© Herbert Smith Freehills 2023
Beyond the hype – Will new laws win trust in banks’ AI tools?
Listing shake-ups – Can markets maintain investor confidence amid major reforms?
The greenwashing dilemma – How to fund net zero with confidence
Trust and verify – Can tougher oversight help crypto launch a comeback?
A rising bar – Why maintaining trust is getting harder for banks
Balancing acts – Can banks deliver social change and shareholder returns?
On the hook – Who pays when customers are scammed
Trust culture – Key lessons in keeping customers on side
PARTNER, Hong Kong
Hannah Cassidy
Not that there is much complacency. The reality facing banks is that they must operate in a less hospitable environment where a significant portion of their business and retail customer bases are feeling the pinch of a higher inflationary environment and transformation towards a digital operating model still requires massive investment in technology. Such challenges are echoed in policy terms, where greater regional and political differences force banks to operate in a less harmonised world, requiring fleetness of foot in the deployment of their staff and human capital. Fragmented legal and regulatory regimes are not only less in tune but they are also more onerous for banks operating across borders, with the wave of new regulation confronting finance showing no sign of abating. You will find all these issues and more explored in this edition, which draws on decades of legal and sector experience across our network. In this more complex and uncertain environment, perhaps banks must grow more comfortable in the spotlight, asserting their value to society, and embrace a more visible position as leaders in business. Can banks deliver both social change and shareholder returns, staking out positions which can withstand a high level of reputational and regulatory scrutiny? We hope this edition will help you thrive under the glare of the spotlight with confidence.
Perhaps the most striking thing about the world of finance a decade and a half since the banking crisis is that the industry has not quite managed to regain the allure and self-confidence of earlier times, even though there have been successful years in between.
PARTNER, London
Simon Clarke
PARTNER, Sydney
Peter Jones
Co-Chairs – Global Banks Sector Group
Indeed, gauging the mood in banking as we near the end of 2023, 'apprehensive' seems as good a description as any. Financial institutions have many reasons for feeling uneasy, among them subdued capital markets, a prolonged period of fractious geopolitics, the realities of serving more polarised societies, and the challenge of being in control rather than at the mercy of technology. Certainly, this is a time in which trust – that most precious commodity in banking – is hard to earn and retain, whether due to conflicting consumer pressures, mounting demands of regulators, or the challenges of managing reputations exposed to the whims and lightning-fast reach of social media. As we explore in this year's Global Bank Review: Trust Matters, trust will be stress-tested on many fronts, whether through combatting the escalating threat of online fraud, carving out credible positions on social and climate issues, creating new carbon offset markets which operate with integrity and transparency, or demonstrating resilience in the face of operational or market shocks. Yet, institutions have rebuilt consumer confidence in recent years, demonstrably improving in a wide range of non-financial factors which would once not have featured so prominently on boardroom agendas. That reputation was further bolstered during the pandemic and its aftermath with banks doing their part to help keep businesses operating. While 2023 brought a handful of high-profile reversals, such as the collapse of Silicon Valley Bank and First Republic in the US and the emergency rescue of Credit Suisse by UBS in Europe, the wider system retained confidence without widespread disruption.
Podcast – Legal team of the future
Kate Cheetham: When we think of ourselves, we think of ourselves as serving customers as opposed to just being a legal professional. There's lots of relevant regulation and compliance, but how do we go about bringing that into the customer experience? For example, we've been thinking about how to write our terms and conditions for digital banking, bearing in mind we are the largest digital bank in the UK. Inevitably people don't read many paragraphs before they click 'agree' but we need to make sure they understand what they're getting and what they're not getting.
From being corporate citizens to tackling scams, we asked two key industry figures how they protect consumer confidence
It's fair to say 2023 has offered some stern reminders to the banking industry about the costs and consequences of getting it wrong. Scrutiny of the sector has been in no short supply. But for those charged with protecting banks' reputations as trusted cornerstones of the economy, this is nothing new. To discuss the ongoing challenges and opportunities in protecting customers and their confidence in their banks and the banking system, we sat down with Lloyds Banking Group's Chief Legal Officer and Company Secretary Kate Cheetham and Australian Banking Association CEO Anna Bligh AC.
Global Bank Review Trust matters
How does your role and that of legal contribute to fostering a culture of trust within your bank?
Kate Cheetham (Lloyds Banking Group): Ultimately, it's a culture point. Are you the sort of organisation customers can really trust? That comes from your commitment to prioritising them; understanding their needs; being transparent; being reliable; and treating them as individuals. Crucially, the transparency point is now key. Security has always been an integral part of trust in banks, but transparency is now a vital element of trust. We try to ensure people understand what we're doing and what they can expect from us and feel protected.
Anna Bligh (Australian Banking Association): Trust has forever been at the heart of the banking relationship. And it’s important when we talk about trust we understand it comes in many forms. For the banking relationship to work the customer must have: information trust (that the bank will keep customers’ details safe), prudential trust (that the bank will keep customers’ money safe) and conduct trust (that the bank will do the right thing by the customer). Trust arrives on a tortoise and leaves on a galloping horse, and it cannot be restored quickly. It left on a galloping horse in 2018, and we’ve been in tortoise mode for a number of years. Trust is restored when you reliably and consistently behave in a trustworthy way. There are no shortcuts. It has to be something observed over an extended period.
What are the key factors to protecting trust in the banking system?
Anna Bligh CEO, Australian Banking Association
Anna Bligh: Emerging technology can change banking for every single customer, but if we get it wrong, it can have some very damaging impacts. Much as the online environment provides customers with unprecedented levels of convenience and speed, it also puts many of them at much greater risk. The industry must focus on how it keeps that prudential and data trust in that environment, as much as the conduct trust.
Kate Cheetham: Intellectual property, regulatory compliance, data privacy, GDPR, those are clearly challenges. But what is probably the most difficult thing is all of the relevant regulations were written before AI came along. The framework is draconian in parts. The interpretation piece is really hard. Customer understanding of what AI is and isn’t and what it uses and doesn't use is really important. People can make assumptions which you'd not always expect, so making sure you're explaining it clearly is hard to do when things are changing so quickly.
Emerging technologies, such as AI, offer both an opportunity and challenge for the banking industry – what are the emerging legal, ethical and trust considerations that you anticipate?
Kate Cheetham Chief Legal Officer and Company Secretary, Lloyds Banking Group
Scams are continuing to be a major challenge for banks and across industry and have an impact on trust in the banking sector. What are your priorities here, and what role are banks and their legal teams playing in contributing to scams strategy?
Kate Cheetham: Fraud is such an important topic and the UK's most common crime. There are so many different varieties: there's small frauds which are upsetting though not life-changing; but they still reduce trust in the whole system. Then there's the terrible stories of people losing significant amounts. We focus on prevention rather than just helping people to pick up the pieces afterwards. We're investing £100 million to do that. We have advanced fraud protection systems which analyse payments in real time and we've trained our branch and telephone colleagues. I've listened to several customers who have been victims of fraud and it is heart-breaking to hear but also amazing to hear how colleagues have supported them.
Anna Bligh: Scammers are increasingly part of sophisticated and often global organised crime networks. They rely on an ecosystem of interconnected players within the jurisdiction. When scams arrive, millions of customers are exercising judgment and not falling for them – but unfortunately there will be some people who are tricked. That’s when banks have a role to play. Banks have been doing an enormous amount of work in the scams space: putting friction back into the system, building a financial crimes exchange platform that allows them to advise another bank of money leaving an individual’s account and ask the receiving bank to freeze it until they get more information. But there is no silver bullet. It’s a constant investment in closing open doors that scammers are getting through.
Kate Cheetham: We are deeply involved in supporting our ESG activities across all business lines. We also engage in horizon scanning to understand key legal risks and anticipate how they might develop in the future. Additionally, we create training resources for our colleagues, including those on the risk of greenwashing. We're also involved on the business side. We have a net-zero business committee which I'm on and that's a group executive level committee which provides the direction to our entire environmental sustainability strategy and our net zero transition and targets. We approve all those before they go to the board. We're very involved in how we as an organisation drive our ESG commitments and how we help the UK transition to a low-carbon economy.
Anna Bligh: I see ESG as a critical part of the trust equation. Banks don't just need a legal license to operate, they need a social licence too. We saw in the Royal Commission what happens when that social licence was seen to be ignored. Australians want to see their banks behaving like good corporate citizens. That means taking care of the environment as appropriate, being socially responsible and having the right governance to ensure those things are considered, along with the other financial and prudential responsibilities. This is not straightforward; however, often banks can make a decision they believe to be right, and find it brings reputational damage from some parts of the community. What banks need to be able to demonstrate – to regulators, customers, shareholders, and the public at large – is how they are taking those things into account and being as open and transparent as possible.
