Shearman & Sterling LLP | FinReg | Blog | Cyber Security
Financial Regulatory Developments Focus

The following posts provide a snapshot of selected UK, EU and global wholesale financial regulatory developments of interest to banks, investment firms, broker-dealers, market infrastructures, asset managers and corporates. 

  • UK Regulators Propose Rules for Supervising Critical Third Parties
    12/12/2023

    Following feedback to their July discussion paper, the U.K. regulators—the Bank of England, Prudential Regulation Authority and Financial Conduct Authority—have launched a joint consultation proposing rules and regulatory expectations for critical third parties. This follows concerns that the financial sector relies heavily on unregulated service providers, particularly in the IT sector, for critical infrastructure whose failure could cause systemic issues or customer issues. The Financial Services and Markets Act 2023 gave HM Treasury powers to designate an entity as a "critical third party" if its failure would pose financial stability or confidence risk to the U.K. and the regulators will have new direct powers over third parties that provide critical services to authorized firms, their service providers and financial market infrastructures. The regulators' rules would only apply to the services provided by a CTP to one of those firms. Responses to the consultation may be submitted until March 15, 2024.

    Read more.
  • UK Regulators Propose Requirements for Critical Third Parties' Services to UK Regulated Firms
    07/21/2022

    The Bank of England, Prudential Regulation Authority and Financial Conduct Authority (together, the supervisory authorities) have published a discussion paper proposing measures to supervise and enhance the resilience of critical third parties (CTPs) to the U.K. financial sector. Responses to the discussion paper may be submitted until December 23, 2022. The supervisory authorities intend to consult on proposed requirements for CTPs in 2023.

    Currently, the supervisory authorities' direct powers over entities providing critical services to U.K. authorized firms, their service providers (authorized e-money institutions, payment institutions and registered account information services) and financial market infrastructures (together, U.K. regulated firms) are limited. The Financial Services and Markets Bill, introduced to Parliament yesterday, would grant HM Treasury and the supervisory authorities new express powers to oversee such third parties. HM Treasury will be able to designate an entity as a CTP if it provides services to U.K. regulated firms and its failure would pose financial stability or confidence risk to the U.K.

    Read more.
  • EU Distributed Ledger Technology Pilot Regime Published
    06/02/2022

    The EU has published in the Official Journal of the European Union its Regulation on a pilot regime for market infrastructures based on distributed ledger technology. The pilot regime will permit certain DLT market infrastructures to operate with exemptions from some EU financial services legislation, which may otherwise inhibit the trading and settlement of crypto-assets. The regime is intended to promote legal certainty, support innovation, preserve market integrity and ensure financial stability for the use of DLT in crypto-asset and e-money token markets.

    Read more.
  • UK Payment Systems Regulator Highlights Potential Cyber Security Risks Arising from the Situation in Ukraine
    03/01/2022

    The U.K. Payment Systems Regulator has issued a statement on the situation in Ukraine. The PSR encourages firms to reflect on how they are managing their risks related to the situation, in particular:
    • the ability of the firm to bear an attack from a sophisticated state actor;
    • whether staff are available to handle an elevated cyber risk from state sponsored and other actors; and
    • implications of sanctions for third-party suppliers, and the resilience of those suppliers.

    The PSR highlights the guidance issued by the National Cyber Security Centre on actions to take in response to the Ukraine situation, and it warns firms to remain vigilant of any cyber security threat.
  • European Systemic Risk Board Publishes Recommendation on Pan-European Systemic Cyber Incident Coordination Framework
    01/27/2022

    The European Systemic Risk Board has published a Recommendation on a pan-European systemic cyber incident coordination framework for EU national regulators. The ESRB observes that major cyber incidents may pose a systemic risk to the financial system, as they are capable of disrupting critical financial services and operations. This could in turn lead to contagion or an erosion of confidence in the financial system. The COVID-19 pandemic has also brought the threat of cyber incidents to the fore, as the number of cyber incidents reported to the ECB increased by 54% between 2019 and 2020. The Recommendation aims to build on the proposed roles of the European Supervisory Authorities under the EU's proposed Regulation on digital operational resilience for the financial sector. DORA is intended to strengthen digital operational resilience considering the risks arising from the increase in digital opportunities within the financial sector.

