FinTech Global FS Regulatory Round-up - w/e 18 April 2025

ICYMI

• The Pitfalls of AI in Legal Research: A South African Perspective
• Cross Examining Cyber EP16: Cross Examining Mark Rigotti

Global

FSB: FIRE Final Report

The Financial Stability Board (FSB) has published the finalised Format for Incident Reporting Exchange (FIRE) report. This is a global common framework, developed alongside the private sector and designed for financial firms to use to report cyber and operational incidents in a standardised and streamlined manner. It is intended to promote consistency, to address the challenges of reporting to multiple authorities, and to enhance communication within and across jurisdictions. Particularly, the FSB highlights that FIRE can offer support to jurisdictions that lack a standardised reporting framework, as well as jurisdictions with existing frameworks. The FSB also reports that, given FIRE's wide applicability, it can potentially be used by third-party service providers and organisations beyond the financial sector.

Commenting on the final report, Chair of the FSB Klaas Knot highlighted the benefits of international regulatory cooperation for stakeholders and the value of public-private partnerships to tackle industry challenges. [15 Apr 2025]  #Cyber

BIS paper: Cryptocurrencies and DeFi – functions and financial stability implications

The Bank for International Settlements (BIS) has published a paper on new financial stability risks introduced by the distinctive features of cryptocurrencies and decentralised finance (DeFi). It covers blockchains, cryptoassets and DeFi applications, as well as other parallel developments such as stablecoins and new forms of central bank money.

The findings suggest that while the underlying economic drivers are not different than in traditional finance (TradFi), DeFi poses significant challenges, including new forms of information asymmetries, market inefficiencies and the risk of cryptoisation in emerging markets. The BIS proposes tailored regulatory interventions, such as embedding rules within smart contracts and strengthening the oversight of stablecoins, to manage financial stability risks. It also provides a framework for prudential regulation that can mitigate risks while fostering innovation. [15 Apr 2025]  #Crypto #DeFi

UK

FCA enforcement lead address NYU conference audience on enforcement priorities 

The FCA has published the speech delivered by Therese Chambers, joint executive director of enforcement and market oversight, at the Spring Conference of New York University's Program on Corporate Governance and Enforcement.

With regard to areas of focus for FCA enforcement, Ms Chambers stated that these include:

• 'keeping dirty money out of the financial ecosystem;
• ensuring that regulated firms are not used as vehicles for fraud;
• keeping […] markets clean; [and]
• developing a safe crypto regime that protects consumers'. [16 Apr 2025]  #Crypto

Regulatory Initiatives Grid – April 2025

The FCA has published the 8th edition of the Regulatory Initiatives Grid which sets out the planned regulatory initiatives for the next 24 months. The Grid is prepared by the Financial Services Regulatory Initiatives Forum, which is co-chaired by the FCA and the PRA/Bank of England (BoE) and is made up of representatives from the Payment Systems Regulator (PSR), the Competition and Markets Authority (CMA), the Financial Reporting Council (FRC), the Information Commissioner's Office (ICO), The Pensions Regulator (TPR) and HM Treasury (HMT).

The Grid is organised by sections, often determined by sector. The ‘Multi-sector’ section covers initiatives that span more than one sector. 'Payments and cryptoassets' is one such sector; it lists initiatives including the digital pound, open banking/smart data, and the stablecoin regime. 

Furthermore, the Grid includes additional information where changes to work programmes could have a significant impact on firms’ planning. Interactive dashboards allowing users to filter initiatives have also been published. [14 Apr 2025]  #Payments #Crypto #CBDC #DigitalPound

Europe

ESAs: Annual report 2024

The Joint Committee of the European Supervisory Authorities (EBA, EIOPA and ESMA – ESAs) has published its annual report for 2024, which provides an overview of the joint ESAs work completed during the year. The main areas of cross-sectoral focus in 2024 were joint risk assessments, sustainable finance, operational risk and digital resilience, consumer protection, financial innovation, securitisation, financial conglomerates and the European Single Access Point (ESAP). [16 Apr 2025]  #DORA #OpRes

Hong Kong

HKMA shares learnings from global and isolated local DDoS attacks and provides guidance on strengthening protection measures

The HKMA has issued a circular to provide further guidance on how authorised institutions (AIs) can enhance their defence against the growing threat of distributed denial-of-service (DDoS) attacks.  This follows its earlier circular (issued on 25 November 2022) which provided guidance on anti-DDoS protection (see our previous update).

