Eva Dauberton
News Editor
FCA publishes overseas funds regime final rules
The Financial Conduct Authority (FCA) has published policy statement (PS) 24/7, which provides the final rules and guidance for the implementation of the Overseas Funds Regime (OFR).
Some context
The Financial Services Act 2021 introduced the OFR to facilitate the sale of overseas investment funds to retail investors in the UK. This regime operates based on the principle of equivalence, where the Government can approve jurisdictions if they can demonstrate sufficient cooperation between the FCA and the relevant national competent authorities (NCAs) and equivalent levels of investor protection as UK-authorised schemes.
In January 2024, the Government announced that the EEA states, including EU member states, were deemed equivalent under the OFR for UCITS funds (excluding money-market funds). Additionally, the Government expressed its intention to extend the existing Temporary Marketing Permissions Regime (TMPR), allowing funds recognised under the TMPR to be marketed to UK retail customers until the end of 2026, pending the necessary legislation.
Key takeaways
The final rules and guidance outline:
- The information required from OFR fund operators during the recognition process.
- The notification requirements and timing for changes to funds and other events post-recognition.
- Enhanced disclosure requirements.
- Amendments to the FCA Handbook granting the FCA supervisory powers over OFR funds, including refusal of recognition applications, suspension or revocation of recognition and the use of the FCA’s power of censure for schemes recognised under s. 271A.
Note: The UK Sustainability Disclosure Requirements (SDR) do not yet apply to OFR funds. According to the FCA and HM Treasury roadmap, if the Government legislates on SDR and labelling for OFR funds (post consultation), the FCA will likely consult on related rules and guidance in 2025.
Next steps
The new Handbook rules and guidance will come into effect on 31 July 2024. The opening of the OFR gateway is expected later this year, with further steps detailed in the roadmap.
Click here to read the full RegInsight on CUBE’s RegPlatform
Hong Kong takes steps to regulate stablecoin issuers
The Hong Kong Financial Services and the Treasury Bureau (FSTB) and the Hong Kong Monetary Authority (HKMA) have jointly issued the consultation conclusions on the legislative proposal to implement a regulatory regime for fiat-referenced stablecoin (FRS) issuers in Hong Kong. They have also announced that they are finalising the legislative proposal and aim to introduce a bill into the Legislative Council as soon as possible.
The proposed framework aims to achieve the following policy objectives:
- Establish appropriate safeguards to address potential risks to monetary and financial stability posed by FRS.
- Provide adequate protection to FRS users.
- Maintain Hong Kong’s status as an international financial centre by implementing a regulatory regime for FRS issuers that aligns with international recommendations.
- Promote sustainable and responsible development of the virtual asset ecosystem in Hong Kong by providing legal and regulatory clarity.
The new legislation will introduce a licensing regime for FRS issuers including the following key features:
- Definition of an FRS.
- Requirement for all FRS issuers who issue an FRS in Hong Kong or actively market their issuance of FRS to the public of Hong Kong to obtain a license.
- Flexibility in the regulatory regime’s scope and the authorities’ powers to adjust parameters related to in-scope stablecoins and activities.
- HKMA’s powers in administering the licensing regime and enforcing it with offenses, sanctions, and an appeal mechanism.
- Transitional arrangement to facilitate the orderly migration of eligible, pre-existing FRS issuers to the new regulatory regime.
The HKMA will issue licensing and supervisory guidelines in due course to help applicants understand and comply with the relevant requirements.
ESAs issue second batch of DORA final technical standards
The European Supervisory Authorities (EBA, EIOPA, and ESMA—the ESAs) have released the second batch of policy products under the Digital Operational Resilience Act (DORA). This package focuses on the reporting framework for information and communication technology (ICT)-related incidents, including reporting clarity, templates, and threat-led penetration testing. It also establishes requirements for the oversight framework’s design.
Some context
DORA aims to standardise rules related to digital operational resilience for 21 different types of financial entities. DORA mandates that the ESAs prepare policy products through the Joint Committee (JC) to operationalise its application.
Timeline
January 2023: DORA comes into force.
June 2023: Public consultation on the first batch of policy products, covering:
- ICT risk management framework (article 15)
- Simplified ICT risk management framework (article 16(3))
- Criteria for the classification of ICT-related incidents (article 18(3))
- Templates for the register of information (article 28(9))
- Policy on ICT services performed by ICT third-party providers (article 28(10)).
December 2023: Public consultation on the second batch of policy products, covering:
- Content, timelines and templates on ICT-related incident reporting (article 20).
- Guidelines on aggregated costs and losses from major ICT-related incidents.
- Threat-led penetration testing (article 26(11)).
- Subcontracting of critical or important functions (article 30(5)).
- Oversight cooperation between the ESAs and competent authorities (article 32(7)).
- Oversight harmonisation (article 41(1)).
January 2024: Delivery of the first batch of policy products.
July 2024: Delivery of the second batch of policy products.
Key takeaways
The final draft technical standards align with the December consultation, except for the RTS on subcontracting which will be published later, and include the following:
- Draft regulatory technical standards (RTS) and implementing technical standards (ITS) on the content, format, templates, and timelines for reporting major ICT-related incidents and significant cyber threats.
- RTS on the harmonisation of conditions enabling the conduct of the oversight activities.
- RTS specifying the criteria for determining the composition of the joint examination team (JET).