    Read more.
  • European Commission Publishes New EU Cybersecurity Strategy
    12/16/2020

    The European Commission and High Representative of the Union for Foreign Affairs and Security Policy have published details of a new EU Cybersecurity strategy, which aims to enhance the EU's resilience to cyber threats and build a cybersecure digital transformation. The overall strategy is set out in a Communication, which is accompanied by two legislative proposals. The first legislative proposal is for a new EU Directive on the resilience of critical entities (the proposed CER Directive), which will enhance and repeal the existing 2008 European Critical Infrastructure Directive (Council Directive 2008/114/EC). The second proposal is for a new Directive on cybersecurity across the EU (NIS2), which would augment and repeal the existing NIS Directive (Directive (EU) 2016/1148). The Commission consulted earlier this year on proposals for each of these legislative proposals.

    Read more.
  • European Commission Proposal for Pilot Distributed Ledger Technology Regime Regulation
    09/24/2020

    The European Commission has published a proposal for a new EU Regulation on a pilot regime for distributed ledger technology. The pilot regime is intended to promote legal certainty, to support innovation, to preserve market integrity and to ensure financial stability for the use of DLT in crypto-asset and e-money token markets. The Commission has simultaneously published a proposed Regulation on markets in crypto-assets and e-money tokens. The proposed Regulations follow the Commission's consultation on an EU framework for crypto-assets, which closed in January 2020.

    Read more.
    TOPICS: Cyber Security, FinTech
  • European Commission Proposal for Crypto-asset Regulation
    09/24/2020

    The European Commission has published a proposal for a new EU Regulation on crypto-assets. The proposed Regulation is intended to improve legal certainty in the regulatory treatment of crypto-assets, to support the development of crypto-assets, to preserve consumer protection and market integrity in crypto-asset markets and to ensure financial stability. The Commission has simultaneously published a Regulation on a pilot regime for distributed ledger technology. The proposed Regulations follow the Commission's consultation on an EU framework for crypto-assets, which closed in January 2020.

    Read more.
    TOPICS: Cyber Security, FinTech
  • European Commission Proposals for Digital Operational Resilience Regulation and Amending Directive 
    09/24/2020

    The European Commission has published proposals for a new EU Regulation on digital operational resilience for the financial sector and a new EU Directive amending certain pieces of existing EU financial services legislation to strengthen digital operational resilience and provide legal certainty on crypto-assets. The new legislation has been proposed as a result of the risks arising from the increase in digital opportunities within the financial sector. There are currently no detailed rules at EU level on digital operational resilience, exposing the need for comprehensive and harmonized legislation governing this area.

    Read more.
    TOPIC: Cyber Security
  • European Banking Authority Seeks to Promote RegTech Use
    08/12/2020

    The European Banking Authority has opened a consultation on RegTech and supporting the use of RegTech across the EU. Responses may be submitted until September 30, 2020. The EBA intends to report on the use of RegTech in the first half of 2021. The survey is focused on financial institutions and ICT third party providers. The EBA is seeking to understand the extent and impact of RegTech for regulatory, compliance and reporting requirements of regulated firms. In particular, the EBA is looking at mapping and understanding existing RegTech solutions, identifying barriers and risks relating to the use of RegTech and analyzing how to facilitate the application of RegTech across the EU. The consultation covers ongoing monitoring of business relationships and transactions for anti-money laundering obligations, creditworthiness assessments, compliance with security standards, including information security, cybersecurity and payment services and supervisory reporting.

    View the EBA's survey.
  • European Commission Consults on Proposed Revisions to EU Cybersecurity Rules
    07/07/2020

    The European Commission has launched a consultation on proposed revisions to the EU Directive on the security of network and information systems across the Union (commonly known as the NIS Directive), which is designed to protect the security of EU network and information systems. The NIS Directive sets out, among other things, the parameters of national network and information security strategies to be implemented by Member States for providers of "essential services", which include credit institutions (as defined under the EU Capital Requirements Regulation) and financial market infrastructures.

