Regulators propose new regulations for virtual asset exchanges and enhanced customer identity verification requirements, and launch an innovative commercial data interchange.

This blog post summarises key regulatory developments in Hong Kong and Singapore during November 2020, including:

— The Hong Kong FSTB’s consultation proposing a new regulatory framework for virtual asset exchanges
— The HKMA’s new commercial data interchange initiative
— The MAS’ consultation proposing requirements to strengthen financial institutions’ non-face-to-face identity verification process of individuals
— The MAS’ guidance to financial institutions to review security controls amidst COVID-19
— The MAS’ publication of its 2019/2020 enforcement report

Hong Kong

1. The FSTB consults on a new regulatory regime for virtual asset exchanges

The Financial Services and Treasury Bureau (FSTB) issued a consultation paper proposing a new licensing regime for virtual asset service providers (VASPs).

The FSTB consultation paper follows on from the Securities and Futures Commission’s (SFC’s) November 2019 position paper, which set out a new regulatory framework for virtual asset trading platforms (VATPs). Under this regime, a VATP offering trading of at least one virtual asset that is a “security” (as defined in the Securities and Futures Ordinance) is able to “opt in” to be licensed and regulated by the SFC. (For more details, see Latham’s blog post “Hong Kong FinTech Week: Day 1 in Review”.)

The SFC acknowledged the limitations of this opt-in regime, noting that virtual asset exchanges that only facilitate trading in non-security cryptocurrencies could operate as unregulated businesses.

The FSTB subsequently issued a consultation paper proposing a new licensing regime (New Regime) under the Anti-Money Laundering Ordinance for VASPs that operate a virtual asset exchange and do not offering trading in securities (VA Exchange). In the consultation paper, the FSTB proposes requiring VASPs to apply for an SFC licence if they operate VA Exchanges in Hong Kong or target Hong Kong customers. Further, under the proposal, any person carrying on such activities without a valid licence will commit a criminal offence.

The key takeaways from the FSTB’s consultation paper include:

• The New Regime will enable the SFC to engage its whole range of regulatory functions, including assessing VA Exchange applicants through their licence applications, monitoring VA Exchanges’ daily operations, conducting investigations, and, if necessary, enforcing rules.
• The New Regime will only apply to centralised VA Exchanges; decentralised VA Exchanges will continue to fall outside of the regulatory licensing perimeter (consistent with the opt-in licensing framework for VATPs).
• Licensed VA Exchanges, at least initially, will only be permitted to offer their services to customers that qualify as “professional investors”. This limited permission means that once the New Regime comes into effect, retail investors in Hong Kong may find themselves unable to trade virtual assets on exchanges (though they could still access decentralised exchanges and transact with over-the-counter brokers).
• Under the New Regime, all VA Exchange providers will either be licensed as VATPs under the current opt-in regime or as VA Exchanges under the New Regime. The regimes will have the same regulatory standards, as well as the same benchmark regulatory and supervisory principles that apply to traditional financial services intermediaries and other trading venues.

(For more details, see Latham’s blog post “Hong Kong Fintech Week 2020: SFC Announces New Crypto Regulatory Regime for Virtual Asset Exchanges” and Client Alert “Hong Kong Consults on a New Licensing Regime to Regulate Virtual Assets Exchanges”.)

2. The HKMA’s commercial data interchange initiative

On 2 November, the Hong Kong Monetary Authority (HKMA) announced in a press release and a speech at the Hong Kong Fin Tech Week that it will be introducing a new data sharing initiative, the Commercial Data Interchange (CDI).

Currently, data comes from different sectors and entities, and moves between data providers and banks via bilateral connections without standardized protocols. Customers, especially small and medium-sized enterprises, are negatively affected by the fact that it is difficult for banks to collect holistic information from them about their businesses or financial activities. In particular, if banks are unable to perform credit assessments based on up-to-date business data, they may instead require collateral, such as property, before granting a loan.

