Retail Distribution and Digitalisation

Retail Distribution and Digitalisation

Loading

Retail Distribution and Digitalisation

The rapid growth in digitalisation and use of social media is changing the way financial products
are marketed and distributed. Online domestic and cross border offerings of financial services and
products provide new opportunities for firms to reach potential clients and for investors to access
to a wider range of financial products.

2.

Nonetheless, increased digitalisation and cross border offerings bring various new risks for
investors, and challenges for IOSCO members. For instance, apparent risks are associated with the
accrued complexity of financial products and services, the rapid pace of innovation, the ongoing
gamification trends, and increasing levels and volumes of self-directed trading among retail
investors, that may have not been accompanied by a proportionate increase in financial consumer
education. In this increasingly digitalised environment, a big challenge for IOSCO members
becomes how to adapt their regulatory and enforcement approaches to the rapidly changing trends
of digitalisation and online activities and the regulatory challenges they may bring.

3.

This Final Report is part of IOSCO’s efforts to be proactive and forward looking in building trust
and confidence in markets that are facing new and emerging opportunities and risks, including
those posed by digitalisation and the development of new products such as crypto-assets.

4.

The Final Report analyses the developments in online marketing and distribution of financial
products to retail investors in IOSCO member jurisdictions, both domestically and on a crossborder basis. It presents toolkits of policy and enforcement measures, which include seven and five
measures, respectively, that would help in addressing the issues and risks associated with online
marketing and distribution.

5.

The policy toolkit measures relate to:






Firm level rules for online marketing and distribution;
Firm level rules for online onboarding;
Responsibility for online marketing;
Capacity for surveillance and supervision of online marketing and distribution;
Staff qualification and/or licensing requirements for online marketing;
Ensuring compliance with third country regulations; and
Clarity about legal entities using internet domains.

The enforcement toolkit measures relate to:





6.

Proactive technology-based detection and investigatory techniques;
Powers to promptly take action where websites are used to conduct illegal securities and
derivatives activity and other powers effective in curbing online misconduct;
Increasing efficient international cooperation and liaising with criminal authorities and other
local and foreign partners;
Promoting enhanced understanding and efforts by, and collaboration with, providers of
electronic intermediary services with regard to digital illegal activities; and
Additional efforts to address regulatory and supervisory arbitrage.

Furthermore, developments in online marketing, including social media, will likely continue to
rapidly evolve. IOSCO members should continue to observe and consider changes in their
respective markets.

1

Introduction
7.

The IOSCO Board identified “retail distribution and digitalisation” as a priority. 1 Recent and rapid
developments in online marketing and distribution are changing the way in which financial firms
interact with prospective clients and financial products are offered to retail investors. Such
developments span across the whole distribution chain, from online marketing techniques, such as
targeting methods and psychology based selling techniques, to onboarding procedures.

8.

Digitalisation trends are evolving faster than some jurisdictions’ underlying regulatory framework,
which brings various regulatory challenges to cope with this evolving environment accompanied
by technological advancements.

9.

While the online environment has the potential to improve investors’ access to financial services
and products, it may also enable fraudsters to target potential victims around the world and obtain
illegal profits at a relatively low cost and with little effort. Furthermore, it also provides opportunity
to hide one’s identity through the use of sophisticated advertising targeting technology, encrypted
and private messages, fake accounts and anonymity. Perpetrators may try to exploit jurisdictional
differences and potential gaps, and the online environment may enable concealing legal identity
and/or changing it rapidly and easily within a short span of time. Some constraints on regulatory
powers and the ability to timely cooperate on a cross border basis may be further challenges related
to activity occurring in the online environment. This in turn may make investigations and
enforcement particularly challenging, especially when new products, such as crypto-assets, are
offered. 2