    Read more.
  • UK Publishes Post-Brexit Cyber Sanctions Regulations
    06/17/2020

    The U.K. Government has published the Cyber (Sanctions) (EU Exit) Regulations 2020 and an explanatory memorandum. The Regulations are made under the Sanctions and Anti-Money Laundering Act 2018, which was introduced to enable the U.K. Government to implement international sanctions following its departure from the EU. The majority of the SAMLA provisions entered into force on November 22, 2018. The purpose of the Regulations is to ensure that the U.K. has an effective cyber sanctions regime at the end of the transitional period (currently scheduled for December 31, 2020) as part of the U.K.'s exit from the EU.

    Read more.
  • European Commission Publishes Adjusted 2020 Work Program
    05/27/2020

    The European Commission has published an adjusted 2020 Work Program to reflect the unexpected challenges arising from COVID-19. The Commission still intends to deliver on the commitments made under its original Work Program, published in January 2020, but has adjusted the timing of certain actions necessary to achieve its objectives. An update on the delivery and expected timing of the objectives under the adjusted Work Program is set out in an amended version of Annex 1 on the Commission's website.

    Read more.
  • Financial Stability Board Consults on Cyber Incident Responses
    04/20/2020

    The Financial Stability Board has launched a consultation on its proposed guidance on Effective Practices for Cyber Incident Response and Recovery. The consultation seeks input on a toolkit of cyber incident responses compiled by the FSB based on effective actions taken by organizations across the world. The consultation paper opens with a series of specific questions for respondents to consider, before setting out the draft toolkit of responses on which feedback should be given. Responses should be submitted by July 20, 2020.

    Read more.
    TOPICS: Cyber Security, FinTech
  • European Systemic Risk Board to Evaluate Systemic Cyber-security Risk
    02/19/2020

    The European Systemic Risk Board has published a report on cyber-security risk, which it has identified as a source of systemic risk to the global financial system. The report notes that the increased digitalization and interconnectedness of the global financial system makes it heavily reliant on ICT infrastructure and vulnerable to cyber attacks. The report provides an overview of key regulatory and industry initiatives aimed at combatting cyber risk, which include: (i) the 2019 International Organization of Securities Commissions’ Cyber Task Force report on cyber regulation; (ii) the European Banking Authority’s Guidelines on management of information and communication technology and security risks; and (iii) the European Securities and Markets Authority’s 2020-2022 Strategic Orientation, which establishes the dangers of cyber threats as an area of focus for ESMA and the other European Supervisory Authorities.

    Read more.
    TOPICS: Cyber Security, FinTech
  • European Commission Publishes 2020 Work Programme
    01/29/2020

    The European Commission has published its 2020 Work Programme, setting out the EU’s strategic priorities for the next 12 months.

    Read more.
  • UK Court Confirms Bitcoin Status as Property for Certain Proprietary Claims
    01/17/2020

    A U.K. court has granted an interim proprietary injunction over Bitcoin held in an account of a cryptocurrency exchange after it had been transferred there as part of a cyber attack on a Canadian insurance company. The judgment in AA v Persons Unknown & Ors, Re Bitcoin [2019] EWHC 3556 (Comm) was given on December 13, 2019, and following the lifting of reporting restrictions, was released for publication on January 17, 2020. In coming to its decision, the High Court adopted the analysis as to the proprietary status of crypto assets set out in the recent legal statement by the UK Jurisdiction Taskforce. Although each case will depend on the relevant facts and issues, the decision confirms that crypto assets are a form of property capable of being the subject of a proprietary injunction.

    Read more.
    TOPICS: Cyber Security, FinTech
  • UK Conduct Authority Publishes Findings of Review of Risk Modelling and Other Portfolio Management Tools in the Asset Management Sector
    01/13/2020

    The U.K. Financial Conduct Authority has published a report on its review of how firms in the asset management sector selected and used risk modelling and other portfolio management tools. The review was undertaken to assess how firms identify and manage the risks as well as firms' ability to respond to system failures or service interruptions.

    Read more.
  • European Securities and Markets Authority Publishes 2020-2022 Strategic Orientation
    01/09/2020

    The European Securities and Markets Authority has published its Strategic Orientation for 2020-2022, setting out its longer-term objectives for regulating financial markets. The previous Strategic Orientation covered the period from 2016-2020 and so is coming to an end this year. Looking forward, ESMA aims to:
    • develop the EU Capital Markets Union by encouraging wider retail investor participation, which would assist with the diversification of funding sources and efficiency of capital markets;
    • promote sustainable finance and long-term oriented capital markets as part of the EU's commitment to meet the UN's Sustainable Development Goals by 2030;
    • examine the opportunities and risks of digitalization and technology for market participants and regulators;
    • guarantee the EU's voice in financial markets, aiming to maintain the openness of EU financial markets and develop EU co-operation with third-country authorities to ensure investor protection and financial stability; and
    • encourage proportionality, particularly with respect to SMEs and innovative companies, where ESMA may need to tailor its initiatives to meet its objectives.

