
COMPLIANCE BOOKLET

2018/2019 Watchlist
TABLE OF CONTENTS

Editorial

Regulation relating to the Insurance industry

AMENDMENT ORDINANCE | Implementation of an Independent Insurance Authority and a new Prudential Framework
GUIDELINE | Duty to Advise on Underwriting Long Term Insurance Business
IFRS 17 | Insurance Contracts
VHIS | Voluntary Health Insurance Scheme

Regulation relating to the banking industry

BASEL III | International Capital and Liquidity Framework
FRTB | Fundamental Review of Trading Book
IRRBB | Interest Rate Risk in the Banking Book
CCAR | Comprehensive Capital Analysis Review
CRD V | Comprehensive Requirements Directive V
Funding Plans | The European Banking Authority Report
Stress Testing | Three Types of Stress Scenarios
ANACREDIT | Analytical Credit Dataset
CECL | Current Expected Credit Losses
MiFID II | Markets in Financial Instruments Directive
BRRD | Banking Recovery and Resolution Directive
SFTR | Securities Financing Transactions Regulation
MAS Notice to Bank 610 | Submission of Statistics and Returns
SEC Swap dealer | Securities and Exchange Commission
CFTC Swap dealer | Commodities Futures Trading Commission
CAT | Consolidated Audit Trail
Stock T2 | Shortening of Stock Settlement Cycle to T+2
Conduct Risk | Regulatory Framework
Manager-In-Charge | Licensing and Designation Requirement for Senior Management
SVF Licensing | Regulation for Stored Value Facilities
Virtual Banking Licensing | Authorization of Virtual Banking in Hong Kong
Open API | Open Application Programming Interfaces
FINRA Rule 4210 | Margin Requirements
Volcker 2.0

Regulation relating to the banking and insurance industries

“Living Wills” | Recovery and Resolution Planning (RRP)
Legal Entity Identifier | Unique Identification of Legal Entities
CRS | Common Reporting Systems
871(m) | Withholding on Dividend Equivalent Payments on US Equity Derivatives
IFRS 9 | International Financial Reporting Standards
IFRS 13 | International Financial Reporting Standards
Financial Crime | Overview of the Asian Framework
FinCEN’s Customer Due Diligence Rule | Collecting, Maintaining and Reporting of Beneficial Ownership Information
NYSDFS Part 504 | Transaction Monitoring and Filtering Programme
GDPR | Protection of Personal Data
Data Privacy | Data Privacy Framework in Asia
Cybersecurity | Frameworks around Cyber Risks

CONFIDENTIAL © Sia Partners

EDITORIAL

IFRS9, Recovery and Resolution Planning, GDPR, Financial Crime, Conduct Risk, Cybersecurity,
Open API, among many more … Regulations of both banking and insurance industries have
significantly evolved over the past ten years. The entire value chain is affected, from product
design to distribution, from corporate management to assessment of own funds, and from
anti-fraud measures to the protection of personal data. Broadly speaking, an overall strengthening
of customer protection can be observed across the globe, impacting the regulations and compliance
needs in the Americas, Europe and Asia. This is coupled with an alignment of the insurance
industry regulations with those of the banking industry.

Following the principle “Law without enforcement is of no value,” there has been a significant
enhancement of regulatory authorities’ control and enforcement powers. In Hong Kong for example,
the Amendment Ordinance covers the implementation of an Independent Insurance Authority to
oversee both conduct regulation and a new prudential framework, which is one of the most
important reforms in the profession since the 80’s. The Hong Kong Monetary Authority (“HKMA”)
fined a foreign bank HK$7,000,000 due to breaches under the Anti-Money Laundering and
Counter-terrorist Financing Ordinance. In 2017, there were 4 data privacy prosecution cases and a
Hong Kong company director was the first offender convicted of an offence under the Personal Data
(Privacy) Ordinance. Between October 2017 and January 2018, the Singapore Personal Data Protection
Commission issued enforcement decisions against no less than 6 organisations. In March 2018,
the Monetary Authority of Singapore fined a foreign bank and its affiliate a total of S$6.4 million
due to the 33 breaches of anti-money laundering requirements, unsatisfactory risk management
and controls in relation to the transfer of customers between the two parties and the failure to
file suspicious transaction reports in a timely manner. Everywhere else in Asia has adopted a
similar approach: a reinforcement of disciplinary committees, an increase of penalties, publication
of sanctions... Stakes are high for non-complying financial institutions as not only their financial
performance may be impacted but their reputation is also at stake given regulators’ ability to name
and shame.

In light of these constraints, financial institutions are investing heavily in transformation projects
to secure compliance. However, the term “constraints” does not begin to describe the deep
restructuring that will inevitably follow. Indeed, regulations represent a transformation lever largely
underestimated by corporate management who often take a “wait and see” approach when dealing
with compliance issues.

We believe that financial institutions have incentives to anticipate operational impacts of
regulations and make - as upstream as possible - decisions that will enable them to be properly
prepared. With this Compliance booklet, our Asia, US and Europe teams have joined forces to provide
you with factsheets describing the substance and impact of the main - from our perspective - current
or pending regulations in both the banking and the insurance industries. We hope you find this useful
and helpful in managing your regulatory expectations and preparedness.

Vincent Kasbi
Head of Asia

Regulation relating to the insurance industry

This first section focuses on regulations that apply solely to the insurance industry:

• Amendment ordinance | Implementation of an Independent Insurance Authority and a new Prudential Framework

• Guideline | Duty to Advise on Underwriting Long Term Insurance Business

• IFRS 17 | Insurance Contracts

• VHIS | Voluntary Health Insurance Scheme

Insurance Companies (Amendment) Ordinance 2015

A major regulatory reform for the insurance industry in Hong Kong

Key Facts

• Title: Insurance Companies (Amendment) Ordinance (Amendment Ordinance)
• Date of Release: 10 July 2015
• Effective date: June 26, 2017
• Scope: Insurance stakeholders
• Targeted products/services: all insurance products
• Regulation topics: All insurance regulation topics

History & Agenda

• JULY 2017: The Amendment Ordinance comes into force
• JULY 2015: The bill is passed by Legco and gazetted as the Amendment Ordinance
• 2011: Insurance Core Principles (ICPs) are issued by the IAIS
• 2000: OCI becomes member of the International Association of Insurance Supervisors (IAIS)
• 1990: The Commissioner of Insurance is appointed and the Office of the Commissioner of Insurance (OCI) is established
• 1983: The Insurance Companies Ordinance is passed

Context

• The IAIS – of which Hong Kong is a member – has established that an insurance supervisory
authority should be independent from the government. However, under Hong Kong’s regulatory regime:
- The Insurance Authority was personified in the Commissioner of Insurance, a civil servant;
- Intermediaries (i.e. agents, brokers) were regulated by the Insurance Agents Registration Board
(administered by the Hong Kong Federation of Insurers), the Hong Kong Confederation of
Insurance Brokers and the Professional Insurance Brokers Associations, which are
Self-Regulatory Organizations and as such, closely related to the industry.

Principles and Objectives


• The Amendment Ordinance covers the establishment of an independent Insurance Authority
(IA) in Hong Kong, which is one of the most important regulatory reforms in the profession since
the Insurance Companies Ordinance. Independence is not the only aim of the reforms. The
Legislative Council Brief dated 16 April 2014, lists two objectives of the IA:

1) PRUDENTIAL REGULATION i.e. to make sure that insurance stakeholders are financially
sound. The Brief notes: “the challenges in the coming years are to implement a Risk-Based
Capital (RBC) framework for insurers and observe the IAIS’s requirements on macro-
prudential surveillance, group-wide supervision and corporate governance of insurers”.

2) CONDUCT REGULATION i.e. to ensure that insurance stakeholders’ business is conducted
honestly, fairly and professionally to the customer. The Brief notes: “there has been rising
public expectation of robust oversight of insurance intermediaries, especially when insurance
products are getting more sophisticated and diversified”. To that effect, GL18 was issued on
June 26th, 2017.

• The Amendment Ordinance amends the Insurance Companies Ordinance and renames it the
Insurance Ordinance (IO) to reflect the fact that its application will significantly widen.

Insurance Authority (IA)

Focus on the IA

PROGRESSIVE TAKEOVER

• The Amendment enforcement is composed of three stages and is taking place over two to three
years to allow for a smooth transition from co-regulation by the OCI and the Self-Regulatory
Organizations to regulation by the IA.

[Figure: progressive implementation from the previous regulatory framework to the future regulatory
framework. Timeline labels: 26th June 2017, Mid-2019, 3 years transition. Under the previous
framework, insurance companies are regulated by the OCI and insurance intermediaries by the
Self-Regulatory Organizations; the IA takes over each in turn.]

STAGE 1: Provisional Insurance Authority (PIA)
- Establish the PIA
- Gather funding
- Hire staff
- Lease offices
- Others

STAGE 2: IA to take over OCI responsibilities
- The PIA was renamed the “independent Insurance Authority”
- It took over the duties of the CI and the OCI incl. the prudential and conduct regulation of
insurers through GL18 and enforcing the anti-money laundering regulatory regime
- The regulation of insurance intermediaries by self-regulatory organizations continues.

STAGE 3: IA to take over SROs responsibilities
- IA to take over SROs functions.
- A statutory licensing regime for insurance intermediaries will replace the SROs.

IA’S NEW AUTHORITY

• The Securities and Futures Commission have empowered the IA to conduct inspections,
initiate investigations and impose disciplinary actions on authorized insurers. A licensee
guilty of misconduct or considered not fit and proper is subject to disciplinary actions.
Moreover, the Insurance Ordinance establishes the Insurance Appeals Tribunal.

• In addition, when the RBC framework comes into force, the IA will have the right to impose a
capital add-on if the standardized approach does not adequately reflect the risk profile of the
insurer or if it feels that the insurer’s ORSA process or underlying ERM framework is weak.

NEW LICENSING AND CORPORATE GOVERNANCE REQUIREMENTS FOR INSURERS

• An authorized insurer is not able to appoint an individual as controller, or a director, or a
person in a “control function” without prior IA approval. The term “control function” is defined
by the Insurance Ordinance and includes the following functions: risk management, financial
control, compliance, internal audit, actuarial and intermediary management.

• IA approval encompasses fit and proper considerations.

LEGAL STRUCTURE, COMPOSITION AND FINANCING

• The IA is no longer part of the government. It is composed of a chairperson, a Chief
Executive Officer and five other directors with knowledge / experience in the industry and in
other areas such as actuarial science, accounting, law and consumer affairs. The IA has
appointed two industry advisory committees: one for long term business and one for
general business.

• The government provided an initial funding of HK$650 million to the IA to facilitate its initial
operations. However, the IA is to be self-financed solely by:
- license fees payable by insurance stakeholders (waived for the first five years);
- user fees for providing specific services by the IA;
- a levy on insurance premiums, introduced over a three-year period

                  Phase 1          Phase 2          Phase 3          Phase 4
Period            1 Jan 2018 to    1 Apr 2019 to    1 Apr 2020 to    1 Apr 2021
                  31 Mar 2019      31 Mar 2020      31 Mar 2021      onwards
Levy rate         0.04%            0.06%            0.085%           0.1%
Levy cap (Life)   $40              $60              $85              $100
Levy cap (GI)     $2,000           $3,000           $4,250           $5,000


Risk-Based Capital (RBC) framework

Focus on the RBC

• Since the 1980s, Hong Kong has followed a rule-based capital adequacy regime for insurers,
which sets a predefined formula to determine the solvency margin requirement. The formula is
based on the Solvency I framework. The factors are stipulated by the regulator and do not reflect
the underlying risks of the insurance business.

• The introduction of the new RBC framework will lead to a major change in the approach to
the supervision of insurance business in Hong Kong. The changes encompass not only a new
framework for assessing capital adequacy but also consider broader supervision of the conduct
of insurance companies and increased regulatory and public disclosure of capital information.

• Similar to Solvency II, the proposed RBC framework for Hong Kong consists of the following
three pillars:

Pillar 1 – Quantitative requirements
Consistent valuation of assets and liabilities, capital requirements, available capital and
the quality of capital resources.

Pillar 2 – Qualitative requirements and regulatory supervision
Corporate governance, Enterprise Risk Management, Own Risk and Solvency
Assessment (ORSA) and supervisory adjustments.

Pillar 3 – Reporting requirements
Statutory reporting to the Insurance Authority and public disclosure. Only scarce
guidance is available at this stage

• In addition to the proposed changes to supervision on a solo-entity basis, the Insurance
Authority is proposing the introduction of group-wide supervision which would see all three
Pillars of the proposed RBC framework applied at group levels.

History & Agenda

• 2020 at the earliest: The effective date of the new RBC regime and phased-in implementation
• 2018 - 2020: Possible earlier implementation of the ORSA requirement and other enhancements
to corporate governance and enterprise risk management
• 2018 - 2020: Legislative changes taking two to three years after development of detailed rules
• 2016 - 2018: Development of detailed rules, consultation and Quantitative Impact Study (QIS)
• September 2015: Publication of the first Consultation Paper (CP) focused on RBC broader
objectives, overarching principles and high-level framework
• 2013: OCI began discussion and consultation with the industry on the introduction of a
Risk-Based Capital (RBC), to align with international standards such as Solvency II
• 1980s: Rule-based capital

PILLAR 1 – QUANTITATIVE REQUIREMENTS (ASSESSMENT OF CAPITAL ADEQUACY)

FIRST REQUIREMENT - BALANCE SHEET VALUATION

• A total balance sheet approach has been proposed for assessing capital adequacy on the
basis of a consistent valuation of its assets and liabilities.

• The value of insurance liabilities to be included in the balance sheet or the technical
provisions will be made up of:
- a Current Estimate (CE) to be calculated using best estimate assumptions; and
- a Margin on Current Estimate (MOCE) to reflect uncertainty in the CE calculation.

• Assets and Liabilities will be assessed under an economic valuation using either:
- a market-consistent valuation approach for all classes of business; or
- a combination of both market-consistent and amortized cost approaches depending on the
class of business being valued.

[Figure: balance sheet. Assets side: Economic Value of Assets. Liabilities side: Available Capital
Resources and Economic Value of Liabilities (MOCE and CE).]

SECOND REQUIREMENT - REQUIRED CAPITAL

• The CP proposes that the RBC framework includes two explicit solvency control levels on the
Own Funds to trigger appropriate intervention by the IA in case of breach:

• The PCR (Prescribed Capital Requirement) is a risk-based capital requirement assessed using a
Value at Risk measure at a confidence level of 99.5% over a one-year horizon.

• The MCR (Minimum Capital Requirement) is a lower capital requirement whose calculation
methodology will be defined after the QIS exercise.

[Figure: Available Capital Resources shown against the MCR and the PCR, with the Capital Surplus
above the PCR.]


Prescribed Capital Requirement

Four high-level risk categories have been identified in the consultation paper for inclusion in
the standardized approach to calculation of the PCR as follows.

[Figure: the four risk categories (UNDERWRITING RISK, MARKET RISK, CREDIT RISK, OPERATIONAL RISK),
with the labels SHORT TERM, LONG TERM, Stress-test approach and Risk-factor based approach.]

• Liquidity risk and other non-quantifiable risks (legal, strategic, reputational and emerging
risks) will be addressed through qualitative risk management processes rather than quantitative
capital requirements. Their qualitative materiality assessment will be reported in the ORSA report
along with corresponding risk management processes in place.

• The Insurance Authority will examine whether diversification benefits will be allowed through
aggregation within the standard model during a later phase of the RBC framework development
process after finalization of the industry QIS.

Available Capital Resources

• Capital resources available and an assessment of their quality are also considered under Pillar I.

• The Insurance Authority proposed to broaden the scope of instruments considered as capital
resources. A tier-based approach is likely to be used to qualify resources quality. Such rules
including capital fungibility - which is key to group supervision - will also be investigated
during a later phase of the RBC framework development process after finalization of the
industry QIS.

• In calculating the PCR and the MCR, the Insurance Authority proposed that a standardized
approach will be used initially. However, the IA leaves open the possibility for insurance
stakeholders to use internal models or partial internal models later in the future, without
communicating on a timeline yet.

STANDARDIZED APPROACH

- Content: Set of calculations prescribed by the regulator for generating the PCR
- Objective: Using the QIS, the standardized approach is intended to be easily used by a wide
range of undertakings
- Approval Process: Light approval process

INTERNAL MODEL (FULL OR PARTIAL)

- Content: An undertaking can implement any modeling technique as long as it is compliant with
both quantitative and qualitative requirements
- Objective: An internal model is intended to fully or partially replace the standardized
approach to better depict the undertaking’s risk profile
- Approval Process: Explicit approval has to be granted by the supervisor on a case-by-case basis
through an application process involving the production of an application pack

Benefits (shown graphically for both approaches): Risk Appropriation; Capital Saving by capturing
diversification; Competitive Advantage

Increasing chances of capital add-on as less reflective of the true risks underwritten


PILLAR 2 - QUALITATIVE REQUIREMENTS (GOVERNANCE AND RISK MANAGEMENT STANDARDS)

PRINCIPLE OF PROPORTIONALITY

The Hong Kong Insurance Authority proposes a principle of proportionality for Pillar 2
requirements, consistent with developments in foreign frameworks.

CORPORATE GOVERNANCE AND ERM

KNOWN REQUIREMENTS

• The consultation paper fosters the development of enhanced corporate governance and
Enterprise Risk Management practices to supplement the Pillar 1 quantitative requirements,
including the following three key proposals.
- ERM: An effective ERM framework to identify, measure, monitor, manage and report the risks
to which the undertaking is exposed.
- Risk Appetite: A risk appetite / tolerance statement and risk limits to support management of
risk exposures.
- ALM: A formal ALM policy.

FORESEEN REQUIREMENTS

• Given the Insurance Authority provides only limited indications at this stage, additional
guidance will be needed at least on the following expected topics:
- Data Quality framework
- Specific key functions and committees
- Involvement of the Board of Directors
- Mandatory risk policies
- Integrating enterprise risk management and internal model in business decisions (“the use-test”)
- Internal Models approval process (documentation, stress and scenario testing, independent
reviews, etc.)

THE ORSA PROCESS & REPORT

• The Own Risk and Solvency Assessment (ORSA) process will be overseen by the Board and
Senior Management. It should:

PROCESS
• Cover all material risks that might impact an insurer’s ability to meet its obligations to
policyholders.
• Demonstrate the ability to manage risks and capital under adverse scenarios.
• Provide consideration of the effectiveness of controls and risk mitigation techniques.

REPORT
• The rationale, calculations and action plans associated with the performance of the ORSA will
be documented in an ORSA report and submitted to the Insurance Authority annually.

• The ORSA is a process that will require participation of both the management and operational
teams. As such, we recommend anticipating its implementation as soon as possible. Roles
and responsibilities in the project must then be identified in advance for all contributors to be
involved from the early stages.

• To that end, Sia Partners provides below a point of view on expected roles and responsibilities
of the different stakeholders within the ORSA process. Please note that these are our own
considerations and do not derive from official guidance from the Insurance Authority.

CONTRIBUTIONS AND MAIN RESPONSIBILITIES

Top Management (Executive committee, Boards of directors, etc.)
• Define the risk appetite of the company
• Review the risk management governance
• Acknowledge the results of the stress tests
• Validate the ORSA process policy and the ORSA report

Risk Management Department
• Translate the risk appetite of the company into practical tolerated limits
• Develop/update appropriate reporting
• Define a risk management policy in accordance with the company risk appetite
• Ensure the consistency of the risk management system (identification, measure and reporting)
• Define stress scenarios
• Manage the ORSA report production

Technical Departments / Actuarial / Finance
• Work with the different contributors to develop the reporting necessary to the ORSA
• Implement new tools allowing risks measurement
• Elaborate financial projections allowing the understanding of risks evolutions over the
strategic planning period
• Implement stress scenarios

Strategy Department
• Provide inputs relating to the strategic plan of the company (investment, new products, etc.)
• Provide information related to the capital structure (dividends, capital fungibility)

Audit Department
• Ensure that a consistent control framework has been implemented
• Provide guarantees on the quality and reliability of the process and in the ORSA report


ANTICIPATED SUPERVISORS’ EXPECTATIONS TOWARDS STAKEHOLDERS’ RBC APPROPRIATION

[Figure: expectations by stakeholder level (CEO / Board of Directors, CFO / CRO, Operational teams)
across the three pillars. Pillar 1: Available Capital Resources, Prescribed Capital Requirement,
Reconciliation with the accountants. Pillar 2: Governance / RM System / Policies, ORSA, Use of
internal model in business decision making. Pillar 3: Disclosures (Group, Entity, Public,
Supervisor).]

ANTICIPATED COMPARATIVE WORKLOAD FOR RBC FRAMEWORK IMPLEMENTATION PER WORK STREAM

[Figure: workload per work stream for the standardized approach and the internal model (full or
partial), with a marker for items to be processed at every renewal. Pillar 1: Production, Modeling
Ownership, Reporting, Technical / Documentation, Data Quality. Pillar 2: Governance / RM System /
Policies, ORSA. Pillar 3: Quantitative Reporting, Narrative Reporting. Transversal: Approval
Process.]

GL 16 on Underwriting Long Term Insurance Business

Duty to advise

Key Facts

• Title: Guideline on Underwriting Long Term Insurance Business (other than class C business) –
former Guidance Note (GN) under the OCI
• Date of Release: 30 July 2015
• Effective date: Applies to all new products since 1 April 2016 and current products since
1 January 2017
• Scope: Insurance stakeholders
• Targeted products/services: all long term insurance other than investment-linked insurance
(Class C): Whole Life, Universal Life, Endowment, Term, Annuity
• Regulation topics: Consumer protection regarding Duty to Advise (promote transparency and fair
customer treatment)
• Related Regulations:
a) GL16 was issued by the Office of the Commissioner of Insurance in Hong Kong (“OCI”), now
replaced by the Insurance Authority (IA). HKMA also issued two circulars after consulting OCI to
align common objectives regarding customer protection, with consistent requirements:
- Selling of Life Insurance Products dated after 4 August 2015
- Selling of Non-Linked Long Term Insurance Products dated after 8 December 2014
b) In May 2016 the OCI started working with the Hong Kong Federation of Insurers to refine its
‘Duty to Advise’ framework with a fact statement specific to people from mainland China
purchasing insurance policies in Hong Kong.
c) GN15, Guidance Note on Underwriting Class C Business.

History & Agenda

• 1 January 2017: GL16 applies to current products
• 1 April 2016: GL16 applies to all new products
• 4 August 2015: HKMA Circular “Selling of Life Insurance Products” is released
• 30 July 2015: GL16 is released
• 8 December 2014: HKMA Circular “Selling of Non-Linked Long Term Insurance Products” is released

Principles and Objectives

• Together, OCI and HKMA seek to fundamentally change the way insurers sell long term
insurance products. The focus will be on treating customers fairly, and setting and managing
reasonable expectations, particularly for non-guaranteed benefits.
• GL16 forces insurers to look at the remuneration structure and to thoroughly inform
customers of the details of their investment strategies so they better understand the
uncertain nature of non-guaranteed benefits. GL16 requires policies to be written in plain
language. This encourages consistent behaviors with the ongoing efforts of HKMA and the
Securities and Futures Commission in driving use of plain language in product documents and
sales materials. This new regulation dramatically changes the way that insurance companies
will communicate with their policyholders.
• While GL16 has been fully in force since 1st January 2017, the local market is still performing
a wide range of remediation activities to ensure compliance.

Major requirements and operational impacts 1/4

Management Supervision
DESCRIPTION
• Management teams are obligated to oversee the implementation of measures in compliance with
GL16 and are ultimately responsible for ensuring fair treatment of customers.
OPERATIONAL IMPACTS
• Ensure that GL16 requirements are taken into account and applied to the appropriate
policies and governance structure

Appropriate Remuneration Structure
DESCRIPTION
• Remuneration structure should be appropriate and should not create misaligned incentives for
intermediaries to engage in mis-selling, aggressive selling, money laundering, and/or
fraudulent activities.
• It is strictly prohibited to provide commission in advance or on an indemnity basis. Commission
must be on an as earned basis.
OPERATIONAL IMPACTS
• Revamp the Remuneration Policy.

Product Design
DESCRIPTION
• Insurers should develop market products with due regard to interest of customers and carry out
a diligent review to ensure the product meets the “fair treatment to customer” principle. This
should include taking a holistic view of all relevant factors such as product features, insurance
elements, added value/ services, fees/ charges, and others.
OPERATIONAL IMPACTS
• Fees and charges should be fair, proportionate to the benefit, and reflect services/added
value. Product pricing needs to be done in a manner representing fair value to the customers.

Amendment Ordinance Guideline

GL 16 on Underwriting Long Term Insurance Business


Duty to advise

Major requirements and operational impacts 2/4

D. Provision of Adequate and Clear Information

Description:
• Insurers should provide customers with clear information before, during and after the point of sale.
• Product information should be bilingual, clear and succinct, use plain language and be easily understood by average customers.
• Key product risks should be included in the product brochure and marketing materials; for example: key exclusions, premium adjustment, premium term, termination conditions.
• Insurers need to ensure adequacy of the proposal vis-à-vis the policy provisions and should use warning statements and other tools (e.g., FAQs) where appropriate.

Operational impacts (non-exhaustive examples):
- Customer illustrations need to have risk disclosures and show the variability of returns for products’ non-guaranteed elements
- Product brochures need to encompass additional product risk disclosures
- Public websites need to show historical dividend / crediting rate declaration performance
- Application forms need to be enhanced regarding policy loans, policy assignment, etc.

E. Suitability Assessment

Description:
• Insurers should seek appropriate information from their customers to appropriately assess their insurance needs, knowledge and experience, priorities and circumstances, and whether they can afford the product. This information may vary, but should at least include information on the customer’s:
  1) knowledge and experience;
  2) needs, priorities and circumstances; and
  3) ability to afford the product.
• Insurers must verify all available information and assess whether a product is suitable for customer’s needs.

Operational impacts:
- Customers’ needs should be properly assessed through the use of Financial Needs Analysis (“FNA”) form where appropriate.
- Insurance policies should not be marketed to customers before their needs are properly analyzed.


Major requirements and operational impacts 3/4

F. Advice to Customers

Description:
• Insurers need to ensure employees and agents are adequately trained to act with due skill, care and diligence.
• When the customer is considering an insurance policy, he/she should be properly informed of all the product features, including the fees and charges, surrender penalties and product risks, key exclusions and 21-day cooling-off period.

Operational impacts:
- Reduce the risk of mis-selling by strengthening training to intermediaries.

Post-sale Control

Description:
• To protect vulnerable customers (over 65, low education level or with no regular income source), insurers must audio-record post sale confirmation calls, which must be conducted within 5 working days of the policy issue date.

Operational impacts:
- For vulnerable customers, insurers should have the appropriate independent quality assurance team to make post-sale calls, use best endeavors to contact customers, and send confirmation letters together with email/SMS alert in the event of unsuccessful calls.

H. Ongoing Monitoring

Description:
• Insurers and intermediaries must manage any potential conflicts appropriately; for example, through disclosure and informed consent.
• Insurers must service a policy appropriately until all obligations have been met and disclose any contractual changes as well as further relevant information to policyholders.

Operational impacts:
- Insurers need to monitor the product after launch, with appropriate reporting to relevant governance bodies.
- On-going communications with policyholders should be maintained on an annual basis, at minimum.


Major requirements and operational impacts 4/4

SELLING PROCESS OF NON-LINKED INSURANCE PRODUCTS

[Flowchart. Requirement labels shown on the diagram: A, B, C, F, E, D, G. Steps as they appear:]
• Complete Financial Needs Analysis (FNA) Form
• Explore insurance options: whole life, universal life, endowment, term, annuity (ILAS: follow requirements of GN15)
• Product brochures and benefits illustration (where applicable) to customer
• Recommend suitable insurance product(s) to customer
• Assist customer in policy application
• Remind customer the importance of the post-sale call (if applicable) and the cooling-off period
• Insurer to check suitability of customer in FNA
• Post-sale call (if applicable) to confirm customer’s understanding of fees and charges, payment term, non-guaranteed benefits, and cooling-off period, etc.
• Ongoing monitoring


IFRS 17
Insurance Contracts

Key Facts

• Title: IFRS 17 Insurance Contracts (previously referred to as IFRS 4 Phase II)
• Date of Release: May 2017 - Publication of IFRS Foundation and the IASB.
• Effective date: 1 January 2021
• Scope: Comprehensive and international standard establishing the accounting for insurance and reinsurance contracts that an undertaking holds.
• Targeted products/services: All insurance and reinsurance companies.
• Regulation topics: Accounting
• Related Regulations: IFRS Insurance Contracts

History & Agenda

• 1 January 2021: IFRS 17 effective date (opening balance sheet required as at 1 January 2020).
• May 2017: The IASB issued the final version of IFRS 17, published by IFRS Foundation.
• 2004: The IASB issued IFRS 4 Insurance Contracts.

Principles and Objectives


The International Accounting Standards Board (IASB) issued IFRS 17 Insurance Contracts in
May 2017. IFRS 17 sets out the requirements that a company should apply in reporting
information about insurance contracts it issues and reinsurance contracts it holds. IFRS 17 is
effective from 1 January 2021. IFRS 17 replaces an interim Standard—IFRS 4 Insurance
Contracts.

IFRS 17 is the first comprehensive and truly international IFRS Standard establishing the
accounting for insurance contracts.

IFRS 4

• When applying IFRS 4, companies are not required to account for insurance contracts in one specific way. Instead, insurance contracts are accounted for differently across jurisdictions and may even be accounted for differently within the same company.
• Investors and analysts find it difficult to:
  - identify which groups of insurance contracts are profit making or loss making; and
  - analyze trend information about insurance contracts.

IFRS 17

• Provides updated information about the obligations, risks and performance of insurance contracts;
• Increases transparency in financial information reported by insurance companies, which will give investors and analysts more confidence in understanding the insurance industry; and
• Introduces consistent accounting for all insurance contracts based on a current measurement model.


Definitions
• The Standard uses three measurement approaches:

The General Model (GM)
• Default valuation approach for non-participating contracts
• Insurance contract valued using fulfilment cash flows: the present value of probability weighted expected future cash flows plus a risk adjustment
• Plus a contractual service margin (CSM), which represents the profit the insurer recognizes based on the transfer of services to policyholders over time

Premium Allocation Approach (PAA)
• Optional simplified approach for contracts with a duration of one year or less, or where it is a reasonable approximation of the General Model
• Insurance contract valued as a liability for remaining coverage and an incurred claims liability
• Similar approach to existing non-life insurance contract measurement for liability for remaining coverage
• Incurred claims liability discounted plus a risk adjustment

Variable Fee Approach (VFA)
• Applies to contracts with direct participation features, as defined by three criteria, based on policyholders sharing in the profit from a clearly identified pool of underlying items
• Insurance contract liability based on the obligation for the entity to pay the policyholder an amount equal to the value of the underlying items, net of a consideration charged for the contract (a “variable fee”)

• The general model requires entities to measure an insurance contract at initial recognition at
the total of the fulfilment cash flows (comprising the estimated future cash flows, an
adjustment to reflect the time value of money and an explicit risk adjustment for non-financial
risk) and the contractual service margin. The fulfilment cash flows are remeasured on a current
basis each reporting period. The unearned profit (contractual service margin) is recognised
over the coverage period.

• Aside from this general model, the standard provides, as a simplification, the premium
allocation approach. This simplified approach is applicable for certain types of contract,
including those with a coverage period of one year or less.

• For insurance contracts with direct participation features, the variable fee approach applies.
The variable fee approach is a variation on the general model. When applying the variable fee
approach, the entity’s share of the fair value changes of the underlying items is included in
the contractual service margin. As a consequence, the fair value changes are not recognised in
profit or loss in the period in which they occur but over the remaining life of the contract.

Main tasks & analysis to undertake 1/2

• IFRS 17 introduces a fundamental change to existing insurance accounting practices for some companies and many concepts may be new to others.
• To reflect different risks in the measurement of various types of insurance contracts, some requirements are arguably complex. Companies will incur significant operational costs applying IFRS 17 requirements, including for:
  - the fundamental data management strategy, including data quality, storage and archiving;
  - the end-to-end systems architecture design;
  - the different actuarial, risk and accounting processes that will support the future reporting process and how they will interact.

TECHNICAL IMPACT

• Description: Analyzing the standard
  Objective: Build an interpretation of the standard and a comparison with other standards such as Solvency II or AFRIS17 (Australian substandard). Study contract classification under IFRS17.

• Description: Studying financial statements of the group and the Entities
  Objective: Build the IFRS17 balance sheets and provide a comparison analysis and a reconciliation statement.

• Description: Calculating and simulating
  Objective: Implement the calculations into a valuation tool, provided that contract classification has been done.

• Description: Taking into account the KPIs currently used for financial communication and assessing the impact of the standard
  Objective: Identify the actions required to manage the transition towards IFRS17.


Main tasks & analysis to undertake 2/2

OPERATIONAL AND IT IMPACTS

Description:
• Workshops with IT teams to analyze existing architectures (from actuarial tools to consolidation tools) and processes
• Identify the necessary implementation of systematic controls on data flows and data quality
• Audit actuarial and accounting tools to identify the impacts

Objective:
Evaluate the impact on the functional architecture of information systems and on operational processes in scope of accounting, financial and prudential reporting.
Draw the evolution of:
• The IT structure;
• Actuarial tools and their respective usage;
• Data flows and data quality (accounting and actuarial);
• Closing processes;
• Processes of production of consolidated figures.

CHANGE MANAGEMENT AND TRAINING

Description:
• Definition of Roles & Responsibilities
• Coordination of the different working groups
• High level IFRS17 training for managers
• Detailed IFRS17 training for identified stakeholders

Objective:
The first phase should be dedicated to staff awareness and training. Such training should be concise for managers and more detailed for identified stakeholders. Indeed, the scope of stakeholders to be trained is wide and not every team member will be a core IFRS17 stakeholder.


Our IFRS17 Simulation tool

OBJECTIVE

• Getting familiar with the standard, its options and inputs
• Support you in your study around new performance monitoring tools
• Support you in defining your target solution (processes / tools / …)

FUNCTIONALITIES

• Calculate the CSM
• Produce the P&L, the balance sheet and the accounting figures in IFRS17 format
• Execute scenarios (accounting options, data assumptions, contract segmentation…)
• Upload data and download xls/csv outputs

[Diagram: Initial recognition / subsequent measurement. Input: parameters; your cash flow projections and/or our projections of cash flow based on your data. Computation: EPV cash flow, risk adjustment, CSM / loss component, PAA allocation for revenues. Output: reconciliation of the insurance asset / liability, statement of profit or loss, analysis of the insurance revenue, comparison between 2 sets of options. Features: simultaneous computations on several groups of contracts or generations, simulation of accounting options, what-if analysis, user friendly.]


Voluntary Health Insurance Scheme


Minimum requirements for individual indemnity hospital insurance

Key Facts

• Title: Voluntary Health Insurance Scheme (VHIS)
• Date of Release: 30 July 2015
• Effective date: To be confirmed, as the Food and Health Bureau (FHB) aims at finalizing the VHIS guidelines and details of the tax deduction arrangement in 2018, in collaboration with the Insurance Authority (IA)
• Scope: Insurance stakeholders
• Targeted products/services: Individual indemnity hospital insurance
• Regulation topics: Accessibility, quality and transparency of hospital insurance

History & Agenda

• 2018: Finalization of the guidelines and details of the tax deduction arrangement
• 9 January 2017: Consultation report is released
• 2018-2015: First, second and third rounds of public consultation on healthcare reform

Principles and Objectives


• The VHIS proposes to require all individual indemnity hospital insurance in the market to
comply with a set of Minimum Requirements, which are designed to address the
shortcomings of the existing market as revealed in previous rounds of public consultation on
healthcare reform.

