ONESPAN GLOBAL FINANCIAL REGULATIONS REPORT

2020 INTRODUCTION

Financial institutions worldwide are challenged to comply with the ever-changing regulatory landscape while leveraging the latest technologies to balance compliance, consumer-friendliness, security and expenses. The global coronavirus pandemic has made 2020 an historic year and has forced just about every organization to alter its way of doing business. For example, regulators in many jurisdictions embraced the Financial Action Task Force’s Digital Identity Guidance to permit remote customer onboarding and electronic signatures. This in turn drove financial institutions to acquire and deploy these technologies to continue to serve customers while complying with social distancing guidelines. We scanned the globe to identify recent regulations, legislation, and policies that impact banks and other financial institutions, specifically in the areas of privacy, cybersecurity, anti-money laundering, know your customer, digital identity, authentication, and electronic signatures. This report is not an inventory of all regulations. It is concentrated on those enacted during 2019 and 2020, or that will take effect in 2021 and 2022. We hope this report is a valuable resource for you and your organization. As this is our inaugural regulatory report, we welcome your comments and feedback. Your input will enable us to improve on this work for the 2021 edition. You may email us at [email protected].

Respectfully,

Disclaimer The information contained in this document is for information purposes only, provided as is as of the date of publication and should not be relied upon as legal advice or to determine how the law applies to your business or organization. It is recommended that you seek guidance from your legal counsel with regard to law applying specifically to your business or organization and how to ensure compliance. OneSpan does not accept liability for the contents of these materials or for third parties’ materials.

EXECUTIVE SUMMARY

The year 2020 will be forever remembered for the coronavirus pandemic that affected millions of lives around the globe. The global health crisis has strained healthcare systems and medical professionals globally and its impact on just about every industry has forced companies and organizations to alter their operations.

The pandemic has also driven governments around the world to rapidly enact laws, policies and regulations to enable commerce digitally and remotely. This is one of the overarching themes of our inaugural OneSpan Global Financial Regulations Report. This report is not a catalogue of every law and regulation that every financial institution must comply with. Rather, it is concentrated on key regulations and recently enacted laws and policies that banks and other financial institutions must comply with to conduct business in the digital economy. It spans digital identity, fraud prevention, data protection, digital payments security, open banking, electronic signatures and remote online notarization, among others.

The regulatory environment in the financial sector is ever changing. While the pandemic has prioritized the move to digital services, the reality is the industry has been migrating to digital for some time. The pandemic, in turn, exposed shortcomings in security and technical infrastructure, particularly in jurisdictions and financial institutions that have been lagging in the migration to digital. As a result, we will continue to see more data privacy and data protection laws enacted throughout the world. Each will bring unique regulatory requirements for financial institutions. Additionally, open banking will become the norm throughout the industrialized world, as will e-KYC and remote customer onboarding.

To that point, one of the most significant publications of the year came from the global money laundering and terrorist financing watchdog, the Financial Action Task Force (FATF). In March 2020, the FATF published its Guidance on Digital Identity. Although the timing of its release coincided with the onset of the pandemic, in truth the FATF’s guidance was developed over a span of two years, driven by the rapid growth in digital payments and the need to know who is really transacting. Included in the guidance are details on the best way to apply customer due diligence to digital ID systems for remote identity verification during onboarding as well as authentication for financial transactions. It also includes a description of how third-party reliance between regulated entities can be used by financial institutions to meet the requirements.

With the onset of the pandemic, the FATF’s guidance proved instrumental to regulators seeking secure, consumer-friendly solutions that would enable financial institutions to continue operations while adhering to social distancing. As an extension of this, we saw regulators in Hong Kong, Pakistan, Greece, Macedonia, Mexico and Turkey approve remote bank account openings in 2020 – a clear indicator that even processes rooted in traditional face-to-face meetings in the branch are now going digital and contactless around the globe.

We at OneSpan strive to inform our customers and partners of important regulatory changes pertaining to digital identity, fraud prevention, electronic signature, data privacy and data protection impacting the global financial services sector. As this is our inaugural annual report, we welcome your comments and feedback on how we can improve on this valuable resource in 2021.

NORTH AMERICA

In the United States, the regulatory landscape has been impacted by the pandemic as federal and state policymakers and regulators have been forced to make changes to accommodate social distancing. While it was an unprecedented year on this front, five key areas of interest stand out: data privacy and data protection, cybersecurity, open banking, digital payments, and remote online notarization.

Data privacy and data protection remain top concerns for federal and state policymakers and regulators alike. In January, the National Institute of Standards and Technology (NIST) published its privacy framework. The framework is voluntary and provides the financial sector and other verticals with best practices. At the same time, the much-heralded California Consumer Privacy Act (CCPA) took effect, impacting virtually every financial institution in the state. Just two months later, the New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) took effect. It includes breach notification provisions, requires reasonable data security, establishes standards, and provides protections from liability for certain entities.

This summer, the Federal Trade Commission held a virtual workshop pertaining to the proposed changes to the Gramm Leach Bliley Act’s Safeguard Rule announced in 2019. The proposed changes would require financial institutions and applicable businesses to encrypt customer data, implement access controls and use multi-factor authentication to access customer data. As of the publication of this report, the FTC has yet to publish the new rules.

Cybersecurity remains a top focus at a time where bad actors and organized crime rings are looking to capitalize on the pandemic, the shift to remote work, and the general fear and uncertainty. Modeled after the New York Department of Financial Services’ (NYDFS) Cybersecurity Regulation, the National Association of Insurance Commissioners published the Insurance Data Security Model Law in 2017 designed to strengthen cybersecurity for the insurance industry. Included in the model law is the requirement to “utilize effective controls, including multi-factor authentication procedures for any individual accessing ‘non-public information’.” As of the publication of this report, 11 states have enacted laws with six additional states having bills before their legislatures. We expect to see further movement among the states in the coming months.

Open banking in the U.S. has been on and off over the past two years. In October of this year, the Consumer Financial Protection Board (CFPB) issued an Advanced Notice of Proposed Rulemaking on consumer authorized access to financial data. This could be the catalyst for open banking. Additionally, the Office of the Comptroller of Currency (OCC) announced plans to grant fintech charters to non-depository financial institutions while exempting them from state-by-state compliance requirements. This was met with pushback from state regulators, including the New York Department of Financial Services.

On the payments front, the Federal Reserve published specifications for its Fed Now service, a new federal instant payment service expected to launch in the 2023-2024 timeframe. The Fed has also been conducting research into the development of a US digital currency (CBDC). No timeframe has been announced as to whether the Fed will move forward with a CBDC.

At the state level, remote online notarization (RON) has rapidly gained traction across the country, driven largely by the COVID-19 pandemic. Except for a few states, laws have been enacted or RON has been temporarily permitted via executive order by Governors, to enable notarized documents to continue for industries such as financial services and real estate. In some states, this also includes electronic wills.

In Canada, we are seeing similar trends in the areas of digital business and digital trust. In particular, the country is making rapid progress in their adoption of digital identity, open banking, and instant payments, while permitting new use cases for electronic signature and analyzing future use of a digital currency.

Digital identity is a key focus area. In 2019, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) revised its guidance entitled, Methods to verify the identity of an individual and confirm the existence of a corporation or an entity other than a corporation. The changes permitted remote or non-face-to-face onboarding of new customers. Since that time and due to the pandemic, banks and other financial institutions have realized this is the preferred method for customers to open new accounts in a safe and secure way.

The country took further steps toward Open Banking in January 2020, when the Advisory Committee on Open Banking published a report entitled, Consumer-directed Finance: The Future of Financial Service. The committee recommends that the government move forward with Consumer-Directed Finance (CDF) with a targeted launch in the 2021-2022 timeframe. Although not included in the report, we anticipate the launch of CDF, if approved by the government, to coincide with the forthcoming launch of the Pan-Canadian Trust Framework spearheaded by the Digital Identity and Authentication Council of Canada (DIACC).

Also noteworthy, the Bank of Canada and Payments Canada announced plans to update instant payment systems. A new high-value payment system called Lynx will replace the current Large Value Transfer Goal System. The central bank is planning to introduce the updates in Q2 2021. Additionally, the current Automated Clearing and Settlement System will be replaced in 2022 with a new instant payment system called Real-Time Rail.

Electronic signatures have seen widespread adoption in financial services across Canada. One new development that had not been permitted until 2020 was the use of e-signatures to sign wills. A likely pandemic inspired measure, the passage of British Columbia’s Bill 21, amending the Wills, Estates and Succession Act, SBC 2009, c 13 (“WESA”) made British Columbia the first Canadian jurisdiction to formally recognize electronic wills signed with e-signature technology.

The Bank of Canada previously announced that it is developing its own central bank digital currency (CBDC). It is in very early prototype stages. Over the summer, the Bank of Canada issued a set of comprehensive staff analytical notes examining the design, security, privacy and use of CBDC.

LATIN AMERICA

In Latin America, open banking, data privacy and data protection, and digital payments stood out as focus areas in 2020.

In March, Mexico’s central bank published the first set of rules for open banking in accordance with its Fintech Law. The initial rules integrate credit bureaus and clearing houses into the open banking framework. Rules applying to banks and other FIs are expected in Q1 2021.

In May, Brazil published regulations for open banking in the country by allowing sharing of personal data between financial institutions and by integrating existing financial institutions’ API systems. Brazil will roll out open banking over four phases, beginning in November. This will enable access across channels, products and services.

Data privacy and data protection is an area that also saw a lot of activity. In February, the Uruguayan government issued a decree introducing new rules related to personal data privacy that supplement the 2017 law.

Chile’s bill to Regulate the Protection and Processing of Personal Data and Create the Personal Data Protection Agency continues to make its way through the legislative process. In March it was referred to the Senate Finance Commission. If enacted, it will align with the GDPR and other international data protection standards.

Brazil’s new data privacy law, the LGPD (Lei Geral de Proteção de Dados Pessoais), took effect September 16, 2020. Enforcement will take effect August 1, 2021. The law is modelled after the European Union’s GDPR.

Lastly, on the payments front, in December 2019, the Central Bank of Chile published a regulatory framework for implementing the country’s new Real-Time Gross Settlement (RTGS) interbank payment system for payments made in US dollars.

EUROPE

While many of the requirements for PSD2 took effect in September 2019, the European Banking Authority delayed enforcement of the Regulatory Technical Standards on strong customer authentication and common and secure communication until December 31, 2020. The UK’s Financial Conduct Authority delayed enforcement until September 14, 2021.

EU Member States were required to transpose Directive (EU) 2018/843 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AMLD5) into national law by January 10, 2020. One of the key provisions of the directive is restricting the anonymous use of virtual currencies, which in their brief history have been used for illegal activities. It also calls for better identification of politically exposed persons (PEPs) and expands the number of firms subject to AML-CTF compliance. On the heels of AMLD5 is AMLD6, which defines predicate offenses (e.g., criminal activities, legal liabilities and sanctions). Member states must transpose the directive into national law by December 3, 2020.

As noted in the anti-money laundering directives above, digital currencies, including cryptocurrencies, have garnered a lot of attention from global regulators. In July, Russia’s Law on Digital Financial Assets was signed. The law will take effect January 1, 2021. Included is the requirement to provide identification to deposit funds with an electronic money operator, and they can only do so by using a bank account. Separately, the Russian State Duma passed amendments to the Law on the National Payment System. To strengthen AML rules, the amendments include a ban on anonymous online deposits to online wallets.

On the standards front, in June the European Telecommunications Standards Institute (ETSI) published new standards regarding electronic signatures and infrastructures. The new standards define types of identity verifiers and other technical information regarding e-KYC measures and safeguards.

The European Commission announced its intent to revise the 2014 eIDAS Regulation. In July, it released an impact assessment for public comment with plans to extend the regulation to the private sector and promote trusted identities for all Europeans.

The impact assessment contains a roadmap with different options for the update. One option would introduce a European digital identity scheme for EU citizens to use for both public and private sector online services. In mid-September, the President of the European Commission

proposed a new European e-identity during her State of the Union address. This will not happen overnight as member states will need to support the initiative and allocate funding and resources. The European e-identity would affect all industries throughout the EU.

Digital payments remains an area of focus. In June, the announced the launch of the European Payments Initiative with the aim to develop a unified payment system for consumers and businesses across .

Modeled after GDPR, Macedonia’s Law on Personal Data Protection went into force in February. Enforcement of Macedonia’s Law for Electronic Documents, Electronic Identification and Confidential Services, modeled after eIDAS, began September 1.

In response to COVID-19, in April the UK’s Financial Conduct Authority issued guidance on digital identity verification permitting retail financial firms to accept scanned documentation and selfie match photos to verify identities.

Over the summer, the UK government launched a document checking service pilot. Participating private sector firms can digitally check an individual’s passport data against the government database to verify their identity and help prevent crime. The pilot will run through July 31, 2021.

Turkey continues to modernize its financial sector. In late 2019, Turkey amended its Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions. The law went into effect January 1, 2020 and opens the door for open banking. Turkey has no plans to develop its own open banking system and will instead adopt PSD2.

In July, Turkey’s Regulation on Information Systems of Banks and Electronic Banking Services entered into force. Included in the regulation is the requirement for banking staff and customers to use two-factor authentication for customer account access and transactions. Additionally, the regulation addresses concerns with the security of mobile applications offered by banks to their customers and requires banks to implement fraud detection and prevention tools.

MIDDLE EAST

Countries in the Middle East are modernizing their systems with a focus on cybersecurity, digital identity, digital currencies, fintech, anti-money laundering, data protection and privacy, as well as putting in place regulations pertaining to cryptocurrency. Those initiatives are on top of issuing guidance in response to the pandemic.

Following the FATF’s Digital Identity Guidance and an ensuing survey to regional stakeholders, in April the Arab Monetary Fund (AMF) issued new guidelines for Electronic Know Your Customer (e-KYC). This permits remote or non-face-to-face onboarding of new banking customers.

Also in April, the UAE’s Dubai Courts announced that remote online notarization is permitted for certain notary services.

The Dubai Financial Services Authority published a letter on cyber-related risk monitoring and recording in March. The letter addressed the fact that due to the pandemic more employees are working remotely; it therefore asked firms to reload cybersecurity awareness programs and review access controls, including ensuring two-factor authentication was in place.

Presently, Iran is looking into a step-by-step integration of biometric payments like fingerprints and QR codes for better verification.

The European Union’s GDPR-influenced Dubai Data Protection Law 5/2020 came into force July 1, 2020. The law establishes a series of data protection principles that organizations must comply with. Financial institutions should have achieved compliance by October 1.

While many nations have concerns about cryptocurrency, Qatar’s financial center regulatory authority issued an outright ban on it in 2020.

AFRICA

Several countries in Africa are in the process of updating their payment systems and defining regulations for those systems. In late 2019, South Africa announced plans to replace its digital payment system with a new system that will expand its user base to include low value person-to-person (P2P) consumer transactions and utilize QR codes for mobile payments. Ghana’s national payment system has seen a significant increase in transactions on its platform in 2020 compared to 2019; a large portion of the increase can be attributed to the move away from cash to electronic payments during the pandemic. And Nigeria published guidelines on operations of electronic payment channels in June, which include the development of electronic payment systems.

There is also a continued drive to combat anti-money laundering and terrorist financing. For example, Angola enacted Law Number 5/2020 which establishes new rules on customer due diligence applicable to cross-border transactions.

As in other regions of the world, African nations have been focused on data privacy and data protection. Nigeria published the Data Protection Regulation Implementation

Framework in 2019 to help entities comply with the Nigeria Data Protection Regulation (NDPR). Kenya passed the Data Protection Act in 2019, which regulates how and when personal data can be obtained, handled and disposed. In May, the Moroccan Data Protection Authority Deliberation took effect, which provides guidance on the processing of personal data stored electronically and in paper form, including mail. South Africa’s Protection of Personal Information Act will go into full effect in June 2021. The central bank has encouraged proactive compliance ahead of next year’s deadline.

Kenya also passed the Business Laws Amendment in 2020. The law introduced several significant changes to existing laws to improve the ease of doing business. The law highlights the use of electronic signatures and advanced electronic signatures, which have been permitted for some time but with lackluster adoption. The law was passed in March around the outset of the pandemic.

ASIA PACIFIC

Across Asia Pacific, 2020 has been a year marked by advances in open banking, data privacy and data protection, digital payments, e-signature, e-KYC and remote onboarding.

Open banking in Australia is making slow but steady progress in becoming reality for consumers. In February, the Australian Competition and Consumer Commission (ACCC) published the final rules for competition and consumer data rights and the open banking initiative applicable to consumers seeking financial services. A phased roll-out of the rules under a national open banking initiative began with the Big Four banks on July 1, starting with sharing of “product reference data” with accredited data recipients. Mortgage and personal loan data sharing began November 1. Unlike the EU’s PSD2, the ACCC will permit screen scraping for open banking. In September, the Senate’s Select Committee on Financial Technology and Regulatory Technology recommended a new agency be created to regulate the Consumer Data Right (CDR). Meanwhile, New Zealand is currently exploring its own Consumer Data Right for open banking; currently, the country is considering an open banking model similar to the EU’s PSD2.

COVID-19 has prompted a number of regulatory and legislative activities in the region. In May, for example, the Australian government permitted corporate contracts to be executed using electronic documents and e-signatures. This ruling was extended through March 21, 2021. Australia also announced plans to amend The Corporations Act 2001 and other relevant legislation and regulations to allow for the use of electronic signature when executing legal documents and to enable witnessing of official documents via videoconferencing or other secure technological means.

Hong Kong’s Insurance Authority extended temporary Phase 2 measures that “obviate the need to conduct face-to-face meetings in order to minimize the risk of infection” during the sale of insurance policies. The measures have been extended to December 31, 2020.

The Monetary Authority of Singapore (MAS) encouraged FIs to actively promote the use of [non-face-to-face] digital options and provide customers suitable guidance on how to use them, specifically for remote identity verification.

In June, the Hong Kong Monetary Authority (HKMA) published a circular outlining remote onboarding for individual customers based on feedback from banks and fintech firms. The circular sets out regulatory expectations and best practices for remote onboarding. In September, the HKMA outlined key principles in relation to remote onboarding of corporate customers. Its circular details the differences between individual customer onboarding and corporate customer onboarding regarding customer due diligence.

There was also a lot of activity within the region as it relates to data privacy and data protection.

In December 2019, India introduced the Personal Data Protection Bill into Parliament. It would create the first legal framework for data protection in India and includes provisions similar to those of the E.U.’s General Data Protection Regulation, such as the right to be forgotten.

In January 2020, the HKMA released a proposal to review the Personal Data Privacy Ordinance (PDPO). The government is reviewing and studying possible amendments to the PDPO to strengthen the protection of personal data.

Singapore issued a consultation to amend the 2012 Personal Data Protection Law. The government wants to amend the law to “take into account technological advances, new business models and global developments in data protection legislation.”

In June, Japan’s National Diet passed an amendment to the Act on the Protection of Personal Information (APPI). Rules and guidelines are expected to be released sometime in 2021, and the amended APPI will officially come into force no later than June 2022.

In August, comprehensive changes to the Personal Information Protection Act (PIPA) went into effect. The amendments to PIPA establish new definitions, clarify several existing clauses, and permit new types of personal data processing.

In September, Taiwan’s legislature introduced a bill aimed at aligning the domestic data protection framework with the EU’s GDPR. Taiwan’s goal, ultimately, is to satisfy adequacy requirements to allow cross-border data flow between Taiwan and the EU.

Finally, New Zealand’s new Privacy Act, repealing the Privacy Act of 1993, will officially take effect on December 1, 2020.

Digital payments is another area that retained regulators’ attention this year.

In Singapore, the country’s Payment Services Act regulations went into effect in January.

In Australia, the Senate’s Select Committee on Financial Technology and Regulatory Technology explicitly states that remote access to financial services and digital payments are key issues in the fintech regulatory landscape. The Australian Payments Network (AusPayNet) launched a consultation seeking feedback on procedures and policies surrounding the proposed TrustID Framework, which will provide rules and regulations for organizations. AusPayNet describes the TrustID Framework as “an open, contestable framework that can be used by different organisations to offer a range of interoperable identity services to individuals and private sector entities.”

In February, India’s National Cyber Coordination Centre announced plans to eventually implement multi-factor authentication (MFA) into the digital payment legal framework to enhance the safety of digital transactions. MFA could include biometrics and geolocation.

Japan’s Financial Services Agency amended two separate acts to strengthen crypto asset investor protection and promote crypto asset investment. The new regulations primarily focus on three key areas: regulating crypto exchanges, custodians, and products; reforming existing virtual currency terminology; and creating appropriate transaction measures. Also in Japan, the JPQR initiative (which aims to set standards for barcode and QR payments) was established by the Payments Japan Association. In June, the government began accepting JPQR applications from entities nationwide, including financial institutions.

In July, Korea’s Financial Services Commission (FSC) announced plans to propose revisions to the Electronic Financial Transactions Act (EFTA) to grow payment and settlement services by expanding the roles of payment service providers (PSPs) to include brokerage services and possibly savings accounts.

Taiwan approved draft amendments to the Act Governing Electronic Payment Institutions. The changes would streamline digital money transfers and allow consumers to send foreign currency to a mobile payment device or app.

To ease digital business, certain governments further enabled the use of electronic signatures. For example, on December 10, 2020, amendments to South Korea’s Digital Signature Act regarding digital identification become effective. Changes in the act remove certain requirements for certificates for digital signatures, to “remove barrier to entry” for consumers. And recent changes under the law promulgate the use of various types of identity proofing technology, including biometric authentication and blockchain, during e-signature certification.

Finally, as part of e-KYC and remote customer onboarding, in January the approved remote video-based authentication through Aadhaar. The Video Customer Identification Process (V-CIP) is a video chat session option that lets the customer show identity documents that are checked against the issuing authority’s database. And in June, Malaysia’s central bank published a policy document on Electronic Know Your Customer (e-KYC).

TABLE OF CONTENTS

NORTH AMERICA

EUROPE

MIDDLE EAST

ASIA-PACIFIC

AFRICA

LATIN AMERICA

NORTH AMERICA

Financial institutions in North America have long been leaders in financial innovation and regulatory developments, and plans announced in 2020 by the Federal Reserve and Payments Canada indicate an ongoing dedication to adopt potential strategies for greater financial innovation and inclusion. In fact, according to Deloitte, North American banks are expected to allocate nearly one-half of IT budgets on new technology in the year 2022 alone.1 Banks in North America, often bogged down by data quality issues and archaic technology, are seeking new ways to modernize technology while exploring new data storage methods, such as integrating cloud-native platforms into existing infrastructure.

On the regulatory front, both Canada and the U.S. passed multiple laws in 2020 to further financial innovation initiatives and strengthen consumer protection. Other legislation clarified existing e-signature use and legality statutes. In the U.S., New York and California are leading the charge on consumer protection, and provinces in Canada have several ongoing consultations relating to data protection and privacy.

Perhaps the biggest news for the region is the announcement of plans for a cross-border fintech sandbox as part of the comprehensive United States-Mexico-Canada Agreement.

Regional Standards, Laws and Regulations

United States-Mexico-Canada Agreement (USMCA): Plans for a Cross-Border Fintech Sandbox: On December 13, 2019, the United States published the USMCA, a broadly sweeping agreement between the U.S., Mexico and Canada, to strengthen cross-border initiatives, including digital trade and financial regulations. The passage of the USMCA is part of a renegotiation of NAFTA between the three countries. The final uniform regulations and implementation instructions for the agreement were published June 30, 2020, and the USMCA officially entered into force on July 1, 2020. The NAFTA provision that allowed preferential treatment for certain entities no longer applies under the new agreement.

USMCA Final Implementing Instructions (CSMS #43215543): On June 30, 2020, the U.S. International Trade Commission published General Note 11, incorporating the USMCA into the Harmonized Tariff Schedule of the United States. Subsequently, the USMCA implementing instructions were updated and finalized. This version of the document replaces the Interim Implementing Instructions issued on June 16, 2020.

NORTH AMERICA - ONESPAN GLOBAL FINANCIAL REGULATIONS REPORT FOLLOW US    11

UNITED STATES

Country Overview

At the dawn of 2020, financial institutions in the U.S. were already contending with the news that China, long an economic rival, was preparing to go global with a gold-backed CBDC. An impending presidential election and social unrest have engendered general feelings of anxiety not just in the general population but among stakeholders in the private sector as well.

In efforts to keep up with China’s massive banks and regional status as a welcomed newcomer to emerging markets, not to mention address concerns across the private sector, the Federal Reserve has announced ongoing development of a U.S. CBDC and plans for its own instant payment system. Though the U.S. is experiencing political upheaval and economic uncertainty, due in large part to the COVID-19 pandemic, the country remains one of the global leaders in financial innovation and financial regulatory oversight, especially regarding consumer protection.

CENTRAL BANK: The Federal Reserve System is the central banking system in the U.S.

DATA PROTECTION AUTHORITY: As of the publication of this report, the U.S. does not have a dedicated national data protection authority. However, the Federal Trade Commission (FTC) has authority over most national data protection issues. It is possible the U.S. will have a federal data protection authority under a recently proposed bill called the Data Protection Act of 2020, but Congress hasn’t voted on it yet.

Other Federal Financial Regulatory Bodies:

Consumer Financial Protection Bureau (CFPB) is an agency of the United States government responsible for consumer protection in the financial sector. Regarding rulemaking and legislation, the CFPB “implements and enforces federal consumer financial laws to ensure that all consumers have access to markets for consumer financial products and services that are fair, transparent, and competitive.”2

Federal Deposit Insurance Corporation (FDIC), as described on its website, “insures deposits; examines and supervises financial institutions for safety, soundness, and consumer protection; makes large and complex financial institutions resolvable; and manages receiverships.”

Federal Trade Commission (FTC) protects consumers and businesses by preventing anticompetitive, deceptive, and unfair business practices. The FTC enforces laws and provides advocacy and education.

Financial Crimes Enforcement Network (FinCEN) is a bureau of the U.S. Department of the Treasury. Its mission as described on its website is to “safeguard the financial system from illicit use, combat money laundering and its related crimes including terrorism, and promote national security through the strategic use of financial authorities and the collection, analysis, and dissemination of financial intelligence.”

Financial Industry Regulatory Authority (FINRA) is a government-authorized, not-for-profit organization that acts as a self-regulatory organization overseeing U.S. broker-dealers.

National Credit Union Association (NCUA) is an independent organization that issues charters and serves as regulator for all federal credit unions. In addition, it insures deposits at federally insured credit unions.

Office of the Comptroller of the Currency (OCC) is an independent branch of the U.S. Department of the Treasury. The OCC issues charters and serves as regulator for all national banks and federal savings associations. In addition, it supervises federal branches and agencies of foreign banks.

Regulations and Policy

1. U.S. Federal Reserve Considering Development of Digital Currency

The Federal Reserve has been conducting ongoing research for the past several years into development of a U.S. central bank digital currency (CBDC), according to Federal Reserve Governor Lael Brainard in a speech she made to colleagues in August 2020. A team of application developers from the Federal Reserve Banks of Cleveland, Dallas and New York are working with a policy team at what is being dubbed the Federal Reserve Board Technology Lab. The team is examining the “implications of digital currencies on the payments ecosystem, financial stability, banking and finance, and consumer protection” while also taking into account that CBDCs “present opportunities but also risks associated with privacy, illicit activity, and financial stability.”3 The project findings will eventually be published and open-source software deployed. An expected publication date has not been announced.

2. U.S. Federal Reserve Publishes Specs for New Instant Payment Service

The U.S. Federal Reserve published specs for a new federal instant payment it is developing called FedNow Service. According to the new specs, the platform will provide users access to instant funds every day of the year and will enable financial institutions an innovative instant payment solution for customers. The launch of the FedNow Service is anticipated for some time in 2023 or 2024. It will be released in phases. As of the publication of this report, a phasing plan and timeline have not been announced.

3. NY and California to Strengthen Financial Services Regulatory Enforcement

The States of California and New York are planning several initiatives to strengthen and increase regulatory oversight in the financial services industry.

4. California Budget Act of 2020

On June 29, 2020, Governor Gavin Newsom of California signed SB 74, a proposal that calls for a budget increase of almost $20 million for the state’s Department of Business Oversight, a provision that would add 90 additional positions to oversight staff, contingent on the enactment of the California Consumer Financial Protection Law. Most importantly, the new expanded authority would give the Department leeway “to pursue unlicensed financial service providers not currently subject to regulatory oversight.”4 This would include financial technology companies. The proposal also creates an Office of Financial Technology Innovation. The California Assembly held a hearing to discuss the proposal and seek public feedback on August 6, 2020. Comments were due to the Assembly before the hearing date.

5. New York 2021 Budget - DFS Expansion

In his proposed budget for FY 2021, Governor Andrew Cuomo of New York called for significant expansion of oversight for the New York Department of Financial Services (DFS). Some of the provisions of the proposal would strengthen the DFS’s authority to impose larger financial penalties and civil penalties on entities engaged in fraud – even if the fraud is unintentional.5 The proposal would also allow NYDFS to bring actions against unlicensed financial entities. Governor Cuomo signed the new budget into law on April 3, 2020.

6. Financial Crimes Enforcement Network (FinCEN)

• FinCEN Additional Information for Financial Institutions in Response to the COVID-19 Pandemic: On April 3, 2020, FinCEN released information to further assist financial institutions with Bank Secrecy Act (BSA) compliance during the COVID-19 pandemic. To facilitate this objective, FinCEN announced a “direct contact mechanism” for urgent issues related to COVID-19 that can be accessed online. The guidance outlines where the contact form is located on FinCEN’s website, but FinCEN is still encouraging financial institutions to reach out to any standard BSA examining authorities for COVID-19 concerns. Additionally, FinCEN encourages financial institutions to create “innovative approaches” to meet BSA and anti-money laundering (AML) compliance requirements.

• FinCEN Advisory on Cybercrime and Cyber-enabled Crime Exploiting the COVID-19 Pandemic (FIN-2020-A005): On July 30, 2020, FinCEN issued an advisory alerting financial institutions to various cybercrimes detected during the COVID-19 pandemic. The advisory provides guidance to assist financial institutions with combating various fraudulent schemes, including the targeting and exploitation of remote systems and consumer-facing applications. Additionally, the advisory provides guidelines for filing with FinCEN a Suspicious Activity Report (SAR) related to this advisory.

• FinCEN Anti-Money Laundering Programs for Banks Lacking a Federal Functional Regulator: This FinCEN rule has been in development since 2016. The rule’s goal is to implement a section of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT ACT) of 2001. As of the publication of this report, rulemaking is in final stages.

• FinCEN Guidance on Frequently Asked Questions Regarding Customer Due Diligence (CDD) Requirements for Covered Financial Institutions (FIN-2020-G002): On August 3, 2020, FinCEN issued a response to frequently asked questions regarding customer due diligence requirements for financial institutions. The FAQs response clarified regulatory requirements for obtaining customer information, establishing customer risk profiles, and monitoring customer relationships to ensure compliance.

7. Federal Reserve Board (FRB)

• Federal Reserve SR 20-4/CA 20-3: Supervisory Practices Regarding Financial Institutions Affected by Coronavirus: Customer Identification within SR Letter 13-6/CA Letter 13-3: “The Federal Reserve encourages depository institutions to use non-documentary verification methods for new affected customers that may not be able to provide standard identification documents, as permitted under the regulation. Non-documentary methods may include comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source, or by checking references with another financial institution.”

8. Consumer Financial Protection Bureau (CFPB)

• CFPB Announces Plan to Issue ANPR on Consumer-Authorized Access to Financial Data: On July 24, 2020, the CFPB announced plans to issue a notice of proposed rulemaking (ANPR) for later in the year that will address consumer access to financial records, and the protection and disclosure of confidential information. The notice allows the CFPB to further solicit stakeholders’ feedback and determine the scope of data covered under the proposed rule. In addition, the CFPB “will consider whether clarifications or adjustments are necessary with respect to existing regulatory structures” that could be affected by potential developments.

• CFPB Disclosure of Records and Information Rule: According to the CFPB Spring 2020 Regulatory Agenda, the CFPB is in final rulemaking stages to further amend the Disclosure of Records and Information Rule. The rule was last amended and finalized in 2018 with the addition of language regarding procedures used by the public to obtain information under FOIA and in legal proceedings. The new amendment will address consumer information disclosure and protection, specifically as it relates to the CFPB’s right to confidential information under Federal consumer financial law.6

• CFPB Artificial Intelligence Initiative: In September 2019, the CFPB’s Office of Innovation initiated three new policies “to promote innovation and facilitate compliance” in the field of artificial intelligence. The three policies were proposed in 2018 and included the No-Action Letter Policy (NAL), the Trial Disclosure Program (TDP) Policy, and the Compliance Assistance Sandbox (CAS) Policy. These policies are designed to enable financial service providers to interpret financial compliance standards in the context of financial services innovation, and to streamline regulatory application and ease existing compliance requirements. The CFPB’s goal is to encourage innovation among financial service providers and therefore increase consumer financial inclusion.

• CFPB Statement on Supervisory and Enforcement Practices Regarding Electronic Credit Card Disclosures During COVID-19 Pandemic: On June 3, 2020, the CFPB issued a statement regarding written disclosure requirements and their application during the COVID-19 pandemic. The CFPB states that, in the wake of the pandemic, credit card issuers have been receiving a record amount of phone calls from consumers who want services that normally require provision of written disclosures. Consumers, for example, “may seek to open a new account,” which under the Truth in Lending Act (Regulation Z) would require the issuer to obtain electronic signature consent from the consumer during the phone call. This method could cause delays in timely financial assistance to consumers.

The CFPB understands this and states that it will take “a flexible supervisory and enforcement approach during this pandemic regarding card issuers’ electronic provision of disclosures required to be in writing for account-opening disclosures and temporary rate or fee reduction disclosures mandated under the provisions governing non-home secured, open-end credit in Regulation Z.”7

• CFPB E-SIGN Act Requirements and Credit Card Provisions: The CFPB is considering amending Regulation Z to include the application of the Electronic Signatures in Global and National Commerce Act (E-SIGN Act) to consumer financial services regulations, specifically the credit card provisions in Regulation Z. As of the publication of this report, the CFPB has not announced rulemaking or provided a timeline for rule development. This is a long-term initiative, and it is yet unclear how the E-SIGN Act will be applied to the existing legislature.

• An Overview of Regulation Z: Regulation Z is a rule contained in the Consumer Credit Protection Act that implements amendments made to federal mortgage disclosure requirements in the Truth in Lending Act (TILA). Regulation Z helps consumers make more informed decisions by requiring credit issuers to disclose terms to potential and existing customers during account opening. The rule governs practices for specific open-end consumer credit accounts, including special rules for credit card accounts offered to college students.

Regulation Z applies to any person or business who offers or uses credit, but it should be emphasized that the rule does not generally govern charges for consumer credit. Additionally, provisions of Regulation Z do not apply when four conditions are met:

1. The credit is offered or extended to consumers;
2. The offering or extension of credit is done regularly;
3. The credit is subject to a finance charge or is payable by a written agreement in more than four installments;
4. The credit is primarily for personal, family, or household purposes.

• CFPB Pandemic Relief Payments under Regulation E and Application of the Compulsory Use Prohibition: The CFPB issued this interpretive rule on April 27, 2020, to provide guidance to government agencies distributing aid to consumers in response to the COVID-19 pandemic. It wasn’t subject to the standard 30-day delayed effective date and went into effect immediately. This new rule adds language to the “Prepaid Accounts Under the Electronic Fund Transfer Act (Regulation E) and the Truth in Lending Act (Regulation Z)”, finalized in 2016. The interpretive rule stipulates that certain payments issued by the government to consumers do not qualify as “government benefits” and are therefore not subject to the compulsory use prohibition in the EFTA.

• In other words, under the new interpretive rule, government agencies may require consumers to open new accounts specifically for electronic fund transfers providing pandemic relief payments.

• Application of the Compulsory Use Prohibition: What is commonly referred to as the “compulsory use prohibition” is simply a clause within the Prepaid Accounts Rule stipulating that, “no [business] may require a consumer to establish an account for receipt of electronic fund transfers with a particular financial institution as a condition of employment or receipt of a government benefit.”8

• However, under the new interpretive rule, payments that are “one-time or otherwise limited payments specifically in response to the COVID-19 pandemic, not part of any existing government benefit program” are not considered government benefits. The rule further states that, “For payments under this interpretation, consumers likely would not generally be required to apply to the government for these types of pandemic relief payments, which [would have made] it difficult for government agencies to determine consumers’ payment preferences while making payments in a timely manner.”

• Because these one-time relief payments would not be considered government benefits as defined in the 2016 final rule (also known as the “Prepaid Accounts Rule” under the EFTA), “a government agency (as well as persons acting on behalf of a government agency) may require consumers to establish an account with a particular financial institution as a condition of receiving pandemic relief payments.”10 This could mean new possibilities in the way of financial innovation, but the CFPB emphasizes that accounts opened to receive pandemic relief benefits could still be considered “prepaid accounts” through other statutes from the 2016 final rule, and therefore possibly still covered by the compulsory use prohibition.

• CFPB Electronic Fund Transfer Act (Regulation E) Amendments: Regulation E implements the Electronic Fund Transfer Act (EFTA). The Act “establishes a basic framework of the rights, liabilities, and responsibilities of participants in the electronic fund and remittance transfer systems.”11 Regulation E contains two subparts. Subpart A covers rules and regulations for electronic fund transfers (EFTs), prepaid accounts, gift cards and gift certificates. Subpart B covers rules and regulations for remittance transfers, such as disclosure rights. In 2020, the CFPB finalized two amendments to Regulation E: one that amends remittance transfer rules and another that provides an interpretive rule guiding electronic payment transfers used for pandemic relief payments.

Key Highlights for Financial Institutions

1. Remittance Transfers Amendment under Regulation E

Consumer remittance transfers, or international money transfers, are protected under Regulation E, which provides a statutory exception “[allowing] insured institutions to disclose estimates of exchange rates and third-party fees instead of exact amounts to consumers.” That exception expired on July 21, 2020. Because of this, the CFPB has finalized an amendment to Regulation E that would provide permanent statutory exceptions permitting estimation of exchange rates and third-party fees, respectively.

The final rule also increases a safe-harbor threshold related to whether a person makes remittance transfers in the normal course of business. The Rule states that “with respect to both exceptions, [the CFPB] is adopting a transition period for insured institutions that exceed, as applicable, the 1,000-transfer or 500-transfer thresholds in a certain year. This transition period will allow these institutions to continue to provide estimates for a reasonable period of time while they come into compliance with the requirement to provide exact amounts.”12

The CFPB has indicated that it does not intend to take enforcement action on the statutory exception expiration after July 21, 2021, in light of the COVID-19 pandemic. The final rule was published June 5, 2020.

2. Financial Industry Regulatory Authority (FINRA)

• FINRA Regulatory Notice on Digital Asset Engagement: On July 9, 2020, FINRA published a regulatory notice asking financial institutions to continue to report activity related to digital assets. FINRA has asked institutions to comply with its request until July 31, 2021 and encouraged firms to continue to report digital asset activities to their Risk Monitoring Analyst. Of interest to FINRA are purchases, sales and executions of digital asset transactions; crypto mining; digital asset management platforms; and the recording of virtual coins through blockchain technology.

3. Office of the Comptroller of the Currency (OCC)

• OCC Issues NPR and ANPR Regarding National Bank and Federal Savings Association Digital Activities Regulations: On June 3, 2020, the OCC issued an ANPR inviting public comment on proposed rulemaking on regulations covering the digital activities of national banks and federal savings associations. The comment period ended on August 3, 2020.

• OCC Letter on Cryptocurrency Custody Services: On July 22, 2020, the OCC published a letter stating that, “national banks may provide permissible banking services to any lawful business they choose, including cryptocurrency businesses, so long as they effectively manage the risks and comply with applicable law.” The announcement permits national banks to provide cryptocurrency custody services.

4. Federal Trade Commission (FTC)

• FTC Identity Theft Detection Rules: Modifications to the Red Flags Rule and Card Issuers Rule: On December 11, 2018, the FTC began its periodic review of the Identity Theft Rules, which include the Red Flags Rule and the Card Issuer Rule. The public comment period closed on February 11, 2019, and staff is reviewing the comments. Staff had planned to submit a recommendation to the FTC by June 2020. However, as of the publication of this report, a recommendation has not been submitted.

• Amendments to the Safeguards and Privacy Rules under the Gramm-Leach-Bliley Act: The FTC is proposing amendments to the Safeguards and Privacy Rules under the GLBA. The proposal includes several changes. Among them are requirements that financial institutions and applicable businesses encrypt customer data, implement access controls to prevent unauthorized users from accessing customer information, and use multifactor authentication to access customer data. The rule would apply to banks or any business providing financial services. The FTC hosted a virtual workshop in July 2020 to gain input from industry, academia, and other stakeholders. As of the publication of this report, the timeframe for when changes will go into effect has not been provided.

• FTC Privacy of Consumer Financial Information Rule: The FTC enacted the Fixing America’s Surface Transportation (FAST) Act, which included a provision amending the Gramm-Leach-Bliley Act to create a new exception to the annual notice requirement. On March 5, 2019, the FTC announced a notice of proposed rulemaking. The comment period closed on June 3, 2019. Staff anticipates sending a recommendation to the Commission by September 2020. As of the publication of this report, the FTC has not made an announcement regarding a recommendation.

5. New York Department of Financial Services Budget Expansion

In his proposed budget for FY 2021, Governor Andrew Cuomo of New York called for significant expansion of oversight for the New York Department of Financial Services (DFS). Some of the provisions of the proposal would strengthen the DFS’s authority to impose larger financial penalties and civil penalties on entities engaged in fraud – even if the fraud is unintentional. The proposal would also allow NYDFS to bring actions against unlicensed financial entities. Governor Cuomo signed the new budget into law on April 3, 2020.

6. Financial Crimes Enforcement Network (FinCEN)

• NIST Privacy Framework 1.0: In late January 2020, the National Institute of Standards and Technology (NIST) released the first version of its privacy framework, known as Privacy Framework 1.0. The framework is voluntary and provides financial institutions and other organizations with methods of improving privacy practices, meeting compliance obligations, and strengthening customer relationships. The Privacy Framework has been in development since at least 2018 and eventually released a preliminary draft in September 2019. The framework is specifically tailored to help organizations follow existing privacy laws such as the CCPA and the EU’s GDPR, and promotes forward-looking development toward artificial intelligence and blockchain, among other innovative technologies.

Prominent State Regulations

California

• California Consumer Privacy Act (CCPA) Final Opt-Out Regulations: On August 14, 2020, draft regulations for the California Consumer Privacy Act were approved by the Office of Administrative Law and became effective immediately. The final regulations integrate an addendum submitted by the state attorney general on July 29, 2020. The changes made to the Act include specific requirements regarding opting out of providing personal information. Additionally, businesses can deny opt-out requests made by “authorized agents on behalf of consumers”13 if signed permission from the consumer is not provided.

Federal Laws

• 2020 Amendments to the Bank Secrecy Act/Anti-Money Laundering Examination Manual: Federal lawmakers are proposing several amendments to the Bank Secrecy Act (BSA) that would add new rules regarding compliance programs at financial institutions. The new rule would add language to the BSA that would define an effective compliance program. Every financial institution is required to have a compliance program under the Procedures for Monitoring BSA compliance regulations.14

• Procedures for Monitoring BSA Compliance: A Notice of Proposed Rulemaking for Definition of Effective Bank Secrecy Act Compliance Program: The FDIC, FRB, OCC and FinCEN issued a notice of proposed rulemaking for finalizing a rule that would outline an effective BSA compliance program. The public comment period ended September 8, 2020.

Prominent State Laws

• New York Stop Hacks and Improve Electronic Data Security Act (SHIELD): Data security provisions of the SHIELD Act went into effect on March 21, 2020. It requires any person or business that owns or licenses computerized data that includes private information of a resident of New York to implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information.

Remote Online Notarization (RON)

As of the publication of this report, 27 states have enacted some form of Remote Online Notarization (RON) law. As of the publication of this report, the 26 other states that have enacted RON law are: Alaska, Arizona, Colorado, Florida, Idaho, Indiana, Iowa, Kentucky, Louisiana, Maryland, Michigan, Minnesota, Montana, Nebraska, Nevada, North Dakota, Ohio, Oklahoma, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington and Wisconsin.

Each state’s RON law provides three basic requirements:

• Allows notarization to be completed using audio-video communication
• Require the notary authenticate the person signing
• Require recording of the audio-video communication

Any state that has not yet enacted RON law has issued emergency short-term measures, mainly to address the COVID-19 pandemic and issues with in-person notarization. For example, on March 26, 2020, the Governor of Alabama issued an emergency proclamation allowing notaries to use videoconferencing software to notarize and confirm signatures.

Insurance

In October 2017, the National Association of Insurance Commissioners (NAIC) adopted the NAIC Insurance Data Security Model Law. According to the NAIC, the Model Law, “seeks to establish data security standards for regulators and insurers to mitigate the potential damage of a data breach. The law applies to insurers, insurance agents and other entities licensed by the state department of insurance.” Moreover, the U.S. Treasury Department has advised states to adopt the Model Law within the next 5 years or the department will ask Congress to preempt the states.

While each state can modify the Model Law to accommodate its unique requirements, key components of the Model Law include requiring insurance licensees to implement a written information security program and for insurance licensees to consider whether certain safeguards are appropriate, including access controls such as multi-factor authentication, penetration testing, encryption, audit trails and other security methods.

At the time of this writing, 11 states have passed laws:

1. South Carolina: Act No. 171 was signed into law in May 2018 and became effective January 1, 2019. South Carolina licensees must implement an information security program by July 1, 2019 and must comply with third-party service provider due diligence requirements by July 1, 2020.

2. Michigan: House Bill 6491 was signed into law on December 28, 2018. Multi-factor authentication provisions take effect on January 20, 2021. Michigan licensees must implement an information security program by January 20, 2022 and must comply with third-party service provider due diligence requirements by January 20, 2023.

3. Ohio: Senate Bill 273 was signed into law in December 2018 and went into effect on March 20, 2019. The law applies to insurers authorized to do business in Ohio. Companies have one year to put the security measures into place.

4. Mississippi: Senate Bill 2831 was signed into law on April 3, 2019 and became effective on July 1, 2019. Licensees were required to have multi-factor authentication in place by July 1, 2020 and must comply with third-party service provider due diligence requirements by July 1, 2021.

5. New Hampshire: Senate Bill 194 was signed into law on August 2, 2019 and became effective on January 1, 2020.

6. Connecticut: House Bill No. 7424 was signed into law on June 26, 2019 and became effective on October 1, 2020. The law requires third-party service providers who control non-public information to implement appropriate security measures by October 2021.

7. Virginia: House Bill 13334 was signed into law on March 11, 2020 and became effective on July 1, 2020.

8. Alabama: In May 2019, the Insurance Data Security Law (Act 2019-98) was signed and officially enacted. Insurance licensees must be in full compliance by May 1, 2021.

9. Delaware: On July 31, 2019, the Delaware Insurance Data Security Act was signed into law. The compliance deadline was July 31, 2020.

10. Indiana: House Bill 1372, focusing on various insurance matters, was signed into law on March 30, 2020. Chapter 27 of the law applies the National Association of Insurance Commissioner’s (NAIC) model law and those provisions will take effect on June 30, 2021.

11. Louisiana: The Insurance Data Security Law was passed June 2020 and the effective date of the legislation is tiered starting Aug. 1, 2020, with compliance for all provisions by August 1, 2022.

Litigation

1. U.S. Banks Challenge OCC Fintech Charter Rule

The New York Department of Financial Services (NYDFS) has rejected a new rule that gives the Office of the Comptroller of the Currency (OCC) authority to grant fintech charters to non-depository financial institutions, such as online lenders and insurance companies. Fintech charters grant institutions a national lending license that exempts that institution from burdensome state-by-state compliance requirements. The New York DFS has challenged that the new rule extends beyond the OCC’s jurisdiction based on existing laws and would undermine the DFS’s efforts to enforce consumer protection, specifically on “subpar financial institutions.” In its opening brief filed with the Second Circuit Court in late July 2020, the NYDFS makes several counterarguments to OCC’s appeal, mostly to protect its authority and sovereignty over risk management. The NYDFS also argues that “non-depository institutions are not in the business of banking” and therefore are not considered banks, specifically under the National Banking Act passed in 1863, which continues to be amended by Congress when licensing a non-depository institution is required.

As of the publication of this report, the OCC has not filed a response to the NYDFS’s counterargument.

2. U.S. Appeals Court Decides Bitcoin Transactions Not Covered by 4th Amendment

On June 30, 2020, the U.S. Fifth Circuit Court of Appeals published the decision in a landmark privacy case that information processed for Bitcoin transactions is not protected by the Fourth Amendment of the U.S. Constitution. The subject of a federal investigation, Richard Gratkowski, confessed to paying a website in Bitcoin for child pornography. He moved to suppress evidence in the case obtained through a search warrant that federal authorities served on Coinbase, a platform for trading and storing cryptocurrency. Gratkowski argued that the government’s seizure of bitcoin information was unconstitutional because of a “reasonable expectation of privacy” afforded to blockchain and cryptocurrency exchange records.15

However, under the “third-party doctrine,” anyone who voluntarily provides information to third parties – including banks and financial institutions – has “no reasonable expectation of privacy.”

Legislation - Federal

• E-Sign Modernization Act of 2020: On July 2, 2020, members of the U.S. Senate introduced this bill to streamline electronic transactions for consumers by simplifying how they would accept them. Under the Act, companies that can secure a consumer’s consent may substitute paper documents with electronic ones. Additionally, businesses would no longer need to obtain a new consent with every hardware or software update. As of the publication of this report, a date for finalization of this bill has not been announced.

• Securing and Enabling Commerce Using Remote and Electronic Notarization Act of 2020 (H.R. 6364): On March 23, 2020, the SECURE Notarization Act of 2020 was referred to the House Committee on Energy and Commerce and the Committee on the Judiciary for review of certain provisions. The Act establishes standards for remote electronic notarization conducted as part of interstate commerce, including recognition of these notarizations state-to-state. As of the publication of this report, the Committees have not finished their review, and a date for finalization of the bill has not been announced.

• National Biometric Information Privacy Act: In August 2020, members of the U.S. Senate introduced a bill aimed at protecting biometric data. The law would prohibit businesses in the private sector from collecting a wealth of biometric data, including faceprints, fingerprints, retina scans, and voiceprints, without having consumer or employee consent. Businesses would have to abide by several requirements under the law, including an obligation to safeguard biometric identifiers and other biometric information the same way they would protect Social Security numbers or other types of sensitive personal information. Consumers can act against businesses that violate required protections, including recovery of $1,000 in damages.

• Data Protection Act of 2020: The Data Protection Act was introduced in the U.S. Senate in February 2020. If enacted, it would establish a federal data protection agency. The U.S. does not currently have a federal data protection authority, and most issues related to data protection and privacy fall under the purview of the FTC. Authoritative abilities assigned to the data protection authority through the bill include civil action against “covered entities” who violate federal privacy law and the ability to impose monetary penalties for violations. As of the publication of this report, Congress has made no further movement on this proposed bill.

• Consumer Data Privacy and Security Act of 2020 (CDPSA): Introduced in March 2020, the legislation will create a general data-privacy framework at the federal level. The CDPSA addresses privacy policies, processing of personal data, and customer due diligence, while reducing the regulatory burden on small businesses by providing several exemptions. There are a few clauses worth noting in relation to financial institutions:

• The law explicitly addresses financial institutions in relation to preservation of state and local laws. Specifically, any laws that “address financial information held by financial institutions (as defined in section 509 of the Gramm-Leach-Bliley Act)” cannot be preempted to the extent that they conflict with the CDPSA. Additionally, the CDPSA does not supersede the existing Electronic Communications Privacy Act. These laws must still be followed.

• In regards to third-party collection of personal data, the proposed law states that “with respect to the personal data of an individual, covered entities may collect or process such personal data without directly obtaining the individual’s consent as required under paragraph (1)(A) if the covered entity from whom the third party received the personal data of the individual involved has provided the individual with notice of:

• the fact that the covered entity would disclose the individual’s personal data to the third party;

• the purposes for which the third party will collect or process the personal data of the individual;

• the individual has consented to such disclosure and such collection or processing of the individual’s personal data;

• or, the third party collects or process the personal data in accordance with a permissible purpose described in subsection (c).”

• Subsection C: Duty to Exercise Reasonable Due Diligence Prior to Reliance on Covered Entity Representations:

• “A covered entity that is a third party with respect to the personal data of an individual may reasonably rely on representations made by the covered entity from whom the third party received such data regarding the notice provided to, and the consent obtained from, such individual, provided that the third party has determined, after exercising reasonable due diligence, that the covered entity is credible.”

• Customer Due Diligence: The law addresses identity verification in relation to “verified requests,” or requests to erase personal data from customers. The law states that financial institutions “shall make a reasonable effort to verify the identity of any individual who submits a request to exercise” the right to erasure. If a financial institution cannot verify the identity of a customer making an erasure request, then the financial institution “may request that the individual provide such additional information as is necessary to confirm the identity of the individual; and shall only process additional information provided under clause (i) for the purpose of verifying the identity of the individual.”

• National Artificial Intelligence Act of 2020 (H.R. 6216): On March 12, 2020, representatives of Congress introduced a bill to establish a national artificial intelligence initiative that would support education and research, and ultimately authorize $391 million for a new risk assessment framework for AI systems developed by NIST. As of the publication of this report, a timeline for development of the new framework has not been provided by NIST.

Prominent State Legislation

• California Privacy Rights Act of 2020 (CPRA): The California Privacy Rights Act of 2020 is being proposed by the Californians for Consumer Privacy group and will appear on voter ballots in the state’s November 2020 elections. The bill would create new requirements for financial institutions and other companies processing private personal information and allow consumers to limit the use and disclosure of that information.

The bill would give consumers more authority over their personal information, including the right to correct information, the right to know how long their information is stored, and the right to opt-out of geolocation advertising. The Act would also expand user rights and include unauthorized access to an email address, password, or security question in its “private right of action” for data breaches where personal information is compromised. Should voters favor the bill in November, it will become effective on January 1, 2023.

• California Automated Decision Systems Accountability Act of 2020: On February 14, 2020, the California General Assembly introduced a bill called the Automated Decision Systems Accountability Act of 2020. The Act would require that businesses in California, including financial institutions, ensure automated decision systems (ADS) in use are consistently tested for biases during the development and use of ADS. Financial institutions covered under the bill would need to submit an ADS impact assessment to the Department of Business Oversight by March 1, 2022. Additionally, the bill calls for the establishment of an Automated Decision Systems Advisory Task Force, composed of public and private sector stakeholders, by the same date.

CANADA

Country Overview Canada, the famously amicable and perhaps more socially and politically measured northern neighbor of the United States, and the British Crown’s geographically largest territory, has been in the process of developing several pieces of legislation, frameworks, and regulatory initiatives related to financial services innovation, data privacy, and cybersecurity for the past several years.

The federal and provincial governments, especially Quebec and Ontario, have been quick to adopt sweeping legislative reforms and new laws to facilitate greater financial inclusion for their citizens and promote financial innovation. Laws such as the Personal Information Protection and Electronic Documents Act (PIPEDA) and the provincial Uniform Electronic Commerce Act, for example, further define terms related to e-signature and establish e-signature legality under certain circumstances. Canada may be the “gentle giant” of the financial sector, but Toronto is the seventh largest financial center in the world -- just behind New York and London -- and employment there has increased 25 percent in the past five years. Financial institutions in the country stand to gain serious momentum in 2020, due in part to robust regulatory supervision and enforcement.

CENTRAL BANK

The Bank of Canada is the central bank for the country of Canada.

DATA PROTECTION AUTHORITY

The Office of the Privacy Commissioner of Canada (OPC) is the primary data protection authority in Canada that supervises and guides individuals and businesses regarding protection of personal information.

Other Federal Financial Regulatory Bodies:

Office of the Superintendent of Financial Institutions (OSFI) is an independent agency reporting to the Minister of Finance that acts as the primary authority regulating financial institutions conducting business in Canada.

The Financial Consumer Agency of Canada (FCAC) is a federal regulatory agency that assists financial institutions with consumer protection compliance in relation to federal legislation and implementing regulations.

The Financial Services Regulatory Authority of Ontario (FSRA) is an independent agency that acts as the financial regulator for the province of Ontario. The agency also offers deposit insurance to members of credit unions.

The British Columbia Financial Services Authority (BCFSA) is the primary financial regulator for the province of British Columbia. The BCFSA’s predecessor was the Financial Institutions Commission (FICOM), which was rebranded and re- established as the BCFSA in 2019.

The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) is Canada’s financial intelligence agency that detects and prevents money laundering and terrorist financing.

The Ontario Securities Commission (OSC) is a Crown agency reporting through the Minister of Finance that enforces securities regulations for the province of Ontario.

The Canadian Securities Administrators (CSA) is an organization composed of Canada’s provincial securities regulators that facilitates effective regulation in the country’s capital markets.

Laws

• Ontario Public Consultation on Privacy Protection Laws: On August 13, 2020, the government of Ontario announced the launch of a public consultation to facilitate improvement of the province’s privacy protection laws. The press release from the government states that the province is seeking public comment in order to increase transparency, enhance consent provisions among individuals, introduce a right to request information and a right to erasure, and increase enforcement oversight for the Information and Privacy Commissioner, among other initiatives.

• Regulations Amending Certain Regulations Made Under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) of 2019: These regulations were published in the Canada Gazette on June 10, 2020. The new regulations aim to strengthen AML/CTF frameworks in Canada by amending the existing amendments to the PCMLTFA to bring them in closer alignment with international standards. A public consultation period ended in September 2018.

The amendments make changes to the Cross-Border Currency and Monetary Instruments Reporting Regulations that came into force on June 1, 2020. The other proposed amendments will come into force on June 1, 2021.

• Regulations Amending Administrative Monetary Penalties Regulations (Miscellaneous Program): SOR/2020-68: The Canadian government published new regulations in the country’s official gazette on April 29, 2020, amending existing OSFI administrative monetary penalties regulations. The regulations amend the Bank Act, the Trust and Loan Companies Act, and the Insurance Companies Act to ensure accuracy when referencing existing legislative provisions. After the 2007 amendments were made to the same laws, the existing policies referred to several incorrect provisions and this aims to fix that.

• Advisory Committee on Open Banking Report: Consumer-directed Finance: The Future of Financial Services: On January 31, 2020, the Department of Finance’s Advisory Committee on Open Banking published a report that presents the committee’s recommendations related to consumer-directed finance, or open banking, following a solicitation of feedback from the public and stakeholders in financial services. The report caps the end of the first phase of the government’s initiative to develop open banking in the country. Most significantly, the committee recommends the development of a regulatory framework to enable open banking and calls for safeguards that protect consumers without getting in the way of financial services innovation.

Much of the feedback also addressed KYC concerns and the need for strong authorization and digital identification systems for online transactions. The report concludes that the Canadian government should continue to move forward with implementing open banking. The second phase of the committee’s investigation began in spring 2020 and focuses on governance and cybersecurity.

Regulations and Policy (OSFI)

1. Bank of Canada Announces Project to Update Instant Payment Systems

In its 2019 annual report published May 28, 2020, the Bank of Canada announced plans to replace its two instant payment systems, the Large Value Transfer System (LVTS) and the Automated Clearing and Settlement System (ACSS). The LVTS will be replaced in the second quarter of 2021 by a new high-value payment system called Lynx, and a new instant payments system will be launched in 2022 called Real-Time Rail (RTR).

Payments Canada, the instant payments operator for Canada, detailed plans for all three systems in its Corporate Plan for 2020-2024 multi-year roadmap: The ACSS will be replaced by a new instant payment infrastructure for retail payments between individuals and businesses, but system planning and design will not begin until 2021.

2. Bank of Canada Launches Fintech/BIS Innovation Hub in Toronto

On June 30, 2020, the Bank of Canada announced a partnership with the Bank of International Settlement to establish an innovation center in Toronto. The goal of the center will be to advance and promote fintech innovation within the Central Banking system with a focus on digital transformation in financial services. As of the publication of this report, an opening date for the new center has not been announced.

• OSFI Updated Key Measures for Federally Regulated Deposit-Taking Institutions: On July 23, 2020, the Office of the Superintendent of Financial Institutions (OSFI) updated its FAQs for federally regulated deposit-taking institutions to address issues related to COVID-19.

Bank of Canada

• Bank of Canada Financial System Review 2020: In May 2020, the Bank of Canada released its Financial System Review 2020 analyzing COVID-19’s impact on the Canadian financial system. The report outlines stressors in the financial services market and policies that would provide clarity in times of economic uncertainty.

• Bank of Canada Central Bank Digital Currencies (CBDC) Analysis: In June and July 2020, the Central Bank of Canada issued a set of comprehensive staff analytical notes examining the design, security, privacy and use of CBDCs. The Bank of Canada previously announced that it is developing its own CBDC and is in very early prototype stages.

• Designing a CBDC for universal access: This staff analytical note outlines the various ways a CBDC could be designed using the principles of universal access. The Bank states that it wishes to maximize inclusion and usability and could accomplish this through various means, including developing a custom universal access device (UAD) for storing and transferring digital currency. The Bank also states that the UAD would be used for online transactions, allowing individuals who don’t have access to credit or debit cards to pay with a “cash-like” CBDC. This means creating a UAD that would be portable, like a wallet, and would efficiently conduct small transactions, among other cash-like attributes.

• Privacy in CBDC Technology: The Bank of Canada published this analytical note to outline privacy feasibility for the development of a CBDC in the country. The note explores the risks of operating and maintaining a CBDC system, but it also addresses the design approach for a privacy framework. The Bank presents several insights regarding a privacy-focused CBDC; notably, it suggests:

1. Engineering a CBDC system with above-average privacy levels when compared to commercial products;

2. Forgoing any strategy to achieve cash-like privacy (not KYC or AML compliant);

3. Exploring various technical privacy solutions, including multi-signature and anonymization.

• Security of a CBDC: This staff note addresses the security aspects of launching and operating a CBDC. Bank staff explored the various threats facing CBDCs and the ways the Bank of Canada can increase and retain public trust in relation to CBDC confidentiality and fund integrity. The note suggests that differing CBDC frameworks offer differing levels of security and that any distributed ledger technology systems would require additional safeguards to protect payment authenticity.

• CBDC Adoption and Usage: Insights from Field and Laboratory Experiments: This staff note analyzes the deployment of new payment methods and the potential adoption and use of a CBDC in Canada. Staff indicates that one possible route is to design a CBDC that acts as “enhanced cash.” The goal is to reduce carrying costs associated with cash and to enable electronic transfers.

Canadian Securities Administrators

• CSA Guidance on the Application of Securities Legislation to Entities Facilitating the Trading of Crypto Assets: On January 16, 2020, the CSA issued guidance regarding transactions related to crypto assets in the private sector. Specifically, the guidance seeks “to determine whether securities legislation applies to any entity that facilitates transactions relating to crypto assets, including buying and selling crypto assets.”16 The guidance also answers questions about actual delivery of crypto assets.

FINTRAC

• FINTRAC Advisory: Financial Transactions Related to Countries Identified by the Financial Action Task Force (FATF): Following a February 2020 statement on high-risk regions subject to increased monitoring by FATF, FINTRAC issued an advisory on April 28, 2020, further outlining certain federal directives to address compliance concerns when dealing with subject countries. FINTRAC advised entities to enhance customer due diligence procedures for customers attempting transactions with blacklisted countries.

• FINTRAC Guidance on Reporting Suspicious Transactions: On April 20, 2020, FINTRAC published updated guidance for financial institutions in regard to reporting suspicious transactions under the existing Proceeds of Crime and Terrorist Financing regulations and in light of the pandemic’s effects on the financial services industry. The guidance reflects changes made by the Regulations Amending Certain Regulations Made Under the Proceeds of Crime and Terrorist Financing Act of 2019. The guidance went into force on June 1, 2020.

• FINTRAC Special Bulletin on COVID-19: Trends in Money Laundering and Fraud: In July 2020, FINTRAC issued a special bulletin examining various issues related to money laundering and fraud during the COVID-19 pandemic. FINTRAC stated that suspicious transaction activity related to the pandemic included large cash deposits coming from unknown sources and large deposits being made to businesses with payment models atypical of their profile (bars, gyms, restaurants, etc.). Some of the trends in fraud noted by FINTRAC include merchandise scams, phishing schemes, and identity fraud.17

Office of the Privacy Commissioner

• Bank of Canada Financial System Review 2020: Proposals for Ensuring Appropriate Regulation of Artificial Intelligence: The OPC has developed several proposals, or recommendations, regarding the regulation of artificial intelligence for both the public and private sectors. The 11 proposals include creating laws and provisions that would:

• Define AI for legal application;

• Adopt broader data protection principles;

• Create the right to opt-out of automated decision-making (ADS);

• Increase transparency of data collection procedures and practices.

The OPC solicited comments from stakeholders starting January 28, 2020, and the public comment period ended on March 13, 2020. As of the publication of this report, a timeline for further legislative development and finalization has not been announced.

• OPC Proposal to Amend the British Columbia Personal Information Protection Act (BC PIPA): The British Columbia Information and Privacy Commissioner is proposing a number of legislative changes to the Personal Information Protection Act of the province in order to strengthen BC PIPA and enhance oversight. Further recommendations are planned for fall 2020. The BCIPC solicited public comments on the proposal until August 14, 2020. The three key aspects of the law are mandatory data breach reporting, enforcement, and investigations and order-making powers.

• OPC PIPEDA Report of Findings #2020-001: On August 4, 2020, the Privacy Commissioner of Canada issued this report, which concluded that a Canadian financial institution that had been outsourcing services to a third party service provider in India was in compliance with its obligations under PIPEDA when it made fraud claims against the service provider. The OPC found that the financial institution in question was not required to obtain consent from its customers to transfer personal information.

Office of the Securities Commissioner

• OSC Compliance Update: On May 27, 2020, the Compliance and Registrant Regulation Branch of the OSC announced that regulatory compliance audits that had been postponed due to the COVID-19 pandemic would resume effective that same week. The OSC stated that audits will be directed remotely, and that financial institutions and other firms will have more time to respond to compliance deficiencies.

Payments Canada

• Payments Canada: ISO 20022 Messages for Lynx Standards: On June 15, 2020, Payments Canada published the ISO 20022 messages for Lynx standards for immediate reference. Financial institutions and other vendors can use the messages to update applications. Financial institutions can also use the standards to meet SWIFT’s ISO 20022 migration date for cross-border payments expected for the end of 2022.

ISO 20022 is a global messaging standard for financial institutions that enables payment clearing using a consistent message. ISO 20022 will be supported in the second release of Lynx in 2021.

• Payments Canada Rule on Exchange of Point-of-Service (POS) Delayed Authorization Debit Payment Items for the Purpose of Clearing and Settlement (Rule E5): Following the conclusion of a public consultation, Payments Canada published a new rule on point-of-service delayed authorization debit payment items for the purpose of clearing and settlement. The rule was officially implemented on January 27, 2020. Provisions of the rule remove the requirement for immediate online connectivity. With implementation of this rule, a merchant or business will now be able to choose to provide a service before a payment transaction is authorized.

Legislation

• Amendments to the Ontario Personal Property Security Act (PPSA): Amendments to the existing PPSA to modernize the existing law as it relates to commercial activity came into force on May 15, 2020. The amendments allow for the control of electronic chattel paper, which is a record “that evidences both a monetary obligation and a security interest in or a lease of specific goods.”18 The amendments include provisions that set out rules for control of electronic chattel paper and purchasing of both electronic and tangible chattel paper.

• Canada’s Digital Charter: The Canadian federal government is currently developing a digital charter touting 10 principles aimed at helping guide the federal government with digital and data transformation initiatives. One of these initiatives is the Personal Information Protection and Electronic Documents Act, or PIPEDA. The charter also aims to modernize the existing PIPEDA legislation by enabling innovation and enhancing individuals’ rights, and enforcement and oversight. The 10 principles under the digital charter mostly cover citizens’ rights to have knowledge of who is using their information and for what purpose.

• The 10 principles under Canada’s Digital Charter are:

1. Universal Access

2. Safety and Security

3. Control and Consent

4. Transparency, Portability, and Interoperability

5. Open and Modern Digital Government

6. A Level Playing Field (Fair Competition)

7. Data and Digital for Good (Ethical Data Use)

8. Strong Democracy

9. Free from Hate and Violent Extremism

10. Strong Enforcement and Real Accountability

• Quebec Bill Number 64: The National Assembly of Quebec introduced Bill 64 on June 12, 2020. If passed, the bill would modernize the existing personal privacy framework to more appropriately address concerns regarding the protection of personal information by amending various public and private sector laws to more closely align with the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and the GDPR. As of the publication of this report, further movement on the bill has not been made in the National Assembly or with any other legislative body.

1 Jan-Thomas Schoeps, Tiffany Ramsay, Val Srinivas. “2020 banking and capital markets outlook.” Deloitte, December 3, 2019. bit.ly/2FZWkNm.

2 “Rulemaking.” Consumer Financial Protection Bureau, 2020. bit.ly/3aLFzRg.

3 “Speech by Governor Brainard on ‘An Update on Digital Currencies.’” Board of Governors of the Federal Reserve System, August 13, 2020. bit.ly/3gdX0ew.

4 “Governor Newsom Signs 2020 Budget Act.” California Governor, June 30, 2020. bit.ly/2YoXx7o.

5 “Governor Cuomo Proposes Significant Expansion of Powers of New York Department of Financial Services.” February 18, 2020. bit.ly/2CVl8oL.

6 “Disclosure of Records and Information, CFPB Spring 2020 Agenda.” Federal Register, 2020. bit.ly/3hJgSIc.

7 “Statement on Supervisory and Enforcement Practices Regarding Electronic Credit Card Disclosures in Light of the COVID-19 Pandemic.” Consumer Financial Protection Bureau, June 3, 2020. bit.ly/3lsOmN6.

8 “Authority, purpose, coverage, organization, enforcement, and liability.” 12 CFR Part 1026 (Regulation Z) (2018).

9 “Treatment of Pandemic Relief Payments Under Regulation E and Application of the Compulsory Use Prohibition.” Federal Register (2020). bit.ly/31hOwP7.

10 “The NAIC Insurance Data Security Model Law.” June 2020. bit.ly/2E6aagQ.

11 “§ 1005.1 Authority and purpose.” 12 CFR Part 1005 (Regulation E) (2020).

12 “Remittance Transfers Under the Electronic Fund Transfer Act (Regulation E).” Federal Register (2020). bit.ly/2FZWkNm.

13 “Treatment of Pandemic Relief Payments Under Regulation E and Application of the Compulsory Use Prohibition.” Federal Register, April 27, 2020. bit.ly/31hOwP7.

14 “The NAIC Insurance Data Security Model Law.” June 2020. bit.ly/2E6aagQ.

15 Thompson, Richard M. “The Fourth Amendment Third-Party Doctrine.” Congressional Research Service, June 5, 2014. bit.ly/2QfEKqM.

16 “Guidance on the Application of Securities Legislation to Entities Facilitating the Trading of Crypto Assets.” OSC.gov, Office of Securities Commissioners, June 16, 2020. bit.ly/2FMuYdD.

17 “Special Bulletin on COVID-19: Trends in Money Laundering and Fraud.” FINTRAC, July 2020. bit.ly/2FJ4r0F.

18 “Keeping up with the Americans: Ontario’s Electronic Chattel Paper Legislation Is Now in Force.” Gowling WLG, May 19, 2020. bit.ly/2QfalJ0.

LATIN AMERICA

For banks and financial institutions seeking new opportunities to expand financial inclusion efforts and attract new customers with digital banking services, Latin America is providing a challenging yet fertile digital landscape. The regional fintech sector has only continued to grow in the wake of the COVID-19 pandemic due to a larger consumer demand for mobile financial services. Digital payment applications, used largely for consumer remittance transactions from the U.S., have become increasingly popular in all five of Latin America’s largest fintech markets – Mexico, Colombia, Brazil, Chile and Argentina.

Indeed, some experts are touting Latin America as fintech’s hottest market, due in large part to continued investment and funding in the sector. This declaration of Latin America as a rising star of open banking contrasts with a rather outdated regulatory framework for various electronic services. For example, many Latin American countries promote the use of wet ink signatures instead of digital signatures, and wet ink remains the preferred method for most business: Brazil, Costa Rica and Colombia are just a few of the countries that specifically disallow electronically signed documents to be notarized.

Regulatory authorities have been slow to catch up to the progress of regional fintech business by implementing legal frameworks for digital services, but some of this is due to the widespread preference for cash among consumers living in rural areas and working in the agricultural sector. Most Central American countries are largely agricultural and, while financial inclusion efforts have been moderately successful, banks and financial institutions have yet to leverage consumers’ preference for familiarity in digital transformation initiatives. With an increasing number of fintechs dedicated to modernizing Latin America’s financial sector, banks and traditional institutions such as credit unions are opting either to partner with newcomers or to lobby national governments to restrict the provision of financial services to established entities.

LATIN AMERICA - ONESPAN GLOBAL FINANCIAL REGULATIONS REPORT

BRAZIL

Country Overview

Brazil is debatably the most exciting financial innovation hub in Latin America, and some experts say it is poised to emerge as a world-class financial services innovation hub. Brazil ranked 40 of 192 countries in an Artificial Intelligence (AI) Readiness Index report published in 2019 by research firm Oxford Insights, indicating that Brazil is ready to transition its economy to a technologically focused future. The country has the ninth largest economy in the world. Brazil houses almost 400 fintech startups because it’s been observed that Brazilian consumers are some of the fastest adopters of fintech in South America.1 In January 2020, several French companies established an innovation center in Brazil to support digital startups and improve efficiency at larger firms. With so much optimism surrounding new technology and financial services innovation, it is easy to forget that Brazil’s financial services regulators are extremely vigilant and unabashed in flexing their authority over not just traditional financial institutions, but technology firms as well. In June 2020, Brazil’s Central Bank suspended payment services on the WhatsApp platform after the country’s banks expressed concerns about unfair competition in the payment system market. The Central Bank rescinded this suspension only a month later. This could be due to the larger issue of bank account usage in Brazil: half of the country’s population does not have a bank account, “corresponding to a trade volume of more than $170 million (USD) per year.”2 Brazilians value convenience, and banks in the country have a history of slow service, difficulty of access, and what some citizens say are “abusive” bank fees.

CENTRAL BANK
The Central Bank of Brazil (BCB) is the country’s central bank responsible for monetary policy and is the national financial authority. One of the bank’s primary objectives is promoting financial inclusion policy in Brazil.

Financial services regulators in Brazil will have their hands full as they transition into 2021. Due to COVID-19, it stands to reason that digital financial services, especially those operated by companies other than traditional financial institutions, will continue to rise in popularity. Regulators such as the Central Bank will have to balance the interests of the country’s banks with those of its citizens who haven’t yet been brought into the financial services fold.

DATA PROTECTION AUTHORITY
As of the publication of this report, Brazil’s new data protection authority, officially approved in August 2020, has not begun legislative or regulatory functions, and several administrative positions have not been filled. A date for the data protection authority’s commencement of operations has not been announced.

Other Financial:
The Securities and Exchange Commission of Brazil (CVM) is an independent agency acting as the capital markets authority in the country. It regulates all securities markets, including financial intermediaries.
The Council for Financial Activities Control (COAF) is the national financial intelligence unit of Brazil.

The Ministry of Economy, which operates under the Office of the President, is the country’s primary financial and economic policymaker.

Laws and Regulations

1. Circular No. 3.978 of 2020: Internal AML/CTF Policies for Supervised Entities

On January 24, 2020, the Central Bank of Brazil published this circular in the national gazette. The circular amends rules regarding AML/CTF internal procedures and policies for supervised entities, including banks and financial institutions, and reforms the domestic AML/CTF framework to align with international standards.

Key Highlights for Financial Institutions

• KYC and Customer Due Diligence Procedures: Chapter five of the circular outlines KYC procedures regarding customer identification and promotes a risk-based approach to customer due diligence. According to Article 13 of the circular, supervised entities “must implement procedures designed to get to know their customers, including procedures that ensure due diligence in their identification, qualification and classification.” Additionally, KYC procedures should account for “the customer’s risk profile, including [implementing] reinforced measures for customers classified in higher risk categories.”

• Customer Identification Using Existing Data: According to Section II of the circular’s KYC provisions, supervised entities “must adopt identification procedures that allow verifying and validating the client’s identity.” Natural persons can be identified using the Individual Taxpayer Registry (CPF), and corporate and business accounts can be identified through the National Register of Legal Entities. For natural persons and business clients abroad, the circular outlines a different set of requirements for customer identification.

• Individuals Abroad: “In the case of a natural person resident abroad who is not required to register with the CPF, as defined by the Federal Revenue Service of Brazil, the use of a travel document in accordance with the Law is permitted, and at least the issuing country, number and type of document.”

• Corporate Clients Abroad: “Institutions must collect, at least, the name of the company, the address of the headquarters and the company identification or registration number in the respective country of origin.”

• Customer Qualification: Section III outlines identity requirements for customer qualification for certain financial services. It states that supervised entities “must adopt procedures to qualify their customers through the collection, verification and validation of information, compatible with the customer’s risk profile and with the nature of the business relationship.”

2. Decree No. 10.278 of 2020: Requirements for Digitization of Public and Private Documents

On March 18, 2020, the federal government issued this decree establishing requirements for digitizing public and private documents. The decree also outlines implementation techniques for document digitization.

Key Highlights for Financial Institutions

• Public Key Infrastructure Certification for Public Entities: According to the decree, digitized documents must receive digital certification in line with standards in the Brazilian Public Key Infrastructure (ICP-Brasil) “in order to guarantee the authorship of the digitization and the integrity of the document and its metadata.”

• Digital Document Scanning Between Individuals: In regard to document exchange between private parties, the decree states that “any means of proving the authorship, integrity and, if necessary, the confidentiality of scanned documents will be valid, as long as chosen by common agreement” by the individuals. This also applies if the document is accepted by the intended receiver.

• Responsibility for Digitization: Regarding who is responsible for scanning documents for digitization, the process “may be carried out by the owner of the physical document or by third parties.” However, the “holder” of the physical document is “responsible for third parties” conforming to decree provisions.

• Maintenance and Preservation of Scanned Documents: Digitized documents can be preserved under the decree. It states that storing digitized documents will protect them against “alteration, destruction and, when applicable, against unauthorized access and reproduction.” Additionally, documents without any historical value must be preserved “until the expiry of the limitation periods or lapse of the rights to which they refer.”

3. Decree No. 10.332 of 2020: Digital Government Strategy 2020 to 2022

On April 28, 2020, the federal government issued this decree instituting Brazil’s Digital Government Strategy for the years 2020 to 2022. The decree aims to digitize and modernize services, unify digital channels, and improve interoperability of systems across the country’s public sector. The Digital Governance Committee, which was established under a previous decree (Decree No. 9.759 of 2019), will develop a Digital Government Strategy to modernize services. The Digital Government Strategy will observe provisions in the Brazilian Strategy for Digital Transformation (E-Digital), which establishes the framework for government initiatives surrounding digital modernization.

4. Circular No. 4.015 of 2020: Rules for Open Banking

On May 4, 2020, the Central Bank of Brazil approved this new circular regulating the scope of data and services within the country’s open banking system. The circular lists products and services applicable under this circular as well as under Joint Resolution No. 1, including: prepaid demand deposits, savings and payments accounts, post-paid payment accounts, credit operations, loans, and real estate financing.

5. Joint Resolution No. 1 of 2020: Regulation for Open Banking

This joint resolution was approved by the Central Bank of Brazil (BCB) and the National Monetary Council on May 4, 2020, and provides implementing regulations for open banking in the country by allowing the sharing of personal data between financial institutions and by integrating existing financial institutions’ API systems. The BCB’s open banking initiative aims to encourage innovation, promote competition, and increase efficiency and transparency within the national payments system.

Key Highlights for Financial Institutions

• Consumer Consent: Financial institutions and other entities that collect personal data can now share registration data for consumer consent purposes. However, certain types of registration data are exempted from this rule, including: sensitive personal data, credit scores or ratings, and authentication credentials or other information used to authenticate customer identity.

• Requirements for Sharing Personal Data: Chapter four of the resolution outlines the requirements for sharing onboarding and transactional data when registering customers for open banking API systems. Requests are comprised of three stages: consent, authentication, and confirmation. All three stages must be performed “exclusively through electronic channels” and both customer identification and consent must be obtained prior to personal data sharing, according to Section I. Consumer consent can only be obtained through certain means and according to Section II, it is forbidden for financial institutions and other entities to obtain consumer consent through any one of the following: a standard customer agreement, a form with the agreement field filled out in advance, or based on presumption without any attempt to establish customer “will”.

• Customer Authentication: Section III of the regulations states that customer authentication can be performed “only once for each valid consent”; but in the case of the authentication of a data recipient institution or payment initiation service provider, customer authentication must be performed “once for each interface call.” The regulation requires a risk-based approach for customer authentication procedures and controls. The last stage of customer authentication is customer confirmation of data sharing. According to Section IV, customer confirmation is required to “occur simultaneously with the authentication procedures” in preceding sections.

6. CVM Instruction 626

On June 1, 2020, rules for a regulatory sandbox aimed at improving products and services in the capital market officially went into effect after being issued by the Brazilian Securities and Exchange Commission (CVM) on May 15, 2020. In short, this Instruction aims to support cryptocurrency innovation in a new regulatory sandbox by clarifying legal certainty surrounding testing authorizations in the securities market. The purpose of the sandbox itself, as stated in the Instruction, is to foster innovation in the capital market, guide participants on regulatory issues during the development of activities, reduce costs and maturation time of product and service development, increase visibility and traction of innovative business models, and increase competition between financial service providers in the securities market.

7. General Data Protection Law (LGPD)

The Brazilian government’s national General Data Protection Law (LGPD) went into effect on August 15, 2020, after a series of delays and subsequent overruling from the Brazilian Senate. The law was first published on August 15, 2018. Entities that fall under the law’s scope were originally expected to comply with it by August 1, 2021. However, in late August 2020, the Senate overruled another decision from the lower house, thereby immediately enforcing the law. The only provisions that will not be enforced until 2021 are the application of fines, which gives financial institutions some breathing room to prepare. The scope of the LGPD applies to entities operating in Brazil as well as entities that operate outside Brazil but provide services to Brazilian residents.

Key Highlights for Financial Institutions

• Consumer Right to Request Information About Personal Data: According to the law, data subjects have the right to request a “complete electronic copy” of their personal data from data controllers, including financial institutions. Additionally, consumers have the right to request how their personal data is being processed and used. The new LGPD consolidates several data protection provisions spread across various pieces of legislation, including the Brazilian Internet Act, and is in alignment with the GDPR. In fact, the LGPD provides more data portability rights for subjects than the GDPR, such as the right to request access to information about third parties from companies who have shared information with them and the right to access information on personal data whereabouts at specific organizations.

• Exemptions to the LGPD: The law doesn’t apply to everyone, with several exemptions related to transactions originating outside Brazilian jurisdiction. The LGPD generally applies to any entity, including a financial institution, if it does any of the following:
1. conducts personal data processing in Brazil;
2. processes personal data collected in Brazil; or
3. processes personal data in order to provide a product or service in Brazil.

8. Decree No. 10.474 of 2020: The Regulatory Structure of the Data Protection Authority (ANPD)

On August 27, 2020, the Executive Branch of the Brazilian government published this decree, thereby approving the regulatory structure for the country’s new data protection authority (ANPD). The decree outlines the ANPD’s responsibilities and functions, such as moderating public consultations and analyzing and issuing regulations and standards. A Council of Directors will act as the rulemaking body charged with developing standards and guidance regarding data governance and data protection.

Policy and Legislation

1. Draft Bill No. 5051/2019: The Use of Artificial Intelligence in Brazil

On September 16, 2019, the Brazilian Senate introduced a draft bill providing guidelines and principles for the use of artificial intelligence in the Brazilian public sector. One of the core principles established in the Bill is the protection of privacy and personal data.

The Ministry of Science, Technology, Information and Communications (MCTIC) subsequently launched a public consultation on December 12, 2019, which concluded March 2, 2020. Much of the feedback from stakeholders surrounded concerns about unfair competition from both start-up and Big Tech companies entering the financial services market and the effect of AI use on customer privacy. The draft bill has been forwarded to the Commission for Science, Technology, Innovation, Communication and Informatics (CCT) for a public hearing. As of the publication of this report, a public hearing hasn’t been scheduled.

CHILE

Country Overview

When the COVID-19 pandemic first hit Latin America earlier this year, Chile was already dealing with the effects of social unrest and depreciation of the national economy. With political tensions in the country at an all-time high and an increasing unemployment rate, currently at 8 percent at the time of this writing, the country’s banks are now contending with a negative investor outlook into 2021. With that said, the country’s economy is predicted to remain relatively intact once the pandemic tapers out, and banks are finding ways to help their customers adapt by implementing measures such as debt restructuring and reducing interest rates. Cash is still the most popular method of payment in Chile because people over the age of 45 in the country still prefer to pay cash over card, generally speaking. However, debit cards have shown an increase in popularity in the past decade and stand to gain more popularity under COVID-19. Chile’s banks have a new challenge to contend with in the form of the country’s burgeoning fintech sector. Chile is the third-highest ranked fintech hub in Latin America, after Brazil and Mexico.3 FinteChile, the country’s biggest fintech group, is expected to grow from 75 member companies to 200 by the end of 2020. Fintech companies have gained traction in several financial markets that have historically been underserved, specifically in the small business segment.

CENTRAL BANK
The Central Bank of Chile (CBoC) is the primary monetary authority and policymaker and the central bank of Chile. The bank works autonomously and separately from national authorities, as mandated by the national Constitution.

Chile’s government has largely let the financial services sector regulate itself. However, Congress has taken note of the potential of fintech services to boost the country’s economy and announced plans in 2019 to introduce a dedicated “fintech bill” to regulate the market. Now well into 2020, banks, fintech companies, customers and investors are waiting with bated breath for the new bill to officially be introduced into Congress.

Other Financial:
The Financial Market Commission (CMF) is the country’s primary capital market and insurance market regulator that partners with the Ministry of Finance to develop legislation. Its remit covers insurance intermediaries, as well.

DATA PROTECTION AUTHORITY
As of the publication of this report, Chile has not established a dedicated national data protection authority. However, the country’s Transparency Council, mandated by Law 20.285/2008, oversees compliance with transparency and information disclosure standards. The Council also protects the right of access to public information. The National Standardization Institute (INN) is a non-profit organization created by the government’s Production Development Corporation agency to develop technical standards.

Laws and Regulations

1. Law 21.236: Regulations on Financial Portability

On June 9, 2020, Chilean Congress passed regulations governing financial portability rights for customers and legal entities acting on behalf of a customer. The law is intended to expedite banking services for customers who want to move account information from one financial institution to another. The law officially took effect on September 8, 2020. The Ministries of the Economy and Finance were required to publish clarifying provisions of Law 21.236 within 45 days of it going into effect. As of the publication of this report, clarifying provisions have not yet been published by either ministry.

Key Highlights for Financial Institutions

• Substitution of Responsible Parties: The law states that data portability of financial information can occur one of two ways: with or without subrogation. In cases without subrogation, a customer wishes to terminate existing financial services contracts with one provider and begin a new service contract with a different provider. With subrogation, the customer contracts a new loan provider in order to pay off a loan with the initial provider.

• Identity Verification Responsibility: The law states that, in any case of data portability, it is the new provider’s responsibility “to verify the identity and legal capacity of the client who accepts the offer and grants the aforementioned mandate.”

• Identity Verification for Registry: When new entities register a request for data portability in cases of subrogation, “only the presentation of the new credit contract and the respective payment receipt issued in accordance with the conditions, deadlines and formalities indicated in the regulations will be required.” However, the law states that entities may also “request for documents that the responsible entity deems necessary to prove the representation, capacity or identification of the person requesting to register the certificate.” The new provider must request this information from the initial provider within 30 days of credit subrogation.

• E-Signature Requirement: Article 32 of the law modifies existing clauses within the Decree Law No. 3.475, itself a modification of the Stamps Law in Decree Law No. 617. The clause regarding certificate signing requests states that “the certificate request may be made in person or digitally, and must be issued, digitally or physically, as requested, within three business days following the respective request date. In case it is requested that the certificate is issued virtually, it must be issued with an electronic signature in accordance with Law No. 19.799, on Electronic Documents, Electronic Signature and Certification Services of said Signature.” A certificate signing request is an encrypted message sent from a supervised entity to the authority in charge of public certificate registration (PKI) requesting application for a digital identity certificate.

Additionally, in cases where the portability request includes the client’s commitment not to increase subject debts above a certain amount, “both parties must sign the contracts included in the offer, updated in accordance with a new settlement certificate or the updated corresponding debt … the credit line opening contracts or products that have associated credit lines must be available for signature, no later than the next bank business day from the updated delivery of the customer’s debt information by the supplier.” These contractual conditions can be met with electronic signature under the law.

2. Law 21.234: Limits the Responsibility of Payment Card Holders and Electronic Payment Users in Event of Loss, Theft, or Fraud

On May 29, 2020, the Chilean Congress passed a law limiting the responsibility of payment card holders and electronic payment users who fall victim to loss, theft or fraud (including identity theft and identity fraud), by providing new requirements for payment card issuers and electronic transactions. The law went into official enforcement that same day. It places responsibility to protect customer and user information firmly on payment card issuers, including financial institutions.

Key Highlights for Financial Institutions

• Identifiers for Customer Notice of Loss, Theft, or Fraud: Under new requirements, payment card issuers and entities providing electronic payments as part of their financial services “must provide the user, every day of the year, twenty-four hours a day, channels or services of communication, of free and permanent access, that allow to make and register [loss, theft or fraud] notices. By the same means of communication, and in the act of reception, the issuer must give the user a number, reception code or tracking identifier, and the date and time of the notice, immediately proceeding to block the respective means of payment, regarding its functionality to make payments or electronic transactions.”

• Types of Malicious Behavior Involving Authentication Credentials and Identity: The law outlines several “behaviors” that qualify as fraudulent. The misuse of authentication credentials and impersonation of someone else’s identity are both listed as punishable acts that could result in imprisonment and fines.

Policy and Legislation

1. Draft Bill to Regulate the Protection and Processing of Personal Data and Create the Personal Data Protection Agency

Though this bill was first introduced to the Senate in March 2017, it remains in draft form and only recently went to the Senate Finance Commission for its first review on March 16, 2020. Once passed, the bill will officially establish the country’s national Personal Data Protection Agency along with regulations for protecting personal data by updating the existing legal framework under Law 19.628. Regulations will align with the GDPR and other international data protection standards, and they will provide guiding principles for data protection and data processing. Three separate ministries are developing the bill: the Ministry of Economy, Development, and Tourism; the Ministry of Finance; and the President’s General Secretariat. As of the publication of this report, the bill has not moved past Finance Commission review.

Key Highlights for Financial Institutions

• Establishment of Personal Data Protection Authority: One of the provisions of the draft bill calls for setting up a data protection agency tasked with regulating and supervising non-compliance with the law.

• Requirements for Processing of Sensitive Personal Information: The new law will outline requirements for processing sensitive personal information such as biometrics and geolocation data.

• Requirements for International Data Transfer: Financial institutions will have to abide by new requirements for data processing during international transfers of data.

2. BCCh RTGS Interbank Payment System Regulations

On December 26, 2019, after a two-month public consultation process, the Central Bank of Chile (BCCh) published a regulatory framework for implementing the country’s new Real-Time Gross Settlement (RTGS) interbank payment system for payments made in USD.

Key Highlights for Financial Institutions

• “By way of example, it is stated that the security mechanisms of SWIFT are included in the SLS (Secure Login & Select) services that guarantee that the institution that is connecting to the SWIFT network, and therefore sending messages, is the one that claims to be, and the RMA (Relationship Management Application) that allows SWIFT messaging exchange between the parties, to authenticate the origin and destination, and verify the content of the message. Also, the SWIFT interface software allows each participant to discriminate the accesses that he will give to each of his proxies, limiting the amounts and types of messages they can send.”

• “In the same character indicated in the previous number, it is recorded that the BCCh’s security mechanisms include, among others, the detection of duplicate FTTs (through the unique identification in the TRN of the SWIFT messages), the mechanisms access through browser workstations and duplication of information stored. Likewise, there is redundancy and high availability of equipment, applications, communication lines and alternate processing site.”

• Security Requirements for Operational Continuity and Security of the Communications Network: To streamline security operations when operating through the SWIFT or other comparable network, entities must implement “advanced protection solutions on the stations that connect to the [communication network] (e.g. Multifactor Authentication, Intrusion Prevention Systems and Host Firewall, among others).”

COLOMBIA

Country Overview

In September 2020, the Colombian Ministry of Finance and Public Credit unveiled rules for a fintech regulatory sandbox it launched in early 2019, to the delight of both banks and consumers. Up until the launch of the sandbox, movement on fintech policy and legislation in the country was slow-moving and modest. But with the reveal of its Development Plan for 2018-2023, Colombia’s government has asserted its dedication to increase financial inclusion and has become a respectable challenger to the regional fintech giants, such as Brazil and Mexico. After a 61 percent growth in fintech business in the private sector for 2019, Colombia officially has the third largest fintech industry in South America. Mobile growth in Colombia in 2019 topped a whopping 147 percent, according to numbers from the SFC.4 In contrast, ATM use and payment terminal use increased 13 and 22 percent, respectively. And before the pandemic, approximately 80 percent of Colombian adults had deposit accounts with a bank. Indeed, Colombians don’t seem to be wanting for access to bank accounts, with more of them onboarding during the COVID-19 pandemic than in all of 2019.5 Much of this increase was due to a mandate for individuals to have bank accounts in order to receive pandemic-related federal aid. The country’s largest banks as well as fintech newcomers answered the call, accounting for most of the new customer acquisition. The private fintech sector seems to be expanding more quickly than national authorities can develop regulations and standards, with more than 120 startups registered for the regulatory sandbox in 2020.6 As of the publication of this report, a dedicated fintech law has not been announced by any financial authority. Instead, there seems to be a focus on sub-sectors within fintech and issuing guidelines specific to those subsectors, such as payments and crowdfunding.

CENTRAL BANK
The Central Bank of Colombia is the primary financial policymaker and central bank of the country, issuing currency and regulating exchange rates. One of the bank’s primary functions is to promote financial inclusion. It is a member of the international Financial Inclusion Alliance.

DATA PROTECTION AUTHORITY
The Superintendence of Industry and Commerce (SIC) is a government regulatory agency that ensures fair competition and promotes economic growth in the private sector. Among its functions are issuing technical standards and ensuring compliance. The SIC is divided into six departments, three of which are Consumer Protection, Personal Data Protection, and Technical Regulation.

Other Financial:
The Financial Superintendence of Colombia (SFC) is an independent government agency that monitors and supervises the financial, insurance, and securities markets in Colombia, including implementing and enforcing financial data protection measures. The agency also provides investor protection.
The Ministry of Finance and Public Credit is the government ministry responsible for implementing financial policies approved by Congress and developing its own policies geared toward financial inclusion.

Laws and Regulations

1. Circular 026 of 2019

On November 8, 2019, the SFC issued a circular outlining new requirements for the use of mobile devices and security measures to protect consumer financial information. The circular is in line with the Superintendence’s goal to promote new digital technologies to reduce risks associated with the use of cash.

LATIN AMERICA - ONESPAN GLOBAL FINANCIAL REGULATIONS REPORT

With the circular, the SFC repealed instructions issued in Circular Letter 093 of 2010 with four new requirements:
• Cybersecurity Mitigation at Physical Facilities: “1) Restrict the use of mobile devices or personal communication elements to financial institution officials in areas where deposits, payments and withdrawals are made, or in any area where the financial institution identifies the need to restrict business hours to the public;
• Consumer Mobile Use: 2) Authorize the use of mobile devices by financial consumers while at financial institution facilities, such as bank branches;
• Consumer Disclosure for Expressing Concerns: 3) Demand the publication of instructions on the officials or areas responsible for receiving deposits, payments and withdrawals, without prejudice to having a way for consumers to express concerns;
• Police Escort with Cash Withdrawals: 4) Inform consumers about the possibility of National Police escort in cases of certain cash withdrawals.”

2. Circular 029 of 2019
On December 11, 2019, the SFC issued a circular promoting the adoption of technologies such as blockchain, artificial intelligence, and augmented reality to better provide financial services to consumers, and it outlines security requirements for biometric authentication. It calls for modifications to several chapters of the country’s existing Basic Legal Circular, which is the set of general rules governing financial institutions in Colombia.

Financial institutions have until June 2021 to comply with the new security standards. Prior to that, financial institutions have until December 2020 to notify customers of the ability to enable recurring payment registration with debit cards or with third parties that charge savings, checking and/or credit cards.7

The circular also covers:
• Cloud Computing Data Collection: The first modification calls for changes to Subnumeral 3.5 of Chapter VI, the “Rules relating to the use of cloud computing services” section of the Basic Legal Circular. The changes address the type of cloud services available, the type of information collected for processing, and the security controls for data protection in “virtualized environments” or cloud applications.
• Biometric Use in Financial Services: The circular calls for integrating instructions for implementing and using biometric technology as part of financial services. The specific change modifies Chapter 1, Title 2 of Part 1 of the Basic Legal Circular.
• Data Portability: The circular also calls for standards for the exchange of information when carrying out monetary operations such as electronic transactions. This change calls for modifying Subnumeral 3.2.3.4 and Subnumeral 3.2.4.6 of Chapter 1, Title 3 of Part 1 of the Basic Legal Circular.

3. Circular No. 5 of 2020
On June 17, 2020, the SIC issued a circular tied to Decree 682 of 2020 with instructions on the collection and processing of personal data on days where value-added taxes are exempt. Decree 682, issued in response to COVID-19, primarily applies to retail consumers or “final consumers” and excludes transactions such as office leasing. Circular No. 5 complements the decree and became effective immediately.

Circular No. 5 instructs entities to:
• Comply with all applicable personal data protection regulations and laws;
• Implement SIC recommendations on advertising, marketing and electronic commerce, including the Guide on the Processing of Personal Data for the Purposes of Electronic Commerce and the Guide on the Processing of Personal Data for the Purposes of Marketing and Publicity;
• Inform consumers about personal data collection;
• Guarantee enhanced liability over the treatment of sensitive personal data and not condition any consumer service on consent to the collection of sensitive personal data.

4. Resolution 32821 of 2020
On July 1, 2020, the SIC published a resolution regarding the implementation of multiple legal measures in response to the COVID-19 pandemic. The resolution mandates the resumption of verification procedures established under item 11 of Article 58 of Law 1480 of 2011. The item in question outlines requirements surrounding verification compliance procedures and the means of electronic communications to be used in compliance matters.
• Electronic Communications and Signature Use: “The servers and contractors of the Delegation will use the technological means in all the actions, communications, notifications, and will allow the parties, lawyers, third parties and intervening parties to act in the compliance verification process through the media technologies available, without requiring unnecessary formalities. The memorials, powers and other communications may be sent and received by mail electronic avoiding presentations or personal or additional authentications of some kind. The PDF format will be used for written documents sent or received by electronic media. The parties, lawyers, third parties and participants in the compliance verification procedures must provide [an] email address to receive communications and notifications. For the signatures of the orders and other actions by the judge, officials and secretary, digital signature will be used.”

5. Circular 008 of 2020
On August 18, 2020, the SIC issued a circular outlining instructions for personal data collection and processing within the framework of biosafety protocols issued by the Ministry of Health and Social Protection. The circular applies to supervised entities, including financial institutions, in situations in which certain biosafety protocols must be carried out.

The circular also covers:
• Personal Data Collection and Processing Standards: There are five standards for data collection and processing:
  1. “Misleading or fraudulent means cannot be used to collect and process personal data.
  2. The person must be informed of the specific purpose of data collection.
  3. Data can only be collected for purposes for which they are required.
  4. Data other than those expressly required by the Ministry of Health and Social Protection should not be collected.
  5. Except in cases expressly provided by law personal data may not be collected without the prior, express and informed authorization of the owner.”8

Laws and Regulations

1. Fintech Regulatory Sandbox Rules: Decree 1234 of 2020
In September 2020, the Ministry of Finance and Public Credit issued a decree to “promote innovation in financial services through the establishment of a regulatory sandbox for companies dedicated to implementing financial technology innovation.”9 The Decree allows exemptions from general requirements of the General Finance Statute, Decree 2555 of 2010. One of the exemptions would allow financial credit-related operations for unlicensed companies.

COSTA RICA

Country Overview
While most countries in Central America have managed to maintain stable economies moving into 2021, Costa Rica is facing a 23 percent unemployment rate, the highest it’s been in decades. The COVID-19 pandemic has hit the country particularly hard compared to countries of comparable population size and GDP ranking, and some recently shot-down government measures, including increasing income and property taxes, have exacerbated already high emotions among the public. The country has seen an uptick in social upheaval and general malaise and distrust among private sector stakeholders.

This might come as a surprise for a country recently recognized by the international Organization for Cooperation and Economic Development for its progress in digital transformation.10 According to the OECD, digital technology use in Costa Rica is well above average compared to other Latin American countries and the national government has done a well-informed job of implementing digital transformation policies to streamline public sector operations while promoting innovation in the private sector. In just the past two years, it has formed a national digital transformation strategy and implemented modernization plans for various government agencies.

Additionally, the fintech sector in Costa Rica is growing, with 25 fintech start-ups in the country, the majority comprised of SaaS companies providing services for financial institutions.11 Like most governments in the region, Costa Rica doesn’t have a dedicated regulation establishing open banking rules and hasn’t announced plans to develop one as of the publication of this report. This is puzzling, because while digital innovation is high, opening a bank account in Costa Rica can be difficult. The barrier to entry for opening a personal account requires a copy of a passport, current bank statements and an explanation of fund sourcing.12 Consumers could benefit from rules de-regulating the account opening process for adults.

For the time being, Costa Rica is prioritizing its dedication to modernize its public services and operations, and there is very little on the books for financial institutions looking for guidance on digital transformation, innovation and cybersecurity.

CENTRAL BANK
The Central Bank of Costa Rica (BCCR) is the primary monetary authority and policymaker in Costa Rica.

Other Financial Authorities:
The General Superintendency of Financial Institutions (SUGEF) is the national agency supervising financial institutions to ensure compliance with national and international financial regulations.
The General Superintendency of Securities is the primary securities market regulator.

DATA PROTECTION AUTHORITY
The Agency for the Protection of Individual’s Data (PRODHAB) is the national data protection authority, charged with data law compliance and regulatory development.
The Ministry of Science, Technology and Telecommunications (MICITT) is a state body governing and promoting compliance with a number of public policies, including the creation of a digital transformation framework.

Laws and Regulations

1. INTE/ISO/IEC 27103: Guidance on Cybersecurity Standards: Security Techniques and Application Security
On February 21, 2020, the Information Security Committee of INTECO approved guidance meant to facilitate compliance with the existing ISO Standard 27103 of 2018, which provides best practices and techniques for cybersecurity applications.

Policy and Legislation

1. Ministry of Finance Hacienda Digital of the Bicentennial
On February 19, 2020, the Ministry of Finance published the Hacienda Digital of the Bicentennial, its official plan to modernize its processes and services as part of the national digital transformation strategy. The Ministry of Finance specifically wants to “strengthen fiscal stability by improving the efficiency of public expenditure management and operation performance” in tax administration and trade facilitation.

2. PRODHAB Notification on National Privacy Strategy
On July 20, 2020, PRODHAB issued a press release updating stakeholders and the public on development of its National Privacy Strategy, which aims to implement recommendations issued in late 2017 by the Organization for Cooperation and Economic Development (OECD). According to the press release, the strategy outlines possible solutions to privacy issues including safe harbor provisions, and personal data protection provisions in cases of cross-border transfers of data.

PRODHAB announced plans to present the strategy for stakeholder review and public consultation. As of the publication of this report, a consultation schedule has not been announced.

EL SALVADOR

Country Overview
Perhaps because it is the smallest country in Central America – not to mention one of the most densely populated countries in the world – “fintech” and “financial inclusion” may not come to mind when you think of El Salvador, a country known primarily for raw production. Though the country has been grappling with low GDP growth and will face certain GDP contraction moving into 2021, fintech development and the national government’s dedication to create a more financially inclusive economy poise El Salvador for exciting developments in digital banking.

Of El Salvador’s approximately 6.5 million people, roughly 30 percent have a formal bank account, meaning 70 percent of the population has limited access to financial services.13 However, of the 30 percent that do have bank accounts, 34 percent prefer to carry out transactions digitally and another 9.2 percent prefer alternative payment methods. Still, 44 percent prefer to conduct transactions in-person at bank branches. The numbers, while showing a growing preference for digital banking, demonstrate the specific challenge facing banks and other providers of digital financial services: providing services to low-income people or people living in rural areas who may not have the necessary technology to conduct digital transactions or open a digital banking account.

With that said, banks continue to go digital in El Salvador, and the national government and Central Reserve Bank are trying to keep up. Several initiatives have been announced, including plans for a national data protection and cloud computing law.

Like most countries grappling with the speed of digital financial services, El Salvador doesn’t have a dedicated fintech law to guide private and public sector stakeholders. The passage of a fintech law will be crucial to the country’s financial inclusion initiative.

CENTRAL BANK
The Central Reserve Bank of El Salvador is the central bank of El Salvador. The bank was privately owned until it became a public entity through the Central Banking Reorganization Law. The Bank is a member of the Alliance for Financial Inclusion.

Other Financial Authorities:
The Superintendence of the Financial System (SSF) is the primary supervisor and enforcer of all Central Bank provisions overseeing financial institutions operating in El Salvador.

DATA PROTECTION AUTHORITY
As of the publication of this report, El Salvador has not established a dedicated national data protection authority.

Laws and Regulations

1. Technical Standards for the Registration, Obligations and Operation of Entities that Perform Operations of Sending or Receiving Money through Subagents or Administrators of Subagents (NRP-19)
On September 20, 2019, the Standards Committee of the Central Bank passed these new technical standards, which repealed the Technical Standards for the Registration, Obligations and Operation of Entities that Perform Money Sending or Receiving Operations (NRP-12). The standards establish the legal framework for money transfers while encouraging financial inclusion and promoting best AML/CTF practices by integrating an “administrator of subagents and its network of subagents”, referring specifically to businesses carrying out operations for money transfer companies. Ultimately, the regulations aim to establish provisions for third parties carrying out money transfer operations on behalf of an obligated party to promote the availability of fintech services.

The new standards apply to “legal persons” in El Salvador that carry out money transfers in “a systemic or substantial way, by any means, on their own or with business entities, nationally and internationally.” This means money transfer activity that is “significant activity within the entity’s business operations”.

2. Electronic Commerce Law
On October 29, 2019, the national Legislative Assembly introduced the Electronic Commerce Law, which aims to establish a legal framework for “electronic relations of a commercial, contractual nature” carried out digitally, such as electronic commercial transactions. The law applies to both public and private sector entities and includes the exchange of contractual goods or services through digital channels. Applicable businesses operating outside of national territory will be regulated by Salvadoran authorities according to international conventions or treaties. The law outlines 29 provisions and establishes three provisions for legal governance: the principles of functional equivalence, technological neutrality, and non-repudiation, which grants the same legality and value to electronic documents as physical documents.

The law officially entered into force October 29, 2020.

Key Highlights for Financial Institutions
• Use of Technology for Written Verification: Article 8 of the new law establishes that the obligation for written verification within the context of e-commerce “will be considered fulfilled when it is carried out through electronic support” and stored for later use. For contracts that must be signed by “intervening parties”, the same requirement is fulfilled through electronic signature, in accordance with the Electronic Signature Law.
• Error in Electronic Commercial Communications: Article 10 establishes rights relating to errors during e-commerce communications. It states that when an error occurs “at the time of entering the data in a commercial communication,” the payer or initiator has the right “to withdraw said communication or send a message communicating the mistake to the addressee” or payee as long as the transaction or payment hasn’t been accepted.
• Validity and Effectiveness of Contracts Concluded Electronically: Article 14 of the law states that contracts concluded by electronic means “will produce all the effects provided by the legal system when consent and the other legal requirements necessary for its validity” are met. It also says that consent must be obtained through an “automated” system.
• Confirmation Process and Personal Data Verification: Article 16 of the law states that customers must be afforded the opportunity to “verify, modify and confirm” commercial orders or transactions by establishing a number of variables -- such as payment or order destination and verifying personal data.
• Obligation to Provide Proof of Transaction: Article 17 of the law provides obligations for entities to provide proof of payment to users. It states that “once the transaction has been made, [the service provider] will send the user an electronic proof of payment.”
• Electronic Invoice: Article 18 states that electronic invoices issued by service providers will be granted the same tax and accounting validity as a conventional invoice, “as long as they comply with the relevant legislation, tax regulations and its regulatory provisions.”
• Information Security and Confidentiality: Article 20 states that service providers must use “specialized standards” and available technology to “provide security and confidentiality to personal and credit information provided in the platforms used for electronic commerce.” Additionally, relevant personal data protection provisions should be followed, including the Law for the Regulation of Information Services on the Credit History of the People.
• Acknowledgment of Receipt: Providers must also confirm receipt of the payment or services acceptance by “sending an acknowledgment of receipt via email or other electronic communication means that the user has indicated.”

3. Revised Technical Standards for the Start of Operations and Operation of Electronic Money Providers (NASF-07)
On August 19, 2020, the Rules Committee of the Central Reserve Bank approved technical rules for the registration and operation of electronic money providers operating within national territory. The new rules regulate the requirements and processes for the authorization of electronic money provider services while facilitating financial inclusion. Entities that must comply with the rules include electronic money provider companies, as well as banks, cooperative banks, and savings and credit companies interested in providing electronic money services.

Key Highlights for Financial Institutions
• Authorization for the Start of Operations and Registration of a Provider Company: Article 4 of the new rules outlines several requirements for registration of electronic money provider companies related to incorporation, calling for 11 different types of contractual and business documents that must be notarized and/or signed.
• Operating Model Requirements: Article 5 of the rules outlines eight minimum requirements for operation of an electronic money service. They include:
  • A general technical description of technology to be used in operations;
  • A mechanism of identification and a method of registering customer information to provided services;
  • A method of providing security keys to customers and a notification procedure for denial of service;
  • A mechanism to guarantee the linking of an electronic money register to a single natural person.

• Information Security: Article 6 states that electronic money service providers are required to manage information security in accordance with two sets of existing technical standards approved by the Central Bank’s Standards Committee: the Technical Standards for Security Management Information (NRP-23) and the Technical Standards for the Continuity Management System of the Business (NRP-24).
• Electronic Money Services Provider Obligations: Article 28 states that providers must comply with several obligations, some of which are related to participant identity.
  • Item A states that providers must “comply with the procedures, measures and internal controls” instructed by suppliers, or the banks providing the service, including due diligence and KYC policies.
  • Item B adds the requirement for client confidentiality.
• Contracting Services: Article 41 outlines specific responsibility regarding electronic money providers’ obligations to contracting services, including information security of contractor customers, and refers to the Technical Standards for Information Security Management (NRP-23).
• Minimum Content of the Contracts with Electronic Money Providers and Participants: Article 30 of the new rules establishes minimum requirements when participants sign electronic money service contracts, including the identification of contracting parties; provision of an electronic platform that will support service through mobile devices; and the obligation to comply with legal and regulatory frameworks regarding AML/CTF.

Policy and Legislation

1. Update to the Special Law Against Cyber Crimes
On October 27, 2020, the Commission for Public Security and Combating Narco-Activity announced plans to create an inter-agency technical table as part of an initiative to update the Special Law Against Cyber Crimes. The announcement comes after the Commission received a report about violent crimes from the Institute of Legal Medicine by the Supreme Court of Justice.

The report suggested the classification of new types of digital crimes, including “undue or illicit exposure of personal information, spoofing of websites for the extraction of personal data, non-consensual transfer of assets, crimes related to electronic signatures, digital harassment against legal and natural people, data hijacking and identity theft.”

The Commission also announced plans to establish a technical team representing the Cybersecurity Committee and other public and private institutions. The team will be in charge of presenting a draft bill to the Commission.

GUATEMALA

Country Overview
Because it shares a border with three other Latin American countries, including Mexico, and because it is the most populous country in Central America, Guatemala has the largest economy in Central America. Its economy relies primarily on agricultural production and the exportation of coffee, bananas, and raw sugar, among other crops. However, though Guatemala’s economy is stable, the country’s economic landscape is complex and Guatemalans grapple with issues related to income inequality, unregulated employment practices, and remittance standards. The national government is not as well equipped or well funded as comparable administrations because the government receives on average between nine and 11 percent of annual GDP earnings.14 The government’s limitations in providing quality services, including financial services, have created a public lack of incentive to pay taxes or self-regulate.

In this context, it’s perhaps no surprise that the use of financial services, much less digital financial services, is not yet widespread in Guatemala though it is growing at a rapid pace. According to the country’s plan for financial inclusion, only 44 percent of adults have a deposit account and just over 13 percent have a bank loan, meaning that more than half the population does not use regulated financial services products. Approximately half a million people use mobile financial services, an underwhelming amount when you consider the country has 17 million people.

Additionally, Guatemalan migrants make up a large portion of electronic money transfers to the country and there is no centralized national remittance transfer system for migrants to use. They primarily rely on fintech applications. In fact, according to research from MIT’s Digital Lab published in May 2020, there’s a great opportunity for digital financial services to meet the financial needs of smallholder farmers, should providers be able to establish trust.15

In the past year, the national government has launched a financial inclusion plan aimed at streamlining financial services and providing greater access to digital financial services, such as promotion of remittance transfers through the digital voucher apps. Additionally, a digitization plan for micro-, small, and medium-sized businesses has been launched because one of the greatest barriers to electronic transaction use is the lack of a digital POS system to conduct transactions. The government’s financial regulators have said they will continue to roll out various regulatory and legislative initiatives into 2021 with the goal of attaining greater financial inclusion for consumers.

CENTRAL BANK
The Bank of Guatemala is the central bank of Guatemala.

Other Financial Authorities:
The Superintendency of Banks (SIB) is the primary financial services regulator for the country of Guatemala. The Bank issues legislative decrees and standards aimed at increasing financial inclusion and protecting consumers.

DATA PROTECTION AUTHORITY
As of the publication of this report, Guatemala does not have a dedicated data protection and privacy authority or a data protection law governing basic principles of data privacy. Plans for the development and passage of a data protection law have not been announced.

Laws and Regulations

1. Decree 6-2020: Authorization of Electronic Check Use
On March 18, 2020, the Congress of the Republic of Guatemala issued a decree authorizing the use of electronic checks in response to the COVID-19 pandemic. The decree makes several amendments to the national Code of Commerce to allow for the use of electronic checks in order to promote international best practices and modernize the financial system. Most significantly, the amendments grant the same legal validity to electronic checks as physical checks, particularly during clearinghouse transactions.

Key Highlights for Financial Institutions
• Authorization of Electronic Checks: Article 611 addresses the legal validity of electronic checks. It states that “the copy of the paid digital check issued by the bank, with the proof that it is a true copy, will have the same legal effects, efficacy, validity, binding force and evidence as the physical checks.” Article 611 also clarifies check truncation processing and stipulates that banks must acquire digitized copies of paid physical checks before destroying them.

2. Monetary Board Resolution JM 42-2020: Amendments on the Regulations for the Administration of Technological Risk
On April 24, 2020, the Central Bank of Guatemala issued a resolution passed by its Monetary Board that establishes technological risk requirements for companies providing financial services. The new requirements apply to banks, financial institutions, and offshore companies providing financial services.

Key Highlights for Financial Institutions
• Introduction of Pseudonymized Information: Several co
• Technological Risk Policies and Procedures: Regarding technological risk (defined as “the contingency that the interruption, alteration or failure of IT systems” are harmful to public and private financial institutions), Article 3 of the resolution states that “policies and procedures must include, at least, the methodologies, tools or models for measuring technological risk” in addition to IT systems, IT security, cybersecurity, disaster recovery plans, and information processing and outsourcing.
• Information Security Management: Article 17 of the resolution outlines methods for information security that “guarantee the confidentiality, integrity and availability of the data, as well as to mitigate the risks of loss, undue extraction and corruption of the information.” The methods include the “identification and classification of information according to criteria of sensitivity and criticality.”
• Financial Operations and Services Through Electronic Channels: Article 19 of the resolution states that financial institutions providing digital financial services should implement basic security measures to protect information and IT systems.
  • Mechanisms for the protection and control of IT infrastructure, information systems and databases, with respect to cybersecurity management.
  • Security measures for the exchange of information that is backed by a digital certificate, data encryption or other mechanism that can guarantee the authenticity, confidentiality, integrity and availability of the information.

Policy and Legislation

1. MSME Digitization Plan 2019-2022
On October 23, 2019, the Ministry of Economy launched a digitization plan that aims to support approximately 15,000 micro-, small-, and medium-sized businesses in adopting best digital practices to enhance products and services. The plan calls for the Ministry and its technology partners to support business into late 2022.

2. National Financial Inclusion Strategy for Guatemala ENIF 2019-2023
On October 31, 2019, the Ministry of Economy in partnership with the SIB and the Bank of Guatemala published plans for Guatemala’s National Strategy for Financial Inclusion. The strategy, to be implemented through 2023, aims to develop sustainable economic growth and improve quality of life by fostering greater access to financial products and services. The document presents a high-level overview of financial inclusion plans. It outlines approved laws and regulations that support financial inclusion, discusses the Monetary Board’s approval for the creation of the national Financial Inclusion Commission (COMIF), details strategic elements of implementing the strategy, and presents a timeline for multiple financial inclusion initiatives. These include a modification of the regulation on mobile financial services, a draft law on electronic money and its implementing regulations, an electronic signature disclosure campaign, and a comprehensive framework for fintech development. However, as of the publication of this report, no legislative movement has been made on the aforementioned initiatives (i.e., no public consultations, etc.) and an update to the implementation timeline hasn’t been announced.

3. Letter of Understanding on Cooperation Matters for the Creation of the Notarial and Forensic Electronic Stamp
On January 10, 2020, the Ministry of the Economy and the Association of Lawyers and Notaries of Guatemala signed this letter of understanding to create electronic forensic and notarial stamps. The new stamps will allow active registered lawyers and notaries to use a virtual wallet, accessed through a Bar and Notaries Association portal, to purchase sets of electronic stamps to use on electronic documents. Virtual wallet holders would deposit more money once they run out of stamps. The stamps will be identified by a specific color depending on the amount purchased.

Ultimately, the use of electronic stamps would get rid of judicial requirements for printed documents and could be a precursor to wider use for commercial sector transactions.

4. Implementation of Institutional Advanced Electronic Signature (Digital Certificate)
On September 1, 2020, the Ministry of the Economy announced the requirement for the Registry of Secured Transactions to begin sending and receiving documents using the Institutional Advanced Electronic Signature, the public digital certificate that can be used in addition to QR codes to strengthen transaction security, effective immediately. Documents covered by these plans include registration of incorporation, modification, extension, cancellation and execution of security interests, issuance of query reports and issuance of certifications.

HONDURAS

Country Overview
Honduras, known to its international partners as an industrious exporter of textiles and other natural resources, is experiencing a period of relative financial and political stability after years of enacting reforms to various laws aimed at stoking foreign investment and aligning with international standards, such as the Basel core principles. Banks largely remained unregulated prior to Hurricane Mitch in 1998, but that soon changed thanks to their significant contribution to the financial system as a whole, providing 95 percent of total assets.16 The country’s banking sector is relatively small compared to other Latin American countries of comparable size and economic status, comprised of 15 private regional banks that have received the majority of foreign investment. The Central Bank’s supervisory and enforcement powers were strengthened through the adoption of a risk-based supervisory model that amended financial sector laws between 2004 and 2013.17 The project modernized the Central Bank with the introduction of new technologies and helped bring Honduras back into stable economic standing.

However, recent regulatory development in Honduras related to fintech and digital transformation has been minimal, at best; the country doesn’t have a dedicated fintech law or a national data protection law, though it has launched promotion for its financial inclusion initiative targeted toward women. In early 2019, the Honduran National Congress had announced plans to develop and imminently approve a Law on the Protection of Confidential Personal Information, but as of the publication of this report, further legislative development has not moved forward and further announcements have not been made. In fact, some legal experts conclude that Honduras’ “bank secrecy principle” suppresses open banking development in the country. Additionally, the Financial Services Authority, the regulatory agency that would potentially oversee fintech operations and enforce rules in the country, has not made any legislative updates related to digital financial services in 2020.

The lack of regulatory action from national authorities is puzzling, considering a large portion of the Honduran population understands the value of digital financial services. By 2017, digital wallet use in Honduras had risen 71 percent from the two years prior. A majority of the transactions were remittances from urban areas to rural areas.

Though the country’s economic outlook remains stable in the aftermath of COVID-19, profitability across all sectors has taken an economic hit, including the commercial banking sector.18 Banks and financial institutions in Honduras stand to gain new customers and new technologies, should the national government and regulatory authorities prioritize digital transformation and financial inclusion moving into 2021 and beyond.

CENTRAL BANK
The Central Bank of Honduras is responsible for maintaining national currency stability and developing monetary policy.

DATA PROTECTION AUTHORITY
The National Civil Registry is the government agency in charge of issuing identification documents to Hondurans and protecting sensitive personal information. The agency manages the civil registration system.
The Institute for the Access to Public Information is a regulatory government agency that ensures public access to information and protects the data rights of citizens.

Other Financial Authorities

The National Commission of Banks and Insurance (CNBS) is the primary authority governing the financial and insurance sectors in Honduras. The Commission’s functions include drafting regulations and promoting financial inclusion. The Fintech and Technological Innovations Committee (CFIT) works under the Commission to support regulatory and technical initiatives related to fintech.

The Financial Services Authority (FSA) is the primary regulatory agency for the financial services industry outside of the scope of the Banking Act and Insurance Act. The agency is also the main regulatory body developing anti-money laundering rules in Honduras.

Laws and Regulations

1. Decree No. 33-2020: Law to Aid the Productive Sector and Workers in the Face of the Effects of the Pandemic Caused by COVID-19: Electronic Signature Reform

On April 3, 2020, the National Congress published a law to provide various types of assistance to workers in the production sector in response to the COVID-19 pandemic. The new law amends articles 7 and 27 of the Electronic Signature Law to allow government institutions to use technology equivalent to the advanced electronic signature for signing documents.

The law went into force the same day it was published.

Key Highlights for Financial Institutions

• Article 7 Amendment: Requirement of Advanced Electronic Signature: The amendment to Article 7 of the Electronic Signature Law grants equivalence to other types of electronic signature that are not the certified advanced electronic signature. This type of technology could include:

1. A hybrid of technologies based on Public Key Infrastructure (PKI), biometric signature, or an equivalent;

2. Electronic signature systems that operate in a cloud;

3. Two-factor authentication systems;

4. Biometric systems, including photographic media;

5. Other electronic signature technologies that may develop in the future.

• Article 27 Amendment: Recognition of Identities, Electronic Signatures and Foreign Certificates: The amendment to Article 27 of the Electronic Signature Law has changed the law to grant legal equivalency to electronic signatures “created or used” outside national territory; they now hold the same status as signatures “created or used” in Honduras, should the signature be found reliable. This same legal effect goes for electronic signature certificates issued by foreign Certificate Authorities. Any agreement between parties to use a specific type of electronic signature is enough to provide cross-border recognition. The law now provides a list of “trusted” entities that would be considered reliable electronic signature providers or users.

• “Public or private sector entities may designate one or more people responsible for certifying the corresponding authorizations to ensure the fluidity of your operations by electronic media. These people will have the character of notaries. Designated persons must be communicated to the Institute of Property. The State entities must consider valid the certifications carried out by these means and shall have the effects indicated in Article 7 of the Law on Electronic Signatures.”

2. CNBS Circular No. 023/2020

On June 12, 2020, the CNBS issued a circular regarding several regulatory matters related to information and communication technology management. Some of the items in the circular clarify new modifications and existing electronic signature requirements.

Key Highlights for Financial Institutions

• Rules to Regulate the Signature in Electronic Format of the National Commission of Banks and Insurance (GTI Resolution No. 977): On March 6, 2020, the National Commission of Banks and Insurance approved rules for regulating the electronic signature formation of the Commission.

• Standards of the Electronics Management System of the National Commission of Banks and Insurance (GTI Resolution No. 978): Along with the rules to regulate the CNBS’s electronic signature, the Commission also approved standards for the operation of its Electronics Management System (SGE).

3. Recommendation to CNBS to Enable Advanced Electronic Signature

On June 8, 2020, the Information Technology Management and Communication agency sent a memorandum to the National Commission of Banks and Insurance recommending the enablement of a “Window Electronic Correspondence” as a “digital channel for receiving documentation sent by supervised institutions, as well as other natural and legal persons that have not yet been trained in the use of the national Electronic Management System (SGE).”

To maintain the positive legal status of the documents and verify issuer authenticity, the window “will sign the receipt of correspondence with an advanced electronic signature and authenticate the sender with a two-factor system” which would grant the equivalence of an advanced electronic signature.

The use of the Electronic Correspondence Window as a digital channel for documentation receipt sent by supervised institutions was approved on June 18, 2020.

MEXICO

Country Overview

The United States’ southern neighbor happens to be a regional hotbed for fintech firms and financial services development. Mexico boasts a record $8 billion of investment in fintech start-ups, more than 16 percent of fintech investment in the region. Like Brazil, Mexico attracts fintech investors because of its large population and the extremely important role financial inclusion plays for Mexican customers. The fintech trend only stands to grow, according to the Inter-American Development Bank, which reported 441 fintech startups operating in the country as of September 2020.[22] Banks, on the other hand, have faced a starkly different outcome from the effects of the COVID-19 pandemic. The banking sector suffered its first casualty in June 2020 when Banco Ahorro Famsa filed for Chapter 11 bankruptcy in the U.S.,[21] and the Bank of Mexico expressed concerns that the country’s economy would continue to take a hit into 2021.[22]

On top of these challenges, the financial inclusion landscape of Mexico is extremely varied and financial access remains low for a large percentage of the population. According to fintech accelerator Catalyst Fund in an April 2020 report, 50 percent of Mexican adults don’t have bank accounts and the same proportion have access to the Internet. Banks and fintechs in Mexico don’t seem to be partnering on solutions either, creating a fragmented financial services market. This could be why cash is still king in Mexico: only approximately 4.1 percent of adults have used a mobile money account in the past year.[23] And though the federal government published a National Digital Strategy in 2013, few initiatives have been launched to execute its objectives.

With that said, the regulatory landscape for the financial services sector in Mexico remains robust, with the Central Bank of Mexico passing dozens of regulations in the past few years, many of which supervise the growing fintech sector. With the effects of COVID-19 on the country’s banks expected to worsen into 2021, Mexico’s financial services sector hinges on the economy’s speedy recovery and banks’ dedication to modernize and digitize services.

CENTRAL BANK

The Bank of Mexico (Banxico) is the central bank of Mexico and the country’s primary monetary authority. Like most central banks, it maintains the financial stability of the country and promotes use of the national currency.

DATA PROTECTION AUTHORITY

The National Institute of Transparency for Access to Information and Personal Data Protection (INAI) is the independent data protection agency of Mexico. The INAI is constitutionally mandated to defend and expand the right of access to public information and the protection of personal data.

The Secretariat of the Economy (SE) is the federal government office responsible for all matters related to Mexico’s economy and commercial industries. Additionally, the SE issues guidelines regarding privacy notice requirements in partnership with the INAI.

Other Financial Authorities

The Secretariat of Finance and Public Credit (SHCP) houses the country’s finance ministry and operates as a member of the federal executive cabinet. The SHCP is the head of the Office for the Treasury and Public Credit.

The National Banking and Securities Commission (CNBV) is an independent agency operating under the Secretariat of Finance and Public Credit and is the executive authority supervising Mexico’s financial system. The CNBV is technically autonomous and regulates financial institutions and banks to ensure national financial system stability.

Laws and Regulations

1. Fintech Law 2020 Regulations

In April 2018, Mexico officially enacted its Law to Regulate Financial Technology Institutions, which requires financial institutions and fintech firms to establish APIs to enable sharing of data and to expand data access to consumers. In June 2020, the federal government expanded on the Fintech law by issuing new data sharing requirements that will ensure safe and secure interoperability between banks and electronic money institutions. The types of data covered under the law are aggregated data, open data, and transactional data.

Key Highlights for Financial Institutions

• Circular 2/20: General Provisions Applicable to Credit Reporting Agencies and API Switches: On June 2, 2020, the Bank of Mexico published a regulation that establishes standards for API use by credit institutions, including technical standards for interoperability. It should be noted that most of the regulations apply solely to the exchange of open and aggregated data, not transactional data. However, because requirements call for API approval no matter what kind of data is exchanged, there is an exception for transactional data. All types of data exchange operations must have a digital certificate approved by the Bank of Mexico.

• Exception for Transactional Data: The regulation states that financial entities falling under its scope that would like official certification for the exchange of transactional data must accomplish two objectives:

1. Obtain approval from the Bank of Mexico for transactional data exchange operations

2. Send proposals that present different types of transactional data to the Bank of Mexico within 360 days (May 2021) of publication of Circular 20/20.

The Bank of Mexico will eventually release general provisions surrounding transactional data sharing among financial entities through APIs. The new provisions will also address customer consent.

• Mechanisms for Authentication and Identification: As part of the proposals regarding transactional data, financial entities should include methods for authenticating and identifying customers during applicable transactions as part of a work plan. The regulation states that the work plans must include “measures to prevent the transmission of Aggregated Data from allowing the identification of personal data or transactions of people” and “the authentication mechanisms to verify that the third parties that intend to access the API are Recognized Entities with which they have formalized Interconnection Contracts.”

• Authorization of Transactional Data: Regarding transactional data, the regulation states that “once the clearinghouse or SIC in question has obtained authorization from the Bank of Mexico to exchange the Aggregated Data and, where appropriate, the Open Financial Data in accordance with the previous article, it must submit a request for additional authorization to exchange the Transactional Data that result from the requirements that the Bank of Mexico establishes through general resolutions issued for that purpose, in which may establish additional requirements for said exchange.”

2. CNBV Communication No. 18/2020 on the Obligation to Establish Verification Mechanisms for the Identity of Clients

On March 31, 2020, the CNBV published a circular regarding credit and financial institution obligations to establish the identity of certain clients. The circular doesn’t provide any new guidelines or advice; it extends the deadline to comply with ID verification requirements to November 30, 2020. Institutions were initially required to comply by March 31, 2020.

3. SHCP and CNBV Provisions on the Standardized APIs Referred to in the Law to Regulate Financial Technology Institutions

On June 4, 2020, the SHCP and the CNBV published general provisions establishing rules for API operations for financial institutions with the goal of expanding financial inclusion, improving consumer protection, and promoting market competition. The provisions address data access for data subjects and data controllers and provide technical guidelines for security and data access related to user identification.

Key Highlights for Financial Institutions

• Data Protection: Data controllers are required to establish a security policy that integrates data encryption to minimize risk to personal data. Chapter 3, Article 4 of the provisions states that a security policy should include processes for “encryption of the information stored and of the channels [data is sent through], as well as the methods for authentication and identification” that comply with the technical guidelines of the new provisions. The guidelines in Annexes 1 and 2 don’t outline the types of authentication and identity proofing methods that comply with the law, but any methods used should comply with requirements outlined in Annexes 1 and 2 of the provisions.

• Public Key Certificates: “The data provider must use the HTTPS protocol, with the aim of ensuring the encryption of information during communication exchanges.” Data providers are required to use digital certificates issued by Certified Authorities. The digital certificate must be based on the X.509 international standard for public key infrastructure, using the TLS cryptography protocol in force at the time of implementation.

• Security of Access: Under the new provisions, data controllers may use digital tokens to identify applicants for a maximum of 30 days after the initial request for services. It says that data controllers “may identify [the applicant] while maintaining the validity of the token of access for one maximum of 30 days for the consultation of data” by using API keys or OAuth 2.0 standardized API keys.

• Employee Identification and Authentication: The general provisions require data controllers to establish “mechanisms of identification and authentication [for] the staff responsible for the management of APIs under the principle of least privilege”. On that principle, API managers should only have access to the information necessary for the management of API systems.

4. CNBV Communication No. 45/2020 on Regulatory Facilities Regarding Face-to-Face Identification for Credit Institutions

On June 20, 2020, in response to the COVID-19 pandemic and its effects on credit institutions’ customers, the CNBV issued a communication outlining regulatory specifications surrounding face-to-face identification for credit institutions that became effective immediately. The specifications apply to any credit institution regardless of whether it’s affiliated with a trade association.

Key Highlights for Financial Institutions

• Legal Entities Applicability: Legal entities acting on behalf of applicants are now covered under the facility. This means legal entities will now be able to independently authorize remote account openings and remote credit requests. The facility states that, “the opening of accounts and the granting of credits in a remote way also applies to legal entities, in addition to individuals for whom it was already applicable.” Additionally, legal entities acting as applicants will be subject to the same identity verification process as natural persons and will be required to use FIEL, the country’s national e-signature platform, to verify identity.

• KYC Client Categorization: Remote, or non-face-to-face, identification is divided between existing clients of an applicable credit institution and those who are not yet customers, or new customers. This is because customers are categorized into risk-based levels based on Mexico’s tiered KYC system. The communication states, “The identification and non-face-to-face contracting process is divided between those who are clients of the credit institution and those who are not, making it more expeditious for those who are already clients of the institution, by virtue of the fact that it already has the file of the client and would only have to update it, depending on the financial product you hire.” Additionally, remote identification during account opening “is limited to bank accounts Level 4, leaving aside the Level 3 accounts referred to in the current rule, thus having a deregulation.” Level 3 and Level 4 accounts have different requirements for the types of identification documents required, as well as a difference in monthly transaction limits.

• Biometric Validation for Existing Clients: In order to streamline the credit request process for those who are already customers of the credit institution, the regulation stipulates that customers must provide only biometric information to verify against biometric validation records from any authority that already has the customer’s biometric information on file, such as the National Electoral Institute.

• AML/CTF Regulatory Compliance for Non-Clients: The identity verification process for new applicants who are not yet customers of the credit institution to which they are applying must comply with AML/CTF regulations. According to the regulation, “When it is identified that the applicant is not a client of the institution, the process shall comply with the regulation regarding the Prevention of Money Laundering and Financing Terrorism.” Additionally, applicants who are not already credit institution clients must do a video call as part of the identity verification process. The regulation also allows for artificial intelligence to record video calls for later use.

5. Circular 37/2020 on Virtual Assets at Credit Institutions and Financial Technology Institutions

On September 30, 2020, the Bank of Mexico issued a circular addressed to credit institutions and financial technology institutions regarding virtual asset operations. The circular makes amendments to a previous circular, Circular 4/2019, which issued general rules for virtual asset operations. After an analysis period in which the bank issued a public consultation and received feedback, it amended the circular to stipulate that institutions applicable under the general provisions must comply with certain specifications when contracting with third parties. Additionally, institutions must seek guidance and clarification on third-party involvement with virtual asset operations.

Policy and Legislation

1. Communication 344/19 on Strengthening Data Protection Regulation with Adherence to European Instruments

On September 23, 2019, the INAI published a communication reinforcing the agency’s dedication to bringing national personal data protection regulations in line with European standards and conventions, including Convention 108 and the GDPR.

2. Cobro Digital Collection and Payment Platform (CoDi)

In October 2019, the Bank of Mexico officially launched its “request to pay” platform for mobile devices called Cobro Digital, or CoDi. The platform will allow users to make wire transfers on mobile devices through the country’s interbank electronic payment system (SPEI). Users use QR codes or physical terminals enabled with near-field communication technology (NFC) to make transfers or purchases of up to $8,000 pesos ($400 USD). The bank aims to increase financial inclusion in Mexico with the development and launch of CoDi.

Adoption of CoDi has lagged thus far. Of the more than 5 million users who have downloaded the app, approximately 250,000 have used it to make payments as of early October 2020.[24] With that said, numbers have been slowly but steadily increasing since its launch.

3. UIF Guidance on New Vulnerable Activity Operations with Virtual Assets

In October 2019, the Mexican Financial Intelligence Unit (UIF) issued guidance related to operations with virtual assets, considered a “new vulnerable activity” under Article 17 of the Federal Law for the Prevention and Identification of Operations with Resources of Illicit Origin, which was updated in 2018. The guidance provides technical instructions for virtual asset operations and defines virtual asset operations as a vulnerable activity requiring a separate set of security obligations from institutions.

4. INAI Agreement on Access to Information and Protection of Personal Data

On November 28, 2019, the INAI published an agreement outlining the code of ethics on the protection of personal data. Simultaneously, the previous agreement that had amended guidelines relating to personal data protection was repealed. This agreement became effective November 29, 2019.

5. Guidance for Financial Technology Institutions

On December 2, 2019, the federal government released a FAQ to provide clarity to the general public regarding a regulatory sandbox for financial technology institutions, and guidance on how customers can request temporary authorization to participate in the sandbox. The FAQ stipulates that all companies participating in the regulatory sandbox must obtain customer consent and inform customers of the inherent risks of participation.

6. INAI Opinion on the Need for Impact Evaluation on the Intention to Transfer Personal Data

On January 23, 2020, the INAI issued its opinion regarding the transfer of personal data and interoperability between data processing authorities. The INAI outlines 10 points in its opinion, all related to INAI data protection authority and personal data protection obligations. The INAI asserts in its opinion that the Secretariat of the Economy denied its request to allow for the transfer of personal data between public financial authorities.

As of the publication of this report, a timeline for the impact evaluation has not been announced.

7. UIF Communication No. 074 on the National Risk Assessment (NRA) and The Strategy to Combat Money Laundering and Terrorist Financing

On September 21, 2020, the federal government published this communication outlining the benefits and goals for the national risk assessment and strategy (ENR) to combat money laundering and terrorist financing. The strategy was presented by the Financial Intelligence Unit (UIF), which operates under the Secretariat of Finance and Public Credit (SHCP).

Ultimately, the communication underlines Mexican financial authorities’ dedication to further AML/CTF initiatives by expanding provisional authority, developing and issuing rules for AML/CTF safeguard compliance, responding to threats of corruption, and aligning national objectives with international initiatives by signing treaties and conventions.

8. CNBV Annual Overview of Financial Inclusion 2020

On September 27, 2020, the National Banking and Securities Commission (CNBV) released its annual overview of financial inclusion in Mexico. Along with providing data that delves into financial infrastructure and consumer protection, the overview outlined recent regulatory updates related to remote account opening and open banking.

PARAGUAY

Country Overview

Amid the COVID-19 pandemic, financial institutions in Paraguay have the upper hand in regulatory matters related to digital banking, account opening, and digital currency, thanks in large part to market-friendly regulation and low taxation. Commercial banks are the lead financial services providers in the country, but cooperative institutions, specifically, drive the market for the development of electronic wallets. Co-op banks also have a significant part in implementing the regulatory framework for financial institutions offering electronic money and non-bank transfer services.[25]

A country’s economy tends to be healthy when its banks are healthy. Paraguay’s economy, which was already on a strong path to recovery, has seen a GDP decline of only 1.2 percent in 2020 and experts predict a 4 percent GDP increase for 2021.[26] Paraguay’s poverty estimate hovers between 30 and 50 percent, and financial inclusion efforts in the country appear to be minimal. Less than 32 percent of the adult population have bank accounts and only 7 percent have credit cards.[27] And with only 65 percent of the population having internet access, it’s no wonder that digital banking and fintech haven’t taken off yet in Paraguay the way they have in other Latin American countries, such as neighboring regional fintech hub Brazil.

However, in June 2020, the country’s Chamber of Fintech announced plans to carry out a study on the country’s fintech sector and possibilities for creating a fintech regulatory framework. The study has been on the books since the Chamber was created in 2017, but Paraguay still lacks fintech regulation that would help start-ups that have already been operating for years but can’t expand services due to the absence of specific provisions. According to S&P Global, the regulatory landscape and scope of supervision in Paraguay’s banking sector is “limited” and the country’s operational risk standards haven’t caught up with other regulatory frameworks in comparable regions.[28]

Paraguayan authorities have reacted swiftly to the effects of COVID-19 by actively legislating on issues such as electronic transactions, electronic signatures and personal data protection. However, Paraguay hasn’t shown a commitment to financial inclusion that would further reduce its poverty rate, made clear by its non-action on fintech regulation.

CENTRAL BANK

The Central Bank of Paraguay is the country’s primary monetary authority and issues the country’s currency. One of its main objectives is to promote and expand financial inclusion. The Bank is unique in that its office houses the country’s Banking Superintendent.

DATA PROTECTION AUTHORITY

As of the publication of this report, Paraguay has not established a national data protection authority. Activities related to electronic commerce under the Electronic Commerce Law fall under the jurisdiction of the General Direction of Digital Signature and Electronic Commerce of the Ministry of Industry and Commerce (MIC).

Laws and Regulations

1. Communication on Delivery and Follow-Up of Files On June 30, 2020, the Central Bank of Paraguay issued a communication on delivery and follow-up of documents during processing. The communication states that the Bank, along with the Superintendency of Banks and Superintendency of Insurance will implement five requirements for document processing. Requirement number 2 calls for the use of digital signatures by bank operators:

1. “The processing and / or procedures must be channeled through electronic means (email), attaching the documentation in PDF format, with clearly legible images. The file must be scanned, have a presentation note, duly signed and clarified by the senders responsible, foliated (per file) with number and letter, in the upper right corner of the page, starting from the note, and up to a maximum 10 megabytes. If the documentation requires more capacity, they must divide and send in another shipment, giving continuity to the leaflet and in which the reference of the presentation that is being supplemented is clarified.

2. Upon receipt of the document, the sender will be notified via email, serving as acknowledgment of receipt the date and the [digital] signature of the operator responsible for the registration sent by the same means.

3. Applications received after 12:30 p.m. will be registered beginning at 8:30 a.m. the next business day.

For the follow-up of the file, the same procedure established in Requirement 1 (previously referenced) must be used. The presentation in printed format of everything sent electronically, must be carried out in accordance with the custom once the preventive measures adopted have been lifted.”

Policy and Legislation

1. Draft Bill on Personal Data Protection

Paraguay’s first personal data protection bill, S-198418, was introduced in the national Senate on March 21, 2019. Since then, the bill has gone through dozens of Senate discussions and various commission reviews. The Law on the Protection of Personal Data outlines basic principles for the protection of personal data and the basic rights attributed to personal data protection, such as the rights to informed consent and access to personal data. The bill sets itself apart from other national personal data protection bills in that it explicitly provides rights regarding access and use of credit information. But, like most personal data protection bills, it will also establish the nation’s first dedicated personal data protection authority.

As of the publication of this report, a timeline on finalization of the bill has not been provided and it remains in legislative development with the Senate.

Key Highlights for Financial Institutions

• Credit Information Provisions: The law provides two provisions for basic rights regarding credit information in cases where personal data is processed. Firstly, credit information is defined as positive or negative information “related to the credit history of natural and legal personal data about credit, commercial and other activities of a similar nature, which serves to correctly and unequivocally identify the person, their address and commercial activity.” Sources of credit information include “state bodies and entities,” as well as pension fund administrators. In other words, the law applies to public sector entities as well as private companies like financial institutions.

The bill provides for the right to information access from credit information companies such as financial institutions. Companies are obligated to provide data subjects the following information when requested:

• Consultation performed on your credit information;

• The company that will provide the data;

• The purpose for using the credit information data;

• The rights afforded to data subjects.

Additionally, the bill also provides a time limit for the storage of credit information of five years.

2. Draft Bill on Trust Services for Electronic Transactions, Electronic Document and Electronic Transmissible Documents

On September 18, 2020, the federal government presented the draft bill on trust services for electronic transactions, electronic documents, and transmissible electronic documents. If passed, the law will repeal existing Law No. 4017/2010, or the Digital Signature Law, with the goal of integrating regulations related to electronic trust services, such as digital identity proofing, digital seal, digital timestamp, and certified delivery services. The bill is part of the country’s Digital Government Agenda requiring laws to increase public trust in electronic transactions and was expedited largely due to effects of the COVID-19 pandemic and environmental concerns.

Key Highlights for Financial Institutions

• eIDAS Influence: The bill states that the new regulations will make references to several regulations surrounding electronic transactions and documents: The European Union’s eIDAS Regulation, the UNCITRAL Model Law on Electronic Trade, the UNCITRAL Model Law on Electronic Signatures, and the UNCITRAL Model Law on Electronic Transferable Documents.

• Electronic Signature Legality: The bill states that electronic signatures are legally recognized. For example, companies, such as financial institutions, that offer remote e-signature services, “should apply procedures of specific management and administrative security and use systems and products reliable, including secure electronic communication channels to ensure that the electronic signature creation environment is reliable and is used under the exclusive control of the signatory.”

• Article 102: Electronic Operations in the Financial and Other Fields: Article 102 of the bill outlines specific provisions surrounding electronic operations in the financial sector. The article states that operations involving payments, money transfers, account opening, financing, wealth management, and electronic money management are subject to electronic identification using “electronic identification cards issued under an electronic identification system with [a] high security level.”

• Electronic Signatures Supervision: In addition, qualified electronic signatures will be regulated by the Central Bank or other financial authority such as the National Securities Commission.

LATIN AMERICA - ONESPAN GLOBAL FINANCIAL REGULATIONS REPORT

3. MIC Digital Payment for Retailers - Agreement with Bancard

In September 2020, the Ministry of Industry and Commerce (MIC) announced plans to work with payment acquiring firm Bancard to streamline digital payment operations for small merchants. Small businesses will now be able to accept payments via QR code, which will be generated by an associated app.

4. Financial Inclusion Bill

On October 12, 2020, the Congressional Legislation and Codification Commission rejected a bill that would have given “domiciled individuals” in Paraguay the ability to open bank accounts in local currency. The rejection opinion is a hurdle for financial inclusion advocates. However, financial institutions in the country can take comfort in the fact that the bill was rejected largely to give them more control over who can and cannot open bank accounts, particularly savings accounts. Commission authorities stated that requiring account openings by law could be detrimental to private financial services.

The rejection of the bill suggests that Paraguayan authorities and lawmakers would rather adopt a hands-off approach when it comes to financial inclusion and imposing account opening requirements.

URUGUAY

Country Overview

For being one of South America’s smallest countries, both in geographic size and population, Uruguay has made an international name for itself as a technologically and culturally progressive stronghold with big plans for the future. According to the U.S. Embassy in Uruguay, it ranks first in a number of desirable traits, including prosperity, security, lack of corruption and peace. More than half of its 3.5 million residents live in or near the metropolitan capital of Montevideo, where the majority of banks operating in the country are located. The country’s banking system has stabilized in recent years thanks to a thriving agricultural sector, and Uruguay is classified as a high-income country by the World Bank.

The COVID-19 pandemic has had little effect on Uruguay’s economy.29 The country has vastly improved its financial inclusion framework over the past few decades while significantly decreasing the number of citizens living in extreme poverty. In 2016, the poverty rate was 6 percent, an unprecedented number for the country. Uruguay’s progressive economic initiatives and stable growth have made it what some are calling “the Silicon Valley of South America.”30 For every 100 residents there are 147.3 mobile phones, and more than 70 percent of Uruguayans use the Internet. These numbers must have been at the forefront of the government’s collective mind when it passed the Financial Inclusion Law in 2014, but some financial institutions have pushed back on the law’s requirements.31 They seem to be in the minority, however; many financial institutions are now partnering with fintech companies such as SaaS providers to come up with digital solutions that more closely align with financial inclusion and security objectives.

Ultimately, Uruguay’s government is pro-market and pro-innovation, a winning combination for financial institutions that want to modernize services while maintaining regulatory compliance.

CENTRAL BANK

The Central Bank of Uruguay is the country’s primary monetary authority and currency issuer, and the main supervisor of the national banking system. The Bank regulates and supervises all financial institutions in Uruguay. The Superintendence of Financial Institutions operates under the Central Bank and enforces regulation of all financial institutions in the country.

DATA PROTECTION AUTHORITY

The Regulatory and Control Unit of Personal Data (URCDP) is the national data protection authority in Uruguay.

Laws and Regulations

1. Decree 64/2020: Regulations Referring to the Protection of Personal Data

On February 21, 2020, the Uruguayan government issued a decree introducing new rules related to personal data privacy. These supplement Law No. 19.670 (Articles 37, 38 and 40), which was issued in 2017 and is known as the Law on Accountability and Budgetary Execution Balance Exercise. The decree makes changes to security measures and incident reporting, and establishes the requirement for a Data Protection Officer for businesses processing large amounts of personal data. It also repeals articles 7 and 8 of Decree No. 414/009, passed in August 2009. The decree mandates the URCDP to act as the enforcing body tasked with compliance, auditing and evaluation of implemented measures.

Key Highlights for Financial Institutions

• Security Measures: Article 3 of the decree addresses the development and implementation of security measures. Specifically, it calls for security officials to “assess the adoption of national and international standards in the field of information security, such as the Cybersecurity Framework prepared by the Agency for the Development of Electronic Management Government and the Information and Knowledge Society.” It also calls for appropriate data breach procedures that “minimize the impact of such incidents within the first 24 hours after they are verified.”

• Privacy by Design: Article 8 of the decree establishes technical and organizational measures that will help companies such as financial institutions comply with personal data protection rules. The seven measures are:

1. Dissociation, pseudonymization, and data minimization techniques;
2. Mechanisms to ensure data subjects’ rights;
3. Documentation of data subject consent for data processing;
4. Documentation of data storage;
5. Adoption of contingency plans that include information security measures;
6. Functional analysis and data architecture models;
7. Other measures established by the Regulatory and Control Unit of Personal Data (URCDP).

2. Communication No. 2020/115 on Money Laundering and Terrorism Financing Risk Prevention Policies: Know Your Client Modification

On July 3, 2020, the Central Bank of Uruguay published a communication modifying regulations regarding risk prevention methods for money laundering and terrorism financing that operate under Know Your Customer (KYC) principles. The rules became effective immediately.

The communication outlines three new mandates for the “sale of numismatic articles”:

1. Provide the full name of the natural or legal person, a valid identity document for natural persons and the Unique Tax Registry number for legal persons.
2. For purchase amounts exceeding $3,000 USD, or its equivalent in other currencies, customers must complete the “Occasional Customer Identification Card” and present the documentation detailed in it.
3. Patrons, or customers that carry out a series of transactions totaling more than or equal to $15,000 USD, must complete the Habitual Client Identification Card and present the documentation detailed in it.

Policy and Legislation

1. Uruguay 2020 Digital Government Plan

In September 2019, the Agency of Electronic Government and the Information and Knowledge Society published the Digital Government Plan for the Uruguayan government. The agenda establishes a national digital policy framework to be implemented through several initiatives, programs and projects. The government wants to streamline digital services for a variety of distribution channels including mobile devices. The plan is divided into six objectives. Ultimately, the goal is to create a trustworthy digital government that is transparent and efficient.

Key Highlights for Financial Institutions

• Universal Digital ID: One of the plan’s objectives calls for “universalizing” the national digital ID to enhance security for digital services. The three steps to reach this objective are outlined as:

1. “Promote a digital ID ecosystem to respond to different levels of security and devices” by implementing RootCA and SSO in state agencies.
2. Enable Mobile-ID and Cloud-ID services to facilitate citizens’ use of digital identity.
3. Expand the use of the digital ID in the elderly.

• Digital Transformation Regulatory Framework: The government’s plan outlines the following as its end goals for the new digital strategy:

1. An integral regulatory framework to guide digital transformation regulation;
2. A consolidated institutional framework for agency and external organization collaboration;
3. A technological infrastructure built for a high demand for services that also implements the required security measures to protect citizens’ data.

• Promotion of Mobile Platform Use: In its plan, the government states that it will “promote the intensive use of technologies such as the Internet, mobile devices, platforms and the use of data and information” as part of its digital transformation initiative.

• Modernize the Regulatory Framework: The plan also calls for modernizing the regulatory framework for digital government services. This objective lists three steps for implementation:

1. Evolve the national legal framework concerning new international standards such as GDPR.
2. Promote a wider awareness of personal data protection rights.
3. Establish best practices on privacy by design in all stages of software development, and promote its adoption by public and private institutions.

• Cybersecurity Enhancement: The cybersecurity objective of the plan calls for enhancing measures through three actions:

1. Create a National Cybersecurity Operations Center with a public-private partnership model.
2. Promote adequate levels of cybersecurity in private sector computer systems.
3. Create a cybercrime Research and Analysis Lab.

• AI Strategy for Digital Government Public Consultation: The government of Uruguay launched a public consultation in 2019 asking for feedback on an AI strategy for digital government services. After an analysis of proposals and a second public consultation stage, the final document was published in September 2019. The final document reports on the risks and benefits of AI use within Uruguay’s digital government framework. However, the objectives outlined in the report also identify the need for private sector involvement in the development of an AI regulatory framework and other AI initiatives.

2. Roadmap of the Payment System in Uruguay 2020-2022

In March 2020, the Central Bank of Uruguay published its payment system agenda and roadmap for 2020 through 2022. The document provides lines of action that aim to modernize the country’s payment system while protecting consumers, promoting competition, and preventing money laundering and terrorism financing. The roadmap presents three main lines of action to accomplish the bank’s goals.

Key Highlights for Financial Institutions

• New Technology Innovation and Integration: The first objective calls for promoting competition across financial markets. The Bank will align compliance objectives with international standards to promote adoption of best practices at the payment system level. It will also analyze and monitor operational costs of the payment system to promote competition and access.

On the consumer end, the Bank is promoting “the legal and regulatory changes necessary for the operation of electronic checks as well as the digitization of checks” as well as data portability between financial institutions.

• Regulations and Security: The roadmap also calls for the Bank to create conditions for the development and integration of new products and technologies by streamlining the regulatory process. The goal is to more quickly and efficiently adopt new technologies and products for market use.

Additionally, the roadmap calls for governmental dedication to enhancing cybersecurity and data protection within the national payment system.

The roadmap does not provide a timeline for an annual work schedule, but states that one would be provided to users and agents “in due time.” However, “specific measures and products” will have their own corresponding development schedules.

1 Mencia, Isabelle. “Fintech in Brazil: No Signs of Slowing Down.” Colibri Content, March 12, 2020. Bit.ly/2I5LpmD.
2 Gadioli, Camila Spinelli, and Leonardo Rodrigues Tavares Meirinho. “‘Banco Maré’: Brazilian Cryptocurrency Targeting Social Impact.” Lexology. Motta Fernandes Advogados/Terralex, September 30, 2019. Bit.ly/361cv6E.
3 Brown, Allan. “Why Chile May Become LatAm’s No. 1 Fintech Hub.” BNamericas, April 30, 2020. Bit.ly/386oCBY.
4 “FinTech Regulation in Colombia.” Timbi Blog, May 29, 2020. Bit.ly/3mTHZSY.
5 Aldaya, Francisco Miguel. “COVID Catalyzes Financial Inclusion in Colombia.” S&P Global Market Intelligence. S&P Global, June 23, 2020. Bit.ly/3kYPrLY.
6 Daza, Maria-Leticia Ossa, Matthew Vitorla, and Gabriela Montoya Jurado. “Colombia Launches Regulatory Sandbox for Fintechs.” Willkie.com. Latinvex, October 14, 2020. Bit.ly/2GtvaPJ.
7 “Superfinanciera Promotes Security Standards in Transactions and a Better Customer Experience in the Digital Ecosystem.” ColombiaFintech.com. Superintendencia Financiera de Colombia, December 17, 2019. Bit.ly/3esYFh5.
8 Cardona, Diego, and Andres Meza. “External Circular 008 of August 18, 2020, through Which the Superintendency of Industry and Commerce Issues Instructions for the Adequate Collection and Processing of Personal Data within the Framework of the Implementation of Biosafety Protocols Ordered by the Ministry of Health and Social Protection.” Philippi Prietocarrizosa Ferrero DU & Uría, August 20, 2020. Bit.ly/386Bw2S.
9 Daza, Maria-Leticia Ossa, Matthew Vitorla, and Gabriela Montoya Jurado. “Colombia Launches Regulatory Sandbox for Fintechs.” Willkie.com. Latinvex, October 14, 2020. Bit.ly/2GtvaPJ.
10 “OECD Highlights Costa Rica’s Progress in Digital Transformation.” BNamericas. The Costa Rica News, October 14, 2020. Bit.ly/2I4G6nn.
11 Barquero, Randall, Alejandro Vasquez, Monica Arias, and Ana Carolina Alvarez. “Fintech 2020: Costa Rica.” PracticeGuides.Chambers.com. Chambers & Partners, March 2, 2020. Bit.ly/3lbSuAJ.
12 “Why Is Opening a Bank Account in Costa Rica so Difficult?” CostaRicaLaw.com, December 17, 2019. Bit.ly/2JuKfS4.
13 “Digital Banking on the Rise in El Salvador.” Temenos.com. Temenos, November 19, 2019. Bit.ly/2TQmKoC.
14 “The World Bank in Guatemala.” WorldBank.org. World Bank, September 4, 2020. Bit.ly/34XU97i.
15 Cardoso, Cauam, and Jonars Spielberg. “Assessment of Potential Opportunities for Use of Digital Payments for Smallholder Farmers in Guatemala’s Western Highlands.” D-Lab.MIT.edu. MIT Digital Lab/MIT, May 2, 2020. Bit.ly/34ZEPqJ.
16 “Honduras - Banking Systems.” PrivacyShield.gov. U.S. Dept. of Commerce. Accessed November 3, 2020. Bit.ly/2JFUPGd.
17 “Enhanced Stability in Honduras’ Financial Sector.” World Bank, June 24, 2014. Bit.ly/38bnjS5.
18 Zorrilla, Raul. “Digital Wallet Transactions Show Strong Expansion in Honduras.” BNamericas, April 13, 2017. Bit.ly/365r48Z.
19 “Fintech Act Marks Two Years in Mexico with Record Investment.” Mexicanist, September 27, 2020. Bit.ly/3kTDoiW.
20 “Fintech: Innovations You May Not Know Were from Latin America and the Caribbean.” IADB.org. IDB/Finnovista, 2017. Bit.ly/3kTAhaN.
21 Appleby, Peter. “Banks on Edge as COVID-19 Marks First Bankruptcy.” MexicoBusiness.news. Mexico Business, June 29, 2020. Bit.ly/3mXe9wV.
22 Campero, Mariana, and Linnea Sandin. “The Covid-19 Pandemic Threatens Mexico’s Economy.” CSIS.org. Center for Strategic and International Studies (CSIS), May 27, 2020. Bit.ly/2I22gqb.
23 Reynaga, Eduardo Ortiz, and Maelis Carraro. “Fintech in Mexico: Why Many Low-Income People Stay Excluded.” BFA Global, June 12, 2020. Bit.ly/368NDK0.
24 “CoDi Platform Statistics.” Estadísticas de la plataforma CoDi®, February 11, 2020. Bit.ly/3jXhE4o.
25 Cardoni, Juan Manuel Gustale. “Shifting Winds in Latin America: Tackling Financial Inclusion in Paraguay: Banks with Souls and the Role of Public Financial Institutions as a Means to Reach the Underserved.” Latin America Policy Journal, Seventh Edition (2018). Bit.ly/3ep8NYf.
26 “The World Bank in Paraguay.” WorldBank.org. World Bank, April 20, 2020. Bit.ly/2TS26nQ.
27 “Paysafecard Continues Expansion in South America with Launch in Paraguay.” BNamericas.com. Paysafecard, April 27, 2020. Bit.ly/38aB9Ev.
28 Gunning, Gavin. “Global Banking Country-By-Country Outlook 2020: The Calm Before The Turn?” SPGlobal.com. S&P Global Ratings, November 18, 2019. Bit.ly/3k56T0c.
29 “The Economic Context of Uruguay.” Nordeatrade.com. Nordea, October 2020. Bit.ly/2TTxxyj.
30 Van Oost, Marcel. “FinTech in Uruguay: The Silicon Valley of South America.” LinkedIn, June 13, 2020. Bit.ly/38c8SNV.
31 “Two pro-Cash Petitions Protesting Uruguay’s Cashless Law: ‘Ley De Inclusión Financiera’.” CashMatters.org. Cash Matters, May 28, 2019. Bit.ly/32gM5g6.

EUROPE

EUROPEAN UNION (EU)

The European Union, a political and economic group of 27 European states, has created several regulatory authorities and developed countless bills to modernize and maintain its digital economy. In 2019 and 2020, the EU doubled down on several technological initiatives aimed at broadening financial inclusion and strengthening regulatory collaboration across all EU regions. From the Digital Services Act package to the ePrivacy Regulation update, the EU has the most comprehensive and robust regulatory initiatives and frameworks for technologically advanced financial services of any international governing body in the world.

Regulatory Bodies

Central Bank: The European Central Bank (ECB) is the central bank for the euro area, the 19 EU countries that have adopted the euro. The ECB’s main objective is to safeguard the purchasing power of the euro and maintain financial stability in Europe, though it gives occasional guidance regarding consumer data protection and privacy.

Other Financial Agencies:

The European Banking Authority (EBA) is the EU’s primary regulatory authority based in Paris. The EBA supervises financial institutions across the European banking sector and develops regulations to safeguard financial institutions from risks and address vulnerabilities.

The European Investment Bank is a publicly-owned EU financial institution that was established as a “policy-driven bank” advancing various EU projects and programs, mostly related to social initiatives.

Other EU Agencies:

The European Commission (EC) is the executive branch of the EU that sustains EU treaties, proposes legislation and manages day-to-day operations of the EU.

The European Union Agency for Cybersecurity (ENISA) is the EU’s dedicated cybersecurity agency with jurisdiction across Europe. The agency was mandated by the EU Cybersecurity Act and established in 2004. The agency develops and disseminates cross-sectoral cybersecurity policies.

The European Data Protection Board (EDPB) is the EU’s data protection agency with supervisory jurisdiction over 27 member states; Iceland, Liechtenstein and Norway are the most recent members. The EDPB’s oversight includes supervision of uniform GDPR application and compliance. It accomplishes this by cybersecurity coordination between member states.

The European Data Protection Supervisor (EDPS) is another independent EU data protection authority. Headed by an elected supervisor, the EDPS’s goal is to ensure personal data protection and privacy when any EU institution processes personal information; it also advises EU institutions on personal data processing.

EUROPE - ONESPAN GLOBAL FINANCIAL REGULATIONS REPORT

Regional Standards, Laws and Regulations

European Commission

• Action Plan for a Comprehensive Union Policy on Preventing Money Laundering and Terrorist Financing: The European Commission adopted an action plan for an AML/CTF policy framework on 7 May 2020. Public consultation seeking feedback on the plan was launched the same day, and the deadline for comments was August 26, 2020. On 19 August 2020, the European Banking Authority responded to the action plan with its own technical points for policymakers to consider. The EBA suggests creating an EU-level supervisor position to complement existing national AML/CFT authority oversight, and incorporating EU AML/CFT law into national law.1

• White Paper on Artificial Intelligence: “A European Approach to Excellence and Trust”: The Commission stated that the finance sector’s application and implementation of artificial intelligence (AI) poses significant cybersecurity risk.2 It’s worth noting that an earlier draft of this white paper called for a ban on facial recognition technology, but this wasn’t addressed in the official version published in February 2020. Instead, the EC states that the use of facial recognition technology is already authorized under EU data protection and privacy rules. The EC is now signaling for public discussions regarding facial recognition.

• Report on the Safety and Liability Implications of Artificial Intelligence, IoT, and Robotics: On 23 March 2020, the European Commission released a white paper focused on the government’s role in developing artificial intelligence consumer standards. The paper poses questions regarding product safety and liability rules to address issues arising from AI systems. Some of the issues discussed include changing the existing regulatory framework to address changes brought on by AI systems.

The EU currently has two product safety and liability regulations that apply across the private sector: the EU Product Liability Directive and the EU General Product Safety Directive (GPSD). Both apply to financial institutions, but it’s worth noting that the financial sector has its own set of regulations specific to the industry’s issues.

The report makes several recommendations in relation to AI product safety and liability. They are:

• Including software in product regulation;
• Identifying “high-risk” AI systems and subjecting them to a more stringent regulatory framework;
• Requiring risk assessment for products;
• Requiring vendors to address risks associated with faulty training data;
• Reversing the burden of proof, strict liability and insurance.

European Banking Authority

• Opinion on obstacles under Article 32(3) of the RTS on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC): The SCA requirements for online transactions and contactless payments developed by the European Banking Authority officially went into effect on 14 September 2019. Some of the rules include a requirement for two-factor authentication (2FA) on remote payments to verify cardholder identity at checkout and the agency’s right to decline any authorization requests from businesses that don’t have the technological or operational support to implement SCA. Understandably, these requirements have financial institutions and Payment Service Providers (PSPs) concerned and confused; perhaps more disconcerting is the evidence that many small businesses aren’t aware of the significant changes the new SCA requirements will impose upon them.

The EBA’s initial enforcement deadline for the regulations was subsequently pushed back to 31 December 2020, with some of the provisions coming into force in 2021. However, since the initial delay was announced in October 2019, financial services stakeholders and market participants have continued to express concerns regarding compliance with the new requirements in time for the enforcement date. Stakeholders have requested further delay into 2021 in order to test technology solutions and the implementation of the 3D Secure 2.0 platform being used for compliance with the new rules.

On 4 June 2020, the EBA published an opinion in response to these concerns. The agency decided not to further delay the enforcement date and clarified these issues: authentication procedures for APIs, mandatory redirection at the point of sale, multiple SCAs, 90-day re-authentication, account selection, and additional checks on consumer consent.

As of the publication of this report, the EBA’s enforcement date of 31 December 2020 still stands.

European Data Protection Board

• The Draft ePrivacy Regulation: On 3 June 2020, the Presidency of the Council of the European Union published a progress report on the proposed draft ePrivacy Regulation. The regulation will replace the Privacy and Electronic Communications Directive (Directive 2002/58/EC). Regulation proposals were rejected last year by the EU’s Transport, Telecommunications and Energy Council.

The regulation’s objective is to ensure privacy and security of all data transferred via electronic means.

A progress report from the Presidency of the Council of the EU from June 2020 stated that subsequent deliberations on the draft regulation were canceled. As of publication of this report, updates on a timeline for development have not been announced. However, it is unlikely that the regulation will be finalized before early 2021, at the earliest.

• Proposed Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications: On 21 February 2020, the Presidency of the Council of the EU published a revised part of the proposed regulation regarding the Respect for Private Life and the Protection of Personal Data in Electronic Communications. This proposal, which would repeal Directive 2002/58/EC (the Regulation on Privacy and Electronic Communications), is better known as “the Draft ePrivacy Regulation.” The most significant revision proposed by the EU Council Presidency is that it introduces the possibility to rely on “legitimate interest” to do two things: process electronic communications’ metadata, and place cookies or similar technologies on end-users’ terminals, subject to specific conditions and safeguards.

The proposed regulation is not the same as the GDPR. This proposed regulation is an update to the existing ePrivacy legal framework and strives to more closely align with the GDPR, but there are several key differences. In fact, the proposed regulation could be considered a complement to the GDPR and in some cases overrides the GDPR in regards to privacy-related issues.

Should the regulation pass, it would be effective immediately and would likely result in further repeal of national laws tied to the previous directive.

• Repeal of Regulation on Privacy and Electronic Communications (Directive 2002/58/EC): Should the proposed regulation regarding the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive be approved, it would repeal the existing Regulation on Privacy and Electronic Communications Directive 2002 (ePrivacy Directive). The goal of the new regulation is to modernize current standards, so EU countries will most likely repeal their own national directives tied to Directive 2002/58/EC.

• Guidelines 06/2020 on the interplay of the Second Payment Services Directive (PSD2) and the GDPR, Version 1.0: These guidelines were officially adopted for public consultation by the European Data Protection Board on 17 July 2020. The guidelines further clarify existing legislation within the PSD2 and GDPR related to explicit consent, the processing of silent party data, the processing of specific sets of personal data, and data minimization, transparency, and security. The public comment period for Version 1.0 ended September 17, 2020.

European Central Bank (ECB)

• European Payments Initiative: On 2 July 2020, the ECB announced the launch of the European Payments Initiative, previously known as the Pan-European Payments System Initiative. The 16 European central banks that decided to move forward on the initiative aim to develop a unified payment system for consumers and businesses across Europe. Plans call for a payment card and digital wallet covering online and in-store payments, person-to-person transactions, and cash withdrawals. The new system aims to replace the Single Euro Payments Area (SEPA).

• Cyber Information and Intelligence Sharing Initiative (CIISI-EU): At the fourth meeting of the Euro Cyber Resilience Board on 27 February 2020, the ECB announced the launch of a new cybersecurity initiative to facilitate the sharing of cybersecurity threat information between government entities. The creation of the initiative will also increase cybersecurity threat awareness and prevent cyber attacks.

ETSI

• Electronic Signatures and Infrastructures (ESI) – Certificate Profiles (EN 319 412-1): In July 2020, the ETSI standards organization published new standards regarding electronic signatures and infrastructures. The new standards define different types of identity verifiers and other technical information regarding eKYC measures and safeguards. The standards aim “to maximize the interoperability of systems issuing and using certificates” in both EU jurisdictions and the international environment.

UNESCO

• Elaboration of a Recommendation on the Ethics of Artificial Intelligence: UNESCO recently published the revised draft of a new document giving recommendations on the ethics of artificial intelligence. UNESCO held the second meeting of its Ad Hoc Expert Group from 31 August to 4 September 2020, following stakeholder consultations.

The recommendation, a two-year process that began in November 2019, aims to build on a preliminary study on the ethics of AI previously released by UNESCO’s World Commission on the Ethics of Scientific Knowledge and Technology (COMEST). The study emphasizes that there is currently no global framework covering the development and application of AI in a human-centered approach.

The second draft is expected to be adopted at UNESCO’s General Conference in November 2021.

Legislation

European Commission

• The Digital Services Act: In January 2020, the European Commission announced the launch of the Digital Services Act package, a sweeping long-term initiative to “reshape Europe’s digital future and to propose an entire package of new rules.” The Act will address legal responsibilities of digital platforms regarding user content and detail measures to safeguard users.

As of the publication of this report, the Commission has not officially published its proposal for the new Act. However, a public consultation seeking feedback was issued in March 2020 and closed on 8 September 2020.

Litigation

EU High Court Clarifies Rules for Cross-Border Transfer of Personal Data

On 23 July 2020, in the wake of the Court of Justice of the European Union’s Schrems II judgment, the European Data Protection Board (EDPB) adopted a Frequently Asked Questions document to “provide initial clarification and give preliminary guidance to stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the U.S.” The EDPB stated that the document will be updated, and further guidance provided, as it continues to examine and consider the judgment.

Essentially, this would give the appropriate European authorities, namely the EU, grounds to block cross-border data transfers. The decision clarifies that data controllers have an obligation to conduct risk assessments prior to the transfer of personal data and determine whether appropriate safeguards can be ensured by the recipient of the data outside the EU. Data controllers that cannot confirm appropriate safeguards will be required to suspend or end the transfers of personal data.

The ruling has had a resounding effect on the EU’s private sector, especially during COVID-19 when most consumers have been conducting personal business remotely.

ALBANIA

Country Overview

The country of Albania may be small, but its GDP growth is mighty. According to Deloitte, the transition economy’s GDP growth has remained steady since 2016, outperforming Macedonia, Bosnia and Herzegovina, and . Part of this steady growth can be attributed to the strengthening of financial regulatory oversight for banks and other financial institutions. The Albanian Financial Supervisory Authority (AFSA) is highly active in legislating for consumer protection, financial literacy and licensing, which has extensively broadened Albania’s financial inclusion and financial services markets.

With that said, the COVID-19 pandemic has negatively affected some of these markets; Albania is still one of the poorest countries in Europe and has only 12 commercial banks composing its financial services network. According to AFSA, the insurance market in particular has been hit hard, with an almost 30 percent decrease in premiums across a number of insurance types.4 Despite this, the European Bank for Reconstruction and Development has predicted that Albania’s GDP growth will continue into 2021 with a whopping 12 percent increase, most of which can be attributed to the country’s services sector.

While Albania’s government hasn’t launched any forward-looking technological initiatives in regard to financial institutions, the country is on track for a more robust regulatory system and investor participation -- should expansion of its banking network and GDP growth remain on track.

CENTRAL BANK

The is the central bank of Albania headquartered in Tirana. The bank was created under the Constitution of Albania and its primary objective is to maintain price stability in the country.

Other Financial Bodies:

The Albanian Financial Supervisory Authority (AFSA) is an independent regulatory authority supervising the financial services sector in the country. The public entity was established in 2006 to oversee non-banks in the sector, including the insurance and securities markets.

DATA PROTECTION AUTHORITY

The Information and Data Protection Commissioner (IDP) of Albania is the primary data protection authority in the country. The Commissioner delegates duties to several functional departments, including a Department of Internal Services and Finance, a Department of Personal Data Protection, and a Department of Right to Information.

Key Highlights for Financial Institutions

1. Law No. 4/2020 On Automatic Exchange of Financial Accounts Information

On 30 January 2020, the Albanian Parliament adopted this law to ratify the “Convention on Mutual Administrative Assistance on Tax Matters” and to adopt the “Multilateral Agreement on the Automatic Exchange of Financial Accounts Information agreement.” The agreement obligates regulated financial institutions to report specific account information annually to Albanian tax authorities, due by May 30 each year. Any accounts subject to standard due diligence procedures must be reported. More broadly speaking, the law will help Albania exchange information with 82 other countries to combat money laundering and terrorist financing.5 The law became effective on March 12, 2020.

2. IDP Guidelines on the Protection of Personal Data in the Fight Against COVID-19

On March 20, 2020, the Information and Data Protection Commissioner issued guidance regarding the impact of COVID-19 on personal data protection and provided guidance on regulatory compliance. The Commissioner stated that all entities should comply with Law No. 9887, the personal data protection law passed in late 2008. The Commissioner further stated that the pandemic does not provide a lawful reason “to disregard the right of each citizen to the protection of their personal data and therefore to disregard their private life.” Such a breach of trust would be a violation of the country’s constitution.

3. IDP Guidelines on Processing of Personal Data in Specific Sectors in the Framework of Measures Adopted Against COVID-19

Subsequent to issuance of the Guidelines on Protection of Personal Data in the Fight Against COVID-19, the IDP issued a second set of guidelines on 4 June 2020. The guidelines are specific to processing of various types of personal data, including geolocational data and data gained from contact tracing. The guidance applies to entities in both the private and public sectors.

BELARUS

Country Overview

In the wake of the COVID-19 pandemic, Belarus is grappling with recovery from an already dire economic situation. The country has faced persistently decreasing revenues and weak fiscal growth, creating a deficit that has created public debt exceeding 60 percent.8 In 2020, GDP has had a negative four percent growth rate. Despite this, investment in small and medium-sized enterprises (SMEs) has increased steadily since 2016, and commercial banks in the country have strong financial standings. According to the European Investment Bank, commercial banks in Belarus represent approximately 85 percent of total financial assets and approximately 73 percent of GDP.

Most recently, Belarus has boosted its commitment to consumer data protection by passing a dedicated data protection law.

CENTRAL BANK

The National Bank of the Republic of Belarus is the central bank of Belarus located in Minsk. One of the bank’s goals is ensuring payments systems in the country remain stable and reliable.

Other Organizations and Financial Bodies

The Ministry of Finance of the Republic of Belarus is a government agency that works with the Central Bank to develop legislation and financial sector plans.

The State Committee for Standardization of the Republic of Belarus (BELST) is the public standards authority charged with technical regulation and standardization in the country. While the Committee mostly oversees standards related to construction and energy efficiency, it supervises cash register licensing and operations as well, including “cash equipment, payment terminals, automatic electronic devices, [and] vending machines.” Additionally, the Committee oversees cash acceptance and “bank cards as a means of implementing settlements” when selling goods, performing work, rendering services, carrying out gambling business, lottery activities and operating electronic interactive games.

DATA PROTECTION AUTHORITY

As of the publication of this report, Belarus does not have a dedicated data protection authority. However, the Operations and Analysis Center Under the President of the Republic of Belarus (OAC) in Belarus is involved with some oversight of personal data protection issues. The agency is primarily charged with regulation and protection of classified information. The OAC is comprised of three divisions: the National Center for Digital Services, the National Center for Data Peering, and SOOO Belarusian Cloud Technologies, or beCloud.

The Law on Personal Data (BPDL), in draft form at the time of this report, would mandate a personal data operator to assign a special unit or person to “arrange collection, processing, distribution and provision of personal data.”6 The draft law also mandates creation of a new personal data protection authority that would issue permits for cross-border data transfers and enforce legislation on personal data protection, among other duties.

Key Highlights for Financial Institutions

1. Belarusian Personal Data Law (BPDL Draft Law)

The BPDL categorizes personal data based on the type of information being processed: biometric personal data, genetic personal data, and special personal data.9 The law’s primary objective is to regulate the protection of personal data in Belarus. The draft law sets the legal framework for processing data and for communication between consumers and the data processor. The law is influenced by the Russian Federal Law No. 1520FZ on Personal Data. The requirements relating to the collection and processing of personal data; the scope of data subjects and operators’ rights and obligations; the approach to cross-border transfers; and the protection of personal data are all similar to those provided in the Russian Law on Personal Data.

The draft Law on Personal Data was adopted in the first reading by the lower chamber of the Belarusian Parliament in June 2019. As of the publication of this report, the law has not been officially enacted and a timeline for enforcement hasn’t been announced.

2. Information Protection Law No. 455-Z Amendments

In March 2020, amendments to the existing Information Protection Law, passed in 2008, entered into force. The law requires employees that create information protection systems to have higher education in the sphere of information protection security or other higher or professional-technical education and undergo training on the issues of technical and cryptographic information protection. The law also stipulates that respective employees and departments should secure information in the information systems they create. Should protective measures not be taken, the law allows for third-party organizations to step in.

3. Information Security Concept 2019 (ISC)

The Belarus Parliament adopted a new Information Security Concept (ISC) on 18 March 2019, based on a resolution from the Belarus Security Council. The ISC qualifies “information sovereignty” as “the indispensable and exclusive right of the state to independently shape the rules of ownership, use and administration of national information resources; to conduct independent foreign and domestic information policy; to shape the national information infrastructure; [and] to ensure information security.” The new policy has provisions influenced by the UN General Assembly and OSCE recommendations that provide a comprehensive approach to information security. Experts believe the adoption of the ISC is the country’s response to cyber attacks from Russia.

BOSNIA AND HERZEGOVINA

Country Overview

Bosnia and Herzegovina is one country but operates under two self-regulating economic zones that have experienced modest economic growth in the past decade. The country’s main impediment to greater financial stability is its weak investment in the private sector. Household deposits declined in March 2020 and continued to do so through October 2020. According to Fintech Switzerland, Bosnia and Herzegovina is the fifth most at-risk country for public and private sector cyber breaches in a ranking of 32 European countries.

Financial institutions in Bosnia and Herzegovina may have a difficult time navigating a landscape tailored for state-run financial institutions, but some recent progress in AML/CFT regulatory frameworks shows the country is dedicated to improving its digital economy.

EU Removes Bosnia and Herzegovina from High-Risk Country List for AML/CFT

As of 9 July 2020, the country is officially not on the EU list of high-risk countries that have strategic deficiencies in the regime of preventing money laundering and combating terrorist financing, which represent a significant threat to the EU’s financial system. The EU had kept Bosnia and Herzegovina on the list of high-risk countries, which has caused difficulties in the implementation of financial transactions because banks operating in the EU were obliged to carry out special procedures when it comes to money sent to the country, or from the country to the EU.

Bosnia and Herzegovina Accede to Convention 108+

The Council of Europe announced on 2 July 2020, that Bosnia and Herzegovina signed the Protocol amending the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108 Amending Protocol). The CoE highlighted that Bosnia and Herzegovina became the 35th and 36th countries to sign the Convention 108 Amending Protocol.

CENTRAL BANK

The Central Bank of Bosnia and Herzegovina is the primary supervisory banking authority for the country. The primary objective of the central bank is to maintain price stability in the country.

Other Financial Bodies:

The Banking Agency of the Federation of Bosnia and Herzegovina (FBA) is one of the primary regulatory authorities for the banking sector in the country along with the Banking Agency of the Republika Srpska. The country’s financial sector operates under two different economic zones, one being the Federation of Bosnia and Herzegovina, the other Republika Srpska.

The Banking Agency of the Republika Srpska (BARS) is one of the primary regulatory authorities for the banking sector in the Republika Srpska zone of Bosnia and Herzegovina. The agency develops regulations and legislation applicable to financial institutions.

DATA PROTECTION AUTHORITY

The Personal Data Protection Agency (PDPA) is the national data protection authority in Bosnia and Herzegovina.

Key Highlights for Financial Institutions

1. FBA Advisory to Users of Financial Services

On 2 September 2020, the FBA issued guidance titled “Information for users of financial services.” The agency makes several recommendations to users regarding contractual obligations when conducting business with financial institutions, including non-banks. The FBA also advises users of their rights when transferring payment security instruments as part of a loan repayment guarantee. The guidance also provided online user forms for several functions, including filing complaints.

2. OSCE Guidelines for a Strategic Cybersecurity Framework in Bosnia and Herzegovina

On 10 October 2019, the Organization for Security and Co-operation in Europe (OSCE) presented guidelines for a strategic cybersecurity framework in Bosnia and Herzegovina. The document is the first of its kind for the country and will set a framework for a comprehensive and strategic approach in responding to serious cybersecurity threats in a more systematic manner. As of the publication of this report, a timeline for development of a framework has not been announced, though the first industry to have a solid cybersecurity framework could be energy. The sector dealt with several cyber breaches in 2019 and accounts for most of the country’s GDP, making it a high priority for cybersecurity policymakers.

FRANCE

Country Overview

As a global center of art, science, and philosophy, France has become one of the wealthiest countries in the world. It is a founding member of the European Union, one that helped launch the euro in partnership with other EU member countries. France has largely begun to privatize its public sector by selling off numerous holdings in multiple industries, including insurance and banking. The three largest financial institutions are co-op banks. Additionally, some of the largest banks in the world are based in France, along with the world’s largest insurance company.

The regulatory landscape for banking activities in the country is cultivated by three sets of regulations and rules: EU law, national legislation, and regulatory authority regulations, such as those issued by the European Central Bank and the French Prudential and Resolution Control Authority (ACPR). While EU law has had the largest impact on banking and payment regulations in France, the country’s ministers and financial authorities have laid out plans to bring French consumers further into the digital payments fold.

According to JP Morgan, cards are the dominant payment method preferred by e-commerce customers, accounting for approximately 54 percent of transactions. This method of online spending is expected to increase at an annual rate of almost 16 percent by 2021. Digital wallets such as PayPal are also popular. Consumers have concerns about the security of digital wallet transactions, especially when they can rely on a highly regarded domestic interbank payment system. The adoption of PSD2 in the country has already brought new players into the open banking and fintech space and has brought a new level of security for bank account information and third-party providers.

CENTRAL BANK

The is the independently run central bank of France. The Bank oversees multiple government and public accounts as well as public securities auctions of the European Central Bank. The Bank is a member of the of central banks. The Observatory for the Security of Payment Means is a unit operating under the Bank of France.

To ensure enhanced security and safeguards for consumer protection, France is preparing to implement a national digital identity card framework, expected to be launched in summer 2021. Until then, France’s regulators in the banking and technology sectors will actively pursue several projects to further modernize financial services for French citizens.

Other Financial Authorities

The French Prudential Supervision and Resolution Authority (ACPR) is an independent arm of the Bank of France that supervises banks and insurance companies in the country. The ACPR is composed of three main committees: the Supervisory College, the Resolution College and the Sanctions Committee, in addition to several consultative bodies.

The Ministry of the Economy and Finance, informally known as Bercy, performs multiple functions related to the growth and stability of the country’s economy. Primarily, the Ministry drafts taxation laws, oversees national funds, and develops regulations supervising the public and private sectors.

The French Competition Authority is the national competition regulator of France and an independent administrative authority. The agency’s main purpose is to counteract anti-competitive practices in private markets.

The National Commission on Informatics and Liberty (CNIL) is the national data protection authority in France.

The National Information Systems Security Agency (ANSSI) is the national computer security agency of France operating under the Secretariat-General for National Defense and Security (SGDSN). Both agencies help the Prime Minister carry out defense and national security responsibilities.

Regulations and Laws

1. Ordinance No. 2020-534 Relating to Various Banking Provisions

On 7 May 2020, the Minister of the Economy and Finance presented this ordinance to the Council of Ministers. The ordinance specifies how the EBA’s recommended contactless payment ceiling increase should be implemented. The EBA’s call to raise the ceiling to 50 was also announced in May 2020 in response to the COVID-19 pandemic.

The order allows financial institutions and payment service providers to increase the contactless payments ceiling until one month after the end of the state of health emergency, which was reinstated in October 2020. It also stipulates payment service users will not pay for the increase in contactless payments, whether that be through fees or other means.

Legislation and Policy

1. Joint Information Committee Consultation on Digital Identity

In late 2019, the Joint Information Committee of the French National Assembly began work on a consultation seeking public feedback on digital identity, with a focus on ethics, trust, security, inclusion of citizens and protection of their rights. Starting in summer 2021, France will be required to begin providing French citizens with a national electronic identity card, under the European eIDAS regulation. Consequently, CNIL acknowledges that France Connect, the digital identity device that allows online users to authenticate their identity through an existing public service account, is not a sufficient solution for certain cases. Thus, the Ministry of the Interior and the National Agency for Secured Titles (ANTS) is developing a separate smartphone solution called Alicem, which will allow for certified online authentication on mobile devices. The goal is to allow users to securely verify their identity online, particularly with the use of facial comparison software. Passport holders and those with residence permits enabled with electronic chips will be the first to be able to use the application, followed by those with a national electronic identity card starting in summer 2021.

2. CNIL Announcement on the Application of GDPR During the Post-Brexit Transitional Period

On 31 January 2020, CNIL published an announcement addressing questions and concerns surrounding the protection of personal data during the Brexit transition period.

Most significantly, CNIL states that “no additional formalities for organizations in France or the United Kingdom are necessary until the end of the transition period,” which is 31 December 2020. At the end of the transition period, “transfers of personal data to the United Kingdom must be governed by the tools provided for by the GDPR,” unless the EU makes a decision to recognize an adequate level of protection from the United Kingdom.

3. Draft Law No. 3408 to Ratify Ordinance No. 2020-115 to Strengthen the National System for the Fight Against Money Laundering and Terrorist Financing

On 12 February 2020, the French government submitted Draft Law No. 3408 ratifying Ordinance No. 2020-115 to strengthen the national system for the fight against money laundering and terrorist financing to the National Assembly. Ordinance No. 2020-115, together with decrees No. 2020-118 and No. 2020-119, constitutes the main transposition of the 5th Anti-Money Laundering Directive into national law.

The PACTE law – Law No. 2019-486 on business growth and transformation passed in May 2019 – previously transposed some AML/CFT responsibilities that apply to digital assets service providers. Ordinance No. 2020-115 seeks to enhance France’s national AML/CFT framework and protect the economy by broadening legal scope, clarifying various obligations of applicable entities, enhancing customer due diligence requirements and reclassifying the risk profile for remote identification of certain customers.

Key Highlights for Financial Institutions

• Decree No. 2020-118: On 12 February 2020, the Ministry of Economy and Finance passed Decree No. 2020-118 for transposing EU Directive 2018/843 strengthening the national system for the fight against money laundering and terrorist financing. Specifically, the decree puts an end to the obligation to verify [client] identity prior to opening an account and simplifies the procedures for verifying the client’s identity for entering into a business relationship remotely. It also provides details relating to the use of third-party services and their obligations to combat money laundering and the financing of terrorism.

The decree entered into force on 13 February 2020. It grants a grace period of one year to certain issuers of electronic money instruments for products presenting a low risk of money laundering and terrorist financing to comply with provisions in Article 8 of the decree.

Methods of Identity Verification

Article 3 of the decree amends certain subsections by modifying language related to identity verification. It also stipulates that should entities not be able to verify client identity by standard means, they can apply any two of the following measures to stay in compliance:

• Obtain a copy of a document mentioned in Article R. 561-5-1 of the decree;

• Implement measures to verify and certify the copy of an official document or an extract from the official register mentioned in Article R. 561-5-1 by a third party, independent of the person to be identified;

• Require that the first payment be made from or to an account opened in the name of the client with a person established in an EU member state, a state party to the Agreement on the European Economic Area, or in a country imposing equivalent AML/CFT obligations;

• Obtain direct confirmation of the client’s identity from an approved third party;

• Use a service certified as compliant by ANSSI or a certification body authorized by ANSSI;

• Collect an advanced or qualified electronic signature or a valid advanced or qualified electronic seal based on a qualified certificate; or, use a qualified electronic registered delivery service bearing the identity of the signatory or the creator of the seal and issued by a qualified trust service provider registered on a national trust list.

• Decree No. 2020-119: On 12 February 2020, the Council of Ministers approved Decree No. 2020-119. Like Decree No. 2020-118, the decree aims to strengthen the national system for the fight against money laundering and the financing of terrorism by transposing and amending text from EU Directive 2018/843.

However, this decree specifically addresses data portability relating to beneficial owners registered with the Registry of Commerce and Companies (RCS). It also addresses expanded obligations of TRACFIN, the AML/CFT unit within the Ministry of Finance.

4. Competition Authority Consultation on Fintechs

In May 2020, the national Competition Authority launched a consultation on fintechs as part of an inquiry into new technologies used within the financial sector, specifically payment activities. The deadline for stakeholders to send feedback ended 19 June 2020.

The consultation posed a series of questions related to the development and implementation of fintech in payment activities. It gives an overview of how new technologies have impacted payment activities through cloud services, blockchain, electronic wallets, and cryptocurrency. Additionally, it explores the fintech landscape and the emergence of new players and services, such as Apple Pay and Google Pay.

The Authority has not yet released the results of the consultation.

5. CNIL Advisory on the Anonymization of Personal Data

On 19 May 2020, CNIL published an advisory addressing the anonymization of personal data. The advisory informs the public and stakeholders about anonymization best practices.

There are two main takeaways from the advisory: 1) The GDPR does not have a general anonymization obligation. The methods given in the advisory do not align with any existing GDPR regulations. 2) Anonymization and pseudonymization are not the same.

6. Draft Law No. 3054 to Ratify Ordinance No. 2020-534 Concerning Various Provisions in Material Banking

On 3 June 2020, the National Assembly passed Draft Law No. 3054, which ratifies previous Ordinance No. 2020-534, an order that entered into force 9 May 2020. It specifies how the EBA’s recommended contactless payment ceiling increase should be implemented. The EBA’s call to raise the ceiling to 50 euros was also announced in May 2020 in response to the COVID-19 pandemic.

The new draft law ratifies Articles 1 and 2 of the ordinance to further clarify conditions for implementation.

7. ACPR Consultation on Artificial Intelligence

Governance of Artificial Intelligence Algorithms in the Financial Sector: On 11 June 2020, the ACPR issued a consultation seeking public feedback on the governance of artificial intelligence algorithms in the financial sector, composed of a discussion paper and questionnaire. This consultation was issued after a previous public consultation that began in 2018. It continued with exploratory work that asked financial industry stakeholders to clarify issues of AI governance, through interviews and technical workshops covering three areas, all within the context of machine learning:

1. the work against money laundering and the financing of terrorism;

2. internal AI models, specifically for credit scoring;

3. and customer protection.

The discussion paper was subject to public consultation until 4 September 2020.

Key Highlights for Financial Institutions

• Recommendations for Algorithm Design of AI: The discussion paper suggests that financial institutions particularly pay attention to several aspects during the algorithm design phase. These include:

1. Integration into business processes: Determine whether an AI component replaces a critical function due to its operational role or the risk of compliance and confirm it is technically satisfactory according to an appropriate ML lifecycle methodology.

2. Security and outsourcing: Risks associated with the outsourcing of models, hosting or skills techniques should be assessed, as well as more generally third-party risks.

3. Initial validation process: Initial validation functions often need to be redesigned when developing an AI-based algorithm intended to complement or modify an existing process.

4. Continuous validation process: Once a machine learning algorithm is deployed in production, its governance also presents new challenges to adequate processing of data, predictive performance, absence of instability, and validity of explanations of system decisions.

5. Audit: Internal or external audits of systems based on AI in finance should be composed of two parts: analysis and testing.

• Four Principles of AI Algorithm Development: The ACPR proposes four principles for evaluating AI algorithms and tools: adequate data processing, performance, stability and explainability.

• Regulatory Conformity: Regulatory compliance as it relates to development of AI algorithms is composed of two aspects: compliance with regulations relating to the protection of privacy or personal data, starting with the GDPR, and the regulatory constraints specific to each use case.

8. Third-Party Risk and Outsourcing

Financial institutions use different types of third-party providers to develop their AI. Issues related to outsourcing of skills, project management and control works are particularly significant in AI. The authority suggests best practices for addressing these challenges, including conducting a risk analysis that addresses reversibility of outsourced solutions, outsourcing design and production services, and purchasing services such as cloud hosting.

Additionally, the authority states that any decision to outsource or use a third party for any other type of service must be preceded by a risk analysis. The decision needs to take the results of the analysis into account. There are three governance principles that should be respected when working with third parties:

1. ensure documentation and traceability of work;

2. guarantee the financial institution access to source code and models, even when these are developed or hosted externally;

3. offer the same guarantee to the supervisor in order to enable an audit covering systems, software code and data.

9. Support for Contactless Payments and Deployment of SCA

On 1 July 2020 the Observatory for the Security of Payment Means issued a press release confirming its support for the implementation and use of contactless secure payment methods. It also outlines the measures the observatory is taking to support the deployment of strong customer authentication for online payments.

Most notably, the observatory states that it is inviting businesses in the payment chain to actively resume their contribution to the migration plan for implementing strong authentication for internet payments: the equipment of carriers, the upgrading of technical infrastructure and the connection of traders. Management systems for the migration plan are reviewed to integrate flexibility into the migration trajectory, which could be activated by the observatory to take into account repercussions of the pandemic. The migration will be accompanied by compliance monitoring.

The new management methods for the migration plan are detailed in the observatory’s 2019 annual report.

10. Ministry of the Economy: Mission for the Digital Transformation of the Economy

On 8 August 2020, the Ministry of the Economy and the Ministry of Industry, along with the Secretary of State for Digital Transition and Electronic Communications, announced the launch of the digital transformation mission for large groups.

The digital transformation initiative targeted toward large companies aims to benefit the national economy through the creation of multiple projects. The announcement outlines the five major projects, or priorities:

• Support the transformation of skills and training;

• Support the emergence of a European ecosystem dealing with data sovereignty;

• Simplify and strengthen the collaboration between start-ups and large groups;

• Participate in protecting French sovereignty in the e-payment market;

• Develop a joint strategy on Artificial Intelligence (AI).

A steering committee was expected to meet in fall 2020, and a presentation on the progress of various working groups will take place in March 2021. A report is expected to be published by the end of 2021.

11. AMF Description of Digital Assets Provider (DASP) Requirements

In September 2020, the AMF published a description of the requirements of registration for digital asset service providers under the PACTE Law. DASPs that began activity before the law entered into force are required to register by 18 December 2020.

12. CNIL Deliberation No. 2020-091: Adoption of Guidelines on the Application of Article 82 of Law on Information Technology, Data Files and Civil Liberties

On 17 September 2020, CNIL published guidelines addressing the application of article 82 of the Law on Technology Data Files and Civil Liberties. The deliberation repeals Deliberation No. 2019-093.

The guidelines address all operations involving transmission of users’ electronic personal data, and access to said data stored on user “terminal equipment,” such as mobile phones, tablets, computers, etc. Specifically, the guidelines address best practices for the use of cookies and tracers and the collection of user consent.

Most notably, in regards to data privacy, the reading and writing of any information stored or consulted in terminal equipment is protected, whether or not it is personal data within the meaning of the GDPR. Additionally, the provisions of paragraph 3 of article 5 of the ePrivacy

EUROPE - ONESPAN GLOBAL FINANCIAL REGULATIONS REPORT FOLLOW US    55 directive and, consequently, article 82 of the Law on IT, Data consumer to a version of his online interface which is Files and Civil Liberties, are applicable to such operations different from the one to which he initially wanted to regardless of whether the data is personal or not. access, unless he has expressly given its consent to this effect. When the consumer is redirected after having • Q&A on the Amending Guidelines and the CNIL given his consent, he must be able to continue to easily “Cookies and Other Tracers” Recommendation: CNIL access the version of the professional’s online interface to has also released a Questions and Answers document which he initially wanted to access.” to address questions regarding the new guidelines and 3. Subject entities are “prohibited to apply, for reasons recommendations. linked to the location, on national territory, of the consumer’s residence, of their payment account, of 13. Draft Law No. 114 to Adapt Various Legal Provisions Related the payment service provider or of the issuance of the to Economic and Financial Matters payment instrument, different conditions for payment On 6 November 2020, a draft law to adopt various EU transactions carried out by consumers using the means provisions related to economic and financial matters was of payment accepted by this organization, when: introduced to the national Senate. The draft makes multiple amendments to the national Consumer Code. Some of the • The payment transaction is carried out by means of a matters being amended relate to geo-blocking, or denying payment service mentioned in 1° to 7° of II of Article L. services based on geographic location. 314-1 of the Monetary and Financial Code. • The authentication requirements are fulfilled in Key Highlights for Financial Institutions application of Article L. 133-4 of the same code. • Unjustified Geo-Blocking: Draft Law No. 
114 amends a • The payment transaction is made in a currency that the subsectionof the Consumer Code to enhance safeguards organization accepts. against “unjustified geo-blocking”. Geo-blocking is the restriction of electronic content and/or services based on 14. Bill No. 3574 on Regulating Contactless Mobile Payment geographic location, which can be viewed as discriminatory. The newly amended subsection stipulates there will be On 17 November 2020, a bill to regulate contactless administrative fines for any breach of EU Regulation mobile payments was submitted to French Parliament for 2018/302, passed by the EU Council in February 2018. The review. The Bill’s goal is to protect consumers’ freedom of regulation addresses unjustified geo-blocking and other choice and promote fair competition in the contactless discriminatory geo-location practices, such as denying mobile payments space, mostly in response to technology services based on consumer nationality, residence or place giants moving into the development of mobile payment of business. EU Regulation 2018/302 amended European applications. Composed of seven articles, the Bill establishes Commission Regulations No. 2006/2004 and EU 2017/2394 administrative definitions and establishes principles for and Directive 2009/22/EC. consumer protection. The national government recognizes the need for legislation that “will make it possible to set Under the subsection, subject entities will be found in an important milestone in convincing [France’s] European breach if: partners to jointly improve and expand consumer 1. They block or limit customers’ access to an online protection at European Union level in digital services.” interface; or if the business redirects customers without Once approved, the Bill would apply to operating system their consent to a different version of the interface than suppliers and any “useful” service for contactless that which they initially wanted to access. This would mobile payment. 
be in violation of the prohibitions provided for in Article Key Highlights for Financial Institutions 3, as would applying general conditions of access to • Consumer Protection and Access: Article 3, Sections 1 and goods and services in disregard of Article 4 or applying 2, stipulate that application providers must ensure “equal discriminatory payment conditions in violation of Article ergonomic access to the consumer, that [they] can 5. This applies only to consumers operating within the EU exercise [their] freedom of choice” of contactless internal market. payment application. • New amendments to Subsection 12 provide various 1. Mobile devices with tools to facilitate the use of obligations related to geo-blocking. Specifically, the contactless payment applications must provide those amendments state the following: tools free of charge to the consumer, “regardless of the 1. Subject entities and professionals are prohibited “to payment application” they choose. block or limit a consumer’s access to his online interface, 2. All consumers have the right to install any third-party through the use of technological or other measures, for contactless payment application of their choice. reasons related to the place of residence in the national territory of this consumer.” • Fair Competition: Article 4 of the Bill states that any mobile operating system provider is “required to make available to 2. Subject entities and professionals are prohibited “to any payment service provider, credit institution, electronic redirect, for reasons related to his place of residence, a

EUROPE - ONESPAN GLOBAL FINANCIAL REGULATIONS REPORT FOLLOW US    56 money institution, payment institution or agent within 15. Directorate-General for Competition, Consumer Affairs the meaning of EU Directive 2015/2366” all contactless and Fraud Control Communication on the Consequences mobile payment services under “fair, reasonable and non- of Brexit discriminatory conditions.” On 23 November 2020, the Directorate-General for Competition, Consumer Affairs and Fraud Control (DGCCF) However, there are some exemptions to Article 4 outlined issued a communication addressing the consequences of in Article 6: Brexit on consumers and French businesses. It answers a 1. An operating system supplier is not subject to the access number of questions regarding consumer rights, digital and obligation if it establishes that this system has less than 2 mobile services, and data portability. million registered users in the European Economic Area internal market during the last financial quarter. This user Most importantly, the communication states that pending threshold must be assessed on the date of the subject an agreement between the UK and the EU, it is “impossible access request. to determine precisely which consumer protection rules will be applicable in the future to consumer rights in their 2. The operating system supplier may refuse to grant relations with British companies.” The directorate states the user access provided for in Article 4 if the supplier that it will continue to address the issues posed in the can provide documented proof that granting access communication as the transition period moves forward. threatens the security of consumer payments.

3. The operating system supplier may not, in any case, refuse an access request in accordance with Article 4 if the applicant or agent representing the payment, credit, or electronic money institution consents to guarantee said access to the consumer in writing. This guarantee “will not be able to prejudice the consumer” and it doesn’t exempt the operating system supplier from obligations set out in Articles 3 and 6.

Key Highlights for Financial Institutions • Informing Users Before Consent Collection: The guidelines stipulate that at a minimum, users should be informed of the following before obtaining their consent:

1. The identity of the data controller for reading and writing operations;

2. The purpose of the data reading or writing operations;

3. How to accept or refuse tracers;

4. The consequences attached to a refusal or acceptance of tracers;

5. The existence of the right to withdraw consent.

GERMANY

Country Overview

Of the 27 EU member states, Germany is a leader when it comes to influencing regional financial regulations. In fact, the current presidency of the European Council is held by Germany, and the country is undoubtedly a shot-caller in the EU legislative process. Germany’s central bank, the Deutsche Bundesbank, is the most influential member of the European System of Banks, due to its unmatched stability and size. The European Central Bank is located in Frankfurt. Germany’s strong economy, the largest in Europe, and consistently high GDP rank, along with its technologically and scientifically advanced research sectors, make it a breeding ground for socially minded businesses.

Germany has a reputation for being a cash-dominated economy and its cash usage was still high as late as 2018, with 67 percent of all consumer-to-business transactions being done with cash. However, the payments infrastructure in Germany is robust with approximately 165 million cards, 1.1 million electronic terminals, and a well-established processing landscape.9 It’s inescapable, in fact, that non-cash payments are growing. The country’s mobile e-commerce market has expanded at a double-digit rate, driven by increasing smartphone use and the emergence of digital wallet payment options.10 But while more than 71 percent of Germans own a smartphone, consumers are still concerned about the risks of mobile transactions.

Cash use in Germany is expected to continue to decline at a fairly rapid rate into 2022, approximately 30 to 50 percent if development follows that of other European countries (Sweden, for example, will see an even steeper decline in cash use during this time period). The bad news for German banks in all of this is the inevitable decline in revenue generation in the payments sector. With increased competition from big tech and long-serving legacy companies headquartered in the country, private banks, particularly commercial banks, will have to re-tool their payments strategies.

CENTRAL BANK

The Deutsche Bundesbank (BBk) is the independent central bank of Germany. The Deutsche Bundesbank is considered the most influential member of the European System of Central Banks and has helped shape the Euro system.

Other Financial Authorities

The Federal Financial Supervisory Authority (BaFin) is Germany’s main financial regulatory authority working independently under the Federal Ministry of Finance.

DATA PROTECTION AUTHORITY

The Federal Commissioner for Data Protection and the Freedom of Information (BfDI) is the national data protection authority in Germany for telecommunications providers. However, in addition to the BfDI, there are multiple data protection authorities for all 16 states, each responsible for enforcing EU data protection laws and regulations.

The Federation of German Consumer Organizations (VZBV) is an independent consumer rights organization representing 42 consumer associations in Germany. The organization is non-governmental and works with legislators and the private sector to protect consumers.

Laws and Regulations

1. BaFin General Ruling on the Arrangement of the Storage of Data and Virtual IBAN

On 9 July 2020, BaFin announced a ruling regarding data storage by credit institutions during the issuance of international bank account numbers (IBAN) with a German country code to payment services companies for disclosure to end consumers.

The ruling mandates credit institutions to immediately record every virtual IBAN they issue directly or indirectly to a payment service provider in the file system in accordance with Section 24c KWG of the national Banking Act. Credit institutions must only file the required information under Section 24c of the KWG file, where the payment service provider’s end customer is considered to be an authorized person or beneficial owner and not just because virtual IBAN use has been identified.

Virtual IBANs do not have an assigned account and are only used to set payment flows, unlike “real” IBANs. The dispositions directed credit institutions to express their feedback on the general decree in writing to BaFin by October 2, 2020.

Legislation and Policy

1. BfDI Consultation on Anonymization of Personal Data Under GDPR

On 10 February 2020, the BfDI launched a consultation on the anonymization of personal data under the GDPR. The purpose of the consultation was to assess whether the anonymization of data constitutes processing within the context of existing data protection laws and establishing the legal basis for processing anonymized data. The deadline for the consultation was 9 March 2020. The BfDI published a position paper after the consultation ended titled “Anonymization: A location determination between the GDPR and TKG” that clarifies anonymization requirements.

2. BaFin Guidance on Crypto Custody Businesses

On 3 March 2020, BaFin issued guidelines regarding the authorization of crypto custody businesses. The guidelines provide basic guidance for applications for authorization and guidance on the contents of applications for authorization, including IT requirements and prevention of money laundering and terrorist financing.

Key Highlights for Financial Institutions

• Applications for Authorization, Including E-Signature and Electronic Document Submission: In its guidance, BaFin advises applicants for crypto custody business to consult the notice from the Deutsche Bundesbank on the granting of authorization to provide financial services, issued in July 2018. Furthermore, it is possible that further authorization requirements will have to be met depending on the nature of the business. The guidance states that “provided that the specific business model is not limited to providing custody, management and backup services for cryptoassets within the meaning of section 1 (11) no. 10 of the KWG, but rather to financial instruments under Annex 1 Part C of Directive 2014/65/EU (MiFID II), an authorization requirement for other banking business or financial instruments within the meaning of the KWG may also apply.”

Additionally, the application to operate a crypto custody business must be signed by “persons authorized to represent the undertaking.” The application may be submitted digitally in accordance with requirements of section 3a of the German Administrative Procedure Act. If relevant statutory provisions don’t require submission of the original or a wet ink signature, then documents and declarations related to the application may be submitted in a simple digital format.

• Contents of Applications for Authorization: The guidance on the contents of applications for authorization of crypto custody business provides various IT requirements. Among the requirements is the mandate to provide details of any significant outsourcing and of any cloud solutions used. It further states that any partners involved should be indicated and their respective roles outlined. It states that BaFin’s previous guidance notice, “Guidance on outsourcing to cloud providers,” should be taken into consideration.

3. Association of German Private Banks Response to EU Anti-Money Laundering 4.0 Document

On 9 March 2020, the Association of German Private Banks responded to the EU Commission’s 2020 Roadmap, which addressed issues related to increased legal harmonization, establishing a clear basis for transaction monitoring and restarting suspicious transaction reporting, authority structure and cooperation.

The document, titled Anti-Money Laundering 4.0, outlines proposals that private banks in Germany are promulgating in relation to EU anti-money laundering initiatives within the context of a changing legal framework.

Key Highlights for Financial Institutions

• Weaknesses of the Current Prevention Policy: The Association expresses that the current prevention policy has a number of deficiencies caused largely by “inadequate harmonization of the legal framework and to the scope of supervisory responsibilities and powers at EU level.” The main flaws as the Association sees it are an overemphasis on formal requirements, such as data collection on the customer (KYC).

Additionally, the Association believes the definition of “a person acting on a customer’s behalf” is interpreted too broadly or doesn’t necessarily fit within the context of trading and correspondent banking. It states that “there are practical difficulties in the EU with setting uniform requirements for establishing identities” regarding what data to collect dependent upon the role involved as well as what sources are used for data verification. And under the EU Anti-Money Laundering directive, there are no formal requirements. In summary, “by increasingly focusing on sanctioning obliged entities because of formal errors, we are progressively losing sight of the effective pursuit of serious criminals.”

• Proposals for Optimizing the Fight Against Money Laundering: The Association makes several proposals for enhancing anti-money laundering initiatives in Germany and the EU. These include:

• Fully Harmonizing the Legal Requirements for Identifying Customers: The Association states that a uniform legal framework is required to implement the technical and organizational requirements necessary for KYC processes. It states that this should be established “in the form of an EU regulation specifying precisely and exhaustively what data needs to be collected and what data sources should be used for this purpose.” It also states that it should be assessed whether a risk-based approach is appropriate for identity verification purposes. It states that it considers “a rules-based approach to collecting and verifying data to be clearly preferable.”

• Improving the Collection and Provision of Data on Beneficial Owners in Transparency Registers: A second proposal focuses on improving data collection on beneficial owners in transparency registers, which the Association argues should be enhanced. It states that requiring obliged entities, such as financial institutions, to collect beneficial owner data is outdated and that existing requirements should be adjusted and set out in an EU regulation.

• Strengthening the Legal Framework Governing Transaction Monitoring: The Association underscores the importance of transaction monitoring and asserts that “it is important to intensify cooperation with other obliged entities in the financial sector and with competent authorities,” and that a clear legal basis is required at the EU level.

• Restructuring the Treatment of Suspicious Cases: In this proposal, the Association addresses the approaches for responding to suspicious transactions or account openings by pointing to the UK’s Joint Money Laundering Intelligence Taskforce (JMLIT) and its method. It uses a joint examination approach that requires a dialogue between operational law enforcement and financial institutions.

4. Introduction of the Increase in Payment Limit for Girocard System and Credit Cards

On 15 April 2020, the German Banking Industry Committee announced the introduction of an increased limit for Girocard system contactless payments, or payments made without entering a PIN, effective immediately. The limit was increased to 50 euros per purchase and was initially started as part of a pilot program for customers in Hamburg, Kassel, Frankfurt and Munich. The increase was expected to take months to be implemented at dealers in other regions.

It should be noted that the new policy still requires cardholders to re-enter the PIN after five transactions or after a total of a maximum of 150 euros.

5. Money Laundering Information for Crypto Custody Businesses

On 14 May 2020, BaFin issued a notice providing money laundering information for institutions that provide crypto custody business as newly obliged entities under the national Money Laundering Act. BaFin issued this notice to provide further clarification to the implementation of the fourth EU money laundering directive, which was implemented 1 January 2020.

The information is intended to provide guidance to the new crypto custody businesses about their obligations under the Anti-Money Laundering Act. BaFin establishes three pillars of money laundering prevention: risk management, customer due diligence, and suspicious transaction reporting.

Key Highlights for Financial Institutions

• Risk Management: The notice states that obligated parties must have an effective risk management system that includes a risk analysis and internal security measures. Crypto custody businesses, specifically, must take into account the risk factors listed in Annexes 1 and 2 of the Money Laundering Act. All risk analysis must be documented and monitored for updating purposes.

• Customer Due Diligence: The notice outlines the general requirements for customer due diligence. They include:

• The identification of the contractual partner and, if applicable, the person representing them;

• The clarification and identification of the beneficial owner;

• The collection and evaluation of information about the purpose and nature of the business relationship;

• The determination of whether the contractual partner or beneficial owner is a politically exposed person;

• The continuous monitoring of the business relationship and the updating of the recorded documents, data and information.

Regarding the outsourcing of CDD, the notice states that third-party transfers require a contractual agreement. The third-party company or person may have headquarters outside of Germany (with the exception of high-risk countries), but must fulfill all obligations stipulated by nationally applicable provisions.

6. Draft Law to Implement EU Directive 2019/713 and Replace Framework Decision 2001/413/JI of the Council

On 2 September 2020, the Ministry of Justice and Consumer Protection introduced a draft law amending the national Criminal Code in order to implement EU Directive 2019/713 of the European Parliament and the European Council of 17 April 2019, on combating fraud and counterfeiting in connection with non-cash means of payment. The draft law also replaces EU Framework Decision 2001/413/JI. The EU directive contains minimum requirements for the definition of criminal offenses and penalties to combat fraud and counterfeiting in connection with cashless payment. It entered into force on 30 May 2019.

The German Ministry of Justice and Consumer Protection is expected to implement provisions of the directive into the national law by 31 May 2021. The provisions will expand criminal offenses of counterfeiting payment cards, checks and bills of exchange. It will also create a criminal offense for theft or embezzlement of payment cards.

Key Highlights for Financial Institutions

• Forgery as a Criminal Offense: The new draft law aims to penalize fraudulent forgery and falsification of physical cashless payment instruments.

7. Interpretation and Application of the Money Laundering Act

On 10 September 2020, BaFin published the Interpretation and Application Guidance from May 2020 related to the German Money Laundering Act. The guidance applies to payment institutions and electronic money institutions, including payment initiation services and account information services as well as agents and e-money agents. The guidance includes information relevant to responsibility, customer due diligence obligations, general principles, internal safeguards, identity verification, the appointment of an anti-money laundering officer and a deputy, risk assessment and risk management, including internal safeguards. BaFin expects payment institutions and electronic money institutions to review and observe the guidance as part of their own assessment process and decision making. There are no legally binding regulations in the guidance.

Key Highlights for Financial Institutions

• Verification of Identity: Section 5 of the draft law provides guidance on identity verification and KYC procedures. It gives guidance for on-site verification using qualified documents as well as remote identity verification and qualified electronic signature use. Regarding remote identity verification, the draft law states that “an identity check can also be carried out using electronic proof of identity in accordance with Section 18 of the Identity Card Act or in accordance with Section 78 of the Residence Act.”

In accordance with the aforementioned methods of electronic identity verification, obliged entities may use qualified electronic signatures, including those from contract partners. Validation of qualified signatures used to check identity must also be recorded. Additionally, when facilitating the identification requirement, there are two possible deviations to keep in mind: expired identification documents, which can be risk-based in the case of older people or in mobility-restricted customers, and a change of surname, in which case a civil status certificate may be sufficient.

8. 6th AMLD Implementation Bill Introduction to Parliament

On 14 October 2020, the 6th AMLD Implementation Bill was introduced to the German Federal Council. The bill, called the Draft Act for the Effective Prosecution of Money Laundering, will transpose the EU’s 6th Anti-Money Laundering Directive into the national legal framework and in some ways will surpass the requirements set by Brussels.

The 6th AMLD, for those unfamiliar, aims to enhance anti-money laundering and counter financing of terrorism by improving the cooperation among the 27 EU member states.

The most significant change the new law will bring about is the prosecution of money laundering derived from any criminal activity as opposed to activity directly related to fraud or terrorism. This means the proceeds of any and all crimes will classify as possible money laundering or financing of terrorism.

Banks could see some negative repercussions from the implementation of these new 6th AMLD requirements, primarily that banks could be penalized for minor instances of theft or fraud. Additionally, the new law would require financial institutions that alert relevant authorities to suspected money laundering to keep the information strictly between themselves and law enforcement. Financial institutions often share this information with one another as a way to “track” individuals suspected of carrying out fraudulent transactions, and closing those communication channels could dampen existing internal safeguards.

As of the publication of this report, an expected date of final adoption has not been announced.

9. BaFin Application Note 18/11/2020

On 5 November 2020, BaFin released a guidance document on regulatory issues on the comparability of fees related to payment accounts, payment account switching, and access to payment accounts with basic features, as defined in the provisions of Section 47 of the Payment Accounts Act.

10. New Draft of the ePrivacy Regulation

On 5 November 2020, the German Presidency of the Council of the European Union created a new draft of the proposed ePrivacy Regulation. The latest draft would allow for the processing of online communications metadata during “natural or man-made disasters” and for “monitoring epidemics.” Previously, the provision for processing general metadata was not included.

Statement on ePrivacy Regulation: On 9 November 2020, the national Consumer Federation (VZBV) issued a statement promoting the advancement of the ePrivacy Regulation negotiations between the federal government and the European Commission. The draft law is finally moving forward in the legislative process.

• Draft Law on Introduction of Electronic Securities (Blockchain): On 8 November 2020, the Ministry of Finance introduced a draft law on the introduction of electronic securities into the German securities market, with the goal of modernizing national securities law and the associated supervisory law. The new law on electronic securities will be known as eWpG. It will provide a suitable electronic replacement of the existing paper document used for securities business, such as transferring facts under property law.

The new regulation also expands the supervisory powers of the Federal Financial Supervisory Authority, which will monitor the issuance and the maintenance of decentralized registers as new financial services in accordance with the new law.

EUROPE - ONESPAN GLOBAL FINANCIAL REGULATIONS REPORT FOLLOW US    61 ITALY

Country Overview

Italy, a unique peninsular country juxtaposed by the snowy Alps to the north and Mediterranean islands to the south, is primed for a booming e-commerce market where consumers will hold the keys to success for financial institutions and banks in a country where mobile payment has become the norm. According to JP Morgan, mobile e-commerce reigns supreme in Italy and mobile payments are the primary method of spending for most consumers. Mature markets such as Germany, the United Kingdom and France have begun to slow in their mobile e-commerce growth, but Italy is just getting started and is expected to grow 14 percent by the end of 2021. Italians have also begun to embrace the use of digital wallets, with one in three online purchases being paid with digital wallet technology.

National regulatory authorities and government bodies have begun to recognize the increased demand for mobile and online banking services in recent years, with the development of a more fintech-friendly environment that fosters digital innovation and clarifies the adoption of various EU regulations and standards, such as PSD2. Consob, Italy’s securities regulator, is particularly progressive in its approach to adopting fintech technology, launching several consultations in the past few years.

In the wake of the COVID-19 pandemic, however, banks, financial institutions and payment services providers in Italy have had to contend with new AML requirements while maintaining effective remote onboarding services for customers. Italy’s consumers, who are still recovering from a particularly hard-hit economy after the 2008 financial crisis, are wary of continued use of traditional banking services. This will continue to be a challenge in 2021 and beyond, and it will be up to the country’s economic authorities to continue to press for a more open and robust fintech market to solve some of these issues.

CENTRAL BANK

The Bank of Italy is the country’s central bank. The bank’s main function is to ensure the stability and efficiency of Italy’s financial system. The bank pursues its goals through secondary legislation, controls and cooperation with governmental authorities.

Commissione Nazionale per le Società e la Borsa (CONSOB) is the government authority responsible for regulating the Italian securities market, including the stock exchange, Borsa Italiana.

DATA PROTECTION AUTHORITY

The Garante per la Protezione Dei Dati Personali, or the Garante, is the national data protection authority in Italy. The Garante is composed of an elected Council and an Office of 162 members.

The Digital Italy Agency (AgID) is a governmental agency that manages the implementation of the Italian Digital Agenda’s objectives in line with the EU Digital Agenda. The agency defines regulations, standards and guidelines to effectively provide online services to citizens.

Other Financial Authorities

The Italian Competition Authority (AGCM) is an independent non-governmental organization in charge of enforcing consumer protection laws and anti-trust regulations.

The national Financial Intelligence Unit (FIU) is an independent organization established under Legislative Decree 231 of 2007 that analyzes financial information with the goal of preventing money laundering and combatting terrorist financing. The Bank of Italy issues the regulations and rules governing the FIU.

Laws and Regulations

1. Legislative Decree No. 36 of 2020 to Amend PSD2 Implementation Law

On 25 May 2020, the national government published a legislative decree amending the PSD2 implementation law that was previously implemented. The law amends the PSD2 transposition to provide more leeway to payment service providers, including providing a right of recourse in the case of unauthorized payment transactions. The amendments became effective 10 May 2020.

2. Bank of Italy Communication on Contactless Cards Characterized by Technological Asymmetry

On 28 July 2020, the Bank of Italy issued a press release on contactless cards characterized by technological asymmetry. The communication highlights that some debit cards in the market do not have the contactless functionality for the domestic network. In such cases, the card automatically uses the international network. The Bank of Italy asked banks, payment institutions and electronic money institutions to directly contact both affiliated merchants and the holders of this type of card to illustrate the characteristics and the methods of operation of these instruments, including the charges applied.

In addition, intermediaries were asked to adopt a broader strategy to replace cards without domestic network access with others which allow customers to exercise the right to choose their payment network by 31 December 2021. A similar request was made to the manager of the domestic network for debit cards.

3. Approval of Additional Requirements for the Accreditation of Certification Bodies

On 29 July 2020 the Italian Data Protection Authority approved regulations to implement additional requirements for the accreditation of certification bodies. Article 43 of the General Data Protection Regulation (GDPR) provides that the issue of certifications on data protection is carried out by bodies accredited to perform these functions. In Italy, the legislator has entrusted the task of accreditation to Accredia. Accreditation must take place on the basis of the following:

• Requirements contained in the international technical standard EN-ISO/IEC 17065:2012.

• Additional requirements established by the national privacy authorities, on the basis of a common model defined by the European Data Protection Board (EDPB).

4. Law No. 120 on Implementation of Urgent Measures for Simplification and Digital Innovation

On 11 September 2020, the national government passed a law officially recognizing urgent measures for “simplification and digital innovation” previously outlined in Decree-Law No. 76, which became effective 16 July 2020. Law No. 120 added several amendments in Annexes 1 and 2 to the original text and officially recognizes the measures as national law.

Decree-Law No. 76 was presented partly in response to the effects of the COVID-19 pandemic and covers various aspects of public and private sector services. Financial institutions, including banks, are directly addressed in Article 27 on the measures for the simplification and dissemination of the advanced electronic signature and digital identity for access to banking services.

Key Highlights for Financial Institutions

• Identity Verification: Article 27 of the measures outlines three methods for digital identity verification:

  1. Electronic identification and authentication processes based on credentials that meet requirements from Article 4 of EU Commission Regulation 2018/389 of 27 November 2017, by the subject who delivers the advanced electronic signature to the same identified user pursuant to Article 19 of the Legislative Decree No. 231 of 21 November 2007;

  2. Electronic identification and two-factor authentication processes based on credentials already issued to the user within the Public Management System of the Digital Identity of citizens and businesses referred to in Article 64 of the Legislative Decree No. 82 of 7 March 2005;

  3. Electronic identification and authentication processes based on credentials of at least “significant” level, under a notified electronic identification scheme, subject to notification concluded with positive outcome, pursuant to Article 9 of EU Regulation No. 910 of 2014.

  Notably, the mandatory retention period for authentication data for “subjects that provide advanced electronic signature solutions” is 20 years.

• Amendment to Legislative Decree No. 231: Article 27 also amends Legislative Decree No. 231 of 2007 to add additional acceptable methods for identity verification of customers. The amendment says to include the “addition of identification of the customer and verification of their identity on the basis of documents, data or information obtained from a reliable and independent source among the methods which satisfy customer due diligence obligations. The same measures are implemented for the executor, also in relation to the verification of the existence and extent of the power of representation by virtue of which they operate in the name and on behalf of the client.”

• Remote Identity Verification: In cases of remote identity verification, financial institutions’ obligation to identify customers is considered fulfilled when the following methods have been pursued:

  • For customers in possession of a digital identity, with a level of guarantee at least significant, within the system referred to in Article 64 of Legislative Decree No. 82 of 2005, and the related regulatory implementation, as well as a:

    • Digital identity with a level of guarantee of at least significant, issued under an electronic identification regime included in the list published by the European Commission pursuant to Article 9 of EU Regulation No. 910 of 2014

    • Certificate for the creation of a qualified electronic signature and verification of identity

    • Digital identity identified by means of electronic identification procedures that are safe and regulated or authorized or recognized by the Agency for Digital Italy.

  • For customers who, prior to electronic identification based on credentials that ensure the requirements set out in Article 4 of the EU Commission Regulation 2018/389 of 27 November 2017, arrange a transfer to a payment account in the name of the person subject to obligation of identification. This method of identification can only be used with reference to reports relating to card payments and similar devices, as well as payment instruments based on digital or IT telecommunication devices, with the exception of cases in which such cards, devices or instruments can be used to generate the information necessary to make a direct transfer or direct debit to and from a payment account.

Legislation and Policy

1. Guidance for Preventing AML of Financial Crimes Related to the COVID-19 Emergency

On 15 April 2020, the Italian Financial Intelligence Unit published a document providing general guidance to payment operators on preventing money laundering in connection with financial crimes related to the COVID-19 pandemic. The document, among other details, highlights the importance of monitoring remote activities, particularly online, and highlights the important role electronic payment methods play.

2. Consultation on National Strategy for Blockchain and Distributed Registers

On 17 June 2020, the Italian Ministry of Economic Development launched a consultation on “Proposals for the Italian strategy on technologies based on shared registers and blockchain”. The proposals, which contain the guidelines to allow the development of the technology based on shared registers and blockchain, define the context of the national strategy and aim to offer a valid contribution to the European debate. These proposals aim to achieve the following objectives:

• Provide a regionally competitive regulatory framework;

• Increase public and private investments in blockchain and distributed ledger technology (DLT) and related technologies, such as the Internet of Things and 5G;

• Propose use of new technology to correctly direct investments to the national economy;

• Improve efficiency and effectiveness of public administration through the adoption of decentralization;

• Promote European and international cooperation through the adoption of the common European infrastructure by EBSI (European Blockchain Systems Infrastructure);

• Use technology to facilitate the transition to circular economy models, in line with the 2030 agenda for sustainable development;

• Promote information on and awareness of blockchain and DLT among citizens.

The document, among other things, makes considerations on the impact of the application of the blockchain to the fintech and payment sector and recommendations relating to the provision of a central bank digital currency as well as proposals related to digital identity. The deadline for feedback was 19 July 2020.

3. Proposals for a National Strategy on Artificial Intelligence

On 2 July 2020, the Ministry of Economic Development published a document outlining proposals for a national adoption strategy for artificial intelligence technology. The 82 proposals focus on three topics of interest: an analysis of AI use in the global, European, and national (Italian) markets, the fundamental elements to compose the strategy, and proposed governance for national AI use and recommendations for the implementation, monitoring and communication of the national strategy. The document will be the basis of the national strategy for AI moving into 2021 and beyond.

4. Technical Documentation for Sending Aggregate AML Reports Via Infostat-UIF Portal

On 15 December 2020, the Italian Financial Information Unit published the technical support documentation for sending aggregate anti-money laundering reports through the Infostat-UIF portal, as it relates to the Provision for Sending Aggregate Anti-Money Laundering Reports issued by the UIF on 25 August 2020. Among other things, the UIF states that the new provisions apply to reports referring to transactions relating to the month of January 2021, which must be sent by 2 April 2021. The reports referring to the months up to December 2020, as well as any replacement submissions relating to these periods, will be sent via previous procedures and schemes.

Starting from the reports referring to the transactions relating to the month of January 2021, investment companies with fixed capital (SICAF) and banks, payment institutions and electronic money institutions with registered offices and their central administration in another EU country required to designate a central contact point in Italy are required to submit these documents.

5. Notification to UK Intermediaries in Relation to Brexit

On 15 December 2020, the Bank of Italy issued a communication for intermediaries in the UK, which states that with the completion of the UK’s exit from the European Union, at the end of the transition period on 31 December 2020, UK intermediaries must cease operations in Italy unless they have obtained a new authorization. The Bank has invited intermediaries to conclude, if not already finalized, the plans for an orderly management of Brexit and expects that operators have already provided information to their customers about the impact of Brexit and managed the transition.

The Bank also advised that the tools and channels of assistance and communication, including those via the Internet, be kept active after the end of the transition period.

• Important Information for Clients of UK-Based Financial Intermediaries Operating in Italy: On 9 November 2020, the Bank of Italy invited the clients of financial intermediaries that are based in the UK but operating in Italy to check that they have received adequate and complete information regarding Brexit. The notice underscores the importance of contacting the intermediary as soon as possible to obtain information on the possibility of continuance of existing relationships.

6. Italy’s National Cashless Plan

On 2 December 2020, the Italian government announced the start of a national cashless plan developed by the government to encourage the use of credit cards, debit cards and payment apps, as well as to modernize the country and encourage the development of a streamlined digital system. From 8 December 2020 to 31 December 2020, ten purchases with credit cards, debit cards and Satispay received a 10 percent refund, up to a maximum of 150 pounds ($203 USD), to be accredited in the first months of 2021.

It also highlights that starting from 1 January 2021, cashback will make it possible to receive a 10 percent refund on the amount of purchases made with cards or payment apps in shops, bars, restaurants, supermarkets, large retailers, artisans and professionals and specifies the requirements to obtain the refund.

KOSOVO

Country Overview

Although Kosovo’s economic growth has outperformed its geographic neighbors in the past decade and has been largely inclusive, it has not been sufficient to provide enough jobs, particularly for women and youth, or to significantly reduce the high rates of unemployment. Financial growth in the country relies heavily on remittances to fuel domestic consumption but has recently shifted to more investment- and export-driven growth.

To continue to grow and fully reap the benefits of joining the EU, Kosovo needs to increase productivity and create more quality jobs. This will require addressing infrastructure bottlenecks and creating an environment more conducive to private sector development. Financial institutions and banks could benefit from active yet indirect roles in government policymaking and legislating.

CENTRAL BANK

The Central Bank of Kosovo is the primary prudential authority in the country. The Bank’s primary objective is to maintain financial stability in the country and develop monetary policy.

DATA PROTECTION AUTHORITY

The Information and Privacy Agency (IPA), formerly known as the National Agency for the Protection of Personal Data, is the primary data protection authority in the country, as mandated by the national Data Protection Law (Law No. 06/L-082). The agency is responsible for monitoring the legitimacy of data processing and access to public documents.

Recently Enacted Regulations, Standards and Laws

As of the publication of this report, no regulations, standards, or laws have been enacted in Kosovo within the past year, whether it be new legislation or amendments to existing legislation.

Upcoming Regulations, Standards and Laws

As of the publication of this report, no announcements have been made regarding upcoming regulations, standards, or laws in Kosovo.

ICELAND

Country Overview

The financial markets in Iceland have been in rapid transition during the last decade. Banking supervision, which is in the hands of the central bank, has been strengthened during this long transitional period, except for a brief period during the 2008 crisis. Iceland has in recent years achieved high growth, low unemployment, and a remarkably even distribution of income. Iceland’s economy has diversified into manufacturing and service industries in the last decade, particularly within the fields of tourism, software production, and biotechnology.

Following the privatization of the banking sector in the early 2000s, domestic banks expanded aggressively in foreign markets, and consumers and businesses borrowed heavily in foreign currencies. Subsequently, the country’s three largest banks collapsed, marking a sharp GDP decrease in 2009. Since the collapse of Iceland’s financial sector, government economic priorities have included stabilizing Iceland’s currency, the krona, implementing capital controls, reducing Iceland’s high budget deficit, containing inflation, addressing high household debt, restructuring the financial sector, and diversifying the economy.

Iceland could now be on the verge of a new era of financial innovation; information technology is one of the fastest growing sectors of the Icelandic economy. Iceland’s IT market exports services and solutions such as data management systems, workflow systems, communications solutions, wireless data systems, and Internet solutions, among others.

Currently, there are no regulations in Iceland governing fintech businesses, and the government has warned against using and trading cryptocurrency altogether. Iceland is part of the Agreement on the European Economic Area, which enables the European Union to extend its single market to member states of the European Free Trade Association.

CENTRAL BANK

The Central Bank of Iceland is the reserve bank and primary prudential policymaker in Iceland. The Bank is an independent institution owned by the government. The Financial Supervisory Authority (FSA) used to be the singular financial services regulator and supervisor in Iceland. However, the FSA and the Central Bank of Iceland merged in early 2020 under the Central Bank moniker.

DATA PROTECTION AUTHORITY

The Icelandic Data Protection Authority (IDPA) is the supervisory authority in Iceland whose duties are to protect personal information. The authority was mandated under Act No. 90/2018, the Law on Data Protection and the Processing of Personal Data.

FATF Makes AML/CTF Recommendations to Iceland in Report

In September 2019, the Financial Action Task Force (FATF) published its Follow-Up Report and Technical Compliance Re-Rating for Iceland after further evaluation of the country’s AML/CTF practices and implementation of FATF recommendations. FATF noted that while Iceland has made strides to become largely or fully compliant with FATF recommendations regarding financial institution secrecy laws, customer due diligence, and the reporting of suspicious transactions, among other areas, the country is still lacking in some key areas. FATF further states that Iceland has not covered all DNFBP sectors (for instance, dealers in precious metals or stones). In addition, while initial work to understand the risk profile of DNFBPs has commenced, risk-based supervision is not carried out across all DNFBPs. FATF further stated that it will continue enhanced follow-up with Iceland to ensure further technical compliance and to strengthen the country’s AML/CTF measures.

Key Highlights for Financial Institutions

1. Ministry of Justice Regulation for National Risk Assessment for Money Laundering (NRA)

On 7 June 2019, the Ministry of Justice published this regulation in the Official Gazette. The passage of the regulation follows a public consultation that ended 8 March 2019. The regulation provides a national risk assessment framework for money laundering and terrorist financing. The assessment is in line with the FATF’s recommendations for Iceland from October 2019 and deals with several risk assessment rules: the obligation to conduct operations risk assessments; information and data useful to risk assessment; risk classification and weighting; and monitoring and control of risk assessment.

2. Ministry of Finance and Economic Affairs Draft Regulation on the Independence of Credit Card Systems and Processing Units

On 1 February 2020, the Ministry of Finance and Economic Affairs published the implementing regulations and instructions for EU Regulation 2015/751, the Regulation on interchange fees for card-based payments. The EU regulation stipulates that payment card systems and processing units shall be independent with regard to accounting, planning and decision-making processes.

MACEDONIA

Country Overview

Economic growth strengthened in North Macedonia in 2019, marked by a 3.6 percent annual GDP growth, and the country continues to see an uptick in transaction accounts and electronic payments. At the end of 2019, 17 deposit taking institutions operated in Macedonia. Fourteen banks are privately owned while the Macedonian Bank for Development Promotion is the only state-owned bank.

Additionally, the government of Macedonia has made plans to further its dedication to financial inclusion through a deal with Mastercard. The partnership will promote open collaboration with governments, banks, mobile network operators, universities and other partners to shape the services. In addition to the digital identity service, Mastercard will also support other e-government initiatives and promote related best practices from other geographies.

According to a recent World Economic Forum white paper, collaboration across the public and private sectors in Macedonia offers the potential to create new models of secure, useful digital identity that build on a commitment to the responsible handling of personal information, giving consumers control over what data is used and how it is used.

CENTRAL BANK

The National Bank of the Republic of North Macedonia (NBRNM) is the central bank in Macedonia. The bank’s primary functions are to create and oversee monetary policy, regulate the country’s payment system, and grant licenses for financial services.

Other Financial Bodies:

The Securities and Exchange Commission of the Republic of North Macedonia (MSEC) is the primary securities market authority in the country. One of the primary objects of the Commission is to facilitate economic growth and development across the private sector.

Macedonia Partners With Mastercard for Digital Identity Service

The government of Macedonia announced in February 2020 plans to partner with Mastercard to build a suite of digital identity services, including digital document signing and verification. These e-KYC applications will support remote account opening for new bank accounts, as well as prepaid and postpaid mobile phone accounts. Digital identity standards for the new services are influenced by the EU’s eIDAS framework, as well as new digital identity guidelines recently enacted by the Macedonian government. At the time of this report, a timeline for development has not been announced officially, but it is expected to be a multi-year initiative.

DATA PROTECTION AUTHORITY

The Personal Data Protection Agency (PDPA), formerly known as the Directorate of Personal Data Protection, is the primary data protection authority in North Macedonia. The PDPA is an independent agency that implements data protection laws. The country’s Data Protection Law mandates that registered data controllers, which includes financial institutions, appoint a data protection officer.

Key Highlights for Financial Institutions

1. Law on Personal Data Protection 2020

On 16 February 2020, the Republic of North Macedonia adopted the Law on Personal Data Protection and it went into force on 24 February 2020. The law regulates personal data protection and establishes a right to privacy during personal data processing. The law harmonizes with the GDPR and introduces the following new standards for personal data processing based on GDPR principles: lawfulness, fairness and transparency; limitation of the purposes of personal data processing; minimum volume of data; data accuracy; limitation of retention period; integrity and confidentiality; and accountability. The passage of the law also marked a name change for the Directorate of Personal Data Protection to the Personal Data Protection Agency.

According to the law, data controllers in violation of the law’s standards could face penalties of between 2 and 4 percent of total annual income. Additionally, there are specific provisions for data subjects in cases of rights violations related to data protection.

2. Law for Electronic Documents, Electronic Identification and Confidential Services

In April 2019, the Law for Electronic Documents, Electronic Identification and Confidential Services replaced the existing Law on Data in Electronic Form and Electronic Signature. Enforcement for the new law began 1 September 2020. The new law is harmonized with EU Regulation No. 910/2014 on electronic identification and trust services for electronic transactions in the EU single market (eIDAS). The new law provides clarification on electronic signatures by differentiating between the types of electronic signatures: simple electronic signature, advanced electronic signature and qualified electronic signature.

There are new regulations for trust services and electronic identification schemes to be separately registered, and the introduction of electronic registered delivery services.

MOLDOVA

Country Overview

Moldova’s NCPDP Suspends Activity in Wake of COVID-19 Pandemic

The National Center for Personal Data Protection (NCPDP) announced 6 August 2020 the agency would be suspending all activity because several employees in its Prevention, Surveillance and Records unit tested positive for COVID-19. In light of this, the agency extended its deadline for data controllers to examine submitted notifications by 45 days. The notifications were submitted during the “one-stop shop” period beginning at the end of June through August 2020. The announcement notes that communication with the public will be done primarily through electronic means.

Moldova and Latvia Sign Agreement on Personal Data Protection

On 18 December 2019, the NCPDP and Latvia’s State Data Inspectorate finalized an agreement for collaboration and cooperation in the field of personal data processing. According to a press release from the NCPDP, the agreement allows for greater cooperation between the two agencies “that will create favorable conditions for ensuring effective protection of personal data of citizens of Latvia and Moldova.” This recent addition joins 14 other national collaboration agreements the NCPDP has signed.

CENTRAL BANK

The National Bank of Moldova (NBM) is the central bank for the Republic of Moldova. The bank operates under the supervision of the Parliament of the Republic of Moldova, and its primary goal is to maintain price stability in the country.

Other Financial Bodies:

The National Commission on Financial Markets (NCFM) is the supervisory authority for non-banking financial entities and the securities market. The authority passes regulations with supervision from the national Parliament.

Key Highlights for Financial Institutions

1. NCPDP Draft Decision on Establishing Cases of Personal Data Processing in Which Notification Is Not Required

On 29 July 2020, the NCPDP launched a public consultation on a draft decision related to cases of personal data processing in which notification of processing to the data subject is not required. The consultation deadline was 10 August 2020.

2. NCPDP Opinion on Processing of Personal Data in the Context of the COVID-19 Pandemic in the Republic of Moldova

In February 2020, the NCPDP issued an opinion regarding personal data processing in light of the COVID-19 pandemic. The opinion emphasizes the risks and challenges to personal data protection and individual rights to privacy, especially in regards to health information. It makes several assertions about personal data protection principles as a way to “fight” the COVID-19 pandemic and directs subject entities to the Statement of the European Data Protection Board (EDPB) on the processing of personal data in the context of the pandemic. The NCPDP states that “data operators [should] take the necessary measures to ensure that the rights of data subjects are respected.”

3. NBM Regulation regarding On-Site Inspections for Non-Bank Payment Service Providers and the Criteria for Applying Remedies and Sanctions

On 11 December 2019, the National Bank of Moldova Executive Board approved a new regulation outlining procedures and expectations for on-site inspections for non-bank PSPs. The regulation stipulates that on-site inspections verify compliance with national Law No. 114/2012, the Law on Payment Services and Electronic Money, and its associated regulations. The regulation details the types and frequency of on-site inspections, the rights of NBM inspectors and non-bank providers, and the criteria for establishing sanctions and taking other action against non-compliant PSPs.

DATA PROTECTION AUTHORITY

The National Centre for Personal Data Protection (NCPDP) is the national data protection authority in Moldova. The agency’s establishment was mandated under the adoption of the 2007 national personal data protection law, which was repealed in 2011 and replaced with an updated PDP law. The agency’s main objective is to protect citizens’ rights to privacy in relation to personal data processing and cross-border transfer of personal data.

4. NBM Regulation on the Activity of Non-Bank Payments Service Providers

On 16 August 2019, the National Bank of Moldova Executive Board approved a new regulation that repeals the Regulation on the Activity of Electronic Money Issuers and Non-Bank Payment Service Providers, Law No. 123/2013. The regulation went into force on 30 September 2019, and non-bank PSPs subject to the new regulation had six months to become fully compliant.

The regulation outlines various requirements for licensing, organization and governance, account reporting, and internal risk management related to information and communications technology (ICT).

MONTENEGRO

Country Overview Montenegro is a small, open economy aspiring to join the EU by 2025. It is also an economy vulnerable to external shocks, as it relies heavily on capital inflows from abroad to stimulate its growth. The regulatory framework of the financial market in Montenegro is segmented and divided among three regulators:

1. The Central Bank of Montenegro supervises banks, MFIs, and institutions dealing with leasing, factoring, purchase of receivables, and credit-guarantee operations.

2. The Insurance Supervision Agency carries out the supervision of insurance companies, while the Capital Market Authority supervises investment and pension funds. Additionally, the CMA supervises the capital market itself, i.e., the work of the stock exchange and authorized dealers on the market.

3. Finally, the oversight of payment systems is organized within the Central Bank through a separate organizational unit.

Key Highlights for Financial Institutions

1. CBM Law on the Prevention of Money Laundering and Terrorist Financing
On 27 December 2019, the national Parliament adopted a new law on anti-money laundering and counter-terrorist financing measures. The new law calls for stronger measures at financial institutions when implementing AML/CFT measures, such as identity verification and transaction monitoring. The new law entered into force immediately.

2. CBM Law on Credit Institutions
On 2 December 2019, the Parliament of Montenegro adopted a new law that supervises and governs credit institution management and operations. The comprehensive law contains an article related to data verification during decision procedures related to qualifying holding applications.

3. CBM Deposit Insurance Law
On 2 December 2019, national Parliament adopted a new law regulating deposit insurance in credit institutions. Under the article for “Right to Guaranteed Deposit Payout in Exceptional Cases,” the law requires that credit institutions verify and confirm the identity of third parties requesting a guaranteed deposit payout.

CENTRAL BANK
The Central Bank of Montenegro (CBCG) is the independent national bank in Montenegro with supervisory and regulatory authority over financial institutions. Montenegro does not issue its own currency because it adopted the euro as its primary national currency in 2002. The CBM’s main duties support establishing the national banking system and developing monetary policy. The bank also passes regulations that apply to banks, micro-finance institutions, and non-bank financial service providers that conduct business related to leasing, factoring, and credit-guarantee operations.

Other Financial Bodies:
The Insurance Supervision Agency (ANO) supervises insurance companies in Montenegro.

DATA PROTECTION AUTHORITY
The Agency for Personal Data Protection is the primary authority on personal data protection in Montenegro as established by the Personal Data Protection Law initially adopted in 2008.

NORWAY

Country Overview
The Norwegian banking sector is characterized by a few very large commercial banks, some regional banks and several small savings banks. At the end of 2018, the Norwegian banking sector consisted of 125 banks. In addition, there were 14 subsidiaries of foreign banks operating in Norway. The market share of the branches of foreign banks was 21 percent and 38 percent in the retail and domestic corporate markets, respectively.

As more and more people are using banking services online, the number of physical branches has decreased significantly over the last several years. Mobile payment solutions have been well received by Norwegian households and are becoming increasingly popular.

Norwegian banks also strongly support the progress in the stability and governance of the European financial sector, as well as the increasing harmonisation of regulation and supervision throughout Europe, to ensure a level-playing field and improve the functioning of the market economy. Norway is not a direct member of the EU but participates in the EU’s internal market under the European Economic Area Agreement (EEA). According to this agreement, Norway is obliged to implement all EU directives and regulations that relate to financial institutions and markets, such as the CRR/CRD, MiFID, Prospectus Directive, Solvency II etc. This ensures Norwegian financial institutions the same rights and obligations as institutions established within the EU.

Recently Enacted Regulations, Standards and Laws
As of the publication of this report, no regulations, standards, or laws have been enacted in Norway within the past year, whether it be new legislation or amendments to existing legislation.

Upcoming Regulations, Standards and Laws
As of the publication of this report, no announcements have been made regarding upcoming regulations, standards, or laws in Norway.

CENTRAL BANK
Norges Bank is the central bank of Norway. The bank’s primary objective is to promote and maintain economic stability in the country. The bank also manages The Government Pension Fund of Norway, one of the largest sovereign wealth funds in the world.

Other Financial Bodies:
The Financial Supervisory Authority of Norway (Finanstilsynet) is a government agency operating under the Ministry of Finance that supervises financial companies within Norway.

DATA PROTECTION AUTHORITY
The Norwegian Data Protection Authority is the national agency responsible for implementing and managing the Personal Data Act 2000 and the primary data protection authority for the country. The agency independently operates under the Ministry of Government Administration and Reform.

RUSSIA

Country Overview
In light of the COVID-19 pandemic, many economies across the globe are expected to dive into recessions. Russia is one of them. Prices for crude oil, Russia’s largest export, have plummeted since the start of the year, while oil demand is expected to decline by an unprecedented 8 percent in 2020.

In March 2020, the Central Bank of the Russian Federation (CBR) announced a comprehensive package of measures designed to support businesses, consumers, and the financial sector in the face of the coronavirus outbreak. The measures included special refinancing rates, favorable conditions for specific types of loans, and a decision to postpone the introduction of tighter rules for banks. For consumers affected by the pandemic, the CBR allowed banks and microfinance organizations to restructure their loans, forgo penalties, and avoid foreclosures on collateral.

According to the World Bank, economic growth in the country is expected to continue to decline through the end of 2020 and will rebound somewhat in 2021.

Key Highlights for Financial Institutions

1. Federal Law on Digital Financial Assets
A law on “digital financial assets” was signed by President Vladimir Putin on 31 July 2020, introducing a legal definition for “digital currencies”, which covers cryptocurrencies, and sets out procedures for issuing, circulating and recording their transfers. The law also addresses the recording and circulation of digital financial assets and relations in connection with the circulation of digital currency. The law will officially take effect on 1 January 2021. It was substantially revised after its first reading by the Russian State Duma.

These changes to digital assets follow amendments to the law “on the national payment system.” Russians must now provide “identification” or “simplified identification”, which includes a person’s whole name, to deposit funds with an electronic money operator and can only do so using a bank account, according to the law.

2. Amendments to the Law on The National Payment System
On 20 July 2020, the Russian State Duma passed amendments to the existing law on the national payment system that ban anonymous online deposits to online wallets. The goal of the new law is to strengthen anti-money laundering rules. As a part of the new law, all cash deposits on these platforms will be ceased, which will leave users with only one option, to make top-ups with bank transfers. This means that they will have to identify themselves by linking bank accounts. This is also helpful to the process of limiting illicit financial activity by allowing authorities to have a look at the sources of the funds. This law also covers transport and travel cards and people now need to make online transactions for sending money to metro cards.

CENTRAL BANK
The Central Bank of the Russian Federation is also known as the Bank of Russia. The bank operates independently and is tasked with maintaining the stability of the national currency. The central bank’s authorities were significantly expanded in 2013. The bank’s regulatory and supervisory functions now include investment and pension funds, insurance, clearing, microfinance institutions and the securities market.

DATA PROTECTION AUTHORITY
As of the publication of this report, Russia does not have a dedicated data protection authority. The Federal Service for Supervision of Communications, Information Technologies and Mass Media has jurisdiction over all data protection matters.

3. Federal Bill on Artificial Intelligence (Bill No. 896438-7) A new draft bill, popularly backed by Russia’s IT community, was introduced in the Russian State Duma in early 2020 on implementing an experimental legal framework in Moscow for the development of artificial intelligence (AI) projects. The bill is aimed at stimulating the introduction of new technologies in the market and providing workable regulations for anonymized data. The bill went into effect in July 2020 and will remain in force for five years.

4. Federal Law on Experimental Regulatory Regimes in Digital Innovations and on Amendments to other Acts of the Russian Federation
In July 2019, the Ministry of Economic Development of the Russian Federation introduced a draft Federal Law “on experimental regulatory regimes in digital innovations and on amendments to other Acts of Russian Federation”. The draft law aims to determine the procedure for initiating, establishing and monitoring implementation, and determining the results of implementing experimental legal regimes in digital innovation. It would allow persons engaged in the development and implementation of digital innovations to implement their practical applications and test them.

President Vladimir Putin signed the law in July 2020.

5. Amendments to the Federal Law on Counteracting the Legalization of Criminally Obtained Incomes and Financing of Terrorism
On 1 March 2020, amendments to the national law on counteracting money laundering and terrorist financing were enacted officially. The Law provides, among other things, that the lottery operator is entitled to require another organization, such as another lottery operator or credit organization, to carry out the identification or simplified identification of a customer participating in the lottery.

TURKEY

Country Overview
The timing of the regulation is closely tied with the release of the Financial Action Task Force’s Digital Identity Guidance. The regulation permits banks to use remote identification methods to digitally onboard new customers (i.e., “non face-to-face” account opening) to determine the identity of the client.

It is highly likely that the Financial Crimes Investigation Board (Mali Suçları Araştırma Kurulu) (MASAK) of the Ministry of Treasury and Finance will update its regulations as they pertain to Know Your Customer (KYC), anti-money laundering (AML), and counter-terrorist financing (CFT).

The roll-out of PSD2 and enforcement of the Regulation on Information Systems of Banks and Electronic Banking Services will put Turkey’s financial system in the spotlight. While banks will reap rewards in terms of efficiency and cost savings, the Turkish people may be the biggest winners of all.

CENTRAL BANK
The Central Bank of the Republic of Turkey (TCMB) is the primary banking authority in the country.

DATA PROTECTION AUTHORITY
The Personal Data Protection Authority and the Personal Data Protection Authority’s decision-making body, the Kişisel Verileri Koruma Kurulu (Personal Data Protection Board), passes data protection regulations in Turkey.

Recently Passed Standards, Laws and Regulations

1. Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (Law No. 7192)
In November 2019, the amendments to Turkey’s Law on Payment and Securities Settlement Systems, Payments Services and Electronic Money Institutions were enacted and published in the Official Gazette (Issue: 30956). The original 2013 law provided the legal framework for payment companies, payment and securities settlement systems, and electronic money companies. The revised law came into effect on 1 January 2020. It significantly enhances the existing law for open banking within the Republic of Turkey. In addition, the law surprisingly empowers the Central Bank of the Republic of Turkey rather than the Banking Regulation and Supervision Agency to serve as regulator of payment services and open banking service providers. Under the law, open banking and payment service providers (PSPs) must apply to the Central Bank to obtain the authorization by 1 January 2021.

2. Regulation on Information Systems of Banks and Electronic Banking Services
On March 15, 2020, Turkey’s Banking Regulation and Supervision Agency published the Regulation on Information Systems of Banks and Electronic Banking Services in the Official Gazette. The regulation entered into force on 1 July 2020 and significantly impacts banks, auditing firms, technology firms offering outsourced services to banks, and companies offering open banking solutions. The regulation addresses:

• Establishment and management of information systems of banks

• Information security of banks

• Electronic banking services

3. Law on Electronic Financial Agreements (Law No. 7247)
Most recently, on June 26, 2020, Law No. 7247 was published in the Official Gazette. The law amends several existing laws affecting electronic agreements including:

• Banking Law (Law No. 5411)

• Law on Financial Leasing, Factoring and Financing Companies (Law No. 6361)

• Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (Law No. 6493)

• Bank Cards and Credit Cards (Law No. 5464)

• Capital Markets Law (Law No. 6362)

The changes now authorize financial services companies to accept electronic signatures to open bank accounts, apply for loans and leasing, and credit cards. Specifically, the law stipulates that customer agreements may now be entered into via writing or by any telecommunications device, such as a smartphone or PC that enables client authentication, and is considered by the regulator an appropriate substitute for written agreements regardless whether the transaction is performed locally or remotely.

The changes will enable secure commerce to continue and enable Turkey’s citizens to socially distance during the COVID-19 pandemic.

UNITED KINGDOM (U.K.)

Country Overview
The U.K. is one of the leading financial centers in the world and a top innovator of financial services and technology. Significant market developments, such as the Payments Services Directive II and open banking, are opening the market further to increased competition.

Almost 40 billion payments were made in the UK in 2019, with consumers responsible for nine payments out of every ten, the majority of which are made spontaneously. Plastic card usage continues to rise, particularly with the rapid increase in the use of contactless card acceptance at retailer terminals. Virtually all the UK population hold a debit card linked to a personal current or deposit account and two thirds hold a credit card. Contactless card payments are used by two thirds of UK adults and accounted for 19 percent of all payments in 2019 – a proportion that is forecast to double in the next decade as “payment-tapping” and the holding of cards in smartphone wallets becomes more commonplace. By 2024, debit cards are forecast to account for half of all payments in the UK, as the use of cash continues to decline. As a proportion of all payments, cash has more than halved in the past decade, to 28 percent.

The increasing uptake of remote banking services is leading to a natural consolidation of traditional bank branches, although through an industry arrangement with post offices, there are still some 20,000 physical locations where people can carry out banking transactions.

CENTRAL BANK
The Bank of England is the central bank for the United Kingdom. The bank maintains financial stability for the country, oversees monetary policy and issues currency.

Other Financial Bodies:
The Financial Conduct Authority (FCA) regulates the financial services industry in the UK. The agency protects consumers and promotes fair competition in the financial services market.

Her Majesty’s Treasury (HM Treasury) is the national government’s economic and finance ministry. The HM Treasury’s primary objective is to develop public economic policy and promote economic growth.

DATA PROTECTION AUTHORITY
The Information Commissioner’s Office (ICO) is the primary data protection authority in the UK. The office is charged with upholding data privacy rights and promotes transparency in the public sector.

Recently Passed Standards, Laws and Regulations

1. National Digital Identity Initiative Call for Evidence Response
On 1 September 2020, the UK government released plans for next steps on digital identity initiatives after processing feedback from an RFI issued in 2019. Plans include support of private sector identity proofing requirements, and there is currently a “Document Checking Service” in pilot stages. The service would focus on passport-centered data. Plans also call for updating existing identity checking laws to be more comprehensive. The government stated that it will continue to consult on issues related to privacy and technical standards for secure digital IDs by driving forward legislation.

Perhaps most significantly, the government plans on developing six guiding principles to frame digital identity delivery and policy in the UK: privacy, transparency, inclusivity, interoperability, proportionality, and good governance.

2. HM Treasury Payments Landscape Review
On 28 July 2020, HM Treasury published a Call for Evidence on the development of the UK payments landscape. This is the first stage of a government review to ensure that the UK’s payments landscape is fit-for-purpose. The government wishes to identify opportunities, gaps and risks that need to be addressed in the future in order to ensure that the UK maintains its status as a country at the cutting edge of payments technology. The Call for Evidence consultation is set to end on 20 October 2020.

3. ICO Guidance on AI and Data Protection
On 30 July 2020, the ICO published new guidance on AI and data protection. The guidance is intended to provide organizations that are either using or developing artificial intelligence technologies, with practical recommendations on the steps they should take to comply with the data protection law. Consistent with the ICO’s general approach to compliance, the guidance emphasizes the importance of organizations taking a risk-based approach to AI.

4. HM Treasury Cryptoasset Promotions Consultation
In July 2020, Her Majesty’s Treasury launched a public consultation seeking feedback on its proposal to include crypto-assets within the scope of the financial promotions regulation scheme. This consultation has been issued alongside a second consultation on proposed amendments to the regulatory framework for the approval of financial promotions in general. The deadline for responding to the consultation is 26 October 2020.

In the consultation, the government states that there will not be a transitional period before amendments come into force.

5. FCA Research Note on Crypto-asset Consumers
On 30 June 2020, the FCA published a research note on crypto-asset consumers, which forms part of the FCA’s work alongside the Government and the Bank of England to understand market size, consumer profiles and attitudes towards crypto-assets. The three institutions had previously, in October 2018, published a joint report as part of a UK Domestic Taskforce on Crypto-assets. The report identified three major risks of harm associated with crypto-assets: risk to market integrity, financial crime risk and risks to consumers.

6. FCA Data Strategy 2020
The FCA announced in July 2020 detailed plans to create a new strategy by building on the previous one published in 2013. The FCA plans to reach the strategy objectives through multiple initiatives over a 12-month period. The objectives are to gain a deeper understanding of consumer and market behavior, identify and respond to issues across all financial firms and markets, and build a more flexible organization.

7. FCA Guidance on ID Verification During the COVID-19 Pandemic
In April 2020, the FCA informed retail financial services firms operating in the country that, in light of the pandemic, they may accept scanned documentation sent via email or accept “selfies” to verify customer identities.

8. HM Revenue and Customs Digital Services Tax
On 1 April 2020, HM Revenue and Customs introduced a new 2 percent tax on digital services that will affect any business that gains revenue derived from social media services, search engines or an online marketplace.


MIDDLE EAST

For countries in the Middle East, the implementation of legal frameworks that promote digital transformation at financial institutions (FIs) and comply with international payment and anti-fraud standards can seem daunting. Though widespread digital transformation within the region’s financial services sector is ramping up, thanks to cross-border payment initiatives and other government-led financial innovation, FIs may find themselves up against great regulatory uncertainty, as well as political sanctions making it difficult to conduct business in the region. Because of international sanctions from the U.S. and its allies in Europe, including the U.K. and France, FIs have faced stiff penalties and other obstacles to providing financial services to historically under-banked populations.

With that said, several Middle Eastern countries have begun initiatives aimed at digitizing payment systems and using technology to diversify their economies away from oil production, an economic shift that could result in lasting regulatory changes and increased competition within the private sector.

Saudi Arabia, for example, has launched a regulatory “sandbox” that allows international and regional financial institutions to provide innovative new solutions to customers. Ultimately, the hope is to bring a new type of investor to financially isolated regions. Significant structural changes in Middle Eastern economies such as this drive the urgent need for FIs, especially corporate banks and international institutions, to transform operations specific to electronic payments, identity verification, and digital anti-fraud controls.

Moving into 2020 and onward, those operating in the Middle East can expect varying levels of commitment from legislators to international and regional standards and regulations, according to several firms, including global digital consultant McKinsey and Company.1 Additionally, increased competition between small regional banks and international corporate banks will engender an environment ripe for digital transformation. According to McKinsey and Company, “Retail banks in the region have already made bold and aggressive moves in digitization and analytics [and] some have been effective enough to serve as global examples of successful digital transformations. To succeed, we believe Middle East corporate banks need to be as ambitious as their retail counterparts in pursuing holistic transformations.”2

This section of the report covers the following regions and countries in the Middle East: Saudi Arabia, Iran, United Arab Emirates (UAE), Iraq, Qatar, Kuwait, Israel, Oman, Jordan, Lebanon, Yemen, Bahrain, Syria, Palestine, Cyprus, Egypt, and Libya.

A Note on Methodology
Nominal GDP rank does not correlate with regulatory robustness. Therefore, this list is not organized by nominal GDP rank.

Financial systems in the Middle East have a tough road ahead, but the rewards could be great for FIs willing to innovate while adapting to an uncertain regulatory environment, especially once sanctions and other political pressures have been lifted.

Regional Standards, Laws and Regulations

New e-KYC and Digital ID Guidelines Published by Arab Monetary Fund (AMF)
On April 27, 2020, the Arab Monetary Fund announced the publication of new guidelines to provide financial institutions with guidance on digital identity, electronic Know Your Customer standards, and customer due diligence. The guidelines were refined and published after the AMF sent out a survey to regional stakeholders. The survey revealed that digital identity and e-KYC standards implementations are in the early stages throughout the region. The guidelines promote compliance with international standards bodies, such as the Financial Action Task Force (FATF).

MIDDLE EAST - ONESPAN GLOBAL FINANCIAL REGULATIONS REPORT

KINGDOM OF SAUDI ARABIA

Country Overview
Saudi Arabia is an exciting place to be for innovative FIs willing to try new technologies. The Saudi Arabia Monetary Authority has proven itself to be a progressive agency body, willing to let private sector payment providers lead the way on digital transformation. Additionally, the Authority has passed several pertinent measures loosening restrictions on transaction limits and payment amounts. Meanwhile, the Capital Market Authority has imposed new KYC limitations on financial services clients.

SAMA Regulatory Sandbox for FIs and Fintechs
SAMA officially announced plans for a regulatory “sandbox” on November 2, 2019. The sandbox is being designed to understand and assess the impact of new technologies in the financial services market and “to help transform it into an intelligent financial center, allowing local and international companies wishing to test new digital solutions to enter the environment to be launched in [Saudi Arabia] in the future.”3 SAMA clarified that services and products that are being tested currently include e-wallet services; P2P transfers; purchases through QR codes; and direct international transfers through financial technology companies in addition to the aggregators of point-of-sale (POS) devices.

Saudi Arabia Launches ABER Digital Currency Project with UAE
In 2019, Saudi Arabia announced plans for a common digital currency between SAMA and the United Arab Emirates Central Bank, the monetary and financial authority of the United Arab Emirates. According to SAMA, the initial stages of the project “will focus on the technical aspects of its implementation, and only a specific number of banks will use the common digital currency. These banks will be in a position to directly deal with each other in conducting financial remittances.”4 Barring technical difficulties and challenges, SAMA will consider future economic and legal requirements for application. One of the primary goals of the ABER project is to streamline financial settlements between the Kingdom of Saudi Arabia and UAE through blockchains and distributed ledgers.

CENTRAL BANK
Saudi Arabian Monetary Authority (SAMA) is the Central Bank of the Kingdom of Saudi Arabia. In its own words, “SAMA’s mission is to maintain monetary and financial stability in the Kingdom and support a balanced and sustainable economic growth. To accomplish this, SAMA is committed to adopt globally relevant best practices as well as maintain and continually develop highly competent human capital supported by advanced and innovative technologies.”

DATA PROTECTION AUTHORITY
None. Saudi Arabia does not have a dedicated Data Protection Authority. However, Saudi Arabia does have a National Cybersecurity Authority focused primarily on computer security.

Other Financial Regulatory Bodies:
Capital Market Authority (CMA) is Saudi Arabia’s financial regulatory authority governing capital markets in the country. In its own words, “The CMA’s functions are to regulate and develop the Saudi Arabian Capital Market by issuing required rules and regulations for implementing the provisions of Capital Market Law.”

Recently Enacted Regulations, Standards and Laws

1. Capital Market Authority Measures
Several measures implemented by the Capital Market Authority aimed at limiting the negative effects of COVID-19 on market participants and trading activities have become effective as of May 2020. Some measures remove restrictions on money transfers and direct registered institutions to continue trading activities remotely.

Key Highlights for Financial Institutions

• “The CMA temporarily suspended freezing of investment accounts pursuant to the Investment Accounts Instructions, which effectively removes any restrictions on money transfers from investment accounts or utilization of their balances.”

• “The CMA directed all market institutions under its supervision to activate their business continuity plans and utilize all available technologies to ensure continuity of trading activities remotely.”5

2. SAMA COVID-19 Enhanced Regulations
Since the initial outbreak of COVID-19 in December 2019, the Saudi Arabian Monetary Authority (SAMA) has issued several orders to further enhance COVID-19 preparedness and risk management, including the establishment of a COVID-19 committee to address compliance and increased purchase limits on electronic payments.

Key Highlights for Financial Institutions

• “All institutions are now required to establish a formal, internal, COVID-19 committee (the Committee) to ensure that a risk management plan is developed in a timely manner and that is implemented, if and when required. … The plan should address, as a minimum: alternative work arrangements, staff health and welfare measures, alternative processing arrangements, controls and compliance, technology options, communications plans and resource priorities.”6

• SAMA increased the purchase limit on Atheer-enabled cards that support NFC technology to SAR 300 with no PIN required for a single transaction, effective March 18, 2020. The order requires all “banks, payments companies, and financial institutions issuing all bank cards” to make the necessary adjustments to technological systems and prepare them to support the new purchase limit. The deadline to implement new systems and have them approved by SAMA was March 20, 2020. It should be noted that the total accumulative amount of Atheer transactions made at POS terminals will remain at SAR 300. This step comes in line with SAMA’s supervisory and regulatory role and its pursuit to implement the precautionary and preventive measures issued by the competent authorities to stop the spread of the novel coronavirus (COVID-19).7

• SAMA Announces Raising E-Wallet Top-Up Monthly Ceiling Limit to 20,000 SAR: In line with the goal of boosting digital payment transactions, in accordance with the prudential procedures taken to prevent the spread of the coronavirus (COVID-19). This should contribute to the hygiene of users of the digital payments and streamline payment transactions via e-wallets applications provided by those PSPs.8

3. Saudi E-Commerce law 2019, Royal Decree M/126
This law was passed on July 10, 2019 and became effective on October 24, 2019. The decree is a new law regulating electronic transactions and affects the activities of service providers based within and outside Saudi Arabia that offer consumers products and services through an electronic platform. In its own words, the law applies to: (i) any person providing goods or services (via electronic means) within Saudi Arabia; (ii) any person outside Saudi Arabia who offers products or services, which are accessible to consumers within Saudi Arabia; and (iii) e-commerce consumers.

The Executive Regulations for Royal Decree M/126 — which entered into effect on January 31, 2020 — provide some clarity on the application of the Law.9

Section 3, Data Privacy

• “Unless the service provider and consumer agree to another retention period, a provider may not keep consumers’ personal data except for a period required by the nature of the transaction. Data is defined as “any piece of data, regardless of its source or form, used directly or indirectly when dealing with e-commerce.”

• “Service providers must take measures to protect consumers’ personal data and maintain the confidentiality of such data during the retention period. The providers will be responsible for protecting the personal data that is not only in their possession but data which is held by their agents.”

• “Service providers are prohibited from using and/or disclosing such data without the consumer’s consent.”

• Penalties for non-compliance with Royal Decree M/126 start with an initial warning. Further non-compliance could result in a monetary fine of up to SAR 1 million (approximately $266,000 USD). E-commerce activity and partial or complete blocking of an FI’s website could also occur.10

4. Capital Market Institutions Authorized Persons Regulations
The Capital Market Authority announced in March 2020 plans to change designated “Authorized Persons” to “Capital Market Institution.” Essentially, this new regulation applies requirements currently limited to clients classified as “customers” to all clients, regardless of classification.11

Key Highlights for Financial Institutions

• According to the Saudi Press Agency, “These include KYC obligations (including the completion of the Annex 5.3 Form, some of which is noted as “indicative” only), fiduciary duties and client principles and conflicts of interest. The re-classification of all clients in accordance with the new regime could be administratively burdensome for Authorized Persons with large client bases. Moreover, Authorized Persons whose client basis has historically been limited to ‘Counterparties’ will likely have to develop new processes, procedures and documentation to apply the requirements that were previously only applicable to ‘customers’ to their clients. The draft amendments do not provide for any indication or guidance on a grace period for these changes to be implemented.”12

5. Microfinance Legislation
SAMA recently passed two sets of legislation aimed at regulating microfinance companies in Saudi Arabia: A) Rules Regulating Consumer Microfinance Companies, issued October 12, 2019, and B) Rules of Engaging in Microfinance Activity, issued October 16, 2019.13

SAMA states that the Rules “aim to regulate the licensing provisions of [these] type of companies and to organize their activities according to the powers granted to SAMA under the regulation of the financial companies control and its executive regulations.” This is part of “SAMA’s efforts to enhance financial

MIDDLE EAST - ONESPAN GLOBAL FINANCIAL REGULATIONS REPORT FOLLOW US    70 inclusion by providing more financing products to meet 6. Rules Regulating Bancassurance Activities consumer’s needs, in line with the SAMA’s role in enhancing These rules were issued by SAMA on July 5, 2020. SAMA stated financial stability and supporting the growth and economic in an announcement that the new rules aim “to expand the development witnessed by the Kingdom towards achieving scope of distribution and marketing of insurance products 14 the goals of the Kingdom’s Vision 2030.” through banks [and] to ease the access to [a] variety of financial needs at one place.” The rules are primarily meant Key Highlights for Financial Institutions to regulate relationships between the insurance companies • Rules of Engaging in Microfinance Activity and banks. Financial institutions concerned with digital transformation and anti-fraud will need to implement KYC A Microfinance Company is a company that finances procedures to stay in compliance with the new rules. production activities of small businesses and craftsmen and the like. It is licensed to exercise such activities under Key Highlights for Financial Institutions the Finance Companies Control Law and its Implementing Regulation, as well as the Rules and Instructions issued by • Requirements for Practicing Bancassurance Activities: SAMA. The remaining terms and phrases used in these Rules “The Agreement [between Bank and Insurance Company] shall have the meanings indicated in Article (1) of the Finance must include, at a minimum, the following: e. Know Your Companies Control Law and Article (1) of its Implementing Client (KYC) procedures; f. Compliance procedures … Ensure Regulation unless the context indicates otherwise.15 compliance with the limits of insurance policies permitted to be marketed and distributed in accordance with the • Rules Regulating Consumer Microfinance Companies Agreement.”

“Information technology systems and their related processes • In regard to client requirements, “a. The Bank shall ensure must be designed in a manner that ensures data integrity, that all documents issued are consistent with the regulatory availability, authenticity and confidentiality. Information and supervisory requirements; … b. Ensure that only relevant technology systems and their related processes must be parties can obtain the Clients’ data such as the Company assessed on a regular basis in accordance to the generally and external auditors of the Bank and the Company.” accepted technical standards and tested before they are used • Consequences of Non-Compliance: “Non-compliance with for the first time (and after any changes have been made).” the requirements of these Rules shall be deemed a violation Chapter 8, Compliance, Article 43: “The compliance of the Cooperative Insurance Companies Control Law, its department must ensure the Consumer Microfinance Implementing Regulation and the Banking Control Law, and 17 Company’s compliance with applicable laws, regulations and may subject the Bank or the Company to legal penalties.” instructions. It shall particularly perform the following tasks: […] Draft internal policies and procedures to combat financial 7. SAMA Draft Payment Services Regulations (PSR) crimes, such as money laundering and terrorism financing; 14 SAMA published a draft of the newly proposed Payment 6. Monitor compliance with anti-money laundering and anti- Services Regulations in January 2020. The Payment Services terrorism financing laws, regulations, and rules.” Regulations is a regulatory framework establishing provisions Article 44: “A Consumer Microfinance Company shall comply for the licensing of payment service providers (PSPs) in the with the legal requirements mentioned in the Anti Money United Arab Emirates. The law applies to all PSPs, including Laundering Law, the Law on Terrorism Crimes and Financing, traditional banks. 
The proposed regulations would allow PSPs their Implementing Regulations, and the relevant instructions or licensed banks to offer payment services and electronic and guidelines as specified by SAMA, in a manner that is money issuance, and covers both ‘micro’ and ‘major’ providers. consistent with the nature and size of this company’s activity As of the publication of this report, a timeline for finalization of and risks it may be exposed to. A Consumer Microfinance the draft regulations or enforcement has not been announced. Company, shall also comply with the requirements and instructions issued by SAMA on financial crimes and fraud.” Key Highlights for Financial Institutions

Article 64: “Finance agreements must be drawn up on • The PSR explicitly establishes the licensing and supervision paper or electronically between the Consumer Microfinance of (i) payment systems; (ii) their operators; and (iii) payment Company and the borrower and each contracting party must service providers (Article 3). [...] “The PSR provides that SAMA receive a copy of the finance agreement.” in the course of implementing this law will consider the following objectives: Article 73: “The Consumer Microfinance Company shall take all necessary measures to ensure confidentiality of clients’ • (i) safeguarding the stability and resilience of the information and transactions.”16 monetary and financial system; • (ii) increasing the security and capability of the payment infrastructure and financial markets in the Kingdom to mitigate potential risk;

MIDDLE EAST - ONESPAN GLOBAL FINANCIAL REGULATIONS REPORT FOLLOW US    71 • (iii) incentivizing innovation and competition in Key Highlights for Financial Institutions payment services in the Kingdom; and • “Notably, a digital-only bank will be subject to the same set • (iv) ensuring the protection of consumers insofar as of prudential requirements as conventional banks. Among payment services are concerned (Article 4).” those requirements, including requirements in relation to consumer and data protection, a digital-only bank must: • “Payment Service Providers are required to comply with the AML Law and the applicable rules and regulations on anti- • Apply SAMA’s Principles of Corporate Governance for money laundering and counter-terrorism financing issued Banks Operating in Saudi Arabia by SAMA.” • Apply relevant risk management and control policies • “If a Payment Service Provider claims that a Payer acted • Apply Banking Consumer Protection Principles fraudulently, the onus is on the Payment Service Provider to furnish supporting evidence during the dispute settlement • Comply with SAMA’s Rules of Outsourcing process laid out in Article 19.” • Comply with anti-money laundering and counter- • “The policies, procedures, systems and controls must explain terrorism financing requirements how the Payment Service Provider will identify, monitor, • Comply with the Cybersecurity Framework and manage and report risks to which it can reasonably expect BCM Framework. to be exposed. These risks include operational risk, fraud

risk, AML/CFT risk, cyber security risk, and data protection The Guidelines provide that applicants “should risk and “any other commercial, financial or business risk demonstrate the compliance of the AML/CTF relevant to the activities of the Payment Service Provider.” regulations in the fully digitalized environment”.21 • “A Payment Service Provider must: • Digital-only Banks are required to satisfy SAMA that their • (i) put in place and maintain fraud detection and proposed risk management and control policies are handling policies, procedures, systems and controls, adequate and appropriate for monitoring and limiting risk which may be updated at the direction of SAMA. exposures as per section D of the SAMA Banking Licensing Guidelines and Minimum Criteria. • (vii) … [Provide] controls to ensure compliance with applicable laws and regulations; • Technology and Cybersecurity Risks:

• (viii) … [Provide] methods for maintaining confidentiality 1. “Applicant should consider Information systems security, of information.”18 resilience and availability, as being key components of a Digital-only Bank. The selection of appropriate technologies • KYC and Identity Requirements: The Payer’s Payment and security arrangements should be aligned to the Service Provider must ensure that Payment Orders are proposed banking products and services.” accompanied by payer information including the payer’s official ID number and customer ID number; the unique 2. “SAMA requires compliance with all relevant requirements, identifier of the payment transaction; and the payer’s such as (but not limited to) SAMA’s Cybersecurity payment account number. Framework and BCM Framework. In addition, SAMA requires applicants to consider other relevant regulations, 8. SAMA’s Additional Licensing Guidelines and Criteria for (e.g. from National Cybersecurity Authority) when designing Digital-only Banks: and implementing the Technology and Cybersecurity framework of the proposed Digital-Only Bank. ... SAMA’s The additional licensing guidelines for digital-only banks Banking Consumer Protection Principles are also applicable was issued February 24, 2020. The guidelines are applicable to Digital-only Banks.”22 to digital-only banks and are cumulative to SAMA’s Banking Licensing Guidelines and Minimum Criteria published on its website. In SAMA’s terms, “A Digital-only Bank is defined as a bank that conducts a banking business mainly through digital channels (e.g. the web and mobile applications).”20

IRAN

CENTRAL BANK

The Central Bank of the Islamic Republic of Iran (Bank Markazi, CBI) is the official central bank of Iran established in 1960. In its own words, “CBI is responsible for the design and implementation of the monetary and credit policies with due regard to the general economic policy of the country.”

DATA PROTECTION AUTHORITY

None. However, a recent data protection and personal privacy bill being drafted in Parliament as of September 2018 calls for the establishment of a Data Protection Commission. As of the publication of this report, the Data Protection Commission has not been established.

Other Financial Regulatory Bodies: The Institute of Standards of Industrial Research of Iran (ISIRI) is the Iranian governmental institution for standardization and certification and is the Iranian representative to the International Organization for Standardization (ISO).

Iran Fights U.S. Sanctions with Digital Gold-Backed Currency

As of the publication of this report, Iran is developing a gold-backed cryptocurrency as an alternative payment method to ease the effects of its removal from the Society of Worldwide Interbank Financial Communications (SWIFT). Four Iranian banks have launched their own digital token, called PayMon, to settle payment transfers between themselves.

However, while the use of cryptocurrencies in Russia and Iran may allow for internal payments, it will not give their citizens access to the international financial system, which is anchored to the U.S. dollar. Because Iran will continue to be isolated from international financial stakeholders for the foreseeable future, legislators and financial authorities will continue to promote national and regional currency use over the dollar. Coincidentally, the Iranian Parliament has passed measures limiting foreign cryptocurrency exchange and transactions.

FATF Blacklists Iran After Failure to Implement Action Plan

In February 2020, the FATF ordered a lift of the suspension on all countermeasures against Iran after its government failed to pass legislation that would address the country’s deficiencies in AML/CFT regulation in line with FATF guidelines. Prior to February 2020, Iran had publicly claimed to be making several steps toward meeting the FATF’s objectives. But the solution to FATF compliance isn’t so clear cut for Iran and has been in the works since 2016, when FATF put Iran on its “grey list”, or list of high-risk countries, and created an Action Plan for government stakeholders.

The Action Plan included the passage of four international bills that would help bring Iran into compliance:

1. Amendments to the Counter-Terrorist Financing Act;
2. Amendments to the Anti-Money Laundering Act;
3. Palermo Bill, or the International Convention Against Transnational Organized Crimes;
4. Convention Against Funding Terrorism.

All four bills have been passed by Parliament. The amendments to the Counter-Terrorist Financing Act and the Anti-Money Laundering Act are in enforcement, but the Palermo Bill and the Convention Against Funding Terrorism are not, as of the publication of this report. Nor has the Iranian government provided a timeline for when enforcement will commence.

In light of Iran’s failure to enact the Palermo Bill and the Convention Against Funding Terrorism, the FATF has put Iran on its “blacklist,” or list of countries that will receive the full extent of countermeasures from FATF member states, which includes more than 150 countries. The FATF’s official announcement stipulates that “these measures go beyond the due diligence requirements and can include prohibiting businesses from establishing branches in the country and instructing them to terminate any correspondent banking relationships.”22

Recently Enacted Regulations, Standards and Laws

1. Cryptocurrency/Digital Currency - Directive to License and Register Crypto-Mining Operations

The directive to license and register crypto-mining operations, or “the assignment of foreign exchange mining equipment,” was issued in May 2020.

• Miners will have to disclose their identities, the size of their mining farms and their mining equipment type with the Ministry of Industry, Mines and Trade.

• Beginning July 6, 2020, miners had one month to register their equipment, according to the Ministry, which will publish a list of licensed mining centers.

2. Remote Account Opening/ID Verification/KYC (FATF) - Biometric Payments

Iran is looking into a step-by-step integration of biometric payments and QR codes for better verification and to reduce the number of daily card transactions. In all, 2.5 billion card transactions took place between August 23 and September 22, 2019, but the banks did not collect any fees. A central bank executive has stated that “Payment through biometric methods like fingerprint is being planned and will be implemented in the future” and that it is “estimated that using mobile phones for payments would increase by 20-30 percent if the fee system is reformed.”23

As of the publication of this report, further announcements regarding a biometric payments system have not been made and a deadline for passage of legislation hasn’t been determined.

3. Data Protection and Personal Privacy - Draft of the Bill on the Protection of Data and Privacy in the Cyber Space 2018

A Draft Act on Personal Data Protection and Safeguarding was introduced to the Iranian Parliament in September 2018 and is currently awaiting review. As of the publication of this report, no announcement has been made regarding a timeline for finalization of the Bill. The Act is intended to apply to “Iranian citizens (individuals and corporations), public or private, whether their private data is being processed inside or outside Iran, and to foreign citizens (individuals and corporations), public or private, only if their data is processed by Iranian processors and controllers”.24 Furthermore, it proposes the creation of a Data Protection Commission in charge of enforcing the Act. However, there remain in the Draft Act a number of unclear points, such as its territorial scope, which is not covered in any provisions. Hopefully, more clarifications on the Draft Act will be provided in the future.

UNITED ARAB EMIRATES (UAE)

CENTRAL BANK

The Central Bank of the United Arab Emirates (UAECB) is the primary monetary authority governing all financial institutions operating in the country that don’t fall within the financial “free zones”, those geographic economic centers that develop and enforce their own regulations and laws.

OTHER FINANCIAL AUTHORITIES

• ADGM Financial Services Regulatory Authority
• Dubai Financial Services Authority (DFSA)
• Securities and Commodities Authority
• Data Protection: The ADGM Office of Data Protection is the primary data authority for the ADGM economic zone in the UAE.

Country Overview

The United Arab Emirates (UAE) is one of the major financial centers of the Middle East. With three distinct financial “free zones,” a progressive outlook on cryptocurrency, and some of the lowest foreign tax exchange rates in the world, the UAE is a breeding ground for financial innovation.

In the UAE, there are separate legal and regulatory frameworks in play because of the aforementioned financial free zones. The financial free zones of the Dubai International Financial Center (DIFC) and the Abu Dhabi General Market Authority (ADGM) each have their own laws and regulators, while the remainder of the UAE, outside of the geographical areas of the financial free zones, falls within the remit of the Central Bank and the UAE Securities and Commodities Authority (SCA). The DIFC, for example, is regulated by the Dubai Financial Services Authority (DFSA).

Strangely, customers partaking in commercial transactions and other commercial activities still prefer physical documentation with manual signatures, stamps and execution. There seems to be a reluctance on the part of some UAE businesses to adapt to the new world of electronic commerce, specifically electronic payments. It remains to be seen, however, whether the physical and other constraints imposed on business activities as part of the COVID-19 pandemic will prompt a change.

Data Protection and Personal Privacy

Dubai International Financial Centre (DIFC) Data Protection Law No. 5/2020 (The New DP Law): Dubai’s new DIFC Data Protection Law No. 5/2020, influenced by the EU’s General Data Protection Regulation (GDPR), applies to businesses with operations in the Dubai International Financial Centre (DIFC), an economic zone located in the Emirate of Dubai.

The new law came into force on July 1, 2020. However, financial institutions will be given until October 1, 2020 to achieve compliance, to allow for the impact of the COVID-19 pandemic on business operations. As with the GDPR, “the New DIFC Law sets out a series of data protection principles that organizations must comply with, which include (among others) familiar concepts such as lawfulness, fairness, transparency and privacy by design and default. The DIFC Law imposes an express obligation on controllers and processors to establish a compliance program to demonstrate compliance.”

“The Board of Directors of the DIFC Authority has also issued new Data Protection Regulations that set out the procedures for notifications to the Commissioner of Data Protection, accountability, record keeping, fines and adequate jurisdictions for cross-border transfers of personal data.”25

1. ADGM Draft Regulations on Cryptocurrency

In May 2019, the Financial Services Regulatory Authority enhanced its “Guidance for the Regulation of Crypto Asset Activities.” These guidelines were supported by additional guidance: “Regulation of Digital Security Offerings and Crypto assets under the Financial Services and Markets Regulations” and “Crypto asset Activities”. Both were issued by the FSRA earlier in 2019. The guidance was issued “in accordance with Section 15(2) of the Financial Services and Markets Regulations 2015 (FSMR) and should be read in conjunction with the FSMR, the relevant rulebooks, the guidance and policies manual of the FSRA, and the guidance on the regulation of initial coin/token offerings (ICOs) and crypto-assets under the FSMR.”

• “Stablecoins/fiat tokens: Stablecoins that are fully backed by fiat currencies (fiat tokens) will be treated as a form of digital representation of money. The activity will be licensed if a payment instrument is used for the purposes of money transmission. The guidance also sets out the FSRA’s approach to regulating issuers, custodians and exchanges using fiat tokens.”

• “Technology governance: Further changes in the underlying protocol of a crypto-asset that results in a fork (coding change), and the associated governance and control expectations for crypto-asset exchanges and license holders.”

• “FSRA anti-money laundering (AML) and sanctions rules and guidance: The AML Rulebook applies in full to the regulated activity of crypto-asset operators/holders, providing further clarity on the use of new regulatory and surveillance technologies.”27

2. Securities and Commodities Authority Draft Regulations on Cryptocurrency

• The SCA, in October 2019, issued draft regulations relating to crypto-assets and invited feedback from various market players. The draft regulations primarily dealt with token issuance requirements, trading and safekeeping practices. They emphasize protecting investor interests, financial crime prevention measures, crypto-asset safekeeping standards, information security controls, technology governance norms and conduct of business requirements for all market intermediaries.28

3. Remote Online Notarization (RON) - Dubai Courts Remote Online Notarization Circular

In April 2020, the Dubai Courts announced that public notary services would be available to be conducted remotely. The circular states that the following notary services can be conducted remotely:

• Power of Attorney notarization;
• Notarization of legal notices;
• Acknowledgments;
• Notarization of Local Service Agent Agreements;
• Notarization of Memorandums/Articles of Association and addendums thereto with respect to civil companies (i.e. companies not subject to the Commercial Companies Law);
• Companies that are subject to the Commercial Companies Law that wish to incorporate or amend constitutional documents must do so with the Dubai Economic Department.

This remote notary service requires a subscription to BOTIM, a video/voice calling application that can be found on the App Store for Apple users and the Play Store for Samsung users. For these remotely notarized documents to be permissible under this service, they must include the following language:

“I, the undersigned, declare with my full capacity, and through video communication, using BOTIM, my consent on all that is stated in this application and I sign accordingly.”29

4. COVID-19 - DFSA Letter on Cyber-related Risk Monitoring and Reporting

The DFSA issued a letter on cyber-related risk monitoring and reporting on March 23, 2020. The letter outlined that, in light of the recent increase in the volume of email phishing campaigns used by cybercriminals attempting to exploit COVID-19 concerns, and the high number of staff working from home, regulated firms should continue to roll out cybersecurity awareness programs with their employees. Firms were also asked to review remote access controls, including ensuring two-factor authentication, and to implement enhancements where necessary. Where regulated firms experience cyber-related risks, notifications should be made through the DFSA Threat Intelligence Platform (TIP) and a Cyber Incident Notification Form should be filed (the DFSA also issued a new guidance document for completing cyber-related notifications).30

5. COVID-19 - FSRA COVID-19 Orders and Guidelines

The FSRA recommended on March 9, 2020, that physical meetings for staff take place through non-face-to-face channels where possible. This includes a circular issued on March 29, 2020, implementing the UAE’s “Remote Work System” requirements under Ministerial Resolution No. 281 of 2020, which regulates “Remote Work in Private Establishments during the Period of Application of Precautionary Measures to Curb the Spread of Novel Coronavirus” (Resolution 281), issued by the UAE Ministry of Human Resources & Emiratization (MOHRE).

This requires all ADGM licensed entities to ensure that no more than 30 percent of their employees work from the firm’s registered office and that anyone who doesn’t need to be in the office physically works remotely.

6. COVID-19 - UAE Central Bank COVID-19 Orders and Guidelines

Following the issuance of Resolution 281 by MOHRE, the UAE Central Bank issued its own statement on March 27, 2020, that the majority of the workforce in banks, financial institutions and exchange houses under their supervision should work remotely “with the exception of 30 percent of those working in critical positions.” The UAE Central Bank also introduced a remote system for employees.

7. Artificial Intelligence - The Financial Services Regulatory Authority of Abu Dhabi Global Market Regulatory Framework for Digital Investment Managers (Robo-advisors)

In July 2019, the FSRA issued a new guidance, Supplementary Guidance: Authorization of Digital Investment Management (“Robo-advisory”) Activities. According to Hammal and Al-Mehdar Law Firm in Dubai, “the FSRA believes these regulations will promote oversight, fairness, accountability, and transparency in the digital financial sector. The ADGM issued the guidance under Section 15(2) of the Financial Services and Markets Regulations 2015 (FSMR). According to the organization, the regulation is relevant to those who apply for Financial Services Permissions to conduct Regulated Activities, as defined in the FSMR (Section 19), where applicants undertake Digital Investment Management.”

• The ADGM defines “Digital Investment Management” as financial services that use algorithm-based technology. These tools require limited human interaction between clients and robo-advisory providers. Their affluent customers are comfortable receiving financial services through digital channels. It also influences how they select service providers.

• The guidance addresses two critical areas. The first involves regulatory permissions that the ADGM requires of operators providing digital investment services. The second addresses how the FSRA will apply authorization criteria to areas such as governing technology and algorithms, and suitability and disclosure. The ADGM has established the guidelines for robo-advisors in their new supplementary guidance.

• Technology governance: Digital investment managers must ensure that systems and controls are commensurate with the scale and complexity of business operations. These controls include information transmission and storage, investor safeguards and protections, outsourcing, technical operations, and contingency arrangements. Additionally, managers must assess and mitigate risks for their clientele. For details, read Sections 4.6 – 4.7.31

IRAQ

CENTRAL BANK

The Central Bank of Iraq is the primary regulatory authority for the financial services sector in Iraq.

Other Financial: The Iraq Securities Commission (ISC) is a public commission working independently to oversee activities in licensed securities markets, such as the Iraq Stock Exchange.

DATA PROTECTION AUTHORITY

As of the publication of this report, Iraq does not have a dedicated data protection authority, and plans have not been announced to establish one.

Non-banks/Other: The Central Organization of Standardization and Quality Control (COSQC) is a government agency that promotes standardization and quality control.

Country Overview

Financial institutions looking to innovate in Iraq will find little regulatory guidance in the way of data protection, digital financial services and electronic payments. The new government of Iraq has prioritized other issues in the financial sector such as economic diversification. This isn’t to say that a framework for digital financial services isn’t in high demand among consumers. According to Al Jad Law Firm based in Lebanon, “Iraq is adopting fintech at a slow pace, and overall investment in fintech and the enactment of related regulations have been low, compared to other countries in the region. This is due to many factors, including the large unbanked population. According to an analytical note entitled “Bringing Back Business in Iraq” published on January 1, 2019, by the , only 23 percent of Iraqi households have access to an account with a financial institution; the cost of internet and mobile services, relative to income, which limits demand for digital financial services; and the fact that Iraqis prefer cash on delivery in e-commerce transactions, due to concerns about security of online payments.”

Though regulatory guidance is thin or altogether non-existent, electronic PSPs have moved forward with plans to provide services in Iraq, and the Iraq parliament has laid out a plan to restructure the financial sector to combat money laundering and illegal foreign transactions.

Iraq Launches First Digital-only Payment Card

Iraq-based International Network for Cards and Digital Payment Services (INC Iraq) and a Lebanese fintech startup, NymCard, have collaborated with Visa to launch the first digital-only, prepaid payment card (Neo) in Iraq to serve the underbanked Iraqi population.33

Central Bank of Iraq Promotes ATM/POS Development Plans for Electronic Payments

The Central Bank of Iraq is promoting the development of plans for ATM and POS electronic transactions/payments to banks and other financial institutions. The Central Bank also stated that “there is no objection to the banks and payment companies continuing to work through agents/cash outlets until there is sufficient spread of collection tools.”34

Recently Passed Standards, Laws and Regulations

1. Companies Law No. 21 Amendment 2019

Iraq has passed an amendment to certain articles of the Companies Law No. 21 of 1997, which may disrupt existing foreign investment in the country.

• Electronic exchange and express mail for procedures and correspondence with the Companies Registrar (new Article 223): The Amendment has added a new Article 223 that “allows companies to use electronic exchange and express mail for all correspondence, submission of data and all procedural matters with the Companies Registrar. The Companies Registrar will prepare the requirements for operating the electronic system.”35

• The amendment was published in the Official Gazette on September 9, 2019 and became effective immediately. As of the publication of this report, a grace period for implementation of the amendment has not been announced. It is also currently unclear whether there are exemptions for existing companies.

MIDDLE EAST - ONESPAN GLOBAL FINANCIAL REGULATIONS REPORT

2. Suspension of license applications for electronic payment companies
On January 1, 2020, the Central Bank of Iraq announced the continued suspension of the “promotion” of license applications for electronic payment companies. The suspension was due to end in December 2019 but has been extended through December 31, 2020.36

3. Central Bank of Iraq Directive to Banks to Provide Mobile Phone Services
The Central Bank of Iraq Information Office made an announcement on September 30, 2019 directing banks to provide mobile phone services to consumers. The Information Office states: “In light of the strategy of the Central Bank of Iraq to achieve financial inclusion, and improve digital banking services, and modern technologies, to ensure the ease of access of those services provided to different segments of society, this bank directed all licensed banks to provide the Mobile Banking service, in a manner that ensures the facilitation of the banking service to beneficiaries and to ensure the availability of protection and confidentiality systems for them, provided that it is applied within a specific period of time from the date of issuance of instructions from this bank.”37

4. CBI Decision 14/611 of 2019 – Controls on corporate governance and institutional management of information and communication technology in the banking sector
In May 2019, the Central Bank of Iraq issued controls, some of which are related to management of information and data in the banking sector. According to the Central Bank of Iraq, the Decision “sets out certain criteria to be implemented by banks, financial institutions, payment service providers, exchange counters and other licensed institutions when dealing with cloud computing service providers. Upon engaging in such activities, these institutions must take into account operational risks and factors such as confidentiality, integrity, cybersecurity, regulatory compliance and data transfer. The measures to be implemented by banks, financial institutions and other licensed institutions to ensure the safety of the operations include:
• User identity management systems;
• Identification and protection of personal data; and
• Security and protection systems that prevent hacks and attacks.”38

PAKISTAN

Country Overview

Anyone with a nose for news will remember reading about Pakistan in late 2019 and how the country was “grey-listed” by the Financial Action Task Force (FATF). Since then, Pakistan has made a slow-moving albeit fervent bid to get itself back into the good graces of the international security watchdog group. At a September 2020 meeting of the Asia Pacific Joint Group, a FATF-appointed group that reviews money laundering progress, Pakistani officials stated that “dealing with FATF’s requirements and boosting tax revenues are the government’s two biggest economic priorities” for the foreseeable future. As a necessary first step, the federal government introduced a national Personal Data Protection Bill in 2020 with the goal of establishing a dedicated data protection authority.

But experts seem divided on whether or not Pakistan’s government will avoid being blacklisted come October 2020. By September 2020, the FATF noted that Pakistan had implemented just 14 of 27 recommendations and called for “significant and sustainable progress especially in prosecuting and penalizing terror financing.”51

Regarding the country’s financial services and banking sector, much of the industry’s innovation and economic growth is being driven by technology and consumer demand for financial products that are inclusive and easily accessible. The country is composed of a variety of state banks, state-run banks (which are being privatized more often than not), private commercial banks, and foreign banks. The spread of banks that operate within the principles of Islamic law, or takaful banks, has become especially notable. Several of these banks are digital only, and the government has taken note of citizens’ desire for a fully digital banking experience. In August 2020, the Special Assistant to the Prime Minister for Overseas Pakistan and Human Resources stated that Pakistanis not currently living in the country will be able to open bank accounts and make direct banking payments through a digital banking facility.52

Currently, the country’s federal government is working on several digitization and financial services initiatives that further expand financial inclusion. The SBP has launched the National Payment Systems Strategy (NPSS) and continues to announce plans for further regulatory and legislative updates related to digital banking and financial services.

CENTRAL BANK
The State Bank of Pakistan (SBP) is the central bank of Pakistan. The bank has an operational subsidiary, SBP Banking Services Corporation, that has branch offices across Pakistan. The bank supervises the banking sector in Pakistan, as well as non-banking entities such as small and medium enterprises and microfinance companies.

Other Financial: The Securities and Exchange Commission of Pakistan (SECP) is the primary financial regulatory agency in the country overseeing the insurance sector and non-banking financial companies, including the capital markets.

DATA PROTECTION AUTHORITY
As of the publication of this report, Pakistan does not have a dedicated national data protection authority. However, the country’s Ministry of Information Technology and Telecommunication introduced a draft Personal Data Protection Bill earlier in 2020 that would establish a Personal Data Protection Authority for Pakistan within six months of the enforcement date. An enforcement date has not been announced.

Regulations and Standards

1. SBP Revised AML/CFT Regulations for Banks and Development Finance Institutions (DFIs)
On December 30, 2019, the State Bank of Pakistan published new changes to its anti-money laundering and combating the financing of terrorism regulations for banks and development finance institutions (DFIs). The document was last revised in 2016. The main changes to the regulations require banks and DFIs to assist customers experiencing account issues and ensure financial transaction execution. The rules also specifically address use of the National Database & Registration Authority’s (NADRA) Verisys identification system to verify NADRA-issued identity documents. The regulations officially went into force on July 1, 2020.

Key Highlights for Financial Institutions

• According to the SBP, “Banks/DFIs may use the NADRA Verisys system in place of obtaining certified photocopies of required NADRA identity documents and biometric verifications wherever required as per SBP AML/CFT regulations including for request of activation of dormant account by customers. They should retain the NADRA Verisys for record keeping requirements (digitally or hard copy).”53

2. SBP Circular on Measures to Limit the Spread of COVID-19 by Promoting the Use of Digital Payment Services
On March 26, 2020, the State Bank of Pakistan published new measures to combat cyber security threats and promote cyber resilience among banks and payment service organizations (PSOs). The circular reminds banks and PSOs to adhere to the cyber security requirements in BPRD Circular No. 5 of 2017 and PSD Circular No. 09 of 2018. The new circular advises banks to implement several measures related to remote user authentication.

Key Highlights for Financial Institutions
• Remote User Authentication: The new rules address requirements related to internal remote access for authorized users. “While enforcing telework/remote access, Banks/MFBs and PSOs shall ensure that security policies are adequately reviewed and implemented based on the risks of eavesdropping, interception, and modification. Such threats shall be mitigated by using strong user and device authentication, encryption and antimalware technologies, network segmentation and tier-based access control to protect the confidentiality and integrity of organizational assets.”

3. SBP Circular on Facilitation Regarding Paper-based Clearing Operations in the Wake of COVID-19
On March 28, 2020, the State Bank of Pakistan published a circular allowing banks to provide certain deposit and check collection services to their customers.

Key Highlights for Financial Institutions
• Multifactor Authentication: Under the provision for direct check deposit services, banks “must take necessary precautions including but not limited to customer call back or multifactor authentication to verify the authenticity/genuineness of the instrument and verification of their respective customers. Similarly, before crediting the customer account, the payee/beneficiary bank must ensure the authenticity of the customer’s credentials as well.” Likewise, under the drop box check collection provisions, “the Paying/Drawee bank shall implement all necessary controls including call back confirmation or multifactor authentication to ascertain the authenticity and genuineness of the instrument and identity of the payee. Upon satisfactory validation, Paying/drawee bank may transfer funds to beneficiary bank.” Additionally, the circular encourages banks to implement additional risk mitigation measures while offering these new collection and deposit services.

4. SBP Circular on Measures to Combat COVID-19 Pandemic: Branchless Banking Operations and Regulations for Digital Onboarding of Merchants
On July 13, 2020, the State Bank of Pakistan issued a circular extending the validity of two previous circulars, issued on March 26, 2020, regarding branchless banking operations and the onboarding of merchants. The circular references customer biometric verification for branchless banking and digital onboarding. Both circulars have been extended to December 31, 2020.

5. SBP Service Standards for Roshan Digital Accounts for Non-Resident Pakistanis (NRPs)
On September 9, 2020, the State Bank of Pakistan published new service standards for remote account opening through the previously launched Roshan Digital Account system for non-resident nationals. The new standards address requirements related to the development and continuous improvement of RDA portals and mobile apps, the account opening process, and payment system monitoring and support.

Key Highlights for Financial Institutions
• Account Opening Standards: The new account opening standards add the following requirements to the existing digital accounts framework: development and continuous improvement of RDA portals and mobile apps; account opening and monitoring processes that ensure compliance with existing SBP standards; realization and repatriation of funds; monitoring and ongoing support.

Policy and Legislation

1. Draft Bill on Personal Data Protection 2020
The consultation soliciting feedback on the draft bill for a new personal data protection law ended on May 15, 2020. The bill applies to any business or entity operating in Pakistan that processes personal data; it establishes requirements and restrictions related to personal data processing, as well as penalties for violating the law. Within six months of coming into force, the federal government would establish a Personal Data Protection Authority of Pakistan with powers to enforce rules and regulations under the law.

Key Highlights for Financial Institutions
• Sensitive Personal Data Definition: The bill defines “sensitive personal data” as “data relating to access control (username and/or password), financial information such as bank account, credit card, debit card, or other payment instruments, and, passports, biometric data, and physical, psychological, and mental health conditions, medical records, and any detail pertaining to an individual’s ethnicity, religious beliefs, or any other information for the purposes of this Act and rules made thereunder.”
• Consent: Regarding data subject/user consent, the bill states that, “A data controller shall not process personal data including sensitive personal data of a data subject unless the data subject has given his consent to the processing of the personal data.”

2. SBP Digital Banking Facility
In mid-August 2020, the State Bank of Pakistan announced plans to launch a digital banking facility for overseas Pakistanis. Even with a decrease in remittances due to the economic challenges of the COVID-19 pandemic, the country is looking to make sure overseas nationals receive the help they need to make payments while abroad. Digital bank accounts will be used to make credit card purchases, pay utility bills or invest in stocks. Registration for the facility has begun; however, an official launch date for the digital banking facility has not been announced.

QATAR

Country Overview

Qatar aims to be the digital and financial center of the Middle East. The Government of Qatar has passed several laws in the past year (2019-2020) related to digital innovation, FinTech, AML/CFT, and customer due diligence. Qatar has a robust electronic payment system based on the SWIFT Network and Messages Standards, and there are plans to establish a single ATM network linking multiple Gulf countries. This initiative is being led by Qatar and the Gulf Cooperation Council.39

CENTRAL BANK
The Qatar Central Bank is the primary regulatory authority supervising traditional financial institutions in Qatar.

Other Financial:
• Qatar Financial Centre
• Qatar Financial Markets Authority

DATA PROTECTION AUTHORITY
• The ADGM Office of Data Protection
• DIFC Commissioner of Data Protection

Cryptocurrency Banned in Qatar
The Qatar Financial Centre Regulatory Authority (QFCRA) announced via tweet that crypto asset services may not be conducted in or from the Qatar financial center. As noted in the tweet, there will be penalties imposed on firms that provide such services in the financial center. The Authority has said virtual assets are anything “of value that acts as a substitute for currency that can be digitally traded or transferred and can be used for trading and investment purposes, excluding fiat currencies and other monetary instruments.”40

Qatar Central Bank Launches Qatar Mobile Payment System
In May 2019, Qatar Central Bank (QCB) launched the “Qatar Mobile Payment System” (QMP), which provides a method for immediate electronic payment.

The Qatar Mobile Payment System aims to enable customers to use an e-wallet on their mobile phone to carry out P2P payments in addition to conducting withdrawals. To further streamline payment transactions, Qatar Central Bank (QCB) has issued unified QR code specifications and standards enabling users to make payments by scanning the quick response (QR) code with their mobile phone at POS and on public transportation.41

COVID-19 Shuts Down In-person Money Exchanges
On March 26, 2020, Qatar Central Bank announced the temporary closure of in-person money exchange and transfer service offices in the country. The measure was introduced by the government in response to COVID-19. The government also promoted the use of electronic payments over cash. It stated that “the most important thing that the people of Qatar can do to contain the spread of the virus is to reduce day-to-day contact with other people. Throughout the period of closure, money can be transferred through online exchange services, mobile applications and Ooredoo Money. All services allow users to transfer money abroad instantly either online or through their phone.”42

Recently Passed Standards, Laws and Regulations

1. Central Bank of Qatar Law No. 20 of Year 2019 on Combatting Money Laundering and Terrorism Financing
On September 11, 2019, the Central Bank of Qatar passed Law No. 20, legislation aimed at combatting money laundering and terrorism financing. Following the passage of Law No. 20, the Council of Ministers passed Decision No. 41 of 2019, Promulgating the Implementing Regulations of Law No. 20 of 2019. The Implementing Regulations became effective in December 2019.43

• “Council of Ministers’ Decision No. [41] of 2019 Promulgating the Implementing Regulations of Law No. (20) of 2019 on Combatting Money Laundering and Terrorism Financing: Thursday, December 26: The Qatar Central Bank (“QCB”) announced the adoption of the Implementing Regulations to Law No. (20) of 2019 on Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) Law, which builds on the strong and innovative legal and regulatory initiatives enacted by the AML/CFT Law No. (20) of 2019 on 11 September 2019.”

2. Qatar Financial Centre Regulatory Authority AML/CTF Rules 2019
These new regulations regarding anti-money laundering and terrorism financing were passed February 1, 2020 and became effective immediately. The rules apply to any financial institution operating or conducting business within the Qatar Financial Centre. According to the legislation, these new regulations repeal the AML/CTF rules of 2010. The 2019 rules cover applications of risk-based approaches within financial services, including customer, interface and product risk.44

3. Qatar Financial Markets Authority AML/CTF Rules 2019
The Qatar Financial Markets Authority (QFMA) has issued the Anti-Money Laundering and Combating Terrorist Financing Rules (AML/CFTR) pursuant to Law No. (20) of 2019 on issuing the Anti-Money Laundering and Combating Terrorist Financing Law and its implementing regulations issued by the Council of Ministers’ Resolution No. (41) of 2019.45

4. Qatar Financial Centre Regulatory Authority Customer and Investor Protection Rules 2019
These new rules, which are meant to regulate the conduct of financial institutions in their dealings with customers, became effective on January 1, 2020, though they were announced back in April 2019.46

5. Qatar Central Bank Guidelines for Financial Institutions on Managing AML/CFT Risks linked to Covid-19 Virus
In March and April 2020, the Qatar Central Bank issued guidelines for financial institutions on Managing AML/CFT Risks linked to COVID-19. The guidelines were issued through several circulars and directives instructing banks on customer due diligence, combating fraud, and developing technical systems that will allow remote payments and transactions.47

Qatar Financial Markets Authority Guidance on Client/Customer Due Diligence 2020
In May 2020, the Qatar Financial Markets Authority issued guidance on client and customer due diligence. In its own words, “the purpose of this document is to provide practical guidance to Licensed Parties on Client/Customer Due Diligence to assist them with day-to-day compliance challenges and provide examples of international best practice.”

6. Qatar Financial Markets Authority Guidance on Covid-19 Risk Management based on the Risk-Based Approach
In May 2020, the Qatar Financial Markets Authority issued its own guidance on COVID-19 risk management. In its own words, “The QFMA issues these guidelines to include key risks faced by licensed parties in light of the spread of corona virus (Covid-19). It also includes measures to be taken by all licensed parties and full compliance with the effective implementation of the risk-based approach to address those risks, while ensure overall compliance with the QFMA legislations, specifically those on AML/CFT and all Circulars and Guidance issued.”48

7. The Qatar Supreme Committee for Crisis Management COVID-19 Regulations
In its coordinating role, the Committee has initiated legislative and regulatory actions to safeguard Qatari citizens, residents, and visitors from harm. As of April 15, 2020, the following measures are in effect:
• Banks are to permit postponement of payment of outstanding loan installments and interest for certain industry sectors for a period of six months starting on March 16, 2020.
• By way of a circular, the Qatar Central Bank stipulated the allocation of a repurchase window with a zero percent rate to be used by banks to postpone loan installments or grant new loans, as well as to cancel fees at point-of-sale and withdrawal fees via ATMs. This does not include personal loans granted with a salary guarantee.
• The Qatar Central Bank has facilitated further transition to electronic banking by requiring banks and money exchange points to offer electronic money transfers abroad and the provision of electronic services to workers.
• Banks are to permit domestic workers to open bank accounts with no minimum amount requirement.49

8. QCB State Law for Insurance Intermediaries Data Protection Provisions
• There are provisions requiring policy and procedures for data protection in Chapter 10.5 of the Intermediary Rules. These new requirements need to be reviewed closely to ensure that compliance is also consistent and in line with the new Qatar law concerning Personal Data Protection, Law No. 13 of 2016, which requires full compliance from 29 June 2017. Particular attention is required to ensure appropriate disclosures and client consents are secured for processing of data, including sensitive data such as that relating to health.50

1 Denis Francis and Hesham Elmais, “Digital and Analytics: The next Horizon in Middle East Corporate Banking,” McKinsey & Company, February 12, 2020, shorturl.at/DJY28.

2 Denis Francis and Hesham Elmais, “Digital and Analytics: The next Horizon in Middle East Corporate Banking,” McKinsey & Company, February 12, 2020, shorturl.at/DJY28.

3 “SAMA Launches Regulatory Sandbox for Financial Institutions and Fintechs,” SAMA Launches Regulatory Sandbox for Financial Institution’s and Fintechs, November 2, 2019, shorturl.at/nLX37.

4 “A Statement on Launching ‘ABER’ Project, The Common Digital Currency Between Saudi Arabian Monetary Authority and United Arab Emirates Central Bank (UAECB).” Saudi Arabian Monetary Authority, January 29, 2019. shorturl.at/mqJT7.

5 Salman Al-Sudairi, Noor Al-Fawzan, and Abdullah A. Alsaeed, “Issues and Considerations for Businesses in Saudi Arabia,” Lexology, May 17, 2020, shorturl.at/uRZ46.

6 John Barlow and Mohammed Alkhliwi, “COVID-19 and Other Policies: Saudi Arabia,” Lexology, April 20, 2020, shorturl.at/fqvP9.

7 “SAMA Increases Purchase Limit for Mada Atheer to SAR 300 With No Pin Required.” Saudi Arabian Monetary Authority, March 18, 2020. shorturl.at/lDLU9.

8 “SAMA Announces Raising E-Wallet Top-Up Monthly Ceiling Limit Up to 20,000 SAR.” Saudi Arabian Monetary Authority, March 25, 2020. shorturl.at/xDM48.

9 Din Wilkinson, and Ben Gibson. “Call-to-Action: The New Executive Regulations of the Saudi E-Commerce Law.” Lexology, May 13, 2020. shorturl.at/ikHRZ.

10 Brian Meenagh, Salman Al-Sudairi, Homam Koshaim, and Avinash Balendran. “COVID and Online Transactions in Saudi Arabia.” Latham and Watkins, May 1, 2020. shorturl.at/kptBE.

11 “Capital Market Authority Authorised Persons Regulations.” Capital Market Authority, 2017. shorturl.at/cvOQW.

12 “With More Than SAR 120 Bn: Government of Saudi Arabia Implements Urgent Measures to Mitigate the Impact of Coronavirus on Economic Activities and Private Sector.” Saudi Press Agency, March 20, 2020. shorturl.at/eglu0.

13 “SAMA Announces Issuing Regulations for Microfinance Companies.” Finance Rules and Regulations, December 10, 2019. shorturl.at/muwWZ.

14 “SAMA Announces Issuing Regulations for Microfinance Companies.” Finance Rules and Regulations, December 10, 2019. shorturl.at/pGHZ9.

15 “Finance Rules.” Saudi Arabian Monetary Authority. Accessed July 29, 2020. shorturl.at/quDYZ.

16 “Finance Rules.” Saudi Arabian Monetary Authority. Accessed July 29, 2020. shorturl.at/quDYZ.

17 “Insurance Rules and Regulations.” Saudi Arabian Monetary Authority. Accessed July 24, 2020. shorturl.at/vAFG7.

18 “Insurance Rules and Regulations.” Saudi Arabian Monetary Authority. Accessed July 24, 2020. shorturl.at/vAFG7.

20 Scott Campbell, Nicholas Edwards, Omar El Sayed, Jonathan Fried, Andrew Jennens, Sarosh Mewawalla, Kieron Zaman, and Reem Alsayegh. “GCC Quarterly Review - Q1 2020.” Lexology, April 1, 2020. shorturl.at/cjyGR.

21 “SAMA Issues Additional Licensing Guidelines for Digital Only Banks in Saudi Arabia.” Latham and Watkins, April 26, 2020. shorturl.at/sNS12.

22 Campbell, Scott, Nicholas Edwards, Omar El Sayed, Jonathan Fried, Andrew Jennens, Sarosh Mewawalla, Kieron Zaman, and Reem Alsayegh. “GCC Quarterly Review - Q1 2020.” Lexology, April 1, 2020. shorturl.at/rCRY0.

23 “High-Risk Jurisdictions Subject to a Call for Action – 21 February 2020.” Financial Action Task Force, February 21, 2020. shorturl.at/lyX47.

24 Pascu, Luana. “Iran Looks into Biometric Payments to Reduce Card Transactions.” Biometric Update. BiometricUpdate.com, November 4, 2019. shorturl.at/jquwP.

25 Zak, Monika. “An Update on Personal Data Protection Laws in the Middle East Region.” Research World, August 6, 2019. shorturl.at/opFQ0.

26 Blyth, Kellie, and Benjamin Slinn. “United Arab Emirates: New DIFC Data Protection Law - What You Need to Know and How to Prepare.” Lexology, June 8, 2020. shorturl.at/gmvU1.

27 “ADGM Enhances Guidance on Regulation of Crypto Asset Activities.” ADGM, Abu Dhabi’s International Financial Centre, July 14, 2020. shorturl.at/eiGS1.

28 “UAE: Abu Dhabi Global Market Updates Guidance for Regulation of Crypto-Asset Activities.” Vixio PaymentsCompliance, May 13, 2019. shorturl.at/nvCKN.

29 Gambhir, Divya Abrol, and Ashish Banga. “FinTech Space in the UAE.” Lexology, January 31, 2020. shorturl.at/lruJN.

30 Abuwasel, Abdulla. “UAE Remote Notarization/Attestation amidst COVID-19.” Lexology, May 11, 2020. shorturl.at/yBCU8.

31 Boustany, Mazen, and Samir Safar-Aly. “Guidance for the Financial Services Industry in the UAE.” Lexology, April 1, 2020. shorturl.at/adh24.

32 Hammad, Abdulrahman. “The ADGM Releases New Guidance about Robo-Advisory Regulation and Governance.” Lexology, October 8, 2019. shorturl.at/tuXZ5.

33 “Iraqi First Digital-Only Payment Card.” Iraq Business News, October 29, 2019. shorturl.at/zFNP3.

34 “The Central Bank Invites Banks and Electronic Payment Companies to Deploy ATMs and POS Points of Sale.” Central Bank of Iraq, July 2, 2019. shorturl.at/guwyI.

35 Janabi, Ahmed Al, Omar Aqrawi, Christopher Gunson, Saad Emran, and Peter Goepfrich. “Client Alert: Amendment to Iraqi Companies Law No. 21 of 1997.” Lexology, October 2, 2019. shorturl.at/vFX58.

36 “The Central Bank Decides to Extend the Suspension of the Promotion of Applications for Licensing Electronic Payment Companies.” Central Bank of Iraq, January 19, 2020. shorturl.at/cJTU5.

37 “The Central Bank Directs Banks to Provide Their Services by Mobile Phone.” Central Bank of Iraq, September 30, 2019. shorturl.at/aetMN.

38 “The Central Bank of Iraq Announces Controls on Corporate Governance and Institutional Management of Information and Communication Technology in the Banking Sector.” Central Bank of Iraq, May 19, 2019. shorturl.at/aDLT6.

39 “A Complete Guide to Mobile Banking in Qatar.” Expatica, July 8, 2020. shorturl.at/hiqsT.

40 Zmudzinski, Adrian. “Qatar Financial Centre Puts Blanket Ban on Cryptocurrency Businesses.” Cointelegraph. Cointelegraph, January 6, 2020. shorturl.at/fwxU5.

41 “Qatar Central Bank Launches Mobile Payment System.” Qatar Central Bank - Qatar Central Bank Launches Mobile Payment System, March 29, 2020. shorturl.at/nCHLV.

42 “Press Release about Closure of In-Person Money Exchange Locations.” Qatar Central Bank - Press release about Closure of In-Person Money Exchange Locations, March 26, 2020. shorturl.at/vwz25.

43 Chan, Simon. “Qatar’s New Anti-Money Laundering and Terrorism Financing Law.” Lexology, January 6, 2020. shorturl.at/ijsvZ.

44 “Legislations.” Qatar Financial Information Unit. Accessed July 29, 2020. shorturl.at/rKMP5.

45 “QFMA Issues Anti-Money Laundering and Combating Terrorist Financing Rules (AML/CFTR).” Accessed July 29, 2020. shorturl.at/czCQ8.

46 “Customer and Investor Protection Top Priority for QFC Regulatory Authority.” Qatar Financial Centre Regulatory Authority, April 2, 2019. shorturl.at/fgBH0.

47 “Guidelines for Financial Institutions on Managing AML/CFT Risks Linked to Covid-19 Virus.” Supervision and Control of Financial Institutions Division, May 31, 2020. shorturl.at/nvCJL.

49 Yaghi, Lana A., and Pawel Chudzicki. “COVID-19 Developments in Qatar.” Lexology, April 15, 2020. shorturl.at/cpzOR.

50 Phillips, Roger. “The Last Part of the Jigsaw? New Regulations for Insurance Intermediaries in Qatar.” Lexology, August 14, 2017. shorturl.at/CDFSU.

51 https://asiatimes.com/2020/09/pakistan-destined-for-terror-finance-blacklist

52 https://profit.pakistantoday.com.pk/2020/08/17/97940

53 https://www.sbp.org.pk/bprd/2019/C7-AML-CFT-Regulations.pdf

AFRICA

For financial institutions in African countries, regulatory compliance as it relates to digital ID authentication and verification can often seem like navigating the Sahara: an ever-changing and, at times, volatile landscape that offers more questions than answers. Relatively straightforward challenges that would have relatively straightforward solutions in regions where PSD2 and GDPR are in force take a more unsteady course in North, Central, and West Africa, where there is limited regulatory framework development and oversight in both the financial and technology sectors. South Africa stands as the lone country to have implemented GDPR-influenced data protection regulations. It is the continent’s exception to the rule.

On the other hand, North, Central, and West African countries are by no means financially or technologically anemic and have the potential to lead regional efforts in digitizing economies, increasing financial inclusion through mobile money payment systems, and creating open banking systems. In lieu of these government-led initiatives, African central banking systems, technology and financial agencies, and third-party stakeholders have stepped up efforts starting in the late 1990s to ensure a robust regulatory landscape that will foster financial technology innovation and aid in the enforcement against digital identity fraud and other forms of financial cybercrime.

As summed up in the 2019 Africa Guide to Financial Regulation from global law firm Clifford Chance, “African jurisdictions vary in their financial regulatory legislation and treatment of financial services activity, but the region’s drive for improved regulatory systems and the establishment of more effective regulatory frameworks has been on the rise in the past two decades.”1

This section of the report covers the following regions and countries in Africa: Algeria, Angola, Benin, Botswana, Burkina Faso, Burundi, Cameroon, Cape Verde, Central African Republic, Chad, Comoros, Democratic Republic of the Congo, Republic of the Congo, Djibouti, Equatorial Guinea, Eritrea, Ethiopia, Gabon, Gambia, Ghana, Guinea, Guinea-Bissau, Ivory Coast, Kenya, Lesotho, Liberia, Madagascar, Malawi, Mali, Mauritania, Morocco, Mozambique, Namibia, Niger, Nigeria, Rwanda, Sao Tome and Principe, Senegal, Seychelles, Sierra Leone, Somalia, South Africa, South Sudan, Sudan, Swaziland, Tanzania, Togo, Tunisia, Uganda, Zambia, and Zimbabwe.

A Note on Methodology

Nominal GDP rank does not correlate with regulatory robustness. Therefore, this list is not organized by nominal GDP rank.

ALGERIA

Country Overview

Financial institutions operating in Algeria will likely find a bare regulatory landscape raising more questions than answers. In a 2019 study of 142 countries from consumer research firm Comparitech, Algeria was ranked the "least cyber-secure" nation in the world.[2] The ranking is based on several criteria, including the number of financial malware attacks and the country's legislative robustness.

As of the publication of this report, the Central Bank of Algeria has not recently enacted any regulations or issued any legislation, decrees or circulars with regard to cybersecurity.

Delayed Implementation of the Algerian Authority of Personal Data Protection

On June 10, 2018, the Algerian government enacted national Law 18-07, thereby officially implementing a legal framework for the protection of personal data. Financial institutions operating in Algeria have had more than a year to become familiar with Law 18-07 and implement policies that establish and maintain compliance.

Additionally, the Law mandated the creation of a data protection authority, to be named the Algerian Authority of Personal Data Protection. According to Oxford Business Group, "Compliance with this new regulation requires the accomplishment of formalities before the Algerian Authority of Personal Data Protection as well as the implementation of technical and organizational measures for the protection of this data."[3] However, as of the publication of this report, the authority has not yet been established. Because no date has been given for its establishment, financial institutions with potentially non-compliant technical policies could already be in breach of statutes that are punishable by fines and imprisonment. Because the data protection authority does not yet exist to provide guidance or oversee implementation, financial institutions must be especially vigilant when developing payment service providers (PSPs), adopting digital ID systems, and implementing other electronic consumer services.

The Central Bank of Algeria remains the primary financial regulatory authority, but it is worth noting that, given the data protection authority's absence, there has been little oversight and enforcement from the Algerian government regarding regulatory non-compliance.

CENTRAL BANK
The Central Bank of Algeria is the primary regulatory authority for financial institutions in Algeria. In its own words, "The Bank of Algeria establishes the general conditions under which Algerian and foreign banks and financial institutions may be authorized to be incorporated in Algeria and to operate there."

DATA PROTECTION AUTHORITY
None yet. The Algerian Authority of Personal Data Protection has been mandated by the Algerian Parliament but is not yet active as of this report's publication.

Recently Enacted Regulations, Standards and Laws

As of the publication of this report, no regulations, standards, or laws have been enacted in Algeria within the past year, whether new legislation or amendments to existing legislation.[4]

Upcoming Regulations, Standards and Laws

As of the publication of this report, no announcements have been made regarding upcoming regulations, standards, or laws in Algeria.[5]

ANGOLA

Country Overview

The National Bank of Angola continues to draft and implement regulations related to data protection and personal privacy, but lags behind many other African countries in regard to regulatory and technical oversight of cryptocurrency and digital transformation. With that said, financial innovation seems to be a priority for the National Bank, with the selection of a mobile money operator for the country and the restructuring of the country's state-owned banks into private ownership, the latter of which will increase competition and provide a more amenable environment for potential FinTech investors. Additionally, the government has de-licensed several banks in a bid to clean up the country's financial sector by stopping high-level corruption and money laundering at financial institutions.

Selection of a Mobile Money Operator for Angola

On June 24, 2020, the National Bank of Angola issued a request for information (RFI) seeking a mobile money operator for the country's future instant money transfer system, simply coined Mobile Money. The operator selection is expected in September 2020. Financial institutions, therefore, can expect regulatory legislation specific to mobile payments and mobile app security at some point in the future. The RFI documentation can be accessed on the National Bank of Angola's website at https://www.bna.ao/Newsletter/anexos/RFI-STMI.pdf.

CENTRAL BANK
The National Bank of Angola is the central bank of Angola. It is state-owned and the Government of Angola is the sole shareholder.

DATA PROTECTION AUTHORITY
The Agencia de Protecao de Dados (APD) is the primary data protection authority in Angola. The agency was established in October 2019 through Law 22/11, and its purpose is "to control the treatment that public and private institutions, namely banks, hospitals and private clinics give to personal data."[6]

Recently Enacted Regulations, Standards and Laws

1. The Republic of Angola National Assembly Law No. 5/2020

The Law on Combating Money Laundering and the Financing of Terrorism and Proliferation of Weapons of Mass Destruction (Law No. 5/2020) revoked Law No. 34/11, enacted December 12, 2011, in order to strengthen the prevention and control duties applicable to financial institutions, along with other entities subject to the new law. The new law was enacted January 27, 2020, and enforcement began on January 28, 2020.

Key Highlights for Financial Institutions

According to Luanda-based international legal practice Miranda Alliance, the risk- based approach adopted by the National Bank of Angola has been strengthened through several changes to the original 2011 legislation:

• There is now an autonomous duty to carry out mandatory risk assessment. The relevant entities must implement any measures and controls deemed appropriate to identify, evaluate, understand and mitigate money laundering, the financing of terrorism, and the proliferation of weapons of mass destruction;

• Identification and due diligence duties are now applicable to occasional transactions executed via wire transfers in an amount of more than $1,000 (USD), in national or foreign currency;

• New rules have been established on simplified due diligence and enhanced due diligence measures applicable to cross-border transactions;

• The scope of the duty to communicate suspicious transactions in cash or wire transfers has been amended and is now applicable to transactions between $5,000 (USD) and $15,000 (USD), depending on the underlying operation;

• PSPs that control the ordering and reception of a wire transfer must consider the information received on the sender and the beneficiary in determining whether there is a duty to relay information relevant to the transaction.[7]

ETHIOPIA

Country Overview

Though Ethiopia has been hit especially hard by the COVID-19 pandemic and is requesting aid relief from the International Monetary Fund (IMF), the country has outlined forward-looking initiatives to expand financial inclusion through the development of electronic payments and mobile money providers. Financial inclusion in Ethiopia is currently limited, but the National Bank of Ethiopia intends to increase it by permitting non-banks to be alternative mobile money providers through the National Payment System Licensing and Authorization of Payment Instrument Issuers Directive No. ONPS/01/2020.[8] With registration of a standard license under the directive, "providers will be able to offer cash-in and -out; domestic remittances; bill payments; retail payments; over the counter transactions; and inward international remittances."[9] However, only Ethiopian-owned non-financial institutions are eligible for licensure under the directive, which has some experts predicting a delayed rollout of non-bank mobile money providers and a slow path to widespread financial inclusion.

CENTRAL BANK
The National Bank of Ethiopia is the central bank of Ethiopia, based in Addis Ababa.

Ethiopian Parliamentary Bill on the Regulation of Electronic Payments

In addition to this, the Ethiopian Parliament is drafting a bill for the regulation of electronic payments. According to a May 2020 press release from the Ethiopian House of People's Representatives, "The proclamation is intended to serve both computer literates and paper-based users equally as to the Minister [of Innovation and Technology]. It also aims to incorporate citizens into the new trend of cyber-based economy and to drag government structures into versatility so that good governance will be ensured."[10] A timeline for drafting and finalizing the bill has not been announced.

DATA PROTECTION AUTHORITY
As of the date of this publication, Ethiopia does not have a dedicated data protection authority.

Recently Enacted Regulations, Standards and Laws

1. Oversight of the National Payment System Licensing and Authorization of Payment Instrument Issuers Directive No. ONPS/01/2020

This National Bank of Ethiopia directive was issued March 31, 2020, in order to "promote the safety and efficiency of the payment system" in Ethiopia and went into enforcement April 1, 2020. The directive goes hand in hand with the Banking Business Proclamation (Amendment) No. 1159-2019, which added new licensing requirements in order to conduct digital banking business.

Key Highlights for Financial Institutions

• According to the National Bank of Ethiopia, “a person other than the licensed financial institutions, shall submit a complete application to NBE to get a license to issue a payment instrument. … Besides, based on written approval of the National Bank, a licensed payment instrument issuer under full responsibility of and written outsourcing agreement with regulated financial institutions and pension funds may be allowed to provide; micro-saving products, micro-credit products, micro-insurance products; or pension products.”

• Under the directive, a newly registered PSP must provide "a minimum capital deposit of ETB50 million ($1.5 million USD), central bank approval of key product executives, a five-year business plan, geographical rollout schedule and policies around security."

• Additionally, “New services could be subject to a three-month pilot phase assessed by authorities. The National Bank of Ethiopia [has] also set out transaction and balance limits reflective of the level of know-your-customer data collected on account holders.”

2. Banking Business Proclamation (Amendment) No. 1159-2019

The Banking Business Proclamation of 2008 was amended in late 2019 to ease certain legal restrictions and allow foreign nationals the opportunity to invest in the banking sector, while stipulating new restrictions in regard to digital services and giving the National Bank of Ethiopia more regulatory power.

Key Highlights for Financial Institutions:

• "No person shall transact banking business or provide digital financial services in Ethiopia without obtaining a banking business license or digital financial services license or authorization from the National Bank."

• "The National Bank may issue [a] Directive prescribing standards on banks' minimum-security measures."

• "Minimum conditions to provide digital financial services shall be determined by the National Bank Directive."

GHANA

Country Overview

The Bank of Ghana has published a forward-looking strategic plan addressing various planned initiatives through 2022. Ghana has the fastest-growing mobile money market on the continent. Though the Bank of Ghana plans to develop a digital currency pilot project to be launched in 2020, there is no legislation backing the trading and use of cryptocurrency in Ghana. Through these, and the Ministry of Finance's Financial Inclusion and Digital Payments Policies initiatives launched in May 2020, Ghana is poised for extensive regulatory reform in the future.

Currently, financial institutions operating in Ghana "are subject to extensive legislation and supervision. The BoG conducts periodic on-site and regular off-site examinations on regulated banks. The on-site visit is influenced by the off-site examination undertaken by the regulator." Additionally, the Bank "issues reports on the banks' concerns and expects corrective measures to be taken by these banks. Where the affected banks fail to remedy the matter set out in its report, the BoG may in the worst-case scenario revoke the license of the financial institution concerned."[11]

GhIPSS Sees Increase in Use and Will Undergo Significant Commercialization

The national payment system in Ghana, the Ghana Interbank Payment and Settlement Systems (GhIPSS), has seen a 51 percent increase in transactions on its platform compared with the same period last year, June 2019.[12] Much of this increase is due to updated COVID-19 policies in both the private and public sectors that require electronic payments in lieu of cash. Additionally, GhIPSS extended its fee waiver for users in June 2020.

From 2020 to 2024, "the Bank of Ghana will embark on the diversification of GhIPSS with regards to both operational mandate and its ownership base. As a result of this process, the share ownership structure of GhIPSS is expected to witness increased private sector participation, hence reducing its dependency on the central bank. This is according to the latest National Payment Systems Strategic Plan for 2019 to 2024. … It is envisaged that a commercialized GhIPSS, with widespread ownership by stakeholder institutions, will be able to establish versions of existing, innovative payment systems, being introduced by competing commercial banks through collaboration with financial technology firms (fintechs), but which are inter-operable, thus providing wider convenience and cheaper access – the latter through better economies of scale – for electronic payments platforms users."[13]

Additionally, GhIPSS launched its universal QR Code initiative earlier in 2020.[14]

CENTRAL BANK
The Bank of Ghana (BoG) is the central bank of Ghana, based in Accra. The bank's primary forward-looking objective is greater financial inclusion.

DATA PROTECTION AUTHORITY
The Data Protection Commission is the national data protection authority of Ghana. In its own words, "The Data Protection Commission (DPC) is an independent statutory body established under the Data Protection Act, 2012 (Act 843) to protect the privacy of the individual and personal data by regulating the processing of personal information."

Recently Enacted Regulations, Standards and Laws

1. Banking Amendment Act 2020 (Amending 2007 Banking Act)

The Banking Amendment Act 2020 amends several sections of the existing 2007 text.

Key Highlights for Financial Institutions

• “The duty of confidentiality imposed under this section shall not apply where (a) a customer who had been issued a credit card or charge card by a bank, has had the card suspended or cancelled by the bank by reason of default in payment, and the bank discloses information related to the customer’s name and identity, the amount of indebtedness and the date of suspension or cancellation of the credit card or charge card to other banks issuing credit cards or charge cards in Ghana.”

• “The Bank [of Ghana] may require that information supplied to it be verified, certified or otherwise authenticated in the manner that the Bank may consider fit.”

KENYA

Country Overview

Kenya is the third largest economy in Africa after Nigeria and South Africa. The Kenyan government has passed two pieces of legislation in the past year and lifted suspensions on another to foster a more robust regulatory environment across several industries, including financial services and commercial banks.

Historically, Kenyan authorities have been lax on AML/CFT enforcement, but the Central Bank of Kenya (CBK) recently flexed its regulatory muscles when it penalized the commercial bank Absa with a seven-day suspension on foreign exchange transactions in April 2020.[15] On the other end of the spectrum, the CBK has advised stakeholders to stay far away from cryptocurrency, possibly because the Bank is mulling over launching its own digital currency.

CENTRAL BANK
The Central Bank of Kenya is the primary regulatory authority for the financial sector in Kenya. In its own words, "The Central Bank of Kenya is responsible for formulating monetary policy to achieve and maintain price stability. The Central Bank also promotes financial stability; an effective and efficient payment, clearing and settlement system; formulates and implements foreign exchange policies; holds and manages foreign exchange reserves; issuing of currency; and is the banker for, adviser to and fiscal agent of the Government."

DATA PROTECTION AUTHORITY
Office of the Data Protection Commissioner (DPC). As of the publication of this report, the Kenyan government is in the process of recruiting a data protection commissioner. The Data Protection Act of 2019 mandates the establishment of this position.

Recently Enacted Regulations, Standards and Laws

1. COVID-19 Fee Moratorium

In March 2020, President Uhuru Kenyatta issued a directive via the Central Bank of Kenya telling mobile money platforms, such as M-Pesa, to forgo transaction fees for low value transactions, "and for banks to do the same for transfers to and from mobile money accounts."[16] The directive became effective on March 16, 2020.

2. Data Protection Act No. 24 of 2019

The Data Protection Act, 2019 (the "DPA" or the "Act") came into force on November 25, 2019. The Act regulates how and when personal data can be obtained, handled or disposed of. According to the law firm ENSAfrica, "the DPA was enacted to give effect to Articles 31(c) and (d) of the Constitution. The two clauses guarantee the protection of the privacy of personal information and communication. In that regard, the DPA provides for principles of data protection, rights of a data subject, requirements for collecting personal data and restrictions on handling personal data. … It is worth noting that there will be a tough balancing act between the data subjects' right to privacy and the necessity of using personal data to institute and defend claims in dispute resolution." Because there is no timeline for the appointment of a data commissioner, certain thresholds for mandatory compliance cannot currently be determined. This is because mandatory registration requires the Commissioner "to prescribe thresholds for mandatory registration and … to consider the nature of industry; the volumes of data processed; [and] whether sensitive personal data is being processed amongst other matters," according to the law.

3. The Business Laws (Amendment) Act, 2020

The Business Laws (Amendment) Act, 2020 was signed into law by the President on March 18, 2020 and introduced several significant changes to various existing laws, improving the ease of doing business.

Key Highlights for Financial Institutions

• Electronic signatures: Parties can now sign contracts using advanced electronic signatures, thus aligning the provisions of the Law of Contract Act, Cap. 23 (the "LCA") with those of the Kenya Information and Communications Act, 1998 (the "KICA"). While the KICA already made provision for the conducting of electronic transactions and the use of electronic signatures and advanced electronic signatures, application of these provisions has been unconventional. The new amendment will hopefully see parties embrace technology and conclude contracts virtually, making it more efficient to carry on business.[17]

4. Computer Misuse and Cybercrimes Act 2018: Suspended Provisions Lifted

When the Bloggers Association of Kenya (BAKE) disputed certain provisions of the Computer Misuse and Cybercrimes Act of 2018, the Kenyan government suspended said provisions until a decision was reached. In February 2020, the High Court of Kenya officially lifted the suspension of those provisions, thus putting them into enforcement.

Key Highlights for Financial Institutions

• According to ENSAfrica, "These provisions aim to regulate emerging technology issues such as the unauthorized interference of computer systems; intercepting the transmission of data, electronic messages or money transfers over telecommunication systems; publication of fake news; cyber harassment; cybersquatting; and the fraudulent use of electronic data, among others. ... As a matter of compliance, companies must now ensure implementation of effective cybersecurity measures that prevent unauthorized persons from accessing private data and restricted computer systems."[18]

For companies such as financial institutions and their employees, the now-active provisions "impose substantial fines and/or imprisonment upon conviction."[19] BAKE and other third parties may appeal the decision, but banks can safely anticipate, barring any further disputes or litigation, that regulations and subsidiary legislation will be published to guide compliance with and implementation of the Act.

MOROCCO

Country Overview

Moroccan financial institutions have very little regulatory guidance regarding electronic financial services and digital currency. There is no specific regulatory framework for Fintech businesses operating in Morocco, and many businesses, including financial institutions, must work within existing corporate laws to maintain compliance. In addition to this, any preliminary authorizations should be obtained from Bank Al-Maghrib and the Moroccan Capital Market Authority (AMMC).

In regard to e-signature legality, Moroccan Law No. 53-05 is extremely amenable to e-signature use and stipulates that "a handwritten signature isn't always needed for a contract to be considered credible, and that contracts can't be refused for simply being electronic."[20]

Morocco Accedes to International Data Protection Treaty Convention 108+

Morocco acceded to the first international data protection treaty, Convention 108, in May 2019, joining 54 other nations. The Convention and its additional Protocol entered into force in Morocco on September 1, 2019. Convention 108+ has the potential to become a global standard-setter in the field of data protection.[21]

CMI Morocco Launches Global Infrastructure for Contactless Mobile Payments

On June 15, 2020, the Interbank Electronic Banking Center of Morocco (CMI) announced plans to create a global infrastructure that would "allow merchants to accept all the digital payment instruments in circulation and to favor the contactless payment method."

The press release states that "[CMI] will make new, latest-generation payment terminals available to supermarkets, fast-food restaurants and service stations accepting interoperable mobile payments. Intended for all m-wallet users, they allow the electronic display of a QR code identifying the merchant and the transaction. The holder of the smartphone on which the m-wallet application is installed only has to scan this code to make his payment. These terminals also accept payments by mobile m-wallet in contactless NFC."[22]

In COVID-19 related news, CMI raised its transaction limit from 200 DH to 400 DH per transaction, effective as of late April 2020.[23]

CENTRAL BANK
Bank Al-Maghrib is the central bank of Morocco and supervises the financial sector.

DATA PROTECTION AUTHORITY
The National Commission for the Control of the Protection of Personal Data (CNDP) is the primary data protection authority in Morocco. In its own words, "The National Commission for the Protection of Personal Data (CNDP) was created by Law No. 09-08 of 18 February 2009 on the protection of individuals with regard to the processing of personal data. It is responsible for verifying that the processing of personal data is lawful, legal and that it does not infringe on private life, freedoms and fundamental human rights. The Commission is made up of personalities known for their impartiality, their moral probity and their competence in the legal, judicial and IT fields."

Other Financial Regulatory Bodies: Moroccan Capital Market Authority (AMMC)

Recently Enacted Regulations, Standards and Laws

1. Moroccan Data Protection Authority Deliberation No. D-113-2020

The Moroccan Data Protection Authority Deliberation No. D-113-2020 became effective on May 22, 2020. The Deliberation provides guidance on the processing of personal data in the context of the procedures implemented by the data controller to ensure adequate management of mail.

Key Highlights for Financial Institutions

In particular, “the Deliberation recommends, among other things, the adoption of a mail management policy setting the conditions for processing mail and guaranteeing the confidentiality and security of data processed and the adoption of security measures to safeguard data stored on paper and in electronic form. In addition, the Deliberation notes that data controllers must notify mail management activity to the CNDP and any transfer of data abroad.”

AFRICA - ONESPAN GLOBAL FINANCIAL REGULATIONS REPORT FOLLOW US    96 2. Moroccan Data Protection Authority Deliberation No. D-194-2019 of 08/30/2019 relating to a moratorium on facial recognition

The Moroccan Data Protection Authority Deliberation No. D-194-2019 became effective on August 30, 2019. Part of the deliberation provides guidelines relating to facial recognition, and on March 26, 2020, a moratorium was placed on the use of facial recognition technology. On March 30, 2020, the authority extended the moratorium on facial recognition to December 31, 2020.

Key Highlights for Financial Institutions

• The Deliberation proposes, among other things, that "data related to use and data related to authentication should not be stored together by the same entity, the use of sector-specific identifiers, while also addressing possible security measures."

MOZAMBIQUE

Country Overview

Mozambique does not have any legislation specific to general data privacy and protection. Mozambique's Constitution, however, establishes "the right to honor, good name, reputation, protection of [citizens'] public image and privacy". The Constitution of the Republic of Mozambique also imposes restrictions on disclosures of personal information to third parties.

Additionally, under the Electronic Transactions Law, "the person/entity responsible for processing electronic data, must protect personal data against risks, losses, unauthorized access, destruction, use, modification or disclosure. The Penal Code (Law No. 35/2014 of December 31) provides for certain computer-related crimes, such as intrusion through informatics, which is subject to imprisonment from two to eight years and a one-year fine."[24] Fraud committed electronically is subject to imprisonment for at least one year and a corresponding fine. However, given that Mozambique has neither specific data protection laws nor a specific authority responsible for overseeing data protection matters, enforcement of data protection-related matters is minimal.

CENTRAL BANK
The Central Bank of Mozambique is the primary regulatory authority supervising the financial sector in Mozambique.

DATA PROTECTION AUTHORITY
None. A dedicated data protection authority has not yet been established in Mozambique.

Recently Enacted Regulations, Standards and Laws

1. Circular No. 03/DNRN/027.15/2020

This circular suspends certain acts granted to notary offices, except for the following: issuance of powers of attorney for the purpose of alimony, survival, forensic, and other urgent matters; granting of public deeds, of urgent character, involving no more than 3 persons; and issuance of deeds of authentication restrictions.

NIGERIA

Country Overview

Nigeria has neither blocking statutes nor any general privacy laws, other than the general constitutional right to the privacy of homes, correspondence, telephone conversations and telegraphic communications. With that said, Nigeria's plans for a digital payment system will be implemented through 2030 under its Payment Systems Vision (PSV) 2030 policy guidance. Nigeria also has plans to be the open banking capital of Africa by prioritizing open banking in its new strategy.[25]

Although there is currently no comprehensive regulatory framework for FinTech services and operations in Nigeria, some Central Bank of Nigeria (CBN) and National Information Technology Development Agency (NITDA) regulations have effect on the industry, albeit very narrowly.

Nigeria's legislative bodies actively passed several pieces of legislation related to data privacy, payment systems, and cybersecurity in 2019 and 2020, indicating the country's dedication to a more digitally friendly and financially inclusive society.

CENTRAL BANK
The Central Bank of Nigeria is the primary regulatory authority for Nigeria. In its own words, "The CBN Act of 2007 of the Federal Republic of Nigeria charges the Bank with the overall control and administration of the monetary and financial sector policies of the Federal Government."

DATA PROTECTION AUTHORITY
The National Information Technology Development Agency (NITDA) is a public service institution established by the NITDA Act 2007 as the information and communications technology (ICT) policy implementing arm of the Federal Ministry of Communication of the Federal Republic of Nigeria.

Other Financial Regulatory Bodies: The Economic and Financial Crimes Commission (EFCC) is a Nigerian law enforcement agency that investigates financial crimes such as advance fee fraud and money laundering.

Recently Enacted Regulations, Standards and Laws

1. Data Protection Regulation Implementation Framework

In July 2019, NITDA published the Data Protection Regulation Implementation Framework to help entities apply the Nigeria Data Protection Regulation (NDPR).

Key Highlights for Financial Institutions

• The NDPR "limits the power of data controllers to share that data for anything that is not to the benefit of the owner of the data. It also restricts the ability of controllers to transfer data to another country, particularly countries with weaker data protection laws. In addition, certain industries have had data protection regulation from their own regulating bodies, and there is a requirement that information must not be transferred to any party except as otherwise permitted or required by other applicable laws or regulations."

2. Central Bank of Nigeria Anti-Money Laundering and Combating the Financing of Terrorism Amendment Act 2019

This act, published October 7, 2019, amends several dozen provisions of the original 2013 text. Several amendments address KYC requirements, customer due diligence measures, and identity verification.

3. COVID-19 Response Measures

The Central Bank of Nigeria issued several orders and directives in response to COVID-19.

Key Highlights for Financial Institutions

• Check-clearing suspension lifted: The Central Bank of Nigeria lifted the temporary suspension on check-clearing on April 27, 2020.

• A one-year extension of a moratorium on principal repayments for CBN intervention facilities: “All CBN intervention facilities are hereby granted a further moratorium of one year on all principal repayments, effective March 1, 2020. This means that any intervention loan currently under moratorium are hereby granted additional period of one year. Accordingly, participating financial institutions are hereby directed to provide new amortization schedules for all beneficiaries.”

• Commencement of a three-month repayment moratorium for all TraderMoni, MarketMoni and FarmerMoni loans.

• Similar moratorium to be given to all Federal Government funded loans issued by the Bank of Industry, Bank of Agriculture and the Nigeria Export-Import Bank.

• NIS payment waiver for visitors affected by travel ban: On April 16, 2020, the Nigeria Immigration Service (NIS) announced the grant of a payment waiver to visitors and migrants affected by the travel ban and the closure of international airports. Affected persons are expected to reschedule their flights and travel within a week of the suspension of the restriction.

4. Circular and Operation for the Regulation of Indirect Participants in the Payment System

On October 10, 2019, the Central Bank of Nigeria issued a circular that took effect on November 11, 2019. The objectives of the circular, as stated in the legislation, are to:

• Set out the procedures for effective integration of indirect participants in the payments system in Nigeria;

• Standardise the operation of indirect participants in the payments system, taking into cognisance their operational risks;

• Provide a mechanism and framework for the clearing and settlement of indirect participants’ payment instruments through the direct participating banks;

• Strengthen indirect participants for effective contribution to digital financial services in Nigeria.

5. Circular on Pre-Authorization of Cards in Nigeria

On December 30, 2019, the Central Bank of Nigeria issued a circular that immediately took effect. However, the circular stipulated that the deadline for full compliance was July 31, 2020. The objective of the circular as stated by the CBN is “to facilitate the development of the Nigerian payments system and deepen the adoption of various electronic payment options available to users.”

6. Revised Guide to Charges by Banks, Other Financial and Non-Bank Financial Institutions

In December 2019, the Central Bank of Nigeria released a revised guide to provide a basis for the application of charges on various products and services offered by banks and other regulated institutions under the Bank’s purview. The revised guide provides new information in response to further evaluation of the financial industry in Nigeria. The revisions to the guide took effect on January 1, 2020. Some of the new information includes:

• Downward review of charges for electronic banking transactions;

• Review of other bank charges to align with market developments; and

• Inclusion of new sections on Accountability/Responsibility and a Sanction Regime to directly address instances of excess, unapproved and/or arbitrary charges.

7. Exposure Draft of the Guidelines for the Regulation and Supervision of Microfinance Banks in Nigeria 2020

On March 3, 2020, the Central Bank of Nigeria issued an exposure draft for new guidelines regulating the microfinance industry in Nigeria. The draft builds on the Revised Supervisory and Regulatory Guidelines for Microfinance Banks in Nigeria passed in 2012. As of the publication of this report, the public comment and observation period is ongoing. A date for final publication has not been announced. The guideline covers ownership and licensing requirements, permissible and prohibited activities, funding, corporate governance, prudential and anti-money laundering requirements, among other topics.

8. Nigerian Payments System Risk and Information Security Management Framework

In January 2020, the Central Bank of Nigeria issued this new framework after it spent several years in draft form, starting in 2007. The framework aims to guide the management of risks associated with payment systems in Nigeria.

“This Framework is designed to guide the operators and users of the payment systems across Nigeria. These systems may be organized, located, or operated within Nigeria domestic payments, outside Nigeria offshore payments, or both cross-border payments and may involve currencies other than the Naira or non-Naira systems and multi-currency systems.”

9. Revised Guide to Regulation on Electronic Payments and Collections for Public and Private Sectors in Nigeria

On September 10, 2019, the Central Bank of Nigeria issued this as a revision to the Guidelines on Electronic Payment of Salaries, Pensions, Suppliers and Taxes in Nigeria (2014). The revised regulations are intended to guide the end-to-end electronic payment of salaries, pensions and other remittances, suppliers and revenue collections in Nigeria.

10. Reviewed and Approved Guidelines on Operations of Electronic Payment Channels in Nigeria 2020

These guidelines were issued in June 2020. The objective of these new guidelines, which revise the 2016 Guidelines on Operations of Electronic Payment Channels in Nigeria, is “to promote and facilitate the development of efficient and effective systems for the settlement of transactions, including the development of electronic payment systems.”

11. Revised Standards on Nigeria Uniform Bank Account Number (NUBAN) for Banks and Other Financial Institutions

On March 9, 2020, the Central Bank of Nigeria issued revised standards on the uniform bank account number for financial institutions. The standards took effect on April 20, 2020, but have a deadline of March 15, 2021, for full compliance. In the words of the Central Bank, “it is imperative that the scope of the Standards be expanded to include the OFIs … It is in this regard that the Revised Standards on Nigeria Uniform Bank Account Number Scheme for banks in Nigeria was revised to include OFIs.” In this case, OFI stands for “Other Financial Institution”.

SOUTH AFRICA

Country Overview South Africa has the most extensive and innovative regulatory and legislative framework of all African countries. This is in part due to the adoption of the Protection of Personal Information Act in 2013, a sweeping legislative initiative meant to strengthen consumer protection in the region. It is so comprehensive, in fact, that it won’t fully go into effect until 2021.

South Africa is poised to set the example on cryptocurrency regulation for the rest of the continent. The Reserve Bank of South Africa has introduced new regulations stipulating how people “can and should” hold cryptocurrency. The new regulations went into effect in early 2020 after a more than five-year consultation period.

CENTRAL BANK: South African Reserve Bank (SARB)

DATA PROTECTION AUTHORITY: Office of the Information Regulator

Other Financial Regulatory Bodies: Economic and Financial Crimes Commission (EFCC)

South Africa Prepares Digital Payments System for Modernization and Consumer Use

In late 2019, the South African Reserve Bank announced plans to replace its current digital payment system with a new system that will expand its user base from strictly B2B transactions to include low-value P2P consumer transactions. According to recent announcements from the South African Reserve Bank (SARB), the bank is “working with PASA and BankservAfrica to modernize three core payments systems — SAMOS, bulk EFT credit and debit settlement, and the RTC system. They are also looking to improve interoperability, for example through ISO 20022 migration and QR code standardization for mobile payments.”26 A timeline for standards implementation has not yet been announced.

Recently Enacted Regulations, Standards and Laws

1. Protection of Personal Information Act 2013 (POPIA) will not go into full effect until June 2021

The South African Reserve Bank (SARB) has encouraged proactive compliance with POPIA regulations as they currently exist in draft form. However, as of the publication of this report, POPIA’s commencement date was July 1, 2020, and the one-year grace period for full compliance has begun.27 The South Africa Information Regulator will begin enforcing POPIA one year after the commencement date. Financial institutions not already in compliance with all POPIA provisions should prepare for full compliance by June 30, 2021.

Here is what has gone into effect in 2019 and 2020 and what Financial Institutions can expect from POPIA next year.

POPIA in 2019: On December 14, 2018, the South African Information Regulator, the organizational body charged with legislating and enforcing POPIA (as mandated by the Act itself in 2013), published a largely administrative portion of POPIA which has been dubbed “final POPIA Regulations.” It includes only eight pages of regulations and guidance and 35 pages of administrative forms and for the most part, won’t help financial institutions navigate and implement POPIA. For reference, the scant guidance provided covers the following:

• Request for Data Subject’s consent to process personal information

• Submitting complaints

• Settling complaints

• Issuing a Code of Conduct

The commencement date of the final POPIA Regulations published in late 2018 aligned with the POPIA commencement date of July 1, 2020. Because the final regulations were ready by late 2018, regulators and stakeholders had expected POPIA to be finalized sometime in 2019. This would have meant the enforcement period would begin in 2020. However, movement on POPIA regulations was relatively quiet up until the end of 2019, when key executive positions for the Information Regulator were finally filled. Authorities involved with developing POPIA felt the organizational body enforcing POPIA should be fully functional before commencement began.

POPIA in 2020: POPIA officially commenced on July 1, 2020. There is a one-year grace period to comply with POPIA and newly enacted sections of the Act.28 The sections that will commence on July 1, 2020, are:

• Sections 2-38 dealing with exclusions and the conditions for lawful processing of personal information;

• Sections 55-109 dealing with the responsibilities of information officers, direct marketing (unsolicited electronic communications), relevant Codes of Conduct and enforcement mechanisms (offences, penalties and administrative fines); and

• Section 114(1), (2) and (3) which deals with transitional arrangements.29

POPIA in 2021: Once POPIA goes into full effect on July 1, 2021, the final sections of the act will become effective immediately.30 The sections that will commence on June 30, 2021, are:

• Sections 110 and 114(4), which deal with the amendment of laws and the transfer of functions from the South African Human Rights Commission to the Information Regulator regarding the Promotion of Access to Information Act (PAIA).

Penalties for Non-Compliance: POPIA makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.31

Key Highlights for Financial Institutions

• Several organizations have committed to voluntary and proactive compliance with POPIA. Though there will be a one-year grace period after the new legislation comes into effect in its entirety, businesses are advised to start complying with the provisions of POPIA as soon as possible.

• Controllers (which are referred to as responsible parties in South Africa) must conclude mandate agreements with processors (which are referred to as operators in South Africa).

• Processors/operators may act only in accordance with the terms of those agreements.

• Controllers/responsible parties are ultimately responsible for compliance with POPIA.

• Processors may be liable under GDPR to pay damages and administrative fines for noncompliance with GDPR. POPIA does not provide for similar fines in respect of operators.32

1 “Guide to Financial Regulation in Africa,” Clifford Chance, October 11, 2019, shorturl.at/boDPQ.

2 Paul Bischoff, “Which Countries Have the Worst (and Best) Cybersecurity?,” Comparitech, March 3, 2020, shorturl.at/quGM6.

3 “Summary of Relevant Laws and Regulations for Investors in Algeria,” Oxford Business Group, August 28, 2019, shorturl.at/ijqRT.

4 Bank of Algeria - Banque d’Algérie, accessed July 24, 2020, shorturl.at/cjnpF.

5 Bank of Algeria - Banque d’Algérie, accessed July 24, 2020, shorturl.at/abkST.

6 Xavier Antonio, “Data Protection Agency Already in Office,” Jornal de Angola, October 9, 2019, shorturl.at/sEHP3.

7 “New Rules on Anti-Money Laundering, Financing of Terrorism and Proliferation of Weapons of Mass Destruction,” Miranda Alliance, February 24, 2020, shorturl.at/fzPU5.

8 Paul Golden, “Lack of Licensing Clarity Tempers Ethiopian Mobile Money Optimism,” Euromoney, June 19, 2020, shorturl.at/luDPR.

9 Chris Donkin, “Ethiopia Opens Mobile Money to Newcomers,” Mobile Money Live, April 1, 2020, shorturl.at/qACPU.

10 “FDRE House of Peoples’ Representatives,” FDRE House of Peoples’ Representatives, May 6, 2020, shorturl.at/egmzX.

11 Theophilus Tawiah, “Banking Regulation in Ghana,” April 4, 2019, shorturl.at/sGKPX.

12 “Express Direct Credit Records 51% Growth in Q1,” Ghana Interbank Payment and Settlement Systems Limited, 2020, shorturl.at/ftwNX.

13 “GhIPSS to Undergo Diversification,” GhanaWeb, January 20, 2020, shorturl.at/nyWY3.

14 “GhIPSS Launches Universal QR Code Payment Solution in Partnership with HPS,” HPS, May 14, 2020, shorturl.at/dkqV3.

15 Lameez Omarjee, “Central Bank of Kenya Suspends Absa Kenya’s Forex Dealer Licences,” Fin24, April 9, 2020, shorturl.at/zJN23.

16 Central Bank of Kenya (@CBKKenya), “Press release: Emergency Measures to Facilitate Mobile Money Transactions,” Twitter, March 16, 2020, 7:33 AM, shorturl.at/oHRWY.

17 Binti Shah, “Kenya: Key Highlights of the Business Laws (Amendment) Act, 2020,” April 7, 2020, shorturl.at/axKRW.

18 Mahesh Acarya and Neema Oriko, “Kenya’s Computer Misuse and Cybercrimes Act, 2018: Suspended Provisions Now Effective,” February 21, 2020, shorturl.at/qFX67.

19 Demas Kiprono, “Cybercrime Laws Blow to Freedom of Expression,” The Standard, March 6, 2020, shorturl.at/epxA2.

20 “Electronic Signature Legality Guide in Morocco,” emSigner, accessed July 24, 2020, shorturl.at/aoGJL.

21 “Council of Europe,” Council of Europe, May 28, 2019, shorturl.at/oOPUW.

22 “CMI,” CMI (Central Bank of Morocco), June 15, 2020, shorturl.at/ayS67.

23 “CMI,” CMI (Central Bank of Morocco), April 30, 2020, shorturl.at/jvxW1.

24 “Law in Mozambique,” DLA Piper Global Data Protection Laws of the World, 2020, shorturl.at/gqxSV.

25 “Nigeria to Pioneer Open Banking in Africa, Joins the UK, Others,” Open Banking Nigeria, June 30, 2019, shorturl.at/djoY6.

26 Robin Arnfield, “South Africa’s Digital Payments Plan Takes a Page from India’s UPI,” PaymentsSource, October 15, 2019, shorturl.at/fkL27.

27 Robert Kayihura and Shivani Naidoo, “An Update on South Africa’s 2013 Protection of Personal Information Act,” Lexology, July 24, 2020, shorturl.at/fvJTX.

28 Admire Moyo, “No More Hiding as POPI Act Kicks off on 1 July,” ITWeb, June 23, 2020, shorturl.at/fjkT7.

29 “This Is When South Africa’s New Personal Information Laws Will Come into Effect – What You Need to Know,” BusinessTech, June 22, 2020, shorturl.at/jpBOU.

30 John Giles, “When Is the POPIA Deadline in South Africa?,” Michalsons, July 3, 2020, shorturl.at/fqvTV.

31 Paul Mullon, “Offences, Penalties and Administrative Fines,” POPI Act Compliance, 2020, shorturl.at/knuBR.

32 Angela Itzikowitz, Era Gunning, and Suemeya Hanif, “The Legal Implications of South Africa’s Coronavirus National Disaster: Booking Repayments and Data Protection,” Lexology, March 16, 2020, shorturl.at/pxOW6.

ASIA-PACIFIC

Of all the regional markets driving digital transformation at the regulatory level, the Asia-Pacific (APAC) region is leading the pack in strides. Banks and financial institutions operating in most Asia-Pacific region countries are implementing highly innovative digital services facilitated in part by national regulatory initiatives around legislation and policy. Asia, in particular, is extremely financially progressive and fintech friendly. In fact, Singapore has the most robust financial services regulatory framework and the most active national legislators and authorities of any developed country, not just in the region but in the world. The Monetary Authority of Singapore is extremely active in legislating and is constantly issuing new regulations around a variety of issues in the financial services sector, including multi-factor authentication and other security initiatives.

The Asia-Pacific region is also the leader in open banking regulations and fintech investment, though many investors remain wary of the financial services industry there. Because open banking continues to grow, national governments in the region have aligned and continue to align with international security standards such as Basel III implementation. Additionally, Asian countries such as Japan have begun developing basic principles and determining the risk around AI use in multiple sectors, including financial services. But perhaps most concerning to traditional banks and financial institutions is technology giants amassing enough support to completely reshape digital payments, loans, banking and wealth and asset management.

Australia and New Zealand, however, have some catching up to do. While New Zealand is exploring the possibility of adopting PSD2 through national legislation, Australia has made the puzzling decision not to adopt PSD2. Because of this, open banking in those countries remains minimal with no regulations or standards to guide entities.

AUSTRALIA

Country Overview

Australia may be known as a laid-back country famous for sand, surf and sun, but the country is a crucial strategic partner to its regional neighbors in the realms of financial services innovation and digitization. Australia has formed several partnerships throughout the Asia-Pacific region, namely with the other top financial centers, including Singapore and Hong Kong. Australia’s financial services regulations remain some of the most robust in the region. Of note is the country’s “buy now pay later” sector of the financial services industry and its growth over the past three years. The Australian Financial Industry Association recently published a code for self-regulation of the sector, but that in turn has been criticized by the Australian Securities and Investment Commission. This self-imposed regulatory approach to industry checks and balances has worked well in bracing Australia’s banks for the COVID-19 pandemic.

Australia is dominated by four big banks that hold more than 35 percent of the market share of the finance industry; however, there are 53 banks operating in Australia and only 14 are owned by Australians. Australia doesn’t have any state-owned banks. This could be a factor for the lukewarm reception the country’s open banking initiative has received among established financial services providers and banks. Regardless, the country’s national payments system, or the New Payments Platform (NPP), continues to innovate with integrated billing, mobile payments and streamlined payments, and the insurance sector in particular has plans for greater digital distribution.1 Since the program’s launch in 2018, it has experienced exponential growth.

CENTRAL BANK: The Reserve Bank of Australia (RBA) is Australia’s central bank charged with issuing the country’s currency and maintaining economic stability. The Reserve Bank’s Payments System Board governs and develops payments system policy.

For the next few years, Australia’s financial services sector will continue to prepare for a primarily cashless society, while using data to determine customer needs.

Other Federal Financial Regulatory Bodies The Australian Competition and Consumer Commission (ACCC) is a regulatory commission operating under the Department of the Treasury. The Commission is mandated with protecting consumer and business rights, industry regulation, and preventing anti-competitive market and business practices.

The Australian Securities and Investments Commission (ASIC) is the supervisory body overseeing the country’s securities market. The commission primarily enforces trading practices and laws against misconduct in the financial sector.

The Council of Financial Regulators is an independent coordinating body for the country’s main financial regulatory agencies. The members are the RBA, ASIC, the Australian Prudential Regulatory Authority (APRA), and the Department of the Treasury.

The Department of the Treasury is Australia’s main economic policymaker. The Treasury, as it’s called, is also responsible for the nation’s federal budget and market regulation.

The Office of the Australian Information Commissioner’s (OAIC) Privacy Commission is the national data protection agency that enforces the country’s Privacy Act and other related privacy laws. The commission dispenses guidance to entities regarding Privacy Act compliance.

Laws and Regulations

1. ACCC Competition and Consumer (Consumer Data Right) Rules 2020 and Open Banking Initiative

On February 4, 2020, the Australian Competition and Consumer Commission (ACCC) published the final rules for competition and consumer data rights applicable to consumers seeking financial services. The final rules address consumers’ rights to request personal data and data holder obligations in response to personal data requests. The new rules also give citizens greater access and control over personal data. Additionally, a “data portability right” has been added to the rules to enable consumers to direct companies to share personal data with third parties. The rules apply to individual and business consumers. It is worth noting that their first revision took place in June 2020. Those amendments clarified rule objectives.

A phased roll-out of the rules under a national open banking initiative began with four banks on July 1, 2020, starting with sharing of “product reference data” with accredited data recipients. Mortgage and personal loan data sharing began November 1, 2020. Before that happens, however, the ACCC is assessing the results of a months-long consultation process that ended in September 2020. The consultation inquiry sought feedback from industry stakeholders and consumer privacy advocates regarding “write” access to allow customers to manage and apply for products related to open banking and payment transactions through open APIs. Recommendations based on the inquiry will be published sometime in late 2020.

The rules officially went into force on August 5, 2020, and data standards under the law go into force in November 2020. All banks in the country have until July 2021 to comply with mandatory consumer data-sharing obligations under the new rules.

Key Highlights for Financial Institutions

• Screen Scraping: In response to industry concerns over screen scraping, the ACCC has indicated it is not inclined to outlaw screen scraping for open banking. ACCC authorities have acknowledged that while screen scraping presents “inherent risks,” there is no evidence of “consumer detriment” in practice.2 In September 2020, the Senate Select Committee on Financial Technology and Regulatory Technology published an interim report. Included is the recommendation that the “Australian Government maintain existing regulatory arrangements in relation to digital data capture” (screen scraping).

• Minimum Controls for Multifactor Authentication: Under the bill’s section on minimum requirements for information security controls, “multi-factor authentication or equivalent control is required for all access to CDR data.” This doesn’t apply to consumers seeking information on collection and use of their personal data.

• Minimum Controls for Password Authentication: Under the bill’s section on minimum requirements for information security controls, “Strong authentication mechanisms are enforced prior to allowing users to access systems within the CDR data environment, including, but not limited to, general security requirements relating to password complexity, account lockout, password history, and password aging.”

2. CDR Privacy Safeguard Guidelines

On July 29, 2020, the Office of the Australian Information Commissioner published the second version of the Consumer Data Right (CDR) Privacy Safeguard Guidelines. The guidelines outline requirements for privacy safeguards related to consumer data rules and best practices for privacy. There are 13 privacy safeguards that establish standards in relation to data collection and use:

• Open and transparent management of CDR data

• Anonymity and pseudonymity

• Collecting CDR data from CDR participants

• Notifying of the collection of CDR data

• Use of CDR data by accredited data recipients

• Overseas disclosure of CDR data

• Adoption or disclosure of government related identifiers

• Notifying of the disclosure of CDR data

• Quality of CDR data

• Security of CDR data and de-identification

• Correction of data

3. Corporations Coronavirus Economic Response Determinations of 2020: Electronic Documents

On May 6, 2020, the Australian treasurer issued its first determination permitting the execution of electronic documents in the course of corporate business. Due to the determination’s popularity, the Treasurer issued a third determination on September 21, 2020, extending the legality of the use of electronic documents.

Key Highlights for Financial Institutions

• Document Execution and Identity Verification: According to the section of the determination regarding the execution of company documents, it states: “A company may also execute a document without using a common seal if each person specified in paragraph 127(1)(a), (b) or (c), as the case requires, of the Act either: (a) signs a copy or counterpart of the document that is in a physical form; or (b) complies with subsection (4) of this section in relation to an electronic communication (within the meaning of the Electronic Transactions Act 1999).” Additionally, “the copy, counterpart or electronic communication must include the entire contents of the document, but need not include the signature of another person signing the document nor any material included in the document because of subsection (4) of this section. A person complies with this subsection if: (a) a method is used to identify the person in the electronic communication and to indicate the person’s intention in respect of the contents of the document; and (b) the method: (i) is as reliable as appropriate for the purpose for which the company is executing the document, in light of all the circumstances, including any relevant agreement; or (ii) is proven in fact to have fulfilled the functions described in paragraph (a), by itself or together with further evidence.”

Policy and Legislation

1. Anti-Money Laundering and Counter-Terrorism Financing Rules Amendment Instrument 2020 (No. 2)

On May 6, 2020, the Anti-Money Laundering and Counter-Terrorism Financing Rules of 2007 were amended to include provisions allowing data controllers to adopt “alternative identity checking processes” in cases where customer identification isn’t possible or when customers don’t possess necessary documents or information proving identity. The publication of these rules is primarily due to circumstances for consumers in the wake of the COVID-19 pandemic.

Key Highlights for Financial Institutions

• Customer Identification: The rules state that “If a reporting entity is required, in accordance with its applicable customer identification procedure, to verify information based on the original, or a certified copy or certified extract, of a document but cannot do so because of COVID-19 Pandemic measures, then it may rely on a copy of the document in accordance with its risk-based systems and controls.”

• Types of Alternative Identity Proofing: The rules state that “Alternative identity proofing processes could include, but are not limited to, acceptance of multiple types of secondary identification documents where normally a primary identification document would be required.”

• Self-Attestation: The rules state that “If a reporting entity is unable to establish the identity of a customer in accordance with paragraph 4.15.1 or 4.15.1A, then it may accept a self-attestation from the customer certifying that the information provided in relation to their identity is true and correct.”

• Customer Due Diligence: The rules state that “A reporting entity must apply appropriate levels of ongoing customer due diligence in order to identify, mitigate and manage any ML/TF risk associated with customer identities established using self-attestation.”

2. NPP Mandated Payments Service Overview

On May 6, 2020, the New Payments Platform Australia (NPP) published an overview of its Mandated Payments Service (MPS) payments platform. The document outlines key features of MPS and refers to customer authentication and authorization.

Key Highlights for Financial Institutions

• Customer Authentication: The NPP states in the document that “customer authorization is at the core of the MPS” and details best practices for authentication: “customer’s explicit authorization is required for any payments to be initiated on their account by a third party, and performing authorization within a customer’s banking channel benefits from the bank’s secure authentication practices which are already in place today.”

• Corporations Fintech Sandbox Australian Financial Services License Exemption Regulations: On May 28, 2020, the federal government published these regulations in the national register. The regulations provide exemptions from the Australian Financial Services License (AFSL) and Australian Credit License (ACL) requirements to allow for a Fintech regulatory sandbox.

3. Cybersecurity Strategy 2020

On August 5, 2020, the Australian Department of Home Affairs published the Australian Cyber Security Strategy 2020, last revised in 2016. The strategy addresses cyber security measures to be implemented during the next several years.

Key Highlights for Financial Institutions

• Update to National Identity Security Strategy: In its Cyber Security Strategy 2020, the OAIC indicates plans to work with states and territories to update the National Identity Security Strategy, last revised in 2012. As of the publication of this report, a timeline for strategy revision has not been announced.

4. Amendment of the Security of Critical Infrastructure Act 2018

On September 16, 2020, the Department of Home Affairs ended a five-week consultation seeking feedback on the Protecting Critical Infrastructure and Systems of National Significance Consultation Paper, which outlines a package of key reforms as part of the country’s Cyber Security Strategy 2020. Reform plans call for an amendment to the Security of Critical Infrastructure Act 2018 that will enhance cybersecurity obligations for entities, including banks, and mandate government assistance to entities in response to infrastructure-wide cyberattacks.

ASIA PACIFIC - ONESPAN GLOBAL FINANCIAL REGULATIONS REPORT FOLLOW US    108 Responses to the consultation have not yet been published, the operation of a federated digital identity ecosystem as and a timeline for official changes and enforcement has not soon as possible. The Trusted Digital Identity Framework been announced. will provide rules and standards for the country’s digital identity program. It provides four levels of identity 5. Australian Payments Network (AusPayNet)TrustID proofing and defines requirements for identity system Framework Governance operation.

On August 13, 2020, the Australian Payments Network • Amendments to Legislation: The Corporations Act 2001 (AusPayNet) launched a consultation seeking feedback on and other relevant legislation and regulations will be procedures and policies surrounding the proposed TrustID amended in order to allow for the electronic signature Framework, which will provide rules and regulations for and execution of legal documents and to enable the organizations. AusPayNet describes the TrustID Framework witnessing of official documents via videoconferencing or as “an open, contestable framework that can be used by other secure technological means. different organisations to offer a range of interoperable • National CDR Authority: The Australian Government will identity services to individuals and private sector entities.” establish a new national body to serve as regulator for the

Consumer Data Right body. As of the publication of this The consultation ended September 8, 2020. A date for report, a timeline for an official launch of the authority implementation of the new framework has not been has not been announced. For the time being, the ACCC is announced. the lead CDR regulator.

6. Australian Data Standards Body Joint Account Guidance • Rules for accessing CDR Banking Data: The Australian November 2020 Implementation Expectations Competition and Consumer Commission, or the new On August 25, 2020, the Australian Data Standards Body proposed national Consumer Data Right (CDR) body, published guidance on joint bank accounts to support data are expected to finalize the rules for intermediary and controllers in addressing concerns regarding the Consumer third-party access to CDR banking data by late 2020 and Data Right 2020 rules and data standards relating to enable intermediaries to enter the CDR ecosystem as consumer accounts. soon as possible thereafter.

7. Select Committee on Financial Technology and Regulatory Technology Interim Report On September 7, 2020, the Australian Senate’s Select Committee on Financial Technology and Regulatory Technology published an interim report detailing issues previously raised regarding Fintech and regtech. The Committee provides 32 recommendations to both industries regarding tax, regulations, access to capital, skills and talent, and culture, as well as the impact of COVID-19 on technological innovation in the sector.

Key Highlights for Financial Institutions

• Remote Access to Financial Services: The Committee explicitly states that remote access to financial services and digital payments are key issues in the Fintech regulatory landscape.

• Digital Signature During COVID-19: The Committee details a recent statement from the Law Council of Australia explaining difficulties regarding executing signatures in the wake of the COVID-19 pandemic. The Committee reminded stakeholders that the Corporate Act determination issued in May 2020 by the Treasurer extends the legality of electronically executed documents through March 21, 2021.

• Digital Identity Reforms: Digital identity reforms by the Digital Transformation Agency will be accelerated in order to deliver a national, economy-wide framework for

HONG KONG

Regional Overview

Hong Kong is one of the premier international financial centers in Asia. If you have business in China, then you can safely say you have business in the city of Hong Kong. Designated as a “special administrative region” of the People’s Republic of China, Hong Kong’s population is dense and extremely diverse. And its financial services sector has experienced consistent growth during the past decade, now accounting for approximately 20 percent of the city’s GDP.3

While traditional banks make up a sizeable percentage of the financial services market, digital banking is gaining traction among Hong Kong adults. According to a Finder.com survey from April 2020, approximately 16 percent of adults with bank accounts stated they have digital bank accounts. That’s approximately 990,000 people across a range of ages.

Digital banking’s popularity is bound to grow in Hong Kong, due in large part to the Hong Kong Monetary Authority’s progressive digitalization and open banking initiatives. Few financial authorities have taken it upon themselves to examine the use and risks of artificial intelligence (AI) in digital banking, but the HKMA has already released its 12 high-level principles for AI implementation and use within the financial services sector. While many authorities in other regions have explored the use of AI on a general level, few have looked at it through the lens of providing digital banking services.

But don’t count on technology companies or the HKMA to take the reins of Hong Kong digital banking in the next few years. S&P Global Ratings predicts that banks will continue to lead the city’s financial services digitalization initiatives and that while HKMA’s regulations and initiatives could cause disruption to the sector, the COVID-19 pandemic has accelerated digital banking and contactless payment, and will continue to do so.4

CENTRAL BANK

The Hong Kong Monetary Authority is the city’s central bank reporting to the Financial Secretary. The bank’s primary objectives are to ensure the stability of the country’s financial system and currency.

Other Financial:

The Insurance Authority (IA) is an independent authority regulating the insurance industry in Hong Kong. In 2019, the Insurance Authority took over regulation of insurance intermediaries, as well.

DATA PROTECTION AUTHORITY

The Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) is the main data protection authority in the city. The statutory body enforces the Personal Data Privacy Ordinance (PDPO). The PCPD issues various regulations and guidelines implementing requirements under the PDPO.

Laws and Regulations

1. HKMA Circular on Consumer Protection Measures for Open API Framework

On October 29, 2019, the HKMA published a circular clarifying consumer protection measures of authorized institutions (AIs) operating and/or developing solutions within Hong Kong’s Open Application Programming Interface (Open API) framework. The Open API framework launched in July 2018 with the goal of assisting banks with creating banking services that “improve customer experience”. AIs are expected to uphold the Code of Banking Practice consumer protection principles “regardless of underlying technology adopted for their banking products and services, and whether AIs provide the products and services themselves or in partnership with third-party providers.” The circular also addresses the use of intermediaries under the Open API framework.

Key Highlights for Financial Institutions

• Circular Annex: Sound Consumer Protection Practices by AIs for Open API Phase II and Beyond: The circular’s annex lists seven protection practices for AIs, such as financial institutions, to follow during Open API use:

  • Conduct appropriate onboarding checks and monitoring on third-party service providers;
  • Make available a list of partnering third-party service providers;
  • Conduct regular monitoring;
  • Enhance customer education on potential risks of third-party services;
  • Establish liability and settlement arrangements;
  • Implement appropriate complaint handling;
  • Implement policies and procedures aligning with consumer protection requirements issued by HKMA.

2. HKMA Circular on “High Level Principles on Artificial Intelligence”

On November 1, 2019, the Hong Kong Monetary Authority released guidance related to the development of artificial intelligence (AI) and its use in the banking and fintech industries. The guidance, based on a 2019 survey the HKMA issued to banks, proposes 12 high-level principles for AI, including adoption of an Ethical Accountability Framework for the collection and use of personal data issued by the PCPD.

Key Highlights for Financial Institutions

• Data Protection Requirements: The guidance states that banks should implement data protection measures that comply with the country’s Personal Data Privacy Act and “any other applicable local and overseas regulatory requirements.” The guidance also states that in certain cases, “sanitized data instead of personally identifiable information should be used.”5

• Cybersecurity Measures and Controls: Regarding cybersecurity, the guidance states that AI applications will expose banks to new threats that will “exploit AI models through data manipulation.” In turn, “Banks should ensure that their security controls can effectively deal with such attacks.”

3. Insurance Authority (IA) Guideline on Cybersecurity

On January 1, 2020, a guideline on cybersecurity setting minimum cybersecurity standards for authorized insurers went into effect. The Insurance Authority’s new standards outline risk identification, cybersecurity strategy and implementation.

4. Proposed Amendments to the Personal Data Privacy Ordinance

On January 20, 2020, the HKMA released a proposal to review the Personal Data Privacy Ordinance. The paper states that the government was “reviewing and studying possible amendments to the PDPO” to strengthen the protection of personal data in the city. As of the publication of this report, further legislative announcements and updates have not been made regarding amendments to the PDPO.

5. HKMA Circular on Remote Account Opening and Customer Onboarding

On June 3, 2020, the Hong Kong Monetary Authority (HKMA) published a circular outlining remote onboarding for individual customers based on feedback from banks and fintech firms. The feedback is in response to the effects of the COVID-19 pandemic. The circular sets out regulatory expectations and best practices for remote onboarding.

6. HKMA Circular on Remote On-Boarding of Corporate Customers

On September 24, 2020, the HKMA issued a circular outlining key principles in relation to remote onboarding of corporate customers in the wake of the COVID-19 pandemic. The circular determines the difference between individual customer onboarding and corporate customer onboarding regarding customer due diligence. The circular states that corporate customer due diligence is more extensive compared to individual customer verification and lists four steps for verification.

Policy and Legislation

1. HKMA White Paper on “Reshaping Banking with Artificial Intelligence”

In December 2019, the Hong Kong Monetary Authority published a research paper aiming to promote discussion surrounding AI and its use in the financial services industry. The paper examines AI technology and explores key findings of a previously conducted survey. It explains AI technology and its basic concepts, discusses potential AI applications in the banking sector, explores recent development and implementation issues in the banking industry, and promotes the adoption of AI by presenting its benefits and risks.

2. Insurance Authority’s Extension of COVID-19 Temporary Measures

On September 4, 2020, the Insurance Authority issued a circular extending Phase 2 of temporary measures established in previous circulars. The goal of the Phase 2 extension is to “obviate the need to conduct face-to-face meetings in order to minimize the risk of infection” during the sale of policies. The measures have been extended to December 31, 2020.

3. SFC Consultation on Amendments to AML/CFT Guidelines for Licensed Corporations (LCs) and Associated Entities (AEs)

On September 27, 2020, the Securities and Futures Commission launched a three-month consultation seeking feedback on proposals to amend AML/CFT guidelines for licensed corporations and associated entities. The objective is to align the guidelines with FATF guidance issued in October 2018, Guidance for a Risk-based Approach for the Securities Sector. The new amendments would add new provisions for customer due diligence during third-party transactions and a section that outlines high- and low-risk customers participating in cross-border securities transactions. The consultation ends on December 18, 2020.

Key Highlights for Financial Institutions

• Customer Due Diligence During Third-party Transactions: The guidelines state that financial institutions “should exercise extra caution when the relationship between the customer and the third party is hard to verify, the customer is unable to provide details of the identity of the third-party payor for verification before the deposit is made, or one third party is making or receiving payments for or from several seemingly unrelated customers.” Furthermore, financial institutions should perform due diligence on “the source of a deposit and evaluation of any third-party deposit before settling transactions with the deposited funds.” In situations where this is not possible, there are special provisions for delayed due diligence.

INDIA

Country Overview

India’s financial services sector is highly diversified, comprised of commercial banks, insurance companies, mutual funds, and microfinance companies. And because it is the second-most populated country in the world, boasting a diverse set of regions both rural and cosmopolitan, India’s financial services sector stands to continue its consistent economic and technological growth. Notably, India’s asset management industry is among the fastest growing in the world, and there’s a growing demand for financial services across socioeconomic brackets.6 India’s private wealth market will be the largest in the world by 2028. With this demand for new services will come the inevitable demand for remote online banking services to serve transitional customers and customers living in rural areas. India’s mobile wallet industry is estimated to grow to $4.4 billion by 2022, according to a report from the India Brand Equity Foundation.7

The national government and the Reserve Bank of India, the two primary financial regulators for the country, have caught on to this and have launched a series of initiatives and regulatory packages aimed at stoking innovation while protecting consumers. Just in 2018, the government launched the India Post Payments Bank (IPPB) to expand to 650 bank branch locations with the objective of reaching customers in rural regions.

It could be that India’s next challenge in its endeavor to promote contactless banking services is age group penetration within the financial services market. According to a survey of consumers using smartphones for banking activities in India in 2018, approximately 60 percent of smartphone users were ages 18 to 26.8 Increasing smartphone usage in the country will be a key to increasing mobile wallet accounts.

CENTRAL BANK

The Reserve Bank of India (RBI) is the central bank of India in charge of issuing and supplying the Indian rupee. The bank is the primary regulator for the commercial banking industry, as well as non-banking finance companies.

Other Financial:

The Insurance Regulatory and Development Authority of India (IRDAI) is an independent statutory body tasked with regulating and promoting the insurance and re-insurance industries in India.

The Central Registry of Securitization Asset Reconstruction and Security Interest of India (CERSAI) is an independent government-mandated business that facilitates operations for the country’s Registration System for the securities market.

DATA PROTECTION AUTHORITY

As of the publication of this report, India does not have a dedicated data protection authority. However, the Personal Data Protection Bill of 2019, introduced in December 2019, calls for the establishment of a national data protection authority.

Laws and Regulations

1. Universal Payment Interface (UPI) Multi-Factor Authentication (MFA) Implementation

In February 2020, the National Cyber Coordination Centre announced plans to eventually implement multi-factor authentication (MFA) into the digital payment legal framework to enhance the safety of digital transactions. Google Pay and other digital payment apps could eventually be required to add an extra layer of security by implementing facial recognition or iris scan. Geolocation would be used to check placement of digital payments.9

Authorities at the National Cyber Coordination Centre have indicated that implementation of MFA is dependent upon adoption by international authorities. As of the publication of this report, a timeline for MFA implementation has not been announced.

2. RBI Notification on Increasing Instances of Payment Frauds

On June 21, 2020, the Reserve Bank of India published a notification to all authorized payment system participants and operators in the country, including banks and non-banks, directing entities to leverage multiple communication channels to raise consumer awareness of digital payment fraud.

3. RBI Oversight Framework for Financial Market Infrastructures (FMIs) and Retail Payment Systems (RPSs) Version 2.0

On June 14, 2020, the Reserve Bank of India (RBI) published an updated version of the Oversight Framework for Financial Market Infrastructures (FMIs) and Retail Payment Systems (RPSs). It outlines the authority’s approach to the oversight of FMIs and RPSs operating in the country and covers core principles, scope of oversight and legal framework.

The document outlines several rules related to KYC and cybersecurity standards for customer due diligence.

4. RBI Notification on Regulatory Extensions In Response to COVID-19 Pandemic

On June 3, 2020, the Reserve Bank of India (RBI) published a notification applicable to a range of authorized institutions, including payments banks, non-bank prepaid payment instrument issuers and authorized payment system participants and operators.

The notification addresses the disruptive circumstances brought by the COVID-19 pandemic, extending timeframes for compliance with a range of regulatory instruments released by the RBI. Affected policies and regulations include the circular on enhancing the security of card transactions, the Guidelines on Regulation of Payment Aggregators and Payment Gateways, as well as the net-worth requirement set out under the Master Direction on Issuance and Operation of Prepaid Payment Instruments.

5. RBI Circular on Internal ML/TF Risk Assessment by REs – Amendment to Master Direction (MD) on KYC

On April 20, 2020, the Reserve Bank of India issued a circular that updates the authority’s Master Direction on Know Your Customer (KYC) requirements and requires regulated entities to conduct periodic risk assessments to measure and anticipate potential money laundering and terrorism financing risk, taking into account matters such as cybersecurity deficiencies in the financial services and banking sectors.

In addition, entities must apply a risk-based approach to prevent identified risks when submitting all pertaining policies, controls, and procedures for RBI board approval. According to the circular, entities were to complete their first assessment by June 30, 2020, subject to periodic review.

Policy and Legislation

1. Personal Data Protection Bill of 2019

In December 2019, the Indian government introduced the Personal Data Protection Bill into Parliament. The bill, if passed, would create the first legal framework for data protection in India.

Key Highlights for Financial Institutions

• RBI Consultation on Report of the Committee for Analysis of QR Code: On July 21, 2020, the Reserve Bank of India (RBI) launched a public consultation on the Report of the Committee for Analysis of QR Code. The report is part of the authority’s policy for “furthering digital payments”, aimed at understanding the current position of QR code-enabled payments within the domestic market, as well as assessing the scope for improvement in existing QR codes.

The bank’s recommendations to enhance the efficiency, security and transparency of QR-based payments took into account not only the lifecycle of digital payment transactions, but also relevant factors such as interoperability and scalability, promotion of innovation, security and customer education/awareness.

The consultation seeking feedback on the report ended on August 9, 2020.

JAPAN

Country Overview

Japan is another highly developed Asian country enjoying the fruits of a population that has favored online and digital services for decades. From ordering food at a restaurant, to checking in for a hotel room, Japanese consumers are the leaders in demanding non-face-to-face services. In Japan, consumer demand drives the need for remote and online banking services, and the banks and fintech companies are obliging full force through technological innovation. In the past two years, several fintech startups have partnered with big banks to launch digital apps that help with a variety of financial services, including tracking billings and loyalty points. And some banks are leveraging AI and automation solutions to cut costs and streamline operations, particularly for credit assessment services.

The country’s financial regulators began promoting open banking in 2017 and have since continued to encourage its adoption among banks. But it seems banks are somewhat unsure on how to move forward due to a lack of clarity from the Financial Services Agency on third-party provider fees.10

Even so, industry experts predict that Japan’s digital banking space will gain even more prominence in the financial services industry moving into 2021, due in large part to the effects of the COVID-19 pandemic.

CENTRAL BANK

The Bank of Japan is the central bank and primary monetary policymaker for the country. The bank’s headquarters is in Tokyo.

DATA PROTECTION AUTHORITY

The Personal Information Protection Commission (PPC) is the central data protection authority in Japan. The agency enforces the 2003 Act on the Protection of Personal Information (APPI).

The National Center of Incident Readiness and Strategy for Cybersecurity (NISC) is the “cybersecurity strategic headquarters” of Japan established in November 2014. The agency operates under the national Cabinet and several ministers, including the Minister in charge of Cybersecurity. The NISC “coordinates cybersecurity policy” by developing standards and policies based on ongoing cybersecurity research.

The Japan Financial Intelligence Center (JAFIC) is an independent agency that enforces the Act on Prevention of Transfer of Criminal Proceeds.

Other Financial

The Japanese Financial Services Agency (JFSA) is the primary government agency responsible for banking, securities and exchange, and insurance sector regulations.

The Japan Virtual Currency Exchange Association (JVCEA), established in 2018, independently enforces cryptocurrency rules within the industry. The group has the power to issue penalties to cryptocurrency exchanges and is formally recognized by the JFSA.

Laws and Regulations

1. Payment Services Act (PSA) Amendments 2020: Financial Service Intermediaries and Fund Transfer Licensing

On December 20, 2019, the Financial Services Agency (FSA) published a report on the regulatory framework for the provision of settlement services and introducing a new one-stop intermediary license for financial product marketing. The report presents two proposals for the amendments: 1) to amend the licensing system for fund transfer service providers and 2) to introduce a new type of license for financial service intermediaries.11

Under the new bill, payment receiving agency services are now deemed fund transfer services requiring registration with the FSA. Therefore, certain unregistered entities may be required to register with the FSA to remain in compliance.

Additionally, amendments were made to the Prepaid Payment Instruments (PPIs) section of the PSA to require implementation of security measures and safeguards to ensure user protection. The PSA amendments also stipulate that PPI issuers have an obligation to monitor and supervise third-party vendors in the case of issuance operations.

The FSA administration proposed the bill to the National Diet on January 22, 2020. The Diet officially adopted the amendments to the PSA on June 5, 2020. The amendments will go into effect sometime in 2021.12

2. Payment Services Act (PSA) and Financial Instruments and Exchange Act (FIEA) Amendments 2019 and 2020 Implementing Regulations: Crypto Assets

The Financial Services Agency has presented proposed amendments to two separate acts to strengthen crypto asset investor protection and promote crypto asset investment. The new regulations primarily focus on three key areas: regulating crypto exchanges, custodians, and products; reforming existing “virtual currency” terminology; and creating appropriate transaction measures.

• Payment Services Act (PSA) Amendments: In the PSA, “crypto asset exchange service providers” are defined as persons/entities that sell, purchase, or provide custody services for crypto assets. Custody service providers not engaged in selling, purchasing and intermediating crypto assets weren’t previously regulated under the PSA but are now under the Act’s scope. Additionally, crypto asset-related activities, such as crypto custody services, will be subject to licensing under the new regulations.

• Financial Instruments and Exchange Act (FIEA) Amendments: Under the new amendments, the FIEA will regulate all Initial Coin Offering (ICO) related activities in Japan, and custodians of crypto assets are now required to register as cryptocurrency exchanges.

The amendments regarding crypto assets to the PSA and FIEA went into effect May 1, 2020.13

3. Payments Japan’s Merchant-Presented Mode Guideline V.2.0

On April 27, 2020, the Ministry of Economy, Trade, and Industry issued a guideline surrounding the country’s implementation of the JPQR initiative, the specifications of the standard QR codes and standard barcodes. The guideline sets standards for barcode and QR payments under JPQR. The guideline also outlines the “Bill Payment” service, which allows streamlined payments based on personal invoices.

• JPQR 2020 Initiative: On June 22, 2020, the Ministry of Internal Affairs and Communications began accepting JPQR applications from entities nationwide, including financial institutions. The JPQR initiative, part of the Payments Japan’s Merchant-Presented Mode Guideline V.2.0, is “a unified standard for QR code payments established by the Payments Japan Association.” The goal of the initiative is to consolidate payment QR codes of multiple entities into one unified QR code that can be used across multiple payments at different companies.

4. JFSA Summary of Priorities for July 2020 – June 2021

On August 31, 2020, the JFSA published a summary of its priorities for July 2020 through June 2021. The summary lists three key priorities the Japanese Financial Services Agency (JFSA) will focus on: implementing COVID-19-related regulations and policies to help financial institutions fight the pandemic’s economic effects on consumers; making the Japanese financial and capital markets more attractive to investors through administrative revision; and reforming the JFSA through modernization.

Priorities for COVID-19 directly address banks and financial institutions and would call for the revision of regulations that cover banks, enabling them to better assist customers with post-COVID-19 financial recovery. Additionally, the JFSA will promote modernization of certain practices at banks that rely on paper documents, seals, and in-person communication.

5. 2020 Amendment to the Act on Protection of Personal Information (APPI)

On June 5, 2020, the National Diet passed an amendment to the Act on the Protection of Personal Information (Act No. 57 of 2003, also known as the APPI). A consultation regarding supplementary rules and guidelines to implement regulations under the amendment was launched June 23, 2020, and results of the consultation were released August 31, 2020. Supplementary rules and guidelines based on the consultation results are expected to be released sometime in 2021, and the amended APPI will officially come into force no later than June 2022.14

Key Highlights for Financial Institutions

• Right to Erasure: Before the current amendment, data subjects or “principals” could not exercise a right to deletion, cessation of use and/or cessation of data provision to a third party under APPI. The new changes broaden data subjects’ rights, though the scope of the right to erasure is narrower than that of the European Union’s General Data Protection Regulation (GDPR).

The amendment accomplishes this by abolishing the six-month rule on “retained personal data,” which stipulated that personal data that is set to be erased within six months is not considered “retained” and therefore not subject to the right to erasure.

• Right to Disclosure: Under the new APPI changes, data subjects will have the right to request disclosure of retained personal data by electronic means. Before the amendment, disclosure was delivered via written documents. Additionally, the scope of retained information available to data subjects will broaden under the supplementary rules to be released in 2021. Those rules will add three key changes all personal information controllers will have to implement:

  • A framework for processing personal information
  • Safeguards to protect personal information
  • A framework for processing of retained personal data

• Personal Data Provision to Third Parties: The amendment broadens the scope of personal data rights while limiting the scope of third-party use of personal data. Under the new changes, two types of personal data can’t be provided to a third party without consent based on opt-out provisions: 1) personal data which is illegally obtained and 2) personal data that has been provided based on the opt-out provision.

• Introduction of “Pseudonymously Processed Information” Definition: APPI’s new amendment introduces a new type of personal information called “pseudonymously processed information”, which “deletes a person’s name” from processed personal information, such as cashless transactions. This, in theory, provides an extra cushion of protection to data subjects who provide personal information, especially electronically.

ASIA PACIFIC - ONESPAN GLOBAL FINANCIAL REGULATIONS REPORT FOLLOW US    117 NEW ZEALAND

Country Overview Banks in New Zealand have enjoyed a long and prosperous reign over the country’s financial system. As of March 2020, registered banks accounted for $631 billion in assets, dwarfing the meager $81 billion in assets from insurance companies. However, in the wake of the COVID-19 pandemic, the financial services industry is grappling with a set of significant changes that could determine how digitalization of the economy will move forward.

Just in the past few years, before the pandemic hit, digital banking onboarding in New Zealand sky-rocketed because of its convenience and speed. According to finance intelligence agency RFI Research, 80 percent of New Zealand residents were using digital banking services on a weekly basis.16

However, according to a 2018 survey from Canstar, an Australian company that helps consumers compare financial services, 60 percent of financial institution customers were cautious of sharing financial data with third-parties or non-banking businesses.17 By late 2019, experts agreed that consumer trust in the financial services sector was at an all-time low and that it was at a crossroads as an industry. According to officials at UMR Market Research, a market research firm located in New Zealand, “Trust in the financial services sector has risen from 49 percent to 57 percent over the past five years, but the bad news is that, as a sector, it’s still the least trusted of all the sectors [we] measure.”18

Perhaps in response to this lack of consumer confidence, various financial regulators have banded together to pass a series of sector-specific legislation and regulations aimed at combating money laundering and terrorist-financing, and protecting consumer financial data and personal information. If financial institutions and consumers eventually come to a middle ground on personal data protection and consumer data rights, then New Zealand will have little trouble maintaining its status as an innovator of digital financial services.

CENTRAL BANK

The Reserve Bank of New Zealand (RBNZ) is the central bank of New Zealand. The Bank’s primary functions are to maintain price stability through effective monetary policy and maintain a healthy financial system for the country.

DATA PROTECTION AUTHORITY

The Office of the Privacy Commissioner (OPC) is the primary data protection authority in New Zealand. The OPC develops and promotes personal information protection among consumers and businesses and enforces the country’s Privacy Act, which was just updated in 2020.

Other Financial

The Commission for Financial Capability (CFFC) is a British Crown agency that supports and promotes the growth of New Zealand residents’ financial capability and financial health.

The Financial Markets Authority (FMA) is the financial regulatory authority in New Zealand. The government agency regulates and enforces financial regulations for all financial markets and exchanges.

The Ministry of Business, Innovation and Employment (MBIE) is a federal government agency that develops policy, advice and regulations that aim to increase the country’s economic growth. Many regulations and advisories the MBIE creates surround issues and businesses directly related to the financial sector, including the Financial Markets Conduct Act, insurance contract law, and reforms in line with international standards.

Laws and Regulations

1. Consumer Data Right (CDR) Consultation
The country of New Zealand is exploring the option of providing consumers with a Consumer Data Right (CDR) to give them, and businesses, more authority and control over individuals’ personal data. The Ministry of Business, Innovation and Employment (MBIE) has released a series of consultations seeking feedback about several issues in relation to CDR legislation.

On August 4, 2020, the MBIE released its third consultation seeking further feedback on the proposed CDR initiative. The consultation ended on October 4, 2020. The discussion paper attached to the consultation outlined three main issues to focus on when responding: the need for a national CDR, how a CDR could be formed, and how it could be designed.

Key Highlights for Financial Institutions

• PSD2 Influence: According to the discussion paper for the consultation, “A sector-specific approach in New Zealand could be similar to the EU and UK approach to open banking, including the Payment Services Directive 2 (PSD2).” The MBIE points out that a sector-specific approach to CDR will be “quicker and more cost-effective” and could encourage industry-led technology solutions.

• Consumer Consent: Regarding consumer consent, the discussion paper states that, “In order to ensure that access to consumer data is only shared when it has been authorized by the consumer, and that it is only used for the intended purpose, it is necessary to create a framework where consumer consent is required before information is transferred. A key part of obtaining an individual’s consent to share data is confirming the identity of the individual.”

2. Privacy Act 2020
New Zealand’s new Privacy Act repeals the Privacy Act of 1993 and will officially take effect on December 1, 2020. Key changes from the previous Act will strengthen privacy protections for New Zealand residents by setting new requirements for breaches of private information and expanding the role and authority of the OPC. Since 2018, the country’s Cabinet Office has released a series of responses to the various changes made in the new Act.

Key Highlights for Financial Institutions

• Compliance Notices: The Ministry of Justice has stated that the Office of the Privacy Commissioner (OPC) will now be able to issue compliance notices with “cease-and-desist” powers.

• Access Request Decisions: The OPC will now be able to make binding decisions on complaints about information access. Decisions will be able to be appealed by the Human Rights Review Tribunal.

• OPC Expanded Authority: The OPC timeframe for agency compliance with investigations will be shortened, and the penalty for non-compliance will be increased from $2,000 to $10,000.

• Enhanced Protection of Cross-border Information: Personal information sent overseas or across national borders is protected under the new changes. Organizations sending personal information overseas will have to implement the appropriate measures to ensure personal information is safeguarded.

Policy and Legislation

1. Updated Guidelines on Territorial Scope of AML/CTF Act
On November 21, 2019, the Financial Markets Authority updated its guidelines on the territorial scope of the 2009 AML/CFT Act and its supervisory framework. The updated guideline clarifies territorial scope in order to assist financial institutions and non-financial businesses with deciding whether they must comply with requirements under the act.

The supervisory framework for the guidelines details the objectives of the RBNZ, the FMA and the Department of Internal Affairs in relation to combating money laundering and terrorism financing in the financial sector.

2. Joint Guidance on Complying with AML/CFT Verification Requirements During COVID-19 Alert Levels
On March 25, 2020, the Reserve Bank of New Zealand (RBNZ), the Financial Markets Authority (FMA), and the Department of Internal Affairs released joint guidance advising entities on compliance with verification requirements under the 2009 AML/CFT Act. The guidance advises entities, including financial institutions, on how to strengthen customer due diligence and account monitoring in the wake of the COVID-19 pandemic.

Key Highlights for Financial Institutions

• Electronic Documents: The guidance states that electronic documents are an acceptable solution to ongoing CDD efforts. It states that “in the current situation, it may be more difficult for reporting entities to carry out ongoing CDD as per their usual processes. Instead, reporting entities should apply a risk-based approach. This may mean, for example, that reporting entities accept scanned copies of documents as an interim measure, with the originals to be sighted at a reasonable later time (upon lifting of alert levels)”.

• Identity Verification: The guidance advises entities on how to verify identities now that face-to-face verification isn’t possible. It states that under the AML/CFT Act, entities may establish a new relationship with a customer and delay verification to a later time. Under the law, this applies to remote account opening at banks. However, there are additional measures that will have to be adopted by banks opening new accounts. The guidance also promotes a risk-based approach to exception handling provisions for circumstances where a customer’s identity can’t be verified with original ID documents.

• Electronic Identity Verification: The guidance states that, “The IVCOP (Identity Verification Code of Practice) provides that where an electronic source does not have a mechanism to link the customer to their claimed identity (whether biometrically or otherwise), a reporting entity must apply additional measures to ensure the person being dealt with online is the genuine holder of the identity they claim to be.”

3. AML/CFT Enhanced Customer Due Diligence Guideline
In September 2020, a group of three of the country’s financial regulators and policymakers issued a set of enhanced guidelines surrounding customer due diligence supporting AML/CFT efforts. The three organizations are the Financial Markets Authority, the Reserve Bank of New Zealand, and the Department of Internal Affairs.

The guideline aims to assist financial institutions with conducting AML/CFT under the 2009 AML/CFT Act. It outlines new requirements for ID proofing and identity information collection and promotes a risk-based approach when implementing enhanced CDD solutions.

Key Highlights for Financial Institutions

• Identity Verification: The guideline states that, “Enhanced CDD requires the collection and verification of the same identity information that is required for standard customer due diligence. However, when undertaking enhanced CDD, you may need to use increased or more sophisticated measures to do this. In most, but not all cases, enhanced CDD also requires the collection and verification of information relating to the source of wealth (SoW) or source of funds (SoF) of your customer.”

• Promotion of Risk-Based Approach: The guideline states that, “A risk-based approach allows you some flexibility in the steps you take when conducting enhanced CDD. Your risk assessment and program will determine the amount of time and effort you spend on enhanced CDD.” Additionally, “A risk-based approach does not stop you from engaging in transactions/activities or establishing business relationships with higher risk customers. Rather, it should help you to effectively manage and prioritize your response to ML/TF risks.”

REPUBLIC OF KOREA

Country Overview

South Korea, or the Republic of Korea as it is officially known, is one of the most highly developed countries in Asia infrastructure-wise. It enjoys some of the fastest Internet connection speeds and stunning technological advances in the region, such as a high-speed railway. Some would argue South Korea is one of the most technologically advanced nations in the world, and the country’s global influence has only increased in the last 20 years. It is understandable, then, that the country’s financial services sector sets the example for global financial services innovation. Other countries in the region are just now beginning to license digital banks.

The COVID-19 pandemic has only accelerated demand for online banking services. In 2020, many virtual banks announced plans to partner with large financial companies in a bid to increase financial inclusion and provide online and remote services to as many Koreans as possible. This is a significant shakeup for the industry because South Korean regulators have been particularly lax about who can register for a digital banking license. One of the most popular messaging apps, Kakao Talk, launched its bank, kakaobank, in 2017 and will soon have more than 10 million customers.19

The Republic of Korea’s financial and technology innovators have issued a series of legislative amendments aimed primarily at increasing open banking adoption and providing exemptions that remove barriers to entry for consumers and businesses.

CENTRAL BANK

The Bank of Korea is the central bank of the Republic of Korea. The bank’s primary objective is to maintain the country’s price stability and it often targets inflation, especially consumer price inflation.

DATA PROTECTION AUTHORITY

The Personal Information Protection Commission (PIPC), established under the country’s Personal Information Protection Act (PIPA), is the primary data protection authority in South Korea. The independent commission develops policies and coordinates communication between government agencies regarding personal data processing. However, the Ministry of the Interior and Safety (MOIS) is charged with the enforcement of the country’s Personal Information Protection Act (PIPA).

The Korea Internet and Security Agency (KISA) is a statutory organization established by the Act on Promotion of Information and Communications Network Utilization and Information Protection (ETC) that assists government agencies with data breach resolution and research. The agency also provides advice on personal data protection security standards and policies.

Other Financial

The Financial Services Commission (FSC) is an independent government body

The Financial Supervisory Service (FSS), formerly known as the Financial Supervisory Commission, is the Republic of Korea’s primary financial regulator charged with supervising financial institutions under the FSC.

Laws and Regulations

1. Digital Signature Act Amendment 2020
On December 10, 2020, amendments to the Digital Signature Act regarding digital identification become effective. Changes in the act remove certain requirements for certificates for digital signatures to “remove barrier to entry” for consumers.20 As it stood previously, the Act established a public certificate for use during electronic services such as online banking. The public certificates system became cumbersome to financial services technology innovation and competition.

The new law will stoke competition among private certificate businesses and technology firms, such as mobile carriers and other ICT firms, that provide electronic signature services. This will, in turn, provide businesses such as financial institutions with greater choice of e-signature services outside of the public certificate system. In Korea, there are “certified signatures” and “uncertified signatures.” Confusingly, Korean authorities use “digital” and “electronic” interchangeably. Private certificate businesses, such as online banks, will have to conform to new standards to ensure they offer “certified signatures” for their customers for both transactional and document signing.

This is because e-signature use for both electronic transactions and electronic documents falls under the purview of the Framework Act on Electronic Documents and Transactions (FAEDT). Additionally, the Electronic Signature Act (ESA), which establishes an e-signature framework, defines an electronic signature as a “piece of information in electronic form that is affixed on, or logically combined with, an electronic document in order to identify the signatory and verify that the electronic document has been signed by said signatory.”

Therefore, when referring to e-signature use in Korea, one must keep in mind that it might not necessarily refer to an electronic version of a “wet ink” signature.

Key Highlights for Financial Institutions

• Promotion of Innovative Identity Proofing Technologies: Recent changes under the law promulgate the use of various types of identity proofing technology, including biometric authentication and blockchain, during e-signature certification. The changes do not directly address transactional signing, but as it already stands, the law applies to “electronic administrative services” for online banking.21

• MSIT E-Signature Standards and Measures: The Act obligates the Ministry of Science and Information Communication Technology (MSIT) to develop measures that will “enhance the reliability of electronic signatures” and promote choice of e-signature authentication services among consumers.

The MSIT will also create a set of operational standards for e-signature certification that will be influenced by internationally recognized standards. Plans for the standards include countermeasures against e-signature fraud; measures protecting user rights; procedures for customer due diligence during the use of digital signature authentication services; and procedures for suspension of e-signature services.

Under the MSIT’s mandate under the new law, the Korea Internet and Security Agency (KISA) is the enforcing agency tasked with ensuring standards compliance.

• Korean Intellectual Property Office (KIPO) Amended Guidelines Concerning Digital Identification: In response to the Digital Signature Act amendment, the Korean Intellectual Property Office published amended guidelines around digital identification, specifically e-signatures, in June 2020. The guidelines establish that e-signatures and digital notarization have the same legal force as written signatures. Depending on the type of e-signature, additional requirements must be met. E-signatures that mimic conventional handwritten signatures must be joined with a statement from Korean legal counsel that the document has been signed by an authorized party. For e-signatures that do not mimic a conventional handwritten signature but instead use information such as characters, membership IDs, or symbols, the signer must provide a captured image of the signer’s certificate to validate e-signature authenticity.22

2. PIPA Amendment 2020
On August 5, 2020, comprehensive changes made through several amendments to the Personal Information Protection Act (PIPA) went into effect. The amendments to PIPA establish new definitions, clarify several existing clauses, and permit new types of personal data processing.

Key Highlights for Financial Institutions

• Introduction of Pseudonymized Information: Several changes clarify the concept of personal data and introduce pseudonymized data as a type of personal data. The law also defines the scope of pseudonymized data processing for data controllers and imposes data processing restrictions.

• Transfer of ICNA Personal Information-Related Provisions: Special provisions once part of the Act on Promotion of Information and Communications Network Utilization and Information Protection (ICNA) have been transferred to PIPA under the amendment. The provisions relate to the protection of personal data.

3. Act on Reporting and Use of Specific Financial Transactions Amendment 2020: Virtual Assets
On March 5, 2020, South Korea’s National Assembly passed a new amendment to the country’s financial information act that allows operation of cryptocurrency exchanges by legitimizing virtual asset ownership and trading. Under the changes, virtual asset service providers (VASPs), or cryptocurrency exchanges, must enhance customer due diligence by requiring customer registration of an authorized Korean bank account and reporting registration to the Korean Financial Intelligence Unit (KoFIU) before September 2021.

Cryptocurrency exchanges are also required to apply for an information security certificate with several prerequisites for approval, including implementation of suitable technical solutions for sharing real-identity information with transaction counterparties. This change is in line with the “travel rule” clause implemented in 2019 by FATF in its “Recommendation 16 on Wire Transfers.”

The Act will come into force in March 2021 and compliance is required by September 2021.23

4. Credit Information Use and Protection Act Amendment 2020
Changes to the Credit Information Use and Protection Act were promulgated by the Korean National Assembly on February 4, 2020 and most of the implementing regulations that were amended took effect August 5, 2020. However, amendments to the Credit Information Act are more comprehensive than the PIPA amendments because they include provisions for data protection and the regulatory system for the use and management of credit information.24 Several provisions of the new law won’t go into effect until February 4, 2021.

Key Highlights for Financial Institutions

• Unlike PIPA, the amended Credit Information Act contains several provisions regarding data subject rights. They are:
  • Establishes right to request transfer of personal credit information from one financial company or public institution to another;
  • Streamlines user consent process;
  • Provides greater restrictions and clarification on management and use of pseudonymized information.

5. Act on Promotion of Information and Communications Network Utilization and Information Protection (ICNA) Amendment 2020
Amendments to the ICNA went into effect on February 4, 2020 and the Act officially went into force on August 5, 2020. The act was amended to streamline and remove overlapping data protection provisions that appear in the Personal Information Protection Act (PIPA) and to allow the Korea Communications Commission to legally delegate authority to affiliated agencies.

Policy and Legislation

1. FSC Open Banking Initiative
In February 2019, the Financial Services Commission launched an open banking initiative aimed at transitioning to an open API system, therefore increasing fintech competition. The initiative directly affects payment operations at banks and other payments services providers. The initiative outlined three steps to transitioning to the open system:

• Voluntary Payment Network Access from Banks: The initiative will ask banks to voluntarily agree to an open banking system and will provide payment network access to all fintech PSPs. This will also require banks to lower transaction fees to stoke fair competition. The open API program officially launched in December 2019 after a pilot period starting in October 2019. In July 2020, the FSC reported that more than 20 million Koreans are using open banking services through the API platform.

• Open Banking Legislation: The FSC has proposed amendments to the Electronic Financial Transaction Act.

  • Electronic Financial Transactions Act Amendment 2020: In July 2020, the Financial Services Commission (FSC) announced plans to propose revisions to the Electronic Financial Transactions Act (EFTA) to expand payment and settlement services in the country by expanding the roles of payment service providers (PSPs) to include brokerage services and possibly savings accounts. The changes would be applicable to mobile payment service providers as well as traditional banks. Loan servicing would not be permitted under the changes.

  Two new licenses will be created by the FSC under the amendment: MyPayment providers will carry out transactions “without holding customers’ funds,” while the one-stop PSP license will enable those providers to “issue and manage” payment accounts in addition to providing payroll and billing services.

  As of the publication of this report, the revisions have not yet been presented to the National Assembly for consideration.

• Fintech Access to Financial Payment System: The FSC has proposed allowing fintech PSPs access to the country’s payment system without registration through a bank or financial institution. A PSP would have to be qualified based on digital and financial capability criteria.

The FSC has announced plans to expand open banking to fintech sometime in the fourth quarter of 2020, and there are plans to allow card issuers direct access sometime in 2021.25

TAIWAN

Country Overview

Taiwan, like the Republic of Korea, is one of Asia’s most highly developed countries with an economy founded on manufacturing, specifically in machinery and electronics. The country’s close ties to China engender a unique political and social structure that can prove divisive at times. However, Taiwan’s financial services sector remains one of the strongest and most effectively regulated in Asia, though it is oversaturated with traditional banks. That has changed in 2020 with the launch of several digital banks. This follows the launch of three new licenses for internet-only banks in Taiwan announced in July 2019.

Taiwan’s embrace of fintech has been moving rapidly compared to other Asian countries, and regulators have launched several initiatives to promote adoption of digital banking services at financial institutions. In July 2020, the National Cabinet released plans through 2024 for a national digital “development plan” aimed at improving economic growth by “creating a digital nation” and to build for a post-COVID-19 society. The financial services industry is one of the six core strategic industries listed in the plan.

Because of the intense competition and oversaturation of the market, banks will have to expand to niche markets to expand their customer bases. Digital savings accounts have gained popularity among consumers. Banks have caught on: 30 banks accounted for nearly 3.5 million digital savings accounts opened at the end of 2019.26

CENTRAL BANK

The Central Bank of the Republic of China (Taiwan) is the central bank of Taiwan. The bank issues the country’s currency and develops monetary and payment system policies. The bank operates through several departments, including a Department of Banking.

Other Financial:

The Financial Supervisory Commission (FSC) is the independent government agency supervising and regulating the securities markets, as well as the banking and insurance sectors.

DATA PROTECTION AUTHORITY

As of the publication of this report, Taiwan does not have a dedicated data protection authority. However, the National Development Council (NDC), Taiwan’s primary policy-planning agency under the executive branch, is the current authority charged with enforcing the provisions of the Personal Data Protection Act (PDPA). Taiwanese authorities announced plans to establish a data protection authority but as of the publication of this report, a timeline for the launch of said authority hasn’t been announced.

Laws and Regulations

1. Taipei Exchange Rules on the Issuance and Trading of the Security Token
On January 20, 2020, the Taipei Exchange securities market authority promulgated several rules for security tokens. The regulations were released in response to the FSC’s incorporation of security token offerings (STOs) into the Securities and Exchange Act (SEA) framework on July 3, 2019. The FSC incorporation officially defines “security tokens” as so-called securities under the SEA.

The entire set of rules and regulations was officially published and went into force in April 2020.

Key Highlights for Financial Institutions

• Enhanced Customer Due Diligence: The new rules stipulate that securities dealers should adopt a real-name system for themselves and customers during token trading through price negotiation. Under the rules, “customers may only engage in the outward/inward remittance of funds in New Taiwan Dollars through accounts with names identical to those of customers.”27

• Compliance with AML/CTF Law: The new rules stipulate that anti-money laundering and counter-financing of terrorism operations should be based on a risk-based approach.

2. NDC Guidelines for Trial Operation of Data Interface on MyData Platform
On February 18, 2020, the National Development Council (NDC) published guidelines for the MyData Platform open government application, which took effect the same day. The MyData Platform is an application that allows the public to have more authority over personal data. Users can download personal data and authorize access to personal data for government agencies and/or private sector businesses.

As of the publication of this report, the MyData Platform is in trial stages and is only open to banks and state-owned enterprises.

Key Highlights for Financial Institutions

• ID Verification: The rules apply to ID verification requirements for both data providers and service providers. Data providers are required to adopt identity verification systems that meet personalized data security requirements and provide accurate personalized data.

• Personal Data Collection: Service providers are advised to only allow for a minimum level of data collection and take proper measures to disclose personal data use during user authorization and consent.

• Personal Data Breaches: In the case of a breach or misuse of personal data, service providers are solely responsible, and the NDC has the authority to delete the provider’s interface within the MyData Platform.28

3. Public Reminder on Risks Associated with Virtual Assets
On July 6, 2020, the FSC issued a press release reminding the public to be vigilant of risks related to virtual assets. The FSC made three points in its press release, most significant of which is that virtual assets are not considered currency in Taiwan.

Policy and Legislation

1. MAS Promotion of Digital Finance and E-Payments to Support COVID-19 Safe Distancing Measures
On August 6, 2020, the Financial Supervisory Commission issued its Financial Security Action Plan for 2021 through 2025. The plan’s objective is to “strengthen the financial industry’s information security protection capabilities.”29 According to the FSC press release, the plan will reach its objective through several measures:

1. shaping the organizational structure of financial institutions that prioritize information security;
2. strengthening information security protection in fintech development;
3. cultivating financial security professionals on a nation-wide level;
4. encouraging the introduction of international information security standards on a domestic level.

2. Bill for “Digital Rights and Personal Data Protection Commission”
In September 2020, the Legislative Yuan introduced a bill aimed at aligning the domestic data protection framework with the EU’s GDPR. Taiwan’s goal, ultimately, is to satisfy adequacy requirements to allow cross-border data flow between Taiwan and the EU.

The bill calls for the establishment of a national data protection authority with enforcement powers similar to those established under the GDPR.

Once the bill is approved, the Executive Yuan will set an effective date. As of the publication of this report, the Executive Yuan has not yet issued the order that will establish the effective date.

3. Draft Amendments to Act Governing Electronic Payment Institutions
In July 2020, the Executive Yuan approved draft amendments to the Act Governing Electronic Payment Institutions. The changes would streamline digital money transfers and allow consumers to send foreign currency to a mobile payment device or app.

The proposed amendment would also integrate mobile payment devices with electronic payment services by establishing a platform for sharing financial information and conducting money transfers. PSPs and digital payment card providers would be able to participate in the platform and provide services.

The draft amendment was introduced to Taiwan’s legislature in September 2020.30

4. Bill to Establish Ministry of Digital Development
The federal government of Taiwan announced on September 11, 2020, plans to establish a national Ministry of Digital Development that will perform a variety of functions and objectives relative to digital health and economy, including information technology business development, cybersecurity, and telecoms.

If passed, the bill will consolidate several agencies into one, including the current Department of Cybersecurity. The national Cabinet was set to review the proposed bill in the fall of 2020.

ASIA PACIFIC - ONESPAN GLOBAL FINANCIAL REGULATIONS REPORT

5. Bill for “Basic Law for Development of Artificial Intelligence”

In September 2020, the legislative branch of the Taiwanese government introduced a private bill for the establishment of a framework to promote safe AI development within the country’s economy.

The law provides legal certainty on key definitions, core development principles supporting AI solutions, and ethical aspects. The bill also establishes the Ministry of Science and Technology as the primary AI authority for the country, in line with domestic data privacy protection frameworks.

The bill will become effective on the date of its promulgation. As of the publication of this report, a date for promulgation has not been announced.

SINGAPORE

Country Overview

Anyone with doubts that effective regulation and policymaking can be the principal drivers for financial sector innovation and development need only look to Singapore to dispel uncertainty. Singapore has established itself as one of the top five global financial centers by adopting a “risk-based” approach to regulation and supervision in the wake of the Asian financial crisis of the late 1990s. Since then, financial development in the country has expanded to include various innovation and cybersecurity initiatives that have established Singapore as a financial services innovation hub.

Currently, more than 200 banks, including 125 commercial banks, operate in Singapore. Of the commercial banks, local and foreign banks make up just 24 percent of banks awarded full banking status. The rest are foreign commercial wholesale banks or offshore banks. In fact, offshore financial services are hugely popular in Singapore, in general. Offshore insurance business has driven industry growth and accounts for more than 50 percent of all general insurance business in the country.31 With the popularity of offshore banking comes the reality that more regulation around digital identity verification and customer due diligence/KYC will be needed to ensure a sound financial system.

In regards to financial regulation and governance, the Monetary Authority of Singapore’s (MAS) statutes and standards for risk-taking and innovation are extremely thorough when compared to other financial regulators in Asia. This is due, in part, to the MAS working with other domestic authorities and regulators on corporate governance and consumer safety-nets, as well as a dedication to a comprehensive consultative approach to regulation. Regarding AML/CFT, the MAS consistently meets benchmarks set by international standards bodies such as FATF, which has in turn strengthened investor and consumer confidence in the country’s financial system during the past 20 years.

CENTRAL BANK: The Monetary Authority of Singapore (MAS) is the central bank of Singapore and the country’s main financial regulatory authority. The bank issues statutes surrounding banking, insurance, securities and the financial sector in general. Several other financial regulators in the country were previously consolidated into the MAS to create a more centralized regulatory environment for the financial services sector.

Singapore’s dedication to financial services innovation, its digital partnerships with other countries in the region such as Australia and the Republic of Korea, and its strong regulatory environment put the country’s financial sector firmly within the nexus of global digital identity standards development. In fact, at the Singapore Fintech Festival in November 2019, the MAS and the Bank for International Settlements (BIS) issued a joint press release announcing the creation of a new BIS Innovation Centre in Singapore that will supplement the MAS’s work on establishing “a framework for public digital infrastructures on identity, consent and data sharing.”32 Because all other government systems, not to mention many private sector systems, already rely on the existing national ID card number (NRIC), Singapore’s implementation of a national digital ID framework could be relatively seamless.

DATA PROTECTION AUTHORITY: The Personal Data Protection Commission (PDPC) is the national data protection authority in Singapore. The agency promotes and enforces personal data protection in the country and protects consumer interests and rights in relation to data protection.

Laws and Regulations

1. Personal Data Protection Bill Amendment 2020 The Singapore Ministry of Communications and Information and the Personal Data Protection Commission ended a consultation for an amendment to the country’s 2012 Personal Data Protection Bill on May 27, 2020. Responses to the bill were published in June 2020. According to the consultation, the MCI/PDPC wants to amend the law to “take into account technological advances, new business models and global developments in data protection legislation.” As of the publication of this report, a timeline for bill enactment and enforcement deadlines has not been announced.

Key Highlights for Financial Institutions

The MCI/PDPC is proposing four key changes:

• Strengthen Organizational Accountability: The PDPA states that it will strengthen accountability practices by introducing new requirements for financial institutions and by incorporating recommendations of the Public Sector Data Security Review Committee (PSDSRC). Those recommendations focus on third party accountability in processing personal data.

• Enable Meaningful Consent: Through the amendment, the PDPA framework for personal data collection, use and disclosure will be revised to enable meaningful consumer consent, “where necessary.”

• Greater Consumer Autonomy: The PDPA will give consumers more authority over the use and collection of their personal data. The new Data Portability Obligation under the amendment “will give individuals greater choice and control over their personal data, prevent consumer lock-in and enable switching to new services.”33

• Strengthen the Effectiveness of Enforcement: The new act provides for increased financial penalties and expands the PDPC’s enforcement powers.

2. United Nations Anti-Terrorism Measures Regulations Amendment 2020

On January 13, 2020, the Singapore government published an amendment to the UN Anti-Terrorism Measures stipulated under the United Nations Act Chapter 339. The amendment removed and substituted regulation 3. Essentially, the change excludes financial institutions or “class of financial institutions” already under the purview and supervision of the Monetary Authority of Singapore from the scope of the UN Anti-Terrorism Measures.

3. Payment Services Regulations 2019

On December 4, 2019, the MAS officially published these regulations, which apply to all entities regulated under the Payment Services Act. The regulations set out licensing requirements for payment service providers and officially went into effect on January 28, 2020. The regulations also outline exemptions.

Policy and Legislation

1. Payment Services Act (PSA) 2019

On January 28, 2020, the Payment Services Act (PSA) officially took effect after being preceded by a months-long consultation process in 2019. The Act enhances the regulatory framework for payment services in Singapore, strengthens consumer protection and promotes confidence in the use of e-payments. The Act also expands the Monetary Authority of Singapore’s authority to include new types of payment services, such as digital payment token services.

The existing Money-changing and Remittance Businesses Act and the Payment Systems (Oversight) Act were repealed with the commencement of the PSA.

Key Highlights for Financial Institutions

• “Unique Identifier” Definition: Under the Act’s interpretation, a “unique identifier” is defined as “a combination of letters, numbers or symbols used by a payment service user to identify unambiguously either or both of the following for the purposes of a payment transaction: 1) any payment service user that is a party to the payment transaction or 2) any payment account.”

2. MAS Guidance to Enhance Operational Controls in Payments and Electronic Funds Transfer Operations

On December 5, 2019, the MAS issued guidance encouraging banks to implement adequate operations controls to address deficiencies in system controls and detection capabilities in a bid to combat risks. The guidance states that MAS assessments uncovered a general lack of understanding surrounding inappropriate SWIFT access rights and their security risks.

In regards to mitigating payments fraud risks, the guidance states that “Banks should assess the effectiveness of their operational controls against MAS’ expectations and good practices” by implementing baseline SWIFT CSP controls for electronic payments.

3. MAS Notice PS-N01A on Prevention of Money Laundering and Countering the Financing of Terrorism for Persons Providing Account Issuances Services Who Are Exempted Under the Payment Services Regulations 2019 (Exemption for Specified Period)

This notice was published on December 5, 2019, along with MAS Notice PS-N01, regarding AML/CFT requirements for individuals and businesses that are exempt under the 2019 Payment Services Regulations. The requirements don’t differ in principle from MAS Notice PS-N02 regarding MAS expectations for implementing appropriate AML/CFT measures. However, it’s worth noting that the requirements are significantly simplified and specific to entities and individuals whose primary business is not payment services and who are not legally licensed.

4. MAS Notice PSN01 on Prevention of Money Laundering and Countering the Financing of Terrorism for Holders of Payment Services License (Specified Payment Services)

This notice was published on December 5, 2019 and became effective on January 27, 2020. The notice outlines AML/CFT requirements for payment service providers, except for digital payment token service providers, which must abide by their own set of requirements outlined in Notice PS-N02.

5. Guidelines to MAS Notice PS-N02 on Prevention of Money Laundering and Countering of Financing of Terrorism

On March 16, 2020, the MAS published new guidelines supplementing MAS Notice PS-N02, which was released in December 2019. The guidelines provide further AML/CFT instructions in relation to Notice PS-N02 by providing definitions and clarifications, introducing key concepts in money laundering and terrorism financing, outlining risk assessment best practices, and reiterating customer due diligence requirements.

Key Highlights for Financial Institutions

• Customer Due Diligence and Non-Face-to-Face Identity Verification: Section 6 of the guidelines exhaustively outlines requirements for customer due diligence, including identification of customers that are considered legal persons; verification of customer identity; reliability of information and documentation; identification and verification of beneficial owners and customer representatives; and the review of non-account transactions. There are also measures for non-face-to-face business relations or non-face-to-face transactions undertaken without account opening.

6. MAS Promotion of Digital Finance and E-Payments to Support COVID-19 Safe Distancing Measures

On April 9, 2020, the MAS “urged” individuals and businesses to use digital financial services and e-payments in the wake of the COVID-19 pandemic and the related social distancing regulations. The MAS states that it “encourages FIs to actively promote the use of [non-face-to-face] digital options and provide customers suitable guidance on how to use them,” specifically for customer verification.

In concordance with this, the MAS announced that it would be working with The Association of Banks in Singapore (ABS) to promote the use of existing digital payment applications such as PayNow, PayNow Corporate and SGQR.

7. MAS AI Adoption in Financial Services: Launch of Veritas AI Initiative

On May 28, 2020, the Monetary Authority of Singapore (MAS) announced the launch of the first phase of its Veritas AI initiative. The Veritas framework for financial institutions promotes the adoption of AI and data analytics and gives FIs a way to test AI solutions while incorporating existing best practices. The first phase is focused on fairness metrics in credit risk scoring and customer marketing. A timeline and agenda for Phase 2 has not been announced.

8. MAS Consultation Paper on a New Omnibus Act for the Financial Sector

On July 21, 2020, the Monetary Authority of Singapore (MAS) announced plans to implement June 2019 Financial Action Task Force (FATF) recommendations for crypto currency into the national legal framework.34 The legislation is part of a broader initiative to combat risks undermining the country’s financial sector.

• It would mandate that all virtual asset service providers (VASPs) be subject to the same AML/CTF requirements as other financial institutions. This would also apply to offshore virtual currency providers.

• It would impose requirements on technology risk management by introducing a power to issue directions or regulations for the management of technology and cybersecurity risks, the safe use of technology to provide financial services and the safe use of technology when protecting data. These requirements would be applicable to all financial institutions.

Additionally, the new act would clarify which kind of services are considered “digital token services”. The consultation closed August 20, 2020. As of the publication of this report, a timeline for enactment has not been announced.

9. MAS Guidance on Enterprise-Wide Risk Assessment (EWRA) on Money Laundering/Terrorism Financing Information Paper

In August 2020, the Monetary Authority of Singapore (MAS) published an information paper on general enterprise-wide risk assessment at financial institutions and the security measures that should be implemented to combat inherent AML/CFT risk. The information paper doesn’t provide new regulations or standards but encourages financial institutions to challenge risks through effective control procedures.

10. Payment Systems Oversight Revocation Order 2019

This order, originally published December 5, 2019, went into effect on January 28, 2020. The order revokes previous orders issued under the Payment Systems Oversight Act. They are the Payments Systems Oversight Designated Payment Systems Consolidation Order; the Payment Systems Oversight Designated Payment Systems Order 2011; and the Payment Systems Oversight Designated Payment Systems Order 2015.

11. PDPC Guide to Accountability Under the Personal Data Protection Act

On July 15, 2019, the PDPC updated its guidance on organizational accountability under the Personal Data Protection Act. The guide introduces key concepts surrounding accountability in personal data protection, specifically the ways organizations can demonstrate accountability to customers.

12. PDPC Technical Guide to Advisory Guidelines on the PDPA for NRIC and Other National Identification Numbers

On August 25, 2019, the Personal Data Protection Commission published updated guidance “to provide organizations with tips for the replacement of identification numbers as a way of identifying individuals in their websites and other public-facing computer systems.” The PDPC states that it doesn’t advise entities to adopt one type of identifier over another to replace NRIC and that each organization should assess the suitability of an identifier based on business and operational needs.

Key Highlights for Financial Institutions

• Key Considerations for Choosing a Replacement Identifier for NRIC Numbers: The guidance states that entities should consider the following when replacing NRIC numbers with another identifier: it should be easily remembered by the individual; it should be unique to each individual; it should not contain sensitive information; and it should not be able to be easily guessed by others.

• Types of Identifiers: The guidance details several types of identifiers, including user selected identifiers/usernames, organization selected identifiers, email addresses, mobile numbers, and partial NRIC numbers.
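As an added illustration of the PDPC criteria above (this is example code written for this report, not a PDPC or OneSpan tool), the following Python screens a candidate replacement identifier against three of the four considerations that can be checked mechanically: uniqueness within an organization’s registry, absence of an embedded NRIC number (a full NRIC is sensitive information), and resistance to trivial guessing. The NRIC shape used by the regex (a prefix letter, seven digits and a check letter) is the public format of the number; the guessability heuristics, the deny list of common choices and all sample identifiers are assumptions constructed for the example.

```python
import re
import secrets
import string

# Public NRIC/FIN shape: prefix letter, seven digits, check letter (e.g. S1234567D).
# Lookarounds stop "ABC12345678" style strings from matching only because they
# happen to contain nine alphanumerics; the token must stand on its own.
NRIC_RE = re.compile(r"(?<![A-Z0-9])[STFG][0-9]{7}[A-Z](?![A-Z0-9])", re.IGNORECASE)

# Assumed deny list of trivially guessable choices; a deployment would keep its own.
COMMON_CHOICES = {"admin", "user", "test", "password", "12345678", "00000000"}


def contains_nric(candidate: str) -> bool:
    """True if a full NRIC-shaped token is embedded anywhere in the identifier."""
    return NRIC_RE.search(candidate) is not None


def is_easily_guessable(candidate: str) -> bool:
    """Heuristic for the 'not easily guessed' criterion (our assumption, not PDPC text):
    very short values, deny-listed values, one repeated character, or a plain
    ascending/descending digit run are all treated as guessable."""
    c = candidate.lower()
    if c in COMMON_CHOICES or len(c) < 6:
        return True
    if len(set(c)) == 1:  # e.g. "aaaaaaaa"
        return True
    if c.isdigit():
        diffs = {int(b) - int(a) for a, b in zip(c, c[1:])}
        if diffs <= {1} or diffs <= {-1}:  # "12345678" or "98765432"
            return True
    return False


def assess_identifier(candidate: str, registry: set) -> list:
    """Return the criteria the candidate fails; an empty list means it is acceptable
    on the three machine-checkable criteria (memorability is left to the user)."""
    failures = []
    if candidate in registry:
        failures.append("not unique")
    if contains_nric(candidate):
        failures.append("contains NRIC")
    if is_easily_guessable(candidate):
        failures.append("easily guessable")
    return failures


def issue_opaque_identifier(registry: set, length: int = 10) -> str:
    """Mint an organization-selected identifier: random, unique within the registry,
    and recorded there so later candidates cannot collide with it."""
    alphabet = string.ascii_uppercase + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not assess_identifier(candidate, registry):
            registry.add(candidate)
            return candidate


if __name__ == "__main__":
    # Constructed sample registry and candidates for a quick demonstration.
    known = {"rider_2041"}
    for sample in ("S1234567D", "12345678", "rider_2041", "ack-T7654321Z", "falcon_ridge"):
        print(sample, "->", assess_identifier(sample, known) or "ok")
    print("minted:", issue_opaque_identifier(known))
```

The trade-off the guidance leaves to each organization shows up directly here: a minted opaque identifier scores well on uniqueness and guess-resistance but poorly on memorability, which is why user-selected usernames remain one of the listed options and why `assess_identifier` reports failures rather than deciding for you.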

1. “The Future of Financial Services: Impact for Australia,” Deloitte, 2016. Bit.ly/3kQZHFo.
2. Joseph Brookes, “Fintechs Get ‘Screen Scraping’ Green Light from Australian Regulators,” Which-50, March 3, 2020. Bit.ly/2Gb78Z0.
3. “Financial Services Industry in Hong Kong,” Hong Kong Means Business, HKTDC, September 19, 2019. Bit.ly/3dcSJIB.
4. Patrick Chan, “Tech Disruption in Retail Banking: Hong Kong’s Large Banks Are Pioneering The City’s Fintech Development,” S&P Global Ratings, June 3, 2020. Bit.ly/30AKErW.
5. HKMA and Raymond Chan, Hong Kong Monetary Authority (2019). Bit.ly/34slqNn.
6. “Indian Financial Services Industry Report 2020,” IBEF (India Brand Equity Foundation), September 4, 2020. Bit.ly/2StqlrZ.
7. “Financial Services in India: Sector Snapshot,” IBEF (India Brand Equity Foundation), September 4, 2020. Bit.ly/30AK4dT.
8. Sandhya Keelery, “India: Consumer Usage of Smartphones for Digital Banking by Age Group 2018,” Statista, July 7, 2020. Bit.ly/2Sw4P60.
9. Chris Burt, “Biometric Multi-Factor Authentication Requirement for Digital Payments Weighed by Indian Government,” Biometric Update, February 18, 2020. Bit.ly/3nkNwTG.
10. Meng Liu, “Japanese Banks’ Digital Awakening Is On The Way,” Forrester, June 25, 2020. https://go.forrester.com/blogs/japanese-banks-digital-awakening-is-on-the-way.
11. Katsuhiko Fujihara, “Japanese FinTech Regulations Set for Further Changes in 2020,” Morrison & Foerster, February 20, 2020. Bit.ly/2F2545t.
12. Katsuhiko Fujihara, “Update on Reforms to Japanese Regulations for Non-Bank Fund Transfer Services and Other Amendments to the Payment Services Act,” Morrison & Foerster, July 15, 2020. Bit.ly/3jzClnB.
13. Tsuguhito Omagari and Yuki Sako, “Japan’s New Crypto Regulation: 2019 Amendments to Payment Services Act and Financial Instruments and Exchange Act of Japan,” K&L Gates HUB, November 26, 2019. Bit.ly/36xRAtx.
14. Atsushi Okada, “Japan: Impact of Adopted APPI Amendment Bill,” DataGuidance (Mori Hamada & Matsumoto, Tokyo), August 4, 2020. Bit.ly/34qtMoW.
15. “Overview of the New Zealand Financial System,” Reserve Bank of New Zealand, March 31, 2020. Bit.ly/2GGalQA.
16. Christine St. Anne, “New Zealand Leads on Digital Banking,” AB&F Magazine/RFI Group, August 2018. Bit.ly/3lgURl6.
17. Sara Barker, “New Zealanders Love Digital Banking - What It Means for Ecommerce,” bizEDGE New Zealand, September 25, 2018. Bit.ly/2SriXgP.
18. Ksenia Stepanova, “Financial Services in New Zealand Is ‘at a Crossroads’ – and It’s Only the Beginning,” Insurance Business New Zealand, October 16, 2019. Bit.ly/3iwo1uP.
19. Jan Bellens, “How a Social Media Firm Created Korea’s Fastest Growing Bank,” EY, June 20, 2018. Bit.ly/3nkRw6E.
20. Sayuri Umeda, “South Korea: New Digital Signature Act to Take Effect in December 2020,” Global Legal Monitor, Library of Congress, August 28, 2020. Bit.ly/2SvJ4TC.
21. Sayuri Umeda, “South Korea: New Digital Signature Act to Take Effect in December 2020,” Global Legal Monitor, Library of Congress, August 28, 2020. Bit.ly/2SvJ4TC.
22. Hyung-Geun Ji, Kyu Bin Lin, and Raymis H. Kim, “KIPO Accepts E-Signatures and Online Notarizations During COVID-19 Pandemic,” Lexology (Kim & Chang), June 30, 2020. Bit.ly/3lh67OE.
23. Merkle Science, “RegWatch: South Korea’s Act on Reporting and Using Specified Financial Transaction Information...,” Medium (OhKims Law & Company/Merkle Science), April 15, 2020. Bit.ly/34qxjnc.
24. Kwang Bae Park, Hwan Kyoung Ko, Sung Hee Chae, and Kyung Min Son, “Amendments to the Personal Information Protection Act and Credit Information Use and Protection Act,” The Legal 500 (Lee & Ko), August 17, 2020. Bit.ly/3jzGRCI.
25. Alex Hamilton, “South Korea Reports 20m Subscriptions to Open Banking Service,” FinTech Futures, July 6, 2020. Bit.ly/2GsdXWL.
26. Kao Shih-ching, “Digital Savings Accounts’ Popularity Growing: FSC,” Taipei Times, February 6, 2020. Bit.ly/36AAhIk.
27. Teresa Huang and Elva Chuang, “Focused Summary of the Taiwan Regulations on the Issuance and Trading of the Security Token and Regulatory Amendment Recommendations (Taiwan),” Lexology (Lee, Tsai & Partners), May 4, 2020. Bit.ly/3cZD4vQ.
28. Robin Chang and Eddie Hsiung, “National Development Council Prescribed the Guidelines for Trial Operation of Data Interface on MyData Platform,” Lexology (Lee and Li Attorneys At Law), April 30, 2020. Bit.ly/2SxPfXe.
29. “The FSC Promotes the ‘Financial Security Action Plan’ to Pursue the Goal of Safe, Convenient and Uninterrupted Financial Services,” Financial Supervisory Commission R.O.C. (Taiwan), FSC.gov.tw, August 6, 2020. Bit.ly/33v47Mt.
30. “Draft Amendment to Act Governing Electronic Payment Institutions,” VIXIO PaymentsCompliance, September 16, 2020. Bit.ly/36yacJU.
31. Hwee Kwan Chow and Sai Fan Pei, “Financial Sector in Singapore” (report), Singapore Management University, January 2019. Bit.ly/3cBBK2l.
32. Jamie Lloyd Evans, “Digital Identities: A Game Changer for Singapore Banking,” Regulation Asia, April 7, 2020. Bit.ly/2RPBmn6.
33. “Public Consultation on the Draft Personal Data Protection (Amendment) Bill,” Ministry of Communications and Information, MCI.gov.sg, May 14, 2020. Bit.ly/2HrJMPH.
34. “Public Statement on Virtual Assets and Related Providers,” Financial Action Task Force (FATF), FATF-GAFI.org, June 21, 2019. Bit.ly/32TVavZ.
