March Global Regulatory Brief: Digital finance

As technology continues to reshape financial services, regulators and policy setters are embarking on a range of digital-finance initiatives to manage risks and set appropriate standards. The following digital finance policy developments represent a sample of wider regulatory and policy coverage available to Bloomberg Terminal customers. Run REGS <GO> to find out more or contact your Bloomberg representative:

• EU: Eurosystem publishes Appia roadmap for tokenized finance
• Japan: JFSA publishes updated AI discussion paper
• UAE: Central Bank issues guidance on AI and ML
• Singapore: MAS consults on operational and third-party risk management

Eurosystem publishes Appia roadmap for tokenized finance

The Eurosystem has published the roadmap for “Appia,” a strategic initiative to shape the development of a European tokenized wholesale financial ecosystem anchored in central bank money. The roadmap outlines a long-term approach to integrating distributed ledger technology (DLT) into financial market infrastructures, with a blueprint expected by 2028. Appia complements the Eurosystem’s forthcoming “Pontes” solution for DLT-based settlement in central bank money.

Context

Appia builds on the Eurosystem’s 2024 exploratory work on new technologies for wholesale central bank money settlement. It forms part of a broader strategy to ensure that, amid increasing tokenization of financial assets, central bank money remains the anchor of the monetary system. Pontes, scheduled for launch in Q3 2026, will provide a DLT-based solution for settling wholesale transactions in central bank money.

Key takeaways

• Strategic objective: Appia aims to develop an integrated, innovative and resilient European tokenized financial ecosystem, while preserving the role of central bank money.
• Scope: Focuses on wholesale financial markets, where tokenization could streamline issuance, trading, settlement, custody and servicing through DLT-based platforms and smart contracts.
• Two-track approach:
  • Pontes – operational DLT settlement solution (from 2026)
  • Appia – broader, long-term strategic framework to shape tokenized market infrastructures and standards
• Blueprint by 2028: The Eurosystem intends to publish a detailed vision for the ecosystem in 2028, informed by stakeholder engagement and practical experimentation.
• Infrastructure design: Appia will assess alternative DLT configurations, including single shared networks versus multiple interconnected networks, with an emphasis on common standards and European governance.
• Policy and stability considerations: The initiative seeks to safeguard monetary policy transmission, financial stability and payment system efficiency, while enhancing Europe’s competitiveness, resilience and strategic autonomy.

Next steps

The Eurosystem has invited feedback from stakeholders and published a questionnaire alongside the roadmap. Analytical and practical work under Appia will proceed in cooperation with market participants, public authorities and academia. The initiative is expected to conclude with the publication of a comprehensive blueprint in 2028, while Pontes will be launched in the third quarter of 2026 and progressively enhanced thereafter.

JFSA publishes updated AI discussion paper (V1.1)

Summary

The JFSA has released the AI Discussion Paper (Version 1.1), updating the 1.0 edition based on insights from the 2025 Public-Private Forum on AI, summarizing the current use of AI in financial institutions, related challenges, and issues concerning risk management, governance, and regulatory interpretation. While the analysis remains preliminary and subject to change as technology and the business environment evolve, the JFSA intends to use these perspectives as a starting point and continue deepening discussions—flexibly and collaboratively with stakeholders—on concrete measures going forward.

Context

In March 2025, the JFSA published the AI Discussion Paper (Version 1.0) to support the sound use of AI in the financial sector and to facilitate constructive dialogue with industry stakeholders. From June to December of the same year, the JFSA held the “JFSA Public-Private Forum on AI”, where participants shared knowledge and discussed the state of AI utilization, risk management and governance practices related to AI, and situations where clarification of regulatory applicability is necessary. Based on the insights obtained through this Forum, the JFSA has now updated Version 1.0 and released it as AI Discussion Paper (Version 1.1).

Key takeaway

1. Risk mitigation for customer-facing AI services is evolving, and a shared viewpoint is emerging across financial institutions. The JFSA structures its guidance into four phases: (1) Design & pre‑implementation testing, (2) Customer explanations & warnings, (3) Post‑launch verification & monitoring, and (4) Governance.
2. Regulatory interpretation is being clarified, including the JFSA’s view that securities firms may provide customer conversation data (including non‑public information) when outsourcing AI system development to related subsidiaries. The JFSA and industry groups will continue examining specific use cases to develop clearer interpretations and industry practices.
3. Practical AI adoption is accelerating, with top management now leading concrete efforts to improve operational efficiency and create new business opportunities through sound AI usage.
4. High-quality data is essential for effective AI. Purpose‑driven data preparation, agile implementation structures, and risk‑based approaches are increasingly recognized as effective, with industry‑wide knowledge‑sharing expected to progress.
5. Examples of risk‑mitigation measures for customer‑facing services include careful design, strong governance, transparent customer communication, and continuous monitoring to ensure safe AI use.

Next steps

The Discussion Paper outlines financial institutions’ AI use and challenges, noting its analysis is preliminary. The JFSA will deepen discussions, adapting flexibly with stakeholders as technology and business environments evolve. The JFSA welcomes comments on the paper.

Central Bank of the UAE issues guidance on AI and ML

The Central Bank of the UAE announced the issuance of its Guidance Note on the Consumer Protection and Responsible Adoption and Use of AI and ML by Licensed Financial Institutions (LFIs). It outlines governance, fairness, transparency, human oversight, data protection and ongoing monitoring principles to ensure AI systems are deployed safely, ethically and in line with existing regulatory obligations, while supporting innovation in the financial sector. Further highlights include regulatory priorities relating to bias mitigation, algorithmic transparency, model monitoring, and the preservation of fair customer outcomes.

