Global Regulatory Brief: Digital finance, February edition

The Global Regulatory Brief provides monthly insights on the latest risk and regulatory developments. This brief was written by Bloomberg’s Regulatory Affairs Specialists.

Digital finance regulatory developments

As technology continues to reshape financial services, regulators and policy-setters are embarking on a range of digital-finance initiatives to manage risks and set appropriate standards. From Singapore to the EU, the following developments from the past month in digital finance stand out:

• EU: Supervisory Authorities issue final drafts of detailed policy measures under DORA
• US: Securities and Exchanges Commission authorizes Bitcoin-spot ETFs
• Singapore: AI Verify Foundation proposes governance framework for Generative AI
• UK: Information Commissioner’s Office consults on GenAI
• US: Commodity Futures Trading Commission requests information on use of AI in derivatives markets
• US: Federal Trade Commission launches probe into AI partnerships
• EU: Commission unveils new package of measures on AI
• India: Reserve Bank issues checklist for use of AI in banks
• Nigeria: Central Bank places strict rules on banks after lifting crypto ban

Explore the latest regulatory insights with our outlooks, webinars, research and analysis.

EU issues final drafts of detailed policy measures under DORA

The EU Supervisory Authorities (ESAs) published the final drafts of detailed policy measures under the Digital Operational Resilience Act (DORA).

In summary: The published texts cover the detailed rules (regulatory technical standards and implementing technical standards) which, according to the DORA Regulation, were to be finalized by the ESAs by January 17, 2024. The ESAs already consulted stakeholders on earlier drafts of these rules from June to September 2023.

The details: Specifically, these detailed rules cover:

• Final draft rules on ICT risk management framework and RTS on simplified ICT risk management framework
• Final draft rules on the criteria for the classification of ICT-related incidents by financial entities
• Final draft rules on the templates for the register of information to be completed by financial entities
• Final draft rules on the contractual arrangements policy on the use of ICT services supporting critical or important functions

Timeline: The final drafts are now submitted to the EU Commission for their review and endorsement, to be followed by a scrutiny period by the EU Parliament and EU Member States before they can become law.

Closely related: The ESAs are also consulting on the second group of draft detailed rules under DORA, to be finalized by July 17, 2024. These cover the rules on conduct of the EU oversight of critical vendors, major ICT incidents reporting by financial entities, subcontracting rules and threat-let penetration testing. The consultation runs until March 4, 2024.

Go-live: DORA is set to apply in the EU from January 17, 2025.

US SEC approves spot Bitcoin ETF

The US Securities and Exchange Commission (SEC) approved exchange-traded products (ETPs) that invest directly in Bitcoin. 

Context: SEC Chair Gary Gensler, a Democrat, voted to approve along with Commissioners Hester Peirce and Mark Uyeda, both Republicans, signaling bi-partisan support. 

• In his statement announcing the decision, Chair Gary Gensler noted that the ruling of the US Court of Appeals for the District of Columbia in the case regarding Grayscale’s proposed ETP, namely that the SEC failed to properly explain its reasoning for denying the application, was behind the Commission’s decision to approve spot Bitcoin ETPs 
• However, Democratic Commissioner Caroline Crenshaw issued a statement which was harshly critical of the order, calling it “unsound and ahistorical” 

Important clarification: This SEC action is limited to ETPs holding one non-security commodity, Bitcoin, and Chair Gensler stated that it should in no way signal the SEC’s willingness to approve listing standards for crypto-asset securities. 

• The Chair also stated that the approval does not signal anything about the Commission’s views as to the status of other crypto assets under the federal securities laws.
• Further, the Chair repeated his position that the vast majority of crypto assets are investment contracts and thus subject to the federal securities laws, and that Bitcoin is a “speculative, volatile asset that’s also used for illicit activity including ransomware, money laundering, sanction evasion, and terrorist financing.”

Investment protection: The SEC action includes certain protections for investors, such as requiring investor disclosures, limiting the trading of these products to national securities exchanges, and applying existing rules and standards of conduct to the purchase and sale of approved ETPs. 

In parallel: The Commission noted that staff are separately completing the review of registration statements for ten spot Bitcoin ETPs simultaneously. The agency posits that this should help “create a level playing field for issuers and promote fairness and competition, benefiting investors and the broader market.”

