Global | Publication | February 2024
2024 will be a year of regulatory change for the European crypto assets and broader FinTech markets, with a number of new requirements coming to or approaching application and continued legislative work on some of the draft proposals. The June 2024 elections to the European Parliament will inevitably affect the usual regulatory and legislative processes but their results will also influence Brussels’ policy and decision-making agenda for the following years. The newly appointed College of Commissioners will need to set out their policy objectives for the upcoming four years, so it will be interesting to watch what these will be in the crypto-assets and FinTech areas.
This year will be marked with the application of the Markets in Crypto-Assets Regulation (MiCA), and the corresponding revised Transfer of Funds Regulation (TFR) implementing in the EU the “travel rule” requirements for crypto assets. There are two landmark dates to note: June 30, 2024 when the legislation will become applicable in respect of asset-referenced tokens and e-money tokens, and December 30, 2024 when the remainder of the MiCA provisions will come into effect, including requirements for crypto asset service providers, together with the TFR “travel rule.”
That said, in practice, MiCA’s application will be phased in over time – at least in some Member States – thanks to transitional requirements that include a time-limited grandfathering regime for those crypto asset service providers providing their services in accordance with national law before December 30, 2024. Which EU jurisdictions will allow such transitional provisions will become clearer towards the end of the first half of the year, as Member States have until June 30, 2024 to notify the European Commission whether they will exercise this option. With ESMA having previously expressed concerns over the application of the grandfathering provisions and having called on national competent authorities to limit their duration, market participants should closely monitor developments in that area. Of relevance to market participants’ compliance preparedness, intense regulatory work setting out the technical operational details of the new MiCA regime will continue over the coming months. Finally, the European Commission will be looking at the latest developments in the crypto markets, such as the activity of lending and borrowing of crypto assets, the developments concerning decentralized finance (DeFi) and non-fungible tokens (NFTs), and prospective regulatory treatment thereof. The assessment report, possibly accompanied by a legislative proposal, is due to be published by the end of the year.
The EU will also strengthen its anti-money laundering (AML) and counter-terrorist financing (CTF) framework as applicable to the crypto markets beyond what is currently applicable to “virtual asset service providers.” The relevant changes are part of the recently agreed Anti-Money Laundering Regulation (AMLR). Among other things, the AMLR will expand the scope of obliged entities to most of the crypto sector, capturing all MiCA-authorized crypto asset service providers (CASPs). Consequently, all CASPs will be required to conduct due diligence on their customers when carrying out transactions amounting to €1,000 or more and to report suspicious activity. The AMLR also introduces measures to mitigate risks in relation to transactions with self-hosted wallets, as well as specific enhanced due diligence measures for cross-border correspondent relationships for CASPs. The legislation is expected to be formally adopted by April 2024 and to be published in the Official Journal in Q2 2024.
Beyond crypto assets, a number of legislative initiatives are relevant to the FinTech sector. These notably include a proposed regulation on the establishment of a digital euro (Digital Euro Proposal) and a proposed regulation on a framework for financial data access (Open Finance Proposal). The former proposal, if adopted, will set out a framework for a possible future adoption of the digital euro, but it would be up to the European Central Bank (ECB) to decide if and when to issue the digital euro. In October 2023, the Governing Council of the ECB decided to conclude the investigation phase and to move to the next phase of the digital euro project, which is the preparation phase.
On the other hand, the Open Finance Proposal is a key component of the European Commission’s objective to build regulatory foundations for a data-driven European economy. The proposed legislation, once formally adopted, will set out rights and obligations to manage customer data sharing in the financial sector beyond payment accounts, including provisions for consumers and firms to better control access to their financial data. One of its key objectives is to facilitate access to such financial data not only by financial institutions but also by FinTech firms, therefore contributing to continuous innovation in the sector.
This year, the Dutch Authority for the Financial Markets (Autoriteit Financiële Markten, the AFM) is gearing up for the implementation and coming into effect of MiCA. Serving as the national competent authority, the AFM is responsible for handling license applications of CASPs and has prepared a webpage outlining good practices for the application process. When reviewing license applications, the AFM will focus on the scope of the authorization, governance, outsourcing, segregation of funds and crypto assets, information to clients, risk management and compliance (including compliance with the Digital Operational Resilience Act, DORA). The AFM anticipates that a license application procedure will require a minimum of five months.
