This article, updated quarterly, looks ahead to the areas expected to be prioritised by financial services regulators across the globe; we look at the key regulatory trends emerging from the past year which inform our expectations for 2024. As an overview, we expect that the following will be core focus areas across the EU, UK and US:
ESG
What is the nature of this market development?
Transition towards more concrete ESG outcomes and better risk management will be a key priority for financial regulators. There is a growing concern that firms are making exaggerated or misleading sustainability-related claims about their investment products. Consumers and regulators alike are growing increasingly alert to false or exaggerated ESG claims. Where statements do not stand up to scrutiny, regulators are conscious that this may cause consumer harm while eroding trust in the market for sustainable investment products. Furthermore, banks are subject to increasing prescription and regulator expectation regarding the management of their own exposure to climate and sustainability risks, with the ECB in particular raising the prospect of enforcement action where banks fail to meet expectations.
What are the regulators doing about it?
Europe
Proposed Sustainable Finance Package:
The European Commission proposed a new sustainable finance package in June 2023. The proposal includes the following points of interest which will continue to gain relevance as the legislative procedure proceeds in 2024:
- The addition of further activities to the EU Taxonomy.
- A proposal for a regulation on the transparency and integrity of ESG rating activities, to increase transparency on the market for sustainable investments.
- A Commission Recommendation on facilitating finance for the transition to a sustainable economy which aims at providing guidance on how companies can use the tools of the EU sustainable finance framework.
Greenwashing
In June 2023, the European Supervisory Authorities ("ESAs" comprising the European Banking Authority ("EBA"), EIOPA and ESMA) presented their Progress Reports on Greenwashing and a common understanding of greenwashing and a corresponding warning on related risks for consumers, investors or other market participants, as well as on reputational and operational (litigation) risk. The Progress Reports address the key areas of the sustainable investment value chain vulnerable to greenwashing, the causes of greenwashing and calls for remediation actions, while acknowledging that the regulatory frameworks need clarification and to gain in maturity. The ESAs also published an interactive factsheet on sustainable finance directed at consumers.
In June 2024, the ESAs issued final reports on greenwashing, including final recommendations and possible changes to the EU regulatory framework. The reports particularly focus on the role of supervision in mitigating risks resulting from greenwashing.
European Green Bond
Apart from setting out requirements for the designation under the European green bond standard ("European green bond"), the regulation adopted in October 2023 sets out the following noteworthy points:
- registration procedures;
- supervisory framework for external reviewers of the requirements; and
- voluntary disclosure requirements for other environmentally sustainable bonds and sustainability-linked bonds issued in the EU.
From December 2024, the European green bond will be aligned with the EU taxonomy for sustainable activities. This will mean that proceeds of European green bonds will need to be invested in economic activities that are aligned with the EU taxonomy.
New framework for ESG Risk
Beyond disclosure regulation and the European green bond, new rules on effective management of ESG risk have become part of the EU's banking regulations.
The 'banking package' amending the Capital Requirements Regulation ("CRR") (Regulation 575/2013/EU) and the Capital Requirements Directive ("CRD") (Directive 2013/36/EU) entered into force in July of this year. The amended CRR (CRR III – Regulation (EU) 2024/1623/EU) will generally be applicable from 1 January 2025, whilst the amendments to the CRD (CRD VI – Directive 2024/1619/EU) must be transposed into national law by Member States by 10 January 2026.
ESG-related amendments to the CRR include:
- definitions of ESG risk, Article 4(1) points 52d - 52i CRR;
  - ESG risk means the risk of any negative financial impact on an institution stemming from the current or prospective impact of ESG factors on that institution's counterparties or invested assets; ESG risks materialise through the traditional categories of financial risks;
  - Environmental risk includes both physical risk and transition risk, including factors related to the transition towards certain regulatory objectives. The definition explicitly refers to the Taxonomy Regulation (2020/852/EU) and includes objectives such as climate change mitigation;
  - Physical risk means the risk of any negative financial impact on an institution stemming from the current or prospective impact of the physical effects of environmental factors on that institution's counterparties or invested assets;
  - Transition risk means the risk of any negative financial impact on an institution stemming from the current or prospective impact of the transition to an environmentally sustainable economy on that institution's counterparties or invested assets;
  - Social risk means the risk of any negative financial impact on an institution stemming from the current or prospective impact of social factors on its counterparties or invested assets;
  - Governance risk means the risk of any negative financial impact on an institution stemming from the current or prospective impact of governance factors on that institution's counterparties or invested assets;
- the extension of reporting and disclosure requirements;
  - Reporting on prudential matters now requires reporting in relation to ESG risk, amending Article 430 CRR;
  - Disclosure of ESG risks now applies to all institutions, amending Article 449a CRR;
- scenarios for stress tests for capital adequacy including ESG risk factors, amended Article 177 CRR;
- an amendment of risk weights for capital requirements and collateral to reflect ESG risks;
  - lower risk weight for the commodity delta risk factor related to carbon trading emissions via a specific risk category for ETS allowances, Article 383v CRR;
  - preferential treatment of 80 per cent risk weight for "High Quality Finance Project Finance" meeting certain conditions, Article 122a CRR;
  - limitation of the infrastructure supporting factor to provide that assets being financed must contribute positively to and not significantly harm other objectives in the Taxonomy Regulation, amending Article 501a CRR;
  - collateral valuations are to consider ESG risks, amending Articles 207(4)(d); 208(3)(b); 210(g) CRR.