Singapore proposes Model AI Governance Framework for Generative AI

Singapore’s Artificial Intelligence Verify Foundation (AIVF) and Infocomm Media Development Authority (IMDA) have developed a draft Model AI Governance Framework for Generative AI that builds on the Model Governance Framework that covers Traditional AI and was last updated in 2020. 

Important context: The growing global consensus that consistent principles are required to create a trusted environment to contain the risks associated with using generative AI has led to the proposed framework. 

In summary: The framework proposes to look at nine dimensions to foster a trusted ecosystem, including accountability, data, trusted development and deployment, incident reporting, testing and assurance, security, content provenance, safety and alignment R&D and AI for public good. 

The aim: The proposed framework aims to facilitate international dialogue between policymakers and industry stakeholders, and encourage responsible innovation.

Timeline: The proposed framework is open for comments and views from the international community before the finalization in mid-2024.

UK Information Commissioner’s Office launches consultation series on generative AI

The UK Information Commissioner’s Office (ICO) launched the first of a series of consultations on generative Artificial Intelligence (AI) specifically to examine how aspects of data protection law should apply to the development and use of AI. 

Important context: Generative AI models are being used across the economy to create new content across a wide range of sectors. 

In more detail: This first consultation from the ICO examines when it is lawful to train generative AI models on personal data scraped from the web. The ICO is seeking views from a range of stakeholders, including developers and users of generative AI, legal advisors and consultants working in this area, civil society groups and other public bodies with an interest in generative AI.

Looking ahead: The first consultation is open until March 1, 2024, and future consultations to be launched in the first half of 2024 will examine issues such as the accuracy of generative AI outputs.

US CFTC issues Request for Information on use of AI in derivatives markets

The US Commodity Futures Trading Commission (CFTC) issued a Request for Information related to the use of AI in markets regulated by the Commission.

Context: The request comes as regulators across the federal government work to develop guidance and propose rules around the use of artificial intelligence in their respective jurisdictions.

• The Commission noted that this request was spawned in part by their own ongoing efforts to understand and regulate the use of technology in derivatives markets, but was also pushed along by President Biden’s October 2023 Executive Order on artificial intelligence. 

Implications: While there are no immediate implications, the information gleaned from this process will be used to inform future guidance and rulemaking, similar to the 2023 predictive data analytics proposal from the SEC, which also started out as a request for information.

Theme developing: Governance, controls, and conflicts of interest are concerns when it comes to AI for both the CFTC and the SEC. There are similarities between the SEC’s proposal to regulate the use of predictive data analytics in investor interactions, and the CFTC’s request for information. These themes are expected to reappear in the work underway at various different agencies. 

US FTC launches probe into AI partnerships, investments

The Federal Trade Commission (FTC) issued compulsory Section 6(b) orders to Amazon, Anthropic, Microsoft, and Google’s parent company, Alphabet.

Why 6(b)? Section 6(b) of the FTC Act authorizes the Commission to conduct studies which gather information to allow regulators to better understand market trends and current business practices. Findings from these studies often help inform future Commission actions.

Competitive concerns? The Commission explained that its inquiry is focused on corporate partnerships and investments with AI providers and the broader impacts on competition in the space. FTC Chair Lina Khan has expressed that it is key to ensure smaller firms are not getting squeezed out of the AI market by larger players, thereby limiting competition. 

EU Commission unveils new package of measures on AI

The EU Commission has unveiled a new package of measures on AI to prepare for the implementation of the Artificial Intelligence Act following the political agreement reached in December 2023.

AI Office: Team within the EU Commission that will play a leading role both in the development and coordination of AI policy, and in the supervision and enforcement of the AI Act. The decision to establish the AI Office enters into force with immediate effect with operations commencing in the following months.

• The AI Office will be established within the Commission and will implement the future AI Act at EU level and will supervise the rules for general-purpose AI models and systems.
• It is intended to become a central coordination body for AI policy at EU level and cooperate with other Commission departments, EU bodies, Member States and the stakeholder community.
• It will have an international vocation and promote the EU approach to AI governance and contribute to the EU’s international activities on AI.
• More generally, the AI Office is expected to build up knowledge and understanding on AI and foster AI uptake and innovation. The decision to establish the AI Office enters into force immediately.

