The pandemic has been a technological catalyst. It has caused change on a greater scale and at a faster pace than any firm's planned ICT¹ strategy or any regulatory initiative. Initial lockdown measures to manage the pandemic caused years of change to take place in months, as firms moved to, and continue to operate, large-scale remote working.

The pandemic has also provided added impetus to governments' and regulators' plans to encourage moves towards digital finance and the widening use of technology. Regulators are attuned, though, to the risks of new technologies and increased digitalization, as well as the benefits.

Key messages for firms

  • New technologies bring new and emerging risks. Firms need to think innovatively about how to identify, measure and manage these risks, including the use of new techniques and tools.

  • The ever-increasing dependence on good data heightens risks around quality, privacy, security, retention, ethics and sovereignty.

  • Given the changing nature of products and services, of how they are delivered, and of communications with customers and counterparties, firms need to consider the end-customer, throughout the business and at all stages of a product lifecycle.

  • Firms need to review their overall risk management framework and to attract staff with new skill sets, in a highly competitive market.

In the detail

The Malaysian government's "Digital Economic Blueprint" outlines 22 strategies, to be implemented over 10 years to 2030, and is expected to attract new investments in the digital sector, from within and outside the country. The strategies include measures relating to Islamic finance, financial literacy and FinTech start-ups.

The European Commission has issued a wide-ranging package of measures, aiming to enable and support the potential of digital finance in innovation and competition, while mitigating the risks. The package comprises a Digital Finance Strategy, draft regulations on digital operational resilience (see chapter 5) and on markets in crypto-assets, and a pilot regime on market infrastructure based on distributed ledger technology (DLT). The long list of actions includes:

  • Harmonized rules on customer onboarding
  • An interoperable cross-border framework for digital identities
  • An oversight framework for critical third-party ICT providers, such as cloud service providers
  • Clarity on how financial services rules should apply to artificial intelligence applications
  • An open finance framework
  • Protections for digital finance customers.

Accelerated progress on digital customer experience

In January 2021, the Luxembourg parliament adopted a draft law that will modernize its law on dematerialized securities by expressly recognizing the possibility of using secure electronic registration mechanisms, including distributed ledgers, for the purpose of issuing dematerialized securities. Germany has passed a new law that legalizes the use of DLT in the securities sector. Previously, all securities issuers and holders have been required to record them on paper certificates. This will now be replaced by a simple entry in a central securities depository, which can be maintained by a bank. And Brazil has seen its first crypto-asset based deal in infrastructure.

A focus on customers

The trend in digitalization - doing more things in a digital way rather than on paper or face-to-face - has accelerated rapidly. There has been an increase in online investment tools, and communications are becoming more immediate. Online descriptions of services and products can be dynamic and customized, and therefore more engaging and educative. The use of internet platforms and social media has changed the way financial products are marketed and distributed, providing new opportunities for domestic and cross-border offerings.

The International Organization of Securities Commissions (IOSCO) is developing a set of policy measures to address and mitigate the risks posed by online cross-border marketing and distribution. The measures, expected by end-Q3 2021, will also contain guidance on effective enforcement approaches.

Moves to digital identity

The pandemic has accelerated trends in the digitalization of client onboarding. Given social distancing measures, firms increasingly turned to digital know-your-customer (KYC) checks to facilitate more remote customer onboarding approaches. The use of different forms of digital identity (ID) is spreading and policymakers' interest is increasing. Regulators are attuned to both its benefits and risks.

Digital ID facilitates mass data infrastructures, leverages scale and reduces operating costs. It is not perfect - verification issues can persist - but it can be underpinned by a robust KYC methodology. Use of digital ID has similar issues to traditional methods - identification, authentication and consent - but the issues manifest themselves in different ways. Access to quality and quantity of data is necessary for building robust authentication. Cross-border issues are significant and require global co-operation. A digital ID can include data about payments and transactions made by that person, but this raises additional data privacy concerns. It can help firms to identify and tackle financial crime, but if an ID is stolen, it could increase the opportunity for criminal activity.

Despite these challenges and risks, the appeal of digital ID is that it provides a more consistent and robust approach, departing from subjective processes. Potential funders of smaller capital-raising firms could use it to reduce the work required at the identification phase of onboarding. However, a digital ID requires co-operation between regulators and industry to maximize the benefits and mitigate the risks.