10. In response to these challenges, the IOSCO Board jointly mandated the Committee on Regulation
of Market Intermediaries (“Committee 3”) and the Committee on Enforcement and the Exchange
of Information (“Committee 4”) to build on IOSCO’s Report on Retail OTC Leveraged Products 3
and tasked the two Committees to review the recent trends and developments in “online marketing
and distribution to retail investors (including cross-border aspects)” and develop a toolkit of
policy and enforcement measures with guidance for IOSCO members to consider in their
regulatory and supervisory frameworks.
11. The Committee 3 portion of this Final Report and the policy toolkit draws on IOSCO members’
experiences and practices as obtained through a survey conducted among IOSCO Committee 3
members, as well as a comprehensive firms’ survey, which covered quantitative and qualitative
aspects. 4 The regulators’ survey aimed to understand the current regulatory frameworks in place
related to online marketing and distribution, along with regulatory, supervisory and cross-border
challenges of online marketing techniques.
12. The Committee 4 portion of this Final Report and the enforcement toolkit draws on IOSCO
members’ experiences and practices as obtained through a survey conducted among IOSCO
Committee 4 members. The survey aimed to explore the investigatory and enforcement challenges
1

See IOSCO Board Priorities – Work Program 2021-2022, 26 February 2021.

2

In light of retail investors´ interest in crypto-assets across the globe, crypto-assets are an area of increasing
focus for IOSCO. Ongoing IOSCO efforts include the IOSCO Research Report on Financial Technologies
(Fintech), February 2017; Committee 2 work on the regulation of platforms trading crypto-assets (Report on
Issues, Risks and Regulatory Considerations Relating to Crypto-Asset Trading Platforms, February 2020; the
work of Committee 8 on relevant methods of providing investor educational material about crypto-assets to
retail investors (Report on Investor Education on Crypto-Assets, December 2020); and the efforts of the newlylaunched Fintech Task Force (See the IOSCO Crypto-Asset Roadmap for 2022-2023, 2022; IOSCO
Decentralized Finance Report, March 2022.).

3

FR17/2018 Report on Retail OTC Leveraged Products (iosco.org), September 2018.

4

Twenty-five IOSCO members participated in the regulators survey (see Annex 2 for the list of the responding
IOSCO members) and 93 licensed/regulated firms responded to the firms’ survey (see Annex 4 for the regional
breakdown of the participating firms). Due to a variety of reasons, including the rapid development of the
COVID-19 crisis and the resulting market disruption, U.S. and Canadian firms did not participate in the survey.
As a result, references to the “firms’ survey” and the “Americas” does not include any North American firms.
References to “firms” and results from the firms’ survey in the “Committee 3” portions of the Final Report
refer to participation by licensed entities (see Annex 4 for the classification of the participating firms).
2

posed by online marketing and distribution of financial services and products, as well as specific
investigatory techniques, enforcement approaches, potential strategies and actual experiences,
including in international enforcement cooperation, in connection with both authorised and nonauthorised businesses. 5
THE POLICY TOOLKIT
Measure 1: Firm level rules for online marketing and distribution
IOSCO members should consider requiring that firms have proper internal rules, policies,
processes and tools for their online marketing and distribution, and review them on a regular
basis. This should include that any use by firms of targeting, behavioural techniques and
gamification elements should be done in a way that ensures fair treatment of financial
consumers and aims to avoid potential financial consumer harm.
Measure 2: Firm level rules for online onboarding
IOSCO members should consider requiring that firms apply appropriate filtering
mechanisms, policies and procedures for financial consumer onboarding in line with the laws
and regulations of the firms’ jurisdiction, the financial consumers’ jurisdiction, and the
jurisdiction where the products or services are being marketed or distributed. During the
onboarding process, the information provided should be clear, fair and non-misleading.
Measure 3: Responsibility for online marketing
IOSCO members should require, subject to a jurisdiction’s laws and regulations, that
management assumes responsibility for the accuracy of the information provided to potential
investors on behalf of the firm, including those provided via various social media channels,
including influencers, and the timely disclosure of necessary information regarding potential
risks and conflicts of interest to avoid potential financial consumer harm.
Measure 4: Capacity for surveillance and supervision of online marketing and distribution
IOSCO members should consider whether they have the necessary powers and have
adequate supervisory capacity to oversee an increasing volume of online marketing and
distribution activity. IOSCO members should also consider ways to develop appropriate
monitoring programs for the surveillance of online marketing and distribution activities,
including on social media.
Within the context of domestic legal frameworks, considerations for enhancing surveillance
and supervisory capacity could include:
– the power to request access to content to detect illegal or misleading promotions;
– having regulatory channels in place to report consumer complaints for misleading and
illegal promotions; and
– suitable evidence tracking processes in place to cope with the fast pace and changing nature
of online information.
IOSCO members are encouraged to share experiences and good practices with each other
regarding supervision and surveillance of online marketing and distribution.
Measure 5: Staff qualification and/or licensing requirements for online marketing
IOSCO members should consider requiring that firms assess the necessary qualifications for
digital marketing staff. IOSCO members may also consider requiring firms to have specific
staff qualification and/or licensing requirements for online marketing staff, similar to
5