AI factories: This will be part of the EU’s supercomputers Joint Undertaking activities. This proposal will now need to be agreed by the EU Parliament and EU member states before it becomes law. The objectives are:

• Acquiring, upgrading and operating AI-dedicated supercomputers to enable fast machine learning and training of large General Purpose AI (GPAI) models
• Facilitating access to the AI dedicated supercomputers, contributing to the widening of the use of AI to a large number of public and private users, including startups and SMEs
• Offering a one-stop shop for startups and innovators, supporting the AI startup and research ecosystem in algorithmic development, testing evaluation and validation of large-scale AI models, providing supercomputer-friendly programming facilities and other AI enabling services
• Enabling the development of a variety of emerging AI applications based on General Purpose AI models

EU AI start-up and innovation communication: This outlines additional key activities:

• Additional overall public and private investment of around €4 billion until 2027.
• Accompanying initiatives to strengthen EU’s generative AI talent pool through education, training, skilling and reskilling activities.
• The acceleration of the development and deployment of Common European Data Spaces, made available to the AI community to train and improve their models.
• The ‘GenAI4EU’ initiative, which aims to support the development of novel use cases and emerging applications in Europe’s 14 industrial ecosystems, as well as the public sector. Applications include robotics, health, biotech, manufacturing, mobility, climate and virtual worlds.

European Digital Infrastructure Consortiums: The Commission is also establishing, with a number of member states, two European Digital Infrastructure Consortiums (EDICs): 

• The ‘Alliance for Language Technologies’ (ALT-EDIC) aims to develop a common European infrastructure in language technologies to address the shortage of European languages data for the training of AI solutions
• The ‘CitiVERSE’ EDIC will apply state-of-the-art AI-tools to develop and enhance Local Digital Twins for Smart Communities

Communication on AI use at the Commission: The Commission also adopted a Communication outlining the Commission’s own strategic approach to the use of Artificial Intelligence. 

• It includes concrete actions about how the Commission will build institutional and operational capacity to ensure the development and use of trustworthy, safe and ethical AI. 
• The Commission is also preparing to support EU public administrations in their own adoption and use of Artificial Intelligence.

RBI issues checklist for use of AI in banks

The Reserve Bank of India (RBI) has offered a ten-point checklist for banks to refer to when designing and using AI.

Risks related to using AI: Deputy Governor of the RBI, M Rajeshwar Rao, said that many AI models operate in a black box which make decoding for audit and supervisory review a challenge. He also highlighted the risks and vulnerabilities such as data poisoning, unexpected behavior and bias predictions, which financial institutions should be careful about. 

Ten-point checklist: Mr Rao said that financial institutions looking to deploy AI-based models would need to consider fairness, transparency, accuracy, consistency, data privacy, explainability, accountability, robustness, monitoring and updating, as well as human oversight.

Other concerns: Mr Rao also mentioned that only a few organizations globally would have large enough datasets to train generative AI models, and this could give rise to issues relating to market power, competition, and cross-border concerns.

Nigeria places strict rules on banks after lifting crypto ban

Nigeria’s central bank has released inaugural guidelines for banks opening cryptocurrency accounts, while retaining its ban on them holding or trading in virtual assets on their own behalf. 

In summary: The rules flesh out the regulator’s decision in December to lift its prohibition on banks operating accounts for crypto service providers.

Wider context: Nigeria joins other African regulators in extending oversight of cryptocurrencies, spurred by a string of corporate collapses capped by the bankruptcy of Bahamas-based exchange FTX in April. The continent’s most populous nation has seen a surge in virtual currency adoption, in part fuelled by the steep decline of the nation’s fiat currency.

Important details: Only naira-based accounts will be permitted and there will be no cash withdrawals, the central bank said. The restrictions also bar clearing third-party checks through crypto accounts and will limit withdrawals to two per quarter.

View the additional regulatory briefs from this month:

• Trading and markets
• Risk, capital and financial stability
• Green finance

Sign up to receive these updates in your inbox first.

How we can help

Bloomberg’s Public Policy and Regulatory team brings you insight and analysis on policy developments to help navigate the complex and fast changing global regulatory landscape. To discuss regulatory solutions, please get in touch with our specialists or read more insights from our Regulatory team.

