Follow us

In this regular update, we round-up FinTech-related regulatory developments for the week ending 1 April 2021.



BCBS: Publication on principles for operational resilience

The BCBS has published its Principles for operational resilience, which aim to:

  • strengthen the operational resilience of the financial sector;
  • promote a principles-based approach to improving operational resilience; and
  • foster international engagement and promote greater cross-sectoral collaboration.

The BCBS has also issued revisions to its Principles for the sound management of operational risk (PSMOR) reflecting the natural relationship between operational resilience and operational risk. The revisions aim to:

  • align the PSMOR with the recently finalised Basel III operational risk framework;
  • update the guidance where needed in the areas of change management and ICT; and
  • improve the overall clarity of the principles document. [1 Apr 2021]



FCA: Speech on AML controls at AML & ABC Forum 2021

The FCA has published a speech by Mark Steward, Executive Director of Enforcement and Market Oversight, delivered at the AML & ABC Forum 2021. Mr Steward reviewed recent significant intervention and discussed the importance of maintaining robust anti-money laundering (AML) systems and controls.

The final third of Mr Steward's speech was devoted to emerging risks. He explained that the FCA had increased surveillance of online investment promotions targeting offers from unauthorised issuers and that the regulator had developed an Unregistered Cryptocurrency Business List to help consumers and FCA authorised firms identify cryptocurrency firms that appear to be carrying on business in the UK, but are not registered with the FCA. [1 Apr 2021]




LSB call for input on CRM code for APP scams

The Lending Standards Board (LSB) has published call for input on the contingent reimbursement model (CRM) code for authorised push payment (APP) scams. This follows its full review of CRM for APP scams published in January 2021, and seeks to explore findings from this review in more detail, including that:

  • the scope of the code should more fully reflect the evolving nature and complexity of APP scams;
  • the code should recognise the wider range of participants within the payments industry; and
  • the code should more fully reflect the roles and responsibilities of receiving firms in the customer payment journey.

Feedback is requested by 26 May 2021. [31 Mar 2021]

FCA: Policy Statement on building operational resilience

The FCA has published a Policy Statement (PS 21/3) providing feedback to CP 19/32 and setting out its final rules and guidance on new requirements to strengthen operational resilience in the financial services sector. By 31 March 2022, firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption and carried out mapping and testing to a level of sophistication necessary to do so. Firms will also have to identify any vulnerabilities in their operational resilience. Firms are expected to remain within their impact tolerances as soon as reasonably practicable, and by no later than 31 March 2025 when the transitional period ends. [29 Mar 2021]

PRA: Policy Statement on operational resilience

The PRA has published a Policy Statement (PS 6/21) on operational resilience: impact tolerances for important business services. PS 6/21 provides feedback to responses to CP 29/19 and sets out the PRA's final policy on:

  • new Operational Resilience Parts of the PRA Rulebook; and
  • amendments to the group supervision part of the PRA Rulebook.

In addition, a new Supervisory Statement (SS 1/21) 'Operational resilience: impact tolerances for important business services' and a new Statement of Policy (SoP) 'Operational resilience' are annexed to PS 6/21.

Under the new rules, firms will be expected to:

  • identify their important business services by considering how disruption to the business services they provide can have an impact beyond their own commercial interests;
  • set a tolerance for disruption for each important business service; and
  • ensure they can continue to deliver their important business services and are able to remain within their impact tolerances during severe (or, in the case of financial market infrastructures (FMIs), extreme) but plausible scenarios.

The new Operational Resilience Parts of the PRA Rulebook and SS 1/21 will be effective from 31 March 2022. Firms are expected to be able to remain within their impact tolerances within a reasonable time, and by no later than 31 March 2025.

The SoP clarifies how the PRA’s operational resilience policy affects its approach to four key areas of the regulatory framework in particular: governance; operational risk management; business continuity planning; and the management of outsourced relationships. [29 Mar 2021]

BoE policy on operational resilience of FMIs

The BoE has published the following policy and supervisory statements designed to improve the operational resilience of financial market infrastructures (FMIs) and protect the wider financial sector and UK economy from the impact of operational disruptions:

The requirements and expectations embed the approach set out in the consultation papers published in December 2019. The policies take effect from 31 March 2022. FMIs are expected to be able to remain within their impact tolerances within a reasonable time, and by no later than 31 March 2025. [29 Mar 2021]




PRA: Statements on outsourcing and third party risk management

The PRA has published a Policy Statement (PS 7/21) and a Supervisory Statement (SS 2/21) on outsourcing and third party risk management. PS 7/21 provides feedback to CP 30/19 and sets out final policy on:

  • the definition of outsourcing in the PRA Rulebook;
  • how the principle of proportionality applies to the expectations in SS 2/21;
  • the PRA’s expectations on governance, including under the Senior Managers and Certification Regime (SM&CR) and record keeping;
  • the PRA’s expectations for firms during the pre-outsourcing phase; and
  • the areas that the PRA expects written agreements relating to material outsourcing to address as a minimum.