We have seen examples where ESG controversies can have a significant impact on trust in companies. What role do banks and their legal teams play in relation to ESG risks and mitigating any adverse effects they might have on trust?
Kate Cheetham: Above all, it's about early communication and ensuring that you understand their priorities and what matters to them. You need to make sure you're really talking to them about those things, being proactive and co-operative. You need to demonstrate you get the need for a strong culture of transparency and you need to tell them when things are going well and not going well, particularly the latter!
How does a bank successfully build trust in its relationship with its regulator, and vice versa?
Anna Bligh: The first and primary regulator the banking sector needs a relationship with is the government. They can only have a good relationship when both parties trust each other to do the right thing, and if they can consistently and reliably demonstrate they are trustworthy and are demonstrably looking after their customers. That is critical to get right. Then it is worth remembering banks employ almost 250,000 Australians – they are all humans and sometimes they get things wrong. We don’t expect perfect banking, but we do expect banks to strive for excellence and when mistakes are made they are identified and fixed quickly. If banks consistently do that, they can expect a good relationship with regulators.
As law makers respond to the artificial intelligence frenzy, banks must deal with regulation in flux
Key issues relating to trust in banks' AI systems include:
Transparency – Customers need to be able to understand when an AI system has been used and, to a degree, how such systems work and make decisions (including an understanding of the algorithms, the data used and the decision-making process).
Accuracy – Customers must be confident that AI systems are accurate and reliable. This means AI tools need to be able to make accurate predictions and decisions and should be tested regularly. The quality of training data is also paramount to avoid the AI perpetuating historical bias.
Security – Customers need confidence their data is secure and AI systems will not be used to discriminate against them. Banks should ensure systems are in place to protect customer data and ensure AI systems are free from discriminatory bias.
Accountability – Customer confidence will increase if people know they can hold banks accountable for the decisions AI systems make. Banks must establish responsible governance of AI development and use inclusive processes for addressing customer complaints and concerns about AI-powered decisions.
The spectre of diverging regimes looks problematic for banks with an international footprint. But despite the varying approaches, a common theme from statements of senior officials across the globe is that the cross-border application of AI requires international convergence on governance (which will likely draw heavily on internationally agreed standards) to create practical guardrails and foster innovation. Although governments are only now sensing the urgency to police AI, through hard or soft regulation, because of the early adoption and prevalence of AI in many financial institutions, finance regulators have already launched joint initiatives aimed at aligning regulatory practices.
Global law reform on AI is still evolving, with governments grappling with the same challenges in differing ways. Some jurisdictions continue to rely on voluntary self-regulation and frameworks, while others are pushing for more targeted risk-based regulations. Banks will need to monitor developments in regulation and standards to stay abreast of compliance obligations which may vary across relevant jurisdictions. For example, the Australian Government is currently consulting on whether specific AI regulation is necessary or whether existing laws and governance tools are adequate. Countries like Singapore favour a voluntary approach to promote responsible AI governance. Others like the EU and Canada are pursuing bespoke regulatory approaches with proposed new AI laws. The US has so far relied on voluntary approaches and is consulting on how to ensure AI systems work as claimed. The UK has released principles for regulators and, to promote coherence of approach by regulators, has recognised the need for central support functions from within government that leverage existing activities and expertise from across the broader economy. G7 countries in May 2023 agreed to prioritise collaborations on AI governance, emphasising the importance of forward-looking, risk-based approaches to AI development and deployment.
The International Organization of Securities Commissions (IOSCO) published guidance in September 2021 to help market regulators supervise the use of AI by market intermediaries and asset managers. The guidance recommends six measures that align closely to the key issues identified above. Another forum is the Global Financial Innovation Network (GFIN) established in 2018. The GFIN is a knowledge and policy sharing network aimed at advancing effective regulatory responses to the use of emerging technologies in financial services. The body includes over 80 international regulators that collaborate and share approaches to complex emerging areas of regulation, including AI. Although the GFIN has conducted a survey of AI across financial institutions and regulators, so far there is no published guidance on aligning regulatory policy.
AI-driven change within legal teams. While AI and the surrounding regulatory landscape continue to evolve, in-house legal functions will need to prepare for related issues upon which they need to advise, as well as how AI will impact their own operations, processes and systems. Legal functions and operations teams will need the capability to forecast, plan and manage such shifts. Building such competencies will mean reacting to the risks AI presents while also taking a proactive, strategic approach which empowers legal talent, ultimately enabling banks to realise the potential of AI in their products and services.
AI is shaking up the finance industry as banks adopt the technology to improve a wide range of operations, from fraud detection to customer service. But while AI offers benefits for banks and their customers, it also raises concerns; both institutions and customers must have trust in AI-powered systems for such tools to be successful in the banking sector. Trust lies at the heart of the banking system and is a crucial focus in emerging AI regulation.
Further co-ordinated action along the above lines may help ensure that financial institutions do not face conflicting regulations across different geographies. And trust certainly cannot be taken for granted, particularly in sensitive areas like personal finance. Recent research conducted by our firm reveals that only 20% of UK consumers have a high level of faith that AI systems are trustworthy. Among respondents that trust AI, only 44% cited confidence in its ability to be impartial. For those who do not trust AI, 37% responded that they fear AI-system bias and 47% were concerned there are no ways to challenge or dispute the results of such systems. Whereas over 60% of consumers were comfortable for banks to use AI to spot online fraud or other criminal activities, less than half of respondents (39%) endorsed banks using AI to decide whether they receive a mortgage or credit.
The draft EU AI Act is a landmark piece of legislation that sets out a comprehensive regulatory regime for the development and use of AI in the European Union. It is the first of its kind in the AI field and, like other areas of EU regulation, it could potentially serve as a model for other jurisdictions developing their own AI regulatory regimes. The Act essentially takes a risk-based approach, with the degree of regulation in relation to an AI system depending on its function. The Act would prohibit certain AI systems which are considered to present an unacceptable risk, including AI systems for social scoring and real-time remote biometric identification. Other AI systems designated as "high risk" would be subject to the most onerous substantive requirements, including in terms of human oversight and record keeping, while AI systems that are lower risk, but which interact with individuals, would be subject mainly to transparency requirements. Foundation models, including generative AI, which may be put to a variety of different functions and therefore cannot be easily categorised in line with a risk-based approach, would be subject to separate design, transparency and information provision requirements. The list of "high risk" AI systems can be amended and may be expected to evolve over time. At present, the main "high risk" AI systems of relevance to the banking sector are AI systems used to evaluate people's creditworthiness or credit score. Banks may also use AI systems that interact with individuals, such as customer service chatbots, to which the transparency requirements would apply. The final text of the legislation is now being negotiated between the EU legislative institutions, the European Council and the European Parliament. On the basis of the European Parliament's current position, the AI Act would further require operators to make best efforts to comply with certain general principles applicable to the use of all AI systems.
These comprise principles in relation to human agency and oversight, technical robustness and safety, privacy and data governance, transparency, diversity, non-discrimination and fairness and social and environmental well-being. It remains to be seen whether these general principles will be retained in the final text. The EU AI Act is likely to have a significant impact on the way that all companies, including banks, use AI. It is expected that the text of the Act will be finally agreed and adopted during the first half of 2024 before the end of the current European Parliament's term. There will be a transition period before the Act comes into force and banks should make the most of this time to assess the impact of the Act on their AI projects and deployment plans.
The European Union AI Act – The First Major AI Regulatory Regime
Senior Consultant
Simone Hui
Regional Head, Emerging Technology (APAC)
Susannah Wilkinson
Key contacts
Partner
Natalia Rodriguez
Senior Associate
Alex Lundie
Senior Manager, Legal Operations Advisory
Tuna Kutsal
Dr. Morris Schonberg
Accuracy
Transparency
Security
Accountability
Until the emergence of a global consensus on AI regulation, financial institutions will be under pressure to work towards gaining the confidence of customers and regulators in their AI-powered systems and services. Significant investments will likely be expected to ensure they are equipped to deal with these challenges and are well-resourced to attract the right talent to develop and maintain their systems.
AI’s impact on the workplace
Rampant APP fraud raises thorny questions on liability for duped customers. A key Supreme Court ruling and an evolving regulatory landscape could provide some answers
Fuelled by the Covid-19 pandemic and increasing digital transformation of many industries, online fraud and scams are a growing problem throughout the world. For context, the UK alone reported over £1.2 billion being lost to fraud in 2022 and the banking and finance industry prevented a further £1.2 billion getting into the hands of criminals.
Fraudsters are using increasingly sophisticated methods, including investment scams, online shopping scams, online dating scams and payment direction scams (where the perpetrator impersonates a business and requests money to be sent to a fraudulent account). Of that £1.2 billion in fraud, £485.2 million was attributed to authorised push payment (APP) fraud – where individuals are deceived into sending money under false pretences – the most prevalent being purchase scams and investment scams. Banks are often unwitting facilitators of fraud, effecting the transfer of funds from victims to criminals. This has led to a growing body of case law where victims have attempted to recover lost funds from banks – with mixed results. Regulators have long seen the bank’s role as pivotal in combatting scams, and banks have a strong incentive to dedicate time and resources to address the issue. A key question now is when and how regulators will turn their attention to other businesses in the fraud ecosystem, such as telcos and digital platforms, and pursue the cross-industry collaboration required.