ESG-related amendments to the CRD include:
- the requirement to include short, medium and long-term horizons of ESG risks in institutions' strategies and processes for evaluating adequate internal governance, as well as internal capital needs, amending Articles 73 and 74 CRD;
- the requirement for management bodies to develop and monitor the implementation of transition plans to monitor and address risks arising in the short, medium and long-term from ESG factors. These transition plans must be consistent with those referred to in Article 19a / Article 29a Corporate Sustainability Reporting Directive ("CSRD" – Directive 2022/2464/EU), amending Article 76 CRD;
- the collective knowledge, skills and experience expected of the management body must include understanding the entity's impact in the short, medium and long term, taking into account ESG factors, amending Article 91 CRD;
- the requirement that banks' governance arrangements include robust strategies, policies, processes and systems for identifying, measuring and managing and monitoring ESG risks over the short, medium and long-term, Article 87a CRD;
- supervisors will oversee how banks handle ESG risks in the context of the annual supervisory examination review (SREP), amended Article 98 CRD and may require banks to mitigate ESG risks as part of their supervisory powers, amending Article 104 CRD.
These amendments are in line with previous steps taken by the European Central Bank ("ECB") and EBA requiring attention:
- Financial institutions continue to be required to disclose Pillar 3 information on ESG risks as per the Annexes of the Implementing Technical Standards ("ITS").
- The EBA published templates to collect climate-related data from EU banks in the context of the one-off Fit-for-55 climate risk scenario analysis.
- The EBA recommended short-term actions as part of the implementation of the CRR and CRD to accelerate the integration of environmental and social risks across Pillar 1. Among others, these comprise:
  - the inclusion of environmental risks as part of stress testing programs;
  - the acknowledgement of ESG factors as part of external credit assessments; and
  - greater emphasis on the importance of transition planning.
Banks will be expected to update their strategies to ensure they effectively deal with climate and environmental risk by the end of 2024. The ECB's November 2022 thematic review on banks' progress in meeting the expectations under the ECB's November 2020 Guide on climate-related and environmental risks revealed that banks are still far from adequately managing climate and environmental risks. More recently, the ECB has publicly warned of enforcement action, with press reports of warning letters sent to specific banks as well as fines for a number of banks.
As 2023 came to a close, a report from a joint ECB/ESRB team 'Towards macroprudential frameworks for managing climate risk' heralded the likelihood of further changes over time, with bank regulation potentially forming part of a wider EU macroprudential framework for climate risk.
Amendments to disclosure regulation
There have been further developments brought forward by the ESAs in regard to disclosure regulation which are to be monitored until the end of 2024:
- The recommendation of amendments to the Delegated Regulation of the Sustainable Finance Disclosure Regulation (Regulation (EU) 2019/2088) aiming to extend and simplify sustainability disclosures.
- A call for climate-related disclosure for structured finance products through harmonized climate-related data requirements for the underlying assets together with the ECB.
- New Regulatory Technical Standards ("RTS") on the ESG impact disclosure for simple, transparent and standardized ("STS") securitizations under the Securitisation Regulation. The key proposals would apply to STS securitizations where the underlying exposures are residential loans, auto loans and leases.
Beyond the financial sector, financial institutions should be aware of the transposed CSRD, which requires firms to report on their environmental impact since January 1, 2024. It updates and replaces the existing Non-Financial Reporting Directive (NFRD) and Accounting Directive (2013/34/EU). These changes will be particularly relevant for financial institutions from a Pillar 3 disclosure and risk management perspective, in particular in relation to the new requirements under the amended CRR and CRD.
United Kingdom
Sustainability Disclosure Requirements
The Financial Conduct Authority ("FCA") published a policy statement (PS23/16) introducing new rules around sustainability disclosure requirements and investment labels on November 28, 2023. PS23/16 made changes to the naming and marketing rules to allow for the use of certain sustainability-related terms.
The policy statement explained that the FCA is a strong supporter of international corporate reporting standards on sustainability, noting the launch of the ISSB's first sustainability-related reporting standards in June last year. These international standards were used as a reference point for asset managers in scope of the rules, and the FCA intends to consult on updating its Taskforce on Climate-Related Financial Disclosures to reference these standards. This is expected to form the basis for a new set of rules for listed companies, which will likely be developed over the course of this year.
Key implementation dates under PS23/16 are:
- May 31, 2024: anti-greenwashing rule and guidance (FG24/3) came into force.
- July 31, 2024: firms can begin to use labels, with accompanying disclosures (the FCA introduced a fourth label 'Sustainability Mixed Goals' for funds that invest in a blend of different sustainability objectives and strategies).
- December 2, 2024: naming and marketing rules come into force (with accompanying disclosures).
- December 2, 2025: ongoing product-level and entity-level disclosures for firms with AUM > £50 billion.
- December 2, 2026: entity-level disclosures rules start applying to firms with AUM > £5 billion.
The FCA published a new webpage on its sustainability disclosure requirements and investment labelling regime on February 2, 2024, which reflects the new rules introduced in PS23/16. On July 1, 2024, the FCA updated the webpage to include information on how firms should notify them when they are using an investment label under the sustainability disclosure requirements and investment labelling regime. Over the next few months, we expect further FCA input on the assessment by managers of their assets against the criteria for labels. We also expect to see further clarification of the FCA's approach to overseas funds, pensions and investment products in respect of sustainability disclosures, with additional focus to come on financial advisers.
The FCA's Business Plan 2024/25 confirmed that they will continue to integrate the Sustainability Disclosure Requirements and Investment Labels across the Market, including the anti-greenwashing rule and guidance. The FCA will continue to expand the regime, starting with a consultation on Portfolio Management in 2024.
Management of climate change risks
In its January 11, 2024 letters to both UK deposit takers and international banks on its priorities for 2024, the Prudential Regulation Authority ("PRA") chose to emphasise its view that there is still considerable work for all firms to do in their development of climate-related financial risk management capabilities, and linking these more concretely into decision-making. The 2024 'priorities' letters referenced Supervisory Statement 3/19 on 'Enhancing banks' and insurers' approaches to managing the financial risks from climate change', as supplemented by an October 2022 'Dear CEO' letter containing thematic feedback on firms' embeddedness of climate-related financial management. The message conveyed in the 2024 'priorities' letter appears to be more urgent than the October 2022 'Dear CEO' letter, and an inference is that the PRA will be looking for tangible implementation during 2024.