• The VHIS aims at fostering synergies between the public and private sectors and more efficient use of public and private healthcare resources:
  - By improving the accessibility, quality and transparency of hospital insurance, consumers will have more confidence in making use of private healthcare services.
  - As more people will be willing to make use of private healthcare services through the VHIS, resources can be released in the public sector (current capacity as high as 130 per cent according to the Hospital Authority) to enhance service quality and reduce waiting time.
• The government will promote the scheme through tax incentives. Policyholders can claim tax deduction in respect of:
  - premiums paid for Standard Plans and Flexi Plans by policyholders (and their dependents);
  - premiums paid by employees for Voluntary Supplements.

Enforcement through coordination with the Insurance Authority


• VHIS will be implemented via a non-legislative regulatory framework in collaboration with the IA:
  - FHB will be responsible for issuing and updating a set of VHIS practice guidelines in consultation with relevant stakeholders based on the refined Minimum Requirements. FHB will also handle public enquiries on and monitor compliance of the practice guidelines.
  - The IA will issue a Guidance Note based on the principle of fair treatment of clients and other relevant considerations on various aspects of underwriting individual Hospital Insurance business, under which insurers would be recommended to comply with the VHIS practice guidelines.
• When an insurer misleads consumers by marketing a non-VHIS-compliant product as VHIS compliant, the FHB may refer the case to the IA for “misconduct” consideration. The reader may refer to the “Insurance Companies (Amendment) Ordinance” section of this booklet.

Definitions of VHIS-compliant products

• Under the refined Voluntary Health Insurance Scheme (VHIS), there will be two types of compliant individual Hospital Insurance products, namely the Standard Plan and the Flexi Plan. Their definitions are listed out as follows:

Standard Plan
• Insurers must offer to all consumers as one of the available options.
• Standard Plan has fixed product template in terms of standard policy terms and conditions, benefit coverage, benefit limits and cost-sharing arrangement, etc.
• Standard Plan must meet but not exceed all Minimum Requirements.
• Insurers may accept or reject a subscription. For subscribers with pre-existing conditions, insurers may offer acceptance subject to exclusion clauses for these conditions (e.g. cataract) in the insurance policies, but should concurrently provide an option of covering pre-existing conditions with premium loading and waiting period. Moreover, the exclusion clauses for pre-existing conditions are subject to a set of guiding principles and interpretations to be developed by the Food and Health Bureau (FHB) as part of the practice guidelines for VHIS.
• Standard Plan is eligible for tax concession.

Flexi Plan
• Insurers may opt to offer Flexi Plan to consumers as available option or not.
• Flexi Plan has modular product design, encompassing basic coverage tantamount to Standard Plan plus add-on hospital insurance coverage of which product template is not fixed (e.g. higher benefit limits, broader hospital benefit coverage, etc.).
• Flexi Plan must meet or exceed all Minimum Requirements for the basic coverage tantamount to Standard Plan.
• Flexi Plan must meet some but not all of the Minimum Requirements for the add-on coverage (e.g. more relaxed cost-sharing arrangement to allow flexibility in product design), subject to further deliberation with stakeholders.
• Insurers may accept or reject a subscription. For subscribers with pre-existing conditions, insurers may offer acceptance subject to exclusion clauses for these conditions (e.g. cataract) in the insurance policies. The exclusion clauses are subject to a set of guiding principles and interpretations to be developed by FHB as part of the practice guidelines for VHIS. Unlike Standard Plan, insurers need not provide an option of coverage of pre-existing conditions.
• Flexi Plan is eligible for tax concession.

Top-up Plan
• A plan (e.g. savings plans, critical illness plans, income protection plans) that provides benefits other than those in the nature of health insurance.
• Not required to comply with Minimum Requirements, therefore not eligible for tax concession.


Summary of the Minimum Requirements being considered (1/2)

Improving accessibility to and continuity of health insurance
(consultation feedback * in brackets)

Guaranteed renewal (73.4%)
• No re-underwriting upon policy renewal

No “lifetime benefit limit”
• No lifetime limit on cumulative claims amount

Coverage of pre-existing conditions (78.5%)
• Subject to a three-year waiting period, during which only partial reimbursement will be provided

Guaranteed acceptance with premium loading cap
• Guaranteed acceptance with a premium loading cap of 200% of standard premium, will be offered to (79.0%):
  - all ages within the first year of implementation of the VHIS; (75.1%)
  - those aged 40 or below starting from the second year of implementation of the VHIS

Portable insurance policy (79.4%)
• Changing insurers without re-underwriting if no claims made for a certain period of time (say three years) immediately before transfer of policies

Enhancing quality of insurance protection
(consultation feedback * in brackets)

Benefit coverage (87.1%)
• Benefit coverage includes:
  - Prescribed ambulatory procedures and treatments in addition to those performed in in-patient setting
  - Advanced diagnostic imaging tests and non-surgical cancer treatments: Magnetic Resonance Imaging (MRI), Computed Tomography (CT) and Positron Emission Tomography (PET) scans, as well as chemotherapy and radiotherapy, etc.

Minimum benefit limits (84.6%)
• Prescribed levels for benefit limits to provide basic protection to the public

* % of strongly agreed / agreed



Summary of the Minimum Requirements being considered (2/2)

Promoting transparency and certainty
(consultation feedback * in brackets)

Budget certainty (84.4%)
• “No-gap / known-gap” arrangement for at least one procedure / test: policyholders can enjoy “no-gap” (no out-of-pocket payment) or “known-gap” (a pre-determined amount of out-of-pocket payment) if the procedure concerned is on the list specified by the insurer
• “Informed Financial Consent”: i.e. written quotation, providing information on estimated doctor fees, hospital charges and out-of-pocket expenses to be paid after deducting estimated insurance reimbursement amount

Standardized policy terms and conditions (80.5%)
• Minimize disputes over interpretation of terms and conditions.

Premium transparency (91.9%)
• Publish age-banded premium schedules

Group Health Insurance

• A Conversion Option is offered to employers who take out group health insurance, allowing employees to switch to an individual Standard Plan without re-underwriting upon retirement or leaving employment

• Employees may procure at their own cost Voluntary Supplements offered by insurers. The group policy, enhanced by the Voluntary Supplement, should provide insurance protection at a level comparable to the protection of an individual Standard Plan

• Group health insurance will not be subject to the Minimum Requirements, but employees have the right to know whether their group plan is compliant with the Minimum Requirements

Migration
• Within the first year of the VHIS, if existing health insurance policyholders choose to migrate to the VHIS:
  - Their benefits in existing policies will not be re-underwritten;
  - Their case-based exclusion in existing policies can be removed (may be re-underwritten and need to pay premium loading)

Regulation relating to the banking industry

This second section focuses on regulations that apply solely to the banking industry:
• BASEL III | International Capital and Liquidity Framework
• FRTB | Fundamental Review of Trading Book
• IRRBB | Interest Rate Risk in the Banking Book
• CCAR | Comprehensive Capital Analysis Review
• CRD V | Comprehensive Requirements Directive V
• Funding Plans | The European Banking Authority Report
• Stress Testing | Three Types of Stress Scenarios
• ANACREDIT | Analytical Credit Dataset
• CECL | Current Expected Credit Losses
• MiFID II | Markets in Financial Instruments Directive
• BRRD | Banking Recovery and Resolution Directive
• SFTR | Securities Financing Transactions Regulation
• MAS Notice to Bank 610 | Submission of Statistics and Returns
• SEC Swap dealer | Securities and Exchange Commission
• CFTC Swap dealer | Commodities Futures Trading Commission
• CAT | Consolidated Audit Trail
• Stock T2 | Shortening of Stock Settlement Cycle to T+2
• Conduct Risk | Regulatory Framework
• Manager-In-Charge Regime | Licensing and Designation Requirement for Senior Management
• SVF Licensing | Regulation for Stored Value Facilities
• Virtual Banking Licensing | Authorization of Virtual Banking in Hong Kong
• Open API | Open Application Programming Interfaces
• FINRA Rule 4210 | Margin Requirements
• Volcker 2.0 | Proposed Changes to the Volcker Rule

Basel III
Purpose of Basel III and Overview of its standards’ implementation in the U.S.

What is Basel III?


“Basel III” is a comprehensive set of reform measures, developed by the Basel Committee on Banking
Supervision, to strengthen the regulation, supervision and risk management of the banking sector. These
measures aim to: improve the banking sector’s ability to absorb shocks arising from financial and economic
stress, whatever the source; improve risk management and governance; strengthen banks’ transparency and
disclosures.

What is the purpose of Basel III?


The reforms target bank-level, or microprudential, regulation, which will help raise the resilience of individual
banking institutions to periods of stress, and macroprudential, system wide risks that can build up across
the banking sector as well as the procyclical amplification of these risks over time. These two approaches to
supervision are complementary as greater resilience at the individual bank level reduces the risk of system
wide shocks.

Overview of Basel III Standards Implementation in the U.S.

• In July 2013, the U.S. banking agencies issued a final rule that represents the most important overhaul of U.S. Bank Capital Standards since the adoption of Basel I in 1989. The U.S. Basel III final rule implements many aspects of the Basel III capital framework (as agreed upon by the Basel Committee), but also incorporates changes required by the Dodd-Frank Act (DFA).
• The final rule applies to all U.S. banking organizations (except for some small BHCs and some covered savings & loan holding companies) including any U.S. IHC that is required to be established by large FBOs.
• The rule also determines higher minimum risk-based capital ratios: it addresses not only the quantity of required capital but also its quality (the eligibility criteria for regulatory capital instruments are stricter). An additional ratio (above the minimum risk-based capital requirements), known as a capital conservation buffer of Common Equity Tier 1 (CET1) capital, is introduced by the rule.

Risk-Based Capital Ratio (%) = Regulatory Capital / Risk-Weighted Assets

A 3-time penalizing effect:
- Higher required ratios
- More strict rules on eligible capital
- More stringent and restrictive assessment of risks

• Significant differences in the approach and phase-in have been identified between U.S. Basel III framework, the Basel Committee’s framework and the European structure (CRD IV).

• In April 2014, the U.S. banking agencies issued a final rule to strengthen the leverage ratio standards for the largest, most interconnected U.S. banking organizations and created the Enhanced Supplementary Leverage Ratio (ESLR).

Basel III Supplementary Leverage Ratio (%) = Tier 1 Capital / Total leverage exposure

A new requirement for U.S. banks:
- 3% minimum
- New eligibility criteria
- Including Off-Balance Sheet exposure

Basel III Milestones Timeline

Capital Requirement Timeline

• 2014 - Minimum capital requirements: Start of the gradual phasing-in of the higher minimum capital requirements.
• 2015 - Minimum capital requirements: Higher minimum capital requirements are fully implemented.
• 2016 - Conservation buffer: Start of the gradual phasing-in of the conservation buffer.
• 2019 - Conservation buffer: The conservation buffer is fully implemented.

Leverage Ratio Requirement Timeline

• 2011 - Supervisory monitoring: Developing templates to track the leverage ratio and the underlying components.
• 2013 - Parallel run I: The leverage ratio and its components will be tracked by supervisors but not disclosed and not mandatory.
• 2015 - Parallel run II: The leverage ratio and its components will be tracked and disclosed but not mandatory.
• 2017 - Final adjustments: Based on the results of the parallel run period, any final adjustments to the leverage ratio.
• 2018 - Mandatory requirement: The leverage ratio will become a mandatory part of Basel III requirements.

Liquidity Requirements Timeline

• 2011 - Observation period: Developing templates and supervisory monitoring of the liquidity ratios.
• 2015 - Introduction of the LCR: Initial introduction of the Liquidity Coverage Ratio (LCR), with a 60% requirement. This will increase by ten percentage points each year until 2019. In the EU, 100% will be reached in 2018.
• 2018 - Introduction of the NSFR: Introduction of the Net Stable Funding Ratio (NSFR).
• 2019 - LCR comes into full effect: 100% LCR is expected.



FRTB
Fundamental Review of the Trading Book

Key Facts
• The purpose of FRTB is to calculate the capital charges, replacing the existing Basel
approach.
• Following the 2007-08 financial crisis, the Basel Committee on Banking Supervision (BCBS) has
designed rules to address the gaps in the current Market Risk Framework. On January 12, 2016, the
BCBS released the Fundamental Review of the Trading Book (FRTB) to reduce the shortcomings of
the current Basel 2.5 market risk capital framework and reduce the variability of market risk weighted
assets across jurisdictions.

Significant Impacts on Banks


The FRTB regulatory requirements represent tremendous challenges beyond Risk departments with an
impact on Front Office business practices through higher capital charges and Front-to-Risk alignment:

Target Operating Model: Banks may want to change their business strategy and Front Office behavior
to minimize their capital requirements and make less risky trades. The business process will need to be
revised as a desk-level approval process is needed for the IMA approach.

Optimization of capital: FRTB will likely increase banks’ market risk capital requirement. Banks may
need to raise extra capital to be compliant with the revised regulatory framework.

Organizational structure: Banks need to change their governance structure and risk management
reporting structure. Roles and responsibilities are clearly defined, and banks will need to develop a joint
partnership between Front Office and Risk functions to harmonize processes across multiple departments.

Processes, procedures, controls, reporting: Banks will need to put extra business processes, such as
extra modelling, validation tests, reporting and disclosure, in place. Subsequently, operational costs will
increase.

Infrastructure: The new methodologies will require investments in both the hardware and software
systems, especially for the IMA implementation. There is a high demand for data management, data quality
and availability to augment existing ecosystems without impacting “business as usual” so that banks can
support the preparations for FRTB compliance, the migration from current to future steady state and then
the ongoing maintenance under a robust, high performing, transparent and efficient technical environment.

Analytics expertise: The complex modelling and calculation methods require both quantitative skills and
sufficient business experience to correctly interpret the regulatory clause.

Regulatory and Implementation Timelines

Regulatory Timeline
Most national regulators have extended the deadline into 2020

[Timeline figure. Dates marked: Jan ‘11, May ‘12, Oct ‘13, Dec ‘14, Jan ‘16, Dec ‘17, Jan ‘18, Jan ‘19, Dec ‘19. Milestones in order: Basel 2.5, 1st consultation, 2nd consultation, 3rd consultation, Final FRTB Standards, Final National Standards, Deadline for Implementation. Phases: Approval Process; Implementation by Financial Institutions.]

FRTB Milestones

• Final FRTB Standards: Final rule published by the BCBS in January 2016. Status: Completed
• Final National Standards: Depends on each national supervisory body but completion by January 2019. Status: Not-Started
• Approval Process: Continuing as required by each bank, once national rules are in place. Status: Following national rule making
• Implementation: At the earliest January 2018. Latest reporting date December 2019. Status: On-going

Implementation Timeline for Banks

Kickoff (Early 2017)
o Develop pre-trade tools in Front Office to run FRTB development pilots and understand the impacts before restructuring the business from a risk perspective
o Conceive Technology Architecture and internal policies

Paradigm Shift (Late 2017)
o Build the new technology architecture
o Document Risk Management frameworks, policies and procedures
o Execute on the new Business Strategies

Parallel Run (2018)
o Run the VaR models alongside the new ES mandated by the FRTB and compare results
o Backtest loss estimates of the ES models against historical data to determine model performance

Go Live (2019)
o Close out all outstanding items on the project plan
o Make note of incomplete items on the project plan in communications with the Regulator
o Ensure readiness for market risk reporting under the new standards by year end

Revised Market Risk Capital Requirements Framework

Limits of Basel 2.5

Boundary of the trading book
There was no clear boundary between the trading and banking book.
Consequence: There was a possibility of arbitrage of regulatory capital between the two books.

Standardized Approach (SA) limitations
There is a lack of risk sensitivity in the current standardized approach, and model reliance to be used by the majority of banks as a credible fall-back to internal models.

Internal Models Approach (IMA) limitations
Most IMA-based approaches allow for risk-reducing benefits of hedging and diversification, unstable during times of stress, while they are strictly limited under the SA approach.

Consequence (SA and IMA): there were substantial differences in the capital charge calculation between the IMA and the SA.

At a high level, FRTB rules will provide:

1. Revised Boundary: Establishment of a more objective boundary, supplemented with a list of instruments presumed to be in the trading book, will serve to reduce incentives for arbitrage between the regulatory banking and trading books, while still being aligned with banks’ risk management practices.

2. Revised SA: Improved risk sensitivity, by mapping instruments to a set of regulatory risk factors, to serve as an appropriate standard for banks that do not require a sophisticated treatment for market risk, and a credible fall-back for inadequate market risk models.

3. Revised IMA: Stringent approval of internal models, which moves to a trading desk level approach, instead of being approved at bank-level. Trading desks will have to prove that their models comply by showing that they have adequate P&L attribution and back-testing in place. Focus on capturing the tail risk more effectively, with Expected Shortfall (ES) measure, market liquidity through varying liquidity horizons, and constraining diversification.


FRTB
A Path to Compliance

Key drivers for a successful FRTB Implementation

Key FRTB Stakeholders
1. FRTB Programme Managers
2. Front Office / Treasury Capital Consumers
3. Risk Managers
4. Technology and Data Teams

Planning Success Factors
• Mobilization of an accountable executive to lead implementation across functions (FO, risk, treasury, finance, operations, IT)
• Strong involvement from top management and FO sponsorship of the project
• Working closely with data management office


IRRBB
Principles for banks

Key Facts

Title: Interest rate risk in the banking book
Date of Release: April 2016 – Basel Committee on Banking Supervision
Effective date: January 1st, 2018. Banks whose financial year ends on 31 December would have to provide the disclosure in 2018, based on information as of 31 December 2017
Scope: All large internationally active banks on a consolidated basis, but may also be used for other banks and on any subset of entities of internationally active banks.
Targeted products/services: all financial products classified into the banking book
Regulation topics: The revised IRR Principles, The standardized framework
Related regulations:

History & Agenda

31 December 2018: Guidelines to apply from this date
October 2017: EBA Consultation: Draft guidelines
21 April 2016: The Basel Committee released the final accord, choosing the Enhanced Pillar 2 approach.
September 2015: End of the consultation period
8 June 2015: Basel Committee published the IRRBB consultation paper, proposing two (2) approaches, namely Standardized Pillar 1 approach and Enhanced Pillar 2 approach.
April 2014: Basel Committee released first QIS IRRBB to assess the impact of a potential Pillar 1 methodology.
July 2004: Basel Committee issued Principles for the management and supervision of interest rate risk to lay down the expectations for the banks and supervisors in the management of interest rate risk in the banking book.

Principles and Objectives

Interest rate risk in the banking book (IRRBB) is currently part of the Basel capital framework’s Pillar 2 (Supervisory Review Process), which is based on the Committee’s guidance set out in the 2004 Principles for the management and supervision of interest rate risk. The Principles lay out the Committee’s expectation for banks’ identification, measurement, monitoring, governance and control of IRRBB. This Pillar 2 approach relies on banks’ internal risk management system (IMS) to adequately capture IRRBB, subject to supervisor’s assessment.
In the new accord, the Basel Committee adopted the Enhanced Pillar 2 Approach. It is similar to the existing Pillar 2 framework; its main features are:
• More extensive guidance on the expectations for a bank’s IRRBB management process in areas such as the development of stress scenarios, as well as key behavioural and modelling assumptions
• Enhanced disclosure requirements to promote greater consistency, transparency and comparability in the measurement and management of IRRBB. This includes quantitative disclosure requirements based on common interest rate shock scenarios;
• An updated standardised framework
• A stricter threshold for identifying outlier banks; reduced from 20% of a bank’s total capital to 15% of a bank’s Tier 1 capital.
• Increased sophistication regarding the modelling of different risks with three subtypes of IRRBB – gap risk, basis risk and option risk.

IRRBB
Principles for banks

Firms should develop and use their own internal arrangements to identify, measure, monitor and control IRRBB, ensuring that these are in line with supervisory expectations:

PRINCIPLES: STATEMENTS AND KEY POINTS

Principle 1
Statement: IRRBB is an important risk for all banks that must be specifically identified, measured, monitored and controlled. In addition, banks should monitor and assess CSRBB.
Key point: Officially include CSRBB (Credit Spread Risk in the Banking Book) into the IRRBB management framework. This is a separate type of risk, but closely associated with IRRBB.

Principle 2
Statement: The governing body of each bank is responsible for oversight of the IRRBB management framework, and the bank’s risk appetite for IRRBB. Monitoring and management of IRRBB may be delegated by the governing body to senior management, expert individuals or an asset and liability management committee (henceforth, its delegates). Banks must have an adequate IRRBB management framework, involving regular independent reviews and evaluations of the effectiveness of the system.
Key point: A proper risk management framework is in place. The governing body sets the bank’s business strategies and IRRBB policies, determining the acceptable level of IRRBB given its strategies. It also oversees the approval, implementation and review of IRRBB management policies, procedures and limits.

Principle 3
Statement: The banks’ risk appetite for IRRBB should be articulated in terms of the risk to both economic value and earnings. Banks must implement policy limits that target maintaining IRRBB exposures consistent with their risk appetite.
Key point: The bank should have defined risk appetite statements, which are implemented through a risk appetite framework, i.e. policies and procedures for limiting and controlling IRRBB. These are tied to the measured economic value or earnings.

Principle 4
Statement: Measurement of IRRBB should be based on outcomes of both economic value and earnings-based measures, arising from a wide and appropriate range of interest rate shock and stress scenarios.
Key point:
• Define the high-level rules for calculating economic value and earnings-based measures
• Define the stress scenarios that need to be applied to calculate the economic value and earnings, including the 6 mandatory stress scenarios for disclosure purposes.

Principle 5
Statement: In measuring IRRBB, key behavioral and modeling assumptions should be fully understood, conceptually sound and documented. Such assumptions should be rigorously tested and aligned with the bank’s business strategies.
Key point: In calculating the risk metric (economic value or earnings) for products with many behavioral options, such as non-maturity deposits, many assumptions need to go into the modelling of future cash flows. Such assumptions must be fully documented, validated and back-tested.

IRRBB
Principles for banks (Continued)

PRINCIPLES: STATEMENTS AND KEY POINTS

Principle 6
Statement: Measurement systems and models used for IRRBB should be based on accurate data, and subject to appropriate documentation, testing and controls to give assurance on the accuracy of calculations. Models used to measure IRRBB should be comprehensive and covered by governance processes for model risk management, including a validation function that is independent of the development process.
Key point: It specifies more concrete requirements on the measurement system of IRRBB regarding its:
• Data requirement
• Documentation
• Automation
• Testing & controls
• Validation of the models
• Auditability

Principle 7
Statement: Measurement outcomes of IRRBB and hedging strategies should be reported to the governing body or its delegates on a regular basis, at relevant levels of aggregation (by consolidation level and currency).
Key point: It specifies reporting requirements to the governing body:
• IRRBB exposures
• Compliance with policies and limits
• Modelling assumptions
• Summaries of reviews by auditors and consultants

Principle 8
Statement: Information on the level of IRRBB exposure and practices for measuring and controlling IRRBB must be disclosed to the public on a regular basis.
Key point: It specifies the disclosure requirements to the public on the following 2 metrics, providing a template for disclosure (both qualitative and quantitative):
• ΔEVE
• ΔNII

Principle 9
Statement: Capital adequacy for IRRBB must be specifically considered as part of the Internal Capital Adequacy Assessment Process (ICAAP) approved by the governing body, in line with the bank’s risk appetite on IRRBB.
Key point:
• ICAAP: Banks are responsible for calculating the level of capital that they should hold in order to cover all risks
• Level and quality of capital is commensurate with the level of risk and risk appetite


IRRBB
Principles for supervisors

PRINCIPLES: STATEMENTS AND KEY POINTS

Principle 10
Statement: Supervisors should, on a regular basis, collect sufficient information from banks to be able to monitor trends in banks’ IRRBB exposures, assess the soundness of banks’ IRRBB management and identify outlier banks that should be subject to review and/or should be expected to hold additional regulatory capital.
Key point: Supervisors should collect sufficient information from banks regarding their IRRBB exposures and identify which banks are outlier banks.

Principle 11
Statement: Supervisors should regularly assess banks’ IRRBB and the effectiveness of the approaches that banks use to identify, measure, monitor and control IRRBB. Supervisory authorities should employ specialist resources to assist with such assessments. Supervisors should cooperate and share information with relevant supervisors in other jurisdictions regarding the supervision of banks’ IRRBB exposures.
Key point: Supervisors should regularly assess the banks’ IRRBB and their approach. They should also leverage external specialist resources and cooperate with other supervisors.

Principle 12
Statement: Supervisors must publish their criteria for identifying outlier banks. Banks identified as outliers must be considered as potentially having undue IRRBB. When a review of a bank’s IRRBB exposure reveals inadequate management or excessive risk relative to capital, earnings or general risk profile, supervisors must require mitigation actions and/or additional capital.
Key point: Supervisors should publish their criteria for identifying outlier banks and require additional capital or improvement of the management system.


IRRBB
Standardized Framework

The Standardized Framework provides a valid fallback for banks. Banks may choose to adopt it, or supervisors may request that banks use it.
It is a set of rules that can be applied by banks to calculate the minimum required capital for IRRBB.

The positions in the banking book need to be categorized into one of the 3 categories:
• Amenable Positions: Any position that can be decomposed into notional repricing cash flows where the maturity or time to repricing is unambiguous
• Not Amenable Positions: Positions that are better suited to banks’ own independently validated estimates of key risk parameters
• Less Amenable Positions: Any position where the notional repricing cash flows have maturity or repricing uncertainties that can be quantified. Usually refers to the automatic interest rate option

The steps are as follows:

Stage 1, Allocation of the positions: Banking book positions are allocated to Amenable Positions, Less Amenable Positions and Not Amenable Positions (3 types of operations).
Proposed approaches:
• Non-Maturity Deposits (NMDs): according to nature of deposit and depositor, with core and non-core deposits
• Behavioral Options: according to CPR or TDRR and scalar under shock scenarios for each category

Stage 2, Determination of slotting of cash flows: Slotting of notional repricing cash flows into 19 time buckets.

Stage 3, Sensitivity calculations: Compute change in EVE (6 IR shock scenarios) for each currency. The sensitivity calculations are based on 6 shock scenarios.

Stage 4, Integration of additional changes: Add-on: option value changes under IR shock scenarios.

Stage 5, Currency aggregation: Currency aggregation for each scenario (6 of them).

Stage 6, Calculation: IRRBB minimum capital requirements, based on the maximum ΔEVE among the 6 scenarios.


Comprehensive Capital Analysis Review


CCAR stands for Comprehensive Capital Analysis and Review, and is defined as a federally-
required stress test that is held annually to determine the financial resilience of the nation’s
large bank holding companies (BHCs) and intermediate holding companies (IHCs).

Key Facts

• Pronouncement: Part of Dodd-Frank Act of 2010
• Codification Date: November 2010
• Effective date: First CCAR Annual Process in 2011
• Scope:
- (U.S.) based BHCs and IHCs
- CCAR includes qualitative and quantitative assessments of firms’ capital plans.
- The quantitative assessment is based on the supervisory and company-run stress tests that are conducted under the Board’s rules implementing sections 165(i)(1) and (2) of the Dodd-Frank Wall Street Reform and Consumer Protection Act (DFAST).
• Reports: FR Y-14A, FR Y-14Q, FR Y-14M

Timeline

November 2010: Fed issued deadline for 19 BHCs to participate in CCAR process
December 2011: Capital Plan rule issued formalizing annual evaluation of capital adequacy
April 5, 2018: CCAR 2018 Capital Plan Submission Deadline.
June 30, 2018: Firms are required to disclose the results of their company run stress tests within 15 days of the date the Federal Reserve discloses the DFAST results.
CCAR 2018 and 2019: All firms should exclude the potential effect of CECL in CCAR 2018 and 2019

Principles and Objectives
• (CCAR) is an annual exercise by the Federal Reserve to assess whether the largest bank holding companies (BHCs) and intermediate holding companies (IHCs) operating in the United States have sufficient capital to continue operations throughout times of economic and financial stress and that they have robust, forward-looking capital-planning processes that account for their unique risks

Who Needs to Comply with CCAR


BHCs $50 billion or more:
• The Board’s capital plan rule requires top-tier BHCs with average total consolidated assets of $50 billion or more and IHCs subject to the capital plan rule pursuant to 12 CFR 252.153 to submit a capital plan to the Federal Reserve annually.
• Under the capital plan rule, a firm’s capital plan must include:
- a detailed description of the firm’s internal processes for assessing capital adequacy;
- the board of directors’ approved policies governing capital actions;
- and the firm’s planned capital actions over a nine-quarter planning horizon.
• Further, a firm must report to the Federal Reserve the results of stress tests conducted by the firm under supervisory scenarios provided by the Federal Reserve and under a baseline scenario and a stress scenario designed by the firm (BHC baseline and BHC stress scenarios). These stress tests assess the sources and uses of capital under baseline and stressed economic and financial market conditions.
• Before a firm submits its capital plan to the Federal Reserve, the capital plan must be approved by the firm’s board of directors, or a committee thereof.
• For CCAR 2018, capital plans should be submitted to the Federal Reserve no later than April 5, 2018.

Mandatory Elements of a Capital Plan


The capital plan rule specifies the four mandatory elements of a capital plan.

4 Mandatory Elements of a Capital Plan

1. Assessment of the expected uses and sources of capital over the planning horizon that reflects the firm’s size, complexity, risk profile, and scope of operations, assuming both expected and stressful conditions.
2. A detailed description of the firm’s process for assessing capital adequacy.
3. The firm’s capital policy.
4. A discussion of any expected changes to the firm’s business plan that are likely to have a material impact on the firm’s capital adequacy or liquidity.

Assessment of Expected Uses and Sources of Capital
• Estimates of projected revenues, losses, reserves, and pro forma capital levels
• A discussion of how the firm will maintain all minimum regulatory capital ratios under expected conditions and the required stressed scenarios.
• A discussion of the results of the stress tests required by law or regulation and an explanation of how the capital plan takes these results into account.
• A description of all planned capital actions by the firm over the planning horizon.

Description of a Firm’s Process for Assessing Capital Adequacy
• A LISCC (Large Institution Supervision Coordination Committee), large and complex firm’s capital planning process should have as its foundation, a full understanding of the risks arising across all parts of the firm from its exposures and business activities, as well as scenario-based stress testing analytics, to ensure that it holds sufficient capital corresponding to those risks to maintain operations across the planning horizon.
• The detailed description of a LISCC’s capital planning process should include a discussion of how, under stressful conditions, that firm will meet supervisory expectations for maintaining capital commensurate with its risks, taking into account minimum regulatory capital ratios and its internal capital goals.

Firm’s Capital Policy
• Provides the firm’s policies outlining the principles and guidelines used for capital planning, capital issuance, usage, and distributions.

Expected changes to the firm’s business plan
• Material business plan changes: provides a discussion of any expected changes to the firm’s business plan that are likely to have a material impact on the firm’s capital adequacy and funding profile (e.g., a proposed merger, acquisition, or divestiture; changes in key business strategies; or significant investments).


Quantitative and Qualitative Assessments


The Board conducts qualitative and quantitative assessments of BHCs’ and IHCs’ capital plans.

QUALITATIVE
• In conducting the qualitative assessment, the Federal Reserve evaluates firms’ capital planning practices, focusing on six areas of capital planning, namely governance, risk management, internal controls, capital policies, incorporating stressful conditions and events, and estimating impact on capital positions.
• For purposes of the qualitative assessment, the Federal Reserve assesses the strength of the firm’s capital planning practices, including the firm’s ability to identify, measure, and determine the appropriate amount of capital for its risks, and controls and governance supporting capital planning.
• The qualitative assessment is informed by a review of the materials each firm provides in support of its annual capital plan submission. In addition, the Board’s qualitative assessment incorporates supervisory assessments of the firm’s capital planning process that are undertaken throughout the year.

QUANTITATIVE
• The Federal Reserve’s quantitative assessment of a firm’s capital plan is based on the supervisory and company-run stress tests that are conducted, in part, under the DFAST rules.
• The quantitative assessment of a firm’s capital plan in CCAR includes a supervisory assessment of the firm’s ability to maintain capital levels above each minimum regulatory capital ratio, after making all capital actions included in its capital plans, under baseline and stressful conditions throughout the nine-quarter planning horizon. See table 1 for a list of the ratios that are applicable to firms participating in CCAR 2018 over the planning horizon.
• Beginning January 1, 2018, the minimum supplementary leverage ratio (SLR) requirement of 3 percent applies to firms that meet the thresholds for applying the advanced approaches framework. For purposes of CCAR 2018, firms must report their SLR using data as of December 31, 2017.
• The quantitative and qualitative assessments serve as the basis for the Federal Reserve’s decision to object, or not object, to a firm’s capital plan as a part of CCAR. The decisions for all firms participating in CCAR 2018, including the reasons for any objections to a firm’s capital plan, will be published on or before June 30, 2018. In addition, the Board will separately publish the results of DFAST under the supervisory severely adverse and adverse scenarios.
• DFAST uses the same supervisory stress test as in the CCAR quantitative assessment, but with different capital action assumptions.

Table 1. Required minimum capital ratios for CCAR 2018 (percent)

Regulatory ratio: Minimum ratio
• Common equity tier 1 capital ratio: 4.5
• Tier 1 risk-based capital ratio: 6.0
• Total risk-based capital ratio: 8.0
• Tier 1 leverage ratio: 4.0
• Supplementary leverage ratio*: 3.0

Note: All regulatory capital ratios are calculated using the definitions of capital, standardized risk-weighted assets, average assets (for the tier 1 leverage ratio), and total leverage exposure that are in effect during a particular quarter of the planning horizon. The advanced approaches are not used for purposes of these projections.
* Supplementary leverage ratio applies only to advanced approaches firms.

CCAR 2018

Federal Reserve response to Planned Capital Action

Capital Plan non-objection
For purposes of CCAR 2018, if a firm receives a non-objection to its capital plan, the firm generally may make the capital distributions included in its capital plan submission beginning on July 1, 2018, through June 30, 2019, without seeking prior approval from or providing prior notice to the Federal Reserve.

Capital Plan Objection
If a firm receives an objection to its capital plan, the firm may not make any capital distribution other than those capital distributions with respect to which the Federal Reserve has indicated in writing its non-objection.

Disclosure of Supervisory Assessments
At the completion of the CCAR process, the Federal Reserve will publicly disclose its decision to object or not object to a firm’s capital plan. The Fed will include in its CCAR disclosure the results of its post-stress capital analysis for each firm, including firm-specific post-stress regulatory capital ratios (tier 1 leverage, common equity tier 1, tier 1 risk-based, and total risk-based capital ratios, and supplementary leverage ratio), estimated in the adverse and severely adverse scenarios. The disclosed information will include minimum values of these ratios over the planning horizon, using the originally submitted planned capital actions under the baseline scenario and any adjusted capital distributions in the final capital plans.

Resubmission
If a firm receives an objection to its capital plan, it may choose to resubmit its plan in advance of the next CCAR exercise in the following year. For instance, a firm may choose to resubmit its capital plan if it believes it has fully and effectively addressed the Board’s supervisory concerns with the firm’s capital position or capital planning process. In addition, pursuant to the capital plan rule, a firm must revise and resubmit its capital plan if it determines there has been or will be a material change in the firm’s risk profile (including a material change in its business strategy or any material-risk exposures), financial condition, or corporate structure since the firm adopted the capital plan.

Execution of Capital Plan and Requests for Additional Distributions
The capital plan rule provides that a firm must request prior approval of the Board for capital distributions if the dollar amount of such capital distributions will exceed the amount described in the non-objected to capital plan. A firm that is well capitalized may make additional capital distributions not to exceed 0.25 percent of the firm’s tier 1 capital without seeking the Board’s prior approval if certain conditions are met.