The CDI aims to establish a consent-based common standard for data owners to share their digital footprint with banks through data providers (such as utilities companies and payment gateways). Under the CDI, each bank and data provider will have a single connection to this interoperable platform, and with customers’ consent, banks will have direct, efficient access to a substantial body of data. This central platform would enable banks to offer more suitable services to customers and perform more precise and objective credit assessments.

The HKMA is currently conducting a proof-of-concept study of the CDI in collaboration with banks. The study focuses on using trade-related data to facilitate the trade finance application process and is expected to be completed by the end of 2020.

The next phase, related to other commercial data sources that could facilitate alternative credit scoring by banks, will begin in 2021. Alternative credit scoring describes the use of alternative data to evaluate a borrower’s financial soundness and repayment capability. Alternative data may be obtained from third-party data providers such as telecom companies, utility companies and social media platforms. It can also include analysed data derived from a multitude of unconventional evaluation methods, for example data accumulated from tracking digital activities on social media that can be used to evaluate the potential operational risk of a business. This promises to be an interesting area for further development during 2021.

For more details, see Latham’s blog post “Hong Kong Fintech Week 2020: 3 Key Policy Initiatives of the HKMA”.

Singapore

3. MAS consults on requirements to strengthen financial institutions’ non-face-to-face identity verification process

The Monetary Authority of Singapore (MAS) issued a consultation paper proposing requirements on the types of information financial institutions must use for non-face-to-face verification of an individual’s identity (Proposed Requirements). In light of the rising number of impersonation fraud cases, the Proposed Requirements aim to address the risk of impersonation fraud arising from the theft and misuse of an individual’s personal particulars.

The Proposed Requirements are as follows:

• Financial institutions must use at least one of the following types of information for non-face-to-face verification, through channels such as phone banking or online banking, before they undertake any transactions or requests from an individual:
  • Information that only the individual knows, such as password or personal identification number
  • Information that only the individual has, such as one-time password generated by a hardware token issued to the individual, or a software token activated on the individual’s mobile device
  • Information that uniquely identifies the individual based on the individual’s biometrics, such as face or fingerprint recognition
  • Information that is only known between the individual and the financial institution, such as account transaction information

• Financial institutions must not rely on common personal information such as National Registration Identity Card number, residential address, and date of birth as the sole means of identity verification.

The MAS has proposed a transition period of six months from the date of issuance of a Notice on Identity Verification for financial institutions to comply with the Proposed Requirements. The consultation closes on 9 December 2020.

4. MAS advises financial institutions to review security controls amidst COVID-19

The MAS’ Cyber Security Advisory Panel (CSAP) emphasised the need for financial institutions to review their security controls given the elevated technology-related risks arising from remote working and safe management measures due to COVID-19.

The CSAP’s key recommendations include:

• Financial institutions should review existing risk profiles and the adequacy of risk mitigating measures (and assess whether existing risk profiles have changed and remain acceptable), given the risks and vulnerabilities arising from the rapid adoption of remote access technologies and work processes.
• Financial institutions should improve oversight of third-party vendors, and monitor and secure remote access by third parties to the financial institutions’ systems, especially since remote working has become pervasive during the COVID-19 pandemic.
• Financial institutions should establish policies and procedures on the use of open-source software and ensure these codes are robustly reviewed and tested before deploying them, given that open-source software is typically targeted and exploited by threat actors.

5. The MAS’ publication of its 2019/2020 enforcement report

The MAS published its enforcement report detailing the enforcement actions it had taken from January 2019 to June 2020, and its key enforcement priorities for 2020/2021.

The MAS’ key enforcement priorities for 2020/2021 include:

• Pursuing serious and complex cases of corporate disclosure breaches
• Deepening the capability to proactively detect potential financial advisory misconduct
• Continuing to focus on financial institutions that lack rigorous systems and processes for combatting money laundering and countering terrorism financing
• Updating enforcement-related powers to better detect, investigate, and take action against misconduct
• Enhancing focus on senior management accountability for breaches by their financial institutions or subordinates