In this month’s update we cover the FCA’s new webpage on money laundering regulations, ESMA’s extension to the recognition of UK CCPs in a no-deal Brexit scenario, the European Commission’s framework for operational resilience and cryptoassets and the EU-UK future relationship on data protection and financial services.
Digital operational resilience framework for financial services: European Commission consultation and proposal for a Regulation
The European Commission has published a consultation paper on a digital operational resilience framework for the financial services sector. The Commission notes that the financial sector is the largest user of information and communications technology (ICT) in the world, accounting for around a fifth of all ICT expenditure. The increasing level of digitalisation of financial services, coupled with the presence of high value assets and (often sensitive) data, makes the financial system vulnerable to operational incidents and cyber-attacks.
The Commission is consulting on:
- targeted improvements of ICT and security risk management requirements across the different pieces of EU financial services legislation;
- harmonisation of ICT incidents reporting: rules on reporting should be clarified and complemented with provisions facilitating a better monitoring and analysis of ICT and security-related risks;
- the development of a digital operational resilience testing framework: this assessment could look into setting key requirements to perform digital operational resilience testing while maintaining flexibility and proportionality to address specific needs of financial actors by virtue of their size, complexity and scale of operations;
- specific rules enabling better oversight of certain critical ICT third-party providers which regulated financial institutions rely on, and outsource functions to; and
- specific arrangements to promote: a) effective information sharing on ICT and security threats among financial market participants; and b) better cooperation among public authorities.
The deadline for submitting responses to the consultation is 19 March 2020. Alongside the consultation, the Commission has also published a roadmap on a proposal for a Regulation on digital operational resilience for the financial sectors (DORFS). The deadline for comments on the roadmap is 16 January 2020 and the Commission plans to adopt the proposal for a Regulation in Q3 2020. See our update of 18 December 2019 for the Financial Conduct Authority’s (FCA) and Prudential Regulation Authority’s consultation papers on strengthening operational resilience in the financial services sector.
Regulatory framework for cryptoassets: European Commission consultation and proposal for a Regulation
The European Commission has published a consultation paper on an EU framework for markets in crypto-assets. The Commission notes that cryptoassets are one of the major applications of blockchain for finance and have the potential to bring significant benefits to both market participants and consumers. In particular, initial coin offerings (ICOs) and security token offerings (STOs) allow for a cheaper, less burdensome and more inclusive way of financing for small and medium-sized companies, by streamlining capital-raising processes and enhancing competition. Since its publication of the FinTech Action Plan in March 2018, the Commission has been closely looking at the opportunities and challenges raised by cryptoassets.
Among other things, the consultation:
- contains questions aimed at gaining feedback on the use or potential use of cryptoassets, for example, whether the consumer feels sufficiently well informed about their rights, risks and opportunities when dealing with cryptoassets;
- seeks feedback on whether and how cryptoassets should be classified at EU level in the absence of an existing common classification. For the purpose of the consultation, the Commission defines a crypto-asset as “a digital asset that may depend on cryptography and exists on a distributed ledger”;
- discusses cryptoassets that fall under existing EU legislation (those that qualify as “financial instruments” under MiFID II and those qualifying as “e-money” under the Electronic Money Directive II). There are detailed questions designed to assess the legislation applying to security tokens such as MiFID II, Market Abuse Regulation, UCITS etc.; and
- discusses the treatment of cryptoassets not covered by existing EU legislation.
The deadline for submitting responses to the consultation is 19 March 2020. Alongside the consultation, the Commission has also published a roadmap on a proposal for a Regulation establishing an EU framework for markets in cryptoassets. The deadline for comments on the roadmap is 16 January 2020 and the Commission plans to adopt the proposal for a Regulation in Q3 2020.
Money laundering Regulations: FCA’s new webpage
The FCA has published a new webpage on the Money Laundering and Terrorist (Amendment) Regulations 2019 (SI 2019/1511), which came into force on 10 January 2019. The new Regulations update the UK's anti-money laundering (AML) regime (MLRs) to incorporate international standards set by the Financial Action Task Force (FATF) and to transpose the EU’s Fifth Money Laundering Directive (MLD5).
The FCA’s webpage highlights some specific new areas that firms need to comply with. Among other things, these include:
- high-risk factors: amendments to Regulation 33 of the MLRs require firms to include new additional high-risk factors when assessing the need for enhanced due diligence, and seek additional information and monitoring in certain cases;
- reporting discrepancies to Companies House: Regulation 30A is a new requirement for firms to report to Companies House discrepancies between the information the firm holds on their customers compared with the information held in the Companies House Register;
- duty to respond to requests for information about accounts and safe-deposit boxes: coming into force on 10 September 2020, new Part 5A imposes duties on credit institutions and the providers of safe custody services to respond to requests for information, via a central automated mechanism; and
- businesses carrying out certain cryptoasset activities will need to comply with the MLRs in relation to those activities from 10 January 2020, and to register with the FCA during 2020. See our update of 20 November 2019 for more detail on the FCA’s role as the AML and CTF supervisor for cryptoasset business.
See our in-depth article for more information on the key changes introduced by MLD5 and the steps firms should take to prepare for implementation.
ESMA extends recognition of UK CCPs in a no-deal scenario
The European Securities and Markets Authority (ESMA) has published a press release announcing that it has extended the temporary recognition decisions for the three central counterparties (CCPs) established in the UK to 31 January 2021. The temporary extension was due to expire on 30 March 2020. The three CCPs established in the UK are LCH Limited, ICE Clear Europe Limited and LME Clear Limited.
This is to reflect the publication (in the Official Journal of the European Union) of the Commission Implementing Decision (EU) 2019/2211 which extends the expiry date of the Implementing Decision (EU) 2018/2031 of the European Commission on the equivalence of the UK CCP legal framework. Implementing Decision (EU) 2018/2031 determines that in the event of a no-deal Brexit the regulatory framework applicable to CCPs in the UK is equivalent under the European Market Infrastructure Regulation. The temporary recognition decisions would take effect on the date following the Brexit date, under a no-deal Brexit scenario.
Future EU-UK relationship on data protection and financial services: European Commission slides
The European Commission has published slides outlining internal preparatory discussions on the future EU-UK relationship relating to personal data protection and co-operation and equivalence in financial services. The purpose of the slides is to assist in preparing the negotiating directives and take into account member states’ views. The Commission will present its recommendation after the UK’s withdrawal from the EU.
The slides make clear that adequate personal data protection is an essential prerequisite for future relations. In particular, the Commission states that for personal data protection in a future partnership, there must be Commission adequacy decision(s) if conditions are met and provisions in the EU-UK agreement on the cooperation between regulators. The Commission has stated it will endeavour to finalise an adequacy assessment by the end of 2020 and will prioritise assessment in the context of law enforcement.
Regarding cooperation and equivalence in financial services, the Commission states that the future relationship should be approached with high ambition with regard to its scope and depth, but it cannot amount to obligations/benefits of membership. The Commission sets out principles including that autonomy on equivalence should not be restricted by any Free Trade Agreement. The slides state that there are around 40 equivalence areas and these are all to be assessed. The Commission states that it will use best endeavours to finalise assessments by June 2020.