    View ESMA 2020-2022 Strategic Orientation.
  • European Commission Launches Consultations on Digitalization in the Financial Sector
    12/19/2019

    The European Commission has launched two consultations on digitalization in the financial sector. They form part of the EU’s new Digital Finance Strategy which aims to deepen the Single Market for digital financial services, promote a data-driven EU financial sector while addressing the risks inherent in that and enhance the digital operational resilience of the financial system. 

    Read more.
    TOPICS: Cyber Security, FinTech
  • European Banking Authority Publishes Guidelines on Technology and Security Risk Management
    11/28/2019

    The European Banking Authority has published its final guidelines on the management of information and communication technology and security risks by financial institutions in the EU. The Guidelines set out how financial institutions should comply with relevant provisions on the governance and risk management of ICT and security risks under the Fourth Capital Requirements Directive and the Second Payment Services Directive. 

    Read more.
  • European Central Bank Publishes Paper on Stablecoins
    11/28/2019

    The European Central Bank has published a paper providing an overview of the stablecoins market and looking ahead to its future development. The paper contains no binding rules or guidance and is designed for information purposes only. It outlines how stablecoins have emerged as an alternative to highly volatile cryptoassets, such as Bitcoin, by incorporating "stabilization" mechanisms that back the value of the stablecoins by tying them to underlying assets such as fiat currencies or commodities. Facebook's unveiling of its Libra stablecoin has attracted much attention from regulators, demonstrating the ongoing challenges faced by cryptoassets. The paper goes on to describe the different types of stablecoins and the current status of stablecoin initiatives, and considers potential use cases for stablecoins, such as transferring money without using financial institutions or cash. The ECB concludes that it remains to be seen how the more innovative types of stablecoin will develop given their greater volatility, and foresees that improvements in stablecoin governance may need to be made.

    Read more.
    TOPICS: Cyber Security, FinTech
  • Eurozone Single Resolution Board Publishes Opinions on Internal Rules for its use of Personal Data
    11/22/2019

    The Eurozone Single Resolution Board has published a series of three opinions setting out its own internal rules for the circumstances in which it may restrict the rights of data subjects under Regulation (EU) 2018/1725, data protection legislation that is commonly understood as the public sector equivalent of the General Data Protection Regulation. The Regulation governs the use of personal data by EU institutions and agencies. 

    Read more.
  • Basel Committee Publishes Report on Open Banking and Application Programming Interfaces
    11/19/2019

    The Basel Committee on Banking Supervision has published a report on “open banking” and the use of application programming interfaces. The term “open banking” refers to the sharing and leveraging of customer-permissioned data by banks with third-party developers and firms to build applications and services, including for example those that provide real-time payments, greater financial transparency options for account holders, marketing and cross-selling opportunities. Application programming interfaces are software intermediaries that enable information to be exchanged between applications. 

    Read more.
    TOPICS: Cyber Security, FinTech
  • UK Information Commissioner’s Office Consults on Application of Powers under Proceeds of Crime Act
    11/08/2019

    The U.K. Information Commissioner’s Office, the U.K.’s independent body for the upholding of information rights in the public interest, has issued a consultation paper on proposals that it be granted investigative and other powers under the Proceeds of Crime Act 2002. The proposals are in response to the increasing number of cases in which financial gains are made by criminals involved in the theft of personal data.

    Read more.
  • Committee on Payments and Market Infrastructures Publishes Toolkit for Reducing Wholesale Payments Fraud
    10/22/2019

    The Committee on Payments and Market Infrastructures has prepared a “toolkit” to assist central banks to reduce the risk of wholesale payments fraud related to endpoint security. The Financial Stability Institute at the Bank for International Settlements has also announced that it will make tutorials on wholesale payments security freely available to central banks on request.

