Distributed ledger technology (DLT) permits the digital representation of finance, with the internet, codes and cryptography as its structure. Regulatory responses complement the industry’s growing DLT adoption for continued market safety and soundness.

• The EU’s recent consultation on a framework for cryptoassets covered topics such as cryptoassets qualifying as Markets in Financial Instruments Directive (MiFID II)1 financial instruments, DLT market infrastructure and a separate regime for markets in cryptoassets. A legislative proposal is expected before year-end 2020.
• From May, Japan’s amended Financial Instruments Exchange Act permits and regulates cryptoassets with securities characteristics.
• In June, Thailand’s Ministry of Finance launched a live ‘1-baht’ script-less retail DLT bond. Philippines’ Bureau of the Treasury followed in July with its ‘Bond.PH’ retail treasury bond. Both transactions illustrate how DLT’s characteristics, such as immutability, are utilised in live deals.
• In July, Luxembourg’s government submitted a bill to recognise “secure electronic recording systems” like DLT for issuances of dematerialised securities. It builds on other changes to complete a DLT/digital-conducive capital market environment.
• In August, Germany’s Federal Ministry of Finance and Federal Ministry of Justice and Consumer Protection published a draft law for bearer digital bonds, proposing they qualify as securities within the scope of existing regulations while leaving flexibility for other digital securities to be introduced. The draft law will need to enter the legislative process.

As more mainstream financial institutions launch cryptocurrency-related services, regulators are requiring high standards of crypto-related compliance.

• In January, Germany’s BaFin adopted a new regulatory regime for cryptoassets with its implementation of the EU Fifth Anti-Money Laundering Directive. Any virtual asset service providers (VASPs) targeting Germany’s market will require a German licence.
• In June, the Financial Action Task Force (FATF) published its review of the revised standards for VASPs. Thirty-five jurisdictions have implemented the revised standards and 15 jurisdictions advise that they have introduced the Travel Rule for VASPs. The next FATF review will take place by June 2021.
• In August, the Monetary Authority of Singapore concluded its consultation for powers to issue ‘prohibition orders’ against undesirable VASPs and persons, as well as enforcement powers against any VASP targeting the Singapore market.

New business models and market structures are made possible by digital assets, stablecoins/private digital currencies and central bank digital currencies (CBDCs). Globally, interest in single fiat-backed stablecoins and private digital currencies like Libra continues.

• In March, the International Organization of Securities Commissions (IOSCO) published a report on global stablecoins, highlighting the implications for securities market regulators. It follows the Bank for International Settlements’ October 2019 report that identified public policy challenges inherent in global stablecoins, including financial stability, monetary policy and fair competition.
• Different drivers are motivating growing levels of CBDC activity. For example, Cambodia’s Bakong would be its national payment gateway, while Sweden’s and China’s retail CBDCs would extend digital central bank trust into the payment space. Thailand and Singapore are other economies on wholesale CBDC field pilots, with the European Central Bank, Federal Reserve and Bank of Japan investigating.
• The G20 priority to enhance cross-border payments includes non-bank access to payment systems, interlinked systems and new infrastructure to introduce future dynamics.

Legal and regulatory environments are also increasingly clear for participants adopting crypto and digital assets.

However, compliance adherence is complex and evolving, as with the FATF Travel Rule, and business ecosystems can be unfamiliar. Participants require new tools and expertise to balance growth and risk management. Additionally, as digital transactions generate data, participants must also heed data regulations.

"Increasing cyber attacks and security concerns are prompting national authorities to require access to in-scope data"
Boon-Hiong Chan, Global Head of Market Advocacy, Securities Services at Deutsche Bank

The economic power of data and data analytics is recognised by both public and private sectors. Japan, India and China are among major economies that are updating/ have updated their data legislation.

• In February, an Indian Joint Parliamentary Committee panel sought public comments on the draft Personal Data Protection Bill, which proposes relaxing data localisation requirements and allowing sensitive personal data (including financial information) to be transferred cross-border, although a copy must be stored in India.
• In June, Japan enacted amendments to the Act on the Protection of Personal Information (APPI), strengthening the rights of data subjects. The APPI is expected to come into force in 2022.
• In July, India’s Ministry of Electronics and Information Technology released a draft report – and consultation up to 13 September – on a non-personal data governance framework. Goals include unlocking economic value from data and addressing privacy concerns over anonymised personal data. Recommendations from the report include mandated “open data access” covering commercial and financial transactions, uses of government data, and extraterritorial effects.
• China’s draft Data Security Law, published in July, includes data security protection obligations, authorities’ access to data for national security, fostering usage of government data to develop the digital economy, opening of government data and extraterritorial effects. Data privacy should be further enhanced by the Personal Information Protection Law, with a draft expected shortly. Additionally, the groundbreaking Civil Code, which is effective from 1 January 2021, will strengthen the protection of personal rights and information.

Increasing cyber attacks and security concerns are prompting national authorities to require access to in-scope data, regardless of where it is stored.

• Regulators’ concerns are reflected in IOSCO’s May consultation on outsourcing principles for operational resilience, which covers security, confidentiality of information, and regulator’s access to books and records, including the ability to obtain relevant information promptly. Consultation ends in October.
• Existing access requirements include the US Securities and Exchange Commission 17a-4 Rule for broker-dealers to preserve records in non-rewritable, non-erasable (WORM) format.
• The October 2019 Hong Kong Securities and Futures Commission circular, with rules on external electronic data storage, is also live (with an end of 2020 compliance date). It requires preservation of regulatory records and includes further requirements for the exclusive storage of records by a provider based outside Hong Kong.

Restrictions on data flows across borders mean authorities are actively initiating mechanisms that enable a more free flow of data that is essential to commerce and finance. These initiatives include:

• The ‘Osaka Track’, launched under Japan’s G20 leadership in 2019, which seeks to promote “data free flow with trust”, and aligns with the World Trade Organization’s rules for electronic commerce.
• Other initiatives include the multilateral APEC Cross-Border Privacy Rules, the voluntary ASEAN Certification approach, bilateral equivalence such as that between the EU and Japan, and the ASEAN Model Contractual Clauses approach, similar to the Standard Contractual Clauses used in the EU for data transfers to non-EU jurisdictions.

Data and privacy regulations are important considerations for data-related business models and products. Participants also need to pay attention to their nexus with areas like cybersecurity, outsourcing, civil laws, cross-border flow mechanisms and digital assets to navigate them. Privacy-preserving technologies – like Homomorphic – could help manage some of these risks, yet they add to regulatory considerations.

Data localisation requirements mean tailoring infrastructure and enterprise controls that can result in some loss in synergies and robustness of risk frameworks. Restrictive data practices’ implications on data sets need to be factored in.

Extraterritoriality increases compliance infringement and penalty and reputation risks, and this set of regulations needs the focus of senior management. Working with expert cross-discipline teams can turn data compliance into an effective business enabler and competitive differentiator.

Sources

¹ See https://bit.ly/3lJ0Iks at eur-lex.europa.eu