Bank liability – It's complicated
Generally, customers have some protection from liability by codes or regulations requiring refunds if the transaction was not authorised by the customer and the victim did not act fraudulently or negligently (eg, by failing to properly protect their device, password or PIN). With APP fraud, these codes or regulations usually do not apply because the transaction is authorised by the customer, albeit prompted by deception. Customers have sought legal remedies in these cases but courts have been cautious about imposing duties on banks beyond those in the contract with the customer and any applicable codes or regulations.
Until recently, the leading global common law authority on a bank’s duty to refrain from executing a customer’s payment instruction was the English High Court’s decision in Barclays Bank plc v Quincecare Ltd [1992] 4 All ER 363. However, in July 2023 the UK Supreme Court handed down its much-awaited judgment in Philipp v Barclays Bank UK plc [2023] UKSC 25, which considered the application of the so-called Quincecare duty in an APP fraud scenario. In summary, the judgment:
• confirmed a bank owes an implied duty to act with reasonable skill and care when processing customer payments, which applies equally to individual and corporate customers;
• confirmed that this is a narrow duty limited to interpreting, ascertaining and acting in accordance with the instructions of a customer;
• held there will never be a conflict between the bank's duty to execute a valid payment instruction and the bank's duty of reasonable skill and care because the duty will only be engaged where there are questions about the validity of the instruction.
This strongly suggests the duty of reasonable skill and care cannot be relied upon in the context of APP fraud because there is a valid payment instruction from the customer who is the victim of the fraud.
Moreover, the court concluded there is no special rule called the “Quincecare duty” as this is in essence merely an application of the duty of reasonable skill and care. The line of so-called “Quincecare duty” cases were simply examples of the court applying the general duty of reasonable skill and care to the scenario where a third-party “agent” purported to give a payment instruction on the customer’s behalf. This agency analysis is irrelevant to APP fraud because this involves a customer giving a payment instruction directly to the bank, not via an agent. The Supreme Court acknowledged expressly that the duty of a bank to carry out its customer's valid payment instructions is not without limit: a bank cannot be required to carry out an unlawful act, for example. It considered the possibility of an implied limitation on valid payment instructions, as per the Australian court’s decision in Ryan v Bank of New South Wales [1978] VR 555. In Ryan, it was suggested a bank should not comply with the customer’s instruction “if a reasonable banker properly applying his mind to the situation would know that the [customer] would not desire their orders to be carried out if they were aware of the circumstances known to the bank”. However, the Supreme Court declined to express a concluded view on whether this was the correct test to apply under English law, as it was not necessary for the purpose of deciding the appeal. The Supreme Court gave the claimant permission to pursue an alternative claim that the bank failed to take steps to attempt to recover money transferred after being alerted to the fraud, although the legal basis for this claim is unclear.
Prior to the Philipp decision, the courts of several common law jurisdictions considered the Quincecare line of authorities. It remains to be seen whether those jurisdictions will now adopt the same approach as the UK Supreme Court. For example, in Luk Wing Yan v CMB Wing Lung Bank Ltd [2021] HKCFI 279 the Hong Kong Court of First Instance held the Quincecare duty could not arise where the customer was tricked or defrauded by a third party to authorise the bank to transfer funds to the fraudster. This conclusion could have been reached on the basis underpinning the decision in Philipp, namely the existence of a valid payment instruction. However, the court applied a species of the agency analysis seen in the Quincecare cases, saying the duty could apply to protect corporate customers or unincorporated associations (where the person authorising the transfer was in fact an agent for the customer) but not an individual customer (where the person authorising the transfer was the customer itself). While both ways of analysing the issue mean a bank will not owe a common law duty to protect consumers from APP fraud, the approach in Philipp is arguably preferable for financial institutions because it provides greater certainty. In some jurisdictions, victims can also pursue non-judicial recovery, such as via the Australian Financial Complaints Authority (AFCA) or the Financial Ombudsman Service (FOS) in the UK. These avenues can hold greater prospects as the result may not turn on the strict legal position but more general notions of fairness. However, even in forums like the AFCA and FOS, customers can find it difficult to recover loss from APP fraud – for example, AFCA’s position has been that banks do not have a duty to monitor for scams and only need to act if there are clear “red flags”.
Meanwhile, the Australian Securities and Investments Commission (ASIC) has called on banks to take steps to bolster their prevention, detection and response activities, having found the four major Australian banks’ approach to scams strategy and governance was highly variable and less mature than the regulator expected. ASIC also expressed concern banks were taking overly narrow and inconsistent approaches to determining whether to reimburse customers for scam losses.
Regulatory responses – A changing environment
As governments and regulators seek newer, more effective ways of dealing with scams, reaching a position on who is liable for losses is an important piece of the overall policy response. Jurisdictions are taking different approaches, as summarised below.
In the UK, the Payment Services Regulator is pressing ahead with the introduction of a new reimbursement requirement in respect of APP fraud likely to come into effect in 2024. Under this requirement, sending payment service providers must reimburse all in-scope customers who fall victim to APP fraud. The cost of reimbursement will be split 50/50 between sending and receiving firms. The exceptions to the reimbursement requirement include: (i) international payments; (ii) first-party fraud; and (iii) where a customer has acted with gross negligence. Firms will have five business days to reimburse a customer although they may 'stop the clock' to investigate. There will be a claim excess and a maximum level of reimbursement, yet to be determined. The time limit for claims will be 13 months from the date of payment.
In the EU, the European Commission has recently published a draft new Payment Services Regulation which would introduce limited liability on payment services providers for APP fraud, specifically limiting liability to impersonation fraud (where the fraudster has impersonated the payment service provider). Like the UK requirement, there is no liability where the customer has acted fraudulently or with gross negligence. In addition, there is an obligation on the customer to report the fraud to the police, without delay.
In Asia, the Monetary Authority of Singapore (MAS) is preparing a framework for equitable sharing of losses from scams and is expected to issue a consultation paper in the third quarter of 2023. MAS is currently studying the type of scams that should be covered by this shared framework, which is likely to address the duties and actions expected of banks and telcos, as well as defining the responsibilities of customers. The proportion of losses each party bears will depend on whether and how the party has fallen short of its obligations.
The Hong Kong Monetary Authority (HKMA) has collaborated with the banking industry and law enforcement to launch the Financial Intelligence Evaluation Sharing Tool (FINEST). FINEST is a bank-to-bank information-sharing platform which helps enhance banks’ ability to share information for detecting and disrupting fraud and mule account networks. The HKMA also recognises the importance of raising public awareness and has launched the Anti-Scam Consumer Protection Charter to enhance awareness of safeguarding credit card and personal information. It has also issued a circular outlining the principles that should be applied by banks in handling unauthorised payment card transactions. These include that banks should send regular reminders to cardholders to safeguard their cards and authentication information and provide them with information on the latest large-scale card scam methods and advice on precautionary measures.
The UK regulatory position may influence the direction in Australia and has already prompted calls by consumer groups for a similar mandatory reimbursement scheme. However, it is not clear the Australian Government would support such a regime. In late 2022, the financial services minister suggested that placing liability on banks would stoke the problem, creating a "honey pot for scammers". The Australian Competition and Consumer Commission has established a National Anti-Scam Centre to co-ordinate government, law enforcement and the private sector to combat scams. Its initiatives include:
awareness raising to help Australians spot scams; building data-sharing capability and technology over the next three years to centralise intelligence on scams and distribute relevant data; a ‘fusion cell’ to combat the growing problem of investment scams.
In the UK, the Online Safety Bill is slowly making its way through the legislative process. Tech and social media companies will have to remove scam adverts from their platforms. The UK Government is also developing an online fraud charter with the technology sector. The charter is intended to ensure tech firms take action to block scams, make it easier to report frauds and ensure fraudulent content is removed swiftly. But so far the cost of APP fraud sits with financial services firms. Focus will also increasingly turn to preventing fraud at its source and removing the hurdles to collaborative cross-industry solutions. In addition to data-sharing, organisations will start to leverage the power of increasingly sophisticated machine learning capabilities. Government and industry must also lend their support to concerted awareness campaigns that draw from best practice in other areas. It is clear the fight against scammers cannot be won without education to increase consumers’ understanding of how to protect themselves. Stakeholders will also likely look to jurisdictions where the trend appears to be reversing (for example, overall fraud losses in the UK fell 8% from 2021 to 2022) and draw their own conclusions on whether the regulatory approach in those jurisdictions has contributed to that trend. In Australia, by contrast, losses to scams have been reported as increasing by 80% between 2021 and 2022. It seems inevitable regulators and governments will closely follow what is occurring in other jurisdictions and seek to adopt best practice. The debate about who should ultimately pick up the bill for fraud is far from settled.