The Committee 4 survey addressed the following main points: (i) Practical enforcement challenges in the
context of online marketing and distribution; (ii) Common patterns or fraudulent schemes; (iii) Investigatory
or enforcement powers in the area of online marketing and distribution; (iv) Sanctions and relevant challenges;
(v) Effectiveness of the current IOSCO framework for international cooperation; (vi) Possible improvements
and further practical tools for international cooperation; and (vii) Most significant enforcement challenges.
Twenty-five responses were received from the regulators listed in Annex 3.
3

licensing requirements for sales staff, if such regulatory requirements do not already exist or
apply to online marketing staff.
Measure 6: Ensuring compliance with third country regulations
Where firms may have clients from jurisdictions other than where they hold a license, the
firm’s home regulator should consider requiring their domestic firms to have adequate
policies and procedures for onboarding these clients. For example, IOSCO members could
require firms to undertake due diligence to determine whether they are required to hold a
license in a prospective client’s home country and/or whether other regulatory obligations
apply, and to retain records of such due diligence.
Measure 7: Clarity about legal entities using internet domains
IOSCO members should consider requiring firms, when they offer products through
multiple internet domains, to adopt policies and procedures requiring clear, fair and not
misleading disclosure about who the underlying legal entity is offering the product and under
what license (and from which jurisdiction). This disclosure should also cover the scope and
limitation of services. IOSCO members should also consider prohibiting firms from
redirecting clients to a third country website to avoid the regulatory requirements in a
jurisdiction.
Additionally, IOSCO members may wish to consider keeping an open register which could
enable the public to check and confirm whether a website belongs to a firm authorised to
provide services in the jurisdiction and under the law.
THE ENFORCEMENT TOOLKIT
Measure 1 – Proactive technology-based detection and investigatory techniques
IOSCO members could consider whether to use proactive technology-based monitoring tools
and approaches, where appropriate, to support the detection and investigation of potentially
illegal digital conduct.
Measure 2 – Powers to promptly take action where websites are used to conduct illegal
securities and derivatives activity, and other powers effective in curbing online misconduct
IOSCO members could consider seeking additional powers to be more effective in promptly
curbing illegal online conduct, including the power to shut down or block access to illegal
websites, or seeking a legal order to do so, where appropriate.
Measure 3 – Increasing efficient international cooperation and liaising with criminal
authorities and other local and foreign partners
IOSCO members could consider ways to increase efficient cross-border cooperation and
collaboration in investigations and enforcement actions and enhancing liaison with criminal
authorities and other relevant local or foreign partners.
Measure 4 – Promoting enhanced understanding and efforts by, and collaboration with,
providers of electronic intermediary services with regards to digital illegal activities
IOSCO members could consider initiatives, individually and collectively through IOSCO, to
foster more meaningful understanding and efforts by, and collaboration with, providers of
electronic intermediary services in curbing digital illegal activities and anonymous website
registration, helping to enhance investor protection in the online environment.
Measure 5 – Additional efforts to address regulatory and supervisory arbitrage
IOSCO members could consider additional efforts to address regulatory and supervisory
arbitrage in the interest of facilitating international enforcement cooperation and enhancing
investor protection on a global scale.