Diversity and inclusion in PRA-regulated firms
On September 25, 2023, the FCA (CP 23/20) and PRA (CP 18/23) published separate consultation papers on diversity and inclusion in financial services, in which they propose to introduce new strategies, targets, reporting and disclosure requirements for regulated firms. The proposals set flexible and proportionate minimum standards to raise the bar, placing more requirements on larger firms. The proposals set out requirements for firms to:
- develop a diversity and inclusion strategy setting out how the firm will meet their objectives and goals;
- collect, report and disclose data against certain characteristics; and
- set targets to address under-representation.
The proposals are an ambitious package aimed at improving diversity and inclusion, and the outcome of the consultation will initiate a very high-profile workstream for firms during 2024 and beyond.
United States
In December 2023, the Securities and Exchange Commission ("SEC") publicly announced that it would yet again delay finalising its long-awaited climate-related public company disclosure rule. The proposed rule (initially introduced in March 2022 and dubbed "The Enhancement and Standardisation of Climate-Related Disclosures for Investors") was met with sharp criticism in market feedback. We expect the SEC to finalise this rule in Spring 2024.
While federal regulators may have been slow to develop ESG regulation, California has proceeded full steam ahead, signing three bills into law in October 2023 that would require climate-related disclosures from California businesses. The Climate Corporate Data Accountability Act requires covered businesses to report their greenhouse gas emissions, the Climate-Related Financial Risk Act requires covered businesses to prepare climate-related risk disclosures and the Voluntary Carbon Market Disclosures Act requires covered businesses who make net-zero, carbon-neutral or similar emissions-related claims to report the accuracy of such claims on their website and disclose the purchase, use, or sale of carbon offsets.
Banks should also look out for SEC movements towards mandated reporting on climate matters (anticipated in early 2024) and the New York State Department of Financial Services' plans to issue a request for information from regulated institutions about their proposed plans to assess and manage climate-related financial and operational risks.
Cryptoassets
What is the nature of this market development?
While cryptoassets are still largely unregulated in a number of jurisdictions, regulators internationally are taking emphatic steps to bring cryptoassets within the scope of regulation. 2024 promises to be a busy year in this regard, with the ongoing implementation of the Markets in Crypto-Assets Regulation (EU) No 2023/1114 ("MiCA Regulation") and the UK government's plan to implement its two-phased approach to cryptoasset regulation. In the US, we expect to see the wave of regulatory enforcement action against the US cryptocurrency industry continue.
What are the regulators doing about it?
Europe
MiCA Regulation
The MiCA Regulation came into force on June 29, 2023 and became fully applicable in June 2024. This establishes a regime for the regulation and supervision of cryptoasset issuance and cryptoasset service provision, aimed at creating a harmonized European regulatory framework for cryptoassets to balance innovation with financial stability and investor protection.
The MiCA Regulation defines cryptoassets as a "digital representation of value or rights which may be transferred and stored electronically, using distributed ledger technology or similar technology", and distinguishes between (i) utility tokens, (ii) electronic money tokens ("EMTs") and (iii) asset-referenced tokens ("ARTs"). ARTs and EMTs can be designated as 'significant' by the EBA and trigger the application of additional (stricter) requirements. The MiCA Regulation provisions relating to ARTs and EMTs have been applicable since June 30, 2024.
The MiCA Regulation establishes a licensing requirement for a number of cryptoasset activities (including the operation of a trading platform for cryptoassets, custody and administration activities, execution of orders for cryptoassets on behalf of clients, RTO in respect of cryptoassets, etc.) as well as establishing a harmonized prudential and business conduct framework in respect of specific cryptoasset services (Articles 59 – 85 of the MiCA Regulation).
Furthermore, the MiCA Regulation sets out an ownership control procedure for acquisitions of cryptoasset service providers ("CASPs"), Articles 83 – 84 MiCA Regulation, as well as a specific regulatory regime that is aimed at protecting market integrity and preventing market abuse (Articles 86 – 92 MiCA Regulation).
For a comprehensive overview see "MiCA Regulation: New regulatory framework for Crypto-Assets Issuers and Crypto-Asset Services Providers in the EEA"
The EBA and ESMA have issued a number of guidelines and regulatory technical standards including on the authorisation, internal governance arrangements, complaints handling procedures and the procedure for the approval of white papers of ARTs issued by credit institutions.
AML/CFT
Beyond the MiCA Regulation, EU regulators and supervisors are also focusing on anti-money laundering and countering the financing of terrorism ("AML/CFT") in the context of CASPs. The EBA has extended its AML/CFT supervision guidelines to AML/CFT supervisors of CASPs. It is also currently working on guidelines aimed at CASPs on preventing the abuse of funds and certain cryptoassets transfers for money laundering and terrorist financing purposes.
Cryptoasset exposures of banks
With the adoption of the Banking Package amending the CRR (Regulation 575/2013/EU) and the CRD (Directive 2013/36/EU) new rules for cryptoasset exposures apply. The amended CRR (CRR III- Regulation (EU) 2024/1623/EU) will generally be applicable from January 1, 2025, however the transitional regime for the risk-weighting of cryptoasset exposures is already applicable, whilst the amendments to the CRD (CRD VI – Directive 2024/1619/EU) must be transposed into national law by Member States by January 10, 2026.
The amendments to the CRR and CRD with regard to cryptoassets include:
- aligning definitions of cryptoassets and crypto asset services to those included in the MiCA Regulation. In turn, cryptoasset exposure is defined as an asset or an off-balance-sheet item related to a cryptoasset that gives rise to credit risk, counterparty credit risk, market risk, operational risk or liquidity risk, Article 5a CRR;
- an immediately applicable transitional regime for the risk-weighting of cryptoasset exposures. By July 2025, the European Commission will submit a new legislative proposal for a dedicated prudential treatment for cryptoasset exposures, taking into account MiCA and international standards, Article 501d CRR;
- rules on reporting and disclosure of cryptoasset exposures, Article 451b CRR; and
- specific governance and supervisory review requirements for cryptoasset exposures, amending Articles 79, 83, 85, 89 and 104 CRD.
