August Global Regulatory Brief: Digital finance

The Global Regulatory Brief provides monthly insights on the latest risk and regulatory developments. This brief was written by Bloomberg’s Regulatory Affairs Specialists.

As technology continues to reshape financial services, regulators and policy setters are embarking on a range of digital-finance initiatives to manage risks and set appropriate standards. The following digital finance policy developments represent a sample of wider regulatory and policy coverage available to Bloomberg Terminal customers. Run REGS <GO> to find out more or contact your Bloomberg representative to learn more:

• USA: Chair Atkins Outline’s SEC Approach to Crypto
• South Africa: Regulators issue cloud computing and data offshoring guidance
• Indonesia: launch AI regulatory framework and data authority
• India: RBI submits report on framework for responsible AI adoption in the financial sector

SEC chair Atkins outline’s SEC approach to crypto

SEC Chair Paul Atkins announced the launch of “Project Crypto”, a Commission-wide initiative to implement the recent recommendations of the Presidential Working Group’ Report on Digital Assets. The goal of Project Crypto is to align the agency’s rulebook with the needs of the digital asset markets. Project Crypto signals a shift toward a regulatory approach that prioritizes on-chain infrastructure, legal clarity, and responsible innovation for participants in the crypto asset market. 

Key directives: 

• Asset Classification and Distributions: Develop public guidelines to help market participants determine whether crypto assets are securities, commodities, or stablecoins. Propose tailored exemptions, safe harbors, and disclosures for token distributions.
• Tokenization: Provide guidance and regulatory relief for firms seeking to tokenize traditional instruments like stocks and bonds, with a goal of bringing tokenized securities activity back onshore and ensure U.S. market participants can issue and trade these products under a workable framework.
• On-Chain Trading and Reg NMS: Reexamine elements of Regulation NMS to support on-chain trading of tokenized securities and reduce distortions that inhibit market innovation.
• Trading Venues and Licensing Structure: Create a framework that permits crypto asset securities and non-securities to trade side-by-side on SEC-regulated platforms. Explore a unified licensing model to support integrated “super-app” platforms combining trading, custody, and related services.
• Custody and Market Access: Modernize custody rules to reflect crypto-specific risks, expand the pool of compliant custodians, and reaffirm the right to self-custody. Address constraints created by prior SEC guidance and enforcement posture.
• On-Chain Innovation and Regulatory Flexibility: Establish clear regulatory space for decentralized finance protocols and non-intermediated systems. Explore a principles-based “innovation exemption” to allow novel crypto business models to launch under limited, risk-aligned conditions.

Broader context: These directives mark a clear departure from the SEC’s prior enforcement-first approach and signal a coordinated shift toward regulatory clarity, competitive neutrality, and onshoring digital asset innovation.

South Africa issues cloud computing and data offshoring guidance

The Financial Sector Conduct Authority (FSCA) and Prudential Authority (PA) have issued a joint communication to guide financial institutions on risk mitigation when using cloud computing or data offshoring. The Authorities are expected to develop a Joint Standard to formalise requirements and ensure sector-wide consistency.

The only current regulatory framework-related instruments/documents focused on cloud computing that have been published and relates to banks is 3.3.1 Directive 3 of 2018 – Cloud computing and the offshoring of data.

Key points and proposals:

• The scope of financial institutions that will be subject to the Joint Standard is still under consideration, but the intention is to ensure alignment and uniformity across the financial sector as far as possible.
• Interim expectations include: 
  • Adopting a risk-based approach aligned to institutional risk appetite, with appropriate governance, strategy, and due diligence measures.
  • Boards and senior management must oversee policies, data governance frameworks, and legal compliance for cloud/offshore arrangements.
  • Financial institutions must ensure confidentiality, integrity, and availability of data, and address contractual enforceability.
• Supervisory capability on cloud/offshore risks will be enhanced in 2025–2026 through routine supervision.

Next steps:

• The Directive mentions that the relevant Authorities (FSCA and PA) are considering whether policy interventions are necessary and “have commenced a process of formulating a regulatory instrument focused on introducing requirements pertaining to the use of cloud computing and data”. 
• The draft regulatory instrument will be published for public consultation in due course.