SS 2/21 sets out how PRA-regulated firms should comply with regulatory requirements and expectations relating to outsourcing and third party risk management in light of PS 7/21.

Firms will be expected to comply with the expectations in SS 2/21 by 31 March 2022. Outsourcing arrangements entered into on or after 31 March 2021 should meet the expectations in the SS by 31 March 2022. Firms should seek to review and update legacy outsourcing agreements entered into before 31 March 2021 at the first appropriate contractual renewal or revision point to meet the expectations in the SS as soon as possible on or after 31 March 2022. The PRA has said that it considers that it is no longer proportionate for firms to make every effort to comply with the indicative timeline and process for reviewing their material legacy outsourcing arrangements as set out in paragraphs 15 and 16 of the European Banking Authority Outsourcing Guidelines. [29 Mar 2021]





EU Commission consultation on instant payments

The EU Commission has launched public consultation on instant payments. The consultation seeks to:

  • identify remaining obstacles, as well as possible enabling actions the EU Commission could take to ensure a wide availability and use of instant payments in the EU;
  • enable the EU Commission to decide on whether EU coordinated action and/or policy measures are warranted in order to ensure that a critical mass of EU payment service providers (PSPs) offer instant credit transfers; and
  • identify factors that would be relevant for stimulating customer demand towards instant credit transfers.

Feedback is requested by 23 June 2021. [31 Mar 2021]




APRA Chair Wayne Byres’ speech to the 2021 AFR Banking Summit

At the Australian Financial Review Banking Summit 2021, Mr Wayne Byres (Chair of the Australian Prudential Regulatory Authority) spoke on the topic ‘Banking on an unpredictable future’. He focused on the banking sector’s resilience amidst Covid-19 and six pillars supporting that. These six pillars are: capital, credit, cash, continuity, contingency and competition. In relation to continuity, Mr Byres emphasised the need for operational resilience, and that APRA is conducting a comprehensive review of its prudential requirements in this area. The review will consider the introduction of a new prudential standard specifically focused on operational risk management, revise the existing prudential standard on Business Continuity Management (CPS 232), and other changes. [30 Mar 2021]

ACCC affirms it will ‘closely scrutinise’ acquisitions by major banks

The ACCC announced it will continue to closely scrutinise proposed acquisitions of emerging competitors by major banks.

This accompanies an announcement the ACCC will not oppose a major bank’s proposal to acquire a wholly digital bank. The digital bank has no physical branches and offers services entirely through its smartphone app.

The ACCC consulted with groups including banks, non-bank lenders, fintech, mortgage brokers, industry and consumer bodies. The interested parties consulted raised minimal concern with the transaction.

The ACCC stated this scrutiny is necessary given the “increasingly critical role” of innovative fintechs in the financial services market, particularly in challenging established banks. [30 Mar 2021]



Hong Kong

Arrest warrant issued for individual prosecuted by SFC for obstruction of search operation for suspected social media ramp-and-dump scam

The SFC has announced that an arrest warrant has been issued for Ms Zeng Lingxi who previously pleaded not guilty to two charges of obstructing SFC employees in the execution of a search warrant in May 2020 (see our previous update).

Ms Zeng was previously granted a cash bail of HK$100,000 in November 2020 and was required to notify the SFC in advance of any travel out of Hong Kong or changes in her contact information.  The Eastern Magistrates' Court issued the arrest warrant after being informed that Ms Zeng had not been in Hong Kong since 15 November 2020, and ordered the forfeiture of her cash bail.

Ms Zeng is an alleged member of a syndicate suspected of operating social media ramp-and-dump scams involving the manipulation of shares of a Hong Kong-listed company.  Fraudsters involved in such scams use different means to ramp up the share price of a listed company and then induce investors via social media platforms to purchase the shares they dump at an artificially high price.  The SFC has indicated that cracking down on ramp-and-dump scams is one of its top enforcement priorities this year (see our previous update).  [1 Apr 2021]




Joint Statement from the 7th ASEAN Financial Ministers and Central Bank Governors Meeting

MAS has published the joint statement from the 7th ASEAN Financial Ministers and Central Bank Governors Meeting, which summarises on discussions during the meeting. Attendees considered a wide range of topics, including the impact of Covid-19 on economic activities and people’s mobility; sustainable finance initiatives; the promotion of financial inclusion; and cyber resilience, in particular the launch of the ASEAN Cybersecurity Resilience and Information Sharing Platform (CRISP). [30 Mar 2021]

MAS speech: Innovation in Central Banking

MAS has published the remarks delivered by Ms Jacqueline Loh, Deputy Managing Director (Corporate Development), at the Bank for International Settlements (BIS) Innovation Summit. Ms Loh shared views on how central banks should embrace and lead financial sector innovation, and channel these capabilities towards improving sustainability and enhancing cross-border payments. [26 Mar 2021]



MAS overview of AML/CFT requirements for the DPT sector

MAS has published an infographic which provides an overview of MAS’ anti-money laundering and countering the financing of terrorism (AML/CFT) requirements and supervisory expectations for the Digital Payment Token (DPT) sector, and is intended to raise industry awareness among DPT service providers of sectoral money laundering and terrorism financing (ML/TF) risks, and provide additional information to support their implementation of effective controls.