The Dutch government has unveiled its vision on artificial intelligence (AI) applications, developed by the ministers for Digitalization and Economic Affairs and Climate. Recognizing the potential for positive and negative impacts, the government establishes four core principles, prioritizing the safe, fair, and values-driven development and application of generative AI that contributes to human welfare and sustainable prosperity. With a commitment to a values-driven approach, the government aims to position the Netherlands as a leader in Europe and globally, promoting innovation through responsible generative AI applications. The approach involves partnering with both Dutch and European entities to create and implement innovative generations of generative AI, thereby supporting regulations and awareness at the national, European, and global levels. The objective is to foster collaboration among government, industry, citizens, and academia to actively manage and promote international cooperation in the realm of generative AI.
The AFM and the Dutch Central Bank (De Nederlandsche Bank, DNB) consistently urge market parties to prepare for the forthcoming implementation of DORA. DNB underscores that while certain requirements are still not final, market participants should have initiated preparations for DORA implementation. DNB lists a number of steps that market parties can already take to ensure timely compliance with DORA, which includes performing a gap analysis and developing an activity plan. The AFM has published two guides that should assist market parties on becoming ‘DORA-proof.’ These guides provide, among other things, that financial institutions should begin assessing their IT-risk management framework and strategy and get started on an information register, exit strategy and a review of contractual arrangements.
The UK government published its final proposals on the UK’s future financial services regulatory regime for crypto assets in October 2023, closely followed by the publication of Financial Conduct Authority (FCA) and Bank of England (BoE) discussion papers on their proposed rules to implement Phase 1 of the regime (for fiat-backed stablecoins). While the government has now confirmed that crypto assets are to become regulated in an expansive way, the draft secondary legislation is yet to be published (expected in 2024) and much of the detail will be set out in the regulators’ rules, which will need to be consulted on in due course, so there is still a considerable way to go before the industry can really start to plan for the new regime. Follow-on consultation papers from the FCA and BoE on the stablecoins regime are expected around H2 2024.
On the contentious side, we saw the FCA focusing its enforcement efforts in this area in 2023 on unregistered crypto ATMs. A crypto ATM is a kiosk that allows a person to purchase bitcoin and other cryptocurrencies by using cash or a debit card. They are deemed crypto asset exchange providers and must be registered with the FCA and comply with the Money Laundering Regulations.
AI was also a hot topic in 2023, with a government white paper in August setting out a new approach to regulating AI aimed at facilitating the safe and innovative use of AI in industries including financial services, and a joint BoE, Prudential Regulation Authority (PRA) and FCA feedback statement (FS2/23) in October providing a summary of responses to their discussion paper on AI and machine learning. Although the regulators did not, in FS2/23, provide any policy proposals or signal how they are considering clarifying, designing and/or implementing current or future regulatory proposals on this topic, we can expect to see further industry engagement on the topic in 2024.
Another area to watch is operational resilience. Since the FCA’s new operational resilience regime entered into force in March 2022, in-scope firms should have been carrying out their mapping and testing exercises as they have until March 31, 2025 at the latest to show they can remain within their “impact tolerances” for each of their important business services. And in December 2023, the FCA, PRA and BoE launched a joint consultation (PRA CP26/23 and FCA CP23/30) on operational resilience and critical third parties (CTPs) to the UK financial sector, which sets out the regulators’ proposed requirements and expectations for CTPs. The consultation closes on March 15, 2024, and further consultations are expected from the regulators in due course on their oversight of, and use of disciplinary measures over, CTPs. From a contentious perspective, we saw enforcement in 2023 in connection with outsourcing and cybersecurity arrangements, and we expect these areas, and operational resilience more broadly, to continue to be a focus for enforcement in 2024.
And finally, in November 2023 the UK government published its response to its earlier consultation on a proposed approach to delivering a Digital Securities Sandbox (DSS), noting that it intends to largely retain the approach on which it consulted. The DSS is the first financial market infrastructure sandbox to be established under powers granted by the Financial Services and Markets Act 2023. At the end of 2023, the statutory instrument setting up the DSS was laid before Parliament: the Financial Services and Markets Act 2023 (Digital Securities Sandbox) Regulations 2023. Expect to hear more on the DSS in 2024!