Indonesia to launch AI regulatory framework and data authority

Indonesia is taking significant steps to govern its digital economy by finalising a comprehensive regulatory framework for Artificial Intelligence (AI) and establishing its first national Personal Data Protection (PDP) Authority this month. The forthcoming AI regulation, developed in partnership with the UK, will establish a national roadmap and focus on governance in six key sectors, with a draft expected for public consultation in August. Concurrently, the new PDP Authority will be responsible for enforcing the country’s 2022 data protection law, including monitoring compliance, imposing sanctions, and overseeing cross-border data transfers.

In more detail:

• AI Regulatory Framework: The new AI rules will be issued as a presidential regulation and are being developed in collaboration with the UK. The framework will establish a national AI roadmap targeting governance across six key sectors, including financial services, e-commerce, health, and education. Its policy focus is on strengthening the entire AI ecosystem by addressing digital infrastructure, data governance, talent development, investment, and ethical considerations.
• Personal Data Protection (PDP) Authority: The establishment of the national data watchdog, mandated by the 2022 Personal Data Protection Law, is expected to be finalised this month. The PDP Authority will have wide-ranging powers, including formulating data protection policies, monitoring compliance, and imposing administrative sanctions. Critically, it will also oversee and approve cross-border data transfers, a key function as Indonesia negotiates bilateral data-sharing agreements.

Next steps: The formal establishment of the Personal Data Protection Authority is expected to be finalised this month; the newly formed data authority will begin its work formulating specific data protection policies and establishing its compliance and enforcement mechanisms. The Ministry of Communication and Digital (Komdigi) is expected to release the initial draft of the presidential regulation on AI for public consultation, with the draft scheduled to be submitted for a formal review by the Ministry of Law and the State Secretariat by September.

RBI Committee submits report on framework for responsible AI adoption in the financial sector

In December 2024, the Reserve Bank of India (RBI) constituted a committee to develop a Framework for Responsible and Ethical Enablement of Artificial Intelligence (FREE-AI). On August 13, 2025, the RBI’s FREE-AI Committee released a blueprint to enable AI innovation across banks, Non-Banking Finance Companies (NBFCs), Payment System Operators (PSOs), and FinTechs, while safeguarding consumers and financial stability.

In more detail:

The framework is anchored in seven Sutras (e.g., Innovation over Restraint; Understandable by Design; Accountability) and operationalised through two interlinked frameworks—Innovation Enablement (Infrastructure, Policy, Capacity) and Risk Mitigation (Governance, Protection, Assurance). Together, these are translated into 26 time-bound recommendations, each specifying actions, implementing entities, and indicative timelines.

Innovation Enablement Framework – structured with recommendations to unlock AI’s potential responsibly, including:

• Sector data infrastructure: A financial-sector data Digital Public Infrastructure integrated with IndiaAI Kosh – India Datasets Platform, established under the IndiaAI Mission.
• AI innovation sandbox: A shared testing environment without regulatory relaxations.
• Bridging the digital divide: Shared compute “landing zones” for smaller Registered Entities, backed by an indicative ₹5,000 crore fund.
• Indigenous AI models: Sector-specific models tailored for India’s linguistic and financial diversity.
• Integration with DPI: Leveraging AI alongside existing DPIs to advance inclusion.

Risk Mitigation Framework – structured with recommendations to ensure safe adoption, covering:

• Governance: Board-approved AI policies, lifecycle oversight, AI inventories, dependency mapping, and a graded liability framework that keeps REs liable but allows supervisory tolerance for first-time errors where safeguards are in place.
• Protection: Customer awareness, disclosures, grievance redressal, human override, strengthened cyber resilience, and the ability to terminate AI instantly if needed.
• Assurance: Incident reporting , AI inventories and a sector-wide repository, and calibrated audits, applied proportionately to the risk profile of use cases.

Looking ahead: The 26 recommendations lay out a roadmap for implementation — specifying what changes are required, who should implement them (RBI, other regulators, REs, industry bodies, government agencies), and the timeframe (short, medium, or long term). These recommendations are expected to guide the development of the final framework by the RBI and a possible phased roll-out of the FREE-AI framework.