September Global Regulatory Brief: Digital finance
The Global Regulatory Brief provides monthly insights on the latest risk and regulatory developments. This brief was written by Bloomberg’s Regulatory Affairs Specialists.
Digital finance regulatory developments
As technology continues to reshape financial services, regulators and policy setters are embarking on a range of digital-finance initiatives to manage risks and set appropriate standards. From cybersecurity in India to generative AI in Hong Kong, the following developments in digital finance over the past month stand out:
- US: California passes AI training data transparency bill
- India: SEBI publishes cybersecurity and cyber resilience framework
- Hong Kong: HKMA issues generative artificial intelligence circular
- Indonesia: OJK launches digital resilience guide for banks
- Vietnam: Ministry of Public Security consults on draft data law
- Malaysia: Securities Commission implements revised technology risk management rules
- US: Agencies propose joint rule establishing data standards under the Financial Data Transparency Act
- US: OpenAI, Anthropic agree to share new models with US AI Safety Institute
- Hong Kong: HKMA reviews virtual banks and consults on new name
- EU: ESAs issue final draft measures on subcontracting under DORA
California passes AI training data transparency bill
The California legislature passed a bill that would require AI developers to make publicly available high-level summaries of their training data containing a number of technical details.
In summary: Developers would have to disclose whether the dataset contains any personal information or any material protected by intellectual property rights.
- The bill would also require firms to disclose whether synthetic data (data generated using AI) was used to train an AI system.
- The bill was narrowed prior to passage to apply only to generative AI which can create text, images, and similar content.
Why it matters: If signed into law by Governor Gavin Newsom (D), the bill would be the most comprehensive AI training data transparency law in the United States.
- If signed into law, the bill would take effect in 2026.
- Legislation passed in California has an outsized effect relative to laws passed in smaller states and can at times influence the national debate around a given issue.
SEBI publishes the Cybersecurity and Cyber Resilience Framework (CSCRF)
The Securities and Exchange Board of India has published the Cybersecurity and Cyber Resilience Framework that sets out obligations of Regulated Entities (REs) in relation to cybersecurity and cyber resilience, as well as requirements on hosted services used by REs.
In more detail: The CSCRF comprises the following parts:
- Objectives (goals that a security control needs to achieve) and standards (established principles for compliance with the CSCRF)
- Guidelines: recommended measures for complying with the standards (a number of which are mandatory)
- Structured formats for compliance
- Annexures and references
Key details: The CSCRF includes provisions regarding data protection and localization and requires REs to:
- document and implement authentication and access policy along with effective log collection and retention policy
- design and implement network segmentation techniques to restrict access to sensitive information, hosts, and services
- implement the layering of full-disk encryption along with file-based encryption for data protection
- put in place strong data protection measures (for both at-rest and in-transit data), with industry-standard encryption algorithms
- classify data into regulatory data and IT and cybersecurity data, as defined in the CSCRF, and keep these within the boundaries of India
Cybersecurity policy: The CSCRF also includes the requirement for REs to maintain a cybersecurity policy which captures the following elements:
- ‘identify’ critical IT assets and risks associated with such assets
- ‘protect’ assets by deploying suitable controls, tools, and measures
- ‘detect’ incidents, anomalies, and attacks through appropriate monitoring tools/processes
- ‘respond’ by taking immediate steps after identification of the incident, anomaly, or attack
- ‘recover’ from an incident through incident management and other appropriate recovery mechanisms
Looking ahead: For REs where cybersecurity and cyber resilience circulars already exist, adoption of CSCRF provisions is required by January 1, 2025. For other REs where the CSCRF is being issued for the first time, this is set for April 1, 2025.
HKMA issues generative artificial intelligence circular
The Hong Kong Monetary Authority (HKMA) has issued a circular providing Authorized Institutions (AIs) with guiding principles on the use of generative artificial intelligence (GenAI) in customer-facing applications from a consumer protection perspective.
Background: In 2019, the HKMA issued a set of guiding principles on the use of big data analytics and artificial intelligence (BDAI) by AIs, focusing on governance, fairness, transparency, and data privacy. These principles aimed to help promote the healthy development of BDAI in the Hong Kong banking sector and enhance customer confidence.
In more detail: With the increasing interest in adopting GenAI in banking operations, the HKMA has set out additional principles under each of the four major areas to ensure appropriate safeguards for consumer protection:
- Governance and accountability: The board and senior management should remain accountable for GenAI-driven decisions, ensure proper validation of GenAI models, and adopt a “human-in-the-loop” approach during the early stage of deployment.
- Fairness: AIs should ensure GenAI models produce objective, consistent, ethical, and fair outcomes, and provide customers with the option to opt out of using GenAI or request human intervention.
- Transparency and disclosure: AIs should disclose the use of GenAI to customers, communicate the purpose and limitations of the models, and enhance customers’ understanding of the model-generated outputs.