United Kingdom
The MiCA Regulation will not apply in the UK. In contrast, in October 2023, HM Treasury published the responses received on its 'Future Financial Services Regulatory Regime for Cryptoassets'. This sets out extensive proposals to bring cryptoassets within the scope of UK regulation and we expect to see this realised over the course of 2024.
HM Treasury confirmed that it intends to use the 'designated activities regime' to expand the list of 'specified investments' in Part III of the RAO, requiring firms conducting relevant activities involving cryptoassets by way of business to obtain FCA authorisation (under Part 4A of the Financial Services and Markets Act 2000, "FSMA"). HM Treasury sets out a phased approach; Phase 1 will introduce fiat-backed stablecoins into the regulatory perimeter while Phase 2 proposes regulation for a broader set of cryptoassets.
Phase 1: HM Treasury has stated that it expects to define fiat-backed stablecoins as a cryptoasset that "seeks or purports to maintain a stable value by reference to a fiat currency and by holding fiat currency, in whole or in part, as backing". Phase 1 proposes to bring within scope of UK regulation: (i) the issuance of fiat-backed stablecoins in or from the UK; and (ii) safeguarding, safeguarding and administering, or the arranging of safeguarding or safeguarding and administering of UK issued fiat-backed stablecoins.
Phase 2: Phase 2 is intended to cover a broader set of cryptoassets than Phase 1, including algorithmic or crypto-backed stablecoins and, furthermore, HMT proposes to bring a fuller list of activities within scope, including issuance activities, activities relating to the exchange of cryptoassets, investment and risk-management related activities, certain lending, borrowing and leverage related activities and safeguarding and/or administration (custody). Following on from HM Treasury's proposals in October, over the course of H2 2024 (if not earlier), we expect HM Treasury to clarify a number of points in respect of each phase:
- The proposed treatment of non-fungible tokens and utility tokens, especially on what constitutes a 'financial services use case' – the UK government proposes capturing cryptoassets only when the subject of the financial activities, but that they will fall out of scope where they are not being utilised in the context of a financial activity.
- The treatment of overseas firms, including making clear the applicability of the 'overseas person exemption', reverse solicitation and intra-group exemptions.
- Delineate further between Phase 1 and Phase 2, both in terms of specific timelines for implementation and considering potential challenges for firms and consumers.
- Distinguish between services provided to professional/sophisticated investors versus retail consumers.
- Clarify the position on staking (HMT have proposed a definition of 'staking' as the process where a given amount of native cryptoassets are locked up on smart contracts in a PoS consensus mechanism blockchain (on-chain) in order to activate validator nodes which collaboratively validate subsequent transactions and achieve consensus on the network's current state).
The secondary legislation for both phases to bring cryptoassets within the scope of UK regulation is due to be brought forward in 2024 (subject to available parliamentary time), although Phase 1 legislation is expected "as soon as possible" this year.
Once the cryptoasset regime is ready to be implemented, firms undertaking relevant cryptoasset activities will likely need to adhere to similar financial services activities, standards and rules that apply to traditional regulated firms.
The FCA's Business Plan 2024/25 states that the FCA will assist in delivering a proportionate market abuse regime for cryptoassets. Similarly, the PRA's Business Plan 2024/25 states that the PRA will continue to work with international partners to establish a common, international standard for the treatment of banks' cryptoasset exposures, and it will also work with international partners to assess bank-related developments in cryptoasset markets, the role of banks as stablecoin issuers, custodians of cryptoassets and broader potential channels of interconnections with the cryptoasset ecosystem.
United States
With the wave of major cryptocurrency bankruptcies largely resolved, 2024 saw a paradigm shift in United States agency power that is likely to significantly hamper the U.S. Securities & Exchange Commission's cryptocurrency regulatory efforts.
On June 28, 2024, the United States Supreme Court overruled a forty-year-old administrative law doctrine known as 'Chevron' deference. That eponymous doctrine — established in the 1984 Supreme Court decision, Chevron U.S.A., Inc. v. Natural Resources Defense Council, Inc. — required courts reviewing "agency actions" (i.e., formal agency rulemakings and adjudications) that involved the interpretation of an ambiguous federal statute to defer to the agency's "reasonable" interpretation of that statute, even if the court would have — if exercising its own independent judgment — found another interpretation more persuasive. Over the past four decades, Chevron was invoked by courts more than 18,000 times to resolve challenges to agency actions, usually (due to its deferential nature) in favour of the government.
In Loper Bright Enterprises v. Raimondo, the Supreme Court overruled Chevron, concluding that its requirement that courts "defer" to agency statutory interpretations cannot be reconciled with a court's responsibility to independently review and decide all questions of law when deciding challenges under the Administrative Procedure Act ("APA"). The Supreme Court further criticized the underlying reasoning behind Chevron, observing that courts — as they have done since the founding — are eminently capable of interpreting ambiguous statutes, and that such deference is not necessary simply because agencies may possess superior subject-matter expertise since courts can still consider well-reasoned agency positions when independently interpreting statutes. In overruling Chevron, however, the Supreme Court has attempted to keep its hands on the reins by expressly carving out cases previously decided under Chevron from being re-opened absent some showing of a "special justification."
Since that ruling, proponents and critics alike have described Loper Bright as marking the end of an era in agency supremacy on key issues. But, as applied to the cryptocurrency industry, the Supreme Court's decision is unlikely to have any immediate impact on the space, much less on the U.S. SEC's aggressive regulatory stance. This is chiefly because the SEC has been disinclined to promulgate industry-specific rules for the cryptocurrency space (i.e., the type of "agency action" that would have previously received Chevron's protections) and has instead taken a "regulation through enforcement" approach with the industry.
