Sumsub Compliance Digest—December 2023 (+ Predictions for 2024)
Learn about all the latest compliance updates from the past month and our predictions for the upcoming year
Every month, Sumsub’s compliance team prepares a digest with all the latest news and updates in the world of AML and beyond. As we’re approaching the end of the year, we’re also sharing the most important regulations of 2023 and our predictions for 2024.
If you want to get the latest news every month in one place, subscribe to our newsletter.
December 2023
South Korea amends crypto legal framework
What happened?
The Financial Services Commission (FSC) of Korea has proposed detailed rules under the Act on the Protection of Virtual Asset Users (referred to as “the Act” hereinafter), which is set to take effect on July 19, 2024. The aim of these rules is to protect virtual asset users and establish a secure environment for virtual asset transactions. The Act defines the scope of virtual assets subject to the law and mandates virtual asset service providers (VASPs) to securely manage and store customers’ deposits and virtual assets. It also provides legal grounds for imposing sanctions, including criminal penalties and fines, to deter unfair trading activities involving virtual assets. The proposal seeks to specify the details that the Act delegates to its subordinate enforcement decree and supervisory regulation.
Who’s affected?
Virtual asset providers operating in South Korea
Deadline:
The proposed rules are open for public comments from December 11, 2023 to January 22, 2024, and are expected to be implemented from July 19, 2024 after going through legislative proceedings.
Read more:
FSC Proposes Rules on the Protection of Virtual Asset Users
Lugano starts accepting crypto for taxes, duties, and fines
What happened?
From December 2023, invoices issued by the city of Lugano, Switzerland can be settled using the cryptocurrencies BTC (Bitcoin), Bitcoin on Lightning Network, and USDT (Tether). This payment option is available for all invoices issued by the city, including taxes, duties, and fines, without any amount limit.
Cryptocurrency payments are available for both private citizens and businesses, complementing traditional payment methods like postal counters, e-banking platforms, and the eBill service.
Deadline:
Not specified
Read more:
The cryptocurrencies accepted by the city of Lugano for invoice payments are BTC and USDT
Spanish residents now have to submit an informative statement on crypto assets
What happened?
Natural persons and legal entities residing in Spain now have to submit Model 721, “Informative statement on virtual currencies located abroad,” to the tax authorities if the balances of each type of virtual currency abroad jointly exceed 50,000 euros at the end of the year, regardless of whether the crypto is held in a hosted or unhosted wallet.
Who’s affected?
Crypto holders residing in Spain
Deadline:
Form 721 must be submitted between January 1 and March 31 pertaining to the previous calendar year.
Read more:
Model 721. Information statement on virtual currencies located abroad
Brazil sports betting regulation is approved by the Senate
What happened?
On December 12, the Brazilian Senate approved a new sports betting regulation, amending the approach to fixed odds sports betting, stipulating tax rates for winnings/profit, advertising regulations, and operator authorization standards.
Who’s affected?
Gambling service providers operating in Brazil
Deadline:
The law needs to be approved by Parliament before entering into force.
Read more:
Sports betting regulation is approved by the Senate
Australia amends the Interactive Gambling Act
On December 6, Australia amended the Interactive Gambling Act 2001 to prohibit the use of credit cards, credit-related products, and digital currency as payment methods for interactive wagering services. The amended law also expands the Australian Communications and Media Authority’s compliance and enforcement powers.
Who’s affected?
Gambling service providers operating in Australia
Deadline:
In force
Read more:
Interactive Gambling Amendment (Credit and Other Measures) Bill 2023
UK launches a confidential online reporting service for gambling
What happened?
In December 2023, the Gambling Commission launched a new ‘Tell us something in confidence’ service to report criminal and suspicious activity anonymously online. The ‘Tell us something in confidence’ service should be used to report activity such as:
The new service provides a one-stop service allowing users to anonymously upload supporting information connected to their report, such as photographs and documents. Users can also send further information by email or post.
Who’s affected?
Gamblers and stakeholders
Deadline:
Not specified
Read more:
New online confidential reporting service launched
EU political agreement on AI regulation
What happened?
In December 2023, EU members reached a political agreement on the Artificial Intelligence Act (AI Act) proposed by the European Commission in April 2021.
For minimal risk applications, such as AI-enabled recommender systems or spam filters, there will be no obligations or requirements. However, companies can choose to voluntarily adopt additional codes of conduct for these AI systems.
High-risk AI systems will have to adhere to strict requirements, including risk-mitigation systems, high-quality datasets, activity logging, detailed documentation, clear user information, human oversight, and a high level of robustness, accuracy, and cybersecurity.
