Follow us

In this regular update, we round-up FinTech-related financial services regulatory developments for the week ending 14 April 2023.


Recent updates from Herbert Smith Freehills include:



FSB: Report on cyber incident reporting; format for incident reporting; and Cyber Lexicon

The Financial Stability Board (FSB) has published a report setting out recommendations to achieve greater convergence in cyber incident reporting. The report identifies commonalities in reporting frameworks and details practical issues associated with the collection of cyber incident information from financial institutions and the onward sharing between financial authorities. It also sets out 16 recommendations to address these issues with a view to promoting best practices in cyber incident reporting.

The FSB has also published a common format for incident reporting exchange (FIRE). The aim of FIRE is to collect incident information from financial institutions that authorities could use for information sharing. The report provides feedback from the consultation on FIRE and outlines the potential benefits, risks and costs, and next steps.

Finally, the FSB has updated its Cyber Lexicon, which was developed to support the work of the FSB, standard-setting bodies and other international organisations to address cyber security and cyber resilience in the financial sector. The updates are also part of the FSB’s work to achieve greater convergence in cyber incident reporting. A number of new terms have been added and some existing definitions have been clarified. [13 Apr 2023]



BIS: Research papers

The Bank for International Settlements (BIS) has published two research papers:

  • The tokenisation continuum. This bulletin is a primer on tokenisation and its key elements, including the tokenisation of traditional assets and the benefits and challenges to tokenisation. It explains how tokenisation can reap gains through transaction automation and new types of asset transfer; it also raises economic, legal and technical issues that define a 'tokenisation continuum' that represents the trade-offs involved in the tokenisation of traditional assets.
  • Stablecoins versus tokenised deposits: implications for the singleness of money. This paper evaluates two models of private tokenised money - the digital bearer instrument model, and the non-bearer instrument model. [11 Apr 2023]




ICO: Response to HMG’s AI White Paper

The Information Commissioner’s Office (ICO) has published its response to HM Government’s (HMG's) White Paper on artificial intelligence (AI). The response sets out the ICO's views on: the role of regulators; the proposed statutory duty and suggested AI principles; the format of proposed guidance; the design of the proposed sandbox; and the cost implications of the proposals. Further, the ICO:

  • requests clarification on the respective roles of HMG and regulators in issuing guidance and advice;
  • notes the need for collaboration to ensure that the AI White Paper principles are interpreted in a way compatible with data protection principles;
  • suggests that, in order to inform prioritisation, HMG undertakes research to identify the type guidance that AI developers would most value; and
  • similarly, research should also inform the design of the proposed AI sandbox. [13 Apr 2023]
FCA to lead GFIN Greenwashing TechSprint

The FCA has announced that it will join 13 international regulators so far participating in the Global Financial Innovation Network's (GFIN's) first Greenwashing TechSprint event. The GFIN is made up of over 80 international organisations; it focuses on supporting financial innovation in the interest of consumers. The objective of the TechSprint is to develop a solution to help regulators and the market effectively tackle the risks of greenwashing in financial services.

UK-based firms are able to apply to participate from 17 April 2023, with the application window remaining open for four weeks. The TechSprint will launch on 5 June 2023, culminating in a showcase day this September. [11 Apr 2023]

FCA/PRA/BoE: Survey of third party providers - CBA for the CTP regime

The FCA, the PRA and the Bank of England (BoE) have released survey to help with their analysis into the costs and benefits (CBA) of a potential critical third-party (CTP) regime in the UK. The voluntary survey is targeted at service providers to the UK financial services industry; it asks respondents to provide cost estimates based on the regime as outlined in Discussion Paper 3/22 - Operational resilience: Critical third parties to the UK financial sector (DP3/22).