4

13. IOSCO acknowledges that not every measure described in this Report would be appropriate in all
member jurisdictions. Use of any measure, including consideration of proportionate uses, depends
on the risks faced in each particular jurisdiction, as well as regulatory powers conferred under the
member’s jurisdictional framework and its supervisory approach or mandate. In addition,
implementation of the measures may vary across IOSCO members, in the discretion of member
authorities and consistent with jurisdictions’ laws and regulations.
The COVID-19 perspective – Impact on retail distribution and digitalisation
14. IOSCO’s work on the impact of the COVID-19 pandemic on retail market conduct 6 demonstrates
how exogenous systemic events like COVID-19 increase opportunities for retail misconduct and
potential investor harm, especially on a cross-border and digital basis. A stress situation like
COVID-19 may cause firms to aggressively or even fraudulently seek new revenue streams and
may increase potential risk to retail investors. At the same time, investors might be attracted to the
market by the opportunities offered, due to increased price volatility, hoping to turn a quick profit
during stress situations.
15. While misconduct relating to complex volatile products continues to be prevalent (e.g., retail OTC
leveraged products), the COVID-19 pandemic has increased retail demand for such products, as
well as online share trading and often riskier products. Some IOSCO members have observed
increased misconduct, including aggressive online advertising, mislabelling of products and
misleading disclosure through the use of social media. This in turn might be fueling the rise of
some share prices and potentially supporting “pump and dump” type behavior by providing
channels to promote harmful activity and certain risks. Some IOSCO members also observed an
increase in unlicensed financial services and scam activities.7
16. Lessons from the recent COVID-19 turmoil demonstrate the need for increased regulatory attention
on digital marketing and offerings on a domestic and cross-border level. 8 In this context, this
Report aims to highlight and guide IOSCO members on some of the critical regulatory issues, both
from a policy and enforcement perspective.

6

CR03/22, Retail Market Conduct Task Force, Consultation Report, March 2022. See also, FR13/2020
Initial Findings and Observations About the Impact of COVID-19 on Retail Market Conduct (iosco.org),
December 2020.

7

Ibid.

8

The surveys that were conducted in relation to this Report did not cover specific COVID-19 aspects, as
they were drafted prior to the outbreak of the pandemic. The Report, however, includes anecdotal evidence
from regulators on developing trends during the COVID-19 crisis.
5

Chapter 2 – Online Marketing and Distribution
2.1 Online marketing
17. Online marketing is an exponentially growing concept, as firms strive to capitalize on digital tools
to increase sales. It encompasses tools and methodologies for promoting goods and services via
the internet. Through online distribution, consumers can directly access services virtually. The
concept of online distribution complements the opportunities of online marketing.
18. The primary difference between traditional and online marketing is the platform that provides
information to the financial consumers. Traditional marketing relies on the use of offline channels
such as print media, tv and radio whereas online marketing is dependent on a multitude of social
media platforms, websites, and mobile applications.
19. Online marketing presents a number of potential benefits and risks. Among others, the potential
benefits of online marketing include:
For financial consumers:


Increased access to financial services and products;
Reduction in search cost; and
Flexibility, convenience, price and quality comparison.

For firms:



Demographic or geographic targeting;
Increased outreach, resulting in greater sales and economies of scale;
Time-effective marketing; and
Multiple low-cost and efficient marketing options (e.g., e-mail advertising, pay-per-click
advertising, local search engines, and social media advertising).

The potential risks for financial consumers, firms, and regulators of online marketing include:





Possibility for firms to track, experiment with and thus exploit investor biases;
Unsolicited online offerings and/or offers targeting an inappropriate market segment; 9
Push towards unsuitable products or strategies through online marketing methods;
Financial consumers facing privacy issues, for example through unauthorized use of personal
data;
Increased fraud and misconduct risk fostered through the online environment; and
Surveillance, investigation and enforcement challenges due to online and cross border nature;
and cybersecurity risk, regulatory risk, and reputational risk.
Qualitative example 1 – Collection and use of
financial consumer data:
“We collect audience data on leads who have
partially completed our sales funnel. We also
collect data on customer behavior in our app. With
this data, we send out targeted e-mails or serve ads
to them on platforms like Facebook ads or Google
ads. We have also installed pixels on our website
from various advertising platforms which allow us
to retarget users who have visited our website. Emails to customers are personalized to include
their name in the heading.” – Brokerage Services
Firm from Asia

