Priorities are changing
Moving into 2022, financial services firms will continue to implement the tail end of the post-2008 regulatory program, but the thematic focus has shifted. Regulations on sustainability and digitalization have moved to the forefront, as changing global trends have identified a need to enable, control, and supervise in both areas. The European Union’s “growth agenda” has led to the creation of the Capital Markets Union “action plan,” and post-Brexit, the UK is introducing new regulatory reviews. In the US, the Biden administration is bringing a change of emphasis in many areas, including financial services regulation. These reforms will create opportunities and challenges. Firms will need to dedicate more time to strategic planning for the long-term implications of forward policy priorities while remaining cautious about implementing new frameworks. The priorities may have changed, but the volume and pace of new legislation are as high as ever, particularly for those players operating from west to east or vice versa. There are also challenges for the regulators in managing their range of activities within the context of globalization, regulatory arbitrage, and geopolitical uncertainty.
Digital regulation continues to grow
Regulators recognize that digitalization represents an enormous opportunity for financial services and, in turn, for the consumers of those financial services. The digital revolution has been said to represent the fourth wave of globalization. For regulators, investor safety is essential, balanced by the need to promote, or at least not stifle, the growth enabled by digital innovation. New digital services are the product of technology advancement and commercial incentives. Regulators have to prioritize the safety of the consumers’ preferred digital services in each market. However, regulatory jurisdiction is a primary concern in the digital world, where data can move instantly across borders. The validity and legitimacy of “within perimeter” cryptoassets and virtual currencies must be determined in law for each regulator.
The Basel Committee on Banking Supervision (BCBS), the Committee on Payments and Market Infrastructures (CPMI), the International Organisation of Securities Commissions (IOSCO), and the Organisation for Economic Co-operation and Development (OECD) have for been scrutinizing the impact of digital assets for many years. Examples of activities so far include the Financial Stability Board’s (FSB) publication on recommendations for the regulation of ‘global stablecoin’ (GSC) arrangements, IOSCO presented a helpful description of cryptoassets, Central Bank Digital Currency (CBDCs) and stablecoin regulation is proceeding widely. However, algorithmic and other virtual currencies may be left to operate outside regulators’ rules and investor protection, as indicated by the approach taken by the UK.
Other areas relevant to securities include the use of Distributed Ledger Technology (DLT) within existing structures such as custodians and CSDs, data protection, and data storage location, with specific emphasis on Cloud usage.
Cybersecurity, data storage, and remote access are areas that have grown dramatically in significance during the pandemic and are receiving a lot of attention from regulators. Guidelines from the European Securities and Markets Authority (ESMA) on outsourcing to cloud providers apply from the end of 2022. There is ever-increasing regulatory scrutiny of outsourcing operations by securities industry firms, especially core and critical functions.
The European Union on September 24, 2020, put forward a wide-ranging proposal for digital regulation, as part of the “Digital in Europe” initiative, including the DLT Market Infrastructure Regulation (with the pilot regime), the Digital Operational Resilience Act (DORA), and the Markets in Cryptoassets Regulation (MiCA). In addition, the European Central Bank is proceeding with its plans for a CBDC. We can expect further developments as we move further into 2022. There have also been national developments in the EU, notably in Germany and France. In the UK, regulators have also put forward initiatives in cryptoassets, CBDC, and stablecoins. These policy developments will represent an essential part of the future compliance programs of regulated financial institutions and their technology providers.
On December 20, 2020, the Financial Crimes Enforcement Network (FinCEN), the US Financial Intelligence Unit (FIU), and its primary anti-money laundering (AML) regulator published a Notice of Proposed Rulemaking (NPRM) that sought to impose new recordkeeping and reporting requirements on virtual currency transactions. The NPRM was met with a torrent of comments, causing FinCEN to extend the comment period twice.
FinCEN wants to create new recordkeeping and reporting requirements for banks and money services businesses to report certain transactions in convertible virtual currencies (CVC) such as Bitcoin and virtual currencies that have the status of legal tender (“legal tender digital assets” or LTDA). In particular, the agency targets transactions involving hosted and unhosted digital currency wallets, a “wallet” being the technology that permits the owner to receive, store and send virtual currencies. Hosted wallets are associated with financial institutions, such as banks or digital currency exchanges. In these cases, they function like bank accounts, which require a financial institution as an intermediary to facilitate transactions. Wallets can also be held apart from an institution (unhosted wallets), such as in the use of standalone software applications on a party’s computer or mobile device.
