InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
EU-U.S. release statement on Joint Financial Regulatory Forum
On July 20, participants in the U.S.-EU Joint Financial Regulatory Forum, including officials from the Treasury Department, Federal Reserve Board, CFTC, FDIC, SEC, and OCC, issued a joint statement regarding the ongoing dialogue that took place from June 27-28, noting that the matters discussed during the forum focused on six themes: “(1) market developments and financial stability risks; (2) regulatory developments in banking and insurance; (3) anti-money laundering and countering the financing of terrorism (AML/CFT); (4) sustainable finance and climate-related financial risks; (5) regulatory and supervisory cooperation in capital markets; and (6) operational resilience and digital finance.”
Participants acknowledged that the financial sector in both the EU and the U.S. is exposed to risk due to ongoing inflationary pressures, uncertainties in the global economic outlook, and geopolitical tensions as a result of Russia’s war on Ukraine. During discussions, participants emphasized the significance of strong bank prudential standards, effective resolution frameworks, and robust supervision practices. They also stressed the importance of international cooperation and continued dialogue to monitor vulnerabilities and strengthen the resilience of the financial system. Participants took note of recent developments relating to, among other things, recent bank failures, digital finance, the crypto-asset market, and the potential adoption of central bank digital currencies.
European Data Protection Board clarifies GDPR transfers
On July 18, the European Data Protection Board (EDPB) published an information note to provide clarity on data transfers under the GDPR to the United States following the European Commission’s adoption of the adequacy decision as part of the EU-U.S. Data Privacy Framework on July 10. The information note also addresses available redress mechanisms under the framework, as well as a new redress mechanism relating to the area of national security. As previously covered by InfoBytes, the European Commission concluded that the U.S. “ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to U.S. companies under the new framework.” With the adoption of the new adequacy decision, personal data can now be transferred securely from the EU to U.S. companies participating in the framework without having to implement additional data protection safeguards.
The information note clarified that transfers based on adequacy decisions do not require supplementary measures. However, transfers to the U.S. not included in the “Data Privacy Framework List” will require appropriate safeguards, such as standard data protection clauses or binding corporate rules. The EDPB emphasized that U.S. government safeguards put in place in the area of national security (including the redress mechanism) will “apply to all data transfers to the [U.S.], regardless of the transfer tool used.” Additionally, EU individuals whose data is transferred to the U.S. based on the adequacy decision may use several redress mechanisms, including submitting complaints with the relevant U.S. organization, while EU organizations may seek advice from their national data protection authority to oversee related processing activities. Moreover, regardless of the transfer method used for sending personal data to the U.S., EU data subjects can submit complaints to their national data protection authority to utilize the new redress mechanism concerning national security. The national data protection authority, in turn, will ensure that the complaint is sent to the EDPB, which will transmit the complaint to the appropriate U.S. authorities.
The EDPB noted that the European Commission will conduct a review of the adequacy decision one year after it enters into force to ensure all elements have been fully implemented and are effective. Depending on the findings, the European Commission will decide, in consultation with the EDPB and the EU member states, whether subsequent reviews are warranted.
FSB finalizes crypto framework
On July 17, the Financial Stability Board (FSB) released its global regulatory framework for promoting comprehensive, international consistency of regulatory and supervisory approaches for crypto-asset activities and stablecoins, while also supporting responsible innovations potentially brought by technological changes. Based on the principle of “same activity, same risk, same regulation,” FSB’s framework consists of two distinct sets of recommendations. The first set of recommendations focuses on regulating, supervising, and overseeing crypto-asset activities and markets at a high level. The recommendations establish a global regulatory baseline for promoting a framework that is technology-neutral and focuses on underlying activities and risks (FSB notes that some jurisdictions may choose to take more restrictive regulatory measures). The second set provides revised high-level recommendations specifically for the regulation, supervision, and oversight of “global stablecoin” arrangements. The recommendations also seek to promote consistent and effective regulation, supervision and oversight of global stablecoin arrangements across jurisdictions to address potential financial stability risks posed at both the domestic and international level, while further “supporting responsible innovation and providing sufficient flexibility for jurisdictions to implement domestic approaches.”
The final recommendations “take account of lessons from events of the past year in crypto-asset markets, as well as feedback received during the public consultation of the FSB’s proposals,” the announcement said, noting that central bank digital currencies are not subject to these recommendations. The FSB and sectoral standard-setting bodies (SSBs) will continue to coordinate work to promote the development of a comprehensive and coherent global regulatory framework that is appropriate for the risks associated with crypto-asset market activities, including providing more detailed guidance through SSBs and monitoring and public reporting.
