On January 30, the UK’s Prudential Regulation Authority (PRA) fined a large bank £57,417,500, the second highest fine ever imposed by the PRA, for allegedly failing to properly implement Depositor Protection Rule requirements. The bank allegedly exhibited shortcomings in depositor protection, such as in maintaining information integrity, which is relied upon by the Financial Services Compensation Scheme (FSCS) to make payments to depositors in the event of a firm failure. In addition, the PRA alleged that the bank did not identify eligible deposits for FSCS protection from 2015 to 2022. The bank also allegedly failed to notify the PRA of inaccuracies in its account of eligible FSCS-protected accounts in a timely manner or to appoint a senior manager responsible for ensuring compliance with Depositor Protection Rules. The bank agreed to settle this matter at an early stage of the PRA’s investigation.
On November 27, 2023, a large Canadian bank agreed to pay $15.9 million to accountholders in a proposed settlement agreement stemming from a class action suit in which the bank allegedly charged improper non-sufficient fund (NSF) fees. NSF fees are charges by a financial institution when they decline to make a payment from an accountholder’s account after determining the account lacks sufficient funds. Plaintiffs alleged that from February 2, 2019, to November 27, 2023, the bank charged accountholders multiple NSF fees on a single attempted transaction. In the agreement, the bank continues to deny liability. While an agreement has been reached between the two parties, the agreement has yet to be approved by the courts. A hearing has been scheduled for February 13, 2024, in the Ontario Superior Court of Justice to approve the settlement and award the payouts. Accountholders will receive their payouts, “estimated to be in the range of approximately $88 CAD,” deposited directly to their account with the bank. Under the proposed settlement agreement, the representative plaintiff will receive an honorarium of $10,000. As previously covered by InfoBytes, the FDIC warned that supervised financial institutions that charge multiple NSF fees on re-presented unpaid transactions may face increased regulatory scrutiny and litigation risk.
On December 19, INTERPOL announced the conclusion of a transcontinental police operation against online financial crime called HAECHI IV. The operation ended with around 3,500 arrests and seizures of $300 million USD worth of assets across 34 countries. Of the $300 million, about two-thirds was hard currency and one-third was virtual assets. HAECHI IV targeted seven types of cyber scams, including voice phishing, romance scams, online sextortion, investment fraud, and money laundering associated with illegal online gambling, among others. Through INTERPOL’s stop-payment mechanism to block criminal proceeds, authorities blocked 82,112 “suspicious” bank accounts. Next on INTERPOL’s radar is a new scam in Korea that involves the sale of non-fungible tokens (NFTs) that are a “rug pull,” a crypto scam where developers abandon a project and investors lose their money. Interestingly, the UK team of the operation reported on how scammers used artificial intelligence to create synthetic content, which criminals primarily used for impersonation scams.
On December 19, 2023, the International Organization of Securities Commissions (IOSCO) published a report on decentralized finance to address market integrity and investor protection. The report includes nine policy recommendations for decentralized financial regulators to follow. Decentralized finance structures include financial products and arrangements that use a distributed ledger or blockchain technology. IOSCO’s policy recommendations on decentralized finance complement a similar report on crypto and digital asset markets, as written about on InfoBytes, here. The policy recommendations are as follows: (i) regulators should analyze decentralized finance products, services, and activities in their jurisdiction; (ii) regulators should identify the persons or entities that could be subject to their regulatory framework; (iii) regulators should use frameworks to regulate and address risks arising from decentralized finance consistent with IOSCO standards; (iv) regulators should require responsible persons to address conflicts of interest; (v) regulators should require responsible persons to address material risks, including operational and technological ones; (vi) regulators should require responsible persons to disclose information clearly to users and investors; (vii) regulators should apply comprehensive powers to decentralized financial services to detect and enforce violations under law; (viii) regulators should cooperate and share information with other regulators and authorities; and (ix) regulators should seek to understand how decentralized finance products are linked to the crypto-asset market as well as traditional finance markets. The final section of the report summarized the feedback garnered from 45 stakeholders on eight categories.
On December 9, the EU Commission announced a political agreement between the European Parliament and the European Council regarding the proposed Artificial Intelligence Act (AI Act). The agreement is provisional and is subject to finalizing the text and formal approval by lawmakers in the European Parliament and the Council. The AI Act will regulate the development and use of AI systems, as well as impose fines on any non-compliant use. The object of the law is to ensure that AI technology is safe and that its use respects fundamental democratic rights while balancing the need to allow businesses to grow and thrive. The AI Act will also create a new European AI Office to ensure coordination, transparency, and to “supervise the implementation and enforcement of the new rules.” According to this EU Parliament press release, powerful foundation models that pose systemic risks will be subject to specific rules in the final version of the AI Act based on a tiered classification.
Except for foundation models, the EU AI Act adopts a risk-based approach to the regulation of AI systems, classifying them into different risk categories: minimal risk, high-risk, and unacceptable risk. Most AI systems would be deemed minimal risk since they pose little to no risk to citizens’ safety. High-risk AI systems would be subject to the heaviest obligations, including certifications on the adoption of risk-mitigation systems, data governance, logging of activity, documentation obligations, transparency requirements, human oversight, and cybersecurity standards. Examples of high-risk AI systems include utility infrastructures, medical devices, institutional admissions, law enforcement, biometric identification and categorization, and emotion recognition systems. AI systems deemed “unacceptable” are those that “present a clear threat to the fundamental rights of people” such as systems that manipulate human behaviors, like “deep fakes,” and any type of social scoring done by governments or companies. While some biometric identification is allowed, “unacceptable” uses include emotional recognition systems at work or by law enforcement agencies (with narrow exceptions).