- Data privacy and protection: AIs should comply with the Personal Data (Privacy) Ordinance and relevant recommendations from the Office of the Privacy Commissioner for Personal Data.
In summary: The HKMA encourages AIs to explore the use of BDAI, including GenAI, in enhancing consumer protection by identifying vulnerable customers, providing more information to customers, and issuing fraud alerts.
Closely related: The Hong Kong Monetary Authority (HKMA) and Cyberport introduced the Generative Artificial Intelligence (GenAI) Sandbox during the FiNETech2 event, aimed at fostering AI adoption in the financial sector.
Indonesian OJK launches digital resilience guide for banks
The Otoritas Jasa Keuangan (OJK, the Indonesian Financial Services Authority) launched the Digital Resilience Guide, focusing on three key aspects: resilience to business dynamics, resilience to disruption, and consumer protection.
In more detail: The digital resilience framework focuses on three main aspects:
- Business competitiveness: This covers elements needed for a bank’s business to remain relevant in the market, such as technology adoption, talent development and organizational culture for the digital era, and consumer-oriented product development.
- Resilience against disruption: This is reflected in the Business Continuity Management (BCM) framework, consisting of three main stages – the Anticipation Stage, which involves preparing for potential disruptions or threats in the digital environment; the Withstand and Recover Stage, which is the process of managing security incidents or disruptions while ensuring the bank’s operations remain effective; and the Sustain Stage, including ongoing evaluation and development of capabilities and knowledge to enhance resilience procedures.
- Customer resilience in the digital era: Apart from taking steps to strengthen digital resilience within the bank, banks need to also educate customers to increase their awareness and guard against digital attacks.
The digital resilience framework and its related aspects have been included in the Digital Resilience Guide to serve as a reference to banks in managing operational technology disruptions or cyber incidents while minimizing customer losses, reputational damage, and financial losses.
Looking ahead: The OJK also plans to issue specific guidelines for the banking sector related to artificial intelligence implementation.
Vietnam Ministry of Public Security consults on draft data law
The Ministry of Public Security in Vietnam released a draft data law for public comment on July 1, 2024. The draft law contains data transfer requirements for core, important and other data.
In summary: The draft law regulates the following aspects:
- The construction, development, processing and management of data
- Requirements for specific forms of data processing, applicable to both state entities and private enterprises
- The application of science and technology in data processing (including AI)
- Conditions for engaging in newly recognized data-related services, including prohibitions on offshore enterprises from rendering certain services
- Responsibilities of agencies, organizations and individuals with regards to data activities
In more detail: The draft law prescribes that data classified as core data or important data must be evaluated and approved by a competent authority before it can be provided or transferred outside of Vietnam.
- Core data is defined as data that has a high coverage across sectors, groups, and regions and can directly affect political security if used or shared illegally.
- Important data is defined as data in sectors, groups, or areas that can directly endanger national security, economic activities, social stability, and public health and safety if leaked, falsified, or destroyed.
Scope and context: The draft law is expected to have extraterritorial scope, regulating both offshore and onshore entities that are involved in data activities in Vietnam – adding to the data localization requirements that institutions need to contend with in the APAC region.
Next steps: The consultation closes on September 1, 2024, after which it will be submitted to the National Assembly for debate and approval. The law is expected to take effect from January 1, 2026.
Securities Commission of Malaysia implements revised technology risk management rules
Malaysia’s Securities Commission (SC) has implemented its revised Guidelines on Technology Risk Management.
In summary: The guidelines were initially released in August 2023 so that capital market entities could familiarize themselves with the expected risk management practices; their scope has now been expanded beyond cybersecurity to include technology risks, among others.
- The revised guidelines emphasize the significance of strengthening operational reliability, security and resilience against technology disruptions.
- They also set out the SC’s expectations on risk management practices to be adopted by industry.
In more detail: The key areas covered include the change management process, third party service providers, reporting requirements, technology audit, board oversight and accountability over technology risks.
- The amendments, among others, include new requirements on submitting reports to the SC on near-miss events, performing cybersecurity assessments prior to deployment of a system, and conducting penetration testing prior to deployment of new critical systems.
- In addition, the guidelines were also amended to specify that the SC can appoint an independent party to conduct a review on capital market entities to assess compliance, including performing a technology audit, where necessary.
- The SC can also provide guidance to capital market entities on using artificial intelligence (AI) and machine learning (ML) in an ethical manner.
For more context: Updated FAQs are published here and the amendments are summarized here.
US agencies propose joint rule establishing data standards under the Financial Data Transparency Act
A group of nine federal agencies (including the SEC, Treasury, and FDIC, among others) issued a joint notice of proposed rulemaking (“NPRM”) to establish data standards to promote interoperability of financial regulatory data across the agencies. The joint data standards established under this rulemaking will eventually be incorporated into collections of information reported to each agency.