    Read more.
  • UK Court Grants Asset Preservation Order over Bitcoin
    08/20/2019

    A U.K. court has granted an asset preservation order over Bitcoin stolen in a "spear phishing" attack on a major crypto-currency trader. The decision confirms that proprietary claims over Bitcoin constitute serious issues that should be tried in the courts. Although the presiding judges did not make a final ruling on the legal questions surrounding the nature of Bitcoin ownership, it is believed that this is the first time the English courts have considered the nature of crypto-currencies as property.

    Read more.
    TOPICS: Cyber Security, FinTech
  • UK Financial Conduct Authority Issues Response to EU Opinion on Strong Customer Authentication
    06/28/2019

    The U.K. Financial Conduct Authority has issued a statement confirming its intended approach to enforcing firms' compliance with EU "strong customer authentication" rules that will apply across the EU from September 14, 2019.

    Read more.
  • European Banking Authority Publishes Opinion on Strong Customer Authentication Under Payment Services Directive
    06/21/2019

    The European Banking Authority has published an Opinion on market approaches to payment authentication that will be deemed compliant with the new rules on strong customer authentication coming into force later this year.

    Read more.
  • European Commission Publishes Report on Implementation of Wire Transfer Regulation
    06/20/2019

    The European Commission has published a report detailing: (i) the extent to which Member States have implemented the sanctions and monitoring sections of the EU Wire Transfer Regulation; and (ii) the particular sanctioning activities that national regulators have adopted under the Regulation. The Commission was obliged to provide the report to the European Parliament and Council of the European Union under the Wire Transfer Regulation. Although Member States are not obliged to take specific steps in response to the report's findings, the Commission concludes the report by stating its intention to continue to support Member States in their implementation of the Wire Transfer Regulation and reserves the right to take further measures to ensure the Regulation is correctly implemented by all Member States.

    Read more.
  • Bank of England Publishes Report on the Future of the UK Financial System and the Bank's Priorities for the Future
    06/20/2019

    Huw van Steenis, the Bank of England financier appointed by the BoE in 2018 to review the future of the U.K. financial system, has published his "Future of Finance" report, setting out a vision for the medium-term future of the U.K. financial system and the BoE's role in supporting that. The report was based on consultations with entrepreneurs, financiers, tech firms, global investors, consumer groups, charities, policymakers and business leaders across the U.K. and overseas. In response, the BoE has published a document which sets out the actions it intends to take to deal with the challenges and opportunities identified in the report.

    Read more.
  • Basel Committee on Banking Supervision Discusses Supervisory Initiatives and Approves Implementation Reports
    06/20/2019

    Central bankers and banking supervisors of the Basel Committee on Banking Supervision met this week to discuss a range of policy and supervisory initiatives. 

    Read more.
  • International Cyber Task Force Reports on Cyber Regulation
    06/18/2019

    The International Organization of Securities Commissions has published the final report of its Cyber Task Force on cyber regulation. The report sets out how IOSCO member jurisdictions apply three recognized cyber frameworks - the CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures; the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity; and the International Organization for Standardization 27000 series standards. The Cyber Task Force does not propose that IOSCO issues any further guidance on this topic, as this could lead to duplication. The report is instead intended to be a resource for financial market regulators and firms, to raise awareness of existing cyber guidance and to encourage the adoption of good practices. The Cyber Task Force recommends that IOSCO's member jurisdictions use these standards to close any gaps in their existing cyber frameworks and that further work is undertaken to establish where those gaps are.

    View the report.
    TOPIC: Cyber Security
  • Financial Stability Board Publishes Progress Report on Cyber Incident Response
    05/28/2019

    The Financial Stability Board has published a progress report on the activities and work plan of its Cyber Incident Response and Recovery working group. The working group was established in 2018 with a mandate to develop a toolkit of practices for financial institutions and authorities in preparing for and dealing with cyber incidents.

    Read more.
    TOPIC: Cyber Security
  • UK Secondary Legislation Published to Combat Cyber-Attacks
    05/21/2019

    The Cyber-Attacks (Asset-Freezing) Regulations 2019 have been made and will come into force on June 11, 2019.

