Global Regulatory Brief: Digital finance, November edition

The Global Regulatory Brief provides monthly insights on the latest risk and regulatory developments. This brief was written by Bloomberg’s Regulatory Affairs Specialists.

Digital finance regulatory developments

The growing role of technological innovation in financial services continues to attract the attention of regulators and policy-setters as they embark on a range of initiatives to manage risks and set appropriate standards. From Australia to the EU, the following global developments in digital finance over the past month stand-out:

• Australia: Treasury consults on proposals to regulate digital asset platforms
• APAC: BIS and APAC central banks launch cross-border transactions initiative
• Dubai: DFSA release report on cyber threat intelligence
• UK: FPC executive outlines operational resilience and cyber risk regulatory agenda
• Australia: ASIC outlines cyber risks
• US-Singapore: Initiative to make both countries’ AI governance frameworks interoperable
• EU: ESMA underlines need for coordinated approach to EU crypto regime
• US: SEC opts not to appeal decision in Grayscale spot bitcoin ETF case
• US: California establishes regulatory framework for crypto assets

Australian Government consults on proposals to regulate digital asset platforms

The Australian Government published proposals to introduce a regulatory framework for digital asset platforms. 

In summary: With approximately a quarter of Australians owning some crypto, the proposed regulatory framework applies to digital asset platforms that present similar risks to entities that operate in the traditional financial system. Specifically, the proposals aim to reduce the risk of platform collapse by lifting the standards of operation and increasing oversight. 

• Licensing regime: Individual digital asset platforms that meet a certain business thresholds will be required to obtain an Australian Financial Services Licence and need to meet all general license obligations
• Specific obligations: All digital asset platforms will need to meet specific obligations that take into account the nature of the digital asset ecosystem, such as standard form contracts, minimum standards for holding tokens, custody software standards, and standards when transacting in tokens 

Additional obligations: The draft proposals would also apply additional obligations to four specific activities involving non-financial products offered by digital asset platforms.

• Trading: The exchange of digital asset platform entitlements between account holders
• Staking: The participation in validating transactions on a public network
• Tokenization: The creation and exchange of entitlements backed by tangible and intangible assets
• Fundraising: The sale of entitlements to fund the development of products and services

Next steps: The consultation closes on December 1, 2023 and there will be further consultation in 2024. There will be a 12-month transitional period following the publication of final legislation and before the new regime takes effect. 

BIS and APAC central banks launch cross-border transactions initiative

The Bank for International Settlements (BIS) and the central banks of Australia, Korea, Malaysia, and Singapore started a new initiative – Project Mandala – to address the regulatory framework for cross border transactions. 

In more detail: The project aims to ease the policy and regulatory compliance burden through the automation of compliance procedures, provide real-time transaction monitoring, and increase transparency around country-specific policies.

• The envisioned compliance-by-design architecture could potentially enable a more efficient cross-border transfer of any digital assets including CBDCs and tokenized deposits
• It could also serve as the foundational compliance layer for wholesale or retail payment systems

Wider context: It also aligns with the Financial Stability Board’s priority actions to achieving the G20 targets for enhancing cross-border payments.

Closely related: The project was inspired by Project Dunbar that developed an experimental multiple central bank digital currency (CBDC) platform. 

Dubai regulator releases report on cyber threat intelligence

The Dubai Financial Services Authority (DFSA) announced that its Threat Intelligence Platform (TIP) has achieved a significant milestone, with over six million compromise indicators issued to users since its inception in 2020, and additionally released its first report. 

Background context: As the first regulator-led cyber threat intelligence platform in the Middle East region, the TIP is designed to safeguard and enhance the cybersecurity landscape within the Dubai International Financial Centre (DIFC).

In summary: To mark the platform’s third anniversary the DFSA released its first report on its TIP in an effort to foster the exchange of structured cyber threat information within the DIFC community and further strengthen the cybersecurity framework.

UK FPC executive outlines operational resilience and cyber risk regulatory agenda

External member of the Financial Policy Committee (FPC), Elisabeth Stheeman, delivered a speech on the threat of cyber attacks and the broader importance of operational resilience. 

Wider context: Stheeman stressed that the FPC is focused on risks that could lead to systemic operational disruption in addition to more traditional financial risks. 

• She defined operational risk as the type of risk that affects systems and processes, and good operational risk management as being the ability for companies to detect and prevent risks that could lead to operational disruption
• As financial firms have become more digital and interconnected at an operational level, the associated risks have become greater threats to the wider financial system

Cyber in focus: The risk of a cyber-attack is the most cited risk in the latest Systemic Risk Survey for H2 2023, with 80% of firms mentioning it.

• A cyber-attack could impact financial stability indirectly if there is financial contagion through liquidity stress, financial losses, and significant price moves that could disrupt market functioning
• The Bank of England and Prudential Regulation Authority already use a range of tools to assess the cyber resilience of individual firms’ important business services 
• The FPC stresses that clear baseline expectations and regular testing constitute major elements of the regulatory framework to strengthen the cyber resilience of UK financial services 

Operational resilience in focus: Stheeman observed that financial firms are making greater use of third parties; this has the potential to make firms more resilient to operational risks than using only on-site IT infrastructure. 

• UK regulators will soon publish a consultation paper with draft rules and guidance for critical third parties

Wider context: Alongside this work on critical third parties and cyber stress testing, the FPC continues to identify and monitor the channels through which operational risks could affect financial stability such as AI and the use of blockchain.

