Inside FinTech blog

On March 27, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”) published a Notice of Proposed Rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which imposes new reporting requirements for entities operating in critical infrastructure sectors. The CIRCIA was originally enacted in part as a response to recent attacks on critical infrastructure, such as the ransomware attack on Colonial Pipeline in May 2021, but CISA’s proposed regulations take a surprisingly broad view of who may be considered a covered entity and what incidents are reportable.

On March 28, 2024, the White House Office of Management and Budget (OMB) issued guidance to federal government agencies on agency use of artificial intelligence (AI). The guidance recommends that agencies take a risk-based approach with respect to AI.

On 22 April 2024, the Financial Conduct Authority (FCA) published a speech by its chief executive, Nikhil Rathi, entitled ‘Navigating the UK’s Digital Regulation Landscape: Where are we headed?’. In the speech, Mr Rathi announced the FCA’s plans to focus on Big Tech, which are included in Feedback Statement FS24/1 (published alongside the speech). The speech also covered the FCA’s response to the Government’s White Paper on Artificial Intelligence (AI), which was also published in parallel with the speech.

On 13 March 2024, the European Commission adopted:

Commission Delegated Regulation supplementing the Regulation on digital operational resilience for the financial sector (DORA) with regard to regulatory technical standards (RTS) specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents.

When talking about digital assets, how much is saying too much? How much is saying too little? Did what you say ultimately matter? Recent court decisions arising from the purchase and sale of digital assets have grappled with liability claims posing such questions about information that had been stated or omitted.

In a notable victory for the US Securities and Exchange Commission (SEC) in its closely-watched enforcement action against Coinbase over its crypto-assets activities, a New York federal court on March 27, 2024, rejected nearly all of Coinbase’s challenges to the SEC’s charges against it and cleared the case to proceed. SEC v. Coinbase, Inc., No. 1:23-cv-04738-KPF (S.D.N.Y. Mar. 27, 2024) (Katherine Polk Failla, J.). The court held that the SEC’s allegations about Coinbase’s crypto transactions were sufficient for them to “suffice to constitute ‘investment contracts’ under the three-pronged Howey test” and thus be subject to the federal securities laws and the SEC’s enforcement authority. The SEC’s victory was not total, however, as one specific claim as to Coinbase’s Wallet product was rejected, although on different grounds.

The new Digital Assets Law No 2 of 2024 (the Digital Assets Law) was enacted in the Dubai International Financial Centre (DIFC) on 8 March 2024, alongside significant supporting amendments to existing legislation.

On 1 March 2024, Singapore’s Personal Data Protection Commission (PDPC) issued the Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems (AI Advisory Guidelines). These AI Advisory Guidelines followed a public consultation which concluded in August 2023. Our blog post on the public consultation for the draft AI Advisory Guidelines can be accessed here.

On 7 March 2024, the European Court of Justice (the ECJ) published an important decision in relation to IAB Europe’s Transparency and Consent Framework (the TCF).

On March 13, the EU Parliament voted to adopt the EU’s AI Act. The AI Act is the EU’s first comprehensive legislation setting rules regulating artificial intelligence on an EU-wide basis. It will impose new and significant obligations on those developers, distributors, and users of AI systems that affect people in the EU.