CRD V Package
Capital Requirements Directive V and Capital Requirements Regulation II

Key Facts

• Title: Capital Requirements Directive and Capital Requirements Regulation (CRD V and CRR II) (CRD V - Directive 2013/36/EU)
• Date of Adoption: 23 November 2016
• Effective date: Q1 2019
• Scope: All types of banking activities at consolidated and non-consolidated levels
• Regulation topics: Banking resolution
• Related Regulations:
- Basel I, II and III
- Capital Requirements Directive IV
- Banking Recovery and Resolution Directive (BRRD)

History & Agenda

Jan 2019: Implementation of CRD V/CRR II, which would fully phase in the capital requirements of Basel III and lay the groundwork for Basel IV
Nov 2016: Transposal of CRD V/CRR II, building on the previous regulation, while expanding on new elements of proportionality and capital reviews
Jan 2014: Implementation of CRD IV/CRR regulations and directives in full force
July 2013: Transposal of CRD IV/CRR, which focussed on prudential requirements and activity of credit institutions and investment firms
Jan 2011: Implementation of the first phase of CRD III, covering capital requirements for the trading book and re-securitisations/supervisory reviews of remuneration policies
Sept 2009: Adoption of CRD II, the second legislative package aimed at ensuring the financial soundness of banks and investment firms

Principles and Objectives
To further strengthen the existing regulatory framework currently in place for financial institutions operating in the European Union, the European Commission has released its most recent amendments known as the ‘CRD V package’. The package addresses improvements to the Capital Requirements Directive and the Bank Recovery and Resolution Directive, as well as the introduction of Basel III provisions into EU law. The purpose is to align with international regulatory standards while maintaining EU-specific interests.

Main elements of the CRD V/CRR II Package include:

• Introduction of a “Net Stable Funding Ratio” (NSFR)
• Implementation of a binding leverage ratio minimum of 3%, with defined exceptions
• Application of a Market Risk framework which leverages the BCBS “Fundamental Review of the Trading Book” (FRTB)
• Amended calculation methodology of large exposures and inclusion of a 15% lower limit for G-SIBs
• Implementation of “Total Loss Absorbing Capacity” (TLAC) requirements in conjunction with modifications to the existing MREL framework*
• Concept of proportionality with regards to protecting small to medium enterprises from potential negative impacts of regulatory restrictions

*TLAC and MREL requirements are detailed separately



CRD V Package
Capital Requirements Directive V and Capital Requirements Regulation II

Some of the key provisions and amendments

Net Stable Funding Ratio (NSFR)
Description:
• Ratio of an institution’s available stable funding for a 1 year period
• Minimum level of 100% to ensure a stable and sustainable funding structure
Operational Impacts:
• Re-evaluation of sustainable funding structure and ensure balance of maturity liabilities against regulatory capital

Leverage Ratio
Description:
• Introduces a binding 3% requirement
• For qualifying FIs, exposure ratio can be reduced by the amount of:
- Pass through promotional loans and officially guaranteed export credits
- Initial margin received for derivatives
- Lending provided to public sector investments
Operational Impacts:
• Leverage ratio must be applied in addition to existing risk-based capital requirements
• Firms need to determine if they qualify for reduced leverage ratio requirements

Market Risk - Fundamental Review of the Trading Book (FRTB)
Description:
• Implementation of BCBS FRTB-based framework
• Concessions for medium-sized market risk activities and small trading books
• Enhancing consistency and risk-weight comparability
Operational Impacts:
• Review instrument classification to ensure instruments are appropriately aligned to trading or banking book
• Update systems and internal model approaches to align with the modified calculation methodologies of appropriate own funds requirement

Amended calculation methodology of large exposures
Description:
• Introduces the use of Standardised Approach for Counterparty Credit Risk (SA-CCR) to measure exposure to OTC derivative transactions
• Lower limit of 15% for G-SIB exposure to other G-SIBs
Operational Impacts:
• Remove Tier 2 capital from denominator for calculation of large exposures (only Tier 1 to be included)
• Evaluate and implement appropriate calculation method: SA-CCR, Simplified, or Standard Approach

Proportionality
Description:
• Amended reporting schedule, disclosure, and remuneration requirements for small institutions
• Maintenance of SME Supporting Factor and reduced capital charges for qualifying infrastructure investments
Operational Impacts:
• Review definition of “SME” and as appropriate, ensure application of concessions across all aspects of the reform package


EBA Report on Funding Plans


Overview of the report

Key Facts
• Title: European Banking Authority Report on Funding Plans
• Date: Submission of data for the analysis was 10th July 2017.
• Scope: 155 banks including subsidiaries from the European Union banking system.
• Relevant activities: EBA Guidelines on harmonised definitions and templates for funding plans of credit institutions
• Relevant activities: Banking resolution, bank funding.
• Related Regulations: Banking Recovery & Resolution Directive (BRRD)

The analysis
• Uses 31 December 2016 as a reference date
• Covers actual figures for 2016
• And forecasts for three subsequent years (2017 to 2019)

Principles and Objectives


• The objective of this report is to provide an assessment of the feasibility of submitted funding
plans for the EU banking system
• To assess the feasibility of asset growth forecasted by banks on an aggregated level, the report
also compares submitted data with market and statistical information, including historical
issuance volumes and economic forecasts
• The sample covers the largest institutions in each Member State and in terms of total assets
covers 76% of the EU banking sector
• Funding plan data and forecasts are on a base-case scenario, and therefore are not intended to
represent a perception of their ability to attain funding under stressed conditions

Evolution of GDP, total assets, and loans (EU total)


• The asset side is considered the driver
for banks’ business, and in theory its
growth is connected to economic
conditions
• This implies that trends in asset growth
might be linked to the dynamics of GDP
• The dynamics of total assets are in fact
more volatile than those of GDP, while
loan growth also does not necessarily
move in accordance with GDP trends

Growth of selected liability classes (EU)


• As with the asset side, banks also expect
equity and liabilities to increase
• Growth is relatively diversified,
including client deposits as well as long-
term debt securities and equity
• With projected growth throughout all
forecast years, client deposits remain
the main component in EU banks’
funding mix


The key takeaways

Expected asset growth is driven by client loans


• Majority of banks’ asset sides are expected to grow over the 3 years by an average of 3.9%
• Main drivers are loans to households and non-financial corporates
• Assumed growth reasonable for several countries (France, Malta)
• Highly ambitious for others when factoring economic dynamics and growth (Slovakia, Sweden)

Ratio of non-performing loans is an important driver for assumed loan growth


• Strong negative correlation between NPL ratio and banks’ client loan growth forecast
• Stronger correlation for banks with lower capital ratios
• This suggests that less capitalised banks are more sensitive to the NPL ratio than higher ones

Funding mix assumed to remain largely stable


• Equity and liabilities are expected to increase
• Client deposits remain the main component in EU banks’ funding mix, with more than 50%
• Interbank financing and short-term debt volumes are expected to decrease
• Neither innovative instruments nor deposit-like funding account for a significant share

Deposits are assumed to grow significantly


• Expected increase in deposits higher than GDP growth for 16 countries
• Back-testing of former funding plan data suggests banks are able to significantly expand
deposit funding in times of GDP growth

Issuance of debt securities volumes set to grow


• Funding plans indicate increasing gross issuance volumes in 2018-19
• This is potentially driven by: the assumed asset growth, high availability of central bank funding
(2016-17), and successful bank issuances in 2016
• Banks expect mostly stable or decreasing costs for long-term market-based funding

Pressure on interest income will rise amid necessary changes in the funding mix
• There is a need to issue further MREL-eligible instruments, generally more expensive than
ineligible senior unsecured instruments
• Winding down of central bank funding support will put pressure on future funding costs
• Prices will also increase when secondary markets for debt securities are no longer supported

Policy considerations for regulators and supervisors


• High NPL levels combined with more thinly capitalised banks are expected to be a drag on new
lending
• Small and medium-sized banks will require close monitoring if they are to retain easy access to
capital markets and investors


Stress Testing
Financial stability and stress testing

Key Facts

• Title: Stress Testing
• Scope: Three types of stress scenarios have been designed and calibrated by the Bank of England spanning a five-year period (Q1 2018 – Q4 2022):
- Macroeconomic stress
- Traded risk stress
- Misconduct cost stress
• Regulation topics:
- Comprehensive Capital Analysis and Review (CCAR)
- Dodd-Frank Act stress test exercises led by the Federal Reserve
- Comprehensive Assessment led by the European Banking Authority and the Bank of England’s annual cyclical scenario (ACS) framework

History & Agenda

2018: Stresses applied are expanded to take into consideration a wide range of UK macroeconomic outcomes as a result of Brexit and the newly implemented IFRS 9 accounting standard on the timing of loss recognition during a stress

2017: ACS framework was extended to include additional exploratory scenarios, taking into account the resilience of the system against risks that were not systematically linked to financial markets

2016: Stress tests designed under the ACS framework took even broader domestic and global risks into consideration, marking a more balanced approach than 2014 and 2015 stress tests

2015: Stress tests centred on global risks coming from China, emerging markets, the Euro-area periphery and UK corporates

2014: Stress tests designed by the FPC and the PRA mainly focused on risks to the UK household sector and unemployment

Principles and Objectives

As a consequence of the 2008 financial crisis, most financial institutions have faced dramatically stronger regulatory capital requirements from supervisory bodies, intended to make these institutions more able to withstand substantial shocks and continue to operate whilst supporting the real economy.

Since the 2016 European Banking Authority (EBA) Stress Tests and the International Monetary Fund (IMF) Global Financial Stability Report publications, the macroeconomic outlook has improved. Stress testing has become an essential preventive tool through the application of its toughest scenarios on parameters like inflation, deflation, interest rates, unemployment, GDP, commercial property values, Sterling exchange rates, equities and bond rates.

Stress testing is now used for supervision, evaluation of capitalisation plans and strategic management that may lead to internal (i.e. the institution) or external (i.e. the regulator) recommendations. It is also used to create action plans to provide a quantitative, forward-looking assessment of the capital adequacy of the UK banking system and individual institutions within it.

Risk Assessments

Macroeconomic Stress

Assessing domestic and global market risks allows the FPC and the PRA to determine the UK
activity risk level and calibrate the severity of the relevant scenarios
• Domestic environment:
• Output: GDP contraction of 4.7% over the first year with unemployment peaking at
9.5%. Large depreciation of the sterling with increased inflation to over 5% by the end
of 2019 following higher import prices. Residential property prices fall with a sharp
decrease of 33%
• Credit: Lending to the UK real economy increases by around 2% across 5 years
reflecting increased credit demand
• Global environment:
• Global growth: challenging macroeconomic environment with a 2.4% GDP
contraction over the first year with severe and synchronised slowdowns
• China: significant economic slowdown with a contraction from 2017 onwards hitting
a -1.2% low by end-2018 and rising to 4.8% on average until 2022
• EU: high unemployment rate reaching up to 13% in 2019 leading to weaker demand,
lower commodity prices and weak inflation throughout the scenario
• US: 21% versus 33% fall in residential and commercial real estate prices respectively,
3.5% GDP contraction across 5 years, increasing corporate credit costs leading to
decreasing profitability
• Commodity: weak global demand with falling oil prices to US$29 per barrel until
2020 and generally weak prices for other commodities until 2022

Quantitative differences between the 2016 and the 2018 macroeconomic scenarios

Note: GDP and unemployment shocks represent the first year of the scenario. Real estate prices shocks take
place from peak to trough.


Traded Risk Stress

Beyond the assessment of domestic and global macroeconomic factors, this scenario is used to examine the resilience of the investment banking operations to conditions likely to have material impacts on a bank’s profit and loss e.g.:
• Equity prices (FTSE 100): apply a price shock of -11% to a bank’s most liquid positions and a shock of -45% to its least liquid ones
• Credit default: examine the ability of a bank to withstand the default of seven counterparties that would be vulnerable to the macroeconomic scenario
• Economic activity: recalculate stress scenario revenues and cost projections for an Investment Banking division, assuming a fall in financial market volumes as a result of reduced economic activity

Misconduct Stress

The ACS also incorporated stressed projections for potential misconduct fines as of the end of 2017 either by mis-selling payment protection insurance or misconducts linked to wholesale market activities

Shocks and Scenario Types

Overall, the 2018 stress scenario is more severe than the 2008 financial crisis with deep simultaneous recessions in the UK and abroad, and large falls in asset prices
• Types of Shocks
  • Instant/progressive
  • Occasional/lasting
  • Limited/global
  • Internal/external
  • Qualitative/mechanical
• Types of Scenarios
  • Historical
  • Hypothetical
  • Adverse
  • Stress

Note: The FPC and the PRA will include the ring-fenced bank sub-groups of the existing participants separately in the 2020 annual stress test after the introduction of the ring-fencing requirements on 1 January 2019.

Banking Models

Banks are expected to incorporate multiple risk models into their 2018 concurrent stress test:
• Balance sheet: project changes in the size and the composition of their balance sheet, corporate plans, growth and contraction scenarios
• Credit risk and IFRS 9: reflect the change from incurred loss provisioning to ECL provisioning,
and calculate impairments and risk-weighted assets (RWAs) per asset class and country of
exposure
• Market and counterparty credit risks: calculate stressed losses and RWAs for fair-value
position depending on market risks, counterparty credit risks and credit valuation adjustment
(CVA) risks
• Prudential Valuation Adjustment (PVA): assess the impact of a shock to the funding and
investing cost component of PVA
• Structured Finance: perform stresses including exposures to third-party cash or synthetic
securitisations, own-originated securitisations, third-party covered bonds
• Interest income and interest expense: assess institutions’ net interest income vulnerability to
the interest rate and economic environments
• Other income and costs: perform stress tests on retail and wholesale products fees and
commissions
• Operational risks and misconduct costs: project operational risk losses
• Pension risk: stress banks’ pension schemes surplus or deficit

ANACREDIT
Constructing a European statistical database for credits for all Euro Zone participant countries

Introduction and objectives

AnaCredit Snapshot

• Name: AnaCredit - Analytical Credit Dataset
• Publication date: 21st February 2014
• Implementation date: 3 stage implementation (March 2018, July 2019 and September 2020)
• Applicative scope: Financial institutions operating in the Euro Zone, with a focus on credit institutions under the Capital Requirement Regulation (CRR)
• Products / services concerned: Increased granularity of credit data initially to legal entities only, then subsequently to private individuals
• Regulatory family: A collection system of granular data, implemented by the ECB -> External regulatory reporting
• Reporting Frequency:
  Ø At the time of new data availability
  Ø Monthly (information on collateral…)
  Ø Quarterly (accounting data, risk data…)

Principles and objectives

• AnaCredit aims to construct a European statistical database for credits for all Euro Zone participant countries. The premise is the collection of new granular credit data to meet large user needs (national central banks, ECB, etc.) and to drastically improve transparency
• The credit database will hold between 100-200 credit risk criteria grouped into 6 categories, which are to be communicated to the European Central Bank (ECB): Lender/borrower data, valuation measures, Risk measures, loss measures (potential), state of Balance Sheet, Risk exposure factors
• AnaCredit requirements involve the collecting, processing, analysis and feedback of information. AnaCredit data collection is to be monthly for large banks and quarterly for smaller banks

[Figure: Centralise, Store, Analyse, Feedback]

• The principal objectives of the ECB addressing granular credit data collection:
  Ø Better respond to a number of monetary policy issues
  Ø Better evaluate the credit needs of national banks facing the ECB
  Ø Better calibrate risk control and collateral management in the Eurosystem
  Ø Improve transparency and financial stability in the Euro Zone

Timeline

• 21st February 2014: Publication of AnaCredit
• July 2015: First progressive implementation phase
• 1st March 2018: Stage 1 - Compliance for credit institutions solely for business loans
• 1st July 2019: Stage 2 - Financial derivatives, accounts receivable, off-balance sheet commitments
• 1st September 2020: Stage 3 - Mortgages, credits to individual entrepreneurs

Regulatory Considerations and Impacts

Main regulatory evolutions, impacts and Considerations of AnaCredit

Evolution and Description

1 Information system (IS) Infrastructure
• The required data must be integrated within a unique, robust and exhaustive platform which also responds to AnaCredit requirements as well as other regulations (AIFMD, Solvency II, BCBS 239…)

2 Data Quality
• Data quality requirements are reinforced by the implementation of this IS

3 Data Granularity
• Numerous granularity criteria required by AnaCredit which are not currently available in financial organisations’ databases

4 Materiality threshold for Credits
• The mandatory reporting threshold for credits is temporarily fixed at a minimum of €25,000. This threshold can be refined at a later stage
• The non-performing loan threshold of €100/Client has been removed

Impacts

The new requirements impose the collection of new data and necessitate an important adaptation of the informational architecture of financial institutions in order to produce reportings in line with the criteria defined by AnaCredit
• A new database of increased granular credit data, at the European level (ECB) and member state level (NCB)
• New regulatory reportings to be provided to prudential authorities
• Harmonised data and content coverage in all member states
• Synergies with current regulatory reporting (COREP, FINREP…) and future regulations (IFRS, BCBS 229, CRD IV…)

The main issues for credit establishments revolve around 4 major axes:
• Business
• Data Management
• Production of regulatory reporting
• The information system

Considerations

Organisational Considerations
• Data dissemination: differing granularity levels between departments and Information Systems within financial institutions and credit organisations
• Credit management process review from NCBs from credit redefinition
• Risk management process review from accuracy requirements for risk analysis and new reporting
• Internal controls review due to increased data granularity
• Collection process required to identify potential channels for reporting missing granular criteria
• Heightened constraints and costs for credit institutions associated with the potential decrease of Materiality threshold for Credits

IS Architecture Considerations
• New credit management data collection
• New reporting production features
• Adequacy with Credit management processes
• Performance (stored data volumes etc.)
• Data security and anonymity


Current Expected Credit Losses


New FASB Accounting Standard for the Calculation of the Allowance for Loan and Lease Losses (ALLL)

Key Facts

• Pronouncement: FASB ASU 2016-13
• Codification: ASC 326
• Effective Date: December 15, 2019 (SEC Filers)

Timeline

• January 1, 2018: IFRS 9 Compliance Date
• December 15, 2018: Early Adoption Permitted
• December 15, 2019: SEC Filers Compliance Date
• December 15, 2020: Public Non-SEC Filers Compliance Date
• December 15, 2021: Other Entities

Principles and Objectives

CECL is the new accounting standard for the calculation of the allowance for loan and lease losses (ALLL) which was issued by the FASB in the Accounting Standards Update (ASU) 2016-13 and was codified under Accounting Standards Codification (ASC) 326. Reacting to industry comments and a need to change the current standard, the FASB, in coordination with IASB and their release of IFRS 9, has developed a new standard – CECL.

FASB response to industry concerns:


• Criticism of the current incurred loss model: no possibility to anticipate expected credit losses under a “probable
threshold”
• Financial statement users’ needs: users estimate expected credit losses based on forward-looking
information
• Global Financial crisis: IASB and FASB to work together to reduce complexity of accounting standards and
increase comparability between IFRS and US GAAP

What’s Changed?
• The CECL model is based on future expected losses, NOT on incurred losses recognized only when impairment is
determined with certainty, which is the current model.
• Adopters will be required to use historical data, current market conditions and forward-looking forecasted loan
and lease performance estimates to determine the expected loss over the life of the loan/lease – the entire life
of the loan/lease.
• The current CECL model will require a more comprehensive review of existing loans and leases to determine
future expected losses, even for those assets that are currently performing without any indication to the contrary.

Who Needs to Comply with CECL


A broad scope that affects both financial and non financial-services firms:
• Any institution issuing credit, including banks, insurance companies, savings
institutions, credit unions and holding companies filing under GAAP accounting
standards 
• The standard contains guidance for the accounting of losses on a broad swath of
financial instruments held by disparate financial institutions


CECL Key Requirements

Which Instruments?
• Assets at amortized cost and Available-for-Sale
• Loans, debt securities, trade receivables, net investments in leases, off-balance-sheet credit exposures, reinsurance receivables, and any other financial assets not excluded from the scope that have the contractual right to receive cash

Models
• No specific credit loss modelling methodology prescribed: institutions will use judgement
• Pooling of financial assets with similar risk characteristics

Basic Components
• No probable “threshold” and incurred loss model: ECL calculation whatever the credit quality of the assets
• Initial recognition of an ECL over the life of the assets
• Establishment of an allowance amount to capture the ECL
• Based on historical loss experience, current conditions and reasonable and supportable forecasts

CECL Challenges : What Institutions Need to do to Get Ready


Multiple departments impacted by the CECL requirements

[Figure columns: Key Impacts, Focus Points, and level of effort required for CFO, CRO, COO]

1 Accounting & Risks
• Incorporate Expected loss risk notion in accounting provisions
• Review the accounting schemes and close processes

2 Organization & Process
• Define the roles and responsibilities in order to avoid duplicates
• New controls will have to be defined and implemented

3 Financial communications
• Evaluate capital impact and additional regulatory capital required
• Prepare a communication plan for shareholders
• Define new reporting statements required

4 Areas of judgment / Modelling
• Determine the appropriate credit loss measurement methodology
• Integrate the models with DFAST and CCAR

5 Information Systems
• Assess systems capabilities to support larger volumes
• Enhance origination systems allowing to capture data in real time for lifetime loss calculations

6 Data Management
• Provide access to more historical, granular data and trend information
• Centralize data from many sources and automate data analysis for calculations and exports to regulators


Implementing CECL based on IFRS 9 existing framework: understanding the differences


Both the CECL and IFRS 9 impairment models are based on expected credit losses. Leveraging CECL/IFRS 9
similarities can yield implementation efficiencies for institutions with dual filing
requirements under US GAAP and IFRS. However, some differences exist:

Component: Impairment measurement
  CECL: Single credit-loss measurement approach with lifetime expected credit loss horizon for all assets
  IFRS 9: A 3 stage approach with a 12 month ECL horizon for stage 1 and lifetime horizon for stages 2 & 3

Component: Contractual life for credit cards
  CECL: No requirement to estimate ECL on unfunded loan commitment, unconditional option to cancel exists
  IFRS 9: N/A

Component: Modifications of financial assets
  CECL: Concessions provided to a troubled borrower are treated as a continuation of the original agreement
  IFRS 9: N/A

Component: Non accrual practices
  CECL: Permitted
  IFRS 9: Not permitted

Implementing CECL only: Changes to the Current ALLL Model


Sia Partners’ prior IFRS 9 implementation led to observations and recommendations on how to put in
place an effective governance and control framework for CECL


MiFID II
Review of the Markets in Financial Instruments Directive

Key Facts

• Title: Markets in Financial Instruments Directive (recast) (MiFID II) and Markets in Financial Instruments Regulation (MiFIR)
• Date of Release: June 12th 2014
• Effective date: January 3rd 2018.
• Scope:
- EU Investment firms and credit institutions providing investment services and/or performing investment activities
- EU Market operators
- All EU financial and non-financial counterparties as defined in Articles 2(8) and 10(1)(b) of EMIR
• Targeted products/services: all financial instruments
• Regulation topics:
- Market infrastructure
- Transparency and reporting
- Investor protection
- Facilitation and harmonization of EU market access
• Related regulations:
- Markets in Financial Instruments Directive (MiFID I)
- Regulation (EU) No 648/2012 on OTC derivatives, central counterparties and trade repositories (EMIR)
- Market Abuse Directive and Regulation (MAD and MAR)

History & Agenda

March 2020: MiFID II functioning review

September 2019: Commission to report provision of EU-wide consolidated tape

February 2018: FCA published algorithm trading report

January 2018:
• MiFID II and MiFIR effective date, MiFID I replaced
• FCA/BoE/BaFin grants grace period (~30 months) to ICE/LME/Eurex on clearing rules
• ESMA grants 6 month grace period on LEI requirement, FCA welcomes

July 2017: Transposition into national laws (publication no later than July 3rd 2017)

April - May 2016: Publication of 3 Delegated Acts by the European Commission to enforce the ESMA standards

Principles and Objectives

MiFID II was created to address the gaps in MiFID I revealed by the financial crisis, with eight primary objectives:
1) Enhance the protection of investors by increasing compliance obligations on EU investment firms
2) Grant EU regulators the mandate to ban certain activities and products
3) Tighten regulations around algorithmic/high-frequency trading
4) Improve market transparency and transaction reporting
5) Bring more trading in EU regulatory scope by implementing commodity derivative position limits/reporting and creating a new type of regulated trading venue – Organised Trading Facility
6) Restrict the use of waivers for dark-pool trading
7) Strengthen governance requirements and enforce accountability
8) Implement a harmonized regime that governs the ability of third country firms to access the EU market


Latest Update (06/03/2018)

• MiFID II Transposition status (deadline 03/07/2018):
No transposition measures communicated: Bulgaria, Croatia, Romania, Slovenia
Partial transposition measures communicated: Lithuania, Luxembourg, Portugal, Poland, Spain, Sweden

• FCA issued algo. trading compliance report. As part of a distillation of MiFID rules, FCA published the report in Feb. 2018, highlighting the risks of algo. trading when operated with insufficient experience and expertise. The paper also listed out good and bad practices regarding monitoring and managing algo. trading. FCA urged investment firms to lay out a clear process to identify, monitor and test algo. trading.

• Most asset managers will absorb the research cost. According to FT research surveying over 70 asset managers, over 95% of the asset managers will absorb the (now unbundled) research cost rather than passing the cost to their clients.

• Double Volume Cap (DVC) implementation is delayed. As required by MiFIR, DVC caps the amount of stock trading that can use waivers from pre-trade transparency, in dark pools. Under current requirements, all relevant trading venues shall report 12 month trading data for DVC calculation. FCA has announced the delay due to insufficient data collected.

• LEI requirement is given 6 months grace period. As one of the requirements under transaction reporting obligations, LEI is required for all MiFID II impacted firms. ESMA allowed 6 month delay. All participants still need to finalise the LEI process for both themselves and their clients.

• FCA gives 30 month grace period to ICE and LME. Similar approach is adopted by BaFin.

• New trading venue Systematic Internaliser attracts algo. traders such as Jane Street and Citadel to operate in equities. JPM/GS/UBS/DB confirmed to become SIs for equities, fixed income and derivatives, BNPP for some non-equity instruments and ETF, Barclays/Nordea/Mizuho for fixed income.

History & Agenda CONTINUED

June 2014: Publication in the Official Journal of the European Union

April 2014: MiFID II (Directive 2014/65/EU) and MiFIR (Regulation (EU) No 600/2014) adopted by the European Parliament

October 2011: Proposals for revising MiFID adopted by the European Commission and submitted to the European Parliament

December 2010: Consultation on the review of MiFID carried out by the European Commission

November 2007: MiFID effective date

April 2004: MiFID (Directive 2004/39/EC) adopted by the European Parliament to replace the 1993 ISD Directive


MiFID II
Review of the Markets in Financial Instruments Directive

Key requirements and operational impacts | Market infrastructure

Algorithmic Trading and its subset HFT
Requirements:
• Algorithmic traders should be registered as an investment company and implement adequate controls and risk management frameworks, including business continuity plans.
• The algorithmic trading strategies used by investment companies must be communicated to the competent authorities.
• Rigorous audits should be conducted against anomalies such as ‘‘disorderly trading,’’ ‘‘erratic price movements,’’ and ‘‘capacity overload’’.
Operational Impacts in the U.K.:
• Need to ensure adequate testing, control, and risk protocols are in place
• New reporting to the competent authorities
• Must record all placed and executed orders, cancellations and quotes

Trading Obligations
Requirements:
• New trading obligations have been introduced to reduce OTC transactions and force execution on regulated platforms (RM, MTF, OTF or SI).
• When the instrument traded is also available on regulated platforms, OTC execution is only permitted for non-substantial, non-systematic, infrequent, irregular transactions.
• Requirements apply to all financial instruments.
Operational Impacts in the U.K.:
• Execution policy review
• Notification to FCA on venues / instruments
• Threshold testing to apply for SI / OTF interconnections

Overview of the 4 types of trading venues defined by MiFID II:

Regulated Market (RM)
Execution Parameters:
• Multilateral non-discretionary execution
• Match principal and own-account trading prohibited
• Equity and non-equity instruments
Types of Firms: Market Operators

Multilateral Trading Facility (MTF)
Execution Parameters:
• Multilateral non-discretionary execution
• Match principal and own-account trading prohibited
• Equity and non-equity instruments
Types of Firms: Market Operators, Brokers, Trading platforms, Investment Banks

Organised Trading Facility (OTF) (New*)
Execution Parameters:
• Multilateral discretionary execution
• Match principal and own-account trading permitted under certain conditions
• Non-equity instruments only
Types of Firms: Most likely Market Operators, Investment Banks, HF and Asset Managers

Systematic Internaliser (SI)
Execution Parameters:
• Bilateral discretionary execution
• Own-account trading permitted
• Equity and non-equity instruments
Types of Firms: Investment Banks, High-Speed Traders


MiFID II
Review of the Markets in Financial Instruments Directive

Key requirements and operational impacts | Transparency and reporting

Pre-Trade Transparency
Requirements:
• Disclose supply and demand in the order book by RM, MTF and OTF for equity, equity-like and non-equity instruments as close as real time as possible
• Comply with waiver restrictions established to limit trading in dark-pools
• SIs required to publish quote when requested by a customer and agree to provide quote
Operational Impacts in the U.K.:
• New disclosure obligations
• System changes
• Authorisation - some dark pools to be converted into MTFs and SIs

Post-Trade Transparency
Requirements:
• Disclose trades already executed by RM, MTF, OTF and investment firm within 1 minute for equity/equity-like instruments and within 15 minutes (falling to 5 minutes in 2020) for non-equity liquid transactions
• Waivers for illiquid non-equity transactions and large transactions
Operational Impacts in the U.K.:
• New disclosure obligations
• System changes

Transaction Reporting
Requirements:
• Report to the National Competent Authority of the parent company on T+1 all trades executed during the trading day to enable the identification of market abuse
• 80 fields to capture including but not limited to LEI, client ID, trader ID, algorithm used, decision maker ID, ISIN, quantity and trading hour
Operational Impacts in the U.K.:
• New data capture and management
• New reporting obligations
• Internal alignment with EMIR reporting

Commodity Derivatives Positions
Requirements:
• Comply with net position limits applicable to commodity derivatives traded on RM, MTF, OTF and “economically equivalent” OTC derivative contracts
• Report positions (applicable to investment firms and trading venues operators)
Operational Impacts in the U.K.:
• New monitoring and reporting obligations


MiFID II
Review of the Markets in Financial Instruments Directive

Key requirements and operational impacts | Investor protection

Best Execution
Requirements:
• Document a best execution policy in a way that can be fully understood by the final investor
• Obtain client approval of the policy before executing transactions
• Prove compliance with the best execution policy whenever requested by a client
• Publish annually the top 5 trading venues used for each class of financial instruments
Operational Impacts in the U.K.:
• Review of best execution policies
• Upgrade of the system architecture and processes likely required to enable post-trade justification

Inducements
Requirements:
• Control or ban the perception of inducements factoring parameters such as the type of service provided or the independence of the investment advisor
• Establish and get client approval of the research budget on a yearly basis
Operational Impacts in the U.K.:
• Review of gift and compensation policies
• New research budget setting process

Cost Transparency
Requirements:
• Increase transparency around costs charged before and after a transaction is executed
• Distinguish research from execution costs and establish controls over research costs
Operational Impacts in the U.K.:
• Review of client invoicing policies and procedures
• System / organisation changes

Record Keeping
Requirements:
• Register all verbal and electronic conversations (with clients and between employees) that might result in a transaction
• Keep the records for 5 years from trade date
Operational Impacts in the U.K.:
• Review of record-keeping policies
• Implementation of tools to record and process data

Suitability and Appropriateness
Requirements:
• Test appropriateness/suitability of execution and investment advisory services provided to clients
• Perform regular assessments for clients provided with investment advisory services
Operational Impacts in the U.K.:
• Reinforcement of suitability testing process
• Client classification and management

Product Governance
Requirements:
• Define a target market for each product to be sold
• Control sales to make sure set targets are complied with
Operational Impacts in the U.K.:
• Review of distribution policies
• New control obligations

MiFID II
Review of the Markets in Financial Instruments Directive

Key requirements and operational impacts | Third Country Regime

Access to EU Eligible Counterparties and Professional Clients
Requirements: Investment firms from a third country will be authorised to address these types of clients without the need to set-up an EU branch or to obtain authorisation if the European Commission determines that the legal and supervisory framework of such financial institutions’ country of origin is “equivalent” to that of the EU.
Operational Impacts in the U.K.:
• Need to classify clients as part of KYC process (in line with revised classification rules compared to MiFID I)

Access to EU Retail and Elective Professional Clients
Requirements: Non-EU financial institutions will have to seek authorisation from EU regulators and establish a branch in the EU in order to access retail clients of the EU member state where the branch is located.
Operational Impacts in the U.K.:
• Expansion of the entity footprint and increase in operating costs if the institution does not already have an EU entity

Equivalence
Requirements: Jurisdictions meeting the following criteria will be recognised “equivalent”:
• Prudential and business conduct standards equivalent to MiFID II and CRD IV
• Equivalent system to recognise investment firms authorised under third country regime
Operational Impacts in the U.K.:
• Cost of growing business in the EU reduced

Reverse Solicitation
Requirements: Third country firms who do not apply for authorisation will still be allowed to serve and deal with EU clients, provided that it is at the specific request of the client.
Operational Impacts in the U.K.:
• None as long as the firm does not engage in direct marketing


BRRD – Banking Recovery and Resolution Directive


Including MREL and TLAC

Key Facts
• Title: BRRD - Banking Recovery and Resolution Directive (2014/59/EU)
  - MREL – Minimum Requirement for own funds and Eligible Liabilities
  - TLAC – Total Loss Absorbing Capacity
• Date of adoption: 15 May 2014.
• Effective date for revisions:
  - MREL: 1 January 2020
  - TLAC: 1 January 2022
• Scope:
  - BRRD / MREL: All European financial institutions
  - TLAC: G-SIBs
• Relevant activities: All types of banking activities at consolidated and non-consolidated levels.
• Related subjects: Banking resolution.
• Related regulations:
  - Key Attributes of Effective Resolution Regimes for Financial Institutions (FSB).
  - Banking Union: single mechanism of resolution (ECB).

Principles and Objectives


Following the introduction of BRRD in 2014, further amendments have been
published to include:
• Adjustments to MREL to align with implementation of TLAC standard
requirements for G-SIBs;
• Enforcement of TLAC global standard.

While MREL and TLAC may have similar objectives, their differences lie in application. Key points
being: scope, calculation, and enforcement criteria.

In this context, the updated directive:


• Provides an enhanced cohesive resolution framework in the EU allowing authorities to address
the failure of institutions and ensure cooperation between home and host authorities across
financial institutions.
• Maintains the conversion of certain liabilities (bail-in and introduction of the MREL ratio*), which
will, combined with substantial restructuring mechanisms resulting from activities, ensure the
continuity of the institution’s operations.
• Includes enforcement of TLAC** global standard as part of the MREL framework in regards
to MREL calculations, incorporation of the concept of resolution groups, and recategorisation of
eligible instruments.
• In summary, two distinct bail-in standards will remain in effect, however will be much more in
sync going forward.

While the package CRR / CRD IV aims at reducing the probability of bankruptcy of a given institution,
the BRRD framework, revised to include MREL and TLAC requirements, aims to prevent,
manage and reduce the societal impact of bankruptcy.

*MREL, new ratio of minimum requirement for own funds and eligible liabilities during a bail-in.
**TLAC is a global standard applicable to GSIBs only.

BRRD – Banking Recovery and Resolution Directive


Including MREL and TLAC

Key Milestones and Upcoming Agenda

Date: Comment
May 2014: Adoption of BRRD
November 2014: Financial Stability Board proposes TLAC
January 2015: Enforcement of the BRRD for European financial institutions
November 2015: TLAC final standards issued
1 January 2016: Enforcement of MREL
December 2016: Amended BRRD issued to include changes to MREL and enforcement of TLAC

Phase-in:
1 January 2019: Enforcement of minimum TLAC requirement
1 January 2020: Enforcement of MREL final level
1 January 2022: Enforcement of final TLAC requirement

Additional information on the MREL and TLAC


• The MREL is expressed as a percentage of total liabilities and own funds.
• The MREL level will be determined on a case-by-case basis depending on the institution’s risk
profile and will reflect both its “resolvability” and its systemic importance.
• The indicative MREL reference level is estimated at 10% of total liabilities and own funds.
• TLAC requirements for G-SIBs will be at least 16% of RWA’s and 6% of LRE’s from 2019, increasing
to 18% and 6.75% respectively by 2022.
• There are three potential ways to meet TLAC requirements: regulatory capital; long-term unsecured
debt instruments; and industry pre-funded recapitalisation commitments.