Consequently, the bulk of the SEC's regulatory efforts have been devoted to its "crypto asset enforcement actions," the most high-profile of which have been brought against the cryptocurrency exchanges Coinbase, Kraken and Binance. Importantly, those actions are pending in U.S. District Courts, which will exercise their independent judgment to resolve the SEC and the cryptocurrency exchanges' differing interpretations of how to apply the investment contract test set forth in SEC v. W.J. Howey Co., 328 U.S. 293 (1946), to cryptocurrencies and digital assets. Those enforcement actions do not implicate the sorts of questions or "agency actions" (such as a "formal adjudication" that may have resulted if the SEC pursued those actions before its administrative law judges instead of U.S. District Courts) that (previously) would have implicated Chevron.
However, Loper Bright may have more substantial downstream consequences for the industry as the SEC (by choice or otherwise) adopts cryptocurrency-specific rules. Indeed, on December 15, 2023, Coinbase petitioned the U.S. Court of Appeals for an order directing the SEC to develop and promulgate industry-specific rules for the cryptocurrency sector. Coinbase, Inc. v. Securities & Exchange Commission, No. 23-3202 (3d Cir. Dec. 15, 2023), ECF No. 1. That case has been fully briefed, with oral argument set for September 27, 2024. Id. at ECF No. 44. If Coinbase prevails, the SEC would be forced to initiate the rulemaking process. Any final rule that may result from that process would be subject to challenge under the APA, which — under Loper Bright — means the SEC will no longer be able to resort to the significant deference Chevron would have afforded it had it not been abrogated. Likewise, if the SEC's recent amendments to the definition of a "dealer" contained in Rule 3a5-4 to encompass some Decentralized Finance activities are later challenged under the APA, the SEC would not be able to rely on Chevron to defend its actions against determined cryptocurrency industry actors.
Artificial Intelligence
What is the nature of this market development?
The use of generative AI platforms (e.g., ChatGPT, DALL·E, Jasper, Soundraw) proved to be a talking point of 2023. While the Oxford University Press may have named 'rizz' (charm, attractiveness) as its 2023 Word of the Year, 'prompt' (being an instruction given to an AI program) still made its top 8 shortlist and the Cambridge Dictionary went for 'hallucinate' as its 2023 Word of the Year, in recognition that this concept gets to the heart of why we all are talking about AI. Given the depth of competition across the financial services sector and the fact it is data and process rich, there is potential for AI to have a major impact. Firms are increasingly developing their use of AI across a broad range of activities (e.g., credit and regulatory capital modelling, claims management, product pricing, trading, investment advice), and as a tool to support the legal, compliance and risk functions (e.g., AML monitoring).
Many regulatory bodies have been calling for greater regulation of AI and its uses. Given the speed with which AI capabilities change, it can be challenging for financial services regulators to stay ahead. In early January 2024, Basel Committee on Banking Supervision (BCBS) Chair Pablo Hernandez de Cos urged global leaders ahead of the World Economic Forum Annual Meeting to use financial regulation as a blueprint for tackling the issues presented by AI, noting "If we are not able to give a co-ordinated global response, the likelihood of getting the right solution to these challenges will be reduced."
The BCBS is expected to publish a report in the coming months on financial stability implications of AI.
- Machine learning models excel at harnessing massive computing power to impose structure on unstructured data, giving rise to AI applications that have seen rapid and widespread adoption in many fields;
- The rise of AI has implications for the financial system and its stability, as well as for macroeconomic outcomes via changes in aggregate supply (through productivity) and demand (through investment, consumption and wages);
- Central banks are directly affected by AI's impact, both in their role as stewards of monetary and financial stability and as users of AI tools. To address emerging challenges, they need to anticipate AI's effects across the economy and harness AI in their own operations; and
- Data availability and data governance are key enabling factors for central banks' use of AI, and both rely on cooperation along several fronts. Central banks need to come together and foster a "community of practice" to share knowledge, data, best practices and AI tools.
What are the regulators doing about it?
Europe
Currently, express regulation for AI in the financial sector only concerns high frequency trading under the Markets in Financial Instruments Directive ("MiFID II").1 This requires financial entities to have effective systems and risk controls suitable to the business in place and to ensure that the trading systems are "resilient and have sufficient capacity, are subject to appropriate trading thresholds and limits and prevent the sending of erroneous orders or the systems otherwise functioning in a way that may create or contribute to a disorderly market".
However, on March 13, 2024 the EU regulation on artificial intelligence ("AI Act") was adopted. The AI Act entered into force on August 1, 2024 and will become applicable two years after its entry into force, except for some specific provisions: prohibitions on those AI systems considered to be a clear threat to the fundamental rights of people (i.e., AI systems deemed to pose an 'unacceptable risk') will apply six months from the AI Act's entry into force. Similarly, the rules on general purpose AI (discussed below) will apply 12 months from the AI Act coming into force.
The horizontal framework intends to ensure that general-purpose AI systems/models (across industry sectors) are developed and used in the EU in accordance with EU rights and values including human oversight, safety, privacy, transparency, non-discrimination, and social and environmental wellbeing. 'General purpose AI' is intended to capture AI systems that can be used to perform generally applicable functions (i.e., image/speech recognition, audio/video generation) and are able to serve multiple purposes. In other words, it is an AI system that can handle many different tasks rather than being used for a specific purpose.
The AI Act follows a technology-neutral, risk-based approach with a threefold categorization. The categories are: (i) those AI systems deemed to pose an 'unacceptable risk'; (ii) 'high risk systems' which will be subject to certain supervision and conformity requirements; and (iii) 'low risk systems' which will be unregulated (although voluntary codes of conduct might be adopted).
It is anticipated that systems performing activities deemed to be critical to the access of certain financial services (providing access to 'essential public services') may be categorized as high risk, such as systems performing activities relevant to creditworthiness and affordability assessments of natural persons.2 There has also been much debate around systems providing certain activities related to individuals' access to insurance, and we anticipate that systems used for risk assessment and pricing in relation to natural persons in the case of life and health insurance will also be categorised as 'high risk'. The recitals of the latest draft note that the authorities responsible for the supervision and enforcement of financial services law should also be designated as competent authorities for the purpose of supervising AI systems provided or used by regulated and supervised financial institutions.