Sanctions for breach of the law will range from a low of €7.5 million or 1.5 percent of a company’s global total revenue to as high as €35 million or 7 percent of revenue. Once adopted, the law will be effective from early 2026 or later. Compliance will be challenging (the law targets AI systems made available in the EU), and companies should identify whether their use and/or development of such systems will be impacted.
On December 4, the Financial Stability Board (FSB) published a report titled “Enhancing Third-Party Risk Management and Oversight: A Toolkit for Financial Institutions and Financial Authorities,” as summarized in this press release. The report provides a toolkit that: (i) defines common terms to improve consistency among financial institutions, including “third-party service relationship,” “service provider,” and “critical service,” among others; (ii) outlines tools for financial institutions to identify critical third-party services and manage potential risks throughout the service lifecycle, onboarding and monitoring of service providers, and reporting incidents, among others; and (iii) outlines tools for financial authorities to manage third-party risks, including how to identify third-party dependencies and potential systemic risks. In preparing the report, the FSB received public feedback over the past summer regarding risk concerns stemming from outsourcing and third-party service relationships.
On December 8, participants in the EU-U.S. Joint Financial Regulatory Forum met, including officials from the Treasury Department, Fed, CFTC, FDIC, SEC, and OCC, and issued a joint statement. The statement regarded ongoing dialogues from December 4-5 and focused on six themes: “(1) market developments and financial stability; (2) regulatory developments in banking and insurance; (3) anti-money laundering and countering the financing of terrorism…; (4) sustainable finance; (5) regulatory and supervisory cooperation in capital markets; and (6) operational resilience and digital finance.”
The joint statement acknowledged how risks to the EU and U.S. financial sectors have been mitigated in recent months, e.g., inflation risks, although lingering concerns remain regarding the impact of increased interest rates, high levels of private and public sector debt, and the ongoing geopolitical situations. Participants reaffirmed the significance of strong prudential standards for banks, effective resolution frameworks—particularly across borders—and robust supervisory practices, along with effective macroprudential policies. Finally, the conversations covered recent cryptoasset market changes and updates on regulatory and enforcement initiatives in the U.S.
On November 16, the International Organization of Securities Commissions (IOSCO) released a report titled “Policy Recommendations for Crypto and Digital Asset Markets” for centralized financial bodies to put forth parallel, global policies on crypto assets, including a country’s stablecoin.
IOSCO’s report aims to protect retail investors from illegal crypto-asset market activities, including regulatory non-compliance, financial crime, fraud, market manipulation, and money laundering that have led to investor losses. The report puts forth 18 policy recommendations summarized within six key themes: conflicts from firms doing too much at once; market manipulation, insider trading, and fraud; cross-border risks and regulatory cooperation; operational and technological risks; and retail access, suitability, and distribution. IOSCO maintains its principles on global regulation are within the “same activities, same risks, same regulation/regulatory outcomes.” IOSCO also mentioned it plans on releasing a second report on decentralized finance before the year’s end.
On November 6, the Bank of England and the Financial Conduct Authority (FCA) requested feedback on their proposal to regulate a form of cryptocurrency known as stablecoins. Stablecoins are a cryptoasset that “maintain a stable value relative to a fiat currency by holding assets as backing” and fall within the UK Government’s plan to regulate them for future retail payment use. In addition to retail use, the Bank of England and FCA’s wish to regulate stablecoins is meant to “prevent money laundering… and safeguard financial stability.”
The Bank of England published a handy road map with similar regulators on how to best navigate rolling out new technological payment innovations, such as the digital pound. Each of the financial regulators provided a discussion paper: (i) the FCA’s discussion paper outlines how the FCA can regulate cryptoassets under the Financial Services and Markets Act 2000, including providing information on backing assets, custody requirements, and allowing overseas stablecoins to be used as a form of tender in the UK; and (ii) the Bank of England’s discussion paper examines proposed regulations for sterling-denominated stablecoins in the hopes of their becoming widespread for retail use. Furthermore, this paper details proposed regulations for everyday use, including money transfers and providing digital wallets.
Both regulators’ comment period is open until February 6, 2024.
On November 2, the UK Financial Conduct Authority (FCA) finalized guidance informing individuals and firms regarding the communication and promotion of cryptoassets. The final guidance follows a consultation period that closed on August 10.
In UK law, Section 21 of the Financial Services and Markets Act 2000 prohibits any person from, in the course of business, communicating a financial promotion – an invitation or inducement to engage in investment activity – unless such person is an authorized person, the content is approved by an authorized person, or another exemption applies. The guidance describes the application of the financial promotion oversight regime to “qualifying cryptoassets” and expresses the expectation that all “cryptoasset financial promotions must be fair, clear and not misleading.”
The guidance reiterates that it “does not create new obligations for firms but relates to firms existing regulatory obligations” and that persons and firms that act in accordance with the guidance will be considered “as having complied with the rule or requirement to which that guidance relates.”