9

2.2 Online Targeting
20. “Online targeting” is a method for
publishing digital advertisements to a
select consumer audience, based on their
prior online activities and interests. When
firms target a group of similar consumers
(“target audience”), this is called
“segmentation”. Targeting can also take
place on an individual level, which is
called
“personalisation”.
Personalisation allows firms to make
offers in advertisements on an individual
basis.

In certain cases, misleading and deceptive results may also occur when a financial consumer is conducting
online research and is rerouted to a product or service.
6

21. “Programmatic advertising” is the method of automatically publishing an advertisement based
on predefined algorithms in a banner ad 10 on a website or social media platform that is relevant to
the firm’s target audience. 11 It includes the process of buying digital ads through automated
platforms. It is gradually replacing the traditional model of advertising. One regulatory concern
with this type of advertising is that firms may not fully be able to control where the advertisements
are projected, due to their automated nature. Therefore, there is concern that potential investor
harm may propagate more quickly and that advertising on certain websites (e.g., content including
violence, use of arms, adult content, gambling, environmental pollution, etc.) may result in
reputational damages for firms. 12 Some firms argued that it is difficult to control and address these
risks, as search engines are very permissive on which sites advertisements can be listed. That being
said, the main responsibility lies with the firm and its management to carry out the necessary due
diligence and prevent potential risks of their products being advertised on inappropriate websites.
For example, a few survey respondents stated that they mostly have the discretion/choice to control
such advertisements.
22. “Retargeting” also allows firms to repeatedly target potential customers, who have earlier visited
the website, with specifically designed ads to convince them to buy the product.
2.2.1. Financial consumer data types that are used in online targeting
23. To target a specific audience, firms use online data that consumers leave behind when they are
online, including:

First party data: Data that the firm collects from its own customers;

Second party data: Data that is essentially someone else’s first party data, which is obtained
through corporate cooperation including data from BigTech and social media companies; and

Third party data: Data that is obtained from a data collector, such as data aggregator or ad
networks, which is available on the market for purchase.

24. Firms usually use a combination of the first and second and/or third-party data types. 13 One
potential risk with the use of third-party data is that when data is not proprietary (e.g., data obtained
from third party data providers), the risk of data not being accurate or being improperly obtained
(in breach of privacy or confidentiality rules) increases.
2.2.3. Online targeting methods
25. According to the firms’ survey, online targeting methods that firms widely use are “segmentation”,
“personalisation” and “retargeting”.

10

Banner advertising refers to the use of a graphic that stretches across the website or online media property.
Banner advertising promotes a brand and/or gets visitors to visit the advertiser’s website.

11

Respondents to the firm survey mentioned the use of “programmatic advertising”, however this was not the
focus of the survey.

12

It should be noted that inappropriate/unauthorised products can also be advertised on well-known websites.

13

According to the survey results, 39% of firms only use first party data. More than half of the firms use second
and/or third-party data. 43% of the firms combine their own data with second and/or third-party data.
Sometimes firms upload their first party data onto a platform (i.e., a BigTech platform) to combine it with
second party data. 10% of the firms only rely on second- or third-party data.
7

26. Most firms surveyed use segmentation. 14 In designing the message to the target audience, firms
use a variety of factors, including age, income, gender, geographic location and purchasing history.
The most commonly used factors are age and income. Firms also analyze their customers’15 past
experiences and likelihood to buy an investment product.

Data types used for targeting, in %
20
18
16
14
12
10
8
6
4
2
0

Age

Income Geographic Mobile
Location Access

Purchasing Desktop
History
Access

Gender

Other

Factors Used When Defining Messages to Different Target Audiences

Chart 1: The chart shows the different variables used for marketing targeting.