Some countries are already acting. Singapore has developed national digital ID infrastructure based on a trusted ID system that extracts data from a golden data source and provides a straightforward onboarding process, supporting people through their life cycle. India has brought 1.5 billion people onto a public data infrastructure and Estonia has introduced a DLT-based public digital ID system, alongside extensive online provision of state services. Culture is a key variable in rolling out such programs. Acceptance of the need to embrace digital ID requires customer trust in the form of the ID, understanding of how it will (and will not) be used, trust in the data attached to the ID and trust in the entity handling the data.

Data — a fundamental building block

Fundamental building blocks underpinning all technologies and digitalization are infrastructure and data. In chapter 5, we comment on the need for firms to ensure the integrity of databases, to have the expertise to store and analyze them, and to have in place good governance and controls. In this chapter, we consider the need both to protect customers' and market confidential data and to share them, to be able to deliver services more efficiently and across borders. Switzerland and Austria have adopted data standards, while other regulators are inclined to leave it to industry.

Governments, regulators and industry grapple with the legal issues around the transfer of customer data between entities and across borders, but in some jurisdictions the industry is being encouraged to embrace "Open Finance". Open Finance is the term used to describe data-sharing principles to enable third-party providers to access customers' data across a broader range of financial sectors and products, including savings and investments.

The exchange of both personal and non-personal data through (open) application programming interfaces can facilitate industry-wide innovation and increase the agility of businesses in responding to changes in customer needs and expectations. However, it could also give rise to new or amplified risks such as data security, cyber risks, interoperability challenges, and liability, ethical and broader consumer protection issues. Increased data sharing, especially if combined with artificial intelligence and machine learning (AI/ML) tools, could increase financial exclusion.

IOSCO investigates AI/ML

In its June 2020 consultation, IOSCO observed that ethical concerns may arise where the data that AI/ML models use are biased because data cleaning, transformation and anonymization were not adequately considered. The models may then behave in a biased way (for example, exhibit social biases) and potentially recommend undesirable outcomes. IOSCO's Fintech Network has warned firms to be careful when developing or deploying AI/ML tools that use large pools of alternative, non-traditional datasets, such as satellite data or Twitter feeds. It has identified five primary themes that could underpin the ethical use of AI/ML techniques:

  • Beneficence - "do good": ensure the model is being used or is acting in good faith, in the best interest of investors and with market integrity
  • Non-malfeasance - "do no harm": be able to understand and interpret AI/ML-based decisions to identify where misconduct may be taking place
  • Human autonomy, including auditability: ensure humans have power over what the model can and cannot decide
  • Justice: ensure accountability at senior level for the actions of the model and understand the level of transparency needed to demonstrate justice
  • "Explain-ability": ensure the outcomes arising out of the models can be explained

Firms can mitigate unintended ethical risks and challenges arising in the use of such tools by focusing on risk management over the electronic-to-electronic data cycle and on their culture, accountability, knowledge, expertise and operational resilience.

IOSCO is also working on appropriate regulatory frameworks for the supervision of asset managers and market intermediaries that utilize AI/ML. It has proposed six measures that reflect expected standards of conduct, which are equally applicable to any technology:

  1. Governance and designated senior management responsibilities
  2. Development, testing and ongoing monitoring of techniques
  3. Adequate staff knowledge and skills (to develop, test, deploy, monitor and oversee controls, and so that compliance and risk management functions can understand and challenge algorithms, and conduct due diligence on any third-party provider)
  4. Operational resilience (including managing relationships with third-party providers, monitoring their performance and conducting oversight)
  5. Transparency and disclosure of the use of AI/ML
  6. Appropriate systems and controls (to ensure that data are of sufficient quality and breadth to prevent biases)

Types of virtual assets

  • Crypto-assets – digital representation of value or rights which may be transferred and stored electronically, using DLT or similar technology.

  • Asset-referenced tokens, which purport to maintain a stable value by reference to fiat currencies or commodities and can be used as a means of payment (i.e. stablecoins).

  • E-money tokens, which can also be used as a means of payment, but their value is established by reference to only one fiat currency.

