CUBE RegNews: 26th September

Eva Dauberton

News Editor

G7 Cyber Expert Group issues recommendations for financial entities on quantum computing threats 


The G7 Cyber Expert Group (CEG), led by the US Department of the Treasury and the Bank of England, has issued a public statement highlighting the potential cybersecurity risks associated with advancements in quantum computing. In the statement, the CEG recommends that financial entities take the following steps to address this emerging risk: 

  • Developing a better understanding of quantum computing, the risks involved, and strategies for mitigating those risks: This includes initiating discussions with vendors, third parties, and subject matter experts to learn about the timelines for quantum technology development, the evolving threat landscape, and existing and emerging quantum resilience technologies and approaches. 
  • Assessing quantum computing risks in their areas of responsibility: Financial entities should thoroughly understand these risks and determine the level of effort they need to dedicate to this issue. They should also identify specific areas where they should focus their attention. 
  • Developing a plan for mitigating quantum technology risks: This involves establishing governance processes, identifying key stakeholders and their roles and responsibilities, and setting milestones for key actions based on the expected deployment of a cryptographically significant quantum computer. 


To note: to assist entities in preparing for the quantum threat, the Canadian Government has created a Quantum Readiness Guide. 


Click here to read the full RegInsight on CUBE’s RegPlatform 

 

CBI Deputy Governor discusses information sharing under EU AML regulation 


During the Future of Financial Intelligence Sharing Event in Dublin, Derville Rowland, Deputy Governor of the Central Bank of Ireland (CBI), discussed the new anti-money laundering (AML) Regulation under the EU’s AML Package. She specifically addressed the implications of partnerships for information sharing under Article 75 of the Regulation, emphasising key factors for success. 


Some context 

The EU AML Package, published in June 2024, aims to establish common EU rules for anti-money laundering and counter-financing of terrorism. It also introduces a new AML supervisory authority (AMLA). Article 75 of the new AML Regulation enables the sharing of certain confidential information between private sector operators under the “partnerships for information sharing” provision. This article also sets important guidelines and safeguards for data sharing. 


Key takeaways 

According to Rowland, for the new AML package to be successful: 

  • AMLA and national supervisors need to encourage and support the establishment of partnerships for the sharing of information. 
  • The responsibility for making Partnerships for Information Sharing work under the AML Regulation does not rest on Authorities alone. Partnerships are not possible without the private sector playing its part. 
  • AMLA and national authorities, including law enforcement, must collaborate to raise standards and act as a catalyst for innovative solutions – including around data sharing – to support the fight against money laundering and terrorist financing. 


Supervisors must encourage and support the establishment of partnerships for the sharing of information 

Rowland highlighted that AMLA and national AML/CFT supervisors must encourage the establishment of Partnerships for Information Sharing and develop clear guidance and a verification process in line with Article 75 requirements. For the CBI, it also means consulting with other organisations, such as the Office of Data Protection Commissioner and the Financial Intelligence Unit. 


The private sector must play its part 

Rowland stressed that the responsibility for making information sharing work under the AML Regulation does not solely rest on authorities. In compliance with Article 75, private sector operators must determine when it is appropriate to establish a partnership, select participants, demonstrate its necessity for AML/CFT compliance, and ensure appropriate documentation of information sharing. 


Supervisors must act as a catalyst for innovative solutions 

She emphasised the role of supervisors as catalysts for innovative solutions. She specifically mentioned Privacy Enhancing Technologies (PETs) as having the potential to revolutionise information sharing between private sector operators. Rowland mentioned the CBI’s innovation sandbox programme, which was announced in July and is now open for application. 

  


 

CBI Deputy Governor on delivering for consumers in a complex landscape


At the recent Health Insurance Authority (HIA) Conference, Deputy Governor of the Central Bank of Ireland (CBI), Sharon Donnery, discussed the regulator’s efforts to support consumers in an increasingly complex financial landscape. 


An evolving financial sector landscape 

Donnery emphasised the increasing complexity in the sector, highlighting risks arising from unclear information, evolving business models, and technology-driven threats such as cyber security, fraud, and scams. Donnery also touched on the “paradox of choice” faced by consumers and the impact of an abundance of options on consumer engagement. 


Empowering consumers to make informed choices

To empower consumers to make informed decisions, Donnery outlined three key aspects that the CBI believes are crucial: 

  • The importance of financial services firms effectively communicating consumer information to enable timely and informed decisions. 
  • Improving financial literacy with the Government’s National Financial Literacy Strategy and the CBI’s commitment to collaborating with various stakeholders. 
  • The responsibility of consumers to inform themselves once firms provide the necessary information and consumers have the financial literacy to understand and evaluate that information. 


How the CBI is strengthening its approach to consumer protection 

Donnery highlighted the CBI’s efforts to adapt its regulatory and supervisory approach to meet the evolving landscape. Initiatives such as the review of the Consumer Protection Code, the introduction of the Individual Accountability Framework, and the implementation of a new supervisory model are aimed at modernising the regulatory framework and addressing the challenges posed by the digital world. 