Responses are requested by 17 May 2023. The regulators plan to consult further on the CTP regime later in 2023. [11 Apr 2023]




EU level

EPRS 'at a glance' briefings: MiCA and the recast transfer of funds regulation

The European Parliamentary Research Service (EPRS) has published 'at a glance' briefings on the markets in crypto-assets legislation (MiCA) and on the recasting of the transfer of funds regulation in view of the upcoming April plenary. The briefings summarise the background to, and development of, the proposed legislation, and summarise the EP's position. [13 Apr 2023]

ESMA: Overview of planned CPs 2023 

The European Securities and Markets Authority (ESMA) has published an overview of its planned Consultation Papers (CPs) for 2023. The topics covered by forthcoming CPs include the Digital Operational Resilience Act (DORA) and the Markets in Crypto-Assets (MiCA) legislation.  [12 Apr 2023]



EP: Debate in plenary scheduled for MiCA & regulation on Information accompanying transfers of funds and certain crypto-assets

The European Parliament (EP) has updated its procedure file to explain that a debate in plenary on the Markets in crypto-assets (MiCA) Regulation has been scheduled for 18 April 2023. The EP has also published its amendments on the related European Commission's (EC) proposal for a regulation on information accompanying transfers of funds and certain crypto-assets which is forecast for plenary on 18 April 2023. [12 Apr 2023] 



ESRB held its 49th regular meeting and published risk dashboard

The European Systemic Risk Board (ESRB) General Board held its 49th regular meeting on 30 March 2023 to discuss risks to financial stability in the EU. Among the key takeaways from the meeting is that ESRB plans to publish a report in Q2/2023 on crypto-assets and decentralised finance (defi) and their possible systemic implications.

The ESRB has also published its risk dashboard, a set of quantitative and qualitative indicators of systemic risk in the EU financial system, for the first quarter of 2023. [11 Apr 2023]






The Banque de France (BdF)/Autorité de contrôle prudentiel et de résolution (ACPR) has published a discussion paper (DP) on possible regulatory approaches to DeFi. The DP provides an analysis of the structure and risks of disintermediated finance and its various components before formulating different regulatory framework scenarios, some of which are alternative, others complementary. The DP's executive summary explains:

The main idea developed in this paper is that the regulation of disintermediated finance cannot simply replicate the systems that currently govern traditional finance. On the contrary, regulations must take into account the specific features of DeFi. Moreover, such regulation should not be conceived as a monolithic block, but rather as a combination between traditional financial regulations and regulations inspired by other economic sectors.

Feedback to the BdF/ACPR DP is requested by 19 May 2023.  Responses will inform the ACPR's positions on the value of, and procedures for, regulating disintermediated finance. In particular, the paper is intended to contribute to ongoing discussions European level as the MiCA Regulation provides for a report to be drawn up within 18 months of MiCA's entry into force. This forthcoming EU report under MiCA will assess, among other things, the value of and  procedures attached to a European regulation on disintermediated finance.





APRA provides an update on the implementation of new operational risk standard

The Australia Prudential Regulation Authority (APRA) has released an updated timeline for the implementation of the new cross-industry Prudential Standard CPS 230 – Operational Risk Management. CPS 230 is designed to strengthen the management of operational risk in the banking, insurance and superannuation industries.

In response to feedback received during the consultation period, APRA intends to:

  • move the effective date for the new standard to 1 July 2025; and
  • provide transitional arrangements for pre-existing contractual arrangements with service providers, with the requirements in the standard applying from either the next contract renewal date or 1 July 2026, whichever is earlier.

APRA also plans to release a final version for CPS 230, together with draft supporting guidance, in mid-2023. Further information regarding APRA’s proposals in relation to Operational Risk Management for all APRA-regulated entities can be found here. [13 Apr 2023] 



Hong Kong

SFC Interim Head of Intermediaries gives keynote speech on securities regulation in Web3 era, discussing SFC's stance in relation to DeFi and centralised VATPs 

The SFC has made available a keynote speech delivered by its Interim Head of Intermediaries, Mr Keith Choy, at the Hong Kong Web3 Festival 2023 regarding securities regulation in the Web3 era.

Mr Choy reiterated that the SFC recognises the opportunities presented by Web3 and fully supports the use of novel technologies to deliver financial services and products in Hong Kong.  He discussed the SFC's regulatory stance and policy initiatives in relation to decentralised finance (DeFi) and centralised virtual asset trading platforms (VATPs).