Regulating digital assets and DLT

Crypto-assets have been a focus of regulators around the globe for some time, with regulatory initiatives focused on the assets themselves, the trading of them or both. A debate has begun on whether the role of fund administrators regarding crypto-assets and digital currencies needs to be further articulated. The Cayman Islands government, for example, introduced the Virtual Asset (Service Providers) Act, 2020, which became effective in October 2020 and provides a framework for the regulation of the provision of virtual asset services. It is being rolled out in a phased approach, with the first phase involving the registration of entities providing virtual asset services.

The European Commission has published proposals to introduce a regulatory regime to regulate crypto-asset markets and to regulate the issuers of certain forms of asset-backed crypto-assets, known as "stablecoins". The proposed regulation on markets in crypto-assets (MICA) aims to clarify the application of existing EU rules to crypto-assets and will introduce a new, harmonized legal framework for crypto-assets covered by existing rules. It defines three different types of virtual assets.

The definition of financial instrument will be amended to clarify beyond legal doubt that such instruments can be issued via DLT. The Commission has also proposed a regulatory pilot that will provide a safe environment (a "sandbox" approach) and evidence for a possible permanent EU regulatory regime for DLT. The regulation limits the size of the issuance or trading of transferable securities on DLT market infrastructure and excludes sovereign bonds. Trading on DLT infrastructures will be subject to market abuse, data reporting and transparency rules.

The Isle of Man Financial Services Authority is considering the island's response to these proposals and how these changes may be reflected in its own regulatory perimeter. The UK government has sought views and evidence on the merits of regulating UK-based issuers of stablecoins. And the Swiss Financial Market Supervisory Authority (FINMA) has consulted on the application of DLT.

The government in Hong Kong (SAR), China has consulted on a new regulatory framework that will require centralized virtual asset exchanges to apply for a licence from the Securities and Futures Commission (SFC), whether they are operating in the jurisdiction or target Hong Kong investors. Licensees will be allowed to offer services to professional investors only. All virtual asset trading platforms will be regulated under either the existing opt-in framework introduced in 2019 or the proposed new licensing regime. Affected businesses will need to consider carefully the scope of permissible activities under the licence, what resources and experience they require, and whether they have adequate risk management and compliance procedures in place.

Different approaches to access by retail investors

Supervisors are increasingly turning their attention to the ability of retail investors to access crypto-assets and their growing use within investment funds, but they are adopting different approaches. The South African Financial Sector Conduct Authority (FSCA) has expressed reservations and in Canada, although regulatory applications from investment funds that wish to hold crypto-assets and digital currencies have been successful, it is difficult to make them available to the public. On the other hand, the Cyprus Securities and Exchange Commission (CySEC) looks positively at crypto-funds, in line with a national strategy that favors regulating products, activities and uses of DLT, including crypto-assets. In October 2020, Cyprus saw the launch of its first actively-managed investment fund focused on the cryptocurrency markets.

The Division of Examinations of the US Securities and Exchange Commission (SEC) notes that various activities related to the offer, sale and trading of digital assets that are securities ("digital asset securities") present unique risks to investors. The Division encourages firms to consider the many distinct features of DLT when designing their regulatory compliance programs. The Risk Alert also provides observations made by Division staff during examinations of investment advisers, broker-dealers and transfer agents - which may assist firms in developing and enhancing their compliance practices - and indicates areas of focus for the Division's future examinations.

The European Securities and Markets Authority (ESMA) has again reminded EU consumers that some crypto-assets are highly risky and speculative and that they must be alert to the high risks of buying and/or holding these instruments, including the possibility of losing all their money. It also highlights that crypto-assets come in many forms but most remain unregulated in the EU. This means that consumers buying or holding these instruments do not benefit from the guarantees and safeguards associated with regulated financial services.

The Spanish Comisión Nacional del Mercado de Valores (CNMV) is expected to publish a Circular in 2021 on the marketing and publicity of crypto-assets. Meanwhile, it has clarified that UCITS² are able to invest in financial instruments with profit linked to cryptocurrencies not including an implicit derivative, provided the market price of the instrument is determined daily by a third party. Also, non-UCITS funds can invest directly, or via other funds, in cryptocurrencies. However, investors must be warned of the risks.

¹ Information and communications technology
² Undertaking for collective investment in transferable securities