The Global Regulatory Brief provides monthly insights on the latest risk and regulatory developments. This brief was written by Bloomberg’s Regulatory Affairs Specialists.

Digital finance regulatory developments

As technology continues to reshape financial services, regulators and policy-setters are embarking on a range of digital-finance initiatives to manage risks and set appropriate standards. From Singapore to the EU, the following developments from the past month in digital finance stand out:

• EU: Supervisory Authorities issue final drafts of detailed policy measures under DORA
• US: Securities and Exchanges Commission authorizes Bitcoin-spot ETFs
• Singapore: AI Verify Foundation proposes governance framework for Generative AI
• UK: Information Commissioner’s Office consults on GenAI
• US: Commodity Futures Trading Commission requests information on use of AI in derivatives markets
• US: Federal Trade Commission launches probe into AI partnerships
• EU: Commission unveils new package of measures on AI
• India: Reserve Bank issues checklist for use of AI in banks
• Nigeria: Central Bank places strict rules on banks after lifting crypto ban

EU issues final drafts of detailed policy measures under DORA

The EU Supervisory Authorities (ESAs) published the final drafts of detailed policy measures under the Digital Operational Resilience Act (DORA).

In summary: The published texts cover the detailed rules (regulatory technical standards and implementing technical standards) which, according to the DORA Regulation, were to be finalized by the ESAs by January 17, 2024. The ESAs already consulted stakeholders on earlier drafts of these rules from June to September 2023.

The details: Specifically, these detailed rules cover:

• Final draft rules on ICT risk management framework and RTS on simplified ICT risk management framework
• Final draft rules on the criteria for the classification of ICT-related incidents by financial entities
• Final draft rules on the templates for the register of information to be completed by financial entities
• Final draft rules on the contractual arrangements policy on the use of ICT services supporting critical or important functions

Timeline: The final drafts are now submitted to the EU Commission for their review and endorsement, to be followed by a scrutiny period by the EU Parliament and EU Member States before they can become law.

Closely related: The ESAs are also consulting on the second group of draft detailed rules under DORA, to be finalized by July 17, 2024. These cover the rules on conduct of the EU oversight of critical vendors, major ICT incidents reporting by financial entities, subcontracting rules and threat-let penetration testing. The consultation runs until March 4, 2024.

Go-live: DORA is set to apply in the EU from January 17, 2025.

US SEC approves spot Bitcoin ETF

The US Securities and Exchange Commission (SEC) approved exchange-traded products (ETPs) that invest directly in Bitcoin. 

Context: SEC Chair Gary Gensler, a Democrat, voted to approve along with Commissioners Hester Peirce and Mark Uyeda, both Republicans, signaling bi-partisan support. 

• In his statement announcing the decision, Chair Gary Gensler noted that the ruling of the US Court of Appeals for the District of Columbia in the case regarding Grayscale’s proposed ETP, namely that the SEC failed to properly explain its reasoning for denying the application, was behind the Commission’s decision to approve spot Bitcoin ETPs 
• However, Democratic Commissioner Caroline Crenshaw issued a statement which was harshly critical of the order, calling it “unsound and ahistorical” 

Important clarification: This SEC action is limited to ETPs holding one non-security commodity, Bitcoin, and Chair Gensler stated that it should in no way signal the SEC’s willingness to approve listing standards for crypto-asset securities. 

• The Chair also stated that the approval does not signal anything about the Commission’s views as to the status of other crypto assets under the federal securities laws.
• Further, the Chair repeated his position that the vast majority of crypto assets are investment contracts and thus subject to the federal securities laws, and that Bitcoin is a “speculative, volatile asset that’s also used for illicit activity including ransomware, money laundering, sanction evasion, and terrorist financing.”

Investment protection: The SEC action includes certain protections for investors, such as requiring investor disclosures, limiting the trading of these products to national securities exchanges, and applying existing rules and standards of conduct to the purchase and sale of approved ETPs. 

In parallel: The Commission noted that staff are separately completing the review of registration statements for ten spot Bitcoin ETPs simultaneously. The agency posits that this should help “create a level playing field for issuers and promote fairness and competition, benefiting investors and the broader market.”

