03 Regulatory Landscape & RegTech
1. H2020 FINSEC – DIGITAL FINANCE ACADEMY FOR SECURITY
INNOV-ACTS, Limited
H2020 FINSEC Project
The FINSEC project is co-funded by the European Union’s Horizon 2020 programme under grant agreement No 786727
Understanding RegTech and the Regulatory Landscape
05/11/2019
Introducing RegTech (1)
§ RegTech: Technologies that boost the delivery of regulatory requirements
  § Considered a subset of FinTech
§ RegTech delivers regulatory compliance better and in a more cost-effective way than traditional technologies
  § It’s about new capabilities that reduce costs and provide more efficiency
  § Otherwise, IT technology has been used to support regulatory compliance (e.g., reporting) for many years
§ Motivated by cost pressures on financial institutions (e.g., after the 2008 crisis)
Introducing RegTech (2)
§ RegTech can reduce a client’s regulatory and compliance costs, automate certain compliance tasks and reduce risks.
§ Rapidly maturing over the last couple of years and attracting a lot of attention from banks, vendors, service firms and regulators.
  § Example: Deutsche Bank, JP Morgan, Santander and HSBC all have teams that explore RegTech investment opportunities
  § Governments are starting to collaborate with companies towards supporting the adoption of new technologies to facilitate the delivery of regulatory requirements.
Classification of RegTech Applications
Regulatory Compliance
• Regulatory Intelligence
• Regulatory Reporting
• Compliance & Governance
Financial Crime
• Fraud Detection
• Money Laundering & Terrorist Financing
• Market Abuse
Risk Management
• Market Risk
• Operational Risk
• Cyber Risk
KYC & Identity Management
• KYC for Verification
• KYC for On-boarding
• KYC for AML checks
Classification of RegTech Applications
Regulatory compliance:
• Help banks in gathering regulatory intelligence, mapping policies and compliance governance
• Automated data sharing with regulatory authorities
Risk management:
• Detect market risks
• Monitor employee conduct for suspicious behavior
• Protect data and systems from numerous cyber risks
Financial crime:
• Help banks monitor financial transactions in real time
• Detect fraud, market abuse, money laundering or terrorist financing activities, etc.
Identity management:
• Help banks with KYC procedures
• Anti-money laundering sanctions and anti-fraud screening
Examples of RegTech Collaborations (source: BURNMARK | Alvarez & Marsal (Jan 2018))
Digital Finance: The Impact of Regulations
Impact of the Regulatory Environment (figure):
• Characteristics of the digital finance business: Activities, Products, Practices, Size, Target Customers, Locations
• Regulatory elements: Regulatory Authorities, Applicable Laws & Regulations, Licensing Requirements, Scope of Permitted Activities, Compliance Requirements, Information Disclosure and Reporting Requirements
Regulators’ Approaches and Stance against FinTechs
Regulators’ Approach to FinTech (figure): Proactive, Passive, Restrictive
Regulatory Approaches: (Pro)Active
§ Regulators work closely with startups and digital finance enterprises
  § In several cases proactively
  § Aiming at understanding new developments and their implications
  § Working towards defining solutions to regulatory challenges
§ Examples of proactive regulatory activities:
  § Drafting regulation in collaboration with enterprises (incl. consultation)
  § Regular feedback on the rationale during the regulation process
  § Provision of support and consulting feedback to FinTech innovators, helping them align their products with regulatory developments
§ The UK’s Financial Conduct Authority (FCA) is an example of a proactive regulatory authority
§ Important note: A proactive approach requires intensive use of regulatory resources and there is a risk that agencies become overwhelmed
Regulatory Approaches: Passive
§ Facilitating FinTech innovators and digital finance enterprises is not a top priority for national regulators
§ However, national regulators do not raise barriers to innovators’ efforts
§ Example: The German regulator, the Federal Financial Supervisory Authority (BaFin) (https://www.bafin.de/)
Regulatory Approaches: Restrictive
§ Approach adopted by risk-averse governments
§ Large bureaucracies that typically fear regulatory capture by the industry
§ Example: United States of America
  § Multi-layered, fragmented regulatory system.
  § 5 federal agencies directly examine and supervise financial institutions, and 20+ federal agencies regulate various aspects of financial products.
  § Many parallel regulatory agencies exist in each of the individual states.
  § FinTech companies must evaluate their regulatory environment on an individual basis in order to identify which regulatory agencies have authority over their activities and which laws and regulations apply.
Regulatory Sandbox
Regulatory sandbox:
• Safe environment where businesses can test innovative products without immediately incurring the normal regulatory consequences (e.g., no due process and enforcement actions).
Practical examples:
• UK: The FCA authorizes sandbox firms with restrictions (non-banks only), allowing them to test their ideas – a time- and resource-consuming process
• Singapore: Guidance to establish a regulatory sandbox (June 2016) without major engagement of regulators
• Australia & Hong Kong: Efforts to develop regulatory sandboxes have started
• USA: One regulator is considering a sandbox, though no safe harbors from regulation would be available
The Payment Services Directive (PSD)
§ Experiences from PSD application in 2010–2015 and open points:
  § Inconsistent application of the PSD and of other European regulations in the various Member States
  § Several generic exemptions in the Directive
  § Many operators and unregulated intermediaries
  § Lack of standardisation and interoperability of payment solutions and security systems
  § Application of different fees across EU Members
Goals of The 2nd Payment Services Directive (PSD2)
§ Strengthening consumer protection
§ Easing the development of new payment solutions
§ Regulating new market players
§ Applying uniform fees on card payments in line with the regulation on Multilateral Interchange Fees (MIF)
§ Increasing the level of competition
§ Overcoming differences between the disciplines of the EU Members towards a digital single market
§ General increase in efficiency through the standardisation of infrastructures
PSD2 Environment: Driving Forces
Increased Digitalization
• Expanded use of technological devices (e.g., tablets, smartphones)
• Change in consumer habits – customers seek the best experience
• Increased use of electronic tools that collect customer information
Relevant Market Data
• Non-cash transactions worldwide in 2014 increased by 9% compared to 2013
• For 2018 it was forecast that the number of digital transactions would reach +19% compared to 2014.
• In several countries payment card transactions have doubled or even tripled during the last couple of years
Entry of New Players
• Increased competition
• Over-the-top players (e.g., Google, Amazon, Apple)
• New third-party providers (TPPs) (e.g., Sofort, Trustly)
• New business models for banks to deal with.
PSD2: New Stakeholders
§ Two new types of Payment Services Providers (PSPs) that are conveniently called Third-Party Services Providers (TPSPs):
  § Account Information Services Providers (AISPs): Provide payment users with access to all accounts relevant to them (e.g., accounts in multiple banks)
  § Payment Initiation Services Providers (PISPs): Bridge between the payer and the payee
    § Payers no longer have to initiate the process through their bank
    § Payees are immediately informed about the payment initiation (e.g., they can better administer the dispatch of a product)
PSD2: New Obligations
§ The new Payment Services Providers (PSPs) (AISPs, PISPs) impose new obligations on banks:
  § Banks should respond instantly to requests from AISPs
  § Payments through PISPs must be handled the same way as those initiated from the banks
  § In case banks do not offer transactional services, their obligation is restricted to AISPs only
§ A new standard (and API) has been developed to enable AISP and PISP interfaces with payment users:
  § Access to Account (XS2A)
PSD2: Scope of Transactions and Liability
§ For all transactions within the EU (i.e., both ends in the EU) the PSD imposes transparency and information requirements
  § PSD2 extends the scope of transactions to those where only one party resides in the EU
  § AISPs and PISPs must hold professional indemnity insurance covering all territories where their services are effective
  § Increased consumer protection, as payment users are liable for up to 50€ per transaction (from 150€ in the PSD)
    § Except for cases where the payment user has acted fraudulently or exhibited gross negligence
PSD2 Main Impacts
New Entrants
• Agile and flexible market players (beyond banks)
• No need to maintain sophisticated IT infrastructure or comply with complex laws
Business Model Evolutions
• Shift from profit generated by payments to value-added services
• Market competition and profitable services
Improved Customer Experience and Expectations
• Based on enhanced value-added services comprising customer-centric functionalities
• Changes in the conventional customer-payment relationship based on AISPs
Organizational Impact
• New IT infrastructure emphasizing Open APIs and security
• Upgrades to computational capacity
What is GDPR?
§ GDPR is the European Union’s new data protection law.
§ Replaces the Data Protection Directive (the “Directive”), which has been in effect since 1995.
§ While it preserves many of the principles established in the Directive, it is much more ambitious.
§ Gives individuals greater control over their personal data and imposes many new obligations on organizations that collect, handle, or analyze personal data.
§ Gives national regulators new powers to impose significant fines on organizations that breach the law.
When did it take effect?
§ Takes effect on May 25, 2018. The GDPR actually became law in April 2016, but given the significant changes some organizations will need to make to align with the regulation, a two-year transition period was included.
§ Organizations should not expect any grace period from regulators beyond May 25, 2018.
GDPR: The Six Key Principles (1)
Transparency, fairness, and lawfulness in the handling and use of personal data:
• You will need to be clear with individuals about how you are using personal data and will also need a “lawful basis” to process that data.
Limiting the processing of personal data to specified, explicit, and legitimate purposes:
• You will not be able to re-use or disclose personal data for purposes that are not “compatible” with the purpose for which the data was originally collected.
Minimizing the collection and storage of personal data:
• Minimize to that which is adequate and relevant for the intended purpose.
GDPR: The Six Key Principles (2)
Ensuring the accuracy of personal data and enabling it to be erased or rectified:
• You will need to take steps to ensure that the personal data you hold is accurate and can be corrected if errors occur.
Limiting the storage of personal data:
• You will need to ensure that you retain personal data only for as long as necessary to achieve the purposes for which the data was collected.
Ensuring security, integrity, and confidentiality of personal data:
• Your organization must take steps to keep personal data secure through technical and organizational security measures.
GDPR Applicability
§ Applies to processing of anyone’s personal data, if the processing is done in the context of the activities of an organization established in the EU (regardless of where the processing takes place).
§ Applies to processing of personal data of individuals who reside in the EU by an organization established outside the EU, where that processing relates to the offering of goods or services to those individuals or to the monitoring of their behavior.
§ Global impact: The EU is often viewed as a role model on privacy issues internationally, so we also expect to see concepts in the GDPR adopted in other parts of the world over time.
Does my data processing fall within the scope of the GDPR?
§ The GDPR regulates the collection, storage, use, and sharing of “personal data.”
§ Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person.
  § “Personal data” includes any data that relates to an identified or identifiable individual.
  § Examples: Online identifiers (e.g., IP addresses), employee information, sales databases, customer services data, customer feedback forms, location data, biometric data, CCTV footage, loyalty scheme records, health and financial information and much more.
  § Broad definition: it can even include information that does not appear to be personal (e.g., a photo of a landscape without people, where that information is linked by an account number or unique code to an identifiable individual)
What if you are processing data on behalf of others?
§ You still need to comply with the GDPR!
§ GDPR applies to organizations that collect and process data for their own purposes (“controllers”) as well as to organizations that process data on behalf of others (“processors”).
§ This is a shift from the previous data protection Directive, which applied primarily to controllers.
The risks of non-compliance
§ For the last several decades, European privacy laws have generally not included significant fines for breaches.
§ That will change dramatically under the GDPR.
§ The maximum fine for serious infringements will be the greater of €20 million or four percent of an organization’s annual global revenue.
§ GDPR empowers consumers (and organizations acting on their behalf) to bring civil litigation against organizations that breach the GDPR.
Key GDPR Terms (Article 4) (1)
“Controller”
• Natural or legal person, public authority, agency or other body
• Alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor”
• Natural or legal person, public authority, agency, or other body
• Processes personal data on behalf of the controller.
“Personal data”
• Any information relating to an identified or identifiable natural person (“data subject”)
• An identifiable natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data etc., or to one or more factors specific to the identity of that natural person.
Key GDPR Terms (Article 4) (2)
“Processing”
• Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means
• Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination etc.
“Pseudonymisation”
• Processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information,
• Provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that personal data are not attributed to an identified or identifiable natural person.
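The two halves of the pseudonymisation definition, as an added example that is not part of the FINSEC slides: direct identifiers are replaced by a keyed pseudonym, and the HMAC key plus the pseudonym-to-identity lookup (the "additional information") live in a separate store. The record layout, the field names and the HMAC-SHA256 construction are assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample customer records (not from the slides).
SAMPLE_RECORDS = [
    {"customer_id": "C001", "name": "Alice Example", "balance": 1200.50, "segment": "retail"},
    {"customer_id": "C002", "name": "Bob Example", "balance": 87.00, "segment": "retail"},
]

# Fields that identify the data subject directly (assumed for this example).
DIRECT_IDENTIFIERS = ("customer_id", "name")


class PseudonymisationKeyStore:
    """The 'additional information' of the GDPR definition: the HMAC key and the
    pseudonym-to-identity lookup. It lives in a separate system, under its own
    access controls, so that the pseudonymised data set alone cannot be
    attributed to a natural person."""

    def __init__(self, key=None):
        # A random secret key; deriving pseudonyms from an unkeyed hash of the
        # customer id would let anyone holding an id list rebuild the mapping.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup = {}  # pseudonym -> customer_id

    def pseudonym_for(self, customer_id):
        """Deterministic keyed pseudonym: the same customer always maps to the
        same token, so records stay linkable for analytics without the key."""
        digest = hmac.new(self._key, customer_id.encode("utf-8"), hashlib.sha256)
        token = digest.hexdigest()[:24]
        self._lookup[token] = customer_id
        return token

    def reidentify(self, pseudonym):
        """Reverse the mapping; only possible with access to this store."""
        return self._lookup.get(pseudonym)


def pseudonymise(records, store, direct_identifiers=DIRECT_IDENTIFIERS):
    """Strip direct identifiers from each record and attach a keyed pseudonym.
    The returned data set is what an analytics team or a processor receives."""
    pseudonymised = []
    for record in records:
        out = {k: v for k, v in record.items() if k not in direct_identifiers}
        out["pseudonym"] = store.pseudonym_for(record["customer_id"])
        pseudonymised.append(out)
    return pseudonymised


def contains_direct_identifiers(records, direct_identifiers=DIRECT_IDENTIFIERS):
    """Control check: True if any direct identifier survived pseudonymisation."""
    return any(k in record for record in records for k in direct_identifiers)


if __name__ == "__main__":
    store = PseudonymisationKeyStore()
    data = pseudonymise(SAMPLE_RECORDS, store)
    print("pseudonymised:", data)
    print("leaks identifiers:", contains_direct_identifiers(data))
    print("re-identified first record as", store.reidentify(data[0]["pseudonym"]))
```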
AML (Anti-Money Laundering)
§ Money laundering:
  § Act of concealing the transformation of profits from illegal activities and corruption into ostensibly "legitimate" assets.
  § Criminals attempt to account for the proceeds without raising the suspicion of law enforcement agencies
AML (Anti-Money Laundering) Methods (1)
Structuring: Cash is broken into smaller deposits of money, used to defeat suspicion of money laundering and to avoid anti-money laundering reporting requirements
Bulk cash smuggling: Physically smuggling cash to another jurisdiction and depositing it in a financial institution, such as an offshore bank
Cash-intensive businesses: A business typically expected to receive a large proportion of its revenue as cash uses its accounts to deposit criminally derived cash. Service businesses (e.g., parking structures, strip clubs, tanning salons, car washes, arcades, bars, restaurants, and casinos) are best suited to this method.
Trade-based laundering: Under- or over-valuing invoices to disguise the movement of money (e.g., in the art market)
Shell companies and trusts: Trusts and shell companies disguise the true owners of money. Trusts and corporate vehicles, depending on the jurisdiction, need not disclose their true owner
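Detecting the structuring pattern described above is a typical RegTech transaction-monitoring task (slide 5: "help banks monitor financial transactions in real time"). The following added example, not taken from the slides, aggregates a customer's just-below-threshold cash deposits over a sliding time window and raises an alert when they add up to the reporting threshold; the threshold, band, window and the sample deposits are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed monitoring parameters. The reporting threshold is a placeholder:
# the real value depends on the jurisdiction and the institution's risk appetite.
REPORT_THRESHOLD = 10_000.0   # cash reporting threshold in EUR (placeholder)
NEAR_BAND = 0.15              # deposits within 15% below the threshold are "near"
WINDOW = timedelta(days=7)    # look-back period for aggregating near deposits
MIN_NEAR_DEPOSITS = 2         # one near-threshold deposit alone is not an alert

# Constructed sample deposits: (customer_id, ISO-8601 timestamp, amount in EUR).
SAMPLE_DEPOSITS = [
    ("C001", "2019-11-01T09:15:00", 9500.0),
    ("C001", "2019-11-01T14:40:00", 9800.0),
    ("C001", "2019-11-02T10:05:00", 9700.0),
    ("C002", "2019-11-01T11:00:00", 12000.0),  # above threshold: normal reporting applies
    ("C003", "2019-11-01T09:00:00", 300.0),
    ("C003", "2019-11-03T09:00:00", 450.0),
    ("C004", "2019-11-01T09:00:00", 9900.0),   # near threshold, but the second
    ("C004", "2019-11-20T09:00:00", 9900.0),   # deposit falls outside the window
]


def is_near_threshold(amount, threshold=REPORT_THRESHOLD, band=NEAR_BAND):
    """True when an amount sits just below the reporting threshold."""
    return threshold * (1.0 - band) <= amount < threshold


def detect_structuring(deposits, threshold=REPORT_THRESHOLD, window=WINDOW,
                       min_count=MIN_NEAR_DEPOSITS):
    """Flag customers whose near-threshold deposits within one window add up to
    at least the threshold. Returns {customer_id: {"count", "total", "from", "to"}};
    when several windows qualify, the latest one is reported."""
    near = defaultdict(list)
    for customer, timestamp, amount in deposits:
        if is_near_threshold(amount, threshold):
            near[customer].append((datetime.fromisoformat(timestamp), amount))

    alerts = {}
    for customer, rows in near.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Drop deposits from the left until the window spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            total = sum(amount for _, amount in span)
            if len(span) >= min_count and total >= threshold:
                alerts[customer] = {
                    "count": len(span),
                    "total": total,
                    "from": span[0][0].isoformat(),
                    "to": span[-1][0].isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for customer, info in detect_structuring(SAMPLE_DEPOSITS).items():
        print(f"ALERT {customer}: {info['count']} deposits totalling "
              f"{info['total']:.2f} EUR between {info['from']} and {info['to']}")
```

In production the alert would feed the red-flag handling and evidence-retention controls described in the CDD slides rather than being printed.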
AML (Anti-Money Laundering) Methods (2)
Round-tripping: Money is deposited in a controlled foreign corporation offshore, where minimal records are kept, and then shipped back as a foreign direct investment
Bank capture: Criminals buy a controlling interest in a bank, preferably in a jurisdiction with weak money laundering controls, and then move money through the bank without scrutiny.
Casinos and other gambling: An individual walks into a casino and buys chips with illicit cash. The person cashes in the chips and claims the proceeds as gambling winnings. Likewise, money can be spent on gambling, preferably on high-odds games (e.g., betting on every possible outcome)
Black salaries: Employing unregistered workers without written contracts and paying them cash salaries
Tax amnesties: Legalising unreported assets and cash held in tax havens
EU’s AML (Anti-Money Laundering) Directives
§ Fourth and latest iteration of the EU's anti-money laundering directive (AMLD IV)
  § Published on 5 June 2015; brings the EU's anti-money laundering laws more in line with the US's
    § Lack of harmonization in AML requirements between the US and EU has complicated the compliance efforts of global institutions that are looking to standardize Know Your Customer (KYC)
  § AMLD IV promises to better align the AML regimes by adopting a more risk-based approach compared to its predecessor, AMLD III
§ Fifth Money Laundering Directive (5MLD)
  § Will come into force on 10 January 2020
  § Destined to address a number of weaknesses in the European Union's AML/CFT regime that have come to light since the enactment of the Fourth Money Laundering Directive (AMLD IV).
AMLD IV Risk Based Approach
§ Member States are required to evidence that they have taken appropriate steps to identify, assess, understand, and mitigate AML/CTF risk
  § “National Risk Assessment”
§ Obliged entities (“designated persons”) are already required to evidence that they have taken steps to identify, assess, understand, and mitigate AML/CTF risk
  § Considering risk factors such as customer, product, geography, and channel
  § This requirement and the factors for consideration are more explicit in AMLD IV.
AMLD IV Customer Due Diligence
§ In AMLD III obliged entities are required to take:
  § Enhanced measures where the customer risk is considered greater
  § Simplified measures where the risks are considered lower
§ AMLD IV prescribes minimum factors to be taken into account before applying simplified CDD:
  § Evidence why they have considered the risk to be low enough to apply simplified CDD (SCDD)
  § Avoid a blanket approach of applying SCDD where customers fall into a certain category
  § Detail the factors where the enhanced measures will be considered
AMLD III/IV Customer Due Diligence (Review)
§ Risk-based Assessment
  § Procedures should include how and when in the process the firm identifies client and transactional risk:
    § Client Risk – “Know Your Customer”
    § Individual Transaction Risk – “Know Your Customer’s Business”
  § Start: assess client AML risk at the start of the relationship and Transaction Risk when instructed on a particular piece of business
  § Middle: re-assess (if appropriate) through the course of the deal – has anything changed?
  § End: Finalise the risk assessment just before the deal is sealed and cash changes hands
  § List potential “red flag” indicators, risk factors & questions to ask during the risk assessment process
  § Control what happens when red flags/risks are identified
  § State examples/type of evidence which should be held
Risk Level: Level of Due Diligence
• Low: Simplified/Standard
• Medium: Standard
• High: Enhanced
AMLD IV Ongoing Monitoring
§ The Fourth EU AML Directive is more prescriptive with respect to the on-going monitoring of customers:
  § Specific in outlining factors for consideration/evidencing in conducting risk assessments for each customer
  § Details how these risk assessments must be kept up-to-date
§ Reinforced requirement to undertake a risk-based approach:
  § Obliged entities must be able to evidence the rationale behind the risk rating applied to each customer
AMLD IV Politically Exposed Persons
§ Definition of PEPs extended to include domestic PEPs
  § Obliged entities have to review their customer registers to ascertain if they need to reclassify and apply enhanced CDD to any existing customers as PEPs under the new definition
  § Obliged entities will be required to monitor the risk posed when a person ceases to hold the title yielding PEP status for a period of at least 18 months, as opposed to the current obligation of 12 months
AMLD IV Beneficial Ownership
§ Explicit requirement for legal persons, including companies, to hold adequate, accurate, and current information on their own beneficial ownership.
  § Information must be made readily available to both competent authorities (CBI) and obliged entities on request.
  § Applies also to trustees, who will be required to disclose their status to obliged entities.
AMLD IV Third Party Equivalence
AMLD III: Specifies a “white list” of jurisdictions where AML/CTF legislation is considered equivalent to the EU’s
AMLD IV: The list of equivalent jurisdictions will be rescinded, and obliged entities will therefore need to perform a risk assessment on countries where they do business outside of the EU
AMLD IV Policies – Procedures – Data Protection – Record Keeping
§ AMLD IV introduces a provision in respect of policies & procedures:
  § Data protection elements are considered within AML/CTF policies & procedures for sharing of customer information
  § Target: Balance between robust controls and the protection of the rights of data subjects
§ AMLD IV provides clarity as to the application of AML/CTF rules for subsidiaries in third countries where AML/CTF legislation is deemed deficient, or non-equivalent:
  § The AML/CTF legislation applicable in the regulated entity’s home Member State or equivalent standard should be applied
§ Maximum retention period for CDD documentation after the business relationship has ended, set at 5 years
  § Can be extended by up to 10 years if provided for under local legislation
AMLD IV Financial Intelligence Unit
§ Strengthen the cooperation between Financial Intelligence Units (FIU) of the Member States in respect of exchanging information. This extends to FIUs:
  § Access to financial, administrative and law enforcement information
  § Take early action in response to requests from law enforcement authorities within the Member State
  § Establish an operational analysis and strategic analysis function within the FIU