SFTR
Transparency and transaction reporting for securities financing instruments

Key Facts

• Title: The Securities Financing Transactions Regulation (SFTR)
• Publication date: 23rd December 2015
• Effective date: 12th January 2016 (excluding Articles 4(1), 13, 14, and 15)
• Scope: Essentially any counterparty (financial and non-financial) established in the EU engaging in SFTs will be impacted
• Targeted products/ services:
  A) SFTs (for transaction reporting purposes) including:
  - Repurchase agreements (repos / reverse repos, buy-sell back / sell-buy back transactions)
  - Securities lending (incl. commodities)
  - Margin lending transactions
  B) Total Return Swaps (TRS). But only for information disclosure purposes to investors by UCITS and AIFMs under Article 13 and 14
• Regulatory topics:
  - Transparency on reuse of collateral
  - Transparency of SFTs to investors
  - Transaction reporting
• Regulatory topics:
  - FSB Initiative on SFT data collection and aggregation
  - T2S
  - MiFIR transaction reporting regime
  - CASS 9

History & Agenda

End of 2017/start of 2018: Expected review of RTS by European Commission to be completed for Article 4 (Transaction Reporting) and RTS entry into force commencement date would then begin with defined time horizons
13th July 2017: Article 14 applies to UCITS and AIFMs
31st March 2017: ESMA issues final RTS in a report on implementation of SFTR
13th January 2017: Article 13 applies to UCITS and AIFMs
13th July 2016: Article 15 applies, and also includes existing collateral arrangements
12th January 2016: Regulation becomes effective (excluding Articles 4(1), 13, 14 and 15)
23rd December 2015: Published in EU Journal
25th November 2015: SFTR ratified by EU Council and parliament

Principles and Objectives

Transparency on reuse of collateral – Article 15:
Conditions on the right to reuse financial instruments provided as collateral (re-hypothecation). The article also stipulates additional conditions to be able to exercise the right to reuse collateral.

Transparency towards investors – Articles 13 & 14:
Disclosure requirements on managers of UCITS and AIFs with respect to collective investment (SFTs and TRS). The regulation requires managers of UCITS and managers of AIFs (AIFMs) to make detailed disclosure of their funds’ use of SFTs and TRS through the publication of periodical reports and pre-contractual documents.

Transaction reporting – Article 4:
Article 4 identifies in-scope entities for reporting obligations and processes to report required data. The article also considers what information needs to be reported.

SFTR
Article 4 focus – Transaction reporting

Article 4 identifies in-scope entities for reporting obligations and processes to report required
data. The article also considers what information needs to be reported.

What SFTs should be reported

• All SFTs concluded, modified or terminated after the 12th January 2016
• Exemptions: (1) Entities: Members of the ESCB, other EU public bodies with similar functions, EU public bodies charged with or intervening in the management of the public debt; BIS; (2) Transactions with the ESCB being a counterparty do not need to be reported
• SFTs concluded before 12th January 2016 shall be reported if:
  - The remaining maturity exceeds 180 days
  - for those SFTs which have an open maturity, those that remain outstanding 180 days after that date

To whom?

• Trade repository (TR) approved for SFTR (list of approved TR available on ESMA website). TR must ensure the confidentiality, integrity and protection of data received
• Extended approval may apply for trade repositories recognised under EMIR
  - ESMA has 20 working days to assess the completion of the application
  - ESMA has 40 working days to examine the compliance of application for registration or extension of registration
• If no TR is available, counterparties shall ensure that reporting is done to ESMA

When?

• Details on any SFTs shall be reported the working day following the conclusion, modification or termination of the transaction (T+1)
• If SFT has been concluded before the 12th January 2016, the information should be reported within 190 days of the date of application of the SFTR reporting requirements

Who needs to report?

• All counterparties (financial and non-financial) to SFTs must report
• If the counterparty is a non-financial party and qualifies as SME under Directive 2013/34/EU, the financial counterparty must report both sides of the transaction
• For undertakings in collective investment, the ManCo of the UCITS or AIFM are responsible for the reporting
• The reporting obligation may be delegated to a third party

What information to report?

• The parties to the SFT and the beneficiary of the rights and obligations arising there from
• Inter alia: the principal amount; currency; assets used as collateral and their type, quality, and value; the method used to provide collateral; whether collateral is available for reuse; in cases where it is distinguishable from other assets, whether it has been reused; any substitution of the collateral; the repurchase rate, lending fee or margin lending rate; haircut; value date; maturity date; first callable date; market segment
• Depending of the SFT: cash collateral reinvestment and securities or commodities being lent or borrowed
• ID Data: LEI, ISIN, UTI

Who needs to report?

• Counterparties shall keep a record of any SFT that they have concluded, modified or terminated for at least five years following the termination of the transaction
In force since 12 January 2016

SFTR
Not just a simple compliance exercise, SFTR poses additional challenges

Topic: Insight

Regulatory overlap
• SFTR is not the only regulation to require reporting of certain trades and transactions. Most notably EMIR and MiFID II have similar key components. Unfortunately they aren’t always aligned, creating additional complexity.
• In addition, there are currently several other trade reporting requirements, including those to be implemented in the coming years, that will further overlap (e.g. CSDR).

Technology implications
• SFTR is more than a simple reporting issue as it requires firms to supply a number of matched data fields that need to be agreed with counterparties. While some element of leniency will be allowed, getting all data fields within the reporting requirement to line up will still be quite a challenge.
• This is further complicated as a result of the likely regulatory overlap. Systems and processes will need to be able to accommodate the various permutations.

Reduction in counterparties and thus liquidity
• A significant amount of liquidity in Europe comes from lending principals located outside Europe (recent work by ISLA suggests approx. 60%, and even 80% in government bonds).
• These lending principals are likely to fall outside the mandatory reporting obligations, presenting a problem to matched reporting.
• This may result in them withdrawing or not being able to participate, thus reducing liquidity.

Pragmatism
• The SFTR reporting requirements will add to the significant increase in data being reported.
• Historically, the data reported has not been of particularly great quality (for example see MiFID 1 reporting). It is optimistic to think that the quality of data will improve significantly, especially given the challenges.
• This in turn challenges how useful the data will be in trying to achieve the aims for which the data was collected in the first place. Here we can only wait and see, but there is a significant risk that the huge implementation costs only achieve limited aims.


MAS Notice to Banks 610


Consultation for Proposed Revisions to Submission of Statistics and Returns

Key Facts

• Title: Proposed Revisions to MAS Notice to Banks 610 and MAS Notice to Merchant Banks 1003 - Submission of Statistics and Returns
• Publication date: February 22nd 2017
• Effective date: Consultation still in progress
• Scope:
  - MAS is revising the Statistics and Returns data collected under MAS 610 and MAS 1003;
  - More detailed and improved financial data for analysis;
  - Banks and merchant banks, Audit Firms.
• Targeted products/ services: Consultation is with respect to submission of Statistics and Returns reported to MAS.
• Regulatory topics:
  - Financial Regulatory Reporting;
  - Singapore FRS.
• Regulatory topics:
  - MAS Notice to Merchant Banks 1003;
  - MAS is currently reviewing potential implications to other MAS Notices.

History & Agenda

February 2017: MAS response to feedback regarding the removal of the DBU-ACU Divide-Implementation Issues, and issues a Second Consultation paper on the proposed Revisions to MAS Notice to Banks 610.
August 2015: MAS issues a consultation paper on the proposed consequential amendments to regulatory requirements following MAS’ announcement on the removal of DBU-ACU divide.
December 2014: MAS issues a consultation paper on the proposed revisions to MAS Notice to Banks 610.

Principles and Objectives

Banks and merchant banks are critical to Singapore’s financial system, and to ensure that the data MAS collects remains relevant and up‐to‐date with developments in the financial industry, MAS is conducting public consultations to revise data collected under MAS 610.

1. Enhance the quality of financial data by widening the scope of data collected.
2. Improve reporting format by streamlining reporting forms in accordance to Singapore FRS.
3. Acquire timely data by changing reporting frequency for various reporting forms.
4. Reduce reporting requirements based on Domestic Banking Units and Asian Currency Units.


MAS Notice to Banks 610


Consultation for Proposed Revisions to Submission of Statistics and Returns

Key Challenges Impacting Banks and Merchant Banks

Operational Impacts

Overall Implementation Timeline
• Proposed 24 months implementation period, and 6 months testing period upon issuance of revised Notice.
• Banks and Merchant Banks are to provide updates on implementation progress every 6 months.

Reporting Challenges
• Regulator becoming more granular, determining how calculations should be done for each statistic reported.
• Different global reporting guidelines make data reporting more complex as Banks are forced to adopt new reporting standards.
• Scale of proposed changes is potentially enormous, and Banks may be forced to re-think current reporting processes and methodologies.

System and Process Challenges
• Immaculate coordination between Front, Middle and Back office within Banks to complete transition.
• Current procedures and technological systems may not be set-up to handle the new reporting standards.
• Short-term processes may be required as Banks review strategic solutions to meet reporting requirements.

Post MAS 610 revision
• Potential updates and changes after revised MAS 610 is introduced.
• Banks and Merchant Banks may not have met regulatory reporting requirements.


SEC Swap Dealer


Security-based Swap Rules under Dodd-Frank OTC Derivatives Regulations

Key Facts

• Law: Dodd-Frank Wall Street Reform and Consumer Protection Act (Pub L. 111-203, H.R. 4173)
• Sub-section: Title VII, Wall Street Transparency and Accountability
• Specific component: OTC Derivatives rules – SEC Swaps
• Effective date: Pending
• Scope: all “security-based swap” transactions globally
• Targeted products/ services: SEC Security-based Swaps

History & Agenda

July 21, 2010: The Dodd-Frank Act was passed by the US Congress (Pub L. 111-203)
October 2012: The CFTC and SEC issue joint final rules and interpretations that define a “swap” under the Commodity Exchange Act and a “security-based swap” under the Securities Exchange Act of 1934.
June 25, 2014: Cross-border Guidance on Security-based swaps transaction is released by the SEC
February 11, 2015: Reporting & Repository Rules Finalized
August 14, 2015: Registration Rules Finalized. Registration is to become effective 6 months after the last set of rules for Capital, Margin and Segregation, Business Conduct Standards or the recordkeeping and reporting have been published in the Federal Register.
February 10, 2016: Non-US Person defined
April 14, 2016: Business Conduct Standard Rules Finalized. This is the first of the rules that is required for registration but not the rule to trigger registration.
July 14, 2016: Additional rules for Securities-based Swap Reporting are finalized.

Principles and Objectives

Title VII of the Dodd-Frank Act (DFA) dealt with all OTC Derivatives, specifically, Swaps. The definition of a Swap was changed under the Dodd-Frank Act, effectively expanding the types of financial instruments to include all bilateral transactions except listed securities, loans and true spot transactions. The DFA mandated the CFTC and SEC to issue a set of Rules with which all parties transacting in swaps must comply.

While many of the SEC Rules have been finalized, there is a set of rules that are not yet final. Once they have been finalized, it will trigger a registration clock that will be approximately 6-7 months. Additionally, similar de minimis thresholds will be established for SEC Swap Dealer Registration.

The final rules that need to be completed have been outstanding and in various states of review for the past 18 months. With the recent change in the Executive Branch of the US Government, there was a freeze placed on all new regulations. All pending regulations, including the final SEC Swap rules, needed to go under a review. Currently there is indication that these rules will be finalized towards the end of 2018. That is approximately one year after the previously anticipated completion date.

There is talk coming from the regulatory agencies, specifically the CFTC and the SEC, to suggest that there might be more coordination of rules, which may have the effect of delaying the final rules further.


CFTC Swap Dealer


Continuing Changes to the new Dodd-Frank OTC Derivatives Rules for “Swaps”

Key Facts

• Law: Dodd-Frank Wall Street Reform and Consumer Protection Act (Pub L. 111-203, H.R. 4173)
• Sub-section: Title VII, Wall Street Transparency and Accountability
• Specific component: OTC Derivatives rules – SEC Swaps
• Effective date: Various, post 2013
• Scope: all swaps transactions globally
• Targeted products/ services: CFTC swaps

History & Agenda

July 21, 2010: The Dodd-Frank Act was passed by the US Congress (Pub L. 111-203).
October 2012: The CFTC and SEC issue joint final rules and interpretations that define a “swap” under the Commodity Exchange Act and a “security-based swap” under the Securities Exchange Act of 1934.
December 2013: By the end of 2013 the majority of financial institutions transacting in swaps in excess of the “de minimis” threshold have registered.
Summer 2014: The National Futures Association (NFA) kicked off their first wave of Examinations of Swap Dealers.
April 2018: NFA announced the change to a Risk Based approach to swap dealer examinations. A change from topical meant to now include all Dealers and All rules.

Principles and Objectives

Title VII of the Dodd-Frank Act (DFA) dealt with all OTC Derivatives, specifically, Swaps. The definition of a Swap was changed under the Dodd-Frank Act, effectively expanding the types of financial instruments to include all bilateral transactions except listed securities, loans and true spot transactions. The DFA mandated the CFTC and SEC to issue a set of Rules with which all parties transacting in swaps must comply.

The CFTC Rules were issued first and mandated certain entities engaging in specific swap activity that exceeds $3 billion (temporarily increased to $8 billion) to register with the CFTC as a Swap Dealer and comply with the CFTC’s Swap Dealer Rules.

Regardless of the requirement to register, all swaps activity is subject to the rules established under Title VII of the DFA.

Two main categories of CFTC swap requirements applicable:

Entity-level requirements, which apply to the registered SD entity as a whole; and
Transaction-level requirements, which apply to individual swap transactions when facing “U.S. persons” (and in certain cases, non-U.S. counterparties with U.S. guarantees or U.S. conduits)

Entity-Level Requirements
- Internal business conduct standards (e.g., risk management, recordkeeping, etc.)
- Swap data repository (SDR) reporting
- Capital adequacy
- Chief Compliance Officer
- Swap data recordkeeping
- Physical commodity swaps reporting (Large Trader Reporting)

Transaction-Level Requirements
- Sales practices (External business conduct standards)
- Trade execution (SEFs), Clearing and swap processing
- Margining and segregation for un-cleared swaps
- Swap trading relationship documentation
- Portfolio reconciliation and compression
- Real-time public reporting
- Daily trading records/Trade confirmation

Transaction-level requirements apply to all CFTC swap transactions with “U.S. persons” regardless of location of marketer and trader.

CFTC Swap Dealer


Continuing Changes to the new Dodd-Frank OTC Derivatives Rules for “Swaps”

Service Offering Around Ongoing Client Needs:


Sia Partners has put together a Team with significant experience in OTC Derivatives, CFTC & SEC
Rules and the current NFA examination process. Our global Swap Dealer program is aimed at
helping prospective and existing Swap Dealers with a multitude of OTC derivatives needs as they
relate to statutory and regulatory compliance. The program was specifically established in 2014 as
a response to clients’ needs to assess their level of compliance with the CFTC swap dealer rules.
As the industry has evolved, so have our service offerings.

We now provide the following Swap Dealer services to our clients:

Program Elements:
• Industry Best Practices
• Compliance Assessment
• NFA Exam Preparation and Regulator Expectation Management
• Remediation Execution and Management
• SEC Registration Preparation and Execution

Swap Dealer Tools:


As a part of our service offering, we have developed several tools that we utilize to achieve our
desired results and we continue to develop more tools to automate the review process.

In order to assess the level of compliance and the robustness of a client’s Swap Dealer program,
we have developed the “CFTC Rules Matrix” tool. The Matrix tool details the requirements for all
CFTC Swap Dealer Rules and allows us to map to the following elements:

The Matrix allows our clients to track with precision how they are complying with each requirement
of the rules. The additional tools being developed will allow our team to automatically evaluate
transactions for proper reporting requirements to the swap execution facility (SEF) and swap data
repository (SDR) and other transaction level testing necessary to prepare for an NFA examination
or SEC Swap Dealer registration.


CFTC Service Offering

Compliance Assessment

• Assist in Registration Preparation:
Prepare the SD for compliance with multiple substantive regulatory requirements and registrations including the 4s Attestation.
• Identify Applicable Rules:
Review SD activities to determine applicable rules and regulations across multiple jurisdictions.
• Policies and Procedure Review:
Evaluate Policies and Procedures to determine compliance with applicable rules and regulations.
• Process and Control Evaluation:
Conduct walkthroughs with key points of contact to document SD processes and identify controls.
• Compliance Gap Analysis:
Assess the compliance level of the Swap Dealer program, and identify any gaps in P&Ps, processes and controls against the rules, regulations and requirements.
• Design Gap Remediation Plan:
Provide recommendations for closing the gaps identified during the assessment.
• Independent Review/Audit:
as required by Rule 23.600(d), 23.600(e), 23.601(h) and 23.603(g).

Regulatory Examinations

• Exam Overview:
Providing guidance on how clients should prepare the firm upon onsite regulatory exam.
• Exam Interview Preparation:
Prepare staff for exam interviews through mock examinations.
• Document Request Handling:
Provide guidance on documents and responses to the examiners’ requests; including detailed preparation work to identify inefficiencies and areas where remediation may exist for recordkeeping.
• Testing Methodology:
Conduct mock testing of key controls, systems and reports using examiners’ and standard audit testing methodology and guidelines.
• Exam Report Management:
Provide guidance on how to handle exam findings and control deficiencies detailed in a Final Report.

Remediation

• Strategic Remediation Plan:
Assist with designing a timely strategic remediation plan in response to the final examination report. Identify tactical/strategic solutions and determine required resources and target dates for completion.
• Policy and Procedure:
Provide guidance on updating the policies and procedures to ensure compliance.
• Process and Control:
Address weaknesses in internal controls and processes identified in a Final Report, if any.
• Remediation Documentation:
Assist with the production of documentation to satisfy the remediation efforts for distribution to the examiners necessary to close findings.
• Training and Compliance Culture:
Provide “three lines of defense” training for staff on swap dealer requirements. Improve the compliance culture of the firm and overall swap dealer governance.


Consolidated Audit Trail

Securities and Exchange Commission’s comprehensive Consolidated Audit Trail (CAT)

Key Facts

• Pronouncement: Consolidated Audit Trail National Market System
• Codification: SEC Rule 613, adopted July 2012
• Approval date: November 15, 2016 (Final Rules Approved by SEC)

Timeline

November 15, 2016: Final CAT NMS Plan Approved and becomes effective
January 17, 2017: Thesys Technologies selected as the CAT Plan Processor.
November 15, 2017: SROs begin reporting to the CAT processor. CAT processor publishes technical specifications on order life cycle submission protocol
May 15, 2018: CAT Processor publishes technical specifications on customer information submission protocol.
November 15, 2018: Large Broker/Dealers must begin reporting to the CAT processor
November 15, 2019: Small Broker/Dealers must begin reporting to the CAT processor

Principles and Objectives

CAT was created in response to the “flash crash” in 2010 in addition to a few other similar events. It is intended to enable Regulators to monitor, analyze and investigate trading activities in NMS securities and OTC equities.

There are three components to the CAT process: CAT Reporters, CAT Processor and Regulators/SROs. The CAT Reporters consist of the national exchanges, FINRA, broker/dealers and SIPs, which submit Order and Trade lifecycle data on a daily basis to the CAT Processor (Thesys).

The CAT Processor, Thesys Technologies, collects and maintains the data collected. The CAT Processor will, when requested by the Regulators/SROs, make it available to them. In addition to the collection and maintenance of the data, the CAT Processor is expected to evaluate the data quality, index the data creating linkages where possible and have the data ready for review by the Regulators and/or SROs within 5 days post trade date.

Key Challenges
Likely areas where CAT Reporters will need to focus to get ready


Stock T+2
Shortening the Stock Settlement Cycle to T+2

Key Facts

• Title: Shortening the Stock Settlement Cycle to T+2.
• Date of Release: 30 June 2016 - Final Report of the Working Group on Shortening Stock Settlement Cycle in the Japanese Market
• Effective date: Consecutive holidays on April or May 2019
• Scope: Japanese Stock
• Targeted products/services:
Stock Outright, Stock Lending and Borrowing, Tokuyaku, Stock Option, Convertible bonds
• Regulation topics:
Shortening of the settlement cycle
Straight through process (STP), system automation, practices standardization
• Related regulations:
Working Group on Shortening on Stock Settlement Cycle, “Working Group on Shortening on Stock Settlement Cycle – Final Report” June 30 2016

History and Agenda

April or May 2019: Migration to Stock T+2
Q4 2018: Stock T+2 comprehensive test
June 2016: JSDA releases its final report on the stock settlement cycle shortening
July 2015: JSDA establishes the working group on shortening the stock settlement cycle
March 2015: JSDA holds the study session of the stock settlement cycle shortening

Principles and Objectives


Following Lehman Brothers’ 2008 financial crisis, the Japan Securities Dealers Association (JSDA) established the working group to focus on shortening the stock settlement cycle (WG) in July 2015.

The aims of shortening the stock settlement cycle to T+2 are to:
- reduce settlement risks
- enhance the liquidity, stability, and efficiency of the JGB market and the money market
- bolster competitiveness among global markets

The Final Report proposes to revise the operational framework and to develop market infrastructures for T+2 implementation in Q2 of 2019.


Advantages and Disadvantages

Advantages

• Reduction of settlement risk such as liquidity risk and reconstruction cost risk at the time of failure by reduction of outstanding balance due to T + 2
• Improve liquidity with further utilization of securities and funds
• Reduction of collateral by reduction of stock clearing fund requirement
• Further streamlining of settlement affairs as a whole financial industry
• Maintain and improve international competitiveness by introducing payment system according to international standard

Disadvantages

• Increase possibility of failure by tightening of post-trade processing due to T + 2
• Increase of operational risk by tightening of post-trade processing due to T + 2
• Increase in cost of market participants due to system investment and reorganization of internal organization accompanying T + 2

Target schedule for T+2 Implementation for Stock


[Figure: schedule chart covering Q4 2015 to Q4 2019. Rows: External environment (T+2 Implementation in US, Sept 5th, 2017; JGB T+1 implementation, May 1st, 2018); T+2 WG / Sub-WG, etc.; Publication, etc. of Study at WG, etc. (Publish WG Interim Report, Publish WG Final Report, Set Scheduled Implementation Date, Notify related Organizations including overseas organizations, Implementation Judgement); Infrastructures / Related Organizations (Establish Outlines, Rules / Guidelines; Draft Running Test Plan; Develop System Specifies; Implement Comprehensive Running Test); Market Participants (System Development, Build Internal Structure). Target Schedule for T+2 Implementation: as early as possible in 2019 (Candidates: first business day after consecutive non-business days in April or May, 2019).]


Conduct Risk
Importance of Conduct

Definition

• Conduct refers to the behaviour and integrity of financial services firms towards their clients, counterparties and other participants in the financial markets. Conduct risk is the risk of a company’s or its personnel’s activities having an unfavourable impact on clients or customers, or negatively impacting overall market stability and fairness.

Importance of Business Conduct

• Since the financial crisis in 2008-2009, banks and other financial institutions have been facing financial and reputational challenges. One of the key factors of failure has been maintaining an effective conduct and risk culture throughout firms.
• Although business or market conduct is not a new topic, the focus by regulators in Asia-Pacific has historically been limited. This is changing, with local regulators intensifying their focus and actively developing local, more specific regulations and guidelines that can be enforced, or whose breaches can be detected, more easily. Regulators and market-wide bodies have launched a series of new regimes such as the senior manager regime in the UK, the manager-in-charge regime in HK or the FX Global Code by central banks around the globe.
• Conduct risk has become a priority for various market players, as misconduct can have a massive impact on an organization, not just through monetary fines as seen over the last couple of years but also through massive reputational damage, which will often be long-lasting and can depress revenues for years to come, the potential risk of increased capital costs, and continuously increasing peer pressure.
• Although still quite fragmented across jurisdictions, various regulatory authorities are establishing more holistic frameworks for business conduct, following globally recommended standards and becoming less lax in regard to enforcement.

Examples of Misconduct

• Between 2012-2016, the world’s leading 20 banks were hit by conduct charges of a whopping $350 billion globally¹. Below are some of the most recent, top ticket events that took place in the second half of 2017:
  - Credit Suisse fined $135m by NYDFS for failing to implement effective forex controls [RiskNet, Dec 2017]
  - U.S. fines HSBC $175 million for lax forex trading oversight [Reuters, Sep 2017]
  - BNP Paribas Fined $246 Million Over Currency Manipulation [Bloomberg, Jul 2017]

State of Regulations and Guidelines Globally

Selection of recent conduct developments across US, EU & Asia since 2016

For each jurisdiction, the numbered timelines refer to the regulations / guidelines in the order listed.

GLOBAL
Regulations / Guidelines:
• GFXC/BIS – FX Global Code [Guideline]
• FSB – Principles for Sound Compensation Practices [Guideline]
Timelines: 1) Launched 2017, adoption by mid-2018; 2) In consultation (new edition)

US
Regulations / Guidelines:
• FRB – Proposed Guidance on Supervisory Expectation for Boards of Directors [Guideline]
Timelines: 1) In consultation

EU
Regulations / Guidelines:
• ESMA – MADII/MAR - Market Abuse Directive & Regulation [Regulation] (insider dealing, disclosure of inside information and market manipulation)
• ESMA - MiFID/MiFIR [Regulation] (Role of board members in compliance, risk management and internal audit to be strengthened)
• ESMA – Benchmarks Regulation (BMR) [Regulation] (process governance & control, consumer protection)
Timelines: 1) Launched 2016; 2) Launched 2018; 3) Launched 2018

UK
Regulations / Guidelines:
• FCA/PRA – Senior Manager Regime [Regulation]
• FCA – Consultation on extending the Senior Management Regime to all financial services firms [Regulation]
Timelines: 1) Launched 2016; 2) In consultation

HONG KONG
Regulations / Guidelines:
• SFC – Manager-In-Charge Regime [Regulation]
• SFC – Code of Conduct for Persons Licensed or Registered with the SFC [Guideline] (fairness, conflict of interest, senior management responsibility)
• SFC – Conduct requirements to address risks posed by group affiliates [Regulation]
• SFC/HKMA – Circular on Managing Conflicts of Interest in Financial Groups [Guideline]
• HKMA – Circular related to Bank Culture Reform [Guideline]
• HKMA – Circular on Management Accountability at Registered Institutions [Guideline]
Timelines: 1) Launched 2017; 2) Launched 2017 (new edition); 3) In consultation; 4) Launched 2017; 5) Launched 2017; 6) Launched 2017

SINGAPORE
Regulations / Guidelines:
• MAS – Guidelines for Conduct of Business for Execution-Related Advice [Regulation based Guidelines]
• MAS – Guidelines on Standards of Conduct for Marketing and Distribution Activities by Financial Institutions [Guideline]
• MAS – Consultation on Recommendations of the Corporate Governance Council [Guideline]
Timelines: 1) Launched 2017; 2) Launched 2016; 3) In consultation

THAILAND
Regulations / Guidelines:
• SEC – Corporate Governance Code [Guideline] (board leadership & effectiveness; risk management & internal controls; stakeholder relationship & communication)
• SEC – Disclosure of Corporate Governance Code Compliance Listed Companies [Regulation, in consultation]
• SEC – Investment Governance Code for Institutional Investors [Guideline]
• BoT – Regulation on Market Conduct [Regulation] (fair services & fees; customer rights protection)
Timelines: 1) Launched 2017; 2) In consultation; 3) Launched 2017; 4) Expected in 2018

MALAYSIA
Regulations / Guidelines:
• SCM – Malaysian Code of Corporate Governance [Guideline] (key principles: board leadership & effectiveness; effective audit, risk management & internal controls; corporate reporting & stakeholder relationship)
Timelines: 1) Launched 2017 (new edition)


State of regulations and guidelines for a selection of five core business conduct principles as identified by Sia Partners across countries¹:

CORE PRINCIPLES²                                        US   EU   UK   Hong Kong   Singapore   Thailand   Malaysia
Board / Senior Management Leadership & Accountability   ✓    ✓    ✓    ✓           ✓           ✓          ✓
Fair Treatment of Clients                               ✓    ✓    ✓    ✓           ✓           ✓          ✓
Remuneration & Incentive Structure                      ✓    ✓    ✓    ✓           ✓           ✗          ✓
Conflict of Interest                                    ✓    ✓    ✓    ✓           ✗ ³         ✓          ✓
Product Suitability                                     ✓    ✓    ✓    ✓           ✓           ✗          ✓

✗ No or limited availability of Guidelines / Regulation
✓ Key Guidelines / Regulation available

1 The countries identified Selection of recent conduct developments across US, EU & Asia since 2016
2 The Core Principles of Business Conduct are a selection of possible principles as identified and determined by Sia Partners
3 Limited coverage through Guidelines on Addressing Conflicts of Interest Arising from Research Analysis or Reports

Common Requirements & Operational Impacts

Topic: Governance & Organization

Requirement Description:
• Ensure effective governance structures and mechanisms are put in place that enable appropriate oversight, supervision and controls
• Ensure clear roles, responsibilities, accountabilities and appropriate and transparent reporting lines
• Ensure conduct supporting remuneration structures

Impacts:
• Define and map out clear roles & responsibilities and appropriate reporting lines, define accountability for dual reporting lines or where superiors are located outside the respective jurisdiction / location and ensure escalation procedures to be in place
• Establish conduct risk related forums to review and discuss issues and decide on business appropriate processes
• Establish a strategic balanced scorecard and define key KPIs/KRIs

Topic: Processes

Requirement Description:
• Ensure competency in place for identified individuals to handle role and responsibilities assigned
• Ensure governance policies and procedures in line with regulatory requirements and guidelines are in place outlining target outcome and behavior for each use cases and describe the level of tolerance

Impacts:
• Trainings and certifications to be established and executed for identified individuals in order to ensure proper competency
• Definition of minimum standards and level of risk tolerance or appetite and clear communication of these
• Enhance policies and procedures, define responses to improper practices, communicate changes and train people on new procedures across all impacted functions

Topic: Technology

Requirement Description:
• Establish systems that can provide consistent, accurate and reliable data that is readily available across functions

Impacts:
• Define clear golden sources for data sourcing, ensure data quality in order to ensure accurate and reliable data that is readily available
• Identify, select and leverage innovative new technologies (e.g. Advanced Analytics, AI, Cloud Computing) to streamline accountability systems, identify & manage conflicts, automate monitoring and surveillance

Topic: Controls

Requirement Description:
• Ensure effective frameworks for risk & control management are put in place
• Ensure adequate management information systems (MIS), dashboards and reports are put in place in order to effectively monitor compliance
• Ensure ongoing compliance for processes established

Impacts:
• Establish procedures to perform frequent reviews and updates of policies, procedures, reports and system functionality
• Establish reports/MIS/dashboards that are concise, timely, accurate, forward-looking and prioritized on a risk basis
• Establish pre-emptive monitoring and surveillance processes and functions


Manager-in-Charge Regime
Augmenting Senior Management Accountability for Licensed Corporations

Key Facts

• Title: Manager-in-Charge (MIC) Regime
• Date of Release: 16 December 2016
• Effective Date: 18 April 2017 – 6 months transitional period ended 16 October 2017
• Scope:
All licensed corporations in Hong Kong excluding corporations licensed under section 117(1) of the Securities and Futures Ordinance (SFO).
• Regulatory measures:
- Meaning of senior management
- A standardised format for information submission in respect of management structures
- Alignment with the existing regime governing responsible officers (ROs)
- Corporate governance of licensed corporations
• Related regulations:
- General Principle 9 and Paragraph 14.1 of the Code of Conduct for Persons Licensed by or Registered with the SFO
- The Internal Control Guidelines issued by the SFC
- The Guideline on Anti-Money Laundering and Counter-Terrorist Financing

History & Agenda

16th October 2017: Deadline for existing MICs of the overall management oversight and key business line functions, who are currently not ROs, to submit applications as ROs.
17th July 2017: Submission deadline of MIC information and organisational charts by all existing licensed corporations.
18th April 2017: MIC regime commenced operation.
Since February 2017: The SFC conducted industry workshops to explain MIC measures and new features of the SFC Online Portal for submitting MIC information.
16th December 2016: The SFC issued a circular to introduce the MIC regime.

Principles and Objectives


The MIC regime took effect on 18 April 2017. Under the regime, MICs of overall management oversight and key business line functions are expected to apply for RO status with the SFC. In addition, all existing licensed corporations are required to provide up-to-date MIC information and organisational charts to the SFC.

The regulatory regime aims to provide clarity on the accountability, the regulatory obligations and the potential liabilities for senior management of licensed corporations. The SFC may impose disciplinary sanctions on a regulated person if the person is found guilty of misconduct or is considered as not fit and proper.


Major requirements and operational impacts 1/3

Topic: Meaning of “Senior Management”

Descriptions:
• Senior Management of a licensed corporation includes:
- Directors;
- ROs; and
- Individuals who are MIC of Core Functions
• the Core Functions include:
- Overall management oversight
- Key business line (business activities constitute one or more types of regulated activities)
- Operational control and review
- Risk management
- Finance and accounting
- Information technology
- Compliance
- Anti-money laundering and counter-terrorist financing

Operational Impacts:
A licensed corporation is required to appoint at least one MIC for each Core Function.
When appointing a MIC, the licensed corporation should take into account the actual authority and the seniority of the individual in relation to that specific Core Function.

Topic: ‘Fit and Proper’ Person; Knowledge and Experience

Descriptions:
• Each director, RO and MIC must be a ‘Fit and Proper’ person.
• The MIC can be located in or outside of Hong Kong and it is not necessarily to be an employee of the licensed corporation. However, the MIC should hold a position of authority within the corporation and be properly accountable to the dedicated functions.
• A licensed corporation should possess formal documentation with board approval on the organisational structure, including roles, responsibility and reporting lines to ensure that the accountability of each MIC is clearly defined.

Operational Impacts:
Hiring of directors and senior management should be planned ahead.
The candidates’ knowledge, experience and reputation should be considered during the recruitment process.
The licensed corporation should provide appropriate and structured training programmes to ensure the senior management acquired the relevant skillsets and practical experiences.


Major requirements and operational impacts 2/3

Topic: Legal liabilities of senior management

Descriptions:
• the SFC may impose disciplinary sanctions, including but not limited to a fine, revocation or suspension of the licence / approval to be an RO and reprimand a regulated person (whether or not it is a licensed person) if he/she is considered not fit and proper or guilty of misconduct in the management of the business.

Operational Impacts:
Policies and procedures should be updated / in place to reflect the MIC regime.

Topic: Alignment with the RO regime

Descriptions:
• the MICs of the Overall Management Oversight and the Key Business Line Functions are expected to obtain SFC’s approval as ROs, due to the active participation and the supervision of the regulated activities.
• Exemptions may be available to an individual if he/she has sufficient industry experience, holding a very senior management position and has regulatory support from other personnel.

Operational Impacts:
Review existing management structures and apply RO status for the management personnel concerned.
Control measures should be in place to ensure the MIC concerned is fit and proper.

Topic: Roles and responsibilities of the Board

Descriptions:
• the Board members have the ultimate responsibility for the delegated decisions and should ensure that sound systems and controls are in place to supervise those who are accountable to the Board.

Operational Impacts:
The Board members should work with senior management to efficiently run the organisation.
The management structure should be approved by the Board and the Board should ensure MICs acknowledge the appointment as MICs of the particular Core Function.


Major requirements and operational impacts 3/3

Topic: Submission of management structure information

Descriptions:
• a licensed corporation is required to submit an organisational chart and MIC information to facilitate SFC’s assessment during the licence application process.
• an up-to-date organisational chart should depict:
- the management and the governance structure;
- the business and the operational units; and
- the reporting lines of the key human resources
• the MIC information should include the following particulars:
- Full name;
- Identification information;
- Job title;
- Place of residence;
- the relevant Core Functions that the MIC is responsible for; and
- Job titles of the person to whom the MIC reports to

Operational Impacts:
The licensed corporation should maintain proper documentation of the management structure and board approval on the appointment of all MICs.
A compliance process should be in place to monitor any changes in the appointment or particulars of the MICs and to notify such changes to the SFC within 7 business days.


