Autumn is upon us and people are returning from their holidays and to their desks – both virtually and in the office. So what should compliance professionals be considering as the seasons change?
During the summer, life in the payments space was no quiet sunbathe. While government departments all over the world were making hectic announcements about how to test and inoculate tourists, changes in regulatory policy were emerging just as quickly.
The most favourable news of the last few months is the European Union’s decision to grant “adequacy” to the UK’s data protection regime. Following hard on the heels of this, however, is the British Government’s declaration this week that it wants to wreak massive changes on “UK GDPR,” its onshored version of the European General Data Protection Regulation. It wants to make the data-protection process more business-friendly and less bureaucratic, which could be code language for watering people’s data rights down. This might result in European retaliation.
Also in the UK, a senior official at the Financial Conduct Authority has hinted overtly that his organisation might force directors at payment and e-money firms into the UK’s Senior Management & Certification Regime (SM&CR).
The official made his comments at a webinar organised by the Emerging Payments Association. The FCA introduced the SM&CR in its original form in 2016 and uses it to regulate the governance of financial institutions by assigning responsibility and showing clear accountability.
The UK’s Information Commissioner’s Office, which is responsible for data protection, has also proposed some wording for a standard contract that any firm, including a payment service provider, might use when making a restricted transfer of personal data to a country outside the UK. This came on the back of the EU’s declaration that the UK’s regime was adequate.
Across the Channel, the EU finally unveiled its digital euro plans. Although the European Central Bank has not fully committed to an eventual CBDC issuance, the new investigative phase will look at the new product’s design and distribution.
The EU also unveiled its long-awaited anti-money laundering (AML) plans. Money-laundering control has long plagued the EU, with countries following differing policies in response to the directives and often failing to keep up to date with their progress.
As part of its new proposal, the European Commission has stated that it wants a single rulebook for AML in the trading bloc, that there will be new rules for crypto-transactions that fall in line with the Financial Action Task Force’s recommendations and, most significantly, that there will be a new authority at EU level.
It is anticipated that the latter will have the biggest impact on financial institutions. Compliance professionals are used to dealing with their national regulators on this matter, and now face an entirely new and centralised entity. However, this is still some time off and a tussle between the EU’s capitals should be anticipated as governments begin to lobby to host the agency. If the European Banking Authority’s (EBA) post-Brexit rehousing in Paris is anything to go by, it could get personal.
Speaking of the EBA, it also has its eye on AML at the moment.
The EBA is consulting on new guidelines to govern the day-to-day activities of compliance officers whose job it is to organise their firms’ efforts against money laundering and terrorist financing. Stakeholders have until November 2 to respond to the proposed guidelines.
And coming up this autumn, there is the EU’s long-awaited review of the revised Payment Services Directive. It is expected that issues such as authentication, and regulatory blind spots such as the role of big tech in payments, could be considered as part of the review.
Likely to begin in November, the review could send ripples through the EU’s payments industry. The industry could either be in line for a victory, considering some of PSD2’s more awkward compliance requirements, or could find itself grappling with even more changes after years of cooperation and negotiation in the payments ecosystem to ensure initiatives such as open banking work for consumers.
Lastly, payment firms in Singapore have until September 10 to adapt to the city-state’s new individual accountability and conduct regime, which will hold senior managers responsible for the actions of their employees and the conduct of the areas that they oversee.