27. According to respondents, an important tool is “lookalike audience”, where a firm uses
segmentation based on its current customer base and its customers’ demographic data. 16 This
allows firms to reach potential new financial consumers, who exhibit similar characteristics to
existing customers, and are likely to invest.
28. As
explained
above,
personalisation is a form of
online marketing, which uses data
“We divide the customers into seven segments
points to collect personal
depending on how familiar they are with our products
information about the potential
and how much they use their debit card. E-mails and text
customer to increase the relevance
messages are personalised, always with the customer’s
of the advertisement. These data
first name and sometimes with other information such as
points may include specific
how much fee they paid. Customers are being retargeted
geographic
locations,
niche
after having shown any type of interest for the product
interests, behavioural patterns,
(through navigation) either by e-mail or through banners
previous
fees/charges
etc. 17
on our own website.” – A French Bank
Marketing
agents
often
incorporate web personalisation in
their e-mail campaigns so that the advertisements seem custom made to the potential customers.
Qualitative example 2 – Use of segmentation,
personalisation and retargeting:

29. Firms can use retargeting once a customer/financial consumer has shown previous interest in the
product, for example by spending a certain amount of time on the website or by starting a
registration form. The majority of the surveyed firms also track and measure whether their

14

84% of the surveyed firms target predefined audiences.

15

The term customers and financial consumers can at times be used interchangeably, if the context requires
that a financial consumer is also a firm’s customer.

16

Four out of ten responding firms use targeted messages for specific audiences. This practice is especially
widespread in Asia, where 78% of firms employ audience targeting. In other regions, between 26% (Americas,
also see footnote 5) and 33% (Africa) of firms use unique messages per target audience.

17

In this case, the line between marketing/distribution and investment advice may become blurry and would
depend on the content of the online communication targeted to the potential client, e.g., whether a specific
product is presented as suitable to that person based on the consideration of his specific circumstances.
8

messages have reached the targeted audience. They do this by using ad tracking metrics and web
analytics.
2.3. Behavioural Techniques
30. Empirical findings about human behaviour are increasingly incorporated into business models.
Behavioural finance examines investor behaviour to understand how people make investment
decisions, individually and collectively. Behavioural finance does not assume that investors always
act rationally, but instead that people can be affected by behavioural biases. Behavioural techniques
are strategies used by firms to analyse consumers’ behaviour when it comes to economic decisions.
31. Digitalisation makes the use of behavioural techniques more accessible and easily testable by using
online experiments. Many financial firms use various behavioural techniques in designing their
online marketing messages, as well as deciding on the timing of its delivery and who is delivering
it. The use of behavioural techniques brings various benefits for them, including:




Targeting the digital offering to the audience likely to purchase;
Helping to convert visitors to customers;
Generating higher click numbers;
Increasing return on investment; and
Enabling firms to anticipate customer needs.

32. Behavioural finance highlights how human choices are influenced by emotions. Research shows
that the use of behavioural techniques may also limit rationality in human decision-making process,
as it may steer customer decision making towards certain firm targets. The choice architecture, the
background against which decisions are made, can have a significant impact on financial consumer
decisions and outcomes.
33. The firms’ survey findings confirm firms’ use of behavioural techniques in digital offerings.
However, there are substantial differences across regions. 18
34. The most widely used behavioural techniques are the following: 19

Reciprocity: Offer something for free so that people might feel obliged to reciprocate and
buy a product or service;

Commitment/consistency: Get people to answer “yes” to a couple of questions or have them
start an easy sign-up process and they are more likely to follow through and make a purchase.
This also includes the “foot-in-the-door”-technique; 20

Social proof: Other people are doing it too, “we have 100,000 satisfied customers”, “500
people opened an account with us last week”. Reviews and likes can also be regarded as
leveraging social proof;

Authority: “Get advice from professor X, Ph.D.”, “We are authorised by supervisor XYZ”,
testimonials by famous people or influencers;

Liking: Images of persons/environments that can trigger an emotional reaction from potential
customers; and

Scarcity: “Offer ends soon”, “Only two left in stock” “Final week to sign up for this IPO”.