Regulatory sandboxes will be introduced to encourage responsible innovation and the development of AI systems that comply with the rules.
Deadline:
2 years*
*The political agreement is now subject to formal approval by the European Parliament and the European Council and will enter into force 20 days after publication in the Official Journal. The AI Act would then become applicable two years after its entry into force, except for some specific provisions: For instance, prohibitions will already apply after 6 months while rules on General Purpose AI will apply after 12 months.
Read more:
Commission welcomes political agreement on Artificial Intelligence Act
Digital cooperation between Singapore and China
What happened?
On December 7, Singapore and China announced that they will allow citizens of both countries to spend using e-CNY.
Read more:
Singapore and China Enhance Digital Finance and Capital Markets Cooperation
In 2023, the world of compliance witnessed a significant increase in both globalization and digitalization. This includes the development of digital identities in European and African countries, pilot projects on digital currency implementation, and cooperation between regulators around the globe.
In 2023, the EU announced the development of unified digital identity wallets
What happened?
EU eID wallets will enable access to online services through national digital identification, which will be recognised throughout Europe.
Read more:
Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity
OECD global tax transparency standard
What happened?
48 countries agreed to implement the OECD global tax transparency standard for crypto-assets by 2027. The Crypto-Asset Reporting Framework (CARF) is an important element of the International Standards for Automatic Exchange of Information in Tax Matters, created by the OECD under a G20 mandate. It facilitates the automated exchange of tax-relevant information about crypto-assets, which have gained significant popularity for various investment and financial purposes. Unlike traditional financial products, crypto-assets can be transferred and stored without the involvement of traditional financial intermediaries, like banks, and without any central administrator having complete visibility over transactions or holdings of crypto-assets. 48 countries and jurisdictions have agreed on their intention to implement the OECD’s global tax transparency framework for the reporting and exchange of information with respect to crypto-assets by 2027.
Read more:
What happened?
In June 2023, the FATF issued a report providing a Targeted Update on Implementation of the FATF Standards on Virtual Assets and Virtual Asset Service Providers. The report provides an update on country-level compliance with the FATF’s Recommendation 15 and its Interpretative Note (R.15/INR.15), covering various aspects such as the Travel Rule. It also includes information on emerging risks and market developments, including decentralized finance (DeFi), peer-to-peer transactions (P2P), non-fungible tokens (NFTs), unhosted wallets, and stablecoins.
According to the report, more than half of the 151 jurisdictions responding to the FATF’s 2023 Survey still have not taken any steps towards implementing the Travel Rule. However, during 2023, several jurisdictions have passed legislation implementing the Travel Rule.
In June 2023, the Travel Rule came into force in Hong Kong, affecting Virtual Asset Service Providers, which are required to share data on the originator and beneficiary of crypto transactions.
In October 2023, the Securities and Futures Commission (SFC) and the Hong Kong Monetary Authority (HKMA) issued additional investor protection measures for the distribution of VA-related products. In particular, these include a virtual asset-knowledge test and corresponding selling restrictions.
Read more:
Guidelines for Virtual Asset Trading Platform Operators
Joint circular on intermediary virtual asset-related activities
The UK is actively working on the development of a legal framework around crypto by
Read more:
Cryptoassets: AML / CTF regime – Registering with the FCA
Suggested read:
What is the FATF Travel Rule? The Ultimate Guide to Compliance (2023)
UAE introduces its gambling regulator
What happened?
The newly-established General Commercial Gaming Regulatory Authority (GCGRA) of the UAE is highlighting a large pivot towards regulated gaming in the region.
Read more: Commercial Gaming Regulator Established in UAE
In addition to the regulatory initiatives in the EU mentioned above, several countries issued legal frameworks that will regulate AI in the near future:
What happened?
In August 2023, the “Regulations on the Administration of Deep Synthesis of Internet Information Services”, issued by the Chinese Cyberspace Administration Authority (CAC), came into effect. According to the regulation, deepfakes cannot be used for the purpose of spreading fake news. Moreover, deepfake content must be accompanied by a warning informing users that the content is AI-generated.
Read more:
Regulations on the Administration of Deep Synthesis of Internet Information Services
What happened?
In March 2023, the UK Department for Science, Innovation and Technology published a “pro-innovation approach to AI regulation”. The consultation closed in summer 2023. Responses to the consultation will be used for the development of a comprehensive regulatory framework.
The document established five fundamental principles that will serve as the foundation for the regulatory approach towards AI in the UK:
1. Ensuring safety, security, and robustness: AI systems used in the UK should be developed and trained on reliable data to ensure their stability and effectiveness.