SVF Licensing
Regulatory Regime for Stored Value Facilities in Hong Kong

Key Facts

• Title: SVF (Stored Value Facilities) Licensing.
• Date of Release: 13 November 2015 – one year transitional period.
• Effective date: 13 November 2016.
• Scope:
A person or firm that is operating a SVF business or intending to launch new SVF business within the next twelve months.
Not applicable to licensed banks in Hong Kong.
• Targeted products/services: All SVF products.
• Regulation topics:
- Principal Business
- Financial Resources
- ‘Fit and Proper’ Person; Knowledge and Experience
- Prudential and Risk Management
- Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT) Measures
- Management of Float and SVF Deposit
- Redemption of Outstanding Stored Value
- Operating Rules
• Related regulations:
Payment Systems and Stored Value Facilities Ordinance (PSSVFO)

Timeline

November 2016: PSSVFO came into force.
November 2015: PSSVFO commenced operation.
November 2015: The Legislative Council passed the Clearing and Settlement Systems (Amendment) Bill 2015.
May 2013: Public consultation paper is issued to consult the public and industry stakeholders for the proposed regulatory regime for SVF.
November 2004: The Clearing and Settlement System Ordinance (CSSO) came into effect.
January 1997: The Banking Ordinance was amended to introduce a legal framework to regulate issues around multi-purpose stored value cards.

Principles and Objectives

The Payment Systems and Stored Value Facilities Ordinance (PSSVFO) took effect on 13 November 2015 with a one-year transitional period for existing and new issuers of SVFs to apply for a license from the Hong Kong Monetary Authority (HKMA). From 13 November 2016 onwards, it will be illegal for any issuers, unless exempted by HKMA, to issue or operate any stored value facilities without a license.

The regulatory regime aims to ensure the safety and soundness of SVFs operating in Hong Kong and adequate protection of the float. Prior to this ordinance, the regulatory regime only applied to device-based multi-purpose stored value products under the banking ordinance (BO) and to large-value clearing and settlement systems designated by HKMA under the Clearing and Settlement System Ordinance (CSSO). However, the regulatory regime under BO or CSSO did not cover a range of non-device based payment facilities.


Major requirements and operational impacts 1/3

Topic: Principal Business

Descriptions:
• In general, the applicant should not engage in any SVF-related business unless the conduct of such business is necessary for the operation of the SVF business and therefore requires to obtain an SVF license.
• The licensee may provide remittance and/or money changing services as an ancillary or incidental services to its principal business.

Operational Impacts:
The applicant may need to setup a separate legal entity for conducting SVF business.

Topic: Financial Resources

Descriptions:
• The applicant must have a paid-up share capital not less than HK$25 million or an equivalent amount in another currency that is freely convertible into HK dollar, or is approved by HKMA.
• HK$25 million is a minimum paid-up share capital requirement. HKMA may apply a higher level of capital requirement after considering the applicant’s risk profile, the size of the float, the number of user accounts and the complexity of the SVF business.

Operational Impacts:
The applicant may need to work with their Legal Counsel and External Auditor relating to their paid-up share capital.

Topic: ‘Fit and Proper’ Person; Knowledge and Experience

Descriptions:
• Each chief executive, director and controller of the applicant must be a fit and proper person.
• The applicant must have in place adequate systems and controls to ensure that HKMA is regularly updated on changes of chief executive, director and controller and consent from HKMA is received prior to their official appointment/s.
• The applicant must have in place adequate systems and controls to ensure that each manager of the applicant is a fit and proper person to hold the position concerned.
• The senior management team and the key personnel responsible for financial management, control and risk management functions, compliance and internal audit of the applicant should be based in Hong Kong.

Operational Impacts:
Hiring of directors and senior management should be planned ahead.
The candidates’ knowledge and experience, reputation, criminal record and location should be considered.


Major requirements and operational impacts 2/3

Prudential and Risk Management
Descriptions:
• The applicant must have in place appropriate risk management policies and procedures for managing risks arising from the operation of its SVF business in proportion to the scale and complexity of the business.
• Adequate security and internal controls should be in place to protect its system and data. Effective controls should be in place to safeguard against cyber-threats, detected fraud and attempted fraud.
• Robust and proven contingency arrangements should be in place to address any operational disruptions and major disasters.
Operational Impacts:
• Risk management framework should be established.
• Policies related to technology risk management, payment security management and business continuity management should be in place.

AML/CFT Measures
Descriptions:
• The applicant must have adequate and appropriate systems and controls in place for preventing or combating potential money laundering or terrorist financing (ML/TF) to ensure compliance with AMLO and other regulatory requirements from HKMA.
Operational Impacts:
• AML and CFT policy and procedure should be established.
• Risk assessment on ML and TF for the SVF business should be regularly performed.

Management of Float and SVF Deposit
Descriptions:
• Adequate risk management policies and procedures for managing the float and SVF deposit should be in place to ensure that there will always be sufficient funds for the redemption of the stored value that remains on the facility.
• Float and SVF deposit should be kept separate from any other funds paid to or maintained or received by the applicant.
• Adequate float safeguarding measures and related risk management policies and procedures should be in place to ensure that the float and SVF deposit are adequately protected.
Operational Impacts:
• Risk management policy and procedure for float and SVF deposit should be established.
• Custodian banking arrangement to separate float and SVF deposit from the other funds must be established.
• Declaration of trust should be obtained from legal counsel.


Major requirements and operational impacts 3/3

Redemption of Outstanding Stored Value
Descriptions:
• The applicant must redeem in full the total of the stored value that remains on the facility as soon as practicable after being requested by the user to do so.
• The applicant should provide users with easy access to redeem outstanding stored value.
• The applicant must state clearly in the contract with the user the amount of fees or charges. HKMA expects that such fees and charges should be proportionate and in line with the costs actually incurred by the applicant.
Operational Impacts:
• A contract with terms and conditions between the applicant and the user must be in place.

Operating Rules
Descriptions:
• The operating rules of the SVF scheme must be prudent and sound.
• The operating rules should be properly documented, clear, understandable, comprehensive, up-to-date and available to all related parties.
• The operating rules have a well-founded legal basis consistent with relevant laws and regulations that are enforceable and provide a high degree of certainty for each material aspect of the SVF scheme.
• The operating rules should cover the complete chain of an SVF’s operation including account opening, pre-transaction and authorization to clearing and settlement and post-transaction processes.
• The applicant should ensure that adequate arrangements are in place to monitor and enforce compliance with the operating rules of the SVF scheme.
Operational Impacts:
• Operating rules covering end-to-end SVF business process should be in place.
• Operating procedures with custodian bank, business exit plan and complaint handling procedures should be covered in the operating rules.


Virtual Banking Licensing


Authorization of Virtual Banking in Hong Kong

Key Facts

• Title: Authorization of Virtual Banking
• Publication date: May 2018
• Scope: Any entity that would like to conduct banking business in Hong Kong
• Targeted products/Services: Retail Banking Products
• Regulatory topics:
  - Principal Business
  - Financial Resources
  - ‘Fit and Proper’ Person; Knowledge and Experience
  - Prudential and Risk Management
  - Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT) Measures
  - Deposit Protection Scheme
• Related regulations: Guideline on Authorization of Virtual Banks under section 16(10) of the Banking Ordinance by HKMA

History and Agenda

• August 2018: The HKMA has received a total of 29 applications for the first batch of applications.
• May 2018: HKMA to issue the revised guideline which will supersede the version first issued on 5 May 2000 and subsequently updated on 21 September 2012.
• March 2018: Public consultation deadline for the revised Guideline on Authorization of Virtual Banking.
• 2017: The establishment of virtual banks was one of the 7 HKMA initiatives to prepare Hong Kong into a New Era of Smart Banking.
• 2000-2017: Only 1 licensed bank transformed its original business model to a business model similar to a virtual bank, but later on ceased such adoption. No other new banking license applicants involved in virtual banking.
• 22 July 2014: The HKMA issued the first Guideline on Authorization of Virtual Banks during the dot-com euphoria. The HKMA did not object to the establishment of virtual banks in Hong Kong.

Principles and Objectives

Guideline on Authorization of Virtual Banks is issued under section 16(10) of the Banking Ordinance (the Ordinance). It sets out the principles which the Hong Kong Monetary Authority (HKMA) will take into account in deciding whether to authorize “virtual banks” applying to conduct banking business in Hong Kong. A “virtual bank” is defined as a bank which delivers retail banking services primarily, if not entirely, through the internet or other forms of electronic channels instead of physical branches.

The development of virtual banks will promote the application of financial technology and innovation in Hong Kong and offer a new kind of customer experience. In addition, virtual banks can help promote financial inclusion as they normally target the retail segment, including the small and medium-sized enterprises (SMEs). For a company applying to set up a virtual bank (virtual bank applicant), fulfilment of the minimum criteria essentially means that it must have substance and cannot simply be a “concept”, taking advantage of the popularity of new technology. The applicant must have a concrete and credible business plan setting out how it intends to conduct its business and how it proposes to comply with the authorization criteria on an ongoing basis.


Key pass criteria in the “Revised Guideline on Authorization of Virtual Banks”

General principle
• Promote financial inclusion with retail segment including SMEs as the main target customers [New]
• Must satisfy the minimum criteria for authorization in the Seventh Schedule to the Banking Ordinance (Appendix C)
• No minimum account balance requirement or low-balance fees should be imposed on customers [New]
• Senior management should be “fit and proper”

Physical presence
• Must maintain a physical presence in Hong Kong to provide a point of contact with the HKMA and customers
• Physical branches are not expected
• Maintain record keeping on books, accounts and transactions in Hong Kong

Ongoing supervision [New]
• Virtual banks are subject to the same set of supervisory requirements as conventional banks
• Board of directors and senior management to possess requisite knowledge on the technology-driven business model

Ownership
• The virtual bank must be locally-incorporated [New]
• The immediate holding company which has >50% ownership of the virtual banking applicant should be incorporated in Hong Kong
• Ensure a strong parent to provide managerial, financial and technology support to virtual banks

Risk management
• Appropriate measures to identify, measure, monitor and control risks (i.e. credit, interest rate, market, liquidity, operational, reputation, legal and strategic risks must be assessed at a minimum)

Business plan
• A credible and viable business plan to strike a balance between business growth and the need to earn a reasonable return on assets and equity
• Virtual banks should not pursue an aggressive business strategy at the expense of their systems and risk management capability

Customer protection
• Adhere to the Treat Customers Fairly Charter
• Terms and conditions must be fair on the rights and obligations between the bank and customers
• Highlight the losses from security breaches, system failure or human error to be borne by the bank and customers

Technology risk
• Security and technology related controls should be in place and “fit for purpose”
• Submit an independent assessment report on computer hardware, systems, security procedures and controls to the HKMA
• Establish procedures for regular review of security and technology arrangements

Capital requirement
• Business capital amount should be commensurate with the nature of the virtual banking operations (minimum HK$300 million share capital)

Outsourcing
• Discuss in advance with the HKMA for any material outsourcing plans
• Security control, confidentiality and integrity of customer information should not be compromised

Exit plan [New]
• Submit an exit plan to ensure that the virtual bank can unwind its business operations without disrupting the financial system and customers


Key Elements for Setting Up a Licensed Bank in Hong Kong

[Figure: key elements of a licensed bank: Bank’s Corporate Governance, Organization & People, Risk Management & Policies, Processes & Controls, IT Infrastructure & Systems, HKMA Regulatory Returns]


• Corporate Governance: Set up a corporate governance structure and framework to ensure the proper allocation of authority and responsibilities by which the business and affairs of a bank are carried out by its board and senior management.

• Organization & People: Set up a target organization structure to fulfil the MA’s requirements and the business need. In addition, it is important to appoint people with the right qualifications and relevant experience to the “Chief Executive”, “ACE”, “Directors” and “Manager” positions.

• Risk Management & Policies: Establish a robust risk management framework covering market risk, credit risk, liquidity risk, interest rate risk, operational risk and technology risk etc., and set up a set of policies to meet the MA’s requirements including Anti-money laundering, Risk management, IT, HR etc.

• Processes & Controls: Define a target operational model and a robust processing workflow for each business line and function, and ensure that adequate internal controls are in place.

• IT Infrastructure & Systems: Define a target IT infrastructure setup, select and implement the core systems, such as the Core banking system and Accounting system, in addition to the establishment of the business continuity plan, IT controls and cybersecurity etc.

• HKMA Regulatory Returns: The MA has powers to collect prudential data from authorized institutions on a regular or ad hoc basis. The bank needs to understand the requirement of each return and implement the tool & process to obtain the accurate and complete data and transactions for completing the returns.


Open Application Programming Interfaces (Open API)


HKMA Smart Banking Initiatives

Key Facts

• Title: Open Application Programming Interfaces (Open API)
• End of Consultation Period: 15 March 2018
• Expected Timeline:
• Scope: HKMA Open API Framework consists of 5 pillars:
  - Selection of Open API
  - Architecture, Security & Data Standards
  - Third Party Service Provider (TSP) Certification
  - Open API Facilitation
  - Open API Maintenance
• Targeted products/services: Retail Banking & Wealth Management
• Regulation topics: New era of Smart Banking, press release on 29 Sep 2017

History and Agenda

• Q4 2018: Announcement of timeline of Account Information (Phase 3) & Transactions (Phase 4)
• 12 months after release of framework: New Application for Product / Service (Phase 2)
• 6 months after release of framework: Product & Service Information (Phase 1)
• 15 March 2018: End of Consultation Period
• 11 January 2018: HKMA release consultation paper on Open API
• October 2017: Workshop discussions for banking representatives with HKMA
• 29 September 2017: Open API is confirmed as one of the 7 initiatives in HKMA Strategies of “New Era of Smart Banking”
• 15 August 2017: Workshop between banking representatives & technology firms for knowledge sharing
• July 2017: 20 retail banks & 3 foreign banks were invited to start working with HKMA on formulating the framework

Principles and Objectives

HKMA released the consultation of Open API on 11 Jan 2018, which aims to widely adopt and achieve standardization of Open API across banking sectors. An API is an interface between software applications that enables communication among them. Open API therefore allows TSPs to access banks’ products and services via standardized APIs. Such APIs must be secure, efficient, controlled and cost effective. HKMA aims to facilitate Open API in the banking industry by taking a role of leadership and guidance. Open API policy is one of the seven initiatives of HKMA strategies of “New era of Smart Banking”, with the following objectives:
• Ensure the competitiveness of the banking sector
• Encourage more services to improve customer experience
• Keep up with world wide development


• The Open API framework was formulated with representatives of 20 retail banks & 3 foreign banks, invited by HKMA in July 2017. It also underwent workshops with the information & communication technologies (ICT) industry on knowledge & experience sharing, to design the customized roadmap & approaches for Hong Kong.
• During the framework outlining period, examples of Open API development worldwide, including the UK, EU, Singapore & Japan, were referenced. The pros & cons of the implementation approach of each of these countries were analysed to identify the risk-based principles for Hong Kong development.
• Five Pillars were identified for Hong Kong.

Five Pillars of Open API

Selection of Open API
• 4 phases, with review and fine adjustment between phases
• Leverage between standardized approach vs. industry-led approach
• Initially only high level Open API framework is defined
• Convergence of standardized Open API will be driven by market

Architecture, Security & Data Standard
• Architecture & security standards have general consensus from Japan, Singapore & UK. HK is recommended to follow
• Data has no general consensus. Banks are allowed to define their own data standard with published definition

TSP Certification
• Bilateral approach vs Central Entity approach
• Short term on risk-based Bilateral approach
• Long term on Central Entity approach
• HKMA may develop a set of risk-based common baseline criteria

Open API Facilitation
• Dashboard of Open APIs from all banks is listed under the Data Studio of Hong Kong Science & Technology Park
• Banks should publish Open API specification
• Banks should provide sample code & sandbox to assist TSP using their own Open APIs

Open API Maintenance
• Hong Kong Association of Banks (HKAB) set up a workgroup
• Set up a roadmap to establish a centralised entity for Open API on-going review & maintenance
• Interoperability is the long term goal


Key Challenges for Banks to adopt Open API

Win-Win Market Strategies with TSP
• Specific bilateral agreement with each TSP
• Improve customer experience
• Cross-selling market strategies
• Message Ref ID
• Synergies exploitation with TSP
• Unique integrated / packaged products

Information Technology Readiness
• Open API technology standards
• Interoperability of API interface to core banking systems
• Capability of bank’s internal legacy systems
• Efficient system processing / responsive time
• Extendibility of Open APIs

Agile Responsiveness & Time-To-Change
• Responsive to market changes
• Responsive to TSP condition changes
• Shortest time to implement the changes on systems / Operations
• Responsive to technology changes
• Responsive to regulatory changes
• Efficiency & accuracy to make change decisions

Staff Awareness & Expertise
• Internal staff motivation
• Talents acquisition
• Staff technical knowledge on Open API
• Profound staff trainings
• Sufficient human resources

Management Governance & Top-Down Staff Incentive Alignment
• C-suite management buy-in
• FinTech culture cultivation
• Appropriate TOM model
• Budgeting
• Top-down incentive alignment
• Governance committee
• Short- / Long-term Roadmap


World Wide Open API Development

Jurisdictions compared: UK, EU, Singapore, Japan

Timeline
• UK: Mar 2017 (Phase 1), Jan 2018 (Phase 2)
• EU: Jan 2018
• Singapore: Nov 2016
• Japan: Mid of 2022

Scope
• UK: Product / Service / Account Information: Mar 2017; Payment Service: Jan 2018
• EU: Online Account / Payment Services
• Singapore: 411 APIs including product, marketing, sales, serving, payments and regulatory
• Japan: Deposit account information enquiries & interbank transfers

Regulatory Guideline
• UK: Competition & Markets Authority (CMA) mandate
• EU: European Union’s payment services directive 2015/2366 (PSD2)
• Singapore: MAS: “Finance-as-a-Service: API Playbook” (Playbook)
• Japan: Japanese Banking Act

Implementation Entity
• UK: Central Implementation Entities
• EU: Banks & Other Payment Service Providers
• Singapore: Financial Institutions are voluntary to implement the Playbook
• Japan: Banks & TSP

Approach of Open API Selection
• UK: Standardized Approach
• EU: Industry-Led Approach
• Singapore: Standardized Approach
• Japan: Industry-Led Approach

Architecture, Security & Data Standard
• UK: Developed by Central Entity
• EU: Developed by banks / payment service providers
• Singapore: Specified Architecture & Security Standard, and Data Standard for some APIs
• Japan: Specified Architecture & Security Standard

Implementation of TSP Certification
• UK: Certification by Central Entity
• EU: License from Regulator
• Singapore: Not specified in Playbook
• Japan: Bilateral Agreement

Open API Facilitation
• UK: Central Entity
• EU: European Banking Authority (EBA)
• Singapore: 411 APIs in Playbook
• Japan: Implemented Entities

Open API Maintenance
• UK: Central Entity
• EU: European Banking Authority (EBA)
• Singapore: Not specified in Playbook
• Japan: Implemented Entities


FINRA Rule 4210 Amendment


New margin requirements for certain MBS related transactions

The amendment to FINRA Rule 4210 (the “Rule”) was proposed to the Securities and Exchange Commission (the “Commission”) on October 6, 2015. The scope of the amended changes, as detailed in SR-FINRA-2015-36, seeks to establish margin requirements for “in-scope” transactions related to Mortgage-Backed Securities (“MBS”); specifically, transactions in (1) To Be Announced (“TBA”) securities, (2) Specified Pools and (3) Collateralized Mortgage Obligations (“CMO”) issued in conformity with a program of an agency or Government-Sponsored Enterprise (“GSE”) with forward settlement dates (collectively “Covered Agency Transactions”).

Effective Date:
Initially the effective date for these changes was announced to be eighteen months after the approval date, or December 15, 2017; however, after two subsequent requests from the industry, the effective date was pushed out twice and is now March 25, 2019. It does not appear that this date will change.

Impact to Your Organization

The delay to the effective date is largely due to the changes needed to address TBA and other forward settling MBS transactions. The securities and transactions subject to the new margin requirements have not previously been subject to margin requirements by issuing firms. No one collected collateral from other institutions and qualified investors who wanted to invest in MBS Pools and subsequently the TBAs that begin trading before the pool contents are announced. Collateral will now be required for these in-scope transactions, and the amount of collateral required will be dependent on whether the party is an “exempt account” or “non-exempt account.”

For many firms, these in-scope transactions are about to go from a routine securities trade to a
complicated transaction involving significantly more resource requirements (i.e. Legal, Operational
Risk, Operations, Collateral Management, etc.). This poses a great risk to many of the financial
institutions engaging in these types of trades because trading on margin will be a completely new
frontier.

How Sia Partners Can Assist

The new margin requirements will definitely impact some firms more than others and this list, above, is not exhaustive. Sia Partners is ready to assist our clients and anyone that may need assistance with reviewing their existing processes and procedures, legal, controls and collateral management functions to assess the impact of the rule change and develop a remediation plan, if necessary, to prepare for the Rule changes.


Impacted areas and what is needed:

• Legal: Master Securities Forward Transaction Agreements and other contracts, not previously required, and the templates used by the business will need to be developed and new agreements entered into with all applicable parties. Additionally, a review of all current documentation will need to be performed to ensure it is not outdated in light of the Rule change.

• Technology: Internally, firms will need to incorporate the margin into the Front Office pricing models; collateral management systems will need to be updated to handle the new products; and interaction with third parties (clearinghouses, etc.) will need to be incorporated into the systems, where possible.

• Operations & Collateral Management: Procedures will need to be established to manage the new collateral and the fee structure around the MBS collateral collected or paid.

• Policies & Procedures: General policies and procedures for all affected departments will need to be updated or created, including the written supervisory procedures.

• Controls: Ongoing Monitoring and other controls (i.e. reconciliations of collateral amounts and fees, payments, etc.) will need to be established to ensure all aspects of the Rule are adhered to and there are no major operational impacts as a result of the new requirements.

• Training: Across the firm, areas such as Audit, Risk, Legal, and Compliance will need to guide the business and other support functions in the new margin process. As a result, all departments and resources impacted by the rule change will need to have some form of training to ensure their understanding of the impact the rule change has on their new BAU processes. For some firms, new staff will need to be hired.


Volcker 2.0
Proposed Changes to the Volcker Rule

PUBLISHED IN THE FEDERAL REGISTER JULY 17, 2018, THE COMMENT PERIOD FOR THE PROPOSED CHANGES TO THE VOLCKER RULE IS NOW OPEN UNTIL SEPTEMBER 17, 2018. BELOW IS A SUMMARY OF THOSE CHANGES.¹

On January 14, 2014, Congress approved the revised final Volcker regulations that largely went into effect on July 21, 2015. The Volcker Rule, as it is commonly referred to, is Section 13 of the Bank Holding Company Act (the “Act”). Section 13 of the Act requires that the five prudential regulators collaborate on one common set of requirements for the Volcker Rule. The five prudential regulators are: the Federal Reserve (“Fed”), the OCC, the FDIC, the CFTC and the SEC (the “Agencies”). The Volcker Rule restricts certain banking entities and nonbank financial companies from engaging in proprietary trading and from having certain interests in, or relationships with, specific types of funds (i.e. hedge funds or private equity funds). This month, led by the Fed, a proposed amendment to the Volcker Rule was agreed upon by the Agencies and is currently submitted for public comment. The final step will be to present a final version to Congress for formal approval.

Overview of the Proposal

The Agencies acknowledge concerns that some parts of the 2013 final rule² may be unclear and potentially difficult to implement in practice. Based on experience since the adoption of the 2013 final rule, specifically the collection of nearly four years of quantitative data as required under Appendix A of the 2013 final rule, the Agencies have identified opportunities, consistent with the statute, for improving the rule, most notably by further tailoring the Volcker Rule’s application based on the activities and risks of banking entities globally.

The proposed amendment is intended to provide banking entities with clarity about what activities
are prohibited and to improve supervision and implementation of the Volcker Rule.
While the Volcker Rule addresses certain risks related to proprietary trading and covered fund
activities of banking entities, the Agencies note that the nature and business of banking entities
involve other inherent risks, such as credit risk and general market risk. To that end, the Agencies
have various tools, such as the regulatory capital rules of the Federal banking agencies and the
comprehensive capital analysis and review framework of the Fed, to require banking entities to
manage the risks associated with their activities. The Agencies believe that the proposed changes
to the 2013 final rule are consistent with keeping the banking industry safe and sound while
providing banking entities the ability to implement the appropriate risk management policies in
line with the risks associated with the activities in which banking entities are permitted to engage
under section 13.

The Agencies also note that the Economic Growth, Regulatory Relief, and Consumer Protection
Act (“EGRRCP Act”), which was enacted on May 24, 2018, amends section 13 of the BHC Act
by narrowing the definition of banking entity and revising the statutory provisions related to the
naming of covered funds. The Agencies plan to address these statutory amendments through a
separate rulemaking process; no changes have been included in the proposed amendment that
would implement the amendments in the EGRRCP Act. The EGRRCP Act amendments took effect
upon enactment, however, and in the interim period since enactment and before adoption, the
Agencies will not enforce the 2013 final rule in a manner inconsistent with the amendments to
section 13 of the BHC Act with respect to institutions excluded by the statute and with respect to
the naming restrictions for covered funds.
¹ https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20180605.pdf. The Federal Register version: 83 FR 33432.
² The final rule signed January 2014 is referred to as the “2013 final rule.”
³ For the determination of the trading assets and liabilities, the calculation should be excluding obligations of or guarantees by the US government and should include all global trading assets and liabilities.


Proposed Changes by Subtype


Change 1: CATEGORIES

The creation of categories to direct specific levels of compliance efforts based on the size of the banking entity’s or nonbank financial institution’s global trading assets and liabilities³: SIGNIFICANT (≥$10B), MODERATE (<$10B & ≥$1B) & LIMITED (<$1B).

SIGNIFICANT: This category is reserved for banking entities with combined global trading assets and liabilities³ greater than or equal to ten billion US dollars.
MODERATE: This second category is reserved for banking entities with combined global trading assets and liabilities³ greater than or equal to one billion but less than ten billion US dollars.
LIMITED: The last category is reserved for banking entities with combined global trading assets and liabilities³ less than one billion US dollars. Further, for banking entities in this category, there is a presumption of compliance and there is no obligation to demonstrate compliance. However, discovery of non-compliance would change the category to “MODERATE” and the regulatory agency may apply the more stringent requirements upon the non-compliant banking entity.

Change 2: P&L v. HOLDING PERIOD, ELIMINATION OF REBUTTABLE PRESUMPTION

Change to the metric used to flag trading as potentially proprietary trading activity from the length of the
holding period to the total profit & losses (“P&L”) made from trading activities. This change removes the
“rebuttable presumption” and replaces it with the presumption of compliance provided the P&L doesn’t
exceed $25MM over a rolling trailing 90 day period.

Change 3: FBOs RELIANCE ON LOCAL REQUIREMENTS/BCBS MINIMUM STANDARD

With respect to the Market Risk Capital prong of the prohibition of proprietary trading, Foreign Banking Organizations will be permitted to use their local capital requirements provided those requirements at least meet the standards set by the Basel committee.

Change 4: EXCLUSIONS

(1) Expansion of financial instruments (i.e. FX forwards, etc. per statutory definition list)
(2) Use of transactions to correct previously booked trades/transactions


Change 5: EXEMPTIONS

(1) Elimination of RENTD metric. The ability to use internally set risk limits, provided they’re established in
accordance with the Volcker Rule, to presume that trading within those limits signals compliance with the
proprietary trading restrictions.
(2) Relaxing the compliance program requirements for MODERATE and LIMITED categories.
(3) Risk-mitigating hedging standards
MODERATE and LIMITED: eliminated except the effective requirements
SIGNIFICANT: no change except softening language and relaxing documentation reqs.
(4) Modifies and removes certain TOTUS requirements (significant change for FBOs)

Change 6: ALLOWING 3RD PARTY COVERED FUNDS & USE OF COVERED FUNDS FOR HEDGING

(1) Elimination of RENTD metric. The ability to use internally set risk limits, provided they’re established in
accordance with the Volcker Rule, to presume that trading within those limits signals compliance with the
proprietary trading restrictions.
(2) Relaxing the compliance program requirements for MODERATE and LIMITED categories.
(3) Risk-mitigating hedging standards
MODERATE and LIMITED: eliminated except the effective requirements
SIGNIFICANT: no change except softening language and relaxing documentation reqs.
(4) Modifies and removes certain TOTUS requirements (significant change for FBOs)

Change 7: COMPLIANCE PROGRAMS

The proposed changes would allow SIGNIFICANT firms to integrate their Volcker compliance programs (“6
Pillar program”) into their existing framework. MODERATE firms will implement a simplified version and
LIMITED firms will not be required to proactively demonstrate compliance and will enjoy a presumption of
compliance. But they are still required to maintain a compliance program.

Change 8: CEO ATTESTATION

With the elimination of Appendix B, the only element that survives is the CEO attestation requirement but
only for the SIGNIFICANT and MODERATE firms.


Conclusion and next steps


The Agencies have provided for a 60 day comment period which began July 17, 2018, the date
the proposed changes were published into the Federal Register. Comments must be received on
or before September 17, 2018. In preparation for the final release, in scope banking entities and
nonbank financial companies should assess the rule changes as noted herein and, assuming the
proposed rule changes are largely unchanged, be prepared to consider the following items:

1. Quantify the global trading assets and liabilities to determine which Category your firm will fall
under;
2. Assess the strategy for each Volcker Unit and the businesses overall to determine what
changes, if any, are needed to enhance the desk’s operational efficiency and performance;
3. Review the third party covered funds transactions;
4. Develop the new P&L tracking and monitoring process for the newly created Accounting prong;
5. Update the suite of metrics, including the elimination of some (e.g. RENTD);
6. Adjust the compliance programs to tailor to the new requirements based on Categorization;
7. Assess the impact on the ability to rely on the Basel requirements outside the US;
8. Assess the impact for changes in certain TOTUS activities;
9. Revise Volcker Rule policies and procedures based on rule changes’ impact; and
10. Develop a training program which communicates the changes to the rules (e.g. trading requirements,
reporting, hedging, ownership/sponsorship of covered funds, etc.).

The proposed changes will affect the firms subject to the rules in different ways. Smaller firms
will see lower costs and a less intrusive compliance program as a result of the reduced compliance
requirements, while midsized and larger firms will find that the changes significantly enhance
their ability to transact and manage their risks. While the proposed rule change does not eliminate
the core mandate of the Volcker Rule, it does slightly increase the risk of non-compliance (e.g.
less monitoring may allow more bad actors to take advantage, etc.); however, the changes allow
firms to operate more effectively and efficiently. The intent is to restore a little bit of the
liquidity to the markets that was taken away by the original rule. There are those that say that
Volcker 2.0 brings the markets closer to a more sensible balance.

Regulation relating to the banking and insurance industry

This last section focuses on regulations that apply to the banking and insurance industries:
• “Living Wills” | Recovery and Resolution Planning (RRP)
• Legal Entity Identifier | Unique Identification of Legal Entities
• CRS | Common Reporting Standard
• 871(m) | Withholding on Dividend Equivalent Payments on US Equity Derivatives
• IFRS 9 | Financial Instruments
• IFRS 13 | Fair Value Measurement
• Financial Crime | Overview of the Asian Framework
• FinCEN’s Customer Due Diligence Rule | Collecting, Maintaining and Reporting of Beneficial Ownership Information
• NYSDFS Part 504 | Transaction Monitoring and Filtering Programme
• GDPR | Protection of Personal Data
• Data Privacy | Data Privacy Framework in Asia
• Cybersecurity | Frameworks Around Cyber Risks


“Living Wills”
Recovery and Resolution Planning (RRP)

Key Facts

• Title: Guidance from the Financial Stability Board (FSB) “Key Attributes of Effective Resolution
Regimes for Financial Institutions” (section 11 and Appendix I-Annex 4)
• Publication date: October 2011 (updated October 2014)
• Effective date: FSB members expected to have “Key Attributes” in place by end of 2015 (number of
jurisdictions beyond schedule)
• Scope: any financial institution that could be systemically significant if it fails, including:
- Global systemically important financial institutions (G-SIFI)
- Domestic systemically important financial institutions (D-SIFI)
- Financial market infrastructures (FMI)
• Regulatory topic:
- Systemic financial stability
- End of “too big to fail” paradigm and publicly-funded bailouts
• Related regulations: series of reforms launched to align national regimes on the “Key Attributes”
set by the FSB, including:
- US - Dodd Frank Act Section 165(d)
- EU - Bank Recovery and Resolution Directive
- Japan - Japanese Deposit Insurance Act (revised)
- Hong Kong - HKMA Supervisory Policy Manual module RE-1 on Recovery Planning and Code of Practice
CI-1 Resolution Planning: Core Information Requirements
- Singapore - Monetary Authority of Singapore (Amendment) Bill 2017

History and Agenda

July 2017: HK | Published additional guidelines on recovery planning
July 2017: HK | Resolution planning: core information requirements implemented by the HKMA
July 2017: SG | Bill passed by Parliament to strengthen MAS’ powers to impose RRP requirements
December 2015: Global | FSB members expected to have “Key Attributes” in place
June 2014: HK | Recovery planning requirements implemented by the HKMA
May 2014: EU | Bank Recovery and Resolution Directive adopted by the European Parliament
June 2013: JP | Japanese Deposit Insurance Act (revised) approved by the Diet
November 2011: Global | FSB’s “Key Attributes” endorsed by G20 leaders as international standards
for resolution regimes
October 2011: US | Dodd Frank Act Section 165(d) approved by the FRB and FDIC

Principles and Objectives

The overarching objective of the FSB’s 12 “Key Attributes”, which include recovery and resolution
planning, is to enable the resolution of non-viable financial institutions without severe systemic
disruption and without exposing taxpayers to loss while protecting vital economic functions and
respecting the hierarchy of claims between creditors in case of liquidation.
RRP aims at identifying and planning:
i. Stabilisation options that restore financial strength and viability when the firm comes under
severe stress (recovery planning).
ii. Liquidation options that provide for the orderly closure and wind-down of all or parts of the
firm’s business if the recovery strategy fails (resolution planning).


Global Systemically Important Banks (G-SIB)

Agricultural Bank of China, Bank of America, Bank of China, Bank of New York Mellon, Barclays,
BNP Paribas, China Construction Bank, Citigroup, Credit Suisse, Deutsche Bank, Goldman Sachs,
Groupe Crédit Agricole, HSBC, ICBC, ING, JP Morgan Chase, Mitsubishi UFJ FG, Mizuho FG,
Morgan Stanley, Nordea, Royal Bank of Canada, Royal Bank of Scotland, Santander, State Street,
Société Générale, Standard Chartered, Sumitomo Mitsui FG, UBS, Unicredit Group, Wells Fargo

Global Systemically Important Insurers (G-SII)

Aegon, Allianz, AIG, Aviva, Axa, MetLife, Ping An Insurance Group, Prudential Financial,
Prudential plc

Domestic Systemically Important Banks (D-SIB) in Asia (1)

HONG KONG: HSBC, Bank of China, Hang Seng Bank, Bank of East Asia, ICBC, Standard Chartered
SINGAPORE: DBS, OCBC, United Overseas Bank, Citibank, Malayan Banking Berhad, Standard Chartered,
HSBC
JAPAN: Mitsubishi UFJ FG, Mizuho FG, Sumitomo Mitsui FG, Sumitomo Mitsui Trust Hold.,
The Norinchukin Bank, Daiwa Securities Group, Nomura Holdings

Sources:
• G-SIB: FSB, November 2017
• G-SII: FSB, November 2016
• Hong Kong D-SIB: HKMA, December 2017
• Singapore D-SIB: MAS, November 2016
• Japan D-SIB: IMF, July 2017

Notes:
• (1) Focus on Hong Kong, Singapore and Japan only


Key FSB requirements and operational impacts

Recovery Planning
Requirements:
• Senior management of financial institutions are responsible for developing and maintaining, and
where necessary executing, plans that will guide the recovery process in case of financial stress.
• Recovery plans should:
- Reflect organisation-specific circumstances (activity, complexity, interconnectedness, level of
substitutability and size),
- Be based on severe stress scenarios and
- Include measures to reduce the risk profile and conserve capital (exit of business lines,
conversion of debt into equity etc.).