Singapore proposes Model AI Governance Framework for Generative AI

Singapore’s Artificial Intelligence Verify Foundation (AIVF) and Infocomm Media Development Authority (IMDA) have developed a draft Model AI Governance Framework for Generative AI that builds on the Model Governance Framework that covers Traditional AI and was last updated in 2020. 

Important context: The growing global consensus that consistent principles are required to create a trusted environment to contain the risks associated with using generative AI has led to the proposed framework. 

In summary: The framework proposes to look at nine dimensions to foster a trusted ecosystem, including accountability, data, trusted development and deployment, incident reporting, testing and assurance, security, content provenance, safety and alignment R&D and AI for public good. 

The aim: The proposed framework aims to facilitate international dialogue between policymakers and industry stakeholders, and encourage responsible innovation.

Timeline: The proposed framework is open for comments and views from the international community before the finalization in mid-2024.

UK Information Commissioner’s Office launches consultation series on generative AI

The UK Information Commissioner’s Office (ICO) launched the first of a series of consultations on generative Artificial Intelligence (AI) specifically to examine how aspects of data protection law should apply to the development and use of AI. 

Important context: Generative AI models are being used across the economy to create new content across a wide range of sectors. 

In more detail: This first consultation from the ICO examines when it is lawful to train generative AI models on personal data scraped from the web. The ICO is seeking views from a range of stakeholders, including developers and users of generative AI, legal advisors and consultants working in this area, civil society groups and other public bodies with an interest in generative AI.

Looking ahead: The first consultation is open until March 1, 2024, and future consultations to be launched in the first half of 2024 will examine issues such as the accuracy of generative AI outputs.

US CFTC issues Request for Information on use of AI in derivatives markets

The US Commodity Futures Trading Commission (CFTC) issued a Request for Information related to the use of AI in markets regulated by the Commission.

Context: The request comes as regulators across the federal government work to develop guidance and propose rules around the use of artificial intelligence in their respective jurisdictions.

• The Commission noted that this request was spawned in part by their own ongoing efforts to understand and regulate the use of technology in derivatives markets, but was also pushed along by President Biden’s October 2023 Executive Order on artificial intelligence. 

Implications: While there are no immediate implications, the information gleaned from this process will be used to inform future guidance and rulemaking, similar to the 2023 predictive data analytics proposal from the SEC, which also started out as a request for information.

Theme developing: Governance, controls, and conflicts of interest are concerns when it comes to AI for both the CFTC and the SEC. There are similarities between the SEC’s proposal to regulate the use of predictive data analytics in investor interactions, and the CFTC’s request for information. These themes are expected to reappear in the work underway at various different agencies. 

US FTC launches probe into AI partnerships, investments

The Federal Trade Commission (FTC) issued compulsory Section 6(b) orders to Amazon, Anthropic, Microsoft, and Google’s parent company, Alphabet.

Why 6(b)? Section 6(b) of the FTC Act authorizes the Commission to conduct studies which gather information to allow regulators to better understand market trends and current business practices. Findings from these studies often help inform future Commission actions.

Competitive concerns? The Commission explained that its inquiry is focused on corporate partnerships and investments with AI providers and the broader impacts on competition in the space. FTC Chair Lina Khan has expressed that it is key to ensure smaller firms are not getting squeezed out of the AI market by larger players, thereby limiting competition. 

EU Commission unveils new package of measures on AI

The EU Commission has unveiled a new package of measures on AI to prepare for the implementation of the Artificial Intelligence Act following the political agreement reached in December 2023.

AI Office: Team within the EU Commission that will play a leading role both in the development and coordination of AI policy, and in the supervision and enforcement of the AI Act. The decision to establish the AI Office enters into force with immediate effect with operations commencing in the following months.

• The AI Office will be established within the Commission and will implement the future AI Act at EU level and will supervise the rules for general-purpose AI models and systems.
• It is intended to become a central coordination body for AI policy at EU level and cooperate with other Commission departments, EU bodies, Member States and the stakeholder community.
• It will have an international vocation and promote the EU approach to AI governance and contribute to the EU’s international activities on AI.
• More generally, the AI Office is expected to build up knowledge and understanding on AI and foster AI uptake and innovation. The decision to establish the AI Office enters into force immediately.