FinCEN wants to implement reporting changes for deposits, withdrawals, exchanges of virtual currencies, payments, and other transfers, that involve unhosted wallets and hosted wallets where the institution which hosts it is in a country that does not have adequate anti-money laundering (AML) regulation and oversight, which FinCEN calls an “otherwise covered wallet.” FinCEN proposes to create a “Foreign Jurisdictions List” to identify the countries in which hosted wallets would be considered “otherwise covered wallets.”
The new reporting requirement is based on the regulatory framework used for Currency Transaction Reports (CTRs), which report large deposits or withdrawals of cash. Cash has a physical presence that easily calls out unusually large amounts of it when presented or withdrawn, which presents a significant logistical problem when transporting it. The CTR filing is made easy because it requires a human being to physically hold it. Additionally, apart from some major currencies (most notably the US dollar), cash has limited utility outside the issuing country or bloc; one often must visit a currency exchange or similar to give cash usability when outside its home country.
CVC transactions do not contain identifying information other than wallet addresses, and the state of global AML regulation of virtual currencies is less uniform than other AML regulations. CVCs enjoy a level of anonymity and a lack of regulatory control similar to cash.
Unlike a traditional banking system, FinCEN can prohibit providing banking services to specific institutions or countries under its USA PATRIOT Act Section 311 powers. Such an ability to ban transacting with specific counterparties is an impossibility in a world of unhosted wallets, enabling individuals to bypass the banking system and transact without a financial intermediary (much like cash). The primary hurdle to setting up a virtual currency exchange in many countries is purely technical, as such firms are not currently uniformly subject to licensing, registration, or AML regulatory requirements. Even when such provisions exist, the lack of a physical presence makes detecting and identifying an unlicensed exchange more challenging than that of a brick-and-mortar equivalent.
The existing suspicious activity reporting regime used for cash and non-cash transactions and behavioral red flags seems a poor fit for virtual currencies. CVC and LTDA transactions are inherently point-to-point. This contrasts with the international banking system enabled by the SWIFT network, where each message often provides a much broader view of the end-to-end transaction chain. The practical implications beyond identifying structuring to avoid reporting requirements transfers out of line with the information established as part of the customer due diligence and identifying counterparty wallets hosted in sanctioned countries, identifying suspicious behavior is exceptionally challenging. Gathering the information proposed in the NPRM is one step to improve this.
While using a CTR-like regulatory framework may be like trying to put a square peg into a round hole, it’s probably the best fit among the currently available AML tools.
Legal Tender Digital Assets (LTDA)
Although several LTDAs have been proposed or are in development, none have reached actual production. While few implementation details have emerged, it would not be surprising to see privacy features implemented for the coins from Russia and China (not to mention a lack of cooperation with western law enforcement investigations), making tracing transactions more difficult. In that regard, the use of an LTDA would be a red flag in and of itself, like the concerns surrounding the use of privacy coins (FinCEN refers to these as “anonymity enhanced coins” in the NPRM).
Additionally, Russia’s proposed cryptoruble and China’s DCEP (currently in development) will be issued by the central government and not mined. The central governments can create and destroy their LTDA assets as they see fit. In that regard, the central government can act as a virtual currency mixer if it wishes to, by destroying coins sent to one party, then creating new coins for another involved in the same pattern of activity (particularly those promulgated, promoted, or permitted by the state, but prohibited by other governments, such as receiving payment for goods shipped to sanctioned parties).
The US government has banned transactions in the Venezuelan petro (now inactive) and Iran’s cryptorial as part of its economic sanctions programs. Whether it will be practical to do the same for the cryptoruble and DCEP is open to debate. Assuming that transactions in at least some LTDAs will be legal at some point, it seems prudent to regulate them similarly to CVCs, even if some present additional challenges.
Most of 2022 is likely to be dominated by supervisory and policy actions designed to address the impact of the COVID-19 pandemic. After that, we will see regulators returning to several key agendas already in motion and in various stages of development: conduct risk, climate risk, digital, operational resilience, data protection, cybersecurity, and financial crime. A recurring theme across the post-pandemic regulatory landscape will be the need for supervisors and standard setters to identify and collect new, standardized data sets that can inform policymaking which allows the new frontiers of technology, sustainability, and ESG to expand while also maintaining appropriate levels of resilience and risk sensitivity. For firms, the immediate challenge will be to maintain risk and compliance standards, implement digital transformation and at the same time settle on an efficient set of operations that accommodate more remote and flexible working and can be responsive to similar crises in the future. An additional factor in the coming period, compared with previous post-crisis phases, will be the extra priority that firms must give to sustainability, diversity, inclusion, and wider corporate responsibility.
Written By: Allen Moy, Senior Consultant