On the Consumer Protection Code review, she mentioned that the CBI will publish a revised Code and feedback statement in 2025. 

On the new supervisory model to be implemented from January next year, she added that while it will maintain a risk-based approach, it will also incorporate a more integrated approach to supervision. Integrated teams will oversee all aspects of the CBI’s mandate, working in collaboration with specific areas of supervisory expertise such as conduct, financial resilience, and governance. 




CFTC issues no-action letter providing further relief from OCR Final Rule 


The Division of Market Oversight (DMO) of the Commodity Futures Trading Commission (CFTC) has issued a no-action letter that extends the current no-action position for reporting obligations under the ownership and control reports final rule (OCR Final Rule). 


Since 2014, the DMO has taken a no-action position regarding reporting entities’ obligations under the OCR Final Rule and has issued several letters to that effect. This new no-action letter extends the previous position to address ongoing compliance difficulties related to certain OCR reporting obligations, as identified by reporting parties and market participants. 


These obligations include: 

  • The timing of OCR form filings 
  • Certain information required for reporting trading account controllers and volume threshold account controllers on Form 102 
  • The reporting threshold that triggers the reporting of a volume threshold account on Form 102 
  • The filing of refresh updates for Form 102 
  • Responses to certain questions on Form 40 


Commissioner Summer K Mersinger has expressed support for the extension but reiterated her previous comment on the matter, “I urge staff and the Commission to develop and issue an OCR proposed rulemaking soon—so that staff is not compelled to issue yet another extension when this one expires a year from now.” 

 


 

CFTC fines Merrill Lynch Commodities $1.5 million for violating position limits 


The Commodity Futures Trading Commission (CFTC) has ordered Merrill Lynch Commodities, Inc (MLCI) to pay a civil monetary penalty of $1.5 million for exceeding the federal and ICE Futures US position limits in contracts related to natural gas futures traded on the New York Mercantile Exchange. MLCI was also penalised for swap dealer supervision and position limit monitoring failures. 


The order also requires MLCI to cease and desist from further violations of the Commodity Exchange Act (CEA) and CFTC regulations as charged, and comply with conditions and undertakings specified in the order.  


“Federal and exchange position limits are important guardrails that help ensure the integrity of our markets and entities must comply,” said Director of Enforcement Ian McGinley. “Additionally, swap dealers must comply with the business conduct standards in the CEA and CFTC regulations, including diligently supervising their employees and agents and monitoring for position limit violations.” 

 


 

SEC fines Merrill Lynch and Harvest Volatility Management for exceeding clients’ designated investment limits 


The Securities and Exchange Commission (SEC) has fined Harvest Volatility Management LLC and Merrill Lynch, Pierce, Fenner & Smith Inc for exceeding clients’ designated investment limits over a two-year period beginning in March 2016. This led to clients paying higher fees, being subjected to increased market exposure, and incurring investment losses. To settle the SEC’s claims, Harvest and Merrill have collectively agreed to pay $9.3 million in penalties and disgorgement as part of separate settlements. 

 

Mark Cave, Associate Director of the SEC’s Enforcement Division, commented, “Today’s action holds Merrill and Harvest accountable for dropping the ball in executing these basic duties to their clients, even as their clients’ financial exposure grew well beyond predetermined limits.” 



 


23 entities and individuals penalised by SEC for failing to report holdings and transactions 


The Securities and Exchange Commission (SEC) has imposed penalties totalling more than $3.8 million on 23 entities and individuals for their failure to timely report information about their holdings and transactions in public company stock. This also includes charges against two public companies for contributing to filing failures by their officers and directors and for failing to report their insiders’ filing delinquencies as required. 


“To make informed investment decisions, shareholders rely on, among other things, timely reports about insider holdings and transactions and changes in potential controlling interests,” said Thomas P Smith, Jr, Associate Regional Director of the SEC’s Division of Enforcement. “Today’s actions are a reminder to large investors that they must commit necessary resources to ensure these reports are filed on time.” 



 

EC announces initial signatories of EU AI Pact 


The European Commission (EC) has announced that over a hundred companies have become the initial signatories of the EU Artificial Intelligence (AI) Pact and its voluntary pledges. According to the EC statement, the signatories include firms from various sectors, including banking. 


Some context 

The EU AI Pact supports the industry’s voluntary commitments to begin applying the principles of the AI Act, which came into effect on 1 August and will fully apply in two years, with some exceptions. 


Participating companies commit to at least three core actions: 

  • Implementing an AI governance strategy to promote the adoption of AI within the organisation and work towards future compliance with the AI Act. 
  • Mapping high-risk AI systems, identifying those likely to be categorised as high-risk under the AI Act. 
  • Promoting AI literacy and awareness among staff, ensuring that AI development is ethical and responsible. 