Australia securities regulator chair outlines cyber risk agenda

The Australian Securities and Investment Commission (ASIC) Chair, Joe Longo, addressed the rising threat of cybercrime and the reliance on third-party service providers in a speech. 

In summary: Longo underlined the impossibility of having impregnable systems and therefore the importance of having thorough and comprehensive risk management to deal with significant cyber security incidents. In other words, ASIC considers every system to be vulnerable and should make preparations accordingly. 

Reliance on third-party providers: Longo outlines how the failure for firms to manage third-party and supply chain risk presents a serious weakness to the wider financial system. 

• ASIC finds that there is often a disconnect between board oversight, reporting, identification, implementation of controls, and risk assessments   
• ASIC expects boards to consider cyber security as a top priority and to develop robust response and recovery plans and ensure that incident response testing is embedded  

Looking ahead: ASIC will publish results later this year from the cyber pulse survey to measure cyber resilience in Australia’s corporate and financial markets. 

US and Singapore make their AI governance frameworks interoperable

Singapore and the US have made their artificial intelligence (AI) governance frameworks interoperable, representing the first such successful country-to-country mapping by both countries. 

Wider context: The interoperability of the AI governance frameworks was announced at the inaugural US-Singapore Dialogue on Critical and Emerging Technologies (CET Dialogue). 

• Both countries welcomed the announcement as a step forward in international alignment for the promotion of trustworthy and responsible AI innovation 

Closely related: The Singapore and US Governments announced two additional AI initiatives during the CET Dialogue.

• Establishment of a bilateral AI Governance Group to advance shared principles and deepen information exchanges for safe, trustworthy, and responsible AI innovation
• Deepening research and technical collaborations in AI with a focus on AI safety and security including testing, validation, and certification, as well as to develop their respective workforces

ESMA underlines need for coordinated approach to the MiCA regime

The European Securities and Markets Authority (ESMA) issued a letter on the need for coordinated action across Member States to ensure a smooth and effective application of the Markets in Crypto Assets Regulation (MiCA).

In more detail: The letter is addressed to the President of the Economic and Financial Affairs Council (ECOFIN), Nadia Calviño, and states that while MiCA is a step forward it will not provide the same level of investor protection that exists for traditional financial investment products.  

• The letter underscores that ‘forum-shopping’ – wherein crypto-asset market participants benefit from divergences in the implementation and enforcement of the MiCA rulebook – could reduce the effectiveness of the new regime
• To ensure a level playing field, ESMA and the national European regulators are progressing the delivery of technical standards to supplement the primary legislation 

Two key areas: ESMA considers that coordinated action from EU member states is required in two key areas:

• NCAs need to establish as early as possible their supervisory procedures related to the authorization regimes set out in the MiCA Regulation, including simplified authorization procedures for entities already permitted to provide crypto-asset services under national law
• Due to concern that there may be extensive use of the grand-fathering clause for entities already providing crypto-asset services, ESMA invites member states to consider as soon as possible reducing the duration of the grandfathering clause to a maximum of twelve months

Closely related: ESMA also issued a statement clarifying the timeline for MiCA and encouraging market participants to begin preparing for the MiCA regime. 

• MiCA rules on the provision of crypto-asset services will not enter into application until December 2024
• Due to the grand-fathering clause, holders of crypto-assets and clients of crypto-asset service providers may not benefit from full rights and protections afforded to them under MiCA until as late as July 1, 2026 
• ESMA encourages market participants to make adequate preparations that will reduce the risk of disruptive business model adjustments 

US SEC opts not to appeal decision in Grayscale spot bitcoin ETF case

The Securities and Exchange Commission (SEC) decided to not appeal a July ruling which characterized the Commission’s dismissal of Grayscale’s application for a spot bitcoin exchange traded fund (ETF) as “arbitrary and capricious”. 

Main takeaways: The commission, to date, has denied all spot bitcoin ETF on the premise that the applicants have not been able to sufficiently demonstrate that they are able to protect investors from market manipulation. 

• Following the commission’s decision to not appeal, Grayscale filed a new registration statement where it stated its intent to list shares of its Grayscale Bitcoin Trust on the NYSE 
• As of this writing, a final order by the DC Circuit Court of Appeals on how the commission must treat Grayscale’s application is pending 
• The order could open up a dialogue between the regulator and Grayscale which may help pave the way for approval

California establishes regulatory framework for crypto assets

California Gov. Gavin Newsom (D) signed into law new measures to regulate California’s crypto asset industry. 

Wider context: California is home to nearly a quarter of the blockchain companies in North America, and following the collapse of FTX in 2022 lawmakers wanted to draw up new rules to regulate the space in the absence of federal action. 

Main takeaways: Newsom included language in his signing statement indicating that the measure may have to be revised. 

• The crypto licensing bill (AB 39) was packaged with another bill (SB 401) which would crack down on crypto kiosks, a bill which Newsom also signed into law 
• The licensing bill sought to replicate New York’s system and included various safety, documentation, and fee requirements for a cryptocurrency business to obtain a California license
• The kiosk bill places restrictions on the machines, capping transaction values and limiting any charges to a maximum $5 or 15% of the transaction 

Response: While consumer advocates hailed the bills as important for fighting fraud, industry groups pushed back on both bills. 

View the additional regulatory briefs from this month:

• Trading and markets
• Risk, capital and financial stability
• Green finance

Sign up to receive these updates in your inbox first.

How we can help

Bloomberg’s Public Policy and Regulatory team brings you insight and analysis on policy developments to help navigate the complex and fast changing global regulatory landscape. To discuss regulatory solutions, please get in touch with our specialists or read more insights from our Regulatory team.