  • Potential challenges with regulating DeFi include identifying who should be accountable when things go wrong, in particular in light of the pseudonymous nature of DeFi and the cross-border nature of DeFi products.
  • The SFC's view is that as long as a DeFi activity falls within the scope of the Securities and Futures Ordinance, it will subject to the same regulatory requirements applicable to a traditional finance activity.  The person operating or performing the DeFi activity would therefore be subject to the SFC's licensing requirements and regulations.
  • To understand who to hold to account, the SFC will look at the substance of the DeFi arrangements (on a case-by-case basis after understanding the inner workings of the DeFi protocol) rather than how they are labelled, as some DeFi protocols may be decentralised in name only.

Proposed new VATP regime

  • The SFC looking to implement a new licensing regime for centralised VATP platforms which enable trading in non-security tokens.  When the regime comes into force on 1 June 2023, all centralised VATPs operating in Hong Kong, regardless of whether they offer trading in security tokens or non-security tokens, must be licensed by the SFC.  The SFC will review responses received on its consultation paper on the proposed regulatory requirements for VATP operators, which closed on 31 March 2023, with a view to implementing a robust regime which is fit for purpose and strikes a balance between investor protection and support for innovation.
  • The proposed regime incorporated the existing regulatory requirements under the current opt-in regime, with certain amendments to account for market developments (including the recent crypto-related failures) and lessons learnt from operating the existing regime.  The SFC proposes to relax the professional investor licence condition to allow VATPs to serve retail investors subject to additional guardrails.  [14 Apr 2023]



Acting Secretary for Financial Services and the Treasury discusses Government's plans to further develop Hong Kong's financial market 

The Acting Secretary for Financial Services and the Treasury, Mr Joseph Chan, gave his opening remarks at the special meeting of the Legislative Council Finance Committee on the estimates of expenditure for financial services and the key areas of work.

Mr Chan noted that in the coming year, the Financial Services Branch will focus on both safeguarding Hong Kong's financial stability and further developing its financial market. In relation to fintech, this will include:

  • Setting up a Green Technology and Finance Development Committee: The Financial Secretary will oversee this, with the aim of promoting green finance application and innovation.
  • Continuing to leverage fintech: The Government will continue to explore the use of fintech to improve the bond issuance process and consider policy initiatives to promote the wider use of tokenisation technology in Hong Kong's capital market.  It will also continue with various fintech infrastructure projects, such as "e-HKD" and "e-CNY" and enhancement of the Commercial Data Interchange. In addition, the Financial Secretary will set up a Task Force on Virtual Assets Development to spearhead the next steps in relation to virtual assets.

Mr Chan also discussed various initiatives in relation to promoting financial inclusiveness and nurturing talent.  [12 Apr 2023]





RBI Master Direction on Outsourcing of IT Services

Following a consultation exercise in 2022, the RBI has issued a Master Direction on the Outsourcing of IT Services. The RBI explains that the underlying principle of the Direction is to ensure that outsourcing arrangements neither diminish an RE's ability to fulfil its obligations to customers nor impede effective supervision by the RBI.

The Direction comes into effect from 1 October 2023.  [10 Apr 2023]





CFTC charges New York resident with fraud and misappropriation in digital assets trading scheme

The CFTC has filed a civil enforcement action in the US District Court for the Eastern District of New York against a New York resident. The CFTC’s complaint charges the individual with fraudulently soliciting retail investors to invest in a digital asset trading fund and with misappropriating at least $1 million in investor assets. In its continuing litigation, the CFTC seeks restitution, disgorgement, civil monetary penalties, permanent trading and registration bans, and a permanent injunction against further violations of the Commodity Exchange Act (CEA) and CFTC regulations, as charged.

Commenting, Director of Enforcement Ian McGinley said: “As today’s action demonstrates, the CFTC is unrelenting in holding bad actors accountable and protecting retail investors from fraud in the digital asset space.” [11 Apr 2023]




Ukraine-related sanctions information

Regular updates on sanctions and other developments that may impact businesses with interests or operations in Ukraine and/or Russia are available on our FSR and Corporate Crime Notes blog here.



Karen Anderson photo

Karen Anderson

Consultant, London

Karen Anderson
Cat Dankos photo

Cat Dankos

Regulatory Consultant, London

Cat Dankos

Key contacts

Karen Anderson photo

Karen Anderson

Consultant, London

Karen Anderson
Cat Dankos photo

Cat Dankos

Regulatory Consultant, London

Cat Dankos
Karen Anderson Cat Dankos