AI factories: This will be part of the EU’s supercomputers Joint Undertaking activities. This proposal will now need to be agreed by the EU Parliament and EU member states before it becomes law. The objectives are:

• Acquiring, upgrading and operating AI-dedicated supercomputers to enable fast machine learning and training of large General Purpose AI (GPAI) models
• Facilitating access to the AI dedicated supercomputers, contributing to the widening of the use of AI to a large number of public and private users, including startups and SMEs
• Offering a one-stop shop for startups and innovators, supporting the AI startup and research ecosystem in algorithmic development, testing evaluation and validation of large-scale AI models, providing supercomputer-friendly programming facilities and other AI enabling services
• Enabling the development of a variety of emerging AI applications based on General Purpose AI models

EU AI start-up and innovation communication: This outlines additional key activities:

• Additional overall public and private investment of around €4 billion until 2027.
• Accompanying initiatives to strengthen EU’s generative AI talent pool through education, training, skilling and reskilling activities.
• The acceleration of the development and deployment of Common European Data Spaces, made available to the AI community to train and improve their models.
• The ‘GenAI4EU’ initiative, which aims to support the development of novel use cases and emerging applications in Europe’s 14 industrial ecosystems, as well as the public sector. Applications include robotics, health, biotech, manufacturing, mobility, climate and virtual worlds.

European Digital Infrastructure Consortiums: The Commission is also establishing, with a number of member states, two European Digital Infrastructure Consortiums (EDICs): 

• The ‘Alliance for Language Technologies’ (ALT-EDIC) aims to develop a common European infrastructure in language technologies to address the shortage of European languages data for the training of AI solutions
• The ‘CitiVERSE’ EDIC will apply state-of-the-art AI-tools to develop and enhance Local Digital Twins for Smart Communities

Communication on AI use at the Commission: The Commission also adopted a Communication outlining the Commission’s own strategic approach to the use of Artificial Intelligence. 

• It includes concrete actions about how the Commission will build institutional and operational capacity to ensure the development and use of trustworthy, safe and ethical AI. 
• The Commission is also preparing to support EU public administrations in their own adoption and use of Artificial Intelligence.

RBI issues checklist for use of AI in banks

The Reserve Bank of India (RBI) has offered a ten-point checklist for banks to refer to when designing and using AI.

Risks related to using AI: Deputy Governor of the RBI, M Rajeshwar Rao, said that many AI models operate in a black box which make decoding for audit and supervisory review a challenge. He also highlighted the risks and vulnerabilities such as data poisoning, unexpected behavior and bias predictions, which financial institutions should be careful about. 

Ten-point checklist: Mr Rao said that financial institutions looking to deploy AI-based models would need to consider fairness, transparency, accuracy, consistency, data privacy, explainability, accountability, robustness, monitoring and updating, as well as human oversight.

Other concerns: Mr Rao also mentioned that only a few organizations globally would have large enough datasets to train generative AI models, and this could give rise to issues relating to market power, competition, and cross-border concerns.

Nigeria places strict rules on banks after lifting crypto ban

Nigeria’s central bank has released inaugural guidelines for banks opening cryptocurrency accounts, while retaining its ban on them holding or trading in virtual assets on their own behalf. 

In summary: The rules flesh out the regulator’s decision in December to lift its prohibition on banks operating accounts for crypto service providers.

Wider context: Nigeria joins other African regulators in extending oversight of cryptocurrencies, spurred by a string of corporate collapses capped by the bankruptcy of Bahamas-based exchange FTX in April. The continent’s most populous nation has seen a surge in virtual currency adoption, in part fuelled by the steep decline of the nation’s fiat currency.

Important details: Only naira-based accounts will be permitted and there will be no cash withdrawals, the central bank said. The restrictions also bar clearing third-party checks through crypto accounts and will limit withdrawals to two per quarter.

View the additional regulatory briefs from this month:

• Trading and markets
• Risk, capital and financial stability
• Green finance

Sign up to receive these updates in your inbox first.

How we can help

Bloomberg’s Public Policy and Regulatory team brings you insight and analysis on policy developments to help navigate the complex and fast changing global regulatory landscape. To discuss regulatory solutions, please get in touch with our specialists or read more insights from our Regulatory team.