2. Promoting transparency and explainability: The functionality of AI systems should be understandable to users, allowing them to comprehend how the system operates.
3. Upholding fairness: AI should not compromise individuals’ legal rights, ensuring that the technology does not discriminate or show bias.
4. Emphasizing accountability and governance: There should be appropriate oversight and clear lines of accountability for AI systems, governing their ethical and responsible usage.
5. Providing avenues for contestability and redress: If an AI system causes harm, there must be avenues available for affected individuals to seek redress and resolution.
Read more:
AI regulation: A pro-innovation approach
What happened?
2023 saw a significant increase in the number of proposed state laws on AI throughout the United States. In ten states, AI regulations have been included as part of more extensive consumer privacy laws that have either been passed or are scheduled to take effect in 2023. These laws govern AI and automated decision-making by granting users the option to opt out of profiling and mandating impact assessments.
In particular, An Act Concerning Artificial Intelligence, Automated Decision-Making and Personal Data Privacy (the ‘Act’) has been in effect since July 2023. The Act establishes an Office of Artificial Intelligence with the purpose of safeguarding children against targeted advertising.
One more notable legislative act is the Final Rule on ‘Automated Employment Decision Tools’ provided by the New York City Department of Consumer and Worker Protection. The document requires employers to notify candidates about the use of AI tools in employment decisions. Generally, this legislation is drawing national attention as it pioneers AI regulation in hiring practices.
Additionally, several other states have put forth similar bills, while others have established task forces to examine the impact of AI. Concerns have also been expressed regarding AI’s effects on services like healthcare, insurance, and employment.
The EU Digital Services Act
What happened?
The Digital Services Act (DSA) and the Digital Markets Act (DMA) together establish a unified set of regulations that apply throughout the European Union. These acts have two main objectives:
Digital services encompass a wide range of online services, from websites to internet infrastructure services and online platforms. The Act primarily focuses on online intermediaries and platforms, such as online marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms. It sets forth specific rules and regulations for these platforms.
The Digital Markets Act, on the other hand, includes rules that govern gatekeeper online platforms. Gatekeeper platforms are digital platforms that hold a significant role in the internal market and act as a bottleneck for other businesses in terms of access to users or customers.
Who’s affected?
Regulated digital service providers
Deadline:
DSA rules apply to all regulated entities, and the deadline for EU Member States to establish Digital Services Coordinators is February 2024
Read more:
The Digital Services Act package
Suggested read:
The EU Digital Services Act and Digital Markets Act—The Impact on Tech Companies
The EU Travel Rule is applicable starting from 30 December 2024
What happened?
Crypto providers need to be ready. EU Regulation 2015/847 was adopted to ensure that the Financial Action Task Force (FATF) requirements on wire transfer service providers, and in particular the obligation on payment service providers to accompany transfers of funds with information on the payer and the payee, were applied uniformly throughout the Union. Thus, starting from December 2024, virtual asset providers are required to obtain “required and accurate originator information and required beneficiary information” and share it with counterparty VASPs or financial institutions during or before the transaction.
Who’s affected?
Virtual Asset Providers in the EU
Deadline:
December 30, 2024
Read more:
Markets in Crypto Assets Regulation (MiCA) came into force in June 2023
What happened?
The Markets in Crypto-Assets Regulation (MiCA) is a comprehensive regulatory framework introduced by the European Union to govern crypto-assets. It covers a wide range of crypto-assets, including asset-reference tokens and e-money tokens, and aims to protect consumers, investors, and financial stability. MiCA includes provisions for the issuance and trading of crypto-assets, such as the requirement for companies offering crypto assets to the public to publish a white paper warning of risks without misleading potential buyers. The regulation also introduces licensing and conduct requirements for issuers of crypto-assets. MiCA is set to become applicable in 2024, and its introduction is considered a significant development in the global regulation of crypto-assets and especially in the EU.
Read more:
Markets in Crypto-Assets Regulation (MiCA)
USA data privacy laws
What happened?
At least 6 state privacy laws will go into effect in 2024, including those in Utah, Washington, Oregon, Texas, Florida, and Montana. There are a number of actions companies can take to ensure compliance. After examining whether the law is applicable, companies should conduct a thorough examination of their current data processing practices to identify any areas that may need to be adjusted or improved.
Most notably, some of the mentioned legislative acts include provisions regarding the use of AI. In particular, the Montana Consumer Data Privacy Act gives consumers the right to opt out of automated profiling and mandates data protection assessments if the automated decision-making poses a heightened risk of harm.
Who’s affected?
Data controllers and processors falling under the scope of these laws