In this update, we explore the latest regulatory and legislative developments in relation to fintech and cryptocurrency in Australia and international jurisdictions. In Australia, the Australian Securities and Investments Commission (ASIC) is consulting on oversight of the newly established Australian Financial Complaints Authority (AFCA) and has extended its fintech ties with United Kingdom (UK) regulator, the Financial Conduct Authority (FCA). The Australian Prudential Regulation Authority (APRA) has released its first prudential standard regarding information security while the Australian Competition and Consumer Commission (ACCC) has supported the draft report into competition in the Australian Financial System.
While not discussed in this update, digital currency exchange providers should note that the amendments to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) come into force on 3 April 2018. Under the changes, digital currency exchange providers will need to register and comply with anti-money laundering and counter-terrorism financing (AML/CTF) obligations (previously discussed here).
Please be in touch should you wish to discuss any of the below.
Fintech Fact: As reported by AFR Weekend, the Minister for Law Enforcement and Cyber Security Angus Taylor stated that there were 734 cyber incidents affecting private sector systems of “national interest and critical infrastructure providers” in the last financial year.
The ACCC has welcomed the Productivity Commission’s (the PC) draft report into competition in the Australian Financial System, focussing its opening remarks on the following three issues:
- Competition advocacy and the ACCC’s role in financial services: The PC recommended options for a regulator to advance competition in the Australian financial system and ensure robust consideration of competition in the regulatory decision making processes of an established Council of Financial Regulators. One option is that the ACCC be granted proactive functions to supplement its existing reactive role in the financial system. The ACCC believes it is well placed to utilise its focus on competition in important regulatory decisions of the financial sector.
- The ACCC’s Financial Services Unit (FSU): The ACCC has recently established a Financial Services Unit tasked with undertaking regular inquiries into competition issues in the financial system. Many of the responsibilities proposed by the PC draft report are aligned with the FSU’s mandate.
- Embedding greater transparency in decision-making and commitment to competition: The ACCC is supportive of increasing the transparency in regulatory decision making associated with the financial system.
The draft report was initially released last month as part of the PC’s 12 month enquiry into competition in Australia’s financial system (previously discussed here). Generally, the draft report identified that the current financial system lacks strong price rivalry despite competition and innovation fostering accessibility. The report also noted concern that the institutional responsibility for supporting competition in the financial system is currently too loosely shared across numerous regulators resulting in a lack of real responsibility.
The final report is set to be prepared for Government by 1 July 2018 after further submissions are received and public hearings are held.
ASIC has released Report 568 ASIC enforcement outcomes: July to December 2017, which outlines the enforcement outcomes achieved by ASIC over the second half of 2017. Commencing 63 investigations and completing 61 investigations, ASIC has taken enforcement actions in relation to corporate governance, financial services, market integrity and small business.
More notably, the report also outlines the focus areas for ASIC’s enforcement teams for the next six months. As discussed in ASIC’s Corporate Plan, these include:
- financial vulnerability of consumers at key decision points;
- inadequate risk management of rapid technological change, including digital disruption, technology-enabled offending and cyber threats; and
- cross-border businesses, services and transactions in a continually evolving regulatory environment.
ASIC has flagged cyber resilience as a key priority, indicating that there would be significantly increased regulatory scrutiny. ASIC has previously released Report 429 Cyber Resilience - Health Check and Report 555 Cyber resilience of firms in Australia’s financial markets to highlight best practices for cyber preparedness as well as Report 468 Cyber resilience assessment – ASX Group and Chi-X Australia Pty Ltd, which is a point-in-time assessment of the ASX Group and Chi-X.
ASIC recently released a draft updated Regulatory Guide 139 Oversight of the Australian Financial Complaints Authority and consultation paper setting out proposed arrangements in relation to reporting requirements, the role of independent assessors and external dispute resolution disclosure obligations.
Following the passing of the Treasury Laws Amendment (Putting Consumers First – Establishment of the Australian Financial Complaints Authority) Act 2018 (Cth) (AFCA Act) last month, AFCA will be set up by ASIC to create a new, single external dispute resolution scheme for all financial services, credit and superannuation complaints (previously discussed here). The draft regulatory guide and consultation paper were released to clarify ASIC’s policy approach and enable it to respond to any emerging issues arising from the transitionary period between now and 1 November 2018 (ie, the date that the AFCA Act is set to commence).
Responses are currently being sought until 6 April 2018.
ASIC and the UK’s FCA have signed an Enhanced Cooperation Agreement to promote innovation in financial services in both Australia and the UK. This replaces the original agreement signed in 2016 and is part of the FinTech Bridge collaboration announced late 2017 (previously discussed here).
Under the new agreement, ASIC and the FCA are able not only to share information and refer innovative businesses to each other but also to refer these businesses directly to the other party’s regulatory sandbox. ASIC and the FCA have also agreed to consider co-hosting fintech and regulatory technology events, and to conduct joint policy work to reach shared approaches and positions.
ASIC currently has either information sharing or cooperation agreements with the Hong Kong Securities and Futures Commission (SFC), Monetary Authority of Singapore (MAS), Canada’s Ontario Securities Commission (OSC), the Capital Markets Authority of Kenya (CMA), and Indonesia’s Otoritas Jasa Keuangan (OJK).