Biden administration releases roadmap for National Cybersecurity Strategy
On July 13, the Biden administration published the National Cybersecurity Strategy Implementation Plan (NCSIP), outlining a roadmap for carrying out the administration’s National Cybersecurity Strategy. The strategy was released earlier this year to introduce several key pillars for countering threats to the digital ecosystem and improving the nation’s digital security (covered by InfoBytes here). Designed to build and enhance collaboration, the NCSIP identifies 65 federal initiatives assigned to various agencies with timelines for completion. According to the announcement, 18 agencies are spearheading initiatives in this “whole-of-government” plan, which also factors in “continued collaboration with the private sector, civil society, international partners, Congress, and state, local, Tribal, and territorial governments.”
Pillars include measures to:
- Defend critical infrastructure (the Cybersecurity and Infrastructure Security Agency will implement measures to update the National Cyber Incident Response Plan to, among other things, provide clear guidance to external partners on the roles and capabilities of federal agencies in incident response and recovery);
- Disrupt and dismantle threat actors (including focusing on virtual asset providers that enable the laundering of ransomware proceeds);
- Shape market forces and drive security and resilience;
- Invest in a resilient future (the National Institute of Standards and Technology will convene an interagency working group to coordinate major issues in international cybersecurity standardization); and
- Forge international partnerships to facilitate coordination with partner nations. The administration expects to update the plan annually.
CFPB, EU start talks on AI, digital finance
On July 17, CFPB Director Rohit Chopra and Commissioner for Justice and Consumer Protection of the European Commission Didier Reynders issued a joint statement announcing the start of new dialogue on consumer financial protection with a primary focus on digital developments in the financial sector and ways to improve policy and regulatory cooperation.
Chopra and Reynders stressed that there are significant implications for both businesses and households from the digitalization of the financial services sector, including impacts on pricing, customer service, competition, and privacy. They noted that financial institutions are increasingly deploying automated decision-making processes, leveraging artificial intelligence technologies, and developing and introducing new financial products and services, such as Buy Now, Pay Later. Chopra and Reynders also commented that digital payments are becoming “increasingly offered and controlled by Big Tech.” They warned these developments, if not properly regulated, “could increase consumers’ exposure to fraud and manipulation, limit their product options over time, threaten their control over their own data, and force them to accept more expensive personalized pricing for the same products and services compared to other consumers.” Chopra and Reynders also cautioned that policymakers must do more to keep pace with evolving markets and ensure consumer protection.
The dialogue will address topics relating to:
- The deployment of automated decision-making and data processing and implications for consumers;
- Risks associated with emerging credit options, including the potential risks of over-consumption and over-indebtedness for consumers who use these products;
- Measures for exploring ways to assist over-indebted consumers in managing and repaying their debt sustainably;
- Digital transformation and access to fair financial services, including to unbanked and underbanked consumers, as well as those who prioritize protecting their personal data; and
- Competition, privacy, security, and financial stability implications associated with big tech companies that offer financial services.
Chopra and Reynders will meet informally at least once per year to share insights and experiences on consumer financial issues. According to the statement, the dialogue will also involve staff discussions, bilateral meetings with subject matter experts, and roundtables with stakeholders. The cooperation and exchanges within the informal dialogue are expected “to occur in parallel with other forms of cooperation and exchanges between the European Union and the United States on various digital and financial services policies and regulations,” the joint statement said.
European Commission approves transatlantic data-transfer framework
On July 10, the European Commission adopted an adequacy decision as part of the EU-U.S. Data Privacy Framework, concluding that the U.S. “ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to U.S. companies under the new framework.” In the announcement, European Commission President Ursula von der Leyen stated that the “new EU-US Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic.” She explained that with the new adequacy decision, personal data can now be transferred securely from the EU to U.S. companies participating in the framework without having to implement additional data protection safeguards. The framework will be administered by the Department of Commerce. Compliance by U.S. companies with their obligations under the framework will be enforced by the FTC.
As previously covered by InfoBytes, Presidents von der Leyen and Biden announced in March 2022 that they had reached an agreement in principle on a new transatlantic data flows framework to foster cross-border transfers of personal data from the EU to the U.S. Under the framework, the U.S. agreed to implement reforms and safeguards to “strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities.” The announcement followed negotiations that began after the Court of Justice of the EU issued an opinion in the Schrems II case in July 2020, holding that the EU-U.S. Privacy Shield did not satisfy EU legal requirements.
The DOJ released a statement welcoming the European Commission’s adoption of the adequacy decision and expressing its eagerness to collaborate with the Commission, along with representatives from European data protection authorities, to ensure the ongoing implementation of data privacy safeguards.