We expect the AI Act to specify a conformity assessment procedure and some of the providers' procedural obligations in relation to risk management, post marketing monitoring and documentation under the AI Act will be integrated into the existing obligations under the CRD. We also expect that there will be limited scope for derogations in relation to the quality management system of providers and the monitoring obligation placed on deployers of high-risk AI systems (to the extent that these apply to credit institutions regulated by the CRD). The ECB has suggested that the AI Act's requirements for high-risk systems may be relevant benchmarks for updating the obligations set by the CRD regarding the (internal) governance of the risks posed by AI technologies and third-party providers.
The AI Act must also be considered in the context of existing and upcoming EU regulatory and policy initiatives, such as amendments to the EU Liability Directive and a new EU Liability Directive, as well as the EU Cyber Resilience Act and the NIS2 Framework.
For financial institutions deploying AI, the EU Digital Operational Resilience Act ("DORA") (Regulation (EU) 2022/2554) (entering into effect on January 17, 2025), requiring financial institutions to mitigate ICT risks, should also be considered. Financial institutions will need to prepare to monitor ICT-related incidents and report on these to regulators and affected clients. It will be important for firms to factor in AI to their monitoring and implementation of DORA requirements.
United Kingdom
In the King's Speech of July 17, 2024, which set out the new UK government's plans, it was confirmed that the UK "will seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models." Previously, a Private Members' Bill (the AI (Regulation) Bill) was introduced to the House of Lords on November 22nd, 2023 by the Conservative government which put forward key proposals for the regulation of AI, including the creation of a dedicated UK AI authority, designated AI officers, and requirements for businesses deploying AI systems to be transparent and compliant. However, this version of the AI (Regulation) Bill did not make any further progress due to the prorogation of Parliament, and the King's Speech made no firm commitment to publish an imminent AI bill.
The government issued a response to its August 2023 white paper on AI regulation on 6 February 2024. Some respondents to the white paper have noted that financial services could leverage an AI 'sandbox' to explore AI-based applications for risk assessment, fraud detection, algorithmic trading and customer service, but the response paper also looks at the use of AI in broader circumstances.
In the financial services sector specifically, the PRA and FCA joint feedback statement (published in October 2023) summarized key themes and feedback from several stakeholders on key artificial intelligence concerns while the FCA Chief Data, Information and Intelligence Officer stated, in an FCA speech in October 2023, that we are at a "pivotal junction" for the regulation of AI. As noted in the PRA's 2024/25 Business Plan, the PRA and FCA are expected to conduct the third edition of the joint survey on machine learning in UK financial services this year. Responses to the survey will allow the PRA and FCA to further explore how best to address the issues/risks posed by AI and machine learning in a way that is aligned with the PRA's and FCA's statutory objectives.
The FCA has since published a further 'AI Update' on 22 April 2024. On the same day, the Bank of England (the BoE) and the PRA published a joint letter to Michelle Donelan and the Economic Secretary to the Treasury and City Minister (Bim Afolami) on their strategic approach to AI. The BoE and PRA emphasise that they are taking a technology-agnostic approach to the supervision and regulation of AI, but that they intend to address risks relating to the use of specific technologies that may have an adverse impact on their statutory objectives. The PRA is considering whether further regulatory guidance would be helpful in the areas of data management, model risk management, governance, and operational resilience and third-party risks, and the BoE will work with the Digital Regulation Cooperation Forum (DRCF) on selected AI projects, such as conducting joint research to better understand cross-sector adoption of generative AI (GenAI) technology.
Based on the recent updates from the PRA and FCA on AI, we expect the following areas to lead regulator discussions around AI:
- Governance structures. While respondents to the FCA's October 2023 feedback statement confirmed that existing structures governed by the Senior Managers and Certification Regime ("SMCR") (the individual accountability regime applied to firms authorised under the Financial Services and Markets Act 2000) were sufficient to address AI risks, they noted that further guidance would be helpful. Most respondents stated further guidance on how to interpret the "reasonable steps" element of the SMCR in an AI context would be helpful, so long as it was practical or actionable guidance.
In its recent AI Update published on 22 April 2024, the FCA agreed that the use of AI in relation to certain activities, business areas or management functions of a firm could fall within scope of an SMCR senior manager's responsibilities. The FCA confirmed that it plans to issue a consultation paper on the SMCR regime in June 2024.
- Model AI risk. Elements of the PRA's 'Model Risk Management Principles for Banks' (SS1/23) could be strengthened or clarified in order to address issues particularly relevant to models with AI characteristics.
In the PRA's 2024/25 Business Plan, it noted that the PRA will focus on how banks are embedding and implementing the expectations set out in SS1/23. In particular, the PRA will seek to understand the extent to which banks' management teams are adopting the principles and promoting the management of model risk as a risk discipline in its own right across their firms.
- Reliance on third-party AI applications. We expect further clarity around AI's role in the use of third-party models and data, noting that the risks posed by third-party exposure could lead to an increase in systemic risks (the FCA's consultation paper on 'Operational resilience: Critical third parties to the UK financial sector' (CP26/23) closed in March 2024 and the FCA is currently inviting feedback).
- In July 2023, the FCA confirmed that it was considering the risks that 'Big Tech' could pose to operational resilience in payments, retail services and financial infrastructure and, in April this year, the FCA published a feedback statement on the data asymmetry between Big Tech firms and firms in financial services (FS24/1). The feedback statement notes that Big Tech firms are increasingly a critical component of UK firms' operations and that this is likely to increase with the development of AI services. The FCA further notes that the data asymmetry between Big Tech firms and financial services firms may affect how competition evolves in retail financial markets.
