appropriate testing and evaluation
- Principle 10: Communication and processes associated with end-users
- Principle 11: Maintain regular security updates for AI models and systems
- Principle 12: Monitor your system’s behavior
Call for views on the Code of Practice for Software Vendors: The Government is also proposing a voluntary Code of Practice for Software Vendors that sets out the fundamental security and resilience measures that should be expected of all organizations which develop or sell software used by businesses and other organizations.
The draft Code includes guidance on how software should be developed, built, deployed and maintained, and how vendors can communicate effectively with customers that procure their software.
Draft principles: The Code of Practice is made up of 21 provisions over four principles:
- Principle 1: Secure design and development to ensure that the product or service is appropriately secure when provided
- Principle 2: Build environment security to ensure that the appropriate steps are taken to minimize the risk of build environments becoming compromised and protect the integrity and quality of the software
- Principle 3: Secure deployment and maintenance to ensure that the product or service remains secure throughout its lifetime, to minimize the likelihood and impact of vulnerabilities
- Principle 4: Communication with customers to ensure that vendor organizations provide sufficient information to customers to enable effective risk and incident management
Relevant context: These interventions come as part of the UK’s National Cyber Strategy and the wider Government work to establish an appropriate framework for AI.
Looking ahead: The window for responses is open until July 10, 2024 and feedback will be used to inform UK government policy and next steps.
ESMA issues statement on the use of AI in the provision of retail investment services
The European Securities and Markets Authority (ESMA) published a statement on the use of Artificial Intelligence (AI) in the provision of retail investment services.
Important context: ESMA considers the adoption of AI to still be in an initial phase but that the potential impact on firms’ behaviors and retail investor protection is likely to be significant.
- ESMA states that firms’ decisions remain the responsibility of management bodies, irrespective of whether those decisions are taken by people or AI-based tools
- ESMA is looking to provide initial guidance to investment firms utilizing AI, in light of their key obligations under MiFID II and to emphasize the imperative to always prioritize clients’ best interests
Key risks: ESMA lists four key risks associated with AI:
- Lack of accountability and oversight (over-reliance)
- Lack of transparency and explainability
- Security, data privacy
- Robustness, reliability of output, quality of training data, algorithmic bias
MiFID II requirements: The ESMA statement aims to provide firms utilizing AI technologies with guidance to ensure compliance with key MiFID II requirements, particularly those pertaining to organizational requirements, conduct of business requirements, record keeping and the general obligation to act in the best interest of the client.
SEC charges exchange with failing to inform the Commission of a cyber intrusion
The Securities and Exchange Commission (SEC) announced a $10 million settlement of charges against the parent company of a U.S.-based exchange for causing the failure of nine wholly-owned subsidiaries to timely inform the SEC of a cyber intrusion as required by Regulation Systems Compliance and Integrity (Regulation SCI).
Important context: According to the Commission’s order, in April 2021, a third party informed the parent company that it was potentially impacted by a system intrusion involving a previously unknown vulnerability in the company’s virtual private network (VPN).
- The company investigated and was able to determine that a threat actor had inserted malicious code into a VPN device used to remotely access its corporate network
- However, the order found that company personnel did not notify legal and compliance officials at its subsidiaries of the intrusion for several days in violation of its own internal cyber incident reporting procedures
Bottom line: The SEC alleges that this delay led the subsidiaries to fail to properly assess the intrusion and to fulfill their independent regulatory disclosure obligations under Regulation SCI.
- This required them to immediately contact SEC staff about the intrusion and provide an update within 24 hours unless they immediately concluded or reasonably estimated that the intrusion had or would have no or a de minimis impact on their operations or on market participants
House passes bipartisan framework to regulate cryptocurrencies
The U.S. House of Representatives passed H.R. 4763, the “Financial Innovation and Technology for the 21st Century Act”. The bill passed on a bipartisan basis, 279-136, with 71 Democrats voting along with nearly all Republicans to support the measure. The bill lays out the respective regulatory jurisdictions of the SEC and the CFTC over digital assets.
What would the bill do?
The legislation gives the CFTC jurisdiction over digital commodities, while the SEC would have jurisdiction over “digital assets offered as part of an investment contract”. The bill also creates a process for permitting secondary market trading of digital commodities that were initially offered as part of an investment contract.
Disclosure and Consumer Protection
Under the legislation, developers of digital assets would be required to provide disclosures related to a project’s operation, ownership, and structure. Further, institutions which serve customers directly, including brokers, dealers and exchanges, would be required to:
- Provide “appropriate disclosures to customers”
- Segregate customer funds from firm funds
- Seek to reduce conflicts of interest “through registration, disclosure and operational requirements”
What is next?
The prospects for the bill in the Senate are far from certain with many predicting the bill is unlikely to move through the upper chamber.
- The bill was sharply criticized by SEC Chairman Gary Gensler, as well as by the White House. Gensler argued that the bill “would create new regulatory gaps and undermine decades of precedent regarding the oversight of investment contracts”, while the White House issued a Statement of Administration Policy (SAP) opposing passage of the bill, saying that “in its current form (H.R. 4763) lacks sufficient protections for consumers and investors who engage in certain digital asset transactions.”
- The White House also said that the Administration is eager to “work with Congress to ensure a comprehensive and balanced regulatory framework for digital assets, building on existing authorities…”
EIOPA reports on digitalization in European insurance sector
The European Insurance and Occupational Pensions Authority (EIOPA) published a report analyzing the level of digital transformation in Europe’s insurance sector.
Context: The report is based on responses to EIOPA’s 2023 digitalisation market monitoring survey, and insights from a dedicated Eurobarometer poll.
Key findings: The level of digitalization varies from insurer to insurer and is largely still in its early stages. Nonetheless, EIOPA identifies the following themes:
- The use of, and consumer preference for, digital-only distribution channels are still well below those for physical or hybrid channels, particularly in the life insurance sector
- Communication by phone, email or in person is currently the most popular method, but the use of chatbots is expected to rise significantly, particularly in light of the emergence of generative AI
- Most insurers are active on social media and use it to interact with, educate and advertise to consumers
- Most insurers have active commercial relationships with big tech firms, with nearly 80% using them for cloud storage services
- Almost a quarter of life insurance respondents and half of non-life insurance respondents already use AI. Most current solutions have been developed in-house for simpler tasks with more explainable algorithms that retain human oversight, but the expectation is that the use of AI will increase considerably in the coming years
- Other technologies, such as the internet of things, blockchain and parametric insurance, are currently only used by a small number of insurers
- There has been a growth in the cyber insurance market since 2021, despite most products excluding certain risks
- Insurers see acquiring adequate talent and skills as central to implementing successful digital solutions
Looking ahead: The findings of the report will support EIOPA in evaluating the risks and benefits of digitalization for the market and customers, assessing and designing regulatory measures, and improving supervisory convergence and oversight.