FinTech looks set to be a key theme for 2024 in the UAE, with the authorities and regulators continuing to embrace crypto and blockchain. The Dubai Financial Services Authority (DFSA), which regulates financial services in the Dubai International Financial Centre (DIFC), started the year by publishing a new Consultation Paper 153 entitled “Updates on the Regulation of Crypto Tokens” which contained positive amendments to its regulatory framework. For instance, the DFSA will now permit staking to be offered to Professional Clients and Market Counterparties and for foreign funds with investments of up to 10 percent of gross asset value (GAV) to be offered in the DIFC. We expect that the DFSA will continue to cautiously refine its regime to adapt to market demands.
The Virtual Asset Regulatory Authority (the VARA) which regulates Virtual Assets in Dubai (excluding the DIFC), has started issuing operational licenses to a number of players. We expect that 2024 will see a number of large Virtual Asset exchanges obtain fully operational licenses from the VARA and start offering their services as a regulated financial institution. Meanwhile, the Financial Services Regulatory Authority (the FSRA) which regulates financial services in the Abu Dhabi Global Market (the ADGM) continues to attract blockchain infrastructure players given its already tried-and-tested regime. The ADGM Registration Authority also published a framework governing distributed ledger technology (DLT) foundations in order to attract blockchain foundations and decentralized autonomous organizations (DAOs). We expect that the ADGM will continue to attract key blockchain infrastructure players, particularly those focused on tokenization, as well as those looking to explore use cases for DLT foundations.
FinTech continues to be an active theme in both Hong Kong and Singapore, with both authorities set to further develop their regulatory frameworks around digital assets. The Hong Kong Monetary Authority started the year off by publishing a second consultation in relation to a new stablecoin regulatory regime, which follows the introduction of such a framework in Singapore in 2023, which is likely to be further developed this year.
Singapore is refining its conduct requirements in respect of licensed digital payment token service providers and is contemplating an extension of regulated activities under the Payment Services Act. Similarly, Hong Kong regulators are continuing to publish guidance to existing licensed intermediaries in relation to their activities in the digital asset space, be it investment advisory, brokerage or asset management. Both jurisdictions are actively promoting (for example, through Project Guardian in Singapore or the tokenized government bond issuances in Hong Kong) efforts to tokenize real-world assets.
Türkiye's FinTech sector, fueled by its young and unbanked population, has seen rapid growth in 2023, with Turkish FinTech companies continuing to draw significant investment impacting the country’s M&A landscape. This expanding market also includes the Turkish crypto sector, which has been a particularly dynamic segment. As a result, Türkiye is about to introduce its first-ever legislation to regulate the cryptocurrency sector. This pioneering move is set to unfold through a series of amendments to the existing Capital Markets Law No. 6362 that will later be supplemented by secondary legislation.
The legislative push is driven by several factors. Primarily, Türkiye's position as a global leader in crypto adoption is noteworthy, with over half of Turkish adults ages 18-60 owning cryptocurrencies. However, this large investor group currently operates without any legal safeguards. The introduction of comprehensive crypto legislation is seen as a crucial step for Türkiye to exit the Financial Action Task Force's (FATF) “grey list.” The anticipated result of this legislation is a clearer, more stable framework for the cryptocurrency sector in Türkiye, expected to entice further investments and spur innovation within the sector.
The increased use of AI by investment advisors and broker-dealers continues to be met with scrutiny by the US Securities and Exchange Commission (SEC). In August 2021, the SEC issued a release requesting comments on the use of digital engagement practices (DEPs). This was followed by a new release in July 2023 that proposed rules and amendments designed to address conflicts of interest associated with the use of predictive data analytics and AI by investment advisors and broker-dealers. This release applies to “covered technology,” a term that is defined very broadly to include technology that “optimize for, predict, guide, forecast, or direct investment-related behaviors or outcomes.”
In a somewhat related matter, online brokerage firm Robinhood recently settled an administrative enforcement case brought by the Massachusetts Secretary of State. The settlement included payment of a US$7.5 million fine and a consent order that limits Robinhood’s use of certain “gamification” practices such as confetti and other “celebratory images” to celebrate trading frequency, and push notifications that highlight specific lists or features that simulate games of chance.
Similarly, in the horizon scanning space, SEC Chair Gary Gensler noted he was nervous about the risks that AI posed for the financial markets. Specifically, Gensler seems to be concerned that a handful of AI providers will dominate the financial space resulting in a “monoculture” that will be both less robust and possibly lead to financial instability.