While the number of DDoS-related cases reported by AIs have remained manageable, there have been isolated instances where a DDoS incident has resulted in service impacts and disruptions for customers.  The HKMA therefore considers it beneficial to share the key learnings from these incidents more widely for the industry’s reference.

AIs should critically review the learnings and take action (where relevant) to further enhance their risk management capabilities.  They are also highly encouraged to help strengthen the collective cyber resilience of the Hong Kong banking sector by actively monitoring the risk landscape and exchanging the latest threat intelligence through the Cyber Intelligence Sharing Platform (enhancements were made to the platform in December 2024 – see our previous update).  [16 Apr 2025]  #Cyber

HKMA issues circular to introduce three enhancements to e-banking security measures to tackle digital fraud

The HKMA has issued a circular to introduce three enhancements to e-banking security measures, designed in consultation with the Hong Kong Police Force and the Hong Kong Association of Banks.

The HKMA notes that although recent measures (such as the expansion of the Suspicious Account Alert mechanism in December 2024, see our previous update) have been effective, the modus operandi of fraudsters continue to evolve rapidly.  In particular, there are early signs of use of advanced technologies (such as artificial intelligence and deepfake) by bad actors to enhance the sophistication of their deception techniques.

The three enhancements require authorised institutions (AIs) to embrace 'e-banking security ABC', i.e. provide convenient means for customers to:

• 'Authenticate in-App' – Facilitate customers to adopt bound devices by default (instead of SMS one-time passwords), for authenticating specified internet banking activities, including logins to internet banking and high risk transactions (such as fund transfers to unregistered third parties) – to be implemented by the fourth quarter of 2025;

• 'Bye to unused functions' – Empower customers to make own choice of deactivating higher risk functions in internet banking, using a phased approach as appropriate, and starting with two functions, namely online increase of transfer limits and online registration of third-party payees – to be implemented by the third quarter of 2025; and

• 'Cancel suspicious payments' – Further enhance the effectiveness of alerts displayed under the Suspicious Account Alert Mechanism, including by adjusting their duration and content – to be implemented by the second quarter of 2025.

The HKMA will strengthen consumer education around 'e-banking security ABC' and plans to issue guidance to elevate the ecosystem’s readiness to combat the deepfake-enabled modus operandi.  [14 Apr 2025]  #AI #Deepfake

HKMA considers applicability to SVF licensees of guidance on measures to combat authorised payment scams previously issued to AIs

The HKMA has issued a circular to stored value facility (SVF) licensees regarding the earlier circular issued to authorised institutions (AIs) on 20 December 2024 on measures for preventing, detecting and disrupting authorised payment scams (see our previous update).

Since issuing the December 2024 circular to AIs, the HKMA has been in discussion with some SVF licensees regarding the applicability (subject to the business model) of some of the measures contained in the circular to SVF licensees.

SVF licensees should take note of the importance of strengthening customer protection against authorised payment scams and use the measures set out in the December 2024 circular to critically review business models to identify applicability, identify any vulnerabilities to such scams, and where these exist, take corresponding system enhancements.  There is also an ongoing need to take these measures into account in new product development.

The HKMA will review the actions taken in response to the present circular as part of its ongoing supervision.  [11 Apr 2025]  #APPFraud #Payments

Thailand

BoT to set out responsibilities of financial institutions and PSPs

The Bank of Thailand (BoT) has announced that it is in the process of preparing a notice to define the duties and responsibilities of financial institutions and payment service providers (PSPs), following the publication of the Decree on Measures to Prevent and Suppress Technological Crime in the Government Gazette. A key aspect of this legislation is the establishment of a mechanism for relevant service providers such as financial institutions, PSPs, telecommunications service providers (telcos), social media service providers (social platforms), and digital asset business operators. The BoT expects to set out the duties and responsibilities by the end of April 2025.  [13 Apr 2025]  #Payments #Crypto

SECT ready to elevate restrictions on illegal digital asset platforms

The Securities and Exchange Commission Thailand (SECT) has announced that is ready to coordinate with relevant agencies to elevate restrictions on foreign digital asset platforms engaging in solicitation or advertising services to investors in Thailand. The announcement follows the coming into force of new laws that allow the blocking process to be carried out more quickly. SECT encourages investors to use services from licensed digital asset business operators in Thailand to ensure protection under the Digital Asset Business Law.  [13 Apr 2025]  #Crypto