Fraudsters use a variety of channels to reach their victims and corporates of many types inhabit the scams ecosystem. UK Finance recently reported that 78% of APP fraud cases start online (and a further 18% start via telecommunications) and around 75% of online fraud starts on social media. While many organisations are now signalling their ambitions to tackle online fraud, legislators and regulators have the challenge of ensuring they are incentivised to do so. Given their pivotal role and the tangible losses when fraud occurs, financial services firms have already been driven to action. The focus will now increasingly turn to the role others can play – for example, telcos, website providers, social media platforms and online dating providers.
The fraud ecosystem – Can other industries be liable?
Balancing act – can banks deliver social change and shareholder returns?
Heike Schmitz
Professional Support Consultant
Ceri Morgan
Global Head – Financial Services Regulatory
Jenny Stainsby
Senior Associate, Herbert Smith Freehills Prolegis
Chee Hian Kwah
Associate
Leanette Ko
Andrew Eastwood
Executive Counsel
Danielle Briers
Banks have a special opportunity to lead not only on responding to regulatory change but to engage more deeply in areas where business leadership is key.
Without question, banks are expected to support a strong financial system. In most economies, that has translated into bespoke and often intensive regulation of the sector and its role in the broader economy. Dedicated prudential regulators and prescriptive laws governing anti-money laundering and conduct requirements have been put in place to ensure banks meet expanding societal expectations. Instances of failure in the sector, whether a financial collapse of an institution or a failure to meet customer needs or community expectations, tend to be treated as examples of a breach of the trust placed in the sector and as a regulatory failure. Inevitably, the response is to update laws and regulations to guard against a repeat in the future.
With business increasingly expected to play a wider progressive role, we assess the competing demands facing finance
Transparency: Customers need to be able to understand when an AI system has been used and, to a degree, how they work and make decisions (including an understanding of the algorithms, the data used and the decision-making process).
Accuracy: Customers must be confident that AI systems are accurate and reliable. This means AI tools need to be able to make accurate predictions and decisions and should be tested regularly. The quality of training data is also paramount to avoid the AI perpetuating historical bias.
Security: Customers need confidence their data is secure and AI systems will not be used to discriminate against them. Banks should ensure systems are in place to protect customer data and ensure AI systems are free from discriminatory bias.
Accountability: Customer confidence will increase if people know they can hold banks accountable for the decisions AI systems make. Banks must establish responsible governance of AI development and use including processes for addressing customer complaints and concerns about AI-powered decisions.
For financial institutions, expectations are even higher. Unlike many other corporates, banks are often seen as having a special opportunity to lead not only on responding to regulatory change but to engage more deeply in areas where business leadership is key. Banks occupy an influential position as not only large businesses and employers, but financiers and facilitators of investment and economic growth. As large employers, the business case for banks to embrace a leadership position is often made citing research that staff want their business leaders to have a positive policy impact in areas like jobs, wage inequity, technology and automation and climate change.
And so, as diverse stakeholder groups call for businesses more broadly to step up on social issues, that pattern of rising regulation appears in many jurisdictions. Waves of disclosure and transparency regulation are evident, as are comparable reporting requirements for supply chains, covering disclosures as diverse as modern slavery, diversity, gender, environmental impacts and carbon emissions. These are being followed by due diligence and other obligations to take action to address specified risks. Amid this backdrop, questions inevitably arise about whether more regulation is the answer.
The reality for banks is more complex. Publicly advocating a position in social conversations on matters of reputational risk invokes a range of sometimes conflicting reactions. Banks have already been subject to green-washing and social-washing complaints. So too when banks make decisions based on reputational risk or ethical considerations, discussion can arise about the appropriate role of banks in society. Reconciling such complex trade-offs is not easy but recognising the competing demands on financial institutions might help point to where laws and regulations could provide better frameworks for the sector. For example, banks could benefit from the growth in broader business regulation towards disclosure, due diligence and transparency. Lenders have long recognised the risk of being associated with customers and ultimate recipients of financing that are outside their control, leaving banks to undertake their own often extensive due diligence on customers and proposed investments. Moves to regulate reporting and transparency can lend support to what banks are already required to do privately. For example, modern slavery reporting is leading corporates to assess the social impact of their supply and value chains, thereby increasing the access of banks to reliable information to manage their own ethical and regulatory risk. Anti-money laundering regimes are an area where the meeting of regulation and social expectation presents frequent challenges. Many social issues are not merely political matters but are legal compliance matters (eg, human rights or corruption). Equally, banks have faced criticism for slashing their risk exposure, whether on risk appetite grounds or given the high costs of the enhanced due diligence and monitoring required to manage the risk associated with certain customers.
International standards requiring diligence on politically exposed persons (PEPs) can also conflict with the personal interests of domestic policymakers who may be classed as PEPs. Obligations relating to transparency and fairness to customers may conflict with financial crime and particularly tipping off considerations where exit decisions are made. Tools such as screening mechanisms, and potentially private-private information sharing initiatives, may risk multiplying the impact of these issues for affected customers.
When banks make decisions based on reputational risk or ethical considerations, discussion can arise about the appropriate role of banks in society.
The days of simply focusing on the bottom line seem a distant memory. Companies, including banks, are now expected to lead on social causes. That expectation reflects a level of confidence in business to deliver and address issues well beyond producing financial returns for shareholders. And yet such competing demands are not easy to reconcile. On the one hand, we see new waves of regulation, accompanied by a common belief that business needs to have or play more than a narrow economic role. On the other, questions are raised about the limits of business (and banks) as social actors and the tension between responsibilities to shareholders and emerging stakeholder groups calling for change. What opportunities and challenges does this present for banks? How can the banking sector position itself to address these opportunities and challenges? Is there a way to meet competing expectations while building trust?
Against this backdrop, requiring the wider business community to improve diligence and disclosure activities across a range of social and ESG measures within supply chains and more widely may aid the banking sector as it meets existing financial crime obligations, as well as broader community expectations. Greater clarity and certainty regarding the outer limits of financial crime obligations and expectations would also be beneficial. For all these reasons, embracing calls for greater diligence, disclosure, and transparency around social factors across the wider business sector might just help to widen the narrow path currently facing banks trying to reconcile such divergent aims. Rather than having the sector try to navigate competing demands, it is rightly the domain of policymakers to translate societal expectations into requirements not only for banks but the entire business sector. Shifting reputational and ethical considerations into clearer legal frameworks provides a platform not only for banks to align their internal strategies with shareholder and customer expectations, but to encourage the broader business community to join the banking sector in leading on social imperatives.
Timothy Stutt
Rebecca Perlman
Professional Support Lawyer
Natalie Shippen
Leon Chung
Susannah Cogman
Antony Crockett
Jacqueline Wootton
A rising bar – why maintaining trust is getting harder for banks
Regulators expect institutions to build controls that respond to the full range of operational perils including legal, regulatory, compliance, conduct, technology, data and change management risk.
Globally, prudential regulators have a renewed focus on ensuring the banking sector is managing operational risks and is resilient to potential disruptions. This focus responds to global events as well as changing business operations. The Basel Committee on Banking Supervision (BCBS) defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. Operational resilience is the outcome of effective management of such risk, ensuring critical operations can be maintained through disruptions.
With regulators refreshing their stance on operational risk, resilience has become key to banks' relationships with their customers
Such risk is inherent in the day-to-day of a bank. It does not arise from a particular activity or business model. However, recent events have influenced the focus and expectations of regulators as they modernise their guidance. A decade ago, regulators were primarily focused on capital resilience and conduct. Following Covid-19, the rise of cyber-attacks and climate threats, we have seen increased emphasis on ensuring the banking sector is resilient to external factors and relationships, particularly banks' dependency on third party suppliers for cloud and other information and communication technology (ICT) services. Regulators expect institutions to build into their risk management controls that respond to the full range of operational perils including legal, regulatory, compliance, conduct, technology, data and change management risk. The focus of regulators can be seen in the following:
Operational risk management
The Australian Prudential Regulation Authority (APRA) finalised its Prudential Standard CPS 230 in July 2023. Covering operational risk, business continuity and service providers, the agency stated in its consultation that the new standard “is intended to ensure that APRA-regulated entities are well positioned to meet the challenges of rapid change in the industry and in technology more generally”.
In 2022, following the work of the BCBS, the Hong Kong Monetary Authority (HKMA) introduced significant revisions to its guidance, including a new module, OR-2, on operational resilience under its Supervisory Policy Manual (SPM), as well as updates to module OR-1 on operational risk management and TM-G-2 on business continuity planning. Module OR-2 provides guidance on developing a holistic resilience framework and highlights expectations regarding the risk management which banks should take into account at a minimum, namely, operational risk management, business continuity planning and testing, third-party dependency management and information and communication technology (including cyber security).