Regulation by enforcement continues to be prevalent – especially by the SEC – in the crypto space. Headlines that drew widespread attention were primarily focused on the SEC’s aggressive pursuit of cases and enforcements involving unregistered offerings, NFTs and unregistered exchanges. The SEC has accelerated its efforts to bring enforcement cases against cryptocurrency platforms on the basis that some of the tokens sold on such platforms constitute securities. The SEC’s cases seek to subject these markets to the SEC’s regulatory requirements relating to broker-dealer and exchanges. For a further review of notable case law and enforcement actions that will shape US securities laws in 2024, see our analysis. We expect to see even further ramp-up in enforcement and regulatory actions with respect to US securities laws in the crypto space in 2024.
In early January 2024, New York Governor Kathy Hochul unveiled a sweeping consumer protection agenda, one of the first planks of her 2024 State of the State. Governor Hochul announced her plans to propose legislation to require BNPL providers to obtain a license to operate in the state, and to authorize the New York State Department of Financial Services to propose and issue regulations for this rapidly growing industry.
This announcement is aligned with other government actions taken at the end of 2023 related to BNPL, including the Office of the Comptroller of the Currency’s guidance for banks related to BNPL lending. The same is true of a recent letter from a group of Democratic senators to Consumer Financial Protection Bureau (CFPB) Director Rohit Chopra, urging BNPL oversight. The proposed legislation and regulations have not yet been introduced, but it appears from the press releases that New York is building on efforts that several other states have started.
Prior to New York’s announcement, California was leading the way in the BNPL space, having already incorporated BNPL products under its California Financing Law (CFL). Since 2020, California regulators have made it clear that all BNPL plans are considered “loans” under the CFL, and therefore BNPL providers must have a license in order to issue them. With these licenses, BNPL providers are subject to rules and regulations regarding how BNPL loans can be marketed, how much interest can be charged and how debts can be collected from consumers.
Other states have also taken a cue from California and started to examine their own regulations (or lack thereof) in the BNPL sector. For instance, in Massachusetts, small loan companies and retail installment finance companies must have a state license to operate, and regulators have yet to say whether all BNPL providers – big or small – will likewise be required to obtain a license. In Oregon, regulators have said that they are working with several other states to monitor the BNPL industry and consider action, including the potential creation of BNPL-specific state statutes, which would provide regulatory oversight of BNPL products.
What is arguably most striking about Governor Hochul’s announcement is that she is touting this as an effort to establish “nation-leading regulations” for the BNPL industry. That may be an accurate assessment and description given the dual-pronged approach New York appears to be pursuing: licensing plus substantive regulation. California already requires providers to obtain licenses to issue loans; the combination of a licensing regime plus BNPL-specific state regulation is something new, although it is not yet clear what the scope of the licensing and regulatory regimes will look like, and if all BNPL providers, regardless of size, will be covered.
In addition, we predict that the consumer protections that the proposed legislation and regulations will likely introduce will include disclosure requirements, dispute resolution and credit reporting standards, late fee limits, consumer data privacy, and guidelines to curtail dark patterns and debt accumulation and overextension. These are all concerns that the CFPB and Director Chopra have repeatedly voiced about the BNPL sector. In some ways, New York appears to have gotten ahead of the CFPB in terms of this approach, as the CFPB has yet to issue interpretive guidance or rules to ensure that BNPL providers are subject to similar baseline protections Congress has already established for credit card companies. We do expect that to come this year, however, and we would imagine any such guidance or rules will look very similar to what New York will apparently propose. The CFPB has also started to subject at least some of the largest BNPL providers to supervisory examination, whether through self-identification of BNPL providers to the CFPB, or on a compulsory basis.
We would not be surprised to see other states – especially those that routinely take the most progressive stance on consumer protection – follow New York’s lead here, especially as this sector continues to rapidly grow and consumers are increasingly turning to BNPL as a low-cost alternative to traditional credit products to pay for everyday and big-ticket purchases. Regardless of the approach FinTech companies take to regulated markets – whether becoming a chartered institution or remaining as they are – they can increase their potential for success by having solid risk management controls in place.
If you would like to discuss any of the topics covered, please do get in touch via one of the contacts below.
© Norton Rose Fulbright LLP 2023