- Consumer protection. In the FCA's recent AI Update, the FCA noted that the regulatory approach to consumer protection is relevant to fairness in the use of safe AI systems by firms. In particular, the Consumer Duty requires firms to act in good faith, avoid causing foreseeable harm, and enable and support retail customers to pursue their financial objectives. AI has the potential to increase risks for consumers, and the FCA states that firms should consider their obligations under the Consumer Duty where using AI (for example, where a firm uses AI in risk assessments, some categories of customers may do better than others automatically and some might even be excluded from the market). The FCA has confirmed that the Dispute Resolution: Complaints Sourcebook (DISP) rules provide means of contestability and redress for consumers in relation to AI decisions or outcomes in breach of the rules.
Separately, the DRCF, a multi-regulatory forum comprised of the FCA, the Information Commissioner's Office, Ofcom and the Competition and Markets Authority, has announced the launch of its pilot advisory service, the AI and Digital Hub. The new advisory service is limited to products, services or business models which are digital or use AI, are innovative, and are likely to benefit consumers, businesses or the UK economy. The DRCF will publish case studies of all queries and responses addressed in the hub with the aim of helping a wider pool of innovators.
United States
In July 2023, the SEC proposed new rules addressing conflicts of interest arising from the use of predictive data analytics by broker-dealers and investment advisers. The new rules aim to regulate firms using AI-related technologies and models, requiring them to evaluate and neutralize conflicts arising from their use of algorithms like machine learning, deep learning, natural language processing and large language models to prevent potential systemic risks.
On October 30, 2023, the President of the United States published the Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence ("EO") addressing near-term AI-related threats to national-security, pandemic-risk and infrastructure vulnerabilities, as well as the development of internal procedures. Various measures of the EO have implications for the financial services sector (where it notes that protections are "especially important" and mistakes by or misuse of AI could harm consumers and small businesses). We expect 2024 to see the implementation of the EO across the US, along with further discussion around the impact this will have on the financial services sector.
Furthermore, in March 2024, the Secretary of the Treasury issued a public report on best practices for financial institutions to manage AI-specific cybersecurity risks.
Independent regulatory agencies are encouraged to address risks to financial stability that may arise from the use of AI, as well as to clarify the responsibility of regulated entities to conduct due diligence on and monitor any third-party AI services they use. They should, in addition, emphasize or clarify requirements and expectations related to the transparency of AI models and regulated entities' ability to explain their use of AI models.
In January 2024, the White House announced that federal departments and agencies had completed all the 90-day actions tasked by the EO. In the financial sector, the Department of Commerce has compelled developers of powerful AI systems to disclose AI safety tests and U.S. companies that provide cloud computing power for foreign AI training to disclose that they are doing so. Additionally, the Federal Trade Commission has proposed a change to a privacy rule to limit the ability of companies to monetize children's data.
Additionally, on January 25, 2024, the staff of the CFTC responded to the President's EO by publishing a request for public comment on the use of AI in CFTC-regulated markets and by CFTC-regulated entities. The request's aims are threefold: (i) to assess the benefits and risks associated with the use of AI in CFTC-regulated markets; (ii) to inform staff's supervisory oversight; and (iii) to evaluate the need for any future guidance and rulemakings. The request, which takes the form of 20 questions, is limited only to comments about AI use in CFTC-regulated markets, to a definition of AI in the EO as a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations or decisions influencing real or virtual environments, and to understanding concerns raised by the broader set of similar technologies within and beyond the scope of this definition of AI. The public had until April 24, 2024 to provide comments to the request, and the staff of the CFTC are due to provide guidance on its regulatory response.
And, on July 26, 2024, the U.S. Department of Commerce announced new guidance and tools to enhance the safety, security, and trustworthiness of AI systems, in accordance with the EO. The guidance was the result of the work of multiple divisions and offices within the Department, including the National Institute of Standards and Technology, U.S. Patent and Trademark Office, and National Telecommunications and Information Administration, and it covers a range of topics, including guidance and software packages designed to mitigate and measure risks of AI systems, guidance on patent eligibility for AI innovations, and studies on the risks and benefits of large AI models with widely available weights.
Requirements are also imposed on the Director of the Federal Housing Agency and the Director of the Consumer Financial Protection Bureau, for example, with respect to the evaluation of underwriting models for bias or disparities affecting protected groups.
Various state and local laws, such as privacy and employment law, will also impact the deployment of AI in the financial sector. We expect further discussion around the risks posed by AI from state level regulators over the course of 2024.
For instance, on May 17, 2024, Colorado passed its AI Act, which mandates that developers and deployers of high-risk AI systems (i.e., AI systems that make consequential decisions affecting employment, housing, healthcare, and financial services) take reasonable measures to guard against "algorithmic discrimination," maintain detailed records, and make certain disclosures to consumers. The Colorado AI Act goes into effect February 2026.
Capital Requirements & Crisis Management
What is the nature of this market development?
The failures of Silicon Valley Bank ("SVB"), First Republic Bank, and Credit Suisse have highlighted the importance of key risks such as liquidity, interest rate and concentration risk, giving rise to regulatory attention. The failures underscore the problems that liquidity vulnerabilities and maturity mismatches can pose for the financial system.
The BCBS, as well as the Financial Stability Board, are pursuing a series of follow-up initiatives related to these failures. These include strengthening supervisory effectiveness and assessing whether specific features of the Basel Framework performed as intended. Key takeaways of these events include the importance of supervisors analysing banks' business models and identifying outlier banks, the need to assess banks' governance and risk management, a review of liquidity risk oversight, the importance of exercising supervisory judgment and the continuous need for effective cross-border supervisory cooperation.
These initiatives will be further supported by the ongoing implementation of Basel III standards across each jurisdiction (currently anticipated to be applicable from January 1, 2025 in the EU, and from July 2025 in the UK and US). The Basel Framework requires banks to meet risk-based capital ratios and focus on the definition of banks' risk weighted assets. The final Basel III reforms will further increase the resilience of banks and the banking system although the proposed EU laws envisage some deviations from the overall framework (for example, an existing deviation in the calculation of the credit valuation adjustment).
What are the regulators doing about it?
Europe
In the EU, these recent bank failures have emphasised calls for a focus on capital requirements and a review of the EU's crisis management and deposit insurance framework as proposed by the European Commission in April 2023. We expect to see further discussion around these proposals as the legislative procedure is expected to continue until the end of 2024.