Resolution Planning
Requirements:
• Resolution authorities are responsible for developing and maintaining, and where necessary
executing, plans that will guide the resolution process if the recovery strategy fails.
• Institutions have to provide to the designated authorities the data and information, including
strategy and scenario analysis, required for resolution planning purposes.

Operational Impacts (Recovery Planning and Resolution Planning)
Need to:
• Implement a robust governance and sufficient resources to support the RRP process
• Establish a robust stress-testing process fed by concrete firm-specific scenarios
• Have systems that can generate in time the extensive information required
• Liaise regularly with home (and host) authorities to review plans and underlying simulations

RRP Updates and Reviews
Requirements:
• RRP should be updated at least annually or whenever there are material changes to a firm’s
business or structure.
• RRP should be reviewed regularly (at least annually for G-SIFI) by the designated resolution
authorities.
Operational Impacts: Significant on-going commitment of human resources

Resolvability Assessment
Requirements:
• RRP should be informed by the conclusions of the assessments conducted by the resolution
authorities in the home and host jurisdictions.
• Should the resolution authorities conclude that plans are not credible or sufficient,
institutions may be requested to change their business practices, structure or organisation and to
amend their recovery and resolution strategies.
Operational Impacts: Significant business and operational adjustments (incl. activity break-up)
potentially required to satisfy resolution authorities

FSB guidance | Essential elements of a recovery plan

1. Range of possible recovery measures
- Actions to strengthen the capital (recapitalisation, dividend payment suspension etc.), business
exits or spin-offs, liability restructuring (debt bail-in), measures to secure funding and
collateral
2. Assessment of additional funding required in case of stress
- Pre-funding or extra collateralisation of positions required to maintain memberships of FMIs
3. Operational contingency arrangements
- Including but not limited to functioning of internal processes, IT systems, clearing and
settlement facilities, supplier and employee contracts
4. Backstops and escalation procedures ensuring prompt implementation of recovery plan
- Quantitative and qualitative measures triggering the launch of the recovery plan and associated
corrective actions
5. Communication strategy with key stakeholders
- Resolution authorities and regulators, public, financial markets, employees etc.

FSB guidance | Information required for recovery and resolution planning

1. Intra-group financial and operational interconnectedness
- Core operational dependencies by business line, legal entity and jurisdiction, intra-group
exposures (guarantees, loans), back-to-back trades, capital and liquidity dependencies etc.
2. Operational data (on- and off-balance sheet analysis)
- Extent of asset encumbrance, liquid assets, maturity and run-off profile of the balance sheet,
credit enhancement measures, derivatives exposures, asset/liability overhang etc.
3. Organisation and operations impacting execution of RRP measures
- Dealing rooms, trade booking models, hedging strategies, custody of assets, payment, clearing
and settlement systems, key information systems (position keeping, accounting and risk)
4. Key crisis management roles and responsibilities
- Contact information, in-crisis communication facilities and procedures
5. Legal and regulatory framework in which firm operates
- Home and host authorities, functions and responsibilities in crisis management, resolution
regimes, relevant aspects of applicable laws and insolvency regimes


Legal Entity Identifier


Review of ISO 17442 – Legal Entity Identifier

Key Facts

• Title: International Organization for Standardization (“ISO”) 17442
• Publication date: June 1, 2012
• Effective date: Not Applicable
• Scope: All legal entities
• Targeted products: Not Applicable
• Regulatory topics: Know Your Customer, Dodd Frank, EMIR.

History and Agenda

March 2018: More than 1.1 million entities from over 200 countries and territories had obtained
LEIs from 30 operational issuers accredited by the GLEIF
March 2016: The LEI ROC publishes the final version of its report on Collecting data on direct and
ultimate parents of legal entities in the Global LEI System
October 2015: Search Function to verify the status of an entity’s LEI was added to the system
June 2014: Global LEI Foundation was established to act as operational arm of the Global LEI System
January 2013: Inaugural meeting of the Global LEI Regulatory Oversight Committee (“ROC”) to
establish the Global LEI System
December 2012: First LEIs are issued
June 2012: ISO publishes first edition of LEI

Principles and Objectives

A Legal Entity Identifier (“LEI”) is a 20-character, alpha-numeric code used to uniquely identify
legally distinct entities that engage in financial transactions. These LEIs are issued by Local
Operating Units (“LOUs”) of the Global LEI System. Four key principles underlie the LEI:
1. It is a global standard.
2. A single, unique identifier is assigned to each legal entity.
3. It is supported by high data quality.
4. It is a public good, available free of charge to all users.

A result of joint public and private sector efforts, the LEI supports authorities (i.e., CFTC,
SEC, ESMA) and market participants in identifying and managing financial risks. In particular, LEIs
may be used for reporting and other regulatory purposes in the various jurisdictions represented in
the Regulatory Oversight Committee (“ROC”).

Once a legal entity has obtained an LEI, it will be published together with the related LEI
reference data by the organization that has issued the LEI. This means the full data on the entire
LEI population is publicly available for unrestricted use by any interested party at all times.
Although the structure of the ROC and LEI is in place, all entities required by their local
regulators to implement and convert systems will need assistance with accommodating this LEI regime.


Common Reporting Standard (CRS)


Automated Exchange of Tax Information

Key Facts

• Title: CRS (Common Reporting Standard).
• Publication date: 13 February 2014
• Effective date: 1 January 2016 (Early Adopters), 1 January 2017 (committed countries)
• Scope: Financial Institutions including banks, custodians, brokers, certain collective investment
vehicles, trusts, certain insurance companies
• Targeted products/Services: Reportable Financial Account information
• Regulatory topics: Increase tax transparency
• Related regulations: Foreign Account Tax Compliance Act (FATCA) by US IRS

History and Agenda

1 February 2018: Begin exchange of information on pre-existing lower value accounts
31 December 2017: Due diligence for all other preexisting accounts must be completed
1 September 2017: First exchange of information between governments on new accounts and High Value
accounts
31 December 2016: Due diligence for high value individual accounts must be completed
1 January 2016: New account opening procedures must be in place and begin monitoring for changes in
circumstances
Q3 2015: Early adopter countries have local legislation in place
16 December 2014: CRS incorporated into DAC2
29 October 2014: Early adopter countries signed CRS
22 July 2014: CRS Model Commentary published
13 February 2014: CRS Model Published by OECD

Principles and Objectives

The Organization of Economic Cooperation and Development (OECD) released the CRS, which seeks to
establish a new global standard for automatic exchange of financial account information between
governments. CRS was endorsed by the G20. More than 65 jurisdictions have publicly committed to
such implementation, with 44 countries having committed to a specific and ambitious timetable to
have in place the first automatic information exchanges in 2017 and be recognised as the ‘Early
Adopters’.
To comply with the CRS requirements, all Financial Institutions will be required to identify
reportable accounts, obtain and review the accountholder’s identifying information such as tax
residency and report those accounts to their local tax administration authorities on an annual
basis. The reportable information will then be exchanged with the accountholder’s residency country.
In order to exchange these data, the OECD has created an Automatic Exchange of Information (AEoI)
system to ensure systematic transmission of large volumes of information between the CRS
jurisdictions.


The Standard consists of the following four key parts:

• A model Competent Authority Agreement (CAA), providing the international legal framework
for the automatic exchange of CRS information;
• The Common Reporting Standard;
• The Commentaries on the CAA and the CRS; and
• The CRS XML Schema User Guide

As at November 2017, a total of 146 jurisdictions had committed to AEOI; the status of commitments
varies, with different dates for first exchanges.

Number of jurisdictions by year of first exchange:
• 2017: 49 (e.g. India & South Korea)
• 2018: 53 (e.g. China, Hong Kong, Indonesia, Japan, Singapore)
• 2019/20: 3 (Albania, Maldives, Nigeria)
• TBD: 41 (e.g. Philippines, Thailand)


Common Reporting Standard (CRS) User Guide and Schema

• The CRS Schema is re-using the FATCA schema and elements of STF, so there are some
elements in the CRS schema that are not required for purposes of reporting and exchanging
under CRS.

• The CRS XML Schema is developed at the level of the OECD as part of the CRS, for exchanging
information with each other and, in many instances, for receiving information from their
Financial Institutions. A schema is a data structure for holding and transmitting information
electronically and in bulk. XML (“extensible mark-up language”) is commonly used for this
purpose.

• The User Guide explains the information required to be included in each CRS data element to
be reported in the CRS XML Schema. It also contains guidance on how to make corrections
of data items within a file that can be processed automatically.

1. Message Header with the sender, recipient, message type, reporting period
• Sending Company Identification Number
• Transmitting Country
• Receiving Country
• Message Type
• Contact
• Message Ref ID
• Reporting period
• Timestamp

2. Person Party Type: controlling person of Passive NFEs or account holder details if an individual
• Tax residence country code
• Tax Identification Number (TIN)
• Name
• Address
• Nationality
• Birth Information

3. Organisation Party Type: account holder if an entity
• Tax residence country code
• Organisation ID Number
• CRS Entity Type
• Name
• Address

4. CRS Body: Reporting FI and reporting group and account details
• Reporting FI
• Reporting Group
• Account Report
• Account Number
• Account Holder
• Controlling Person
• Account Balance
• Payment

5. Transliteration is required because sending and receiving jurisdictions do not use a common
alphabet; Competent Authorities may agree how they will undertake such transliteration.

6. Guidance on the correction process for CRS

• By sending a file of corrected data that can be processed in the same systems as the original
data that was received.
• If the whole of a data file is to be completely replaced, there can be a cancellation of the first
message, then a new message with a file of completely new data can be sent, with no link to the
previous records apart from the message header: “cancel and report”, not “correct”.


Section 871(m) of the US Internal Revenue Code


A regulatory amendment to close a tax loophole for non-US persons

Key Facts

• Title: Section 871(m) of the US Internal Revenue Code
• Publication date: 10 July 2015
• Effective date: January 1, 2017
• Scope: withholding cash-payment operations at financial institutions with non-US counterparties
• Targeted products: equity linked instruments/ non-principal contracts and other derivatives.
• Regulatory topics: Taxation and Derivatives

History and Agenda

2019: Non-delta-one trades will now be covered
2018: Delta-one transactions will now be covered
Jan 2017: Final regulation published to reflect phased-in application
2016: Finalize QI withholding agreement, including Qualified Derivatives Dealer (QDD) status
Sept 2015: Publication of Final Regulations by the IRS (Internal Revenue Service)
2010: HIRE Act taxes payments on derivatives for US counterparties

Context

Since the Hiring Incentives to Restore Employment (“HIRE”) Act was passed in 2010, non-US
counterparties were able to avoid taxes on “dividend equivalent” payments if they held long
positions in certain derivatives contracts linked to US equity underliers. However, the US Internal
Revenue Service’s (“IRS”) amendment to IRC 871(m) in 2015 made “dividend equivalent” payments to
non-US persons investing in notional principal contracts (“NPCs”), derivatives and other
equity-linked instruments (“ELIs”) subject to a default 30% US withholding tax rate, absent an
exception and subject to rate reduction by treaty.
• The methodology for determining whether a transaction is within the scope of the withholding tax,
as well as which party must perform which test (either the Delta or Substantial Equivalence test)
is not prescriptive.

Principles and Objectives


The amendment requires withholding on certain derivatives referencing US-sourced equities,
resulting in two significant challenges to both US & non-US financial institutions:

1. Understanding their complex and oftentimes unclear responsibilities as they relate to managing
in-scope clients and transactions, as this will ultimately require pivotal decisions in an
uncertain regulatory environment.
2. Preparing for the transformations to operational infrastructures in order to ensure
compliance with 871(m) requirements.

Financial institutions have struggled with the operational challenge that arises due to 871(m). The
IRS’ amendments to 871(m) fail to account for the negative impact on market participants in the
US-sourced derivatives industry; as a result, global disruption has occurred. However, the one year
extension for implementation should assist both banks and taxpayers. If the delay is a signal of
permanent status, then non-delta-one transactions and the more complex aspects of the QDD regime
will never be covered by the rules, absent anti-abuse provisions. This extension for a phased-in
implementation gives financial institutions time to achieve compliance with 871(m).


Regulatory Timeline

On September 17, 2015, the US Treasury released final regulations under section 871(m) of the
Internal Revenue Code which provide rules for withholding of up to 30% (subject to reduced
rates under applicable US tax treaties) on payments pursuant to a derivatives contract or other
equity-linked instruments that reference US equity securities.
• In-scope products include, but are not limited to, equity swaps, structured derivatives,
structured notes or certificates, OTC equity options and OTC equity forwards.
• The rule is global in scope and applies to all regions and countries.

Timeline of Events Leading to 871(m) Changes

March 2010: US Passed Hire Act.
• Section 871(m) enacted
• Scope: Specified Notional Principal Contract (NPC)
• ISDA HIRE Act Protocols published in 2010
2012: Temporary and proposed regulations
2013: New final and proposed regulations
2015: IRS presents Section 871(m) regarding the enforcement of withholding taxes and reporting on
derivatives products
July 2016: IRS releases the Qualified Intermediary Agreement (QIA), providing the requirements to
become a Qualified Derivative Dealer
Jan 1, 2017: Effective Date

• The US Department of the Treasury and the IRS amended section 871(m) to delay the
effective date of certain rules in the final regulation, specifically the phase-in period.
• Taxpayers and withholding agents will have additional time to implement 871(m) regulations
for non-delta-one transactions. Therefore, the Treasury Department and the IRS intend to revise
the effective date to not apply to any payment made with respect to any non-delta-one
transaction issued before January 1, 2019.
• The IRS will determine whether the taxpayer/withholding agent made a “good faith effort”
to comply with the 871(m) regulations with respect to delta-one transactions in 2017 and
non-delta-one transactions in 2018. In addition, the IRS will also consider the extent to which
the taxpayer/withholding agent made a “good faith effort” to comply with the section 871(m)
regulations for (1) any delta-one transaction in 2017 and 2018, and (2) any non-delta-one
871(m) transaction in 2019.

Section 871(m) regulatory dates

871(m) products segmentation:
• 2018: Withhold on Delta One contracts that were issued in 2016
• 2019: Withhold on Non-Delta One contracts that were issued in 2016
• Identify, withhold and report on contracts issued in 2017 as in scope for 871(m)



Micro Impacts

The IRS amended 871(m) in a manner that could confuse market participants about whether
their conduct would be compliant with the rule. Market participants entering into these contracts
will have to understand the roles and responsibilities for each specific trade they enter into, and
if they cannot rely on their referential source systems (i.e., Bloomberg, Thomson Reuters) or
broker-dealers to compile and monitor this information for them, they will have to either implement
this process into their own infrastructure, or stop entering in-scope trades. At a minimum,
the following needs and constraints have been identified:
Identified needs
• Two main challenges resulting from this regulation:
1. Identify the affected financial products and their associated withholding taxes
2. IT & process transformation from the front to the back office (pricing to reporting tools)
• This regulation provides opportunity to:
- Produce a mapping of all products traded by the bank
- Allow a clear picture of all client financial products traded
- Allow a more accurate monitoring of all financial products
• Review business strategy
- Some products are less attractive for clients because of the withholding tax
- Regulation can significantly impact client portfolio yield

Constraints
• Planning
- A very tight planning timeline
- A short time to comply with the regulation (fully effective in 2017)
• Financials
- Very high fine if institution is not compliant
- If an in-scope counterparty is not withheld upon, they are fined at 100% of the withholding tax.
If appropriate documentation (such as a signed ISDA agreement) is not obtained and stored by the
bank, the bank is technically liable
• Why is this regulation different?
- The 871(m) section brings new notions to the regulatory environment.
- The FATCA application doesn’t withhold tax on certain dividend equivalent payments
- IRS has introduced new terms: Simple & Complex products, new tests, new process. This is an all
new request for dealers to adapt in a short time frame

Despite the lack of clarity, financial institutions are forced to make decisions on procedures on the
following items in an uncertain environment.

4 major Items for Financial Institutions to Address

• Onboarding: Is the client Non-US?
• Product classification: Is the product in the scope of the tax?
• Withhold the tax: When and how the dealer should/will withhold the tax?
• Reporting: How the dealer will report the tax?



IT and Process Transformation

871(m) will require financial institutions, both Foreign Banking Organizations & US Bank Holding
Companies, to develop and implement an IT infrastructure to ensure compliance. Specifically, they
must develop IT systems to (1) identify the citizenship of the counterparty and product types that
are in-scope for withholding, (2) calculate the dividend equivalent amount and withholding tax
for each in-scope counterparty, (3) monitor corporate actions on underlying US equities, and (4)
report and remit withholding taxes to the IRS.

Scope
§ Impacted Products:
SWAPS, Options (Listed & OTC), Futures, Repurchase Agreements, Convertible Debt, Compensation Agreements, Forwards, Security Lending, Equity Linked Contracts

§ Impacted Parties:
Hedge Funds, Banks, Asset Managers, Brokers, Clearing Houses, Executing Brokers, Custodians, Wealth Managers, Foreign Investors

Impacts on several streams of financial services clients

• Many financial institutions are affected by Section 871(m)
• The main challenge of complying with this regulation is producing a product identification tool which will determine if the product is in the scope of the tax.
• Deadlines are short for a very wide scope of products and clients
• Regulation impacts pricing IT tools, withholding financial movement, IT reporting process
• Certain yield strategies are significantly affected by Section 871(m)


IFRS 9
Financial Instruments

Key Facts

• Title: IFRS 9 Financial Instruments.
• Date of release: 14 July 2014 - Publication of IFRS Foundation and the IASB.
• Effective date: 1 January 2018.
• Scope: The package of improvements introduced by IFRS 9 includes a logical model for classification and measurement, a single, forward-looking ‘expected loss’ impairment model and a substantially-reformed approach to hedge accounting
• Targeted products/services: all financial products
• Regulatory topics: Classification and Measurement, Impairment, and Hedge Accounting on Financial Instruments.
• Related regulations: IAS 39, IFRS 7.

History and Agenda

January 2018:
Effective date and FTA

July 2017:
Start date of a parallel run as suggested by regulator

December 2015
The Basel Committee published the guidelines on credit risk and the recognition of expected credit losses under IFRS 9

July 2014
The final version of IFRS 9 is published by the IFRS Foundation and the IASB.

November 2015
The IASB issued IFRS 9 Financial Instruments (Hedge Accounting and amendments to IFRS 9, IFRS 7 and IAS 39) amending IFRS 9 to include the new general hedge accounting model, allow adoption of the treatment of fair value changes due to own credit on liabilities designated at fair value through profit or loss, and remove the 1 January 2015 effective date.

December 2011
The IASB issued Mandatory Effective Date and Transition Disclosures (Amendments to IFRS 9 and IFRS 7), which amended the effective date of IFRS 9 to annual periods beginning on or after 1 January 2015, and modified the relief from restating comparative periods and the associated disclosures in IFRS 7.

Principles and Objectives

IFRS 9 brings together the classification and measurement, impairment and hedge accounting phases of the IASB’s project to replace IAS 39 Financial Instruments: Recognition and Measurement.

IFRS 9 is built on a logical, single classification and measurement approach for financial assets that reflects the business model in which they are managed and their cash flow characteristics.

Built upon this is a forward-looking expected credit loss model that will result in more timely recognition of loan losses and is a single model that is applicable to all financial instruments subject to impairment accounting.

In addition, IFRS 9 addresses the so-called ‘own credit’ issue, whereby banks and others book gains through profit or loss as a result of the value of their own debt falling due to a decrease in credit worthiness when they have elected to measure that debt at fair value.

The Standard also includes an improved hedge accounting model to better link the economics of risk management with its accounting treatment.


Major requirements and operational impacts: Classification and Measurement

Description

Financial Assets
• New model of classification containing 3 accounting categories (vs 4 for IAS 39)
• The classification depends on 2 criteria: contractual cash flows and business model
• The three categories are:
- Amortization cost (AC)
- Fair value through other comprehensive income (FVOCI)
- Fair value through profit or loss (FVTPL)

Financial Liabilities
• Trading liabilities are recorded using Fair value through profit or loss (FVTPL)
• Financial Liabilities in Fair Value: variations of fair value related to the credit «spread» of the issuer are recorded in OCI (Other Comprehensive Income)

Operational Impacts

On Governance
• Implement appropriate governance structures for implementing new systems and processes
• Review and implement the KPIs / Dashboards

On Accounting / Reporting
• Enhance the account structure
• Define additional requirements for the data
• Update the accounting procedures

On Data Source
• Enhance the data model (historical data, forecast data, characteristics of financial instruments, etc.)

On Finance
• Identify additional information and impacts of reporting in the financial statement
• Estimate and communicate the potential impacts of the changes introduced by new IFRS 9 Standard
• Estimate the impacts on the regulatory capital

On Area of Judgements
• Determine and validate business models
• Determine the characteristics of the cash flows (choice of the financial instrument benchmark)

On Business
• Update the structure of portfolios
• Implement tests of SPPI (Sole Payment of Principal and Interest) (in depth analysis of the contractual dispositions of all financial instruments / modifications of clauses if necessary according to the evaluation criteria, etc.)
• Review impacts of pricing / modifications of the pricing if necessary
• Update the product catalog (sold or exchanged by the F/O), and changes required in the risk management
• Monitor the individual agreements and specific agreements
• Document the choice of the models / of the characteristics of the financial instruments
• Adjust the processes of validation

On Area of Judgements
• Implement at each level the new categories of financial instruments and allocate the assets to the different categories
• Conduct necessary studies regarding the system implementation of business model and test of SPPI
• Modify the systems to provide necessary data for classification (historical and forecast data)


Major requirements and operational impacts: Impairment

Description

• New model is forward-looking which requires the recognition of expected credit losses to reflect changes in the credit risk of financial instruments
• A 3 steps approach, the allocation of a financial asset at each stage depends on the level of deterioration of credit quality:

[Figure: Evolution of the Credit Quality; Recognition of Expected Losses on Credit]

Operational Impacts

On Accounting / Risks
• Incorporate the notion of expected loss in the provisioning related to the risks
• Define the thresholds of significant change of the credit risk
• Validate data sources (audit trail, peculiarities of the products impacting their accounting mode, the provisioning rules…)
• Revise the necessary accounting schemes
• Review/Update the accounting procedures

On Organization / Process
• Coordinate the processes between risk management and accounting departments
• Define the roles and responsibilities (implying the risks and the accounting) in order to manage the gaps/distortions and avoid duplicates
• Set up training sessions to increase the awareness of risk and accounting people on mutual issues that are impacting them
• Define and implement the necessary controls across all functions and departments involved in the application of the procedures, data collection, implementation of calculations, and the consideration of the hypothesis, etc.

On Financial Communication
• Quantify the impact on equity, the covenants, and the regulatory capital
• Define a communication plan for the shareholders (analysts, investors, regulators, etc.)

On Area of Judgements
• Develop accurate estimates for:
- Expected credit losses
- The date on which the entity considers that there is significant increase in credit risk
• Clarify the definition of “default” and “significant increase” considering the characteristics of financial instruments, and being consistent with the risk management
• Document the information and data required for the calculation of the expected credit losses (historical data, both recent and prospective)

On Information System
• Audit the information systems in order to ensure their robustness in terms of data collection/calculation related to:
- The estimation of expected credit losses of financial assets on 12 months or on total lifecycle
- The occurrence of the changes of credit risk (significantly increase or inverse trend)
- The collection of necessary data for the production of the information in the notes (annex of financial statement)

Major requirements and operational impacts: Hedge Accounting

Description

• More closely align hedge accounting with risk management activities:
- More transactions are eligible as hedges: hedged items and hedging instruments
- Less volatility of P&L
• Replacing the usage of the range of 80%-125% as the requirement for prospective and retrospective effectiveness testing with a single prospective test of 3 criteria
• Allow using the provisions of IAS 39 in terms of hedge accounting until the finalization of the project on macro hedging

Operational Impacts

On Business
• Review the existing hedged relations and define the new hedging relations
• Evaluate the new hedging strategies (analyzing the risk components of non financial instruments to maximize the proportion to hedge)
• Integrate risk management and accounting

On Organization / Process
• Ensure the consistency of the information to provide in the notes (annex of financial statement) with the new IFRS 9 Standards:
- Description of the hedging instruments and their FV
- Description of the hedge utilized
- Amount of the inefficiency by hedging type
- Impact on the balance sheet, P&L and equity
- Impact of hedging activities on cash flows (amount, timing, uncertainty)
- Strategy of the entity in terms of risk management and its implementation
- Hedged risks

On Methodology
• Identify the eligible elements for the hedge accounting (hedging instruments and hedged elements)
• Develop a methodology to determine the risk component of the hedged element

On Process / IT Systems
• Upgrade systems to implement the new IFRS 9 Standards in terms of hedge accounting (more hedged elements and eligible instruments and more information to provide)
• Examine possibilities of integration of the data deriving from risk management accounting
• Implement risk assessment components of non-financial hedged elements
• Implement qualitative assessment of hedge effectiveness
• Follow hedging relationships to determine those that require a “rebalancing” so that the hedging relationship is not interrupted
• Set up the calculation of the fair value of the components of future contracts, purchased options or currency swaps (“cross-currency swaps”)


IFRS 13
Review of IFRS 13 Fair Value Measurement

Key Facts

• Title: IFRS 13 Fair Value Measurement.
• Publication date: May 12th, 2011
• Effective date: January 1st, 2013.
• Scope:
- IFRSs that require or permit fair value measurements or disclosures (exclusions noted in paragraph 2 below, under “Principles and Objectives”)
- Nations who have adopted IFRS (see page 2, top, “Nation Usage”); permitted but not required by foreign US SEC registrants in the US
• Targeted products: all financial instruments (assets and liabilities)
• Regulatory topics:
- Transparency and reporting (globally, as applicable per Scope)
- Investor protection
• Related regulations (implementation in tandem):
- In the U.S., separate from IFRS but similar: U.S. GAAP, Financial Accounting Standards Board (FASB) - Accounting Standards Codification (ASC) Topic 820, Fair Value Measurement

History and Agenda

January 2018:
IFRS Taxonomy Consultative Group meeting; an agenda item is “Update to the IFRS Taxonomy content – analysis of the reporting practise for the sensitivity analysis required by IFRS 13 Fair Value Measurement”

December 2013:
“Annual Improvements to IFRSs 2010–2012 Cycle” (short-term receivables and payables) amendment

May 2011
IFRS 13 “Fair Value Measurement” released

August 2010
IFRS staff draft on fair value measurement released

June 2009
“Measurement Uncertainty Analysis Disclosure for Fair Value Measurements” exposure draft published

May 2009
“Fair Value Measurements” exposure draft published

November 2006:
“Fair Value Measurements” discussion paper published

September 2005:
Fair Value Measurement added to IASB’s agenda

Principles and Objectives

IFRS 13 defines fair value, sets out a framework for measuring fair value, and requires disclosures about fair value measurements.

It applies when another Standard requires or permits fair value measurements or disclosures about fair value measurements (and measurements based on fair value, such as fair value less costs to sell), except in specified circumstances in which other Standards govern. For example, IFRS 13 does not specify the measurement and disclosure requirements for share-based payment transactions, leases or impairment of assets. Nor does it establish disclosure requirements for fair values related to employee benefits and retirement plans.

IFRS 13 defines fair value as the price that would be received to sell an asset or paid to transfer a liability in an orderly transaction between market participants at the measurement date (an exit price). When measuring fair value, an entity uses the assumptions that market participants would use when pricing the asset or the liability under current market conditions, including assumptions about risk. As a result, an entity’s intention to hold an asset or to settle or otherwise fulfil a liability is not relevant when measuring fair value.


Latest Update on IFRS nation usage (as of January 25, 2018):


• 12 jurisdictions permit, rather than require, IFRS Standards:
- Bermuda, Cayman Islands, Guatemala, Honduras, Japan, Madagascar, Nicaragua, Panama,
Paraguay, Suriname, Switzerland, Timor-Leste;

• One jurisdiction requires IFRS Standards for financial institutions but not listed companies:
- Uzbekistan;

• One jurisdiction is in process of adopting IFRS Standards in full:
- Thailand;

• One jurisdiction is in process of converging its national standards substantially (but not
entirely) with IFRS Standards:
- Indonesia; and

• Seven jurisdictions use national or regional standards:
- Bolivia, China, Egypt, India, Macao SAR, United States, Vietnam.

Source (retrieved April 12, 2018): http://www.ifrs.org/use-around-the-world/use-of-ifrs-standards-by-jurisdiction/#analysiS

Key Definitions:
• Fair value:
- The price that would be received to sell an asset or paid to transfer a liability in an orderly
transaction between market participants at the measurement date

• Active market:
- A market in which transactions for the asset or liability take place with sufficient frequency and
volume to provide pricing information on an ongoing basis

• Exit price:
- The price that would be received to sell an asset or paid to transfer a liability

• Highest and best use:
- The use of a non-financial asset by market participants that would maximise the value of the
asset or the group of assets and liabilities (e.g. a business) within which the asset would be
used

• Most advantageous market:
- The market that maximises the amount that would be received to sell the asset or minimises
the amount that would be paid to transfer the liability, after taking into account transaction
costs and transport costs

• Principal market:
- The market with the greatest volume and level of activity for the asset or liability
Source (retrieved April 12, 2018): Deloitte microsite for IFRS 13: https://www.iasplus.com/en/standards/ifrs/ifrs13


Fair Value Hierarchy (Overview, and Levels 1 / 2 of 3)


Overview:
IFRS 13 seeks to increase consistency and comparability in fair value measurements and
related disclosures through a ‘fair value hierarchy’. The hierarchy categorises the inputs used in
valuation techniques into three levels. The hierarchy gives the highest priority to (unadjusted)
quoted prices in active markets for identical assets or liabilities and the lowest priority to
unobservable inputs.

If the inputs used to measure fair value are categorised into different levels of the fair value
hierarchy, the fair value measurement is categorised in its entirety in the level of the lowest level
input that is significant to the entire measurement (based on the application of judgement).

Level 1:
Level 1 inputs are quoted prices in active markets for identical assets or liabilities that the entity
can access at the measurement date.

A quoted market price in an active market provides the most reliable evidence of fair value and
is used without adjustment to measure fair value whenever available, with limited exceptions.

If an entity holds a position in a single asset or liability and the asset or liability is traded in an
active market, the fair value of the asset or liability is measured within Level 1 as the product of
the quoted price for the individual asset or liability and the quantity held by the entity, even if the
market’s normal daily trading volume is not sufficient to absorb the quantity held and placing
orders to sell the position in a single transaction might affect the quoted price.

Level 2:
Level 2 inputs are inputs other than quoted market prices included within Level 1 that are
observable for the asset or liability, either directly or indirectly.

Level 2 inputs include:

• quoted prices for similar assets or liabilities in active markets
• quoted prices for identical or similar assets or liabilities in markets that are not active
• inputs other than quoted prices that are observable for the asset or liability, for example:
- interest rates and yield curves observable at commonly quoted intervals
- implied volatilities
- credit spreads
• inputs that are derived principally from or corroborated by observable market data by
correlation or other means (‘market-corroborated inputs’).

Source (retrieved April 12, 2018) – Deloitte microsite for IFRS 13: https://www.iasplus.com/en/standards/ifrs/ifrs13


Fair Value Hierarchy (Level 3 of 3)


Level 3:
Level 3 inputs are unobservable inputs for the asset or liability.

Unobservable inputs are used to measure fair value to the extent that relevant observable inputs
are not available, thereby allowing for situations in which there is little, if any, market activity for
the asset or liability at the measurement date. An entity develops unobservable inputs using
the best information available in the circumstances, which might include the entity’s own data,
taking into account all information about market participant assumptions that is reasonably
available.

Source (retrieved April 12, 2018) – Deloitte microsite for IFRS 13: https://www.iasplus.com/en/standards/ifrs/ifrs13


Measurement of Fair Value


Overview:
The objective of a fair value measurement is to estimate the price at which an orderly transaction
to sell the asset or to transfer the liability would take place between market participants at
the measurement date under current market conditions. A fair value measurement requires an
entity to determine all of the following:

• the particular asset or liability that is the subject of the measurement (consistently with its
unit of account)
• for a non-financial asset, the valuation premise that is appropriate for the measurement
(consistently with its highest and best use)
• the principal (or most advantageous) market for the asset or liability
• the valuation technique(s) appropriate for the measurement, considering the availability of
data with which to develop inputs that represent the assumptions that market participants
would use when pricing the asset or liability and the level of the fair value hierarchy within
which the inputs are categorised

Guidance on measurement:
IFRS 13 provides the guidance on the measurement of fair value, including the following:

• An entity takes into account the characteristics of the asset or liability being measured that
a market participant would take into account when pricing the asset or liability at measurement
date (e.g. the condition and location of the asset and any restrictions on the sale and
use of the asset)
• Fair value measurement assumes an orderly transaction between market participants at
the measurement date under current market conditions
• Fair value measurement assumes a transaction taking place in the principal market for the
asset or liability, or in the absence of a principal market, the most advantageous market for
the asset or liability
• A fair value measurement of a non-financial asset takes into account its highest and best
use
• A fair value measurement of a financial or non-financial liability or an entity’s own equity
instruments assumes it is transferred to a market participant at the measurement date,
without settlement, extinguishment, or cancellation at the measurement date
• The fair value of a liability reflects non-performance risk (the risk the entity will not fulfil an
obligation), including an entity’s own credit risk and assuming the same non-performance
risk before and after the transfer of the liability
• An optional exception applies for certain financial assets and financial liabilities with
offsetting positions in market risks or counterparty credit risk, provided conditions are met
(additional disclosure is required)

Source (retrieved April 12, 2018) – Deloitte microsite for IFRS 13: https://www.iasplus.com/en/standards/ifrs/ifrs13


Valuation techniques
An entity uses valuation techniques appropriate in the circumstances and for which sufficient
data are available to measure fair value, maximising the use of relevant observable inputs and
minimising the use of unobservable inputs.

The objective of using a valuation technique is to estimate the price at which an orderly
transaction to sell the asset or to transfer the liability would take place between market participants
at the measurement date under current market conditions.

Three widely used valuation techniques are:

• market approach – uses prices and other relevant information generated by market
transactions involving identical or comparable (similar) assets, liabilities, or a group of assets
and liabilities (e.g. a business)
• cost approach – reflects the amount that would be required currently to replace the service
capacity of an asset (current replacement cost)
• income approach – converts future amounts (cash flows or income and expenses) to a
single current (discounted) amount, reflecting current market expectations about those
future amounts

In some cases, a single valuation technique will be appropriate, whereas in others multiple
valuation techniques will be appropriate.

Source (retrieved April 12, 2018) – Deloitte microsite for IFRS 13: https://www.iasplus.com/en/standards/ifrs/ifrs13


Disclosure
Disclosure objective:
IFRS 13 requires an entity to disclose information that helps users of its financial statements
assess both of the following:
• For assets and liabilities that are measured at fair value on a recurring or non-recurring
basis in the statement of financial position after initial recognition, the valuation techniques
and inputs used to develop those measurements
• For fair value measurements using significant unobservable inputs (Level 3), the effect of
the measurements on profit or loss or other comprehensive income for the period

Disclosure exemptions:
The disclosure requirements are not required for:

• Plan assets measured at fair value in accordance with IAS 19 Employee Benefits
• Retirement benefit plan investments measured at fair value in accordance with IAS 26
Accounting and Reporting by Retirement Benefit Plans
• Assets for which recoverable amount is fair value less costs of disposal in accordance with
IAS 36 Impairment of Assets.

Identification Classes:
Where disclosures are required to be provided for each class of asset or liability, an entity
determines appropriate classes on the basis of the nature, characteristics and risks of the asset
or liability, and the level of the fair value hierarchy within which the fair value measurement is
categorised. [IFRS 13:94]

Determining appropriate classes of assets and liabilities for which disclosures about fair value
measurements should be provided requires judgement. A class of assets and liabilities will
often require greater disaggregation than the line items presented in the statement of financial
position. The number of classes may need to be greater for fair value measurements
categorised within Level 3.