The BCBS has been at the forefront of refocusing attention on operational risk, with the release of updated “Principles for the Sound Management of Operational Risk” as well as issuing “Principles for Operational Resilience” in March 2021.
A critical part of cyber preparedness is to simulate severe but plausible scenarios in exercises for the organisation’s incident response/crisis management teams, the board and third-party suppliers that provide critical services. Incident response plans must be critically tested to ensure they offer practical guidance during the incident (often in checklist form), rather than existing as a compliance document. It is becoming common for organisations to have separate (but aligned) incident response plans for multiple teams including information technology, legal, crisis management and the board. Effective planning ensures the delivery of a timely and thorough response to incidents, particularly ensuring that there is good governance in respect of any public statements.
Cyber security incidents and technology failures are increasingly recognised as having the potential for significant disruptions to the operation of financial institutions. In the BCBS’s updated “Principles for the Sound Management of Operational Risk”, effective ICT performance and security is specifically cited as “paramount for a bank to conduct its business properly”. Controls around ICT risk management and cybersecurity measures are recognised as essential to ensuring the bank’s operations. While ICT was considered in the 2011 version of the Principles, the focus has markedly shifted.
Cyber security risk
Global cyber threats continue to increase, with evolving and increasingly sophisticated adversaries, including organised criminal groups and nation-state-backed actors. In response to this, regulators are imposing or considering new rules to deliver greater resilience in critical national infrastructure and important business services, including banking. Common global features in rules include greater obligations to notify regulators and intelligence agencies; enhanced obligations upon individual directors in relation to cyber security (both greater expertise on the board and better oversight by the board); and an emphasis on tighter control of the supply chain, in light of high-profile attacks affecting large volumes of organisations such as the SolarWinds, GoAnywhere and MOVEit attacks. Examples of the new approach are the EU-wide NIS2 Directive and its UK equivalent in Europe as well as financial services specific provisions such as DORA. To manage cyber security risk firms should undertake periodic threat assessment and risk mitigation. They should structure and control daily operations to ensure delegations are managed and reviewed (and increased cyber security know-how at senior levels within firms should support that goal). In light of supply chain risk, contractual arrangements with third-party suppliers should be reviewed and enhanced if necessary. Not infrequently, firms find their contracts lack provisions they might need in the event of an incident – such as prompt provision of information about the incident, the right of audit or appropriate indemnities.
While traditional oversight of outsourcing arrangements has focused on relationships with third parties carrying out services that would otherwise be performed in-house, regulators are increasingly alive to the risks posed by service providers offering new services (especially cloud and other ICT) and concentration risks of over-reliance on a small number of suppliers industry-wide. Regulators are not only focused on the risks associated with the direct service provider. They are also scrutinising risks posed by the service provider’s own underlying service providers, looking through to fourth-party risks. Meeting regulators' expectations and managing this fourth-party risk requires an increased level of due diligence, governance and oversight by banks on their counterparty and their counterparty’s contractual arrangements with others. The risks associated with downstream service providers can be easily imagined. However, undertaking due diligence and implementing controls on these relationships raises practical challenges (e.g. lack of any contractual relationship with, or visibility over, the fourth-party) that must be factored into the upfront contractual negotiations and the ongoing oversight of those services. Failure to implement robust controls on these service providers not only places a bank at risk of failing to satisfy operational resilience regulatory requirements but may lead to irreparable damage to customer trust in the service offered by the bank.
In efficiently onboarding customers, developing new apps and ensuring that data is stored securely, for example, banks are reliant on ICT service providers. Recognising that a bank’s service to the customer is contingent on the ability of those service providers to perform their function, prudential regulation is increasingly focused on the management and resilience of service provider relationships.
As banks compete to provide customers with the most user friendly and reliable service, they are under pressure to ensure their service is adapting to customer demand for more convenient methods of banking, especially digital. At the same time, customers expect banks to keep their information and money secure.
Supply chain and material service providers
While the BCBS’s 2011 Principles for the Sound Management of Operational Risk included expectations in respect of the board and senior management, this was identified as an area that had not been adequately implemented. The 2021 revision includes more detailed guidance on the expectations of boards and senior management. In Australia, part of the regulatory reform is to place more obligations on boards to engage with non-financial risk. CPS 230 will place ultimate responsibility for operational risk management on boards, requiring senior managers to provide clear and comprehensive information to the board on such risk. The new HKMA SPM module OR-2 contains detailed guidance on the roles of the board and senior management respectively in relation to the operational resilience framework required to be implemented by regulated banks in Hong Kong. The UK PRA and FCA have introduced express requirements for bank boards and senior managers to review and approve various elements of the bank's operational resilience framework. Individuals can be personally accountable: in April 2023, the PRA fined TSB’s former CIO for failing to take reasonable steps to ensure that TSB adequately managed and appropriately supervised its outsourcing arrangement in relation to its 2018 IT migration programme.
Regulators globally are placing more explicit responsibility on boards and senior management of banks for operational risk management.
Senior management responsibility
Operational risk management and ensuring operational resilience is a global focus as external events such as cyber, climate and Covid-19, and growing dependency on ICT third party providers in the digital age, place operational risk in a new light. While regulators update their approach to operational risk management, the importance of ensuring banking services are delivered reliably, data is protected and funds are secure remains central to customer demands.
The European Union (EU) introduced in December 2022 a new regime for the management of digital operational resilience and regulator oversight of critical ICT third-party service providers (the EU Regulation on digital operational resilience for the financial sector (known as 'DORA')). Banks must comply from January 2025.
In the UK, following high-profile service failures in the banking sector, the Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) developed supplementary requirements on operational resilience, effective from March 2022. Banks must identify their important business services; set impact tolerances for disruption to those services; map resources relied on to operate those services; and undertake scenario testing.
Knowing your money is safe with your bank is at the heart of the relationship between a bank and its customer. However, a bank’s trusted position is not only centred on the safety of the customer’s funds – protection of data and reliability of access to services (especially digital) are growing aspects of the relationship between institution and customer. Ensuring controls are embedded into a bank’s risk management framework to create resilience to operational risk is a renewed global regulatory priority.
Phillip Magness
Valerie Tao
Consultant
Kate Macmillan
Alice Molan
Trust and verify – can tougher oversight help crypto launch a comeback?
Partner, Head of Financial Services Regulatory, Asia
Clive Cunningham
Partner, Intellectual Property and Global Head of Cyber & Data Security
Andrew Moir
Charlotte Henry
Volatility and insolvencies have raised questions over the future of digital currencies but regulation could bring needed trust and clarity. We track global progress
Nonetheless, digital assets seem here to stay. Industry players, consumers, investors, banks and central banks recognise the important use cases of certain types of digital assets. There has been a multi-year pilot by six central banks for a wholesale central bank digital currency (CBDC) to settle between them and various countries have conducted pilots for a retail CBDC. In addition, crypto remains a popular investment and is now becoming a more widely accepted payment value. Meanwhile, certain stablecoins are becoming mainstream (eg, USDC and MasterCard bringing stablecoin onto its networks) and non-fungible tokens (NFTs), unique digital assets registered on blockchain, continue to have a place in an increasingly digital world.
Given the vulnerability we have seen, the question becomes, if digital assets are going to remain, is there any way that trust can be restored? Ironically for a field defined by its free-thinking individualism, the most likely path to mainstream recognition and renewed confidence looks to come via more effective and globally-co-ordinated regulation.
The global financial landscape has witnessed a dramatic trend in the rise of cryptocurrencies. According to the World Economic Forum, 2021 was the year crypto markets boomed with the sector’s total market cap growing by 187.5%. Meanwhile, the blockchain technology which underpins most cryptocurrencies has been applauded as a solution to longstanding issues in the financial sector such as fraud or data manipulation.
However, the collapses of Terra Luna and FTX in 2022 were significant events in the history of cryptocurrency, wiping $240 billion off the market in a matter of days. This, coming amid a period in which valuations had already dipped substantially against 2021, resulted in investor confidence faltering further. This prompted some to declare the arrival of a crypto winter and served as a reminder of the vulnerability of the cryptocurrency ecosystem. Understandably, this has resulted in the most significant display of a lack of trust of this customer base – de-banking. And it has become a global phenomenon. In the UK, the Guardian reported that in 2023, banks were closing more than 1,000 accounts every working day due to de-banking (albeit not just of crypto exchanges) which has led one minister to call for a royal commission to investigate this “scandal”. In fact, this is the reason why some regulators (for example, Australia’s anti-money laundering regulator) do not include the c. 440 crypto exchanges that they license on any publicly accessible register.