The review envisions an enhancement of the early intervention framework, as well as of the framework for collaboration and exchange of information between supervisors and resolution authorities, and the adoption of a new "early warning" procedure. It further calibrates some of the existing tools, including preventative and alternative deposit guarantee scheme ("DGS") measures and precautionary recapitalizations, and revises the (optional) DGS framework.
Furthermore, in the EU, the implementation of Basel III (or Basel IV) follows the adoption of the 'banking package' amending the CRR (Regulation 575/2013/EU) and the CRD (Directive 2013/36/EU), which entered into force in July of this year. The amended CRR (CRR III – Regulation (EU) 2024/1623/EU) will generally be applicable from January 1, 2025, whilst the amendments to the CRD (CRD VI – Directive 2024/1619/EU) must be transposed into national law by Member States by January 10, 2026. This broadly aligns with progress being made by the UK's PRA and in the US.
United Kingdom
The PRA's January 2024 'Dear CEO' letters set out its key priorities for 2024, underlining the need for "robust governance, risk management and controls", to enable the effective and proactive identification, assessment and mitigation of risks. Other areas of priority include financial and operational resilience.
In specific response to the 2023 bank crises, HM Treasury published a consultation on 'Enhancing the Special Resolution Regime' on January 11, 2024 to consider "any lessons that can be learned about how best to manage the potential failure of smaller banks". The consultation proposed a new mechanism which would enhance the BoE's existing resolution regime to allow additional flexibility to manage small bank failures; the government states that it may be in the public interest to transfer a failing small bank into either a Bridge Bank (as in the case of SVB UK) or to a willing buyer, rather than placing it into insolvency. The BoE issued a statement on the same day confirming that it welcomes HM Treasury's consultation and supports measures to continue to enhance the UK bank resolution regime.
This consultation closed on March 7, 2024 and on July 22, 2024 the UK government issued a response to the consultation. The response included general support for the proposals, including the benefits of increased flexibility, reduced contagion risk, and lower industry costs. On the same day, the UK government introduced a new Bank Resolution (Recapitalisation) Bill to the UK Parliament. The Bill implements the proposals set out in its response to the consultation specifically by:
- amending the Financial Services and Markets Act 2000 (FSMA 2000) to expand the statutory functions of the Financial Services Compensation Scheme ("FSCS"). This will enable the FSCS to provide funds to the BoE upon request to meet certain costs arising from the failure of a bank, and allow the FSCS to recover any funds provided after a failure event through levies on the banking sector;
- providing the BoE with the ability to require a bank under resolution to issue new shares, facilitating the BoE's use of the funds provided by the FSCS to meet a failing bank's recapitalisation costs; and
- making a number of technical amendments to FSMA 2000 and the Banking Act 2009 to support the measures outlined above and ensure FSCS funds can be used effectively in resolution.
Subject to consultation with the Banking Liaison Panel, the SRR Code of Practice will then be updated to reflect that these proposals have taken effect. The PRA and FCA will also consult on any relevant updates to their rulebooks resulting from these proposals.
In relation to the Basel III standards, on December 12, 2023, the PRA published the first of two near-final policy statements on the implementation of Basel 3.1 standards for market risk, credit valuation adjustment risk, counterparty credit risk and operational risk (PS 17/23). The near-final policy statement considers the feedback received to the PRA's consultation paper on the Basel 3.1 standards published in November 2022 (CP16/22). The near-final rules aim to enhance competition by minimising the disparity in risk weights calculated under internal models, commonly employed by larger firms, and standardised approaches. These rules also seek to align with international standards, fostering global competitiveness; they are designed to enhance the safety and stability of firms regulated by the PRA while ensuring greater consistency and comparability in capital ratios.
It is anticipated that the PRA will publish a second policy statement by the end of 2024, to cover the remaining chapters of the consultation paper (CP 16/22) not addressed in the first near-final policy statement published. The PRA does not intend to change the policy or make substantive changes before making the final policy material. The implementation date of the final Basel III banking standards is still planned for July 1, 2025, and the PRA plans to implement these standards over a 4.5-year transitional period between July 1, 2025 and January 1, 2030.
The FCA's Business Plan 2024/25 further states that "As the increase in corporate insolvencies is expected to persist in 2024, we will continue to use data and horizon-scanning mechanisms to anticipate firms that are at risk of failure and make sure that we can respond appropriately in the event that they do to protect consumers and ensure market integrity". Similarly, in the PRA's 2024/25 Business Plan, the Chief Executive of the PRA (Sam Woods) noted that "While I expect the capital impact of [the Basel 3.1] reforms to be limited for UK banks, they will nonetheless play a vital role in maintaining sufficient consistency in risk measurement across firms and jurisdictions – which is the cornerstone of the bank capital regime."
United States
Similarly, the US federal banking agencies published their proposal on how they intend to implement outstanding Basel III standards in the US in July 2023, with the aim of ensuring they can apply from July 1, 2025.
Following the 2023 bank failures, the Federal Reserve also moved to increase capital requirements for US banks. On July 27, 2023, the Federal Reserve Board announced new large bank capital requirements, including a minimum capital requirement of 4.5 percent, that took effect on October 1, 2023.
Additionally, on September 18, 2023, the Federal Reserve, Office of the Comptroller of the Currency, and Federal Deposit Insurance Corporation proposed a new rule that would substantially revise capital requirements for large banks with substantial trading activity to more closely conform with international BCBS capital standards requirements. Following bank complaints that the new capital requirements would impair lending activities, the regulators extended the comment period to January 16, 2024, and we expect to see further discussion around this over the first half of 2024.
Grace O'Connell (White & Case, Trainee, London) contributed to the development of this publication.
1 Art. 17 Directive 2014/65/EU of the European Parliament and of the Council of May 15, 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU.
2 Annex III – paragraph 1 – point 5 – point b, Draft Proposal June 2023.
© 2024 White & Case LLP