FinCEN updates jurisdictions with AML/CFT/CPF deficiencies
On June 29, FinCEN announced that the Financial Action Task Force (FATF) issued a public statement updating its lists of jurisdictions with strategic deficiencies in anti-money laundering (AML), countering the financing of terrorism (CFT), and countering the financing of proliferation of weapons of mass destructions (CPF). FATF’s statements include (i) Jurisdictions under Increased Monitoring, “which publicly identifies jurisdictions with strategic deficiencies in their AML/CFT/CPF regimes that have committed to, or are actively working with, the FATF to address those deficiencies in accordance with an agreed upon timeline,” and (ii) High-Risk Jurisdictions Subject to a Call for Action, “which publicly identifies jurisdictions with significant strategic deficiencies in their AML/CFT/CPF regimes and calls on all FATF members to apply enhanced due diligence, and, in the most serious cases, apply counter-measures to protect the international financial system from the money laundering, terrorist financing, and proliferation financing risks emanating from the identified countries.”
FinCEN’s announcement also informed members that FATF added Cameroon, Croatia, and Vietnam it its list to the list of Jurisdictions Under Increased Monitoring and advised jurisdictions to apply enhanced due diligence proportionate to the risks. FATF did not remove any jurisdictions from the list. Additionally, the announcement suggests that money service businesses refer to FinCEN’s Guidance on compliance obligations to employ adequate measures against money laundering and the financing of terrorism posed by their foreign relationships. Also noted in the announcement is that the list of high-risk jurisdictions subject to a call for action, remains the same. FinCEN reminded in the announcement that U.S. financial institutions are still broadly prohibited from engaging in transactions or dealings with Iran, and they should continue to refer to existing FinCEN and Office of Foreign Assets Control guidance on engaging in financial transactions with Burma. With respect to high-risk jurisdictions subject to a call for action — the Democratic People’s Republic of Korea and Iran — “financial institutions must comply with the extensive U.S. restrictions and prohibitions against opening or maintaining any correspondent accounts, directly or indirectly, for North Korean or Iranian financial institutions,” FinCEN said, adding that “[e]xisting U.S. sanctions and FinCEN regulations already prohibit any such correspondent account relationships.”
OFAC sanctions Mexico-based human smuggling organization
The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) recently announced sanctions pursuant to Executive Order 13581 against a human smuggling organization, and several individuals and entities in its support network. OFAC claimed the Mexico-based organization, Hernandez Salas transnational criminal organization (TCO), earns billions of dollars per year smuggling and creating false documentation for migrants. The leader of the TCO has been sanctioned, among four other supporters. OFAC reported that the individuals are currently incarcerated in Mexico and awaiting extradition to the U.S. for trial before a federal grand jury. Also sanctioned are two Mexican hotels that have taken part in the TCO’s smuggling operations. OFAC noted that the sanctions were pursued in close collaboration with Mexico’s Financial Intelligence Unit.
As a result of the sanctions, all property and interests in property belonging to the sanctioned persons subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons.
OFAC sanctions Burma Ministry of Defense and supporting financial institutions
On June 21, pursuant to Executive Order 14014, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against Burma’s Ministry of Defense and two regime-controlled financial institutions. In announcing the sanctions, OFAC explained that the Burmese military, which overthrew the country’s democratic government in February 2021, has increased its reliance on air strikes in civilian populated areas, resulting in the death of more than 3,600 civilians and displacing nearly than 1.5 million people, and that Burma’s Ministry of Defense has imported goods from sanctioned entities in Russia to support the Burmese military. OFAC detailed that the two sanctioned financial institutions, which primarily function as foreign currency exchanges, “enable Burma’s Ministry of Defense and other sanctioned military entities to purchase arms and other materials from foreign sources.” As a result of the sanctions, all property and interests in property belonging to the sanctioned persons that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless authorized by a general or specific OFAC license, or if otherwise exempt.
In conjunction with the sanctions, OFAC issued a Burma-related special license (See General License 5).
OFAC sanctions DPRK missile development procurers
On June 15, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Orders (E.O.) 13382 and 13810, against two individuals involved in the procurement of equipment and materials that support the Democratic People’s Republic of Korea’s (DPRK) ballistic missile program. According to OFAC, the missile program relies on foreign-sourced ballistic missile-related components that it cannot produce domestically. One of the sanctioned persons has collaborated with a number of individuals to purchase and procure items including those known to be used in the production of DPRK ballistic missiles. The individual’s wife is the second sanctioned individual listed as “being a North Korean person, including a North Korean person that has engaged in commercial activity that generates revenue for the Government of North Korea or the Workers’ Party of Korea.”
As a result of the sanctions, all property and interests in property of the designated persons that are in the U.S., or in the possession or control of U.S. persons, are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked. OFAC further mentioned, “any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals or entities designated today could be subject to U.S. correspondent or payable-through account sanctions.”