Some disclosures are differentiated on whether the measurements are:

• Recurring fair value measurements – fair value measurements required or permitted by
other IFRSs to be recognised in the statement of financial position at the end of each
reporting period
• Non-recurring fair value measurements – fair value measurements that are required or
permitted by other IFRSs to be measured in the statement of financial position in particular
circumstances

Source (retrieved April 12, 2018) – Deloitte microsite for IFRS 13: https://www.iasplus.com/en/standards/ifrs/ifrs13

Specific disclosures required:
To meet the disclosure objective, the following minimum disclosures are required for each class
of assets and liabilities measured at fair value (including measurements based on fair value
within the scope of this IFRS) in the statement of financial position after initial recognition (note
these requirements have been summarised and additional disclosure is required where
necessary):

• The fair value measurement at the end of the reporting period*
• For non-recurring fair value measurements, the reasons for the measurement*
• The level of the fair value hierarchy within which the fair value measurements are
categorised in their entirety (Level 1, 2 or 3)*
• For assets and liabilities held at the reporting date that are measured at fair value on a
recurring basis, the amounts of any transfers between Level 1 and Level 2 of the fair value
hierarchy, the reasons for those transfers and the entity’s policy for determining when
transfers between levels are deemed to have occurred, separately disclosing and
discussing transfers into and out of each level
• For fair value measurements categorised within Level 2 and Level 3 of the fair value
hierarchy, a description of the valuation technique(s) and the inputs used in the fair value
measurement, any change in the valuation techniques and the reason(s) for making such
change (with some exceptions)*
• For fair value measurements categorised within Level 3 of the fair value hierarchy,
quantitative information about the significant unobservable inputs used in the fair value
measurement (with some exceptions)
• For recurring fair value measurements categorised within Level 3 of the fair value
hierarchy, a reconciliation from the opening balances to the closing balances, disclosing
separately changes during the period attributable to the following:
- Total gains or losses for the period recognised in profit or loss, and the line item(s)
in profit or loss in which those gains or losses are recognised – separately disclosing
the amount included in profit or loss that is attributable to the change in unrealised
gains or losses relating to those assets and liabilities held at the end of the reporting
period, and the line item(s) in profit or loss in which those unrealised gains or losses
are recognised
- Total gains or losses for the period recognised in other comprehensive income, and
the line item(s) in other comprehensive income in which those gains or losses are
recognised
- Purchases, sales, issues and settlements (each of those types of changes disclosed
separately)
- The amounts of any transfers into or out of Level 3 of the fair value hierarchy, the
reasons for those transfers and the entity’s policy for determining when transfers
between levels are deemed to have occurred. Transfers into Level 3 shall be disclosed
and discussed separately from transfers out of Level 3

Source (retrieved April 12, 2018) – Deloitte microsite for IFRS 13: https://www.iasplus.com/en/standards/ifrs/ifrs13


• For fair value measurements categorised within Level 3 of the fair value hierarchy, a
description of the valuation processes used by the entity
• For recurring fair value measurements categorised within Level 3 of the fair value
hierarchy:
• A narrative description of the sensitivity of the fair value measurement to changes
in unobservable inputs if a change in those inputs to a different amount might result
in a significantly higher or lower fair value measurement. If there are
interrelationships between those inputs and other unobservable inputs used in the
fair value measurement, the entity also provides a description of those
interrelationships and of how they might magnify or mitigate the effect of changes in
the unobservable inputs on the fair value measurement
• For financial assets and financial liabilities, if changing one or more of the
unobservable inputs to reflect reasonably possible alternative assumptions would
change fair value significantly, an entity shall state that fact and disclose the effect
of those changes. The entity shall disclose how the effect of a change to reflect a
reasonably possible alternative assumption was calculated
• If the highest and best use of a non-financial asset differs from its current use, an entity
shall disclose that fact and why the non-financial asset is being used in a manner that
differs from its highest and best use*.

• ‘*’ In the list above indicates that the disclosure is also applicable to a class of assets or
liabilities which is not measured at fair value in the statement of financial position but for
which the fair value is disclosed. [IFRS 13:97]

• Quantitative disclosures are required to be presented in a tabular format unless another
format is more appropriate.

Effective date and transition


IFRS 13 is applicable to annual reporting periods beginning on or after 1 January 2013. An entity
may apply IFRS 13 to an earlier accounting period, but if doing so it must disclose the fact.

Application is required prospectively as of the beginning of the annual reporting period in which
the IFRS is initially applied. Comparative information need not be disclosed for periods before
initial application.

Source (retrieved April 12, 2018) – Deloitte microsite for IFRS 13: https://www.iasplus.com/en/standards/ifrs/ifrs13

Financial Crime

Key Facts

• Types of Finance Crime:
- Money laundering and terrorist financing (AML/CFT)
- Tax Evasion
- Sanctions
- Cyber Crime
- Crime involving Crypto Currency/ICO

• Major Governing Regulations:
- Financial Action Task Force (FATF) on AML/CFT measures and financial inclusion
- 4th EU Anti-Money Laundering Directive

Key Initiatives

Financial crimes today continue to be the major concern of financial institutions throughout the world.

In recent years, the domains of anti-money laundering and counter terrorist financing (AML/CTF),
tax fraud prevention, cyber security and prevention of crime associated with crypto currency have
been merging into a more holistic view of financial crime. These areas share a need for rapid
actions by financial institutions.

Some of the initiatives led by Financial Institutions these days to combat financial crime include:
• Large investments to improve systems, operations and training;
• Set-up of Financial Crime Risk Mitigation Programme;
• Sourcing talents in financial crime expertise at all levels including in the Board;
• Global coordination with overseas entities and branches to unify and centralise business hubs; and
• Enhance level of assurance by putting in place self-assessment and quality assurance programmes.

Examples of recent financial crime cases

• January 2018: Apple was required to pay additional taxes of £81m to UK tax authority after audit.
• October 2017: 2 ICO platforms “Recoin” & “DRC World” were charged by US Securities Exchange
Commission (SEC) for selling unregistered securities & coins to investors with frauds.
• September 2017: 2 ICO platforms “Recoin” & “DRC World” were charged by US Securities Exchange
Commission (SEC) for selling unregistered securities & coins to investors with frauds.
• September 2017: 60 ICO platforms listed by the China government for investigation and report,
due to suspicion of fraud.
• May-September 2017 – Equifax: Data Leakage involving 700K UK and 2.5 mil US customers, making
them vulnerable to identity theft and other fraud.
• May 2017 – WannaCry Ransomware Attack: Over 200,000 victims across 150 countries, with economic
losses reaching up to USD 4 bil.
• January 2017 – Deutsche Bank (£163 mil): Failing to prevent money laundering due to weak systems
and insufficient controls.
• November 2016 – Agricultural Bank of China (USD 215 mil): Violating U.S. AML and sanctions law by
masking of suspicious transactions.


Regulatory Developments on Combating Financial Crime

Examples of Recent Regulatory Initiatives:
• Fraud Investigation Service (FIS) established for tax-fraud action | Aug 15
• HMRC Capital Gain Manual updated with tax treatment on cryptocurrencies | May 2016
• National Cyber Security Centre | Oct 2016
• Investment in data and cyber security to be boosted above £50 million | July 2017
• Office for Professional Body Anti-Money Laundering Supervision (OPBAS) | Jan 2018

Examples of Recent Regulatory Initiatives:
• Cybersecurity Law | June 2017
• The People’s Bank of China’s (PBOC) No.3 decree | July 2017
• ICO declared as an illegal activity | Sep 2017

Examples of Recent Regulatory Initiatives:
• Amendment of the Cybersecurity Basic Act | Apr 2016
• Act on Promotion of Information Processing | Apr 2016
• The Act on Prevention of Transfer of Criminal Proceeds | Oct 2016
• Inspection of all cryptocurrency exchanges | Jan 2018

Examples of Recent Regulatory Initiatives:
• Cybersecurity Fortification Initiative (CFI) launched by HKMA | Nov 2016
• The Anti-Money Laundering and Counter-Terrorist Financing (Amendment) Bill | July 2017
• Guidelines to reduce and mitigate hacking risks associated with internet trading | Sep 2017
• Reminder on cryptocurrency-related products and derivatives | Dec 2017
• Amendment Bill to prevent the shifting of profits to low or no-tax locations that have little or no
economic activity | Jan 2018

Examples of Recent Regulatory Initiatives:
• Cyber Security Advisory Panel (CSAP) | Sep 2016
• Consultation on payment service regulation, covering cryptocurrency transactions | Nov 2017


Impact of Financial Crime to Financial Institutions


Hidden costs greater than regulators’ fine
A financial penalty from a regulator makes up one part of the cost upfront; the others are
hidden costs that the public does not see, which usually exceed the cost of the penalty.

FINANCIAL CRIME
• Reputational Risk
• Compliance Risk
• Information Security Risk
• Operational Risk

Financial crime exposes the Financial Institution directly to a variety of risks (not limited to the
above) both internally and externally with a waterfall effect down to individuals in the FI who
are held accountable on negligence.

HIDDEN COSTS TO THE FINANCIAL INSTITUTION
• Compliance Control
• Remedial actions
• Re-training
• Legal enforcement
• Investigations
• Quality Assurance
• Independent Review
• Audit and Inspection
• Process Re-design
• Increase surveillance
• Data analytics
• System Enhancement

The cost of financial crime to a Financial Institution has a direct impact on people in the
organization, operational processes and information technology that supports the FI.

Key Challenges Faced by the Financial Institutions

• Lack of effective data management with advanced analytics to timely detect and prevent
financial crime threats
• Lack of need-based training program to increase staff awareness on the emerging threats
• Lack of appropriate governance structure to mitigate financial crime risk
• Evolving regulations make it hard for systems and process to remain updated with the latest
requirements
• Balancing between regulatory compliance and seamless customer experience
• Lack of skilled resources to manage, oversee and conduct financial crime prevention related
tasks

These challenges result in limited success in staving off threats and meeting regulatory
requirements. With the increased scope of financial crimes and regulatory liabilities,
financial institutions should regularly review and enhance their approach to risk mitigation
and compliance.

Customer Due Diligence Rule


FinCEN’s New Requirement to Collect Beneficial Ownership Information

Key Facts

• Title: Customer Due Diligence (“CDD”) Requirements for Financial Institutions
• Publication date: May 11th 2016
• Effective date: May 11th 2018.

• Scope: covered financial institutions: (i) insured banks; (ii) commercial banks; (iii) agencies or
branches of a foreign bank in the U.S.; (iv) federally insured credit unions; (v) savings
associations; (vi) corporations acting under section 25A of the Federal Reserve Act (Edge Act
corporations); (vii) trust banks or trust companies that are federally regulated and are subject
to an AML program requirement; (viii) broker dealers in securities registered, or required to be
registered, with the SEC under the Securities Exchange Act of 1934; (ix) futures commission
merchants or introducing brokers registered, or required to be registered, with the CFTC under
the Commodity Exchange Act; and (x) mutual funds.

• Targeted products/services: all financial instruments

• Related regulations (implementation in tandem):
- Bank Secrecy Act
- The Fourth EU Anti-Money Laundering Directive (EU 2015/849)

History and Agenda

• May 2018: US covered financial institutions must comply with the beneficial ownership requirements.
• May 2016: FinCEN publishes final rule on beneficial ownership requirements.
• June 2014: FinCEN proposed new CDD Rule.
• June 2013: US presented to the G8 its action plan for transparency on ownership and control.
• February 2012: FinCEN issued advanced notice.
• February 2010: FinCEN issued guidance to obtain beneficial ownership information.
• 2001: USA Patriot Act enacted to make FinCEN regulatory functions.
• 1970: Currency and Foreign Transactions Reporting Act is passed in the US.

Principles and Objectives

Prior to the effective date of FinCEN’s CDD Rule, financial institutions were not required to
identify the individuals who own or control their legal entity customers (“beneficial owners”).
Absent an exemption, a covered financial institution with either notice of, or a reasonable
suspicion that, a customer is evading or attempting to evade CDD requirements should consider
whether it should not open an account, close an account, or file a suspicious activity report.

The beneficial ownership requirement will address the failure to conduct CDD on beneficial owners,
and provide information that will help prevent financial crimes, improve the ability of financial
institutions to assess risk, facilitate tax compliance, and advance U.S. compliance with
international standards and commitments.

As this new requirement is effective in May 2018, banks may need help implementing and updating
their P&Ps for the new standard. Assessment of existing P&P could also be done to provide a gap
analysis and remediation action, if necessary.

Current BSA/AML Regulatory Landscape


Key Risk Areas in Customer Due Diligence

| Date | Institution | Key Reason | Fine (USD) |
|---|---|---|---|
| Jul 2015 | Subsidiary of Global US Bank | FDIC determined that the bank failed to implement an effective BSA/AML Compliance Program over an extended period of time. | $140 million |
| Feb 2016 | Global UK Bank | Bank processed 159 banned transactions which were for corporate customers of Bank’s Zimbabwe subsidiary that were owned 50 percent or more, directly/indirectly, by a company on OFAC’s List. | $2.48 million |
| May 2016 | US Financial Services Firm | Inadequate compliance and process systems to detect red flags, and not conducting due diligence review on foreign financial investments causing widespread failures related to the firms’ AML programs. | $17 million |
| Aug 2016 | New York Branch of Leading Taiwanese Bank | Fined for violating anti-money laundering requirements in a recent DFS examination, the bank’s head office was indifferent toward risks associated with transactions involving high-risk jurisdictions for money-laundering. | $180 million |
| Nov 2016 | New York Branch of Major Chinese Bank | Intentional wrongdoings including masking of suspicious transactions and falsified invoices to avoid DFS screening. | $215 million |
| Dec 2016 | Global Swiss Bank | FINRA detected deficiencies in the suspicious activity monitoring program: 1) reliance on registered representatives for escalation of trading activities; 2) improperly implemented automated systems to monitor suspicious money movement. | $16.5 million |
| Jan 2016 | Money Transfer Agent | In a statement from the U.S. Department of Justice and Federal Trade Commission, authorities describe insufficient or poorly enforced policies that resulted in the funneling of hundreds of millions of dollars in proceeds from illegal gambling, fraud and drug and human trafficking. | $586 million |

CDD Areas

Client Profile
• Name
• Address
• Identification Number – Tax ID Number
• Nature of Business

Beneficial Ownership and Controllers
• Control Prong

Relationship
• Length of Relationship
• Source of Funds
• Account Type
• Expected Transaction Volume and Account Balance

Screening, Sanctions, PEPs, Negative News
• World Check
• Authorized Signers
• Beneficial Owners
• Risk Rating

Potential Risks

• Insufficient screening capability and manual Due Diligence Process
• Lack of effective risk rating process and procedure
• Due diligence process not reflective to AML policies
• Lack of quality in customer data, including beneficial owners, control prong, controllers
data, and required legal documentation
• Lack of resources to perform Periodic Reviews
• Risk profile of customer does not quickly update reflective to material news received



Benefits of a Strong KYC program

BSA/AML Customer Due Diligence, commonly referred to as Know Your Customer (“KYC”), begins
with client on-boarding and does not end until the client terminates its relationship with the
financial institution, which makes up the “customer lifecycle”. Thus, KYC is needed at all phases
of the lifecycle in order to re-examine the adequacy and accuracy of customer data, as well as
immediately minimize AML risk exposure.

An efficiently implemented KYC program provides banks with the advantage of conducting due
diligence and periodic reviews with minimal allocation of resources. An efficient system
operates actively and is able to adjust a multi-factored risk-rating in accordance with
ever-changing compliance standards.

2016 Know Your Customer Survey


Thomson Reuters’ 2016 KYC Survey conducted among 822 FIs globally, identified:
• $60 million – average cost to meet KYC obligations
• Global banks spending up to $500 million on compliance with KYC/CDD
• 69% of banks said that the level of KYC/CDD engagement by regulators had increased
• 70% of C-Suite executives are spending more time on and attention to KYC
• FIs and customers agree that KYC procedures put more strain on the on-boarding and
client relationships
• 1/3 of FIs spend at least an entire day per week tracking and analyzing regulatory
changes

Benefits of Effective KYC and Onboarding include:


• Easier ongoing monitoring of KYC data
• Adequate risk assessments with corresponding monitoring controls
• Compliance with regulatory requirements and best-practice onboarding and monitoring
procedures
• Avoidance of legal fines and operating enforcements

NYSDFS Part 504


Review of New York State DFS (NYSDFS) Part 504

Key Facts

• Title: New York State Department of Financial Services (NYSDFS), Superintendent’s Regulations,
Part 504 (also known as 3 NYCRR 504)
• Publication date: June 12th 2014
• Effective date: January 1st, 2017
• First annual date of “Superintendent Annual Board Resolutions or Senior Officer(s) Compliance
Findings” submission: April 15, 2018

• Scope:
- New York State (U.S.) based Financial Institutions
- Anti-Money Laundering (AML) transaction monitoring / reporting

• Targeted products: all financial instruments

• Regulatory topics:
- Transparency and reporting
- Investor protection

• Related regulations (implementation in tandem):
- NY State Statutory authority: Banking Law §§37(3)(4); Financial Services Law §302.

History and Agenda

• May 2018: First annual date of “Superintendent Annual Board Resolutions or Senior Officer(s)
Compliance Findings” submission
• January 1st, 2017: Effective date in New York State
• June 2014: NYS DFS Press Release notifying Financial Institutions of the Effective Date
• December 1, 2015: NYS DFS Part 504 initial proposal was announced by NY State Governor
Andrew Cuomo

Principles and Objectives

• The Final Part 504 Rule requires the regulated institutions to adopt a ‘‘risk-based’’ and ‘‘as
appropriate’’ approach to transaction monitoring and filtering
• The requirements under the Final Part 504 Rule include:
- a Transaction Monitoring program to detect potential violations of the Bank Secrecy Act
(BSA) and other AML laws and identify and report suspicious activity; and
- a Watch List Filtering program to identify and interdict transactions prohibited by
applicable sanctions and terrorist financing rules, including those promulgated by the
U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), politically
exposed person (PEP) lists, and other relevant internal watch lists.
• A full program validation and review of the Institution’s Transaction Monitoring and Sanctions
Filtering programs is required for Part 504
• In-scope financial institutions must review and document their on-going management of the
Institution’s Transaction Monitoring/AML and Sanctions Filtering Program
• Findings and remedial efforts planned or underway, related to Part 504, need to be documented
• In-scope financial institutions must demonstrate the involvement and oversight of the
Institution’s Senior Management and Board of Directors to comply with the NYSDFS Part 504
• In-scope financial institutions must be able to certify and submit the “Superintendent Annual
Board Resolutions or Senior Officer(s) Compliance Findings” on an annual basis to NYSDFS,
by April 15th


Frequently Asked Questions regarding Part 504 (as of April 9, 2018):


1. What date should a Regulated Institution use for the “as of” date for its transaction
monitoring and filtering program certification?
Regulated Institutions should submit the required certification covering the prior calendar year
by April 15 of each year.

2. May a Regulated Institution submit a certification under 3 NYCRR 504.7 if it is not yet in
compliance with the requirements of Part 504?
The Department (NYS DFS) expects full compliance with the regulation. A Regulated Institution
may not submit a certification under 3 NYCRR 504.7 unless the Regulated Institution is in
compliance with the requirements of Part 504 as of the effective date of the certification.

3. Should a Regulated Institution send additional documentation along with the certification
proving that the system is in compliance?
The Regulated Institution must submit the compliance certification to the Department and is not
required to submit explanatory or additional materials with the certification. The certification is
intended as a stand-alone document required by the regulation. The Department also expects
that the Regulated Institution maintains the documents and records necessary that support the
certification, should the Department request such information in the future. Likewise, under 3
NYCRR 504.3(d), to the extent a Regulated Institution has identified areas, systems, or
processes that require material improvement, updating or redesign, the Regulated Institution must
document such efforts and maintain such schedules and documentation for inspection during
the examination process or as otherwise requested by the Department.

4. Does the Department require pre-implementation testing for systems the Regulated
Institutions use that were operational prior to the Regulation?
The Department will not require full end-to-end, pre implementation testing of systems that the
Regulated Institution uses that were operational prior to the effective date of the regulation,
as is required when adopting new systems. However, under 3 NYCRR 504.3(a)(2), Regulated
Entities’ systems and programs must “be reviewed and periodically updated at risk-based
intervals” and thus Regulated Institutions are expected to conduct periodic risk based systems
testing and data validation on all systems that support the transaction monitoring and filtering
program.

5. Does the Department require the Regulated Institution to conduct a vendor selection for the
systems that are already in place prior to the Regulation?
The Department does not require a Regulated Institution to conduct a vendor selection process
for vendors that were engaged prior to the effective date of the regulation, as is now required
when hiring a new vendor to acquire, install, implement or test the transaction monitoring and
filtering program. However, on an ongoing basis, 3 NYCRR 504.3(c)(7) requires Regulated
Institutions to engage qualified personnel or outside consultants for these purposes and as such
Regulated Entities should have processes in place to confirm that the personnel and vendors
it has engaged to execute its transaction monitoring and filtering program are qualified and
competent.

Source: NYS DFS website (updated by NYS DFS as of April 9, 2018), retrieved April 15, 2018:
https://www.dfs.ny.gov/legal/dfs/trans_monitor_faqs.htm


Frequently Asked Questions regarding Part 504 (as of April 9, 2018): CONTINUED
• Final adoption publication, online:
https://www.dfs.ny.gov/legal/regulations/adoptions/dfsp504t.pdf

• Where does a Financial Institution submit a Certification of Compliance? In order to
submit your certification of compliance, a NYS DFS portal account online is required. If your
Financial Institution does not have an account, it may create an account at the Regulation
504 Transaction Monitoring portal.

• New York State Regulation 504 Transaction Monitoring portal URL:
https://myportal.dfs.ny.gov/web/regulations-504

Source: NYS DFS website (updated by NYS DFS as of April 9, 2018), retrieved April 15, 2018:
https://www.dfs.ny.gov/legal/dfs/trans_monitor_faqs.htm

GDPR
Strengthening and harmonizing EU data protection rules

Key Facts:
• Title: The General Data Protection Regulation (Regulation (EU) 2016/679)
• Publication date: 14th April 2016
• Effective date: 25th May 2018

• Scope: The regulation applies to any EU firm and any firm worldwide that holds personal data
on EU data subjects
• Regulatory topics:
- Data protection and data subject rights
- Lawfulness of data processing
- Data breaches
- Consent for collection
- Governance - Data Protection Officer (DPO)
• Related regulations/ directives:
- Replaces the EU Data Protection Directive 1995 (officially Directive 95/46/EC)
- Replaces the UK Data Protection Act 1998
- Being implemented as the UK Data Protection Bill 2017

Principles and Objectives


The GDPR is a new piece of legislation setting out new rules and changes in obligations meant to
strengthen and harmonise personal data protection requirements across the EU.

The regulation goes beyond the requirements of the previous Data Protection Act of 1998,
increasing the standards for data protection, and applies to the processing of personal data from
both the B2B and the B2C world, without differentiation. A key requirement is that the consent of
an individual to data processing activities must be unambiguous. Consent cannot be implied from
inaction but must be the result of a positive action by the individual.

There are significant impacts on firms, notably the fines for non-compliance of up to €20mn or
4% of annual turnover, whichever is greater.

The GDPR will confer many new rights upon EU Citizens:


Right to object:
The customer has the right to demand that the controller not use its data for certain purposes
Right to data portability:
The customer has the right to receive its data in a machine readable way
Erasure/right to be forgotten:
Upon request the customer can request the controller to forget its data through all systems
Right of access:
The customer has the right to see all the data the controller is processing
Right to restriction of processing:
The customer has the right to ask the controller to not use its data in any processing activities
Right to Rectification:
The customer has the right to demand the controller to adapt and change its data

GDPR introduces a number of key new obligations

Data breach notification and security

• 72 hour data breach notification requirement
• Ensure level of security appropriate in light of the risks
• Implement robust cyber security measures, data breach detection mechanisms, and escalation
processes
• Consider cyber insurance options
• Anonymise personal data or (if not possible) pseudonymise

Data Minimisation

• Data capture and retention must be limited to the minimum requirements specific to the
stated purpose of its use
• Capture holistic view of processes where personal data is collected and used within the
organisation (e.g., data register)
• Utilise the data register to assess volume and purpose of data against minimum requirements

Information Provision

• Provide information in a ‘‘transparent, intelligible, and easily accessible form’’
• Review/amend privacy notices
• Establish and document data retention periods and legal grounds for processing

Data Consent

• Consent must be freely given, awarding people genuine ongoing choice and control
• Consent must be specific and informed, covering the controller’s and any other third parties’
name, the purpose of processing, and the types of processing activity
• Explicit consent must be specifically established in words, rather than any other positive action
• Consent requests must be prominent and unambiguous, i.e. separate from other terms and
conditions, and require a positive opt in to establish consent
• Ensure systems are in place to request, record, and withdraw consent throughout the use of data

Key Actions

WHAT SHOULD BE REVIEWED AND REALIGNED WHERE NEEDED?
• Governance
• Information flows
• Organisation
• Processes

Reorganisation costs

GDPR impacts your governance, information systems, reporting and processes

We have identified 4 key operational impacts: governance, information systems, reporting and processes.
Based on our experience, processes and information systems are the most impacted parameters

Governance
• Implement a self-sufficient data protection
framework
• If necessary, appoint a Data Protection Officer
(DPO) and ensure effective communication
across your departments and DPO
• Create a network of correspondents to ensure
communication effectiveness
[Figure: Sia Partners Impact Index, covering Governance; Information Systems; Reporting,
Disclosures, and Documentation; Processes]

Information systems
• Maintain robust data security protocols
• Implement data tracking functionalities to identify potential breaches, oversee
compliance with data retention periods and enable data deletion
• Secure appropriate level of protection when designing new tools/applications involving
the processing of EU data subjects’ personal data
Reporting
• Implement new processes for customer reporting (data collected and processed),
disclosures (data breaches), process maps (process inventory), and risk assessments
(data protection framework annual review, privacy impact assessments)
Processes
• Realign the way you collect personal data:
explicit consent, privacy by design & by
default, and inclusive of data subject rights:
1. Right to object
2. Right to be forgotten
3. Right to data portability
4. Right to Access
5. Right to restrict processing
6. Right to rectification
• Define data streams necessary to conduct
your activities and answer client requests
• Cover data transfer to competitors (data
portability)

Common misconceptions around the GDPR

Misconception: THE GDPR IS ONLY ABOUT ONLINE DATA
Analysis:
• The GDPR is technology neutral
• New rules apply to personal data both in the online and offline world (e.g. paper filing system)

Misconception: I AM ONLY PROCESSING B2B DATA, SO THE GDPR IS NOT FOR ME
Analysis:
• The GDPR applies to the processing of personal data, and does not differentiate between
personal data from the B2B and the B2C world
• Personal data in the B2B world includes work email address, work direct dial number, name,
job title and workplace postal address because all these data identify a living individual

Misconception: I DON’T PROCESS DATA AUTOMATICALLY, THE GDPR IS NOT FOR ME
Analysis:
• The GDPR applies to personal data which are processed
- automatically (e.g. profiling), partially automatically
- processed by any other means, including manual processes (i.e. by a human being)

Misconception: ALL I NEED TO DO IS TO REVIEW AND UPDATE MY PRIVACY POLICIES AND PRIVACY
NOTICES TO COMPLY WITH THE GDPR
Analysis:
• The GDPR increases the standards of already existing obligations related to data protection
• There are additional policies that need to be written but more importantly there is an
underlying need to understand your data: how it has been handled, used and shared and embed
these changes into your business practices

Misconception: I HAVE THE CONSENT OF INDIVIDUALS TO USE THEIR DATA, I DON’T NEED TO
IMPLEMENT THE GDPR
Analysis:
• The GDPR increases the standards for data protection, including the requirement that consent
of an individual to data processing activities must be unambiguous
• Consent cannot be implied from inaction but must be the result of a positive action by the
individual
• Marketers will have to review their way of collecting consent from individuals to receive
communications

Misconception: ALL OUR OFFICES OUTSIDE THE EU ARE NOT IMPACTED
Analysis:
• If EU personal data is being processed by offices globally, the GDPR still applies to these
locations

Misconception: BRITAIN IS LEAVING THE EU SO THIS WON’T APPLY TO ME
Analysis:
• The rules apply to any firm holding data on EU data subjects
• The rules will apply in advance of Britain leaving the EU, meaning that British firms will need
to implement the rules to avoid non-compliance
• Finally, similar standards will be adopted into UK law separately through the Data Protection Bill

GDPR extra-territorial impacts in Asia


What impacts on Asian businesses?

The extra-territorial impacts of GDPR


• The global Data privacy landscape is evolving rapidly, especially following the publication of the
European GDPR, the new data which will be enforced in May 2018.
• GDPR introduces a significant uplift of the data privacy standards, by strengthening the rights of the data
subjects and elevating the obligations of the data controllers and processors.
• One of the newest concepts introduced by the EU GDPR is extra-territoriality: any company holding
personal data of individuals who are located in the EU, regardless of its operating location, needs to
comply with GDPR. Therefore, many businesses in Asia will fall within scope.
• Sia Partners provides a simple diagram, to understand whether the GDPR impacts a certain company or
not, with 3 simple questions:

• A number of local regulators in Asia have undergone a thorough review of their local data privacy laws,
following GDPR publication:

Hong Kong Data Privacy Commissioner Stephen Wong has appointed his bureau to
conduct an extensive review of the data-protection regime in Hong Kong.
The objective is to point to considerable shortfalls between Hong Kong and EU law
and propose recommendations on changes to local law.
The Privacy Commissioner of Personal Data has issued a non-binding guidance
booklet in April 2018, which highlights the new concept and possible impact of GDPR
to Hong Kong businesses.

Tan Kiat How, Head of the Personal Data Protection Commission of Singapore, has
announced plans for significant amendments to the current Act.
His bureau is reviewing the Personal Data Privacy Act (PDPA) and has identified
some issues to address in the coming year, with a plan to review the consent
regime, data protection certification framework and data breach notification.

Japan’s reformed privacy law came into full force May 30, 2017 to reduce the
differences with the GDPR. The establishment of the Personal Information
Protection Commission in Japan, which is dedicated to the establishment and
enforcement of privacy regulations, significantly enhances Japan’s privacy law
system.

GDPR and local laws


• The impacts of GDPR on Asian businesses depend on the gap between the local law in force and GDPR. With a fragmented data privacy protection landscape across Asia, the workload associated with GDPR projects for each Asian country needs to be assessed on a case by case basis.
• Sia Partners has conducted a thorough study in Hong Kong and Singapore, where local companies have started to grasp the importance of GDPR following some announcements by their Privacy Commissioners - respectively Stephen Wong and Tan Kiat How - to propose amendments of the privacy law and uplift the standards.

Common principles with GDPR


[Figure: GDPR requirements covered by the Hong Kong Personal Data (Privacy) Ordinance. Labels in the figure: Definition of personal data; Data security obligation; Right to be informed; Data protection by design and by default; Right of access; Right to object; Right of rectification; Data Protection Officer]

The gaps between GDPR and local laws


The notion of sensitive data in GDPR

Description:
Sensitive data refers to special categories of personal data, such as information on medical conditions, financial situation, racial or ethnic origin, political opinions, religion or philosophical beliefs.
According to GDPR, such data requires particular attention and appropriate security measures should be implemented to guarantee its security, such as:
• Pseudonymization
• Data encryption

Gaps with PDPO and PDPA:
• PDPA has no definition of sensitive data while there is a non-binding guidance issued by the HK PCPD (in the context of biometric data) that indicates that higher standards should be applied as a matter of best practice to more sensitive personal data.

Operational Impacts:
As a consequence, for companies handling sensitive data: a complete review and categorization of special categories of data will be necessary to adopt enhanced security measures around the processing of this data.


The data breach notification

Description:
Data Protection Authorities (DPA) can only take appropriate enforcement action in relation to data breaches if they are aware of those breaches. Therefore, the GDPR requires controllers and processors to report such breaches to DPAs in certain circumstances.
Under GDPR, any event leading to the destruction, loss/alteration, unauthorised disclosure of/access to personal data must be notified to the regulator by the organisation holding such data, within 72 hours of the organisation becoming aware of it.

Gaps with PDPO and PDPA:
Although both PDPO and PDPA encourage notification of data breaches to the Office of the Privacy Commissioner for Personal Data and relevant parties, there is no binding obligation or stringent timeframe for doing so.

Operational Impacts:
A substantial impact, and intense time pressure, can be expected on a company’s processes to identify, review and report data breaches. It will be necessary to implement data breach response plans, incident detection mechanisms and escalation processes.
We also recommend implementing robust security measures, such as personal data anonymisation or pseudonymisation by hashing data.

The data protection officer

Description:
Under certain circumstances, GDPR requires the data controller to appoint a Data Protection Officer (DPO) to deal with data privacy protection matters within the company and face the data protection Authorities in case of disputes.
Even if a company does not fall into the categories mentioned by GDPR, it should still appoint a DPO as best practice for its reputational value, to highlight the company’s engagement with data privacy protection matters.

Gaps with PDPO and PDPA:
The GDPR requirement is not covered by the PDPO, while PCPD issued a non-binding guidance to advocate the development of a privacy management programme and the appointment of a DPO.
While appointing a DPO is mandatory under PDPA, only 50% of the companies have appointed a DPO (as of Jan 2017, according to PCPD).

Operational Impacts:
The appointment of a DPO will require an overhaul of a company’s internal structure and a review of its current job specifications to ensure its optimal reporting line.



The right to data portability

Description:
GDPR states that the data subject can request to transmit the personal data previously provided from one controller to another controller, without hindrance from the controller. The transmission process should be carried out by automated means if technically feasible.

Gaps with PDPO and PDPA:
There is no such requirement in either PDPO or PDPA.

Operational Impacts:
To comply, data controllers will have to restructure their data sets and implement processes to enable data exchange upon request.

The Privacy Impact Assessments

Description:
The GDPR introduces PIAs as a means to identify high risks to the privacy rights of individuals, when processing their personal data.
Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

Gaps with PDPO and PDPA:
In PDPO, PIAs are encouraged when the processing activities are related to biometric data, while in the “Guide to Data Protection Impact Assessments” issued by the PDPC of Singapore, PIAs are encouraged when creating a new system or process that involves handling of personal data.

Operational Impacts:
PIA will be an additional compliance step for Organisations when they launch new projects or products, involving extra cost and time to be considered at the budgeting phase.

Existing standards in PDPO and PDPA, strengthened by GDPR


The Customer Consent

Description:
Each and every data processing activity requires a lawful basis. Consent provides one such lawful basis.
Conditions to obtain a valid consent from individuals to use their personal data are stricter under GDPR. The consent must be freely given, unambiguous, explicit (given by either a statement or clear affirmative action) and expressed by the data subject.

Gaps with PDPO and PDPA:
Under PDPO, an indication of no objection is considered as consent but is not valid under GDPR as not resulting from a positive action.
PDPA considers deemed consent where personal data is voluntarily provided by the data subject; therefore, in such case, the consent does not need to be expressed or verbalized at all.

Operational Impacts:
The Organizations will have to carry out a complete review of the way the customer consent is collected (contracts, online forms, etc.) to make sure it will meet GDPR standards on being specific, granular, clear, opt-in, documented and easily withdrawn. This applies to both new and existing consents.

The Accountability principle

Description:
Data controllers are accountable for GDPR compliance, meaning not only are they responsible for enforcing GDPR within the Organisation, but they are obliged to demonstrate compliance to the regulator.
While the principles of accountability have previously been implicit requirements of data protection law, the GDPR makes them mandatory.

Gaps with PDPO and PDPA:
Both PDPO and PDPA provide guidance on how to embrace the notion of accountability as a vehicle to drive privacy compliance, without the notion of a mandatory accountability principle.