    The U.K. Regulations put in place measures applicable to U.K. nationals, U.K. incorporated entities and certain regulated institutions that will help enforce the financial sanctions provisions of the EU's new Cyber-Attacks Regulation, which came into force on May 18, 2019. The Cyber-Attacks Regulation is designed to combat cyber-attacks emanating from outside the EU against EU institutions and Member States. Its provisions include granting the Council of the European Union the ability to freeze assets of persons or entities suspected of involvement in such attacks. In order to enforce the sanctions regime throughout the EU, Member States are required to put in place legislation specifying the penalties that will be imposed upon those found to be implicated in a breach of the EU Cyber-Attacks Regulation.

    Read more.
  • EU Council Regulation to Combat Cyber-Attacks Published
    05/17/2019

    The EU Council Regulation concerning restrictive measures against cyber-attacks threatening the European Union or its Member States came into force on May 17, 2019 and will apply directly across the EU from May 18, 2019.

    Read more.
  • UK Financial Conduct Authority Reports on Cyber Security Resilience in Financial Services
    11/27/2018

    The Financial Conduct Authority has published a report entitled "Cyber and Technology Resilience: Themes from cross-sector survey 2017-2018." The FCA compiled the report by requesting 296 firms during 2017 and 2018 to provide a self-assessment of their cyber and technological capabilities, focusing on governance, delivery of change management, managing third-party risks and the effectiveness of cyber defenses. The FCA analyzed the responses and considered data from firms' responses to recent operational incidents to produce the report.

    Read more.
  • UK Parliamentary Committee Launches Inquiry Into Operational Resilience in the Financial Services Sector
    11/23/2018

    The U.K. Treasury Committee has announced the launch of a new Inquiry into IT failures in the financial services sector. The Inquiry has been launched in response to recent IT failures at a number of financial institutions that have led to consumers being unable to access their bank accounts or becoming subject to fraud.

    The Committee will assess the causes and consequences of these recent IT failures. Among other things, the Committee will consider the extent to which such incidents are becoming more frequent, sources of concentration risk in the financial sector, the impact of legacy IT systems, the effect of outsourcing on operational resilience, best practices in responding to operational incidents and whether the U.K. regulators are able to regulate firms' capabilities for responding to such incidents.

    Written submissions can be made to the Committee by January 18, 2019. The Committee will also appoint a special advisor to provide policy advice to the Committee on the issues. Individuals interested in the role should respond to the call for Expressions of Interest.

    View the announcement.
  • Financial Stability Board Publishes Cyber Lexicon
    11/12/2018

    The Financial Stability Board has published the final Cyber Lexicon of terms related to cyber security and cyber resilience. The Lexicon is intended to assist the FSB, other international standard setting bodies (such as the Basel Committee on Banking Supervision, the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions), authorities and the private sector to address threats to cyber security and adopt cyber resilience measures. The FSB has also published an overview of responses to the public consultation, summarizing the main issues that emerged during the FSB's consultation on a draft lexicon and the changes adopted to address them.

    Read more.
    TOPIC: Cyber Security
  • European Parliament Adopts Resolution on Distributed Ledger Technologies
    10/03/2018

    The European Parliament has adopted a non-legislative resolution entitled "distributed ledger technologies and blockchains: building trust with disintermediation." Of particular relevance to the financial services sector, the European Parliament is requesting that the European Commission and other EU authorities take various steps to maximize the potential of this technology in the EU.

    Read more.
  • UK Conduct Regulator Fines Retail Bank for Failures During a Cyber Attack
    10/01/2018

    The U.K. Financial Conduct Authority has published a final notice issued to a U.K. Retail Bank for breaches of Principle 2 of the FCA's Principles for Businesses. Principle 2 requires authorized firms to conduct their business with due skill, care and diligence. The Bank was subjected to a cyber-attack in November 2016, when attackers deployed an algorithm to generate authentic debit card numbers that were then used to make unauthorized transactions. While the attack did not involve loss or theft of customers' personal data, the FCA found that the attack left the Bank's personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours.

    Read more.
  • UK Financial Conduct Authority Updates Guidance on its Approach to Payment Services and Electronic Money
    07/06/2018

    The U.K. Financial Conduct Authority has updated its Approach Document on payment services and electronic money, to reflect final guidelines issued in December 2017 by the European Banking Authority on security measures for mitigating operational and security risks under the revised Payment Services Directive. The changes will affect all payment service providers. The FCA has also updated its webpage on reporting requirements for payment services providers and e-money issuers to reflect these changes. The webpage includes a link to the revised version of the FCA's REP018 (operational and security risk) reporting form.

