1 Applicable Regulations in Digital Finance
- Regulatory perimeter: Developments such as the mainstream use of cryptocurrencies, outsourced cloud computing services and the entry of non-financial firms as providers of products and services such as lending to SMEs and retail payment systems call into question where the boundary of the regulatory perimeter should lie. As the perimeter widens, an increasing number of firms will find themselves subject to regulatory requirements.
- Retail conduct: For consumer protection, regulators use a mixture of (a) transparency and disclosure, (b) prohibiting or limiting the sale of some products and services to retail customers and (c) adapting codes of conduct to take fintech developments into account.
- Data and artificial intelligence: Data protection legislation, including the EU General Data Protection Regulation (GDPR), already covers most issues arising from the use of digital technologies. However, the rapid change driven by artificial intelligence (AI) and distributed ledger technologies means further regulation of the collection, management and use of data may be needed. The growing collection of broad ranges of financial and non-financial data, and its sharing among a growing pool of organizations, have intensified the debate on what further regulatory control may be required.
- Governance: Regulators seek to ensure that boards and senior managers fully understand the digital technologies and applications in use and the risks resulting from them, so as to increase the focus on risk management and accountability.
- Cybersecurity: Regulators focus on enforcing the implementation of existing international standards.
- Open banking: Regulation has shaped the creation of a market for new fintechs in open banking by establishing the principles and protocols under which data can be shared between different parties, usually through an application programming interface (API).
2 Main Digital Finance Regulations
2.1 The General Data Protection Regulation (GDPR)
GDPR aims to ensure that:

- Personal data is gathered lawfully, with the appropriate consent and declarations.
- Collected data is not misused or exploited for purposes other than those for which it was collected.
- The rights of the data subject(s) are respected, in line with the controls set out in the regulation.

The regulation defines personal data as 'any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person' [3].
3 The Markets in Financial Instruments Directive II (MiFID II)

- Data storage, aggregation and analytical requirements: All information related to trades must be retained. A data retention and archiving strategy is required to cope with the likely volumes of data and information.
- Integration between disparate applications: Integrating applications with trading platforms so that key data can flow between them is a key requirement resulting from MiFID II. API-based integration is seen as the most efficient approach in most cases.
- Enhanced and transparent client portal: To give investors appropriate protection, firms must maintain comprehensive client classification and client data inventories.
- Mobile device management (MDM) strategy: This relates to the obligation to keep a record of all telephone calls and electronic communications. The MDM strategy should ensure that the appropriate technology is in place to capture them, and should restrict the use of channels such as social media whose communications are encrypted and so cannot be recorded, making compliance difficult [7].
3.1 Payment Services Directive 2 (PSD2)

- Opens the payment market to new entrants; until now it had been limited to institutions holding a banking licence.
- Improves transparency over the services offered and the fees they incur, including maximum execution times and exchange rates. The directive has also accelerated development of the Single Euro Payments Area (SEPA), easing the execution of payments.
3.2 PSD2 Security Requirements and Guidelines

Strong customer authentication (SCA) under PSD2 requires at least two independent factors from the following categories:

- Knowledge: something only the customer knows, such as a password, PIN or personal ID number.
- Possession: something only the customer has, such as a smart card or a mobile handset.
- Inherence: something the customer is, i.e. an attribute inherent to the person, e.g. a fingerprint.

The accompanying security guidelines also require:

- Maintaining an inventory of all business functions, roles and processes, so that they can be mapped and their interdependencies understood.
- Maintaining an inventory of information assets, infrastructure and interconnections with other systems (both internal and external), so that all assets critical to the core business functions are managed effectively and disruption is minimized.
- Regularly monitoring threats and vulnerabilities affecting the assets critical to the effective delivery of business functions and processes.
3.3 Fourth Anti-Money Laundering Directive (AMLD4)
3.4 Basel IV
3.5 EU Legislative Proposal on Markets in Crypto-Assets (MiCA)
The proposal aims to:

- Provide legal certainty for crypto-assets not covered by existing EU legislation.
- Set uniform rules for crypto-asset service providers and issuers.
- Replace the existing national frameworks applicable to crypto-assets not covered by existing EU legislation.
- Establish rules for 'stablecoins', including those that qualify as e-money.
3.6 EU Draft Digital Operational Resilience Act (DORA)
The draft act provides for:

- Bringing 'critical ICT (Information and Communication Technology) third-party providers' (CTPPs), including cloud service providers (CSPs), within the regulatory perimeter. The European Supervisory Authorities would have mechanisms to request information, conduct off-site and on-site inspections, issue recommendations and requests, and impose fines in certain circumstances.
- EU-wide standards for digital operational resilience testing.
- Consistent ICT risk management rules across financial services sectors, based on existing guidelines.
- Consistent ICT incident classification and reporting.
- Potentially, a single EU hub for major ICT-related incident reporting by financial institutions.
3.7 EU Draft AI Act
For high-risk AI systems, the draft act requires providers to:

- Establish a risk management system.
- Maintain clear quality criteria for the datasets used to train and test those systems.
- Design the systems to log events automatically while they operate.
- Make their operation sufficiently transparent for users to interpret the system's output and use it appropriately.
- Supply instructions for use.
- Design the systems so that humans can oversee them effectively, including understanding the capacities and limitations of the AI.
- Provide oversight features that let users override the AI's decisions or interrupt the system by means of a 'stop' button.
- Design and develop the systems so that, in the light of their intended purpose, they achieve an appropriate level of accuracy, robustness and cybersecurity, perform consistently in those respects throughout their lifecycle and are resilient, in particular against errors, inconsistencies in the operating environment and malicious actors.
4 Supporting Technologies for Regulations in Digital Finance
| Tool/platform (provider) | Relevance and applications for regulatory compliance |
|---|---|
| Data Protection Orchestrator (DPO) (Atos, https://atos.net) | Allows automated tools for assessing security and privacy by design and by default to be embedded in business flows, which are heterogeneous and complex. It orchestrates privacy and security management functions such as access control, encryption and anonymization. |
| Digital User Onboarding System (DUOS) (Atos, https://atos.net) | Manages virtual identities on a mobile device and uses an electronic ID (eID) or passport for remote user registration. DUOS uses eIDs issued by European national authorities under the EU eID schemes (eID cards and passports). To integrate DUOS it must be adapted and customized to the context in which the user needs authentication (e.g. a banking application). In digital finance it could implement 'anonymous' user onboarding: the user is securely identified by eID or e-Passport without revealing any detail of his/her identity to a third party. |
| Botakis Chatbot Development Network (Crowd Policy, https://crowdpolicy.com) | A tool for rapid development of chatbot applications, usable to build chatbot features in digital finance. The Botakis Chatbot Platform is expected to be enhanced with: built-in dialogs that use and integrate with existing natural language processing (NLP) frameworks (open or proprietary) provided by partners or any interested party; a dialog system whose dialogs are isolated and composable; built-in prompts for simple inputs such as yes/no, strings, numbers or enumerations [14]. The chatbot functionality will be able to capture GDPR consent and handle requests from people exercising the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability and the right to object. |
| Crowdpolicy Open (innovation) banking solution (Crowd Policy, https://crowdpolicy.com) | 'Crowdpolicy Open (innovation) banking platform is a set of predefined and customizable banking web services and data models integrated with our own API Manager that supports access control, monitoring and authentication. This solution puts the bank (or any monetary financial institution) in control of the third-party partner relation' [14]. The platform mainly covers the requirements for open banking APIs under the PSD2 directive and has several modules that are themselves API-based. |
| Anonymization tool (Gradiant, https://gradiant.org) | 'The anonymization tool is based on a risk-based approach that modifies data in order to preserve privacy. The tool includes different anonymization algorithms and it will determine automatically which of them (generalization, randomization, deletion, etc.) should be applied in order to preserve the maximum level of privacy for the data. It also includes a set of privacy and utility metrics that allow measuring the risk that remains after anonymizing the dataset, and the impact of the anonymization process on the quality of the data. The component requires two inputs: the data that has to be anonymized and a configuration file that defines the structure of the data, its location and the privacy requirements' [14]. The tool runs in batch or streaming mode. In batch mode the anonymized output is stored in a database whose location is given in the configuration file; in streaming mode the output is written to the service's queue. |
| Blockchain-enabled Consent Management System (Ubitech Limited, https://ubitech.eu; IBM, https://il.ibm.com; Innov-Acts Limited, https://innov-acts.com) | Offers a decentralized and robust consent management mechanism that lets the customer's consent to exchange and use their data be shared across different banking institutions. Financial institutions can manage and share their customers' consents in a transparent and unambiguous manner. The system stores the consents and their complete update history, with full versioning, in a secure and trusted way; the integrity of customer data processing consents and their immutable version history are protected by the blockchain infrastructure [15]. To achieve this, the solution exploits the key characteristics of blockchain technology to improve trust, capitalizing on its decentralized nature and the immutability that follows from the impossibility of falsifying the ledger. According to its providers, the use of blockchain enables extensibility, scalability, confidentiality, flexibility and resilience to attacks or misuse, guaranteeing the integrity, transparency and trustworthiness of the underlying data [15]. |
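The integrity and versioning property claimed for the consent management system can be illustrated with a hash-chained history of consent versions. The following is an added example written for this page, not code from the Blockchain-enabled Consent Management System or its providers. It keeps a single local chain over constructed sample consents and stands in for the ledger only as far as the hash linking goes; the decentralised replication across institutions that the real system relies on is not shown, which is why the check optionally takes a tip hash obtained from elsewhere (an assumption introduced here to show what replication adds):

```python
"""Added illustration, not the Blockchain-enabled Consent Management System itself:
a hash-chained, append-only history of consent versions. Every version commits to
the previous one, so rewriting history is detectable. All customers, purposes,
recipients and timestamps below are constructed sample values."""
import hashlib
import json

GENESIS = "0" * 64   # prev_hash of the first version


def content_hash(entry):
    """SHA-256 over every field except the entry's own hash, in canonical JSON."""
    payload = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    def __init__(self):
        self.entries = []   # versions 1..n in order; appended to, never edited

    def record(self, customer, purpose, recipient, granted, ts):
        """Append a new consent version and return its version number."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "version": len(self.entries) + 1,
            "customer": customer,
            "purpose": purpose,
            "recipient": recipient,
            "granted": bool(granted),
            "ts": ts,
            "prev_hash": prev,
        }
        entry["hash"] = content_hash(entry)
        self.entries.append(entry)
        return entry["version"]

    def current(self, customer, purpose, recipient):
        """Latest recorded decision for this consent, or None if never recorded."""
        for e in reversed(self.entries):
            if (e["customer"], e["purpose"], e["recipient"]) == (customer, purpose, recipient):
                return e["granted"]
        return None

    def history(self, customer, purpose, recipient):
        """Full version history of one consent as (version, granted, ts) tuples."""
        return [
            (e["version"], e["granted"], e["ts"])
            for e in self.entries
            if (e["customer"], e["purpose"], e["recipient"]) == (customer, purpose, recipient)
        ]

    def tip(self):
        """Hash of the latest version; publishing or replicating it pins the whole chain."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_tip=None):
        """Walk the chain. Returns (True, None) if intact, else (False, first bad version).
        Passing a tip hash held elsewhere also catches rewrites of the newest
        version, which a purely local check cannot see."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or content_hash(e) != e["hash"]:
                return False, e["version"]
            prev = e["hash"]
        if expected_tip is not None and prev != expected_tip:
            return False, len(self.entries)
        return True, None


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record("C1001", "marketing", "BankB", True, "2021-01-01T00:00:00Z")
    ledger.record("C1001", "marketing", "BankB", False, "2021-02-01T00:00:00Z")
    pinned_tip = ledger.tip()
    print("current:", ledger.current("C1001", "marketing", "BankB"), ledger.verify())
    ledger.entries[1]["granted"] = True                      # silently re-enable a withdrawn consent
    print("after tamper:", ledger.verify())                  # (False, 2)
    ledger.entries[1]["hash"] = content_hash(ledger.entries[1])
    print("after rehash, local check:", ledger.verify())     # (True, None): not caught locally
    print("against pinned tip:", ledger.verify(pinned_tip))  # (False, 2)
```

The last two lines of the demo are the point: a chain held by one party can be rewritten from the tip backwards by whoever holds it, so the integrity guarantee only becomes meaningful when the tip (or the whole chain) is replicated among parties that do not trust each other, which is what the blockchain deployment provides.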
| Regulation | Regulatory compliance need | Technology applied |
|---|---|---|
| GDPR | Consent management: tools that let the data subject choose what data they permit to be shared | Botakis Chatbot Development Network; privacy dashboards; CMS (Content Management System) for storing digitized documents; Blockchain-enabled Consent Management System |
| GDPR | Anonymized data: a dataset from which personally identifiable information has been irreversibly removed | Anonymization tool; ICARUS |
| GDPR | Pseudonymized data: a dataset in which fields within a record are replaced by one or more artificial identifiers (pseudonyms); the data becomes less identifiable while remaining suitable for analysis and processing | Pseudonymization tool |
| MiFID II | Recording and auditing system: allows review and evaluation of the computer systems and processes that are running, of their use, and of their security and privacy while processing information, supporting security and informed decision-making | Ad hoc logging implementations |
| PSD2 | Online payment services meeting the regulations | CrowdPolicy Open banking solution; SIEM |
| AMLD4 | Local databases of politically exposed persons (PEPs) | Ad hoc solutions for each country |
| General | Authentication: verifying that a user or process is who or what it claims to be | Specific solutions; CrowdPolicy Open solution; DUOS for Digital User Onboarding |
| General | Authorization: specifying access rights to resources | Specific solutions; CrowdPolicy Open solution; identity and access management |
| General | Privacy and security services orchestration: execution of the processes involved in building a service that complies with the regulations | Data Protection Orchestrator |
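The table's anonymized-data and pseudonymized-data rows describe two distinct techniques, and the Gradiant tool's description above pairs a risk-based choice of generalization or deletion with privacy and utility metrics. The following added example, written for this page rather than taken from the Gradiant anonymization tool, the pseudonymization tool or ICARUS, shows both side by side on constructed customer records: a keyed (HMAC-SHA256) pseudonym replaces the direct identifier, while anonymization deletes the identifier and generalises the quasi-identifiers, the level being chosen by a risk-based search until k-anonymity is reached, with a re-identification risk metric and a utility loss metric. The record values, key, attribute names, metrics and search parameters are all assumptions made for illustration:

```python
"""Added example (not the Gradiant tool or any other tool in the table):
pseudonymisation versus risk-based anonymisation on constructed records,
with a privacy metric and a utility metric for the result."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records. postcode and age are quasi-identifiers an attacker
# could link to outside data; customer_id is the direct identifier.
RECORDS = [
    {"customer_id": "C1001", "postcode": "10001", "age": 34, "balance": 1200},
    {"customer_id": "C1002", "postcode": "10002", "age": 37, "balance": 5400},
    {"customer_id": "C1003", "postcode": "10015", "age": 29, "balance": 800},
    {"customer_id": "C1004", "postcode": "10018", "age": 23, "balance": 300},
    {"customer_id": "C1005", "postcode": "10027", "age": 31, "balance": 9900},
    {"customer_id": "C1006", "postcode": "10039", "age": 26, "balance": 150},
]
QUASI_IDENTIFIERS = ("postcode", "age")
DEMO_KEY = b"constructed-demo-key-do-not-reuse"   # real key: a secret kept apart from the data


def pseudonymise(record, key):
    """Replace the direct identifier with an HMAC-SHA256 pseudonym.

    Deterministic, so records can still be joined; reversible by anyone who holds
    `key` and the original identifiers, so under GDPR this is pseudonymisation,
    not anonymisation, and the key must be stored separately from the data."""
    out = dict(record)
    tag = hmac.new(key, record["customer_id"].encode(), hashlib.sha256).hexdigest()
    out["customer_id"] = "P" + tag[:15]
    return out


def generalise(record, postcode_chars, age_bucket):
    """Delete the direct identifier and coarsen the quasi-identifiers: keep only
    the leading `postcode_chars` characters and bucket the age."""
    out = {k: v for k, v in record.items() if k != "customer_id"}   # deletion
    pc = record["postcode"]
    out["postcode"] = pc[:postcode_chars] + "*" * (len(pc) - postcode_chars)
    low = (record["age"] // age_bucket) * age_bucket
    out["age"] = f"{low}-{low + age_bucket - 1}"
    return out


def reidentification_risk(records):
    """Privacy metric: worst-case probability of singling out a record, i.e.
    1 / (size of the smallest group sharing the same quasi-identifier values).
    A k-anonymous dataset has risk <= 1/k."""
    groups = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)
    return 1.0 / min(groups.values())


def utility_loss(original, anonymised):
    """Utility metric: average fraction of distinct quasi-identifier values lost
    to generalisation (0 = nothing changed, 1 = attribute collapsed to one value)."""
    loss = 0.0
    for q in QUASI_IDENTIFIERS:
        before = len({str(r[q]) for r in original})
        after = len({str(r[q]) for r in anonymised})
        loss += 1 - after / before
    return loss / len(QUASI_IDENTIFIERS)


def anonymise(records, k, postcode_levels=(4, 3, 2), age_buckets=(5, 10, 20)):
    """Risk-based selection: try generalisation levels from least to most aggressive
    and return the first output that reaches k-anonymity, plus the chosen
    parameters. Raises if nothing in the search space is enough."""
    for postcode_chars in postcode_levels:
        for bucket in age_buckets:
            candidate = [generalise(r, postcode_chars, bucket) for r in records]
            if reidentification_risk(candidate) <= 1.0 / k:
                return candidate, postcode_chars, bucket
    raise ValueError(f"no generalisation in the search space reaches k={k}")


if __name__ == "__main__":
    pseudo = [pseudonymise(r, DEMO_KEY) for r in RECORDS]
    print("pseudonymised risk:", reidentification_risk(pseudo))   # 1.0: every row still unique
    anon, chars, bucket = anonymise(RECORDS, k=2)
    print(f"k=2 reached with postcode[:{chars}] and {bucket}-year age buckets")
    print("risk:", reidentification_risk(anon), "utility loss:", utility_loss(RECORDS, anon))
    for row in anon:
        print(row)
```

Pseudonymised rows keep every quasi-identifier intact, so the risk metric stays at 1.0 and the data remains personal data under GDPR. On this small sample, k=2 is reached only after the postcode collapses to one value and ages are bucketed by decade (risk 1/3, utility loss 0.75), which is the trade-off the tool's metrics are meant to expose. k-anonymity alone says nothing about the sensitive attribute (balance): a group whose balances are all similar still leaks, so a production tool adds further checks.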
5 Regulatory Compliance Tool and Data Protection Orchestrator (DPO)
The DPO:

- Helps developers of secure services and providers of protection components to supply protection configurations more easily.
- Allows individual privacy, security or data protection components to be combined into complex protection processes.
- Supplies the business logic needed to ensure that regulations are fulfilled.
- Exposes protection processes visually as BPMN diagrams, giving a clear view of each process.