- Kuwait Bans Virtual Assets
As global efforts intensify to fight money laundering and terrorist financing, the State of Kuwait has issued a directive grounded on a study by the National Committee for Anti-Money Laundering and Combating the Financing of Terrorism. This directive is Kuwait's vision of enforcing compliance with Recommendation (15) of the Financial Action Task Force (FATF), an international norm setter in virtual assets transactions. Virtual assets, as per FATF's delineation, are digital representations of value that can be traded, transferred, and utilized for payment or investment purposes.

The State of Kuwait emphasizes the following prohibitions:
  - The total ban on using virtual assets as a mode of payment or as a decentralized currency within its jurisdiction. All transactions utilizing virtual currencies as a payment instrument are under this embargo.
  - Disallowing the use of virtual assets as an investment medium. Consequently, service providers are instructed to refrain from offering this service to clients.
  - The prohibition of issuing or conferring any license to any individual or legal entity within Kuwait for providing virtual asset services for commercial gains or in the interest of others.

Exceptions to these prohibitions are securities governed by the Central Bank of Kuwait and other financial instruments overseen by the Capital Markets Authority (CMA). Additionally, all activities linked to mining virtual assets or currencies are banned.

In line with safeguarding the interests of clients, the directive necessitates consistent communication regarding the risks associated with virtual assets dealings executed outside Kuwait, particularly cryptocurrencies. These virtual currencies, devoid of any legal status, government issuance, or endorsement and unanchored to any underlying asset or issuer, are susceptible to speculative price fluctuations leading to potential substantial losses.

Violators of the directive will be subject to the measures or penalties defined in Article (15) of Law No. 106 of 2013 on Anti-Money Laundering and Combating the Financing of Terrorism, alongside penalties as per each regulatory authority. This directive came into effect on 17/07/2023. Link to the primary source.

The information provided is not legal, tax, investment, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your own legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. Some parts of the text may be automatically generated. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information.
- Hong Kong VATP Licensing and Compliance In-depth Guide
The inaugural Hong Kong framework for licensing virtual asset trading platform (VATP) operators was launched on June 1, 2023. The Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO) is the statutory instrument that brought this licensing system to life. The administrative duties and responsibilities for overseeing this licensing system fall under the Securities and Futures Commission (SFC) purview.

Who falls under the purview of the AMLO licensing structure?
The licensing framework extends its jurisdiction to operators of virtual asset trading platforms (VATPs) both within Hong Kong and abroad. A VATP operator with a physical business location in Hong Kong must acquire a license. Similarly, an overseas VATP operator actively promoting its services to Hong Kong's public also requires a license. However, the licensing structure is tailored explicitly for VATPs operating an automated system to pair up sellers and buyers and those handling virtual assets on behalf of their clients, either directly or indirectly. It does not encapsulate peer-to-peer platforms facilitating transactions outside their platforms or platforms that don't manage clients' virtual assets. Furthermore, the licensing regulations do not cover service providers related to other virtual asset facets, such as custody or payment systems.

Who qualifies for the transitional licensing terms?
Transitional licensing provisions only extend to international VATP operators with a physical establishment in Hong Kong. VATP operators delivering virtual asset (VA) services (as outlined in the AMLO) in Hong Kong before June 1, 2023, may be considered for the transitional licensing terms. The SFC plans to implement stringent criteria for this purpose and will only entertain VATP operators with a significant presence in Hong Kong before June 1, 2023.

In assessing whether a VATP operator has a substantial and meaningful presence, the SFC will consider factors such as:
  - The VATP operator's incorporation status in Hong Kong.
  - The existence of a physical office of the VATP operator in Hong Kong.
  - Whether the Hong Kong staff of the VATP operator exercise central management and control over operations.
  - Whether key personnel operating the trading system are stationed in Hong Kong.
  - The extent of the VATP operator's live operations, considering the number of clients and trading activity volume in Hong Kong.

A VATP operator qualifying for the transitional licensing terms and lodging an application to the SFC before February 29, 2024, is considered licensed until the SFC formally decides to either grant or refuse the license application.

What steps must be taken to adhere to the AMLO licensing structure?
Before lodging a license application, a VATP operator aspiring to be a licensee needs to:
  (a) Conduct an extensive gap analysis covering the organization's existing structure, governance, operations, systems, and controls to pinpoint areas requiring improvements to align with regulatory obligations;
  (b) Carry out the necessary upgrades, which might include changes to financial resources, custody arrangements, personnel, policies, documentation, etc.;
  (c) Create a fully owned subsidiary to serve as the VATP operator's associated entity with the intent to manage client assets and apply for a license from the Registrar of Companies for this subsidiary to operate as a trust or company services provider (TCSP) under AMLO;
  (d) Hire an independent external assessor to compile a Phase 1 Report (detailed in the section below).

Some of the key requirements include:

Necessary Financial Resources
A licensed VATP operator should maintain a minimum of HK$5 million in paid-up share capital and HK$3 million in liquid assets.
Responsible Officers and Executive Directors
Applicants must appoint at least two responsible officers (ROs) for VATP services. Each RO must qualify as "fit and proper" and fulfill the requisite experience stipulations. At least one RO should hold a position on the corporation's board of directors and be actively involved in or directly oversee the VATP service (commonly referred to as an executive director). Every individual executive director needs to be approved by the SFC as an RO. Due to their seniority, board members cannot choose to be approved only as licensed representatives. At least one RO must be continually available to supervise the VATP operator's business, meaning one RO must ordinarily reside in Hong Kong.

Formation of a Token Admission and Review Committee
A licensed VATP operator is obliged to establish a token admission and review committee. This committee sets the criteria for admitting virtual assets to trading, suspending and withdrawing virtual assets from trading, imposing requirements on virtual asset issuers listed on the VATP, and conducting regular reviews of these criteria and requirements.

Deployment of a Market Surveillance System
A licensed VATP operator must implement a market surveillance system, provided by a reputable and independent provider, to identify, monitor, and prevent any market manipulative or abusive activities on its VATP.

Custody Stipulations
A licensed VATP operator must set up an "associated entity" for holding client assets. This associated entity must:
  (a) Be incorporated in Hong Kong;
  (b) Be wholly owned by the VATP operator;
  (c) Hold a TCSP license from the Registrar of Companies;
  (d) Retain client assets in trust;
  (e) Conduct no other business besides receiving or retaining client assets on behalf of the VATP operator.

A minimum of 98% of client virtual assets must always be maintained in cold storage unless the SFC approves otherwise in specific instances. All seeds and private keys (and their backups) must be securely stored in Hong Kong.

Insurance or Compensation Provisions for Potential Losses
A licensed VATP operator must implement a compensation mechanism to offset potential losses resulting from hacking incidents, theft, fraud, or default. This mechanism should cover possible losses of 50% of client virtual assets in cold storage and 100% in hot and other storage. The compensation provision could comprise one or a mix of:
  (a) Third-party insurance;
  (b) Designated funds (held as a demand deposit or time deposit maturing in six months or less) or virtual assets of the VATP operator or any corporation within the same group of companies as the VATP operator that are held in trust for this purpose;
  (c) Bank guarantee issued by an authorized financial institution in Hong Kong.

The SFC must greenlight the compensation provision and any modifications to it.

What is the procedure for applying for a license?

Required Data
An applicant seeking a license must provide comprehensive information to the SFC regarding its business proposition, ultimate owners, directors, proposed responsible officers, and the associated entity created to hold client assets. Suppose the applicant is utilizing the transitional licensing provisions. In that case, confirmations of having operated the VATP in Hong Kong immediately before June 1, 2023, and adherence to regulatory requirements from the date the license is issued must also be provided.

Method of Application
Applications must be submitted digitally through the SFC's WINGS platform.

Application Charges
The applicant must pay application fees to the SFC. Currently, these fees are HK$4,740 for the VATP operator, HK$2,950 for each proposed responsible officer, and HK$1,790 for each licensed representative. Additional charges will apply if the applicant seeks to be licensed under the SFO.
Submission of External Assessor Reports Along with the Application
The license applicant must appoint an external assessor to evaluate its prospective business and submit the assessor's reports to the SFC during the license application (Phase 1 Report) and after the SFC has provisionally approved the application (Phase 2 Report) but before final approval. Allocating up to six months to finalize the Phase 1 Report is advised. Different external assessors may be appointed to review varying aspects of the applicant's business. The chosen assessor(s) must be independent, with the requisite expertise and technical knowledge to conduct the necessary assessments. The SFC clarified that the same service provider for a specific system could not also function as the external assessor. The SFC retains the right to object to the appointment of any external assessor.

The SFC has released its Scope of External Assessment Reports, outlining its expectations for the Phase 1 and Phase 2 Reports. The Phase 1 Report should examine the proposed structure, governance, operations, systems, and controls of the VATP, concentrating on key areas like governance and staffing, token admission, virtual asset custody, client identification, anti-money laundering, market surveillance, risk management, and cybersecurity. The assessor should evaluate whether the VATP operator's policies and procedures comply with legal and regulatory requirements and are clearly documented. The Phase 2 Report should provide the assessor's evaluation of the actual adoption and effectiveness of the planned policies, procedures, systems, and controls. Only after being satisfied with the findings of the Phase 2 Report will the SFC give the final approval for a license application.

External assessment reports are necessary to facilitate the SFC's processing of license applications. However, this requirement implies a further commitment of time and costs for license applicants in terms of identifying and appointing an external assessor and coordinating with the external assessor to review the VATP's proposed structure, governance, operations, systems, controls, and the final reports.

What activities does a license authorize?

Activities Allowed
A licensed VATP operator can conduct virtual asset trading with "professional investors" (as the SFO outlines). A licensed VATP operator may also provide certain virtual asset trading services to retail investors.

Activities Not Allowed
The activities prohibited for a licensed VATP operator include the following:
  - Offering financial aid to its clients for virtual asset acquisition (e.g., margin trading is not allowed)
  - Providing, trading, or dealing in virtual asset futures contracts or related derivatives
  - Offering algorithmic trading services to its clients
  - Arranging with clients to utilize client virtual assets held by the VATP for generating returns for clients or any other parties (e.g., lending, borrowing, staking, etc.)
  - Engaging in proprietary trading or market making on a proprietary basis

Possibility to offer virtual assets to retail investors
A licensed VATP operator can trade in eligible large-cap virtual assets with retail investors. Eligible large-cap virtual assets appear in at least two "acceptable indices" issued by two independent index providers. An index provider is deemed independent if it isn't part of the same group of companies as the virtual asset issuer or the licensed VATP operator.

An "acceptable index" is defined as one that measures the performance of the largest virtual assets globally and satisfies the following criteria:
  (a) The index should be investible with sufficiently liquid constituent virtual assets
  (b) The index should be objectively calculated and abide by established rules
  (c) The index provider should have the required expertise and resources to construct, maintain, and review the index's methodology and rules
  (d) The methodology and rules of the index should be well-documented, consistent, and transparent

At least one of the indices should be issued by an index provider in compliance with the IOSCO Principles for Financial Benchmarks, with experience publishing indices for conventional securities markets. The SFC may allow a licensed VATP operator to offer trading in other virtual assets to retail investors on a case-by-case basis.

What are the ongoing license requirements?
A licensed VATP operator must:
  (a) maintain consistent compliance with regulatory requirements under the AMLO
  (b) always meet financial resource requirements for minimum paid-up share capital and minimum liquid capital
  (c) periodically make regulatory filings to the SFC, including financial resources returns, annual returns, and annual business risk management questionnaire
  (d) make various ad hoc regulatory filings and applications to the SFC, for example, due to changes to personnel, ultimate owners, and scope of business activities
  (e) ensure continuous training for its representatives
  (f) promptly report to the SFC any significant breaches or non-compliance with regulatory requirements

Is compliance with the SFO licensing regime necessary?
The SFC recommends that a VATP operator obtain licenses under the AMLO and the SFO, even if the operator plans to list tokens not classified as "securities" under the SFO. The SFC will concurrently process applications under the AMLO and SFO using a streamlined approach.
The SFC suggests dual licenses because the characteristics and features of virtual assets may change over time, and a token's classification may shift from a non-security token to a security token, and vice versa. Having licenses under both the AMLO and the SFO ensures that any changes in a token's nature would not result in a licensing regime breach. If an applicant applies for a license under the AMLO only, it will likely need to justify to the SFC why it doesn't need a license under the SFO. If the SFO and AMLO requirements differ, a dual-licensed VATP operator must comply with the stricter requirement.

Can an existing SFC-licensed corporation apply for a dual license under the AMLO?
A VATP operator licensed under the SFO is required to conduct VATP operations solely. As a result, existing SFC-licensed corporations that want to operate a VATP must establish a new entity for this purpose.

What alternatives exist if you wish to avoid applying for a license?
If you operate a VATP in Hong Kong and don't want to apply for a license under the AMLO, you must either:
  (a) Restructure your operations to avoid triggering a license obligation under the AMLO, as much as possible, or
  (b) Cease your business in Hong Kong; the deadline for winding down your business is May 31, 2024.

If you operate a VATP outside Hong Kong, you must stop actively promoting your services to the public in Hong Kong.

At Prokopiev Law Group, we have established partnerships with leading legal firms worldwide to ensure a seamless and integrated service for your business, no matter where you operate. Our global reach allows us to navigate international regulations and complexities efficiently, ensuring your company's compliance with local and international laws. Link to the SFC website.

The information provided is not legal, tax, investment, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your own legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. Some parts of the text may be automatically generated. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information.
- Dual Licensing Regime: A New Era for Virtual Asset Trading Platforms in Hong Kong
Hong Kong's digital landscape is undergoing a transformation. To bolster the growth of Web3 and virtual asset sectors, the government has initiated several proactive measures. One of these strides is the introduction of a new regulatory licensing regime to govern virtual asset trading platforms.

Initial Regulatory Framework for Virtual Asset Exchanges
Under the Securities and Futures Ordinance (Cap. 571) (SFO), the Securities and Futures Commission of Hong Kong (SFC) implemented an opt-in licensing regime. This allowed virtual asset exchanges to apply for SFC licenses to trade in both securities-type and non-securities-type virtual assets, effectively bringing them under SFC's supervisory umbrella.

The Turn of Tides: Amendments to the AMLO
In December 2022, a significant change came about with amendments to the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615), otherwise known as the AMLO. These changes heralded a new licensing regime (AMLO Licensing Regime) for centralized virtual asset service providers (VASPs), bringing them under the SFC's purview. This move introduced statutory anti-money laundering and counter-financing of terrorism (AML/CFT) obligations, as well as new penalties for noncompliance.

Unveiling the Dual Licensing Regime
June 1, 2023, marked a watershed moment in Hong Kong's virtual asset trading industry with the initiation of the Dual Licensing Regime for virtual asset trading platforms (VATPs), following SFC's Consultation Conclusions in May 2023.

The Role of the Securities and Futures Commission (SFC)
The SFC has been empowered to regulate VATPs for their dealings with security and non-security tokens under the SFO and the AMLO. The SFC's authority to supervise security tokens and any other virtual asset products classified as "security" under the SFO regime continues, but it has gained additional supervisory powers over non-security tokens under the new AMLO regime.

Defining the Regulatory Groundwork: Key Laws and Guidelines
VATPs, now deemed Platform Operators, must adhere to the laws and regulations specified in the SFO and AMLO, along with the Guidelines for Virtual Asset Trading Platform Operators (VATP Guidelines) released in May 2023. These guidelines define critical requirements that Platform Operators must comply with, ranging from establishment requirements (like fitness, competency, and financial soundness) to ongoing obligations (like client onboarding procedures, asset custody, due diligence, cybersecurity, and operational control).

Tackling Money Laundering and Terrorism Financing: Supplementary Guidelines
To further reinforce the AML/CFT obligations, the SFC has provided supplementary guidelines, including the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism, and the Prevention of Money Laundering and Terrorist Financing Guideline. These guidelines are tailored to the unique nature of virtual assets, underscoring the importance of AML/CFT measures in this rapidly growing field.

Identifying Potential Licensees
The AMLO Licensing Regime mandates an SFC license for anyone in Hong Kong who operates or advertises the operation of a virtual asset service. Additionally, any individual or entity, regardless of geographical location, actively marketing any virtual asset service to the Hong Kong public must also obtain this license. For VATP operators providing virtual asset services before June 2023, the SFC has outlined transitional arrangements under the AMLO Licensing Regime, potentially easing their transition into the new regulatory landscape.

Consequences of Noncompliance
The penalties for noncompliance under the AMLO are severe. Failure to meet the licensing requirements can result in a fine of HK$5 million and imprisonment for seven years, with additional fines for continuing offenses. Moreover, the AMLO Licensing Regime introduces two criminal offenses for fraudulent activities involving virtual assets, applicable to any individual, not just VASPs. The penalties range from hefty fines to substantial periods of imprisonment, further underlining the serious consequences of disregarding the new regulatory measures.

At Prokopiev Law Group, we stand ready to guide you through the intricate landscape of the Dual Licensing Regime. Leveraging our broad global network, we ensure your compliance worldwide in this rapidly evolving sector. Don't hesitate to contact us for tailored guidance uniquely suited to navigate your business through the complexities of virtual asset trading. Reach out today, and let us help you unlock new opportunities.

DISCLAIMER: The information provided is not legal, tax, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your own legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. The information provided is for general educational purposes only and is not investment advice. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information. A professional should review any action based on the information discussed. The author is not liable for any loss from acting on the information discussed.
- The Impact of EU's Data Act on Smart Contracts
The dawn of the digital age has prompted a shift towards smooth, automated data-sharing mechanisms, mainly through smart contracts. Smart contracts have emerged as a vital tool in our digitized economies by guaranteeing technical protection and facilitating efficient data exchanges. However, their lack of interoperability has raised concerns among EU policymakers, as it poses barriers to system integration, competitive diversity, and user choice. In response to these concerns, the EU has proposed the Data Act, a piece of legislation intended to define clear rules and standards for using smart contracts in automating data-sharing within its jurisdiction.

Scope and Application
The Data Act presents a definition of smart contracts. They are described as "a computer program used for the automated execution of an agreement or part thereof, using a sequence of electronic data records and ensuring their integrity and the accuracy of their chronological ordering." This definition explicitly targets smart contracts facilitating the execution of contractual arrangements between different entities, excluding those automating internal business processes. The Act stresses technological neutrality, meaning the definition can encompass a broad range of automation techniques, including blockchain or distributed ledger technology.

"Essential Requirements" for Smart Contracts
The Data Act emphasizes smart contracts must possess robust features to avoid functional errors and third-party manipulation. They must also have stringent access control mechanisms at governance and smart contract layers to ensure proper functioning and security. Another crucial requirement is the incorporation of 'safe termination and interruption' functions. These can reset or instruct the contract to cease operation, preventing any unintended executions in the future. The Act also stipulates the need for smart contracts to archive transactional data, along with the logic and code used. Finally, smart contracts must align with the terms of the data-sharing agreement they execute. Non-adherence to these requirements could result in non-compliance with the Data Act, attracting potential regulatory repercussions. Therefore, every smart contract vendor or commercial deployer must self-assess compliance and make an EU declaration of conformity.

Enforcement of the Data Act
The enforcement of the Data Act brings to light the crucial role played by smart contract vendors or persons deploying the contract commercially. They are responsible for self-assessing compliance with the essential requirements and making an EU declaration of conformity. A standardization organization appointed by the European Commission is entrusted with defining the standards for the "essential requirements." They must ensure smart contracts abide by the necessary standards for interoperability, safety, and functionality. Compliance with the Data Act's provisions is a matter of EU-level scrutiny and extends to the national level. The competent authorities within individual Member States are responsible for enforcing the Act's requirements, ensuring that the high standards outlined in the legislation are upheld.

The 'Kill Switch' Controversy
One of the Data Act's more contentious provisions, the requirement for a 'kill switch' function, has been met with resistance from the blockchain and smart contract community. This function would enable the termination or interruption of smart contract operations in cases of fraud, security breaches, or illegal activities. Critics argue that such a function would contradict the fundamental principle of decentralization. Despite these concerns, the Data Act stipulates that if a smart contract is used to automate a data-sharing contract, there are, by definition, two parties involved, and one of them should be capable of operating the 'kill switch.'

Roadmap for the Data Act
The Data Act's text must undergo a series of technical drafting refinements, translations into all EU official languages, and final formal adoption by the European Parliament and Council. To ease the transition, businesses will have a 20-month grace period to ensure compliance with the Data Act, likely beginning from December 2023 when the Act is expected to be finalized.

* * *

Navigating the new complexities of the EU's Data Act can seem daunting, especially with its implications for smart contracts. At Prokopiev Law Group, we speak the language of startups and are here to guide you through these changes. If you're a startup using smart contracts for data-sharing or are looking to ensure existing contracts comply with the new regulations, reach out to us. With our expertise, we can turn these regulatory challenges into opportunities. Write to us today, and let's navigate this journey together.

DISCLAIMER: The information provided is not legal, tax, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your own legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. The information provided is for general educational purposes only and is not investment advice. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information. A professional should review any action based on the information discussed. The author is not liable for any loss from acting on the information discussed.
- The EU-US Data Privacy Framework: An Analysis of the New Bridge for Data Transfers Post Schrems II
Announced on July 16, 2020, by the Court of Justice for the European Union (CJEU), Schrems II invalidated the previous EU-US Privacy Shield framework, a mechanism to safeguard personal data transfers between the EU and the US. The court deemed that the framework didn't sufficiently mitigate the risk of extensive US surveillance practices nor provide EU citizens with adequate legal remedies. In the aftermath of the Schrems II ruling, uncertainty loomed over the EU-US data transfers. European organizations grappled with a considerable challenge - how to lawfully exchange personal data with US-based companies without falling foul of GDPR's strict regulations. The gap left by the defunct EU-US Privacy Shield needed a replacement to restore confidence and security in cross-Atlantic data transactions. EU-US Data Privacy Framework (DPF) On the third anniversary of Schrems II, the EU Commission approved the adequacy decision for the EU-US Data Privacy Framework (DPF). This new scheme aims to provide a mechanism for transferring personal data from the European Union to US-based companies. It constitutes a separate justification tool under Chapter V of the GDPR, alongside other established measures such as Standard Contractual Clauses and Binding Corporate Rules. The DPF was built to satisfy GDPR's stringent data protection requirements. It permits data transfers from the EU (or by entities subject to GDPR) to US companies that have agreed to participate in the DPF program. These companies must meet minimum data protection standards, reaffirming GDPR's principle that personal data should only be transferred to a country outside the EU with adequate safeguards in place. Compliance Monitoring The responsibility for monitoring adherence to the DPF program rests with the US Department of Commerce and the US Federal Trade Commission. 
These bodies ensure US-based entities abide by the specified minimum data protection standards, demonstrating a commitment to securing data transfers. Rights of Redress for EU Citizens The United States has agreed to limit the access of administrative authorities to personal data subject to GDPR. In the event of privacy rights violations, EU citizens now have the right to seek redress through an independent court. This newly introduced mechanism reflects the commitment to safeguard EU citizens' data and aligns with the core principles of GDPR. The Journey from EU/US Privacy Shield to DPF Invalidation of Previous Frameworks The legal journey from the Privacy Shield to the Data Privacy Framework (DPF) was not without turmoil. The fall of the Privacy Shield marked the second time the CJEU struck down an international data transfer scheme. Its predecessor, the Safe Harbor framework, was invalidated on similar grounds in 2015. These invalidations spotlighted the recurring privacy tension between Europe and the US, setting the stage for the advent of the DPF. Difficulties Faced by EU Companies The Safe Harbor and the Privacy Shield invalidations created a quandary for EU firms. The legal uncertainty posed a significant risk to their business continuity, mainly those heavily reliant on transatlantic data flows. Companies found themselves in a precarious balancing act, managing the legal requirements of GDPR while maintaining productive ties with their US counterparts. Intended Benefits of the DPF The introduction of the DPF offers a ray of hope for these companies. It is not merely a rebranded data transfer tool but a more comprehensive and robust framework. The DPF is envisioned to bolster the certainty of lawful data transfer, reduce the risk of non-compliance penalties, and bridge the transatlantic privacy divide by instilling greater trust in cross-border data exchanges. 
Requirements of the GDPR for Data Exporters

"Adequate" Level of Data Protection

The GDPR emphasizes the need for an "adequate" level of data protection when personal data is exported outside the EU. The recipient country must provide data protection that is essentially equivalent to that guaranteed in the EU.

Role of an Adequacy Decision by the EU Commission

The Commission's adequacy decision plays a crucial role in this context. It is a formal finding that a third country's data protection regime, or a specific framework within it, meets the GDPR's standard. The adequacy decision for the DPF signals the EU's acceptance of the new framework as a lawful basis for transfers.

The Challenge with US Privacy Laws

The challenge for the EU lies in reconciling GDPR requirements with US law, which has traditionally allowed broader governmental access to personal data. The DPF attempts to meet this challenge head-on by restricting government access and providing EU individuals with avenues for redress if their privacy rights are violated.

EDPB's Suggested Improvements

The European Data Protection Board, while generally supportive of the adequacy decision, recommended specific improvements to align the DPF with the GDPR further. These included enhancing oversight of data access by US public authorities, improving clarity on legal remedies for EU citizens, and periodically revisiting the decision to ensure ongoing compliance.

Obligations for US Entities under the DPF

Under the DPF, US entities must adhere to core privacy principles, including data minimization, purpose limitation, and robust data subject rights. These principles mirror the GDPR's approach, fostering an environment that respects and prioritizes data privacy. Participation is voluntary and, as under the Privacy Shield, works through self-certification to the US Department of Commerce. The difference from a purely self-regulatory model is what happens afterwards: once an organization has self-certified, its commitments become legally binding, the Department of Commerce reviews applications and monitors listed organizations, and the Federal Trade Commission can take enforcement action against organizations that misrepresent or fail to honor those commitments.

Enhancements for the Protection of EU Citizens' Data

Executive Order 14086 limits the US intelligence community's access to personal data and ensures recourse for EU individuals whose data rights may have been violated. It introduces a two-layer protection mechanism. First, it binds US signals intelligence activities to necessity and proportionality requirements. Second, it creates a two-tier redress mechanism: complaints are reviewed first by the Civil Liberties Protection Officer within the Office of the Director of National Intelligence and then, on appeal, by the Data Protection Review Court. These safeguards underpin the DPF's foundation and objectives.

What Lies Ahead?

The journey towards fully implementing and operationalizing the Data Privacy Framework (DPF) has key milestones. To understand the scope of this undertaking, consider the timeline:

Late 2023: A tentative target for the DPF to become fully operational on the US side, with the certification process for US entities and the associated oversight arrangements in place. This date is not set in stone and may move.

July 2024: The adequacy decision provides for the European Commission to carry out a first review within a year of its entry into force. This review aims to verify the effective functioning of the DPF, examining its operation in practice and identifying areas that require fine-tuning or restructuring. It reflects the EU's commitment to ensuring ongoing protection for its citizens' data.

Despite the adoption of the DPF, some uncertainties remain. Businesses are waiting for further guidance on the certification process, and until that process is finalized a level of ambiguity persists.
Given the legal complexities, the DPF will likely face challenges, possibly including a further CJEU review. The DPF must withstand these legal tests, as it forms the cornerstone of transatlantic data exchanges. Its future will be closely watched, and its success or failure will shape the landscape of international data transfer regulation.

DISCLAIMER: The information provided is not legal, tax, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. Some parts of the text may be AI-generated. The information provided is for general educational purposes only and is not investment advice. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information. A professional should review any action based on the information discussed. The author is not liable for any loss from acting on the information discussed.
- Intersection of MiCA and PSD2 in Cryptocurrency Transactions
The European landscape for digital assets is being reshaped by the Markets in Crypto-Assets Regulation (MiCA). Its rules for asset-referenced and e-money tokens apply from 30 June 2024, and the remainder of the regulation, including the regime for crypto-asset service providers, from 30 December 2024. Since a significant share of cryptocurrency service providers will fall within its scope, MiCA is becoming increasingly pertinent to these entities. Cryptocurrency services resemble traditional financial services, such as payment services, so the question arises how MiCA's stipulations align with the existing regulatory framework under the Payment Services Directive 2 (PSD2).

MiCA, PSD2, and Crypto Transactions: A Comparison

Imagine a consumer (let's call him Alex) wishing to purchase an electronic voucher (e-voucher) from a vendor (let's call her Becky) using fiat currency (say, euros). Alex initiates the transaction on Becky's website. A third-party service provider (referred to as "TP") steps in to manage the transaction: TP collects the payment from Alex and transfers it to Becky's account. Once the payment is completed, the e-voucher is sent electronically to Alex. This is a typical transaction governed by PSD2, under which the third-party entity (TP) must be authorized as a payment institution, unless one of PSD2's exemptions applies.

To appreciate the impact of MiCA on this picture, let's re-envision the example with a twist: crypto tokens and distributed ledger technology (DLT) are now involved.

Payment in Crypto

Let's return to our characters: Alex (the consumer), Becky (the vendor), and TP (the third-party facilitator). Alex again wants to acquire an e-voucher from Becky, but this time Becky's e-voucher is offered through a blockchain network, and Alex can purchase it using crypto tokens. The new transaction structure looks like this:

Alex initiates the purchase, intending to pay with crypto tokens held in a digital wallet.

TP steps in, employing smart contracts to facilitate the transaction. TP manages Alex's crypto tokens and transfers the correct amount to Becky's digital wallet.

Once the payment is completed, the e-voucher is delivered to Alex over the blockchain, directed by TP's smart contracts.

In this case, TP's services, managing Alex's crypto-assets and transferring them to Becky, fall under the "crypto-asset services" defined by MiCA. Consequently, TP needs MiCA authorization to operate legally.

Bridging the Crypto-Fiat Gap

Consider another permutation: Alex (the consumer) wants to pay with crypto tokens, but Becky (the vendor) only accepts fiat currency (euros). How does TP navigate this dichotomy?

Alex chooses the e-voucher and intends to pay with his crypto tokens.

As before, TP manages the transaction, but now with an added responsibility: converting Alex's crypto tokens into Becky's preferred fiat currency.

TP exchanges the crypto tokens for fiat currency and transfers the equivalent fiat amount into Becky's account.

On successful payment, the e-voucher is dispatched to Alex.

TP's role has expanded. It not only manages the crypto-assets but also handles the crypto-to-fiat exchange. Under MiCA, both functions constitute crypto-asset services, so to legally facilitate such transactions TP again needs MiCA authorization.

Dual Licensing for Crypto and Fiat Transactions

As we unravel the complexities of the digital asset landscape, a crucial point of intersection between MiCA and PSD2 emerges. It concerns crypto-related payment services, an area where the scopes of both regimes converge.

What does this entail for TP? Acquiring MiCA authorization might seem like a comprehensive solution for legally facilitating all crypto transactions. However, MiCA makes an explicit reference to PSD2 when payment services come into play in connection with crypto-asset services. To provide such services, TP must either be authorized as a payment institution under PSD2 or collaborate with an external institution that already is.

This raises an important question: what exactly falls under the umbrella of crypto-related payment services? Managing crypto-assets, providing exchange services, and operating a trading platform are all crypto-asset services under MiCA. But does any payment service linked to providing these services also qualify as a crypto-related payment service? The boundaries are not yet crystal clear.

To complicate matters further, consider a scenario where TP facilitates payment services for transactions involving both crypto and fiat currencies. TP then essentially provides the same type of service with different currencies, and this may lead to a crucial legal requirement: dual licensing. To legally facilitate these transactions, TP would need not one but two authorizations, MiCA for the crypto leg and PSD2 for the fiat leg.

Interestingly, PSD2 contains an exemption for certain payment service providers: if the payment instrument is usable only within a limited network of providers or for a limited range of goods or services, the provider does not need PSD2 authorization. MiCA, however, does not appear to adopt these PSD2 exemptions. MiCA's language suggests it only considers "authorized" providers, with "authorized" presumably meaning those who hold a PSD2 authorization. The term does not seem to cover providers that are exempt under PSD2 but still able to offer payment services. In a twist, this could mean that a payment service provider which does not need PSD2 authorization for conventional payment services could need both PSD2 and MiCA authorization when handling crypto tokens.

* * *

Don't let regulatory complexities hinder your growth. Reach out to us at Prokopiev Law Group today and pave the way for a seamless future in digital finance. Your success is our mission.
- Legal Implications of Facial Recognition Technologies in Europe
Europe, in its continuous journey of technological regulation, recently witnessed a groundbreaking event with the proposal of the first European legislation on artificial intelligence, the AI Act. This milestone sets the stage for the region as a dynamic hub for debate on the application and regulation of AI, with biometric technologies at the forefront.

Biometric technologies, a term that covers an array of automated processes employed for individual identification, have seen an unprecedented rise. These processes leverage distinctive physical, physiological, or behavioural attributes of individuals, forging a new era in technology and surveillance. Among them, facial recognition technology has emerged as an essential tool in the wider landscape of artificial intelligence.

The Mechanics of Facial Recognition

Facial recognition technology operates on a two-step principle. First, an image of an individual's face is captured and unique facial features are extracted from it to create a digital representation, referred to as a biometric template, which is stored in a database for subsequent comparisons. Second, the technology compares a newly captured face against stored templates looking for a match. The result is not a certainty but a similarity score expressing how likely it is that the analyzed face corresponds to a stored template; a decision is reached only by applying a threshold to that score. It's not a game of absolutes but rather a play on the probabilities.

Varied Applications of Facial Recognition

The applications of facial recognition technology are diverse, primarily falling into two broad categories:

• Authentication of an individual: a one-to-one verification of a claimed identity. The real-time image of an individual is compared to one previously stored template to ascertain a match. Think of it as a password, but instead of alphanumeric characters, it's the individual's face. A commonplace example is the facial recognition feature on smartphones that permits users to unlock their devices.

• Identification of an individual: a one-to-many search. The technology sifts through many templates to find a specific individual within a group or geographic location, without any identity being claimed up front.

Potential Risks Associated with Artificial Intelligence

To address the varying potential risks, the AI Act proposes a tiered system, with obligations tailored to different levels of risk:

• Unacceptable Risk: the highest category, in which certain AI practices are prohibited because of their potentially grave implications for individual rights and freedoms. Real-time remote biometric identification in publicly accessible spaces for law-enforcement purposes, which includes facial recognition, falls here, subject to narrowly defined exceptions.

• High-Risk: AI systems posing a significant threat to health, safety, or fundamental rights. These are not banned, but stringent requirements are imposed before they may be deployed.

Privacy and Security Concerns in AI

Deploying facial recognition technology necessarily involves processing personal data, making privacy and security paramount concerns. Because the technology deals in biometric data used for unique identification, the EU's General Data Protection Regulation (GDPR) classifies "biometric data for the purpose of uniquely identifying a natural person" as a special category of data, mandating enhanced protection due to its sensitive nature. Adopting facial recognition technology is therefore not merely a technical decision but a choice intertwined with data protection considerations.
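The two modes of operation described above, one-to-one verification and one-to-many identification over stored templates, come down to a similarity score and a threshold. The following is an added illustration in Python, not code from the original article or from any vendor's product: templates and probes are constructed four-element vectors standing in for the much larger feature vectors a real face model produces, cosine similarity is assumed as the comparison measure, and the thresholds are hypothetical operating points chosen for the demonstration. The `error_rates` helper shows why the threshold, not the model, decides how often a stranger is matched to an enrolled person or an enrolled person is missed.

```python
"""One-to-one verification versus one-to-many identification over stored
biometric templates, with a similarity threshold standing in for the
"degree of certainty" the article describes.

Added illustration, not code from the original article or any vendor.
Assumptions: a template is a feature vector (here, constructed 4-D lists
in place of the hundreds of dimensions a real face model emits), the
comparison is cosine similarity, and the threshold is a hypothetical
operating point chosen for the demo.
"""
import math

# Constructed enrolment gallery: subject id -> stored biometric template.
GALLERY = {
    "alice": [0.91, 0.12, -0.35, 0.08],
    "bob":   [-0.20, 0.85, 0.40, -0.10],
    "carol": [0.30, -0.60, 0.70, 0.25],
}

# Constructed probes: fresh captures of enrolled people and of a stranger.
PROBE_ALICE = [0.88, 0.15, -0.30, 0.10]
PROBE_BOB = [-0.25, 0.80, 0.45, -0.05]
PROBE_STRANGER = [0.50, 0.50, 0.50, 0.50]   # not enrolled anywhere
TRIALS = [(PROBE_ALICE, "alice"), (PROBE_BOB, "bob"), (PROBE_STRANGER, None)]


def cosine_similarity(a, b):
    """Similarity in [-1, 1]; 1.0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(x * x for x in b))
    return dot / norm


def verify(probe, claimed_id, gallery, threshold):
    """1:1 authentication (the smartphone-unlock case).

    Compares the probe only against the template of the claimed identity and
    returns (accepted, score). An unknown claimed_id is rejected outright.
    """
    template = gallery.get(claimed_id)
    if template is None:
        return False, 0.0
    score = cosine_similarity(probe, template)
    return score >= threshold, score


def identify(probe, gallery, threshold):
    """1:N identification (the 'who is this?' case).

    Scores the probe against every stored template and returns
    (best_id, best_score), or (None, best_score) when even the best
    candidate falls below the threshold. The threshold is what turns a
    probabilistic score into a yes/no decision.
    """
    best_id, best_score = None, -1.0
    for subject_id, template in gallery.items():
        score = cosine_similarity(probe, template)
        if score > best_score:
            best_id, best_score = subject_id, score
    if best_score < threshold:
        return None, best_score
    return best_id, best_score


def error_rates(trials, gallery, threshold):
    """Count decision errors for 1:N identification at a given threshold.

    trials is a list of (probe, true_id); true_id is None for someone who is
    not enrolled. Lowering the threshold trades false rejects for false
    accepts, which is the operational risk a deployment has to justify.
    """
    counts = {"false_accept": 0, "false_reject": 0, "misidentified": 0}
    for probe, true_id in trials:
        match, _ = identify(probe, gallery, threshold)
        if true_id is None and match is not None:
            counts["false_accept"] += 1          # stranger matched someone
        elif true_id is not None and match is None:
            counts["false_reject"] += 1          # enrolled person not found
        elif true_id is not None and match != true_id:
            counts["misidentified"] += 1         # enrolled, but wrong person
    return counts


if __name__ == "__main__":
    print("verify alice as alice:", verify(PROBE_ALICE, "alice", GALLERY, 0.8))
    print("verify alice as bob:  ", verify(PROBE_ALICE, "bob", GALLERY, 0.8))
    print("identify stranger @0.8:", identify(PROBE_STRANGER, GALLERY, 0.8))
    print("identify stranger @0.4:", identify(PROBE_STRANGER, GALLERY, 0.4))
    for t in (0.4, 0.8, 0.997):
        print(f"threshold {t}:", error_rates(TRIALS, GALLERY, t))
```

Running the script shows the same stranger being rejected at a threshold of 0.8 and matched to "bob" at 0.4, while a very strict threshold starts rejecting genuinely enrolled people. In a real deployment the vectors come from a trained model and the thresholds are set from measured false-accept and false-reject rates on representative data; the decision logic, and the fact that it is a probabilistic score rather than an absolute answer, is what the article's "play on the probabilities" refers to.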
Compliance with the GDPR and the LED

Ensuring the lawfulness of facial recognition systems requires aligning their use with the GDPR and the Law Enforcement Directive (LED). The cornerstones of lawful processing under both instruments are necessity, proportionality, and a valid legal basis. For private companies, obtaining the data subject's explicit consent might seem the most straightforward path to lawful processing. The situation is more nuanced when facial recognition is used by public authorities, whose justification rests on the "prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security."

But lawful processing does not imply an unchecked carte blanche. Authorities must inform data subjects; failing to do so would not only breach data protection rules but could create a sense of omnipresent surveillance, thereby infringing other fundamental rights, such as the right to freedom of expression and association.

The Right to Human Oversight

Article 22 of the GDPR and Article 11 of the LED establish the right of individuals not to be subject to decisions based solely on automated processing, including profiling. No decision that produces legal effects for an individual or similarly significantly affects them should be made purely by an algorithm without human intervention. In the context of facial recognition, this human oversight is particularly vital. Given the sensitive nature of the data processed and the potential for profiling, human intervention can safeguard against discrimination or unjust outcomes. It also offers individuals a way to understand and challenge decisions made by automated processes.

More details about the AI Act can be found here.
- The Dawn of Fintech in Bermuda: An Evolutionary Leap in the Financial Landscape
Pioneering the fintech landscape, Bermuda is now celebrated as one of the leaders in the global market and stands as a beacon of innovation for businesses. In partnership with the Bermuda Monetary Authority (BMA), Bermuda's financial services regulator, the government has constructed a legal and regulatory framework that aims at business transparency, investor protection, and customer security. Bermuda prides itself on one of the largest (re)insurance markets worldwide, renowned for crafting risk solutions and alternative-risk structures. The BMA developed a dynamic, risk-based regulatory regime that caters to the needs of digital asset businesses while remaining open to the quick adoption of distributed ledger and other technologies.

The evolution of Bermuda's legislation is marked by several key laws:

The Digital Asset Business Act 2018 (DABA) sets the blueprint for licensing and supervising digital asset businesses in Bermuda. It is accompanied by codes of practice, principles, client disclosure rules, cybersecurity rules, accounting requirements, and sector-specific guidelines to prevent money laundering and terrorist financing, all tailored to the digital asset business sector.

The Digital Asset Issuance Act 2020 regulates digital asset issuances, the digital-asset counterpart of an initial public offering of shares.

The Banks and Deposit Companies Act 1999 was amended to create a unique banking licence category that fosters the establishment of banking institutions serving the fintech sector.

The Insurance Act 1978 was amended to create a regulatory sandbox licence class, issued by the BMA to innovative insurers, insurance managers, and intermediaries. It also enables an innovative insurance company category that companies can register as, or transition into from the sandbox.

The DABA has been enhanced several times since its enactment to keep pace with the rapid advancements intrinsic to the fintech sector. One of the primary advancements is the regulation of the digital asset derivatives market, covering options, futures, contracts for difference, and swaps with digital assets as the underlying. The licensing regime has also been expanded to include digital asset derivative exchanges, digital asset benchmark administrators, and trustee companies that oversee and administer digital assets.

Fintech businesses, investors, and financiers will find a rich ecosystem in Bermuda, which boasts an advanced legal system, an abundance of intellectual capital, regulatory sandboxes, an innovation hub, and a sizable customer base.

Digital Asset Issuance Act (DAI Act)

Introduced in 2020, the DAI Act is a foundation of Bermuda's digital asset regulation. It sets out a statutory framework for authorizing digital asset issuances and elaborates the requirements that digital asset issuers must meet. The DAI Act governs anyone planning a public offer of digital assets from or within Bermuda. The broad definition of "digital assets" under the DAI Act and the DABA encompasses digital coins, cryptocurrencies, and security, utility, and equity token offerings.

How to Launch a Digital Asset Offer in Bermuda

Issuers planning a public offer of digital assets must conform to certain provisions of the DAI Act. The key requirements are:

Establishing a company, limited liability company, or partnership.

Procuring the Minister of Finance's approval, since a public offer is a "restricted business activity."

Upon fulfilling these requirements, the issuer applies for BMA authorization. The application must include a detailed business plan, the issuance documents, and other relevant documents, along with the application fee.

Offer Document

The offer document, usually an extended version of the white paper, forms the core of a public offer of digital assets. It provides a comprehensive view of the offering, covering the promoter's details, financial projections, project description, potential risks, custodial arrangements, and privacy measures, among other matters. Certain offers are exempt from the requirement to file and publish an offer document. These include offers made to fewer than 150 persons, offers to "qualified acquirers," and offers to persons who acquire, dispose of, or hold digital assets as part of their usual business activities. "Qualified acquirers" are individuals or entities with substantial personal income, net worth, or total assets as specified under the DAI Act.

The Digital Asset Business Act (DABA)

Bermuda's digital asset business landscape is governed by the DABA, which defines and regulates a wide spectrum of digital asset business activities. Whether a business issues, sells, or redeems digital assets, provides custodial wallet services, or operates a digital asset exchange, it must be licensed by the BMA.

Navigating the DABA Licensing Labyrinth

The BMA provides three classes of licence under the DABA: Class F (full), Class M (modified), and Class T (test). Applications for each class require a business plan, information about beneficial owners, directors, and officers, proposed staffing, financial projections, and evidence of controls and risk management. Class T licences are typically for start-ups wanting to beta-test a minimum viable product. The Class M licence acts as a regulatory sandbox, allowing businesses to establish proof of concept before transitioning to a full Class F licence. Each licence has different requirements, catering to different stages of a business's development. The BMA applies minimum licensing criteria across all classes, with possible waivers or modifications for Class T or Class M licences.
These criteria include "fit and proper" controllers, conducting business prudently, maintaining sufficient insurance and risk mitigation measures, keeping adequate accounting records, and implementing effective corporate governance.

Cybersecurity

The DABA requires licensed entities to establish an extensive cybersecurity program and policy, proportionate to the business's size and complexity and periodically audited by an external party. More generally, both the DAI Act and the DABA contain detailed cybersecurity requirements, and the BMA has issued Cybersecurity Rules requiring licensed undertakings to maintain a comprehensive cybersecurity program and to conduct an annual external audit of it.

Compensation Models

DABA-licensed firms can set their own customer charges based on their individual business models. However, they must comply with the Client Disclosure Rules 2018, which require them to communicate all material risks associated with their services and products to their customers, as well as any additional information the BMA considers necessary for customer protection. Key details such as the licence class, voting rights, insurance coverage, and a detailed schedule of fees and charges must be disclosed when a customer enters into an agreement with a DABA-licensed entity.

Regulatory Sandboxes

The DABA provides for regulatory sandboxes through the Class T and Class M licences, fostering innovation and new product testing in the digital asset realm. Similarly, the BMA has established two innovation tracks for insurance:

An insurance regulatory sandbox for firms seeking licensure as insurers or insurance intermediaries. It provides a controlled environment in which firms can test new technologies and offer innovative products and services to a limited number of policyholders for a set duration. Upon successful completion of sandbox testing, companies may transition to an existing class of licence.

The Innovation Hub, which promotes interaction between innovators and the BMA and offers guidance on regulatory standards for innovative insurance solutions. It also serves as a platform for idea exchange and is used by companies at an early stage, before applying for entry into the insurance regulatory sandbox.

Regulator's Jurisdiction

The BMA is the sole financial services regulator in Bermuda. However, if digital asset issuers provide services or products using blockchain technology in other countries, regulators in those countries may also have jurisdiction, depending on the extent to which such products or services are regulated there.

Outsourcing Regulated Functions

Under the DABA, certain regulated functions such as asset management, custodial services, cybersecurity, compliance, and internal audit can be outsourced. No specific jurisdictions are preferred for outsourcing, but companies should ideally outsource to an entity regulated in a jurisdiction whose standards are equivalent to Bermuda's.

Accreditation of Exchanges and Gatekeeper Liability

The DAI Act allows an exchange licensed under the DABA to apply to become an "accredited digital asset exchange." Accredited exchanges can authorize digital asset issuances without the issuer having to file the issuance documents with the BMA.

Enforcement Actions and Penalties

Under the enforcement powers granted by the DABA, the BMA can impose civil penalties of up to USD 10 million and issue prohibition orders, public censures, and injunctions. It can also compel the production of information and restrict or revoke licences if a licensed entity fails to comply with the DABA and its rules and regulations.

Privacy Regulations and Compliance

Under Bermuda's Personal Information Protection Act 2016 (PIPA), digital asset businesses must have detailed measures and policies to protect personal information. Fintech businesses should also have a designated privacy officer and an accessible consent mechanism. An organization that transfers personal information to an overseas third party remains responsible for PIPA compliance.

The Auditing Landscape

Auditing firms have a pivotal role to play. They are acutely aware of the need for audited financial statements under the DABA, particularly for Class M and Class F licence holders. Some Bermuda-licensed digital asset companies engage overseas audit firms for their external audits, a practice accepted by the BMA.

Banking Institutions and Fintech

Through the Banks and Deposit Companies Amendment Act 2018, Bermuda's government removed a roadblock for banks and lending institutions serving the fintech sector. The change was prompted by the initial reluctance of incumbent banks to provide banking services to the sector. Attitudes have since changed, and local banks now service fintech businesses, as do some US banks known for their fintech focus.

The Intersection of Unregulated and Regulated Offerings

The broad ambit of the DAI Act and the DABA means that most companies looking to conduct public digital asset offerings or blockchain-based business activities will fall within their purview. Those operating solely for their own business or a subsidiary, or falling within specific exemptions, will not be subject to the DAI Act or the DABA.

Anti-Money Laundering and Anti-Terrorist Financing (AML/ATF) Requirements

Companies operating under the DAI Act must also adhere to the AML/ATF regulations. This includes participant identification, record-keeping, and establishing an internal audit function for compliance purposes. Companies licensed under the DABA are treated as "regulated financial institutions" for AML/ATF purposes and must comply with all applicable Bermuda legislation, alongside other regulated financial institutions.
Unregulated businesses outside the DABA's scope are not subject to the AML/ATF requirements that apply to regulated financial institutions.

Crypto-lending

Bermuda's government introduced the restricted banking licence to allow applicants from outside the jurisdiction to provide banking services to digital asset businesses in Bermuda without needing a retail presence. Amid regulatory uncertainty elsewhere, digital asset brokers and platforms offering crypto-lending or yield-generating products are looking to capitalize on the legal certainty offered under the DABA.

Payment Processors

Payment processors in Bermuda have no legal obligation to use existing payment rails. However, if they deal with digital assets, they may require a DABA licence. A payment processor that provides money services to the general public in Bermuda (other than an entity licensed under the Banks Act) must obtain a BMA licence under the Money Service Business Act 2016, unless exempted. There are no additional regulations for cross-border payments and remittances beyond the DABA and the Money Service Business Act 2016.

Fund Administrators

Fund administrators' services in Bermuda range from maintaining accounts, processing transactions, calculating net asset values, and distributing dividends to complying with AML/ATF requirements. While the terms of the agreement between a fund and its administrator largely stem from contractual negotiation, the BMA has issued a Code of Conduct to guide fund administrators on acceptable business standards. The Code aims to foster the growth of the fintech ecosystem while ensuring that ethical guidelines and sound principles are maintained.

Trading Platforms: The New-Age Marketplaces

Bermuda's fintech landscape comprises various trading platforms, including digital asset exchanges and digital asset derivative exchanges, regulated under the DABA. Whether these platforms function as centralized or decentralized marketplaces, they require a DABA licence to operate. The role of a "digital asset benchmark administrator" also requires a DABA licence. These administrators manage a digital asset benchmark, meaning any published rate, index, or figure, determined by the value of underlying assets, that is used to calculate the amount payable under a digital asset.

In securities trading, the Bermuda Stock Exchange (BSX) holds a significant place, offering listing services for both debt and equity securities. The BSX has also begun listing digital asset exchange-traded funds (ETFs), indicating a promising future for other fintech entities.

Cryptocurrency Exchanges

The advent of cryptocurrency exchanges spurred the government to implement the licensing regime under the DABA. Cryptocurrency exchanges, classified as "digital asset exchanges," must obtain a Bermuda licence. The BMA has not set specific listing standards for digital asset and derivative exchanges, allowing them to set their own based on industry norms, subject to BMA approval. Issuers of securities listed on the BSX, however, must comply with the applicable BSX Listing Regulations.

High-Frequency and Algorithmic Trading

High-frequency and algorithmic trading falls within the purview of the DABA licensing regime or the Investment Business Act 2003 (IBA), as applicable. "Market makers," meaning entities trading in digital assets as part of their business, are also regulated under the DABA. An entity trading exclusively in a principal capacity might not meet the definition of a market maker, so its arrangements require careful examination. The regulatory framework does not distinguish between funds and dealers engaged in these activities: investment funds generally do not fall under the DABA but are regulated under the Investment Funds Act 2006, whereas a dealer may require licences under both the DABA and the IBA.

Programmers and Programming

Despite being the architects of trading algorithms and electronic trading tools, programmers and developers are not currently subject to regulation unless they offer these services directly to the public as part of a business.

Financial Research Platforms

Financial research platforms enjoy a certain degree of freedom in Bermuda, with no specific registration requirement. This freedom is accompanied by a duty of care: the BMA vigilantly scrutinizes any activity that could amount to market manipulation.

Blockchain

Bermuda's blockchain regulation is integrated into the broader fintech regulatory landscape discussed in the earlier sections. Particular attention must be paid to:

Blockchain asset classification, where the approach is rooted in the broader regulatory landscape.

Blockchain asset issuers, which fall under the DAI Act and the DAI Rules.

Blockchain asset trading platforms, which require a DABA licence if they meet the definition of a digital asset exchange or digital asset derivative exchange.

DABA-licensed businesses are allowed to use third-party software and trading platforms, subject to compliance with the BMA's outsourcing rules.

Emerging Tech Phenomena

The regulatory landscape is flexible enough to accommodate emerging phenomena in the digital asset sphere, including:

Non-fungible tokens (NFTs): As they fall under the wide definition of "digital assets" in the DABA, regulation depends on the type of public service provided. If the activity aligns with one of the categories defined under the DABA, such as issuing, selling, or redeeming digital assets, it is regulated accordingly.

Decentralized finance (DeFi) platforms: Depending on the type of public service provided, they may be classified and regulated under the DABA as a digital asset exchange, a derivative exchange provider, or a digital asset services vendor.

Virtual currencies: Like NFTs and DeFi platforms, virtual currencies are included in the definition of "digital assets" under the DAI Act and the DABA and are regulated accordingly.

Open Banking

Bermuda's approach to open banking is liberal, with no specific restrictions in place. However, open banking activities carried out in or from within Bermuda are subject to the licensing requirements of the Banks Act.

In summary, Bermuda's regulatory landscape is an intricate network designed to cater to the various fintech subsectors while maintaining market integrity and promoting innovation. This blend of freedom and responsibility enables Bermuda to stay at the forefront of the ever-evolving fintech industry.

Navigating Bermuda's dynamic fintech regulatory landscape can be complex, but you don't have to do it alone. At Prokopiev Law Group, we're ready to provide expert guidance tailored to your unique needs. Our global partnerships expand our capabilities, enabling us to offer specific services for web3 projects across various jurisdictions. Reach out to us today, and let's ensure your journey in the fintech world is smooth, compliant, and successful. Together, we can turn regulatory challenges into opportunities for innovation and growth. Connect with Prokopiev Law Group, where global expertise meets local insight.
The information provided is for general educational purposes only and is not investment advice. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information. A professional should review any action based on the information discussed. The author is not liable for any loss from acting on the information discussed.
- Criminal Liability in Swiss Data Protection Compliance
The revised Swiss Data Protection Act (DPA), slated to come into effect on September 1, 2023, has sparked a flurry of queries and concerns. Notably, this legislative overhaul, while generally less stringent and formalistic than its European counterpart, the General Data Protection Regulation (GDPR), has introduced a significant shift. The DPA has adopted a stricter stance by stipulating personal criminal liability, whereas the GDPR primarily imposes administrative fines. This has thrust the roles of Data Protection Compliance Officer (DPCO) and Data Activity Owner (DAO) into sharper focus. A comprehensive understanding of their functions, coupled with an awareness of how criminal liability manifests in data protection compliance, becomes paramount.

Decision-Making Power - How Less Can Be More

In the nuanced world of data protection, sometimes exercising restraint is the greatest display of power. Particularly when it comes to the role of the Data Protection Compliance Officer (DPCO), decision-making power can be a double-edged sword.

Role of DPCO

In many organizations, the DPCO plays a pivotal role in guiding the company's data protection strategy. However, the key to navigating this role effectively lies in the strategic delegation of decision-making powers. When the DPCO is engaged in certain compliance-related activities, such as drafting a privacy notice or responding to a data subject access request, some degree of decision-making is inevitable. Yet this power should be used judiciously, focusing primarily on an advisory capacity rather than conclusive decision-making. Challenging decisions, such as engaging a service provider in a country lacking adequate data protection standards or addressing a complex data subject access request, should be left to the Data Activity Owner (DAO) or management. The DPCO should primarily function as an advisor, clearly expressing their professional opinion but leaving the ultimate decision to others.

Avoidance of Decision-Making Authority Over Data Processing

A critical aspect of mitigating the risk of criminal liability for the DPCO lies in abstaining from decision-making authority over data processing activities. While the DPCO often has a legal obligation to report non-compliance to management or the board, they should neither accept nor be given the right to issue binding instructions concerning the processing activities in question or to intervene in non-compliant conduct. This approach is crucial to avoid the DPCO becoming liable if they fail to halt non-compliant conduct when confronted with it. While the DPCO can issue warnings and advice on legal requirements, the ultimate decision should be made by those with the decision-making power.

Practical Perspective

Practicing the principle of non-decision-making power involves a clear and concise delineation of roles and responsibilities. This can be achieved through the internal data protection policy and the job description of the DPCO. It is common, however, for organizations to overlook this aspect during policy drafting, or for DPCOs to seek authority over data processing or to give binding instructions. But a DPCO should not have such authority, nor should they try to assume it by de facto decision-making. Their primary role should be to report findings to the DAO and management, which aligns with their function as a second line of defense. Adopting this approach not only ensures clear role definition but also shields the DPCO from potential criminal liability.

Adopting Robust Reporting Mechanisms - An Antidote to Complacency

In our evolving data-rich business landscape, an organization's ability to maintain a robust reporting mechanism is pivotal. Management, especially, needs to adopt an active supervisory role rather than a passive bystander's stance regarding data protection compliance.

The Imperative of Supervisory Oversight by Management

Management holds the reins to guide the organization's compliance journey. Often, the difference between strict adherence to data protection regulations and lax compliance lies in management's hands. The cornerstone of their approach should be thorough supervision, a facet that transcends simply issuing instructions to subordinates to ensure compliance.

Common Pitfalls in Delegating Responsibility for Data Protection Compliance

One of the primary misconceptions in the delegation of responsibility for data protection compliance involves the role of the Data Protection Officer (DPO). While it's essential to have a DPO to oversee data protection compliance, management often mistakenly assigns ultimate responsibility for compliance to this role. In reality, the DPO is responsible for the execution, not the outcome or strategic direction. Clear demarcation of responsibility, or accountability in terms of a RACI matrix, is vital for smooth operations.

Institutionalizing Accountability in Data Processing Activities

Accountability for data processing activities often resides with the Data Activity Owner (DAO). The internal data protection policy of an organization should define who is accountable for ensuring compliance with data processing principles and other legal requirements. This accountability should ideally lie with an individual for each distinct data processing activity.

Busting the Myth of "Fire and Forget": A Proactive Approach to Data Protection

Management often approaches data protection compliance as a one-off task, adopting a "fire and forget" mentality. This strategy can lead to a lack of oversight, making it harder to identify and correct non-compliance issues. Management should, therefore, implement ongoing oversight and feedback mechanisms to track how their instructions are being followed.

Choosing the Right Personnel, Providing Clear Instructions, and Monitoring Compliance Diligently

Management's responsibilities in ensuring data protection compliance can be distilled into three key roles: selection, instruction, and supervision. Not only should they choose competent individuals to ensure compliance, but they should also provide clear instructions and the necessary resources. Most importantly, management must diligently monitor compliance; any failure in these responsibilities can result in legal consequences.

Reporting on Data Protection Compliance

Periodic reporting on data protection compliance is crucial for management to stay informed about the organization's compliance status. Regular reports provide a mechanism for management to respond promptly to non-compliance and ensure measures are taken to rectify the situation. By instituting this practice, management can maintain a broad understanding of the organization's data protection landscape, allowing for proactive intervention when necessary.

Ensuring No Non-Compliance Goes Unnoticed

Gray Areas of Responsibility for Non-Compliance

When it comes to data protection, the lines of responsibility can often blur, creating gray areas that could potentially lead to non-compliance. The pivotal roles in the organization, such as the Data Protection Compliance Officer (DPCO) and the Data Activity Owner (DAO), should be clear on their respective responsibilities. An organization must ensure that these roles are well-defined, distinct, and designed to ensure compliance with data protection norms. The DPCO should have a broad understanding of the company's data processing activities, while the DAO should take full responsibility for ensuring that each data processing operation complies with the regulatory framework. When these roles are clearly defined and managed, the chances of non-compliance slipping through the cracks are significantly minimized.
- The Evolution of Jersey's Regulatory Framework for Virtual Asset Service Providers (VASPs)
Jersey has recalibrated its approach to supervising Virtual Asset Service Providers (VASPs) by incorporating them into its stringent anti-money laundering, countering the financing of terrorism, and countering proliferation financing (AML/CFT/CPF) rules. This move is designed to establish regulatory harmony with the Financial Action Task Force Standards, enhancing Jersey's reputation for robust financial oversight.

VASPs, for those new to the term, encompass a range of individuals and entities that conduct various operations involving virtual assets on behalf of their clients. This includes, but is not limited to:
- Exchanges between virtual assets and fiat currency.
- Transfers of virtual assets between accounts or addresses.
- Safekeeping or administration of virtual assets.
- Provision of financial services related to an issuer's offer and/or sale of a virtual asset.

The Proceeds of Crime legislation in Jersey was amended earlier this year to accommodate these changes. The introduction of these modifications led to a six-month transitional period designed to allow existing VASPs to adapt to the new regulatory environment. The transitional period culminates on June 30, 2023. During this transitional period, certain actions are required, such as:
- Registering with the Jersey Financial Services Commission (JFSC) for AML/CFT/CPF supervisory purposes.
- Filing applications by Virtual Currency Exchange Businesses in response to the revocation of the 'turnover' exemption.
- Updating notifications for regulated entities engaging in VASP activities.

Furthermore, any new VASP-related businesses that have commenced operations after January 30, 2023, must ensure registration with the JFSC prior to launching any business activities in Jersey. To ensure the highest standards of compliance, the focus is on authorizing vehicles aimed at professional, sophisticated, or institutional investors. Through this, the transition reflects Jersey's commitment to creating a more regulated virtual assets market, aligning with global practices.
- GDPR Compliance for AI-Driven Companies: Key Considerations for Data Processing
Artificial Intelligence (AI) has become a cornerstone for businesses worldwide, transforming traditional processes and paving the way for a new era of insights and efficiency. However, it's not all about optimization and profit - companies utilizing AI must also navigate the labyrinth of legal obligations when their operations involve the processing of personal data. One primary legal framework that comes into play is the General Data Protection Regulation (GDPR), which sets forth stringent guidelines for data protection and privacy for all individuals within the European Union.

Roles Defined: Controllers and Processors

Before diving into the specifics of GDPR compliance, it is crucial to discern the roles an AI-using company might occupy: the Controller and the Processor. These roles are determined by the level of discretion the company exercises in determining how the AI functions, the kind of personal data used, how the AI processes this data, and the terms under which the AI retains or shares this information.
- The Controller: A company is deemed a "Controller" when it dictates how and why personal data is processed. In other words, it has a high degree of discretion and authority in shaping the AI's operations, deciding what personal information is used for training the AI and establishing guidelines on data processing and retention.
- The Processor: Conversely, a "Processor" carries out data processing on behalf of the Controller. Its activities are oriented toward executing tasks dictated by the Controller and could include, for instance, a third party hosting the personal data used to train an AI model.

The delineation between these two roles plays a vital part in determining the legal obligations your company has under GDPR.

GDPR Requirements for Controllers

With great power comes great responsibility; a statement that resonates profoundly when analyzing the various provisions of GDPR for entities acting in the capacity of a Controller.

Identifying Lawful Basis of Processing (Article 6)

The first stepping stone to GDPR compliance lies in identifying a lawful basis for data processing. The GDPR provides six options, and the company must decisively choose one that aligns with its objectives and operations. An intriguing perspective arises when we consider the usage of publicly sourced data for AI training, such as data scraped from the internet. The most likely lawful bases are (1) the consent of the individuals, or (2) the legitimate interest of the controller. It is, therefore, imperative for companies to tread carefully while selecting their lawful basis, as it can have a significant impact on their compliance journey.

Upholding Data Minimization Principles (Article 5(1)(c), (e))

Data minimization encapsulates the concept that companies should use only the bare minimum of personal data necessary for their purposes. Controllers must limit the scope of personal data utilized and the duration for which it is kept in identifiable form. To apply this in an AI context, a company should scrutinize the type and quantity of data fed to the AI for training and regulate the length of time the AI retains this data.

Access Rights (Article 15)

The key to GDPR's data subject rights lies in empowering individuals with control over their personal data. Access rights provide one such channel of empowerment. Controllers must be ready to comply with requests from individuals who wish to access personal data about them that was used in AI training. It is at this intersection of technology and law that Controllers must demonstrate the ability to respond accurately to these requests, contributing to an environment of trust and transparency.

Obligation to Provide Privacy Notice (Articles 12 - 14)

GDPR underscores the need for transparency via the obligatory Privacy Notice. Companies donning the hat of Controllers must provide detailed information on their data processing activities to data subjects. Here's where it gets captivating: AI-driven companies aren't exempted from this, and indeed, it's suggested that such firms must craft a comprehensive privacy notice elucidating how data is processed in AI training. This notice should also explain the underlying logic and give an overview of the rights of the individuals involved.

Enabling Correction Rights (Article 16)

Controllers should provide mechanisms for individuals to correct any inaccurate personal information. When the data is used for training an AI model, especially if it's sourced publicly, the legal landscape becomes even more nuanced. Companies may be required to develop an online tool to facilitate data rectification requests. This tool would handle not only the data used in AI training but also any data generated by the AI.

Maintaining Records of Processing Activities (Article 30(1))

The next key requirement for Controllers is record-keeping, which might appear administrative but carries significant legal weight. Article 30(1) mandates Controllers to maintain records of their data processing activities, including information about the type of personal data used to train the AI, the individuals involved, and the specific purpose behind the data utilization. This record must also detail any restrictions on the AI's usage or data retention.

Rights to Withdraw Consent / Object (Articles 7(3), 21)

If a Controller bases the use of personal data on the individual's consent or on its legitimate interest, it must provide a mechanism for the individual to withdraw consent or object to the use of their data. These mechanisms should be clear, accessible, and efficient, ensuring that the rights of individuals are actively exercisable in practice.

Data Protection Impact Assessments (Article 35)

The GDPR requires Controllers to conduct Data Protection Impact Assessments (DPIAs) under the conditions set out in Article 35. Specifically, if new technologies, such as AI, could result in a high risk to individuals' rights and freedoms, a DPIA becomes obligatory. In the AI context, this involves a comprehensive assessment of the potential impact of AI algorithms on data protection.

Cross-border Data Transfers (Articles 44-50)

When personal information finds its way to an AI hosted outside the European Economic Area (EEA), the GDPR's cross-border data transfer rules come into play. Controllers need to protect personal data when it travels across borders, a mandate of particular significance to AI training that uses data from the EEA.

Mandates for Vendor Management (Article 28)

The responsibilities of Controllers under the GDPR also extend to their third-party vendors. For instance, if an AI system is hosted by a third-party provider, Article 28 of the GDPR demands specific contractual provisions to safeguard personal data. Controllers, therefore, need to manage their vendors prudently, ensuring that they are compliant with the GDPR.

Erasure Rights (Article 17)

Known as 'the right to be forgotten,' erasure rights allow individuals to have their personal information erased if its processing is no longer necessary in relation to the purposes for which it was initially collected. In the AI realm, this translates to Controllers contemplating a mechanism to erase personal data from the training set upon receiving a deletion request.

Conclusion: Adhering to GDPR for AI Training Using Personal Data

As we conclude, it's crucial to note that the GDPR presents both a challenge and an opportunity for companies using AI. The nuanced requirements oblige companies not only to understand and implement complex legal provisions but also to balance these with the technical realities of AI training using personal data. From identifying the lawful basis of processing and upholding data minimization to conducting DPIAs and managing vendors, adherence to GDPR's requirements isn't a mere legal mandate - it's a step towards trustworthy AI. The journey may be complex, but it promises a future where AI respects individual privacy, building a stronger, more sustainable bond between AI innovations and their human users.

Navigating the intricate intersection of AI and GDPR compliance can be challenging. If you find yourself in need of guidance, don't hesitate to reach out to us at Prokopiev Law Group. Our team is always here to help, providing clear, actionable advice to help you align your AI strategies with GDPR regulations. Give us a call or drop us an email today - let's create a future where innovation and privacy go hand in hand.
- New Regulatory Landscape: Understanding FCA's Final Rules on Cryptoasset Marketing in the UK
New regulatory pathways are emerging, with the UK's Financial Conduct Authority (FCA) spearheading novel policies that align with this dynamic environment. On June 8, 2023, the FCA released a pioneering policy statement that updates the rules of engagement for financial promotions involving cryptoassets.

Key Stakeholders: Who is Impacted?

The implications of this new policy radiate across all tiers of the financial industry, affecting everyone from mainstream financial service providers to burgeoning cryptoasset businesses. Any entity communicating financial promotions to UK consumers, particularly in the crypto space, must be mindful of these new directives.

Restricted Mass Market Investments: Categorization of Cryptoassets

In a significant stride, the FCA's policy classifies cryptoassets as 'Restricted Mass Market Investments.' The FCA's new policy statement underscores the importance of consumer protection with a set of regulations:
- Risk Warnings: Firms must now provide clear warnings about the risks associated with investing in cryptoassets.
- Cooling-off Period: Also known as "positive frictions," this directive is designed to prevent rash decision-making by potential investors.
- Incentives Ban: The FCA takes a stern stand against investment incentives, aiming to reduce misjudged decisions driven by seemingly attractive benefits.
- Client Categorisation: This requirement helps firms to make more appropriate and risk-adjusted proposals based on the clients' understanding of, and capacity to withstand, crypto investment risks.

Appropriateness Assessments: Evaluating Consumer Readiness for Crypto Investments

The FCA takes a prudent stance towards consumer protection by introducing the necessity for 'appropriateness assessments' and expects firms to cover certain areas during this assessment:
- Understanding the basic features of cryptoassets.
- Acknowledging the absence of certain protections, like the Financial Services Compensation Scheme (FSCS) or the Ombudsman service.
- Comprehending the volatile nature of cryptoasset investments and the potential for total loss.

Legal Ramifications: Consequences of Non-compliance with the New Rules

The FCA's policy statement underscores that the rules are not just guidelines but mandates with severe repercussions for non-compliance. From October 8, 2023, any firm that unlawfully communicates financial promotions to UK consumers is committing a criminal offense. The penalties that come into play are:
- An unlimited fine.
- The possibility of two years' imprisonment.

Notably, cryptoasset businesses registered under the Money Laundering Regulations (MLRs) with the FCA can communicate their financial promotions by relying on the exemption in Article 73ZA of the Financial Promotion Order. This exemption saves them from either having to be authorized under Part 4A FSMA or having their financial promotions approved by a person authorized under Part 4A.

The Guidance Consultation: Ensuring Fair, Clear and Non-misleading Promotions

In addition to the policy statement, the FCA has published a guidance consultation (GC 23/1). The aim is to ensure that financial promotions about cryptoassets are fair, unambiguous, and not designed to mislead.

Factors Influencing Assessment of Promotional Compliance

The consultation document covers several factors for evaluating the fairness and clarity of promotions. It emphasizes that firms must communicate the risks of investing in cryptoassets straightforwardly.

Specific Rules for Complex Cryptoassets

For complex cryptoassets, additional rules have been proposed. These additional regulations strive for greater transparency, attempting to eradicate any promotional ambiguity that could mislead potential investors.

The FCA's Vision: Balancing Consumer Protection and Innovation

The FCA views these rules as a delicate balancing act between protecting consumers and fostering innovation. Despite some stakeholders voicing concerns that these regulations might be either too restrictive or too lenient, the FCA believes the rules strike a fair balance. The aim is to allow for potentially beneficial innovation while ensuring that consumer interests are safeguarded.

Open Consultation: An Invitation to Shape the Cryptoasset Future

The FCA's guidance consultation offers a golden opportunity for stakeholders to have their voices heard. They can share their insights and concerns by August 10, 2023, effectively contributing to the shaping of cryptoasset regulation in the UK.