An increasingly global and refined approach to regulating the custody of cryptoassets, licensing virtual asset service providers and enforcement action will play a huge role in earning trust back and helping the sector develop products and services that can win mainstream appeal. As this framework develops, consumers should find comfort from the protections and conduct measures in place to safeguard them from harm when engaging with cryptoassets.
Each of the US, UK, Australia, Singapore and Hong Kong has new, proposed or under-consultation regimes which are focused on the safeguarding of customers' crypto and virtual assets. These requirements contemplate a regime for custodians which applies and adapts the existing frameworks for traditional finance custodians but for crypto. This includes: (i) a licensing requirement; (ii) arrangements to safeguard investors’ rights to their assets including segregation of customers’ funds and assets from those of the licensee; and (iii) designating key personnel to be responsible for the provision of the custody services.
The FTX collapse was primarily caused by customers' assets (both crypto and fiat) not being appropriately safeguarded. Billions of customers' funds were allegedly converted to a single token which then lost its value. Even before the FTX collapse, regulators globally were at different stages of considering frameworks for digital assets with the focus being on custody.
Global regulatory responses
Regulation of custody
Hong Kong has recently introduced a Virtual Asset Trading Platform (VATP) licensing regime, which came into effect in June 2023. It requires centralised virtual asset trading platforms to obtain a licence to carry on business in Hong Kong or actively market their services to local investors. The VATP regime applies to virtual assets - which will include utilities tokens, payment tokens, governance tokens and security tokens - and introduces several key licensing requirements. These include capital requirements; fitness and properness requirements for the corporation and its representatives; approvals of directors and ultimate owners; the requirement to have responsible officers; anti-money laundering/combatting the financing of terrorism (AML/CTF) obligations; and robust ongoing compliance controls and procedures. Australia has had a licensing regime for digital currency exchanges for some time but primarily focusing on those entities’ compliance with AML/CTF obligations. The Financial Stability Board, International Monetary Fund and the Bank for International Settlements published a Global Regulatory Framework for Crypto-Asset Activities on 17 July 2023 and a Synthesis Paper on Policies for Crypto-Assets on 7 September 2023. As with any regime that requires licensing, it will allow markets, consumers, investors and others to gain a level of trust in relation to the activities of the entity. This is primarily because licensing leads to regulatory supervision and enforcement, auditing and assurance, reporting and disclosure together with the maintenance of minimal levels of capital.
Regulation of exchanges
Some jurisdictions have also focused on the digital asset itself. For example, the UK has introduced new powers to bring cryptoassets within the scope of regulation as a type of financial product. The UK Treasury intends to create various regulated activities relating to cryptoassets which would mean these firms would either need to be authorised (licensed) or exempt to carry out those activities nationally.
Regulation of digital assets
Others are looking also to license the exchange itself. For example, Singapore has introduced a licensing regime regulating digital payment token (DPT) services under the Payment Services Act 2019. Regulated DPT services currently include facilitating the exchange of DPTs and buying and selling DPTs. However, this will be extended to a further seven services, including custody and DPT transmission once the Payment Services Amendment Act 2021 comes into force. The Monetary Authority of Singapore (MAS) has also proposed further regulatory measures to increase investor protection and prevent market abuse and unfair trading practices. Such measures include segregation of customer DPTs, safeguarding of customer funds, enhanced disclosures and prohibiting the staking and lending of retail customers' DPTs.
In Singapore, MAS has placed certain unlicensed crypto exchanges on its Investor Alert List where the exchanges were seen to be actively soliciting users in Singapore specifically, eg, by offering listings in Singapore dollars and accepting Singapore-specific payment modes.
In Australia, the financial services regulator ASIC has started to bring court proceedings against crypto-product providers too. In December 2022, ASIC filed court proceedings against Finder Wallet Pty Ltd for allegedly providing unlicensed financial services, as well as breaching product disclosure requirements and not complying with design and distribution obligations. Finder offered a crypto-asset related product, Finder Earn. ASIC alleged that the Finder Earn product was a debenture regulated by Australian law.
In the US, the Securities and Exchange Commission (SEC) made cryptocurrency-related enforcement a priority, bringing 30 actions against 79 defendants or respondents in 2022. Several of those enforcement actions arise from the regulator’s determination that digital assets transactions carried out on crypto currency exchanges are necessarily subject to US securities legislation. While one court recently rejected the SEC’s position, the agency has vowed to appeal that ruling. Accordingly, to the extent cryptocurrency issuers continue to provide unregistered offerings, they are at risk of being found to be contravening securities laws.
Until a regulatory framework is in place globally, there is also the protection of courts and regulators who step in using existing tools and frameworks to target bad actors and questionable products. This has been helpful to stop abuse but existing frameworks are not always suitable for digital assets and so only those assets that neatly fall within existing financial product regimes can be caught. This can create regulation by enforcement. Most of the enforcement has come from the US but it has increased in Australia recently.
Enforcement
Xavier Amadei
Philippa Stone
Michael Jacobs
Partner, Head of US Securities
Tom O'Neill
Of Counsel
Thomas Vaughan
Dinesh Banani
Funding net zero with confidence
Marina Reason
Michael Jones
Rigorous due diligence, ambitious targets and robust reporting and verification will remain key to maintaining trust in sustainable finance products.
The burgeoning sustainable finance market has led to the development of industry standards and guiding principles by bodies such as the International Capital Markets Association (ICMA) for bonds and the Loan Market Association, Asia Pacific Loan Market Association and the Loan Syndications and Trading Association for loans. These set out to aid the development of a robust sustainable finance market and ensure that labels attached to finance products have integrity. Greenwashing is a complex subject. In this article we will focus on the mitigation of product-level greenwashing through careful structuring, extensive due diligence, disclosure, reporting and verification and, to a certain extent, contractual protections to maintain and build trust in sustainability-linked loans and bonds.
Sustainable finance is an important tool in the drive to net zero. However, it will only form part of the enormous contribution required if market participants can trust in the integrity and credibility of sustainable finance products. Any sign of greenwashing and the reputational risk of allegations of greenwashing can affect all participants. Sustainable finance covers a wide range of products: "use of proceeds" loans and bonds can be deployed to finance particular "green", "sustainable" and/or social projects. Sustainability-linked bonds and loans, where a margin adjustment may arise where particular sustainability targets are not met (or are met), are useful tools in a corporate's sustainability strategy.
Circumstances may change during the life of an SLL or SLB such that the existing targets are no longer appropriate or are not sufficiently stretching (or too difficult to achieve). There may be a corporate event, such as an acquisition, a change in circumstances or in the business of the group, or a change in regulatory standards applicable to the borrower group. In these circumstances, in an SLL it may be a contractual requirement that the parties come together to negotiate new SPTs (the so-called "rendezvous" clause, with a failure to agree in a particular timeframe again leading to declassification of the loan as an SLL). This approach is not practical in the bond market, where an issuer would typically include contractual recalculation provisions in the terms and conditions of the bonds to permit appropriate recalculation without holder consent. There are typically robust contractual reporting and verification requirements in both SLLs and SLBs to allow lenders and investors continued assessment of the borrower's performance against the targets. Verification of performance against the SPTs by an independent external reviewer with relevant expertise at least annually is a feature of both the sustainability-linked bond and loan markets, and any external verification report should also include information to assist lenders or investors in determining if the targets remain relevant and stretching.
For sustainability-linked loans (SLLs) and bonds (SLBs), the position is more complicated because these are forward-looking performance-based products. For these products, the ICMA SLB Principles and the loan market SLL Principles both focus on the critical requirements for ambitious, stretching sustainability performance targets (SPTs), as well as regular reporting with external verification. Much of the work in ensuring the robustness and ambition of the initial SPTs comes during the structuring phase. Market participants are grappling with the consequences of failure to meet the SPTs: in almost all cases, failure to meet these targets leads to an increase in margin or coupon (or premium). In the wider context, failure to meet the SPTs on occasion could be viewed positively, in that it demonstrates the targets are sufficiently stretching and ambitious. However, repeated failure to meet them might lead to an SLL, for example, being declassified as such, and therefore no longer benefiting from the pricing advantage or being publicised as an SLL. Claims, terminology and labels all need to be appropriately calibrated.
Sustainability-linked loans and bonds
Use of proceeds products are often relatively straightforward. This is because they rely on the funded project or development being "green" or "sustainable" and therefore rely mainly on disclosure, due diligence and on-going reporting and verification in sufficient detail to give lenders and investors comfort that stated aims are being appropriately pursued.