Details: The rulemaking, required under the Financial Data Transparency Act of 2022 (“FDTA”), directs the agencies to jointly establish data standards for data collected by each agency. The FDTA requires these standards to include the use of a common nonproprietary legal entity identifier that is available under an open license for all entities required to report to the Agencies. The FDTA also requires that the joint data standards, to the extent practicable:
- Render reported data machine-readable;
- Enable high-quality data through schemas, with accompanying metadata documented in a machine-readable taxonomy that clearly defines the semantic meaning of the data;
- Ensure that a data element or data asset that exists to satisfy an underlying regulatory information collection requirement be consistently identified as such in associated machine-readable metadata;
- Be nonproprietary or made available under an open license;
- Incorporate standards developed and maintained by voluntary consensus standards bodies; and
- Use, be consistent with, and implement applicable accounting and reporting principles.
Following adoption of the joint data standards, the FDTA directs each agency to issue individual rules incorporating the standards into specific collections of information under existing regulatory reporting requirements.
Timeline: Comments must be received by October 21, 2024.
OpenAI, Anthropic agree to share new models with US AI Safety Institute
The U.S. Artificial Intelligence Safety Institute within the Department of Commerce’s National Institute of Standards and Technology reached agreements with OpenAI and Anthropic to facilitate formal collaboration on AI safety research, evaluation and testing.
Why it matters: The Memorandum of Understanding (MOU) with each firm provides for the US AI Safety Institute to gain access to new major models from each firm prior to and after their release to the public.
- Policymakers have expressed concerns over how models operate, how they are trained, and the underlying training data.
- These agreements signify efforts to address some of those concerns.
HKMA reviews virtual banks and consults on new name
The Hong Kong Monetary Authority (HKMA) published a report reviewing the operations and impact of virtual banks (VBs) in Hong Kong.
In summary: The review assessed the achievement of policy objectives, market acceptance, and financial performance of VBs since their inception in 2020.
Background context: Following the issuance of a revised “Guideline on Authorization of Virtual Banks” in 2018, the HKMA granted banking licenses to eight VBs which commenced their business in 2020. The HKMA considered it timely to assess their operations and impact on the Hong Kong banking system.
In more detail: The report found that VBs have met the policy objectives of promoting fintech, enhancing customer experience, and financial inclusion.
- Despite initial challenges due to COVID-19, VBs have gained 2.2 million depositors by the end of 2023.
- However, none had achieved profitability as at the end of 2023, although their operating income increased seven-fold and net losses reduced by 15% from FY2021 to FY2023.
- Some of the VBs have already demonstrated good growth momentum and are progressing steadily towards profitability through continuous service innovation, whereas others have undertaken a major shift in business strategy or group restructuring initiatives with the aim of enhancing business performance and thereby accelerating the pace to profitability.
Looking ahead: The HKMA considers that the current structure of the VB sector is appropriate and that the existing number of VBs is ideal, with no intention to issue additional VB licences at this time.
- In light of the recent developments of the VBs, the current requirement that a VB should primarily deliver retail banking services is considered no longer appropriate or necessary and will therefore be removed.
- The HKMA will continue to monitor the operations and development of the eight VBs closely and provide guidance in the process of their development of new products and services, and provide policy clarity as and when necessary.
Closely related: A public consultation is under way to rename “Virtual Bank” to “Digital Bank” to better reflect their operations – “digital” is a broader term that has connotations of “Internet” and “technology”, and thus seems to better reflect the use of the latest financial technologies and innovations by VBs.
ESAs issue final draft measures on subcontracting under DORA
The EU Supervisory Authorities (ESAs) published the final draft regulatory technical standard (RTS) specifying how to determine and assess the conditions for subcontracting information and communication technology (ICT) services that support critical or important functions under the Digital Operational Resilience Act (DORA).
In more detail: The final draft rules focus on ICT services provided by ICT subcontractors that support critical or important functions, or material parts of them, specifying the requirements throughout the lifecycle of contractual arrangements between financial entities and ICT third-party service providers.
Requirements for financial entities include assessing the risks associated with subcontracting during the pre-contractual phase, including the due diligence process, and subsequently monitoring the implementation and management of the contractual arrangements.
Context: This draft RTS was part of the second batch of DORA detailed policy measures, which were due to be finalized by the ESAs by July 17, 2024, and which were published on that date.
Next steps: The final draft rules have been submitted to the EU Commission (EC) for endorsement. Once the EC endorses the texts, these will be submitted to a three-month scrutiny period by the EU Parliament and Council.
- If no objections are raised, they will enter into force following their publication in the EU Official Journal.
- The DORA rules are set to apply in the EU from January 17, 2025.
How we can help
Bloomberg’s Public Policy and Regulatory team brings you insight and analysis on policy developments to help navigate the complex and fast changing global regulatory landscape. To discuss regulatory solutions, please get in touch with our specialists or read more insights from our Regulatory team.