    The FCA will expect payment services providers to comply with the EBA guidelines, which cover issues such as operational and security risk management framework governance, the use of models, outsourcing and how functions, processes and assets should be identified, classified and risk-assessed. The EBA guidelines also cover security of data integrity, systems and confidentiality as well as physical security and asset control and communication of the security measures to payment service users. PSPs will be expected to report at least annually to the FCA on their operational and security risk management frameworks.

    Read more.
  • UK Regulators Seek Views on Improving Operational Resilience of Firms and Financial Market Infrastructures
    07/05/2018

    The Bank of England, the U.K. Prudential Regulation Authority and the U.K. Financial Conduct Authority have published a joint discussion paper entitled "Building the UK financial sector’s operational resilience." The Discussion Paper is aimed at opening a dialogue with the financial services industry on achieving what the Authorities view as a "step change" in the operational resilience of firms and Financial Market Infrastructures and at generating debate about the expectations regulators and the wider public might have of the operational resilience of financial services institutions.

    While the existing regulatory framework already supports operational resilience, the BoE, PRA and FCA are together considering the extent to which they might supplement existing policies, to improve the resilience of the financial system as a whole and increase the focus on operational resilience within firms and FMIs.

    Read more.
  • UK Financial Policy Committee Outlines Steps to Reduce Risks to the UK's Financial Stability
    07/03/2018

    The Bank of England has published a Financial Stability Report, dated June 2018, and a record of the Financial Policy Committee Meeting held on June 19, 2018. The Report sets out the FPC's view of the U.K.'s financial stability, the resilience of the U.K.'s financial system and the risks posed to each of those. Where applicable, the Report also notes the steps that the FPC is taking to address the risks. The record of the meeting provides a summary of issues discussed by the FPC in June.

    Read more.
  • Financial Stability Board Issues Consultation on Developing a Cyber Lexicon
    07/02/2018

    As part of its work on the protection of financial stability against the malicious use of information and communication technologies, the Financial Stability Board has published a draft cyber lexicon for consultation.

    In March 2017, the FSB was asked by the G20 Finance Ministers to review and produce a stock-take report on the existing regulation, supervisory practices and guidance on cyber security in the financial sectors of G20 jurisdictions. The G20 welcomed the FSB's stock-take report in October 2017 and asked the FSB to continue its work and to develop a common lexicon of cyber terms.

    The FSB stresses that the lexicon is not intended for use in the legal interpretation of any international arrangement or agreement or any private contract. The use of the cyber lexicon will not be mandatory. Its purpose is to support the work of the FSB, standard-setting bodies, national authorities and private sector participants to address, and develop guidance on, cyber security and cyber resilience in the financial sector. In particular, the aim of the cyber lexicon is to create a cross-sector common understanding of relevant cyber security and cyber resilience terminology and to facilitate assessment and monitoring of financial stability risks in cyber risk scenarios.

    Read more.
  • UK Prudential Regulator Sets out Expectations on Firms' Exposures to Crypto-Assets
    06/28/2018

    The U.K. Prudential Regulation Authority has published a "Dear CEO" letter, addressed to the Chief Executive Officers of banks, insurance companies and designated investment firms. The purpose of the letter is to remind firms of their relevant obligations under the PRA rules and to communicate the PRA's expectations regarding firms' exposures to crypto-assets.

    Crypto-assets have exhibited high price volatility and relative illiquidity and may also be vulnerable to fraud and manipulation, which raises concerns about potential misconduct and poses issues for market integrity. The PRA's letter does not define crypto-assets, but the Financial Conduct Authority uses this term to refer to any publicly available electronic medium of exchange that features a distributed ledger and a decentralized system for exchange. The FCA recently published a "Dear CEO" letter outlining best practice for firms in handling the financial crime risks that crypto-assets can pose.

