Fuelled by the rapid progress of digitalisation across financial services, regulators are scrutinising some of the technologies reshaping the industry. In the EU, regulators are putting together a comprehensive supervisory framework to oversee crypto-assets, a market that is undergoing exponential growth. Take crypto-currencies, for instance, which now have a market capitalisation of USD1.365 trillion.1 Simultaneously, EU regulators are also introducing new rules around operational resiliency, amid concerns that systemically important financial institutions are becoming too dependent on external IT providers. Experts at HSBC’s Markets and Securities Services Forum – Opportunities in 2021 and Beyond – shared some of their insights into how the EU’s digital reform package could impact markets.
Supervising the crypto-market
Shay Lydon, partner in the asset management group at Matheson, said there is a lot of ambiguity about the nature and definition of crypto-assets, which typically comprise crypto-currencies (e.g. Bitcoin), stablecoins, central bank digital currencies [CBDCs] and security tokens. “One of the critical objectives of the MiCA (Markets in Crypto-Assets) bill is that it hopes to come up with a definition of what constitutes crypto-assets,” said Paul Ellis, Global Product Head, Regulation, Tax, Trustee and Depositary at HSBC. Under MiCA, the EU has confirmed that existing rules such as the Markets in Financial Instruments Directive II (MiFID II) will be extended to apply to issuers and servicers of regulated crypto-assets. Nonetheless, there will be no double regulation of an asset under both MiFID and MiCA. Instruments within scope of MiCA will include things like security tokens otherwise known as tokenised assets. The European Commission (EC) also said it will endorse a pilot scheme allowing market infrastructures to support the trading and settlement of regulated crypto-assets using Distributed Ledger Technology.2 The EC hopes MiCA will help encourage more investors to trade regulated crypto-assets thereby facilitating greater market liquidity. Nonetheless, MiCA will not apply to CBDCs, an asset class which is the domain of Central Banks. James Pomeroy, global economist at HSBC, said a number of Central Banks – including those in China, Sweden and The Bahamas are all now developing their own CBDC pilots.
In the case of unregulated crypto-assets, the EC has confirmed it will impose tighter checks on issuers and servicers, including minimum capital requirements and more rigorous investor protection mechanisms.3 Unregulated crypto-assets consist of crypto-currencies, utility tokens, payment tokens, stablecoins and e-money tokens.4 Lydon said the proponents behind the MiCA rules are hoping to do for crypto-assets what MiFID did for equities, fixed income and derivatives. “MiCA allows for the regulation of crypto-assets and crypto-asset service providers. It supports a harmonised regime inside the EU. Crypto-asset service providers – who are regulated in their home jurisdiction – can passport their services across the EU,” commented Lydon.
Ensuring digital operational resilience
Through its recently proposed Digital Operational Resilience Act (DORA), the EC is responding to the increasing levels of outsourcing by financial institutions to third party IT and software vendors, said Richard Pounder, head of operational and resilience risk, Securities Services, HSBC. With so many IT activities now being outsourced, financial institutions are becoming very dependent on third parties.
“IT and cyber-security risk are big areas of focus for DORA and the broader Operational Resilience agenda,” said Pounder. Under the proposals – which will be harmonised across the EU 5 – financial institutions must demonstrate that they can withstand IT-related disruption at an external provider. In addition to requiring financial institutions to manage their external IT risk and test their digital operational resilience6 routinely, Pounder said it was essential for firms to build in fallback options to deal with potential crises at their IT vendors. The importance of this has been reinforced not just by the pandemic but also by recent high profile IT outages, such as those at Google and Fastly, a cloud computing services provider – both of which caused significant disruption.
Although digitalisation presents excellent opportunities for market participants, some of the new and dicier crypto-asset classes are not without their challenges, which is why regulators are introducing frameworks to oversee them. Similarly, the growing reliance on outside IT/software vendors at financial institutions, including banks and critical market infrastructures, creates a different sort of risk, which needs to be managed better. In short, regulators want financial institutions to demonstrate that they have robust digital resilience safeguards in place.
1 Coin Telegraph (June 23, 2021) Crypto market cap recovers USD76 billion, altcoins rally after Bitcoin hits USD34,000
2 European Commission (September 24, 2020) Digital Finance Package
3 European Commission (September 24, 2020) Digital Finance Package
4 Ashurst (October 7, 2020) 10 things you need to know about MiCA: Europe’s proposals for regulating crypto-assets
5 Refinitiv (March 3, 2021) Enhancing digital resilience in the EU
6 Deloitte – the EU’s Digital Operational Resilience Act for financial services