- RTS on threat-led penetration testing (TLPT).
The set of guidelines includes:
- Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents.
- Guidelines on oversight cooperation.
Next steps
The guidelines have already been adopted by the Boards of Supervisors of the three ESAs. The final draft technical standards have been submitted to the European Commission. The expected date of application of these technical standards is 17 January 2025.
EBA issues statement on the application of CRR 3
The European Banking Authority (EBA) has released a statement encouraging institutions and competent authorities to actively engage in dialogue to ensure a smooth operational implementation of the Capital Requirements Regulation (CRR 3) in the area of credit risk for the Internal Ratings Based Approach (IRB). Institutions should:
- Communicate to their competent authorities the targeted model landscape that will be used from 1 January 2025 onwards.
- Assess and categorise changes coming from the implementation of CRR 3 that impact the performance of a rating system according to the CDR on materiality of changes to the IRB Approach and bundle them for permission or notification.
- Share their implementation plan in relation to the foreseen rating system updates that are linked to future EBA supervisory products.
ESAs announce launch of EU systemic cyber incident coordination framework
In light of the Digital Operational Resilience Act (DORA) coming into effect and the recent release of the second batch of technical standards, the three European Supervisory Authorities (EBA, EIOPA, and ESMA—the ESAs) have announced their intention to establish the EU systemic cyber incident coordination framework (EU-SCICF). The framework aims to facilitate an effective financial sector response to major cross-border information and communication technology (ICT)-related incidents or related cyber threats that could have a systemic impact on the Union's financial sector.
Over the coming months, the ESAs will initiate the implementation of the framework by setting up:
- The EU-SCICF Secretariat, supporting the functioning of the framework.
- The EU-SCICF Forum, working on testing and maturing the functioning.
- The EU-SCICF Crisis Coordination, facilitating the coordination of actions by the participating authorities during a crisis.
The ESAs will identify legal and other operational hurdles encountered during the initial set-up and report these to the European Commission. Further development will be subject to the availability of resources and other measures taken by the European Commission.
US Treasury and FSSCC publish resources on effective practices for secure cloud adoption
The US Department of the Treasury and the Financial Services Sector Coordinating Council (FSSCC) have released a set of resources designed to help financial services institutions implement secure cloud technologies. These documents provide best practices for secure cloud adoption and operations and address the gaps identified in the Treasury's report on the Financial Services Sector’s Adoption of Cloud Services.
These resources include:
- Cloud Lexicon: This resource establishes a standardized language for cloud service providers (CSPs) and financial sector institutions to facilitate negotiations, security establishment, and regulatory compliance.
- Financial Sector Cloud Outsourcing Issues and Considerations: It provides a non-exhaustive list of key considerations for developing contractual provisions between financial institutions and CSPs to address risks, regulatory and supervisory compliance expectations when using cloud services.
- Cloud Profile 2.0: This resource serves as a cloud security implementation plan for financial institutions, providing expectations for both financial institutions and CSPs. It allows for the development of effective practices in secure cloud implementation, with the flexibility to evolve as standards change over time.
- Transparency and Monitoring for Better “Secure-by-Design”: This resource consists of two outputs for financial institutions with workloads running in CSP environments. The first output is a service interdependency and resilience model that combines service transparency, architecture best practices, and detailed information about how a CSP manages the resiliency of its major services. The second output proposes baseline security outcomes expected in financial institutions’ deployment of workloads running in CSP environments, making it easy for financial institutions to quickly establish secure infrastructure with minimal engineering.
Compliance professionals highlight off-channel communications as key issue in IAA survey
The US Investment Adviser Association (IAA) has published the results of its annual Investment Management Compliance Testing survey, which was conducted in May 2024.
With US regulators increasing their scrutiny in this area and imposing substantial fines, it comes as no surprise that 59% of respondents identified electronic communications surveillance and off-channel communications as the primary compliance issue.
Alongside off-channel communications, the survey also examined significant areas such as advertising/marketing, artificial intelligence/predictive analytics, and alignment with the US Securities and Exchange Commission (SEC)’s examination and enforcement priorities.
The survey involved compliance professionals from 595 investment adviser firms and provides valuable insights into top compliance concerns and testing and control practices to address core compliance topics.
Basel Committee publishes updated and new cryptoassets related standards
The Basel Committee on Banking Supervision (BCBS) has released its final disclosure framework for banks’ cryptoasset exposures, along with targeted amendments to its cryptoasset standard. Both standards will be implemented on 1 January 2026.
Final disclosure framework
The final disclosure framework (DIS55) includes standardised tables and templates covering banks’ cryptoasset exposures. These require banks to disclose both qualitative and quantitative information on their cryptoasset-related activities, as well as the capital and liquidity requirements for their cryptoasset exposures.
DIS55 will replace paragraphs SCO60.128 to SCO60.130 of the Basel Framework and will be subject to the overarching requirements of DIS10 Definitions and applications, including the scope of application, reporting location, frequency and timing of disclosures, and assurance of Pillar 3 data.
Amendments to the cryptoasset standard
The targeted amendments to the cryptoasset prudential standard aim to further promote a consistent understanding of the standard, particularly regarding the criteria for stablecoins to receive a preferential “Group 1b” regulatory treatment. Various other technical amendments clarify other aspects of the standard.
Next steps
The BCBS will continue to monitor developments in cryptoasset markets and the need to mitigate new risks.