Use of proceeds
In an SLL, which is not public, lenders will also be concerned about the accuracy of information provided by the borrower group (which they may need to rely on in their own reporting) and in having a right to receive and disclose to relevant parties the information they need. These are reflected in an information representation and covenant. In an SLB, failure to meet contractual reporting and verification covenants could lead to triggering the relevant coupon step-up or premium payment. The quantum of the change in margin or coupon has historically been small, possibly to avoid linking sustainability performance too closely with a financial premium for one side or the other. The corollary of this, particularly in SLLs, is that the cost to the borrower of compliance with onerous reporting and external verification requirements, legal fees involved in negotiating terms to avoid hair-trigger declassification events, and management time required for dealing with an SLL may all be greater than the interest saving at stake. To mitigate this and ensure that the product continues to remain attractive to borrowers, existing reporting and audit obligations can be used as part of the reporting and verification matrix.
The continued development of a sustainable finance market will be crucial to the drive to net zero, given the vast sums required to drive decarbonisation at a global level. Equally, it is important to minimise the scope for allegations of greenwashing in relation to SLBs and SLLs and there are a number of ways the risk of such allegations can be minimised. The sustainability-linked bond and loan markets continue to evolve, but the most important risk mitigants currently focus on ensuring careful structuring, robust due diligence, disclosure, reporting and verification and the inclusion of appropriate contractual protections for lenders and investors. Hopefully, the ongoing evolution of the sustainable finance market will remain one with integrity and a market which investors and other market participants can increasingly trust.
Sustainability-linked derivatives (SLDs) may be included in interest rate swaps, which are often connected to a sustainability-linked financing, which use some of the same sustainability metrics and margin adjustment techniques outlined above. Alternatively, they may be included in other types of derivatives such as FX and commodities swaps. Many of the same concerns relating to ensuring the robustness of the products through diligence, reporting and verification will apply here, in the same way as to loans and bonds. ISDA has recently published sample wording for SLDs, which is expected to help develop the market approach to documentary terms.
Derivatives
Partner
Patrick Lowden
Nick May
William Breeze
Partner, Global Head of Debt Capital Markets
Amy Geddes
Emily Barry
Listing shake-ups – can markets maintain investor confidence amid major reforms?
• in certain jurisdictions, such as the UK and (to a lesser degree) the EU, the reform of the listing and capital markets rules by transitioning from a prescriptive rules-based regulatory framework to a continuous disclosure-based regime;
• in other jurisdictions, such as the US, new regulatory developments are introducing more prescriptive disclosure requirements than have historically applied; and
• in other jurisdictions, a combination of the above.
We explore the importance of trust in disclosure and due diligence as stock exchanges around the world compete for capital raisings
Underlying these initiatives is an acknowledgement of the importance of accurate and robust disclosure in maintaining investor confidence and trust, reducing information asymmetries and enabling investors to make informed decisions. However, as prescriptive rules-based requirements are weakened, investors' expectations for robust disclosure will increase, highlighting the continued importance of investment banks in carrying out due diligence on companies to ensure their reporting is rigorous.
In recent years, various regulatory initiatives in capital markets have been instigated which will shake up the capital raising landscape. This is being undertaken not only to improve the efficiency of capital markets and enhance disclosure practices, but as part of a more competitive landscape for initial public offerings (IPOs) as markets continue to globalise. These developments include:
There is an acknowledgement of the importance of accurate and robust disclosure in maintaining investor confidence and trust.
In the UK, proposed capital markets reforms are intended to bolster the country's status as an international destination for public offerings and listings and improve the efficiency of the capital raising process. Moreover, they look to unwind trends that have resulted in UK pension and insurance funds dis-investing in UK equities.
Widescale reform of the UK's listing and capital raising framework has been proposed, with relaxations on eligibility requirements and the opportunity to undertake significantly larger equity capital raises without publishing a prospectus expected to be implemented. This shift will decisively place the onus on the UK's continuous disclosure regime to maintain market integrity – with issuers continuing to ensure that announced information is accurate and complete while also placing more disclosure risk on investors in the absence of a prospectus. Historically, the UK has long been recognised as having a gold-plated listings framework with enhanced shareholder protections in place which seeks to maintain market integrity and manage conflicts of interest, for example, by prohibiting dual class shares and requiring shareholder approvals for large, related party transactions. The UK Financial Conduct Authority (FCA) is considering how the standards and rules applying to companies seeking to list or which are already listed in London can be relaxed while maintaining the high standards of corporate governance, shareholder rights and transparency for which the UK is known. The FCA is due to announce its conclusions in the second half of 2023. However, a significant consequence of moving from a prescriptive rules-based approach to a disclosure-based regime (for instance, in relation to related party transactions and increasing the number of undocumented capital raisings) is a heightened expectation by investors for the level of detail of disclosure and due diligence undertaken by key market participants, including banks. Also, given the increasing importance of the US investor base in UK equities, investment banks will need to determine how to apply US due diligence and disclosure standards when securities are offered into the US consistent with their global requirements in large capital raises. 
This will likely place more emphasis on the quality of continuous corporate and financial reporting.
These reforms are expected to heighten investor risk in the UK equity markets as the regime shifts away from prospectus-based disclosure and waters down the management of conflicts of interest – with the FCA being clear investors need to adapt their attitude to risk. It is also recognised that these reforms are only one aspect of the capital markets ecosystem and, alone, will not radically improve the UK's competitiveness, with the UK Government looking at more sweeping reforms across the financial services industry.
Capital raising reforms in the UK
The EU Listing Act is intended to apply more proportionate requirements to companies and some of the reforms are similar to UK initiatives, such as increasing the threshold at which a prospectus is required for a secondary issuance. Proposed arrangements intended to simplify the secondary capital raising process face similar hurdles to those under the UK reforms in ensuring sufficient disclosure.
The EU Listing Act
The European Commission has introduced the EU Listing Act with the aim of reducing administrative burdens on businesses and to promote European public market activity in the context of the Capital Markets Union.
Historically, US securities laws have focused on disclosure (as opposed to mandatory corporate governance requirements) as the primary basis for establishing trust among companies, investors and investment banks. The importance of the US institutional investors to global capital markets has also meant that issuers in non-US markets have historically looked to the US disclosure rules as a key reference point for drafting clear, accurate reporting in prospectuses used for international securities offerings. Moreover, the well-known process for investment banks to establish statutory due diligence in the US against securities-related claims has led many of these banks to adopt US processes globally for offerings which are distributed into the country.
In recent years, the US Securities and Exchange Commission (SEC) has continued to focus on the importance of high-quality reporting in capital markets reforms. However, these recent reforms have contained disclosure requirements that are significantly more prescriptive than has historically been the case. For example, in 2023, the SEC adopted share buy-back disclosures which require US-listed issuers to release detailed daily share buy-back data on a quarterly basis. The regulator has also adopted reporting requirements which will require US-listed issuers to have specific procedures to report material cybersecurity incidents to the market on a timely basis. Later this year, it is expected the SEC will adopt detailed climate-related reporting requirements for US-listed issuers that will significantly increase the amount of information companies are required to release (although similarly prescriptive ESG reporting trends are being observed in the UK and Europe). The above developments will place increasing compliance pressure on US-listed issuers and enhance due diligence procedures adopted by investment banks. Given the importance of US due diligence procedures for large international offerings (which are typically offered into the US under Rule 144A of the US Securities Act), change in US disclosure and due diligence practices will impact the UK, European and Asian capital markets.
US disclosure reforms
In Southeast Asian jurisdictions, such as Thailand and Indonesia, banks are increasingly requiring issuers to apply more demanding Rule 144A due diligence and disclosure standards for offerings to international investors, including for those offerings that do not include a US tranche. This has generally promoted best practice for due diligence and disclosure in these markets and subsequently increased levels of investor confidence.
In major Asian markets, including Hong Kong and Singapore, more prescriptive due diligence requirements are being introduced in connection with securities transactions, particularly for IPOs. For instance, the Monetary Authority of Singapore has set out mandatory baseline standards of due diligence for corporate finance advisers and a requirement for assessment and verification of material statements relating to, and given by, third parties.
The Asian perspective
For example, Australian practice for IPOs involves formation of a due diligence committee to assist the issuer and all participants (including the investment banks, as underwriters have deemed prospectus liability) to comply with applicable disclosure requirements. The diligence process undertaken for IPOs contrasts with a quicker-to-market and less formal process for secondary offers by existing ASX-listed companies. Rights offers by such companies can be undertaken on a low documentation, accelerated basis, with only information not already disclosed to ASX needing to be disclosed. Although investment banks do not have deemed liability for low documentation rights offer disclosure, there is still in effect an "all material information" obligation and companies generally undertake a due diligence committee process for rights offers (although investment banks are not typically members of the due diligence committee). Secondary offering structures in Australia are one source of inspiration for reforms in the UK and it remains to be seen whether investment banks in the UK will be willing to rely on a London-listed issuer's continuous public disclosure to largely satisfy materiality requirements for disclosure in secondary offerings.
The fundamentals of the Australian disclosure regime for securities offerings have been stable for some years, with the due diligence process tending to involve a high degree of co-operation and trust among the issuer, underwriters and the other advisers.
