ESMA issues principles on third-party risks supervision

ESMA has issued principles on third-party risks supervision, providing harmonised guidance for supervisory authorities overseeing third-party risk management across EU securities markets.

The non-binding principles address issues such as governance, risk assessment, contractual arrangements and oversight, focusing, among other things, on third-party location, intragroup arrangements, and supply chain risks.

Closely related: While ICT risk management and ICT third-party risk under the EU Digital Resilience Act (DORA) are out of scope of the guidance, alignment with the DORA framework is ensured.

Vietnam passes landmark law on digital technology industry

Vietnam’s National Assembly passed the landmark Law on Digital Technology Industry (“DTI Law”), creating a comprehensive legal framework for the nation’s burgeoning digital economy.

Aims: The law aims to attract investment and regulate key emerging technologies, most notably providing the first formal legal recognition for digital assets, establishing a risk-based regulatory approach for artificial intelligence (AI), and creating policies to support the semiconductor industry.

Timeline: The law will largely take effect on January 1, 2026, with specific incentive policies coming into force earlier on July 1, 2025.

In summary: The DTI Law provides an unprecedented legal foundation for several critical and emerging technology sectors in Vietnam. Key provisions include:

  • Artificial Intelligence (AI): The law establishes a comprehensive set of principles for the development and deployment of AI. It introduces a risk-based classification system for AI applications, with the government tasked to detail specific management requirements for high-risk systems. A key provision mandates identification labelling for certain AI-generated content or technologies, with the specific list to be determined by the Minister of Science and Technology. The law also assigns different obligations to various stakeholders in the AI supply chain, such as developers, providers, and users.
  • Digital Assets: For the first time, the law formally recognises digital assets — defined to include virtual and encrypted assets — as a form of property under Vietnam’s Civil Code. This provides a crucial legal basis for ownership and transfer. The government is also empowered to create further regulations for the classification and management of other types of digital assets in specific sectors.
  • National Database and Incentives: The Ministry of Science and Technology (MST) will develop a national database for the digital technology industry. The law imposes a general obligation on all industry participants to provide and update data for this system. Furthermore, the law sets criteria for identifying “key digital technology products and services,” which will be eligible for various government incentives to spur growth.

Next steps: Following the passage of the law, several key implementation phases and government actions are expected:

  • July 1, 2025: The incentive policies outlined in the DTI Law for key digital products and services will come into force, providing early support for the industry.
  • January 1, 2026: The full Law on Digital Technology Industry will take effect, making the broader regulatory frameworks for AI, digital assets, and data reporting legally binding.

Future government action: Key ministries, particularly the MST and the broader government, are now tasked with developing detailed implementing regulations. This will include specifying the list of AI-generated technologies that require labelling, detailing the risk-management requirements for different AI tiers, and further clarifying the management rules for various digital assets.

Nigeria publishes draft framework to modernise AML standards

The Central Bank of Nigeria (CBN) has issued a directive mandating real-time anti-money laundering (AML) transaction alerts across all financial institutions. This move, reinforced by its draft “Baseline Standards for Automated AML Solutions,” marks a significant regulatory shift aimed at enhancing financial system integrity.

In sum: Banks must now deploy systems that enable real-time monitoring, customer risk profiling, and automated suspicious activity alerts.

Key revisions:

  • Mandatory Risk-Based Approach Implementation: Institutions must integrate a risk-based approach into AML systems to ensure resource allocation aligns with risk levels associated with different customers, products, and services.
  • Automation of Customer Due Diligence (CDD): Automated systems must support initial and ongoing CDD, including identity verification, risk scoring, and periodic reviews, ensuring dynamic and real-time updates.
  • Enhanced Transaction Monitoring Requirements: New standards require automated, rule-based, and machine learning-supported transaction monitoring that captures unusual patterns and generates alerts with minimal false positives.
  • System Audit and Validation Protocols: Institutions must establish regular validation and audit protocols for AML systems to verify effectiveness, accuracy, and compliance, including third-party audits where applicable.
  • Data Quality and Integrity Assurance: There is an emphasis on ensuring that data used by AML systems is accurate, complete, and timely. Institutions must implement controls for data integrity and reconciliation.

Implementation timeline and oversight: Financial institutions are required to align their automated AML solutions with the revised baseline standards within 12 months of the issuance date.

  • The CBN will conduct follow-up reviews and periodic industry-wide assessments to monitor compliance and system effectiveness.
  • Institutions must deliver regular training to AML personnel on the usage of automated systems and on evolving money laundering risks and typologies.

UK finalizes updated data protection legislation

The Data (Use and Access) Bill has received Royal Assent, making it the Data (Use and Access) Act, amending elements of the UK’s data protection regime.

In summary: This new Act updates key aspects of UK data protection law, including:

  • clarifying how personal information can be used for research;
  • lifting restrictions on some automated decision making;
  • setting out how to use some cookies without consent;
  • allowing charities to send people electronic mail marketing without consent in certain circumstances;
  • requiring organisations to have a data protection complaints procedure; and
  • introducing a new lawful basis of recognised legitimate interests.

The UK Government is recruiting for seven non-executive members to the board of the new Information Commission, which will replace the Information Commissioner’s Office (ICO) as the UK’s data regulator.

Looking ahead: The Government will phase implementation of the new law, commencing different changes using secondary legislation. While most provisions are expected to come into force either two or six months after Royal Assent, some may take up to 12 months.