Under ASIC’s agreements with the CMA and OJK, the regulators have committed to sharing information in their respective markets relating to emerging market trends and the regulatory issues arising as a result of growth in innovation. Under ASIC’s agreements with the SFC, MAS and OSC, the regulators will also be able to refer to one another innovative businesses seeking to enter the others’ market.
APRA has released its first, cross-industry prudential standard on information security for consultation, designed to tackle cyber security incidents by setting minimum standards.
Draft Prudential Standard CPS 234 (draft CPS 234) extends the key Board requirements set out in Prudential Standard CPS 220 Risk Management and Prudential Standard SPS 220 Risk Management (CPS/SPS 220). Draft CPS 234 aims to address the possible exposure to information security risk across extended business environments – particularly where there are third party providers – and reflects the constantly evolving nature of information security threats and vulnerabilities. Under draft CPS 234, APRA-related entities must now:
- clearly define the information-security related roles and responsibilities of the Board, senior management, governing bodies and individuals;
- establish and maintain information security capability proportionate to the size and extent of threats to its information assets, and which enables the continued sound operation of the entity;
- classify its information assets by criticality and sensitivity, and implement controls that are regularly tested to protect its information assets proportionate to the classification of those information assets;
- notify APRA of any information security incidents that materially affected, or had the potential to materially affect, the entity or the interests of depositors, policyholders, beneficiaries, or other customers; and
- notify APRA of any information security incidents that required notification to other regulators in Australia or overseas.
Draft CPS 234 will apply to authorised deposit-taking institutions, general insurers, life insurers, private health insurers, licensees of registrable superannuation entities, and authorised or registered non-operating holding companies. The proposed information security standard is part of a broader APRA project to update its existing prudential standards and guidance in respect of the management of operational risk.
Submissions close 7 June 2018.
The Basel Committee on Banking Supervision (Basel Committee) has released a report entitled Sound Practices: implications of fintech developments for banks and bank supervisors. In the report, the Basel Committee outlined ten key implications and considerations for banks and bank supervisors after carefully examining the current fintech landscape and supervisory approaches. These are:
- The nature and scope of banking risks may change as new technologies emerge: though bank supervisors must ensure they remain vigilant in maintaining the safety of the banking system, they should also be alert to the possible opportunities offered by beneficial innovations in the financial industry.
- Key risks for both incumbents and new fintech entrants include strategic risk, operational risk, cyber risk and compliance risk: supervisory programs will enhance bank governance structures and risk management processes in relation to fintech, including associated new business models, applications, processes or products.
- Banks, service providers and other fintech firms are increasingly utilising innovative technologies to deliver innovative financial products and services: these technologies, such as artificial intelligence, distributed ledger technology and cloud computing, are also new sources of risks. As such, banks should ensure they have risk management processes and control environments in place.
- While banks may increasingly rely on third-party service providers for operational support of technology-based financial services, the risks and liabilities remain with the banks: banks should implement supervisory programmes to ensure that banks have appropriate risk management practices and controls over these outsourced services.
- Fintech developments will impact other sectors beyond banking: banks should communicate with the relevant regulators and public authorities to ensure compliance with laws and regulations.
- Many fintechs, particularly those engaged in payments have cross-border operations: banks can enhance global safety and stability by further supervisory coordination and information-sharing where appropriate.
- Fintech has the potential to change traditional banking business models and the delivery of financial services: bank supervisors should reassess their current supervisory models and resources, including staffing and training programmes in relation to new technologies and innovative business models.
- Technologies that offer efficiencies and opportunities for fintech firms and banks can also be utilised for the improvement of supervisory efficiency and effectiveness: supervisors should investigate and explore the potential of new technologies to improve their methods and processes.
- Current regulatory, supervisory and licensing frameworks predate the emergence of technology-enabled innovation: where appropriate, current supervisory frameworks should be reviewed in light of new and evolving fintech risks.
- Some jurisdictions have improved fintech interaction through innovation hubs, accelerators and regulatory sandboxes: information sharing and learning from various approaches and practices could be used when deciding whether to implement similar approaches or practices.
There have been many developments around the world in relation to digital currencies. Broadly, regulators have started moving beyond identifying their stance on digital currencies to enforcement. Generally, it is our view that regulating the digital currency ecosystem according to the standards held by the wider financial system will promote market integrity and further legitimise initial coin offerings (ICOs) or, at the very least, the underlying payment technology as an opportunity for the existing financial system.
The European Commission (EC) has released an Action Plan designed to harness the opportunities presented by innovative technologies in financial services, such as blockchain, artificial intelligence and cloud services. Key steps in the plan include the creation of a European Union (EU) FinTech Laboratory for authorities and technology providers to collaborate in, releasing the report of the Blockchain Observatory and Forum, the promotion of digitisation of information and cybersecurity, and a blueprint with best practices on regulatory sandboxes, based on guidance from European Supervisory Authorities.
The EC is also putting forward new crowdfunding rules to grow the existing platforms in the European market. Notably, the EC has proposed creating a pan-European label for crowdfunding platforms, so that a licensed platform in one part of Europe may operate in another EU nation. The Action Plan is part of the EC's efforts to build a Capital Markets Union and Digital Single Market.