Key points

• Governance & Accountability: LFIs should implement proportionate AI governance frameworks under board and senior management accountability, with clear oversight, reporting, risk integration and maintained inventories of AI models aligned with regulatory standards.
• Fairness & Non-Discrimination: LFIs must ensure AI systems are fair, ethical and non‑discriminatory by using representative data, conducting regular bias testing and operating in line with consumer protection obligations and institutional codes of conduct.
• Transparency & Explainability: LFIs should clearly disclose AI use and decision‑making in understandable formats, provide explanations and redress mechanisms for customers, consider opt‑out rights for high‑impact decisions, and communicate accessibly across relevant languages.
• Human Oversight: LFIs must apply proportionate human oversight to AI systems, enable challenge and redress, maintain accountability for outsourced models, continuously monitor performance, and retain the ability to suspend AI use through human intervention.
• Data Management Requirements: LFIs must ensure AI data is high‑quality, lawful and secure, embed privacy‑ and security‑by‑design, test for robustness and resilience, and where feasible use AI to support fraud detection and financial crime compliance.

MAS consults on operational and third-party risk management

Summary

MAS has released two parallel consultation papers in March 2026 proposing significant updates to its operational resilience regime:

1. Revised Guidelines on Operational Risk Management (ORMG), which replace the 2013 guidelines and introduce enhanced expectations for governance, proportionality, change management, and disclosure; and
2. New Guidelines on Third‑Party Risk Management (TPRMG), which supersede outsourcing guidelines and extend requirements to all third‑party arrangements.
   Both consultations close on 20 April 2026.

Context

The financial sector’s increasing digitalization, reliance on external service providers, and heightened cyber and operational vulnerabilities prompted MAS to modernize both its operational risk and third‑party risk frameworks. ORMG incorporates the Basel Committee’s revised operational risk principles, while TPRMG aligns with international work by the FSB and BCBS on third‑party and supply‑chain risk. Both guidelines reflect MAS’ strategic shift toward an integrated, resilience‑focused supervisory model.

Key takeaways

1. Scope and proportionality
   • ORMG: Applies to all FIs, with proportional implementation based on size, risk profile, and complexity.
   • TPRMG: Applies to all third‑party arrangements (not only outsourcing), with proportionality based on service materiality and FI complexity.
2. Governance expectations strengthened
   • Both consultations heighten board and senior‑management responsibilities.
   • ORMG: Requires a dedicated senior‑management ORM committee, robust risk appetite/tolerance, and integrated operational‑risk frameworks.
   • TPRMG: Board must approve TPRM strategy, materiality assessments, risk appetite for disruption, and ensure independent review/audit.
3. Group‑wide and cross‑border oversight
   • FIs under MAS consolidated supervision or owning critical information infrastructure must ensure both ORMG and TPRMG expectations apply to branches/subsidiaries (including overseas).
4. Operational Risk Framework Enhancements (ORMG)
   • Modernized principles covering governance, risk taxonomy, policies, KRIs, scenario analysis, change‑management lifecycle, and reporting obligations.
   • D‑SIBs/D‑SIIs must publicly disclose ORM frameworks, significant loss events, and publish their codes of conduct.
5. Comprehensive Third‑party Risk Lifecycle Requirements (TPRMG)
   The TPRMG introduces detailed expectations across the full lifecycle:
   • Risk assessment: includes materiality, substitutability, data sensitivity, supply‑chain dependencies.
   • Due diligence: covers financial viability, technology risk, BCM/DR, governance, legal compliance, and subcontractor reliance.
   • Contracting: requires mandatory clauses for audit/inspection rights, access to information, incident reporting, data confidentiality, termination rights, and MAS access.
   • Ongoing monitoring: requires multidisciplinary oversight groups, periodic due diligence, performance metrics, and monitoring of concentration risk.
   • Termination: mandates exit plans, orderly transition arrangements, and scenarios where MAS may direct termination.
6. Sub‑Contractor Oversight and Supply‑Chain Risk (TPRMG)
   • Strong new requirements to manage risks from sub‑contractors, including prior notification, mapping, and contractual cascading of controls.
   • Pass‑through (layered) subcontracting is not prohibited but requires enhanced oversight and mitigation.
7. Register of Third‑Party Arrangements (TPRMG)
   • FIs must maintain a comprehensive third‑party register and submit it semi‑annually, covering all material arrangements and (where possible) material sub‑contractors.
   • Banks/merchant banks continue to comply with Notices 658/1121 via a single consolidated register.
8. Disclosure and reporting obligations
   • ORMG: D‑SIBs/D‑SIIs must publicly disclose ORM frameworks and significant loss events; formal disclosure policies required.
   • TPRMG: FIs must notify MAS of adverse developments (including branch/subsidiary incidents) and ensure service providers cooperate with MAS.
9. Transition and implementation
   • Both ORMG and TPRMG propose a 6‑month transition period post‑issuance for FIs to update frameworks, agreements, controls, and disclosures.

Next steps

• Consultation responses due 20 April 2026 via FormSG links in both papers.
• MAS will finalize both guidelines, after which a six‑month compliance window will begin.