Operational Impacts:
The accountability principle means additional compliance steps for the data controller to:
• Keep a record of all processing activities
• Appoint a DPO when necessary
• Implement measures that secure compliance with the data protection principles
• Use PIA whenever appropriate

The right of rectification

Description:
The data subjects have the right to obtain from the controller the rectification of inaccurate personal data concerning them, without undue delay.
The GDPR stipulates that personal data that is processed should be accurate and kept up to date. Should the data subjects request to rectify their personal data, Organisations must oblige within one month from the date of request.
Moreover, if the personal data has been disclosed to third parties, the data controller must inform them of the rectification where possible.

Gaps with PDPA:
Under PDPA, it is an absolute requirement only when the personal data in question is likely to be used by the organization to make a decision that affects the individual to whom the personal data relates or if likely to be disclosed to a third-party.

Operational Impacts:
To comply, Organisations must implement reporting and processes to ensure the quality of the personal data they hold and process about the individuals. They must be able to respond to personal rectification requests in a timely manner.

The right to object (to profiling)

Description:
Under GDPR, the data subjects have the right to object, regardless of the process purpose, at any time to processing of personal data, unless the data controller can demonstrate the legitimate ground.

Gaps with PDPO:
Such right only applies to direct marketing for PDPO

Operational Impacts:
With regard to the consent process mentioned earlier, companies will have to review their privacy notices and implement a more comprehensive process to collect consents and objections.


The right of access

Description:
Data subjects have the right to access their personal data held by an organization.
Under GDPR, the request for personal data access should be processed without delay and at the latest within one month from the date of request. The copy of the information must be provided free of charge.

Gaps with PDPA:
GDPR does not impose a time limit for personal data access while PDPA only requires to disclose information concerning the use or disclosure of personal data in the preceding one year from the date of request.

Operational Impacts:
To comply with GDPR, Organisations should respond to personal data access and rectification requests in a timely manner and maintain a record of processing activities to be made available to the data subject upon request.

The right to be forgotten

Description:
The right to erasure, also known as the right “to be forgotten”, is to enable an individual to request the deletion or removal of personal data.
Upon the data subject’s request, the data controller is obliged to erase personal data without undue delay where specific conditions are met.

Gaps with PDPO and PDPA:
• PDPO states that all practicable steps must be taken to erase personal data held by the data user where the data is no longer required for the purpose but does not specify that a data subject has the right to request personal data erasure.
• In PDPA, data must be destroyed or deidentified only when there are no longer any legal or business and any other purpose for its retention.

Operational Impacts:
To comply with GDPR, it will be necessary to upgrade IT systems to enable deletion of data and conduct a regular review of data retention schedules to erase unused or obsolete data.

The Organisations in Hong Kong and Singapore need to make numerous changes if they need to be
compliant with GDPR, with impacts expected on:

Governance Information Systems Reporting Processes


In addition to more stringent obligations under GDPR, businesses could be fined up to four percent of their global annual turnover or EUR20 million (USD23.35 million), whichever is higher. Statutory fines in Hong Kong are relatively low at HK$100,000 (US$12,780) – except for direct marketing offences – and in Singapore SGP$1 million (US$732,900), so they do not act as a deterrent in certain circumstances.

Data Privacy
Overview of Asian Framework

Common Principles and Objectives


• As regulators come to grips with these new laws, differences in interpretation are becoming apparent and attention should be paid to local context. However, Asia’s data privacy laws draw from a consistent set of core data protection principles as set out in the table below.
• Indeed, these regulations are based on the notion of purpose: all data can only be collected or processed for a clearly defined and lawful purpose and cannot be retained beyond this purpose. Moreover:
  - Companies must vouch for the security of data and ensure transparency.
  - They must also guarantee the right of those concerned to have easy access and they must have sufficient resources to update data in order to ensure continuous accuracy and relevance.
  - If companies wish to transfer the data, they must first seek the approval of the supervisory authority.

Laws compared:
• Hong Kong | Personal Data (Privacy) Ordinance
• Singapore | Personal Data Protection Act
• Japan | Act on the Protection of Personal Information

CORE PRINCIPLES                              Hong Kong   Singapore   Japan
PURPOSE AND MANNER OF COLLECTION*            ✓           ✓           ✓
ACCURACY AND DURATION OF RETENTION           ✓           ✓           ✓
USE                                          ✓           ✓           ✓
SECURITY                                     ✓           ✓           ✓
INFORMATION TO BE GENERALLY AVAILABLE        ✓           ✓           ✓
ACCESS & TRANSFER LIMITATION                 ✓           ✓           ✓
DO-NOT-CALL (DNC)                                        ✓**

*Including notification, consent…


** Data Users are required not to send marketing messages to individuals who have registered in the National DNC registry through


Major common requirements and operational impacts 1/2

Purpose and Manner of Collection

Description:
• The purpose of collection must relate to a function or activity of the data user.
• Collection shall be necessary but not excessive to that purpose.
• Means of collection must be lawful and fair.
• Before collecting data, the data user must inform the customer:
  1. Whether it is obligatory or voluntary. If obligatory, the consequences of failing to supply the data;
  2. The purpose of collection;
  3. The classes of persons to whom the data may be transferred; and
  4. The rights of the data subject to request access to and the correction of the data.

Operational Impacts:
Establish documentation to use customers’ data.
Establish and document strong controls for access to, use and transfer of biometric data.
Ensure data accuracy: data users must ascertain and be satisfied that errors are within reasonable limits.
Ensure and demonstrate that retention doesn’t exceed the required “necessary and not excessive” period for the lawful purpose for which it is collected.

Accuracy and Duration of Retention

Description:
• Obligation to ensure that personal data is accurate and kept no longer than necessary, in particular in case of transfer to a third party.
• Obligation to take all practicable steps to erase personal data no longer required

Operational Impacts:
A Data Privacy Officer might be appointed to oversee data privacy issues within the company.

Use

Description:
• Data users are required not to use personal data collected for a new purpose without the express consent of the customer.

Operational Impacts:
Collect express consent of the customer before using data for a new purpose.


Major common requirements and operational impacts 2/2

Security

Description:
• Obligation to take all practicable steps to protect the personal data against unauthorized or accidental access, processing, erasure, loss or use (being data kept by the data user or transferred to a data processor).

Operational Impacts:
Customers’ data stored electronically in the database, computers or portable storage devices should be protected with adequate IT security measures and access control.

Information to be generally available

Description:
• Requires a data user to take all practicable steps to ensure openness and transparency about its personal data policies and practices, the type of personal data it holds and the main purposes for which the data is used.

Operational Impacts:
Data users should formulate and make available to customers their Privacy Policy Statements stating in detail the kind of personal data held, the main purposes of use of each type of personal data and their privacy policies and practices in place.

Access

Description:
• The customer has the right of access to and correction of his personal data held by a data user.

Operational Impacts:
The data user is required to comply with such request within a defined number of business days after receiving the request and must set up appropriate processes.


Cybersecurity
Global Financial and Legal Cybersecurity Regulation Actors and Frameworks

Cybersecurity initiatives with Global impacts

Key Facts
• Financial Services is the most impacted industry sector in terms of cyber crime
• The financial services industry faces a rapidly evolving threat, and the sophistication of cyber attacks leads to significant risk for the stability of financial systems and operations
• The financial services industry faces a stricter government regulatory climate
• Financial institutions need to enhance the resilience of financial systems and embrace a fully dynamic approach, controlling risk scenarios & protecting their own assets and those of their customers

SWIFT Customer Security Program shakes the Financial Industry worldwide

Following the successful USD 81 million funds heist from the Bangladesh Bank account at the Federal Reserve Bank of New York, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) established the Customer Security Program to support its customers in the fight against cyber-fraud using the SWIFT network.

SWIFT users are required to define, document, implement and assess their payment processes and technologies against SWIFT’s controls through:
• A Self-assessment against the SWIFT Customer Security Controls Framework (CSCF), comprised of 16 mandatory security controls and 11 advisory security controls;
• A Self-attestation on user’s compliance with the CSCF controls, based on the results of the self-assessment (referring to SWIFT Customer Security Controls Policy).

Guidance on cyber resilience for financial market infrastructures
Six years ago, in 2012, CPMI and IOSCO (the International Organisation of Securities Commissions) released the Principles for Financial Market Infrastructures (PFMI). This was a groundbreaking effort to define international standards for market infrastructures and promote orderly market and financial stability.

ISO / IEC Refresh
The ISO / IEC Information technology, Security techniques and guidelines for cybersecurity were refreshed in July 2012.

PFMI
The Principles for financial market infrastructures are the international standards for financial market infrastructures, i.e. payment systems, central securities depositories, securities settlement systems, central counterparties and trade repositories.

History and Agenda
• January 2019: inspections begin: Non Compliance to self-assessment will be reported to supervisory bodies and messaging counterparties
• January 2018: inspections begin: Non Compliance to self-attestation will result in SWIFT reporting to supervisory bodies and messaging counterparties
• May 2017: SWIFT released the Customer Security Controls Policy updates
• May 2016: SWIFT released the Customer Security Program (CSP)
• Nov 2015: The Committee on Payments and Market Infrastructures (CPMI) and the board of the International Organization of Securities Commissions (IOSCO) released the Guidance on cyber resilience for financial market infrastructures
• July 2012: ISO/IEC 27032: 2012
• July 2012: CPMI and IOSCO launches PFMI

Recent federal moves in the US

NIST - Cybersecurity Framework (CSF) v1.1

• NIST CSF has the objective to standardize a security framework for critical infrastructure in the US. It has been adopted and recognized by many other industries, such as Financial Services.
• The NIST CSF is organized in five core Functions, which represent the security lifecycle: Identify, Protect, Detect, Respond and Recover.
• Each of these functions is split into categories and subcategories that are mapped to other frameworks such as CSC, COBIT, ISO 27k, NIST SP800-53.
• The recent update of this globally recognized framework aims at reducing and better managing cybersecurity risks by providing structured approaches, standards, guidelines, and practices aligned with today’s reality of cyber threats.

Clarifying Lawful Overseas Use of Data Act (or “CLOUD Act”)

• The CLOUD Act is a federal law enacted in 2018 that amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to serve warrants or subpoenas on server-stored data regardless of the physical location of the servers, as long as the service provider is a US-based company, and without informing those involved.
• The CLOUD Act poses a new threat and legal implications for data security, data privacy, and law enforcement capabilities, which divides the cyberspace into supporters (e.g. US technology companies and service providers) and opponents (e.g. advocates for privacy and human rights). It is also not clear whether the bill would meet legal requirements under the EU’s GDPR.

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

• President Trump’s executive order aims to assess the scope and efficiency of the education effort to support the growth and sustainment of the Nation’s cybersecurity workforce in both the public and private sectors. It provides a report to the President with findings, recommendations, and strategies to improve that workforce in both the public and private sectors from primary to higher education.

History and Agenda
• April 2018: NIST Cybersecurity framework v1.1
• Mar 2018: CLOUD Act: Clarifying Lawful Overseas Use of Data
• May 2017: Executive Order: On “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”

Other significant cybersecurity initiatives

Recent moves by individual states

• The NY Department of Financial Services (NYDFS) Cybersecurity Regulation Part 500 (23 NYCRR 500) is a new set of regulations that place new cybersecurity requirements on all covered financial institutions, with several implementation dates starting July 2017. Most of the entities are concerned, as it provides an exemption only for firms below 10 employees or few million dollars gross revenue/total assets.

Older significant initiatives impacting financial industry

• The Continuation of the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities executive order aims to improve the Nation’s cyber posture and capabilities to face cyber threats to its digital and physical security on four fronts: (i) secure the Federal networks that operate on behalf of the American people, (ii) encourage collaboration with industry to protect critical infrastructure, (iii) strengthen the deterrence posture of the US and build international coalitions, (iv) build a stronger cybersecurity workforce.
• FS-ISAC collaborated with members of the FSSCC on a user-friendly Excel spreadsheet tool to assist financial institutions of all sizes to collect and score their responses to the FFIEC Cybersecurity Assessment Tool. Language specific to inherent risk profile and maturity levels was taken verbatim without any attempt to change or interpret FFIEC expectations.
• The FFIEC released the Cybersecurity Assessment Tool to help institutions of all sizes identify their risks, assess their cybersecurity preparedness, and help inform their risk management strategies. Some FFIEC agencies are using the results of the Cybersecurity Assessment Tool as part of the examination and supervisory process.
• The C³ (Critical Infrastructure Cyber Community) Voluntary Program coincides with the release of the NIST Cybersecurity Framework v1.0 and focuses on (i) engaging specific agencies, (ii) developing guidance on how to implement the Framework and (iii) broadening the program’s reach to all critical infrastructure and businesses interested in using the Framework.
• The Obama Executive Order Improving Critical Infrastructure Cybersecurity seeks to improve existing public-private partnerships by enhancing the timeliness of information flow and cyber threat intelligence sharing between public and private entities identified as a target. It improves the process to expedite security clearance processes to share this information.
• CISPA - Cyber Intelligence Sharing and Protection Act of April 2013, which calls for protection against lawsuits aimed at companies that disclose breach information.

History and Agenda
• Feb 2017: 23 NYCRR Part 500
• Dec 2016: Executive Order: Continuation of the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities
• Nov 2015: Financial Services Sector Coordinating Council (FSSCC) released Automated Cybersecurity Assessment Tool (ACAT) for all members of financial services industry
• Jun 2015: Federal Financial Institutions Examination Council (FFIEC) released Cybersecurity Assessment Tool (CAT)
• Feb 2014: NIST Cybersecurity Framework v1.0; C³ Voluntary Program
• Feb 2014: Executive Order: On “Improving Critical Infrastructure Cybersecurity”
• Apr 2013: CISPA Act

Other finance related regulations


• FINRA - Financial Industry Regulatory Authority - multiple guidance, notices and regulations:

Guidance:
2018 Regulatory and Examination Priorities Letter – Cybersecurity being one of the key items

Notices:
2015 Notice on Distributed Denial of Service (DDoS) Attacks on Member Firms
2012 Hoax Emails That Purport to Be From Regulators

Regulations:
i. S-P (17 CFR §248.30): firms to adopt written policies and procedures to protect customer
information against cyber-attacks and other forms of unauthorized access
ii. S-ID (17 CFR §248.201-202): firm’s duties regarding the detection, prevention, and mitigation
of identity theft
iii. The Securities Exchange Act of 1934 (17 CFR §240.17a-4(f)), requires firms to preserve
electronically stored records in a non-rewriteable, non-erasable format

Legacy frameworks still in use


• California Assembly Bill 1950 (2004)
• California Notice of Security Breach Act of 2003
• HSA - Homeland Security Act of 2002
• FISMA - Federal Information Security Management Act of 2002
• GLBA - Gramm–Leach–Bliley Act of 1999
• HIPAA - Health Insurance Portability and Accountability Act of 1996


Bank of England CBEST


• CBEST is a derivative of CREST STAR with additional requirements and inputs from Threat Intelligence to ensure resilience of the banking system in the UK. While it is not compulsory, strong incentives are expected from regulators.
• The framework includes standardised reporting formats for providers, and a series of KPIs used by the Bank of England to assess the performance of both providers and participants.
• CBEST proposes a comprehensive approach to threat modelling by listing and documenting threat actors’ profiles: (i) Goal orientation, (ii) Adversary Capabilities, (iii) Modus operandi
• This threat profile will then be used to tailor and increase the efficiency of:
  • Penetration tests, that will make use of realistic scenarios derived from the threat model
  • Cyber readiness assessments by the regulators to assess the vulnerability of the industry
  • Firms & Financial Market Infrastructures threat assessments, to comply with CBEST requirements
  • Day-to-day security operations, for example on the Incident Detection, as illustrated below

History and Agenda
• Nov 2016: NCSS: National Cyber Security Strategy 2016-2021
• Oct 2016: NCSC: National Cybersecurity Center an original
• mid 2014: CBEST: Announcement and launch of CBEST
• Nov 2011: First UK Cyber Security Strategy

CBEST addresses 2 main challenges for banks

1
Challenge: Security is a Business need that has to be carried at the Executive level. Information security more often fails due to lack of empowerment than lack of budget
How CBEST addresses it: Strong governance is enabled through an Oversight Committee that plans, pilots simulation and makes sure the Executive Board is aware of actions that have to be taken and mitigation plans to be implemented

2
Challenge: Security testing is a core component of the enterprise cybersecurity. However, it has limitations such as the adequacy of tests and their coverage of real-life scenarios
How CBEST addresses it: The framework elaborates complex and realistic attack scenarios that require Threat Intelligence, collaboration of all actors (both private and public) as well as strong stakeholders involvement at the Executive level

Cybersecurity Regulation View HKMA

Recent moves in Hong Kong


Given the increasing level of sophistication and potential impact of cyber attacks, HKMA has pursued the CFI - Cyber Fortification Initiative - to further enhance the cyber resilience of the banking sector.
It is structured on 3 pillars:
1. Cyber-Resilience Assessment Framework (C-RAF)
2. Cyber Intelligence Sharing Platform (CISP)
3. Professional Development Programme (PDP)

1. Inherent risk assessment
2. Maturity level assessment
3. iCAST (intelligence-led Cyber Attack Simulation Testing)

2 phases implementation:
• Phase 1 AIs: 30 biggest Authorized Institutions were required to implement the C-RAF
• Phase 2 AIs: All smaller banks considered less mature will have more time to implement the C-RAF
The inherent risk profile is measured on 5 axes through a guided assessment and will output the target maturity to be reached

Aligned with CFI’s PDP objectives, the HKMA launched a module on cybersecurity under the Enhanced Competency Framework (ECF).
“ECF-C” is a non-statutory framework which sets out the common core competences required for cybersecurity practitioners in the Hong Kong banking industry. The objectives of the ECF-C are twofold:
• Develop a sustainable talent pool of cybersecurity practitioners for the workforce demand in this sector;
• Raise and maintain the professional competence of cybersecurity practitioners in the banking industry.

History and Agenda
Phase 2 AIs
• 2019: iCAST implementation (deadline not announced)
• Dec 2018: Inherent risk and maturity assessment
Phase 1 AIs
• Jun 2018: iCAST implementation
• Sept 2017: Inherent risk and maturity assessment
• Dec 2016: Enhanced Competency Framework on Cybersecurity (ECF-C)
• May 2016: Launch of the consultation on CFI Cyber-Fortification initiative, including:

Cybersecurity Regulation View SFC

Introduction
• For the 12 months ended September 2016, there was a significant increase in security breaches, compromised online client trading accounts and unauthorized transactions, with 16 incidents reported to the SFC, which involved 7 securities brokers and total unauthorized trades in excess of HKD$100 million.
• The SFC puts the highest priority on cybersecurity management and suggests a range of control measures, including self-assessment and a questionnaire.

The three pillars of the new cybersecurity review

New Cybersecurity Review

First pillar: Issue a questionnaire to assess
• Licensed Corporations (LCs) confidentiality, integrity and contingency
• Relevant functionalities for data protection (customer)
• Cybersecurity management and governance risks

Second pillar: Onsite inspections of selected brokers for the review of
• Implementation of previous Circulars
• Information security posture and readiness
• Cyberattacks detection and prevention capabilities

Third pillar: Benchmarking the SFC regulatory requirements
• Sia Partners conducts similar activities globally and knows major regional actors' initiatives (HKMA, MAS …) as well as best-in-class industry players

6 key controls to be reviewed
1. Strengthening threat intelligence and vulnerability management
2. Reliable preventive, detective and monitoring measures
3. Vigilance monitoring unusual logins / transactions
4. Effective user authentication and access controls
5. Contingency plan and cyberattack scenarios
6. Raising awareness of the customer (new area of focus)

History and Agenda
• Oct 2016: “SFC Circular on Internet, mobile trading systems”
  - Assessment
  - Sensitization of the client on securities vulnerabilities and risks
  - Benchmarking the SFC regulatory requirements and market practices in Hong Kong
• Mar 2016: “SFC Circular on Cybersecurity”
  - Review and assessment of the cybersecurity risks
  - Cybersecurity management
Review and assessment of cyber risks

The SFC shared with industry its 5 key areas of concern and suggested 8 Cybersecurity Controls, with a reminder to take appropriate measures to critically review and assess the effectiveness of cybersecurity controls in place.

5 key areas of concern for the SFC
1. Inadequate coverage of cybersecurity risk assessment exercises
2. Inadequate cybersecurity risk assessment of service providers
3. Insufficient cybersecurity awareness training
4. Inadequate cybersecurity incident management arrangements
5. Inadequate data protection programs

3 main areas of focus for Organizations
1. Sound implementation of the review and assessment
2. Identification of any weaknesses, followed up by a clear action plan
3. Enhancement of the cybersecurity controls, treated as a matter of priority


Tips on Protection of Online Trading Accounts

SFC and CSTCB have listed out suggested control measures to improve the monitoring and the safeguarding against unauthorized activities:

New Controls
1. Monitoring unusual or questionable transactions
2. User authentication and access controls by brokers
3. Preventive, detective measures to protect systems and information
4. Effective contingency planning

Regular Self-Assessment of Internal Trading System

SFC has published a guidance and a checklist for Licensed Corporations to conduct regular self-assessment of their Internet trading systems and network infrastructures (related policies, procedures, practices):

SFC Self-Assessment Checklist
1. Management Oversight
2. User Access Controls
3. Network Infrastructure
4. Application controls and Processing Integrity
5. System implementation
6. Backup and Contingency
7. Monitoring
8. Vendor Management
9. Application Vulnerability

[Figure: Approach timeline in phases: Scoping; Cyber Security assessment; Results Analysis and Prioritization; Implementation. Security campaigns to be defined at the end of assessment.]

• Scoping: identify stakeholders responsible to perform the self-assessment.
• Cyber Security Assessment: fill in the assessment of internet trading systems.
• Results analysis and prioritization: report conclusions with recommended actions to the board or senior management.
• Implementation of the observations: after prioritizing the results, the stakeholder should implement the identified recommendation.

History and Agenda
• Jan 2016: “Tips on Protection of Online Trading Accounts”
  - Tips on protection of online trading accounts, particularly the reinforcement of authentication
• June 2015: “Internet Trading – Assessment Checklist”
  - An internet trading self-assessment checklist
  - Guidance for the assessment
• Jan 2014: “Internet Trading – Reducing Internet Hacking Risks”


Cybersecurity Regulation View


Regulations on cybersecurity in Singapore

Recent Moves in Singapore

• We expect an increasing focus on cyber threat modelling and intelligence with the upcoming FS-ISAC summit in July 2018.

• On April 11 2018, MAS issued an advisory to remind financial institutions to remain vigilant, following recent reports of cyber incidents overseas where attackers attempted fraudulent fund transfers using the SWIFT system. This advisory comes with guidelines on controls implementation regarding the SWIFT network.

• The “Cybersecurity Bill” is a recent Singaporean law providing a legal framework to establish and empower a cybersecurity regulator by conferring extended power to a Cybersecurity Commissioner to conduct investigations, examine people, seize evidence, or cease business activities. Critical Information Infrastructure, including Banking and Financial Institutions, is in scope, with legal and liability procedures to force owners of part or whole of a system considered critical to implement changes and conduct regular audits and risk and vulnerability assessments. There are significant criminal and civil penalties for failing to comply with these obligations. This act will progressively come into force by Q2 2018.

• Released shortly after, the Guidelines to protect users of electronic payments set out the responsibilities of e-payments users, including good security practices, and aim to make e-payments simpler and more secure to push for their adoption.

• In November 2017, the Asia Pacific Financial Services Information Sharing and Analysis Center’s office was launched by MAS to support 49 Financial Institutions across 9 countries.

• The New Outsourcing Guidelines provide expanded guidance to the industry on prudent risk management practices for outsourcing, including cloud services. They also ease Cloud adoption by removing for financial institutions the need for pre-notification or a Technology questionnaire on such arrangements. However, MAS expects that FIs will exercise appropriate due diligence on their outsourcing arrangements and should be able to provide evidence of their compliance with the Outsourcing Guidelines.

History and Agenda
• July 2018: Next FS-ISAC AP summit
• April 2018: Advisory reminder on remaining vigilant on cyber threats
• Feb 2018: Cybersecurity Bill
• Feb 2018: Guidelines to protect users of electronic payments
• November 2017: MAS launches FS-ISAC on Cyber Information Sharing
• July 2016: New Guidelines on Outsourcing Risk Management; Guidance on Cloud services

Sia Partners' View of Singapore Cybersecurity

• May 2016: launch of a “Cyber Risk Management Project” (CRMP), which facilitates the systematic collection and modelling of cyber risk data, bringing together government bodies, public institutions and a number of private organizations. CRMP does not include any call for specific new cyber security compliance measures. It enables talent development, and facilitates the building of professional competencies and capabilities of those working in cybersecurity.

• June 2013: launch of the “Technology Risk Management Guidelines” (TRM), which stated that MAS expects financial institutions to implement strong controls in their IT systems and manage technology and cyber risks.

• National Cyber Security Masterplan 2018: Singapore launched the five-year national cyber security Masterplan to further secure Singapore’s cyber environment. It was developed through a multiagency effort led by the Infocomm Development Authority of Singapore (IDA) under the guidance of the National Infocomm Security Committee. The masterplan will look into developing human and intellectual capital within the infocomm industry to boost cybersecurity in Singapore. It fosters the development of cyber training facilities for testing and training of cybersecurity experts. There are also plans to promote collaboration between private and public sectors as well as R&D, thereby attracting and cultivating more cybersecurity expertise.

• The Second Infocomm Security Masterplan will expand on that and engage both the public and private sectors even more deeply in securing Singapore’s cyber space. It will also focus on the development of sector-specific infocomm security programmes. Eschewing the one-size-fits-all approach, the Government will work with critical infrastructure owners in both public and private sectors to develop customised solutions, starting with the infocomm and energy sectors which support the vital operations of many other key industries.

• The first Infocomm Security Masterplan (ISMP) provided the overarching plan in Singapore’s continued national efforts to enhance cyber security. Launched in February 2005, this three-year (FY2005 - FY2007) strategic roadmap is the result of extensive private and public sector feedback to increase the resilience of national critical infrastructure from cyber attacks and to maintain a secure infocomm environment for government, businesses and individuals.

History and Agenda
• May 2016: Cyber Risk Management Project
• June 2013: Technology Risk Management Guidelines (TRM)
• 2013-2018: National Cyber Security Masterplan
• 2008-2012: Second Infocomm Security Masterplan
• 2005-2007: Infocomm Security Masterplan

Cybersecurity Regulation View


Regulations on cybersecurity in China

Recent moves in China focus on Cybersecurity

While the scope of the Cybersecurity Law affects mainly Telco and Cloud providers, the so-called “Network Operators” definition has been significantly extended to institutions or companies providing services through “networks”. As a consequence, this law is fully applicable to Financial Organizations providing network services such as internet or mobile banking or e-trading. Banking institutions, Securities and Insurance companies collecting citizens' personal information are in scope of this law.

With an intent to onshore foreign companies' datacenters

The launch of the Measures on Security Assessment of Personal Information and Important Data targets more specifically foreign-invested Network Operators providing Cloud services. It creates significant issues such as forced onshoring of Datacenters in China and therefore applicability of all People's Republic of China laws and regulations.

The launch of the National Cybersecurity Strategy and the Chinese “Cybersecurity Law” marks the increasing shift of focus to cyber security. Indeed, older measures were more related to IT Security concerns such as safeguarding systems and networks:
i. Measures for Prevention and Treatment of Computer viruses
ii. Measures for Hierarchical Protection of Information Security

Large impacts in terms of complex regulations for foreign institutions moving to China

A major consequence of the Cybersecurity Law is that foreign Financial Institutions handling personal information of Chinese citizens or providing network services have to move their Datacenters into China and reach immediate compliance with many regulators such as PBOC, SAFE, CBRC and others (see next page). This has a significant impact that is hardly anticipated by organizations and poses many challenges such as:
1. Tightening regulatory landscape
2. Increasing demand in IT security
3. Identifying gaps and complying with regulatory requirements from 3 regulators

History and Agenda
• June 2017: China Cybersecurity Law comes into effect
• April 2017: Measures on Security Assessment of Personal Information and Important Data to be Transmitted abroad
• December 2016: National Cyber Security
• November 2016: Adoption of the Chinese Cybersecurity Law

Insights on IT related Regulations for Financial Institution in China

[Figure: Venn diagram placing the regulations from PBOC, CBRC and SAFE (lettered A to F in the lists below) across three areas: IT security, Quality & design, IT management.]

Regulations from the 3 regulators mainly focus on IT security, IT management and system design. There are some overlapping so that we can leverage

Regulators are concerned with banks’ IT management and system design so as to reduce IT security risk. Having in place a comprehensive IT management framework supported by well designed systems is a priority for banks in China.

SAFE is more concerned with system design and PBOC is more concerned with IT management. CBRC regulates banks in a holistic manner. Banks should address the different concerns between regulators.

PBOC - People’s Bank of China


A General specification of information security for internet banking system
B Law of the People’s Republic of China on Banking Regulation and Supervision
C Guidance on Internal Control of the Commercial Banks
D Law of the People’s Republic of China on Commercial Banks
E Provisional Rules on Management of Individual Credit Information Database
F Regulations on the Administration of Foreign-funded Banks of the People’s Republic of China

CBRC - China Banking Regulatory Commission


A Notice on Issuing the Regulatory Guidelines for the Risks in the IT Outsourcing of Banking Financial Institutions
B Implementation Measures of the CBRC for the Administrative Licensing Items concerning Foreign-Funded Banks (No.4 (2015))
C Notice on Further Strengthening the Work of Authenticating the Software of Banking Financial Institutions
D Notice on Issuing the Measures for the Commissioning and Change of Important Information Systems of Banking Institutions
E Notice on Doing a Good Job in E-Bank Risk Management and Services (No. 134 (2007))

SAFE - State Administration of Foreign Exchange


A Notice on Issuing Measures for the Standardization of the Code of Information Systems
B Notice of the State Administration of Foreign Exchange No. 101, 2009
C Information System Code Standard Management Implementation Rules
D Notice of the State Administration of Foreign Exchange No. 16, 2014
E Notice of the State Administration of Foreign Exchange No. 95, 2014
F Rules for data collection of foreign exchange business of financial institutions

Cybersecurity Regulation View


Regulations on cybersecurity in Japan

Upcoming moves in Japan

• While the 2020 Summer Olympic Games in Tokyo are expected to create new business opportunities, there are rising concerns about the obstruction of management due to cyber attacks, as this may indeed affect Japanese companies’ competitiveness and credibility.

• The next cyber security strategy will be decided by the Cabinet in July 2018. Following recent large-scale breaches and successful hacks targeting cryptocurrencies in Japan, Sia Partners believes that the wave of regulation may expand to cutting-edge technologies such as IoT and blockchain. Also, extending the scope of the coming Cybersecurity Strategy to apply to smaller companies may make sense.

Recent moves in Japan

• In 2017, the ''Cyber Security Management Guidelines'' established by METI in 2015 were amended. They promote cyber security measures for large and medium enterprises.

• The Act for Protection of Personal Information (APPI) was substantially amended and strengthened in 2015 to align with foreign regulation such as the EU GDPR. These changes came into force on May 30, 2017.

• The Personal Information Protection Commission (PPC) is the national regulator for data privacy. While it does not have the ability to impose fines, it can prosecute with criminal sanctions and has significant inspection and audit powers as well as the power to request companies to submit evidence and compliance reports.

History and Agenda
• July 2020: Summer Olympic Games in Tokyo
• July 2018: Formulation of next cyber security strategy
• March 2018: Draft legislation amends part of the cyber security basic law
• March 2018: Revision of cyber security management guidelines
• May 2017:
  - Amended APPI Act comes into effect
  - Personal Information Protection Commission operations begin


Recent moves in Japan (Continued)

• The Basic Law on Cybersecurity (Act No. 104 of 2014) was established in November 2014 and came into effect in October 2016. Among its provisions, the establishment of the Cyber Security Strategy Headquarters is mentioned; the Cabinet Office launched the Cyber Security Strategy Headquarters and is currently conducting activities such as revising guidelines for formulating safety standards for ensuring information security in important infrastructure.

• The Personal Information Protection Commission (PPC) is the national regulator for data privacy. While it does not have the ability to impose fines, it can prosecute with criminal sanctions and has significant inspection and audit powers as well as the power to request companies to submit evidence and compliance reports.

• The National Center of Incident Readiness and Strategy for Cybersecurity (NISC) is empowered to develop national strategy and policy, ensuring the cybersecurity of ministries and agencies, and serving as a focal point for international cooperation. The first Cyber Security Strategy Headquarters meeting is shortly followed by the 2015 Japan’s Cyber Security Strategy.

History and Agenda
• October 2016: Cyber Security Basic Law (2014) is enforced
• Jan 2016: Personal Information Protection Commission (PPC) is established
• December 2015: Formulation of cyber security management guidelines
• February 2015: Japan’s Cyber Security Strategy
• February 2015: First Cyber Security Strategy Headquarters meeting

About Sia Partners
SIA PARTNERS, A MANAGEMENT CONSULTING FIRM
WITH A GLOBAL REACH

• 200 M$: Revenue in 2018
• 1999: Date created
• 2x: Sustained double digit growth (resilient)
• 21: Offices worldwide
• 1,200+: Consultants
• 41+: Nationalities

> A team with an unparalleled expertise able to deliver superior value and tangible results for our clients

• 15%: Strategy
• 65%: Business Transformation
• 15%: IT & Digital Strategy
• 5%: Data Science

11 Coverage sectors - 14 service areas

Our teams are fully integrated with a global reach

> A culture of excellence and high standards for our clients and our team

• Key clients include 20% of Fortune 500 companies
• 55,000+: Followers on LinkedIn
• 7,000+: Assignments since our creation
BANKING AND INSURANCE SERVICES
A solid expertise built around our competence centers

Key Figures

• 4: Competence Centers
• 10+: Exclusive studies per year
• 100,000+: Visitors to our blog per year (en.finance.sia-partners.com)
• 100+: Quotes in the press per year

Main transformation services

Regulatory compliance and financial performance
• Compliance: Risk-Based Capital frameworks, Data Quality and Data Privacy, Anti-Money Laundering, KYC, OFAC, CRS, Information Security, Duty to Advise (GN16, etc.)…
• Regulatory Reviews & Impact Assessments; Policies & Procedures Development; Data Quality Frameworks
• Risk Management & Control; Internal Audit Asset & Liability Management
• Financial Control; Accounting and P&L

Performance optimization
• Operational Efficiency; Process Analysis & Optimization (e.g., reconciliations); Lean Six-Sigma; Agile
• Front-to-Back Optimization; Operating Model Redesign
• Claims Management
• Payment Capability
• Actuarial Science
• IT Risk Assessment and Cost Optimization

Design and launch of new offers
• Digital and Customer Centricity; Multi-Access Oriented Products
• Data Science
• Benchmark; Target Business Models & Offerings Definition
• Banking & Insurance Convergence

Domestic and International Growth
• Subsidiary Management & Organization Support
• Operational Due Diligence; Acquisition Assessment and Merger Integration; Target Operating Model Definition
• Location Strategy; Outsourcing Strategy Definition; BPO Health checks

YOUR CONTACTS IN ASIA

HONG KONG
Helina Lo
Head of Finance, Risk and Regulatory Practice | Banking
helina.lo@sia-partners.com
+852 5664 1057

SINGAPORE
David Hollander
Head of Singapore office
david.hollander@sia-partners.com
+65 6635 3433

JAPAN
Naoyuki Miyazaki
Manager
naoyuki.miyazaki@sia-partners.com
+81 80 4790 9890

AMSTERDAM | BRUSSELS | LYON | LONDON | LUXEMBOURG | MILAN | PARIS | ROME


HONG KONG | SINGAPORE | TOKYO
CHARLOTTE | HOUSTON | MONTREAL | NEW YORK | TORONTO
ABU DHABI | CASABLANCA | DOHA | DUBAI | RIYADH

Driving Excellence
Follow us on LinkedIn and Twitter @SiaPartners
And our blog: en.finance.sia-partners.com