This document serves to supplement existing AML/CFT requirements, and should be read in conjunction with the Notice PS-N02  and accompanying Guidelines. [26 Mar 2021]





SECT – Revised filing and filing criteria with support for electronic signatures

The Securities and Exchange Commission Thailand (SECT) has revised the rules for filing and filing applications and documents relating to the offer for sale of equity securities in a paperless form, allowing directors to certify the information in filing with electronic signature. This will take effect from April 1 2021. [31 Mar 2021]




SEC Charges New Hampshire Issuer of Digital Asset Securities with Registration Violations

The Securities and Exchange Commission (SEC) charged a blockchain company, with conducting an unregistered offering of digital asset securities. According to the SEC's complaint, from at least July 2016 to February 2021, the blockchain company, which offers a video sharing application, sold digital asset securities to numerous investors, including investors based in the US. The complaint alleges that the blockchain company did not file a registration statement for the offering, and that the offering failed to satisfy any exemption from registration. The complaint further alleges that by failing to file a registration statement, the blockchain company denied prospective investors the information required for such an offering to the public. As alleged, the blockchain company received more than $11 million in US dollars, Bitcoin, and services from purchasers who participated in its offering. [29 Mar 2021]






Five Federal Financial Regulatory Agencies Seek Wide Range Of Views On Financial Institutions' Use Of Artificial Intelligence

Five federal financial regulatory agencies requested insight on financial institutions’ use of artificial intelligence (AI). The agencies sought information from the public on how financial institutions use AI in their activities, including fraud prevention, personalization of customer services, credit underwriting, and other operations.The Federal Reserve Board, the Consumer Financial Protection Bureau (CFPB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA) and the Office of the Comptroller of the Currency (OCC) announced the request for information (RFI) to gain input from financial institutions, trade associations, consumer groups, and other stakeholders on the growing use of AI by financial institutions. More specifically, the RFI seeks comments to better understand the use of AI, including machine learning, by financial institutions; appropriate governance, risk management, and controls over AI; challenges in developing, adopting, and managing AI; and whether any clarification would be helpful. [29 Mar 2021]

CFTC Announces that Federal Court Orders UK Man to Pay More Than $571 Million for Operating Fraudulent Bitcoin Trading Scheme

The Commodity Futures Trading Commission (CFTC) announced that the US District Court for the Southern District of New York entered a default judgment against an individual, purportedly of Manchester, England, finding that he operated a fraudulent scheme to solicit bitcoin from members of the public and misappropriated customers’ bitcoin. This case was brought in connection with the Division of Enforcement’s Digital Assets Task Force.The court’s order of 2 March 2021 required the individual to pay nearly $143 million in restitution to defrauded customers and a civil monetary penalty of $429 million. The order also permanently enjoined the individual from engaging in conduct that violates the Commodity Exchange Act and CFTC regulations, registering with the CFTC, and trading in any CFTC-regulated markets.The judgment was the result of a 2019 enforcement action brought by the CFTC, which charged the individual with fraud and misappropriation. [26 Mar 2021]

FDIC’s Provides Guidance for its Rapid Phased Prototyping Initiative

The Federal Deposit Insurance Corporation (FDIC) provided information and clarification for FDIC-supervised financial institutions on the FDIC’s Rapid Phased Prototyping (RPP) initiative.The RPP initiative is a competition designed to accelerate the adoption of modern technological solutions to help the FDIC fulfill its mission. In particular, the solutions explore new ways to receive, manage, and analyze data from individual institutions, particularly community banks, without increasing compliance burdens. According to the FDIC, the lessons learned from this competition, and future FDIC tech sprints, will promote the safe and sound adoption of these technologies, helping banks and supporting consumers in the process.  [26 Mar 2021]

SEC Announces Final Rule Concerning Electronic Filing in Administrative Proceedings

The SEC adopted amendments to its Rules of Practice to require persons involved in SEC administrative proceedings to file and serve documents electronically. The final rules are effective from 29 January 2021, except for Instruction 8 which is effective from 12 July 2021. [23 Mar 2021]


Key contacts

Nick Pantlin photo

Nick Pantlin

Partner, Head of TMT & Digital UK & Europe, London

Nick Pantlin
Alex Kay photo

Alex Kay

Partner, London

Alex Kay