Perspectives from Australia
In recent years, there has been a growth in securities litigation and regulator-driven redress measures in many jurisdictions. The trend towards principles-based regulation in jurisdictions such as the UK is likely to increase disputes given the enhanced subjectivity in determining the requirements for disclosure and likelihood that judgment calls will attract criticism when assessed with hindsight. As a result, investment banks may come under increased pressure to ensure robust due diligence is undertaken to support high quality disclosure. This may stem from the need to fulfil formal sponsor or other regulatory or legal obligations or from the need to manage their legal and reputational risk. Shareholder activism also increases the focus on accurate and complete disclosure, with activists aiming to highlight failings in certain areas such as ESG reporting. The potential for increased scrutiny on disclosure, whether through legal or regulatory actions or shareholder activism, stresses the importance of the due diligence process in establishing accurate and complete reporting as cornerstones of trust in capital markets.
Litigation, regulation and shareholder activism
Carbon-based – creating trust in voluntary offset markets
As more companies set net zero targets and ESG scrutiny mounts, stronger governance and greater transparency become key
Several factors have led to the growth and increased scrutiny of carbon markets. Firstly, about 75% of countries now have net zero targets announced or proposed (covering close to 90% of global emissions) and around 45% of companies world-wide have made net zero commitments, while ESG and social licence pressures more generally continue to increase. Carbon emissions offsetting via the purchase of offsets from voluntary carbon markets is often the least expensive and most accessible option to achieving emission reductions. While decarbonising operations and supply chains will become an increased focus for companies, it is also evident that voluntary carbon markets will play a significant role in global efforts to reduce emissions. This is especially true for carbon-intensive industries with unavoidable or hard-to-abate emissions and the supply chains that depend on them.
As such, while the voluntary offset market was worth just $2 billion in 2021, according to the Taskforce on Scaling Voluntary Carbon Markets, exponential growth should be expected. By 2050, BloombergNEF estimates demand for offsets could increase 40-fold to 5.2 billion tons of CO2 equivalent (or 10% of current global emissions) and be worth over $250 billion. Projections for the future growth in carbon markets have led banks, investors and commodities traders to claim stakes and led many major banks to establish dedicated divisions to monitor and provide services in the trading of carbon credits. These include Macquarie Bank, BBVA, BNP Paribas, Citibank, ANZ, NAB, CBA and Westpac. The key challenges to the growth and efficacy of voluntary carbon markets globally are twofold: the fragmented nature of the markets currently (including the lack of an international carbon market) and the lack of governance, standardisation and transparency surrounding such markets. However, there are recent developments that strengthen confidence in respect of tackling each of these challenges.
Voluntary carbon offsets are currently traded bilaterally or in a piecemeal fashion across a handful of commodity exchanges/regional carbon platforms. Last year BNP Paribas, CIBC, Itau Unibanco, NAB, NatWest, Standard Chartered and UBS announced a new global platform, Carbonplace, to help scale up transactions of voluntary carbon offsets and make it easier for their customers to trade in such credits with confidence. Carbonplace utilises distributed ledger technology to ensure robust reporting and traceability of credits and is targeted to be available to the banks' corporate clients later this year (with the longer-term view of potentially being generally available to retail customers). Carbonplace is the most ambitious carbon trading platform to be developed so far, aiming to connect the various disparate markets, registries and exchanges for voluntary carbon offsets to customers and its effectiveness will be keenly observed by many.
International carbon markets – Updates
The lack of governance, standardisation and transparency surrounding voluntary carbon markets has given rise to concerns around the integrity of voluntary offsets and undermined both investor and end user confidence.
The lack of governance, standardisation and transparency surrounding voluntary carbon markets has given rise to justifiable concerns around the integrity of voluntary offsets and undermined both investor and end user confidence in such markets generally. To address concerns there have been numerous initiatives and reviews at international and national levels in recent years to try to improve the integrity of emissions offsets and rigour of carbon markets.
On a global level, the Integrity Council for the Voluntary Carbon Market (ICVCM) acts as an independent governing body for the voluntary carbon market and in March this year published a set of ten quality standards, known as the Core Carbon Principles (CCPs). The highly-anticipated CCPs aim to provide a market-wide, cohesive set of standards for quality and integrity of carbon offsets. The overarching themes of the CCPs are governance, emissions impact and sustainable development, including principles to ensure:
The Program-Level Assessment Framework (which sets out criteria to ensure the consistent assessment by the ICVCM as to whether carbon-crediting programmes meet the CCPs) was published at the same time as its principles. This is to be followed by a Credit-Level Assessment Framework anticipated to be released later this year which will set out criteria the credit categories must meet. To assess the quality of categories of carbon credits, working groups of internal and external experts, known as the Categories Working Group, will be separately set up by the ICVCM to review and assess categories of carbon credits. The working group will make recommendations on which categories ought to be fast-tracked for approval, which raise more complex issues and therefore require deeper assessment, and which ought not to be approved. Credits recommended for deeper assessment will be assessed by a Multi-Stakeholder Working Group, consisting of experts with specialised knowledge. Ultimately, both working groups’ findings will be reported back to the ICVCM board, which will then make final decisions on both programmes and categories of credits. New and existing credits issued under methodologies from approved categories will be able to use the CCP label. The ICVCM indicated earlier this year that carbon-crediting programmes may be able to label the first credits as CCP-approved by the end of 2023. However, as the Credit-Level Assessment Framework has not yet been released (flagged to be released mid 2023), this timing appears less likely. While not without limitations, in the absence of a universal framework accepted by all stakeholders to govern voluntary carbon markets and pending the detail of the Credit-Level Assessment Framework, the ICVCM’s principles and assessment regime will contribute to the integrity of voluntary carbon markets.
Core carbon principles
• no double counting of emissions;
• tracking of credits via registries;
• publicly available, comprehensive and transparent information on all credited mitigation activities;
• independent third-party validation and verification of credits; and
• additionality (ie, the emissions or removals would not have occurred in the absence of the incentive created by carbon credit revenues).
As part of publishing the CCPs, the ICVCM is also introducing a detailed assessment framework. This will ensure credits only receive the CCP label if both the carbon-crediting programme that issued them (for example, Verified Carbon Standard, Verra or the Gold Standard) and the credit category are assessed by the ICVCM and meet its quality criteria set out in the CCPs.
Silke Goldberg
Kathryn Pacey
Partner and Global Co-Head of Energy
Nick Baker
Neena Aynsley
Podcast – Global Bank Review
Maintaining trust and confidence is key to the success of the banking sector, and while banks are facing an increasingly challenging environment, there are also exciting opportunities to grow and innovate. Join HSF colleagues and industry experts as they explore key issues and opportunities for the banks sector.
Banking on people in an age of digital transformation: Banks and social shifts
Banking on people in an age of digital transformation: Banks and crypto
Banking on people in an age of digital transformation: Banks and scams
Friend or foe? – Assessing AI's impact on the workplace
Related listening: Banking on People - Global Bank Review
In this podcast, we discuss how the increasing use of AI is reshaping the traditional workplace across the finance sector, particularly in areas of trust, the bedrock of any relationship. Join our hosts Jenny Andrews, Chris Jones, Tyler Hendry and Sian McKinley as we try to wrestle with these issues and more.
Chris Jones
Senior Associate (Employed Barrister)
Sian McKinley
Tyler Hendry
Jenny Andrews
From harnessing new technologies and fostering a culture which embraces change, to exploring emerging skillsets, there are multiple ways legal teams can future-proof themselves. Libby Jarvis, HSF Director of Legal Operations Advisory, is joined by Jon Benson, Matt Zaba and Hannah Shillson from National Australia Bank (NAB) to discuss this and more in our latest podcast.
Director, Legal Operations, Advisory
Libby Jarvis
Balancing act – Can banks deliver social change and shareholder returns?
Our latest podcast explores the ways artificial intelligence is reshaping the meaning of trust in employer-staff relations across the finance sector
Legal team of the future
It's been hard to cut through the noise as AI continues to capture the imagination of business. The workplace has been central to the story as companies wrestle with what the technology means for them commercially and crucially for their relationship with staff. In this podcast, we discuss how the increasing use of AI is reshaping the traditional workplace across the finance sector, particularly in areas of trust, that bedrock of any relationship. Join our hosts Jenny Andrews, Chris Jones, Tyler Hendry and Sian McKinley as we try to wrestle with these issues and more.
Podcast Legal team of the future
Podcast Friend or foe? – Assessing AI's impact on the workplace
Has crypto lost its way and can regulation bring trust back?
A rising bar – why maintaining trust is getting harder for banks
Beyond the hype – will new laws win trust in banks’ AI tools?
GC Q&A with Kate Cheetham and Anna Bligh
A series on the transformation of the banking industry as it navigates the ever-evolving digital landscape while prioritising the safety and trust of its customers
Podcast