    Read more.
  • European Supervisory Authorities Make Recommendations to Address Risks in EU Securities, Banking and Insurance Sectors
    04/12/2018

    The Joint Committee of the European Supervisory Authorities has published a report on risks and vulnerabilities in the EU financial system. The ESAs are the European Securities and Markets Authority, the European Banking Authority and the European Insurance and Occupational Pensions Authority. The ESAs make recommendations for policy actions by the ESAs, national regulators and financial institutions. A summary of the risks and recommendations contained in the report is set out below.
    • To combat cyber risks, the ESAs recommend that financial institutions should continue to improve IT systems, explore risks in the context of information security and take steps to resolve risks surrounding connectivity and outsourcing to third-party providers. The ESAs will continue to keep these risks under review. ESMA is launching a supervisory project on cloud computing outsourcing and will continue work to address supervisory convergence. The EBA is developing guidelines on the management of information and communication technology risks. EIOPA is conducting a qualitative exercise on cyber risk with national regulators and the industry.
    Read more.
  • US Federal Financial Institutions Examination Council Issues Joint Statement Regarding Cyber Insurance
    04/11/2018

    The U.S. Federal Financial Institutions Examination Council members released a joint statement with respect to cyber insurance and its role in risk management. FFIEC members include the U.S. Board of Governors of the Federal Reserve System, the U.S. Office of the Comptroller of the Currency and the U.S. Federal Deposit Insurance Corporation. The statement and corresponding press release note that the frequency, sophistication and severity of cybersecurity incidents are increasing. As a result, general insurance policies may not provide adequate coverage in the event of a cybersecurity incident, and cyber insurance options are increasing and evolving in response to these factors. The statement highlights that cyber insurance options vary greatly and can take the form of either a standalone policy or an endorsement to an existing insurance policy. The statement cautions, however, that cyber insurance should be viewed as a risk mitigation tool and not as an alternative to sound internal controls, policies and procedures to guard against cybersecurity events. The statement notes that institutions, in considering cyber insurance, should assess their existing cybersecurity risk framework to determine the potential impact and magnitude of residual risk. In weighing the costs and benefits of cyber insurance, the statement suggests that institutions should consider involving multiple stakeholders in the decision-making process, perform adequate due diligence to fully understand available policies and coverage options, and incorporate cyber insurance into their annual budgeting processes.

    View full text of the FFIEC statement.
  • European Central Bank Consults on Cyber Resilience Oversight Expectations for Eurozone Financial Market Infrastructures
    04/10/2018

    The European Central Bank has launched a consultation on draft "cyber resilience oversight expectations" for financial market infrastructures.

    The CROE use, as a basis, the Guidance on Cyber Resilience for Financial Market Infrastructures published jointly in June 2016 by the Committee on Payments and Market Infrastructures and the Board of the International Organization of Securities Commissions. FMIs were required to implement that Guidance immediately; it supplements the Principles for Financial Market Infrastructures published in 2012 by IOSCO and the Committee on Payment and Settlement Systems. The PFMIs were adopted by the Governing Council of the ECB in June 2013. In developing the CROE, the ECB also took into account existing international guidance documents, in particular the Cybersecurity Framework published by the U.S. National Institute of Standards and Technology, the ISO/IEC 27002 good practice standard for information security, the COBIT 5 framework for the governance and management of enterprise IT, the Information Security Forum's Standard of Good Practice for Information Security and the U.S. Federal Financial Institutions Examination Council's Cybersecurity Assessment Tool.

    Read more.
  • UK Financial Conduct Authority Publishes its 2018/19 Business Plan
    04/09/2018

    The Financial Conduct Authority has published its Business Plan for 2018/19, which sets out its key priorities for the coming year. The FCA confirms that it will continue to focus on issues relating to the U.K.'s withdrawal from the EU by working with the Government, ensuring appropriate transition measures for EEA firms, working towards operational readiness and cooperating at international level.

    The FCA divides the remainder of its priorities into cross-sector priorities and sector priorities. There are seven cross-sector priorities: firms' culture and governance; financial crime and anti-money laundering; data security, resilience and outsourcing; innovation, big data, technology and competition; treatment of existing customers; long-term savings, pensions and intergenerational differences; and high-cost credit. There are seven sector priority areas: wholesale financial markets; investment management; retail lending; pensions and retirement income; retail investments; retail banking; and general insurance and protection. The FCA also published Sector Views for each of these sectors which provide an FCA view of how each sector was performing as of mid-2017.

    Read more.