18

More than half of the firms surveyed make use of A/B testing, which is discussed in Section 2.3.1. It is most
prevalent in Asia and Europe. While persuasion techniques (nudging, social proof, scarcity) are used twice as
much in Europe in comparison to other regions.

19

Robert Cialdini – Influence: The Psychology of Persuasion (2006, first published in 1984).

20

The “foot-in-the-door” technique is based on the idea of getting people to agree to a larger request later by
agreeing to a small request first, while they might not accept that large request if asked outright. In the days
of door-to-door sales, if a salesperson got their foot between the doorframe and the door, then the potential
customer could not slam the door in their face.
9

2.3.1. Testing the efficacy of behavioural techniques
35. Firms use various tests to determine whether
their use of behavioural techniques works in Qualitative example 3 – Testing
practice and to improve digital marketing behavioural techniques:
outcomes. One way of testing whether a “When creating an ad, we try not to use any
technique works or which technique works texts with negative meaning (no/not), use
best, is the use of “A/B testing”. 21 For example, visuals to support texts, make call-to-action
one group of randomly assigned potential buttons well observed” – A bank from
customers receives a banner with a green “buy Russia
this product” button, whereas another group
sees the same banner with a red button. The firm measures the conversion rates for each group and
the winning version (i.e., with the highest conversion rate, most sales) will be used for all
customers. Thus, the firm can optimize how to market their products and services most effectively
through iterative testing (of which version sells better). A potential risk of the use of A/B testing
is that firms may mainly focus on acquiring new customers and thus increasing conversion rates at
the expense of transparent disclosure to consumers. In multivariate tests, more than two versions
of a proposition are tested.
2.3.2. Use of financial consumer biases in online marketing
36. Firms increasingly consider financial
consumer biases (or more generally consumer
psychology) when designing digital campaigns.
A quarter of firms surveyed have reporting
systems in place to detect signs of emotional and
cognitive biases during investment decision
making. 22 The survey results show that firms’ use
of investor biases and their awareness on the
potential role of this in online marketing varies
substantially across regions. 23 24

Qualitative example 4 – Use of investor
biases:
“Pay day, salary week, bonus periods and
13th month payments are all key
moments for our target audience and there
is a certain impulse buying/spending that
takes place, so our messages cue them to
remember to put some money away with
us before they splurge.” – Asset
Management and Fund Distribution
Firm from Nigeria

37. It is
important for firms, in line with existing regulation, to use
objective, and not misleading data and facts about the
products they market, when designing marketing
campaigns so that potential financial consumers can make
informed investment decisions. 25 This avoids exploitation
of the biases of financial consumers in a misleading
manner. IOSCO members should consider requiring that
the firm management carries the ultimate responsibility on
not exploiting consumers and that there are firm-level
rules in place, such as internal firm policies and
procedures, consistent with the jurisdictions’ laws and
regulations.

Qualitative example 5 – Use of
investor biases:
“Culture traits and societal status
are things that we consider when
approaching to our customers
and we factor this when
providing information to them
for marketing purposes.” –
Brokerage Services Firm from
Nigeria

2.4. Digitalisation
38. With the advent and growth of digital platforms for investing, such as online brokers and roboadvisers, and more recently, mobile investment apps and portals, broker-dealers and investment
21

While the digital environment makes it easier to use the A/B testing, this technique has already been used for
decades in direct marketing. Digital marketing makes it easier to measure its effects.

22

25% of respondent firms reported having such systems.

23

60% of European firms state that they are aware that investors have certain emotional and cognitive biases
and they take these into account when designing their online marketing campaigns. Awareness is slightly
lower in the Americas (37%) and Middle East (40%), and higher in Africa (73%) and Asia (78%).

24

Also see footnote 4.

25

82% of firms use objective data and facts when designing marketing campaigns.
10

advisers have multiplied the opportunities for retail investors to invest and trade in securities. Firms
employ a variety of practices including behavioural prompts, differential marketing, game-like
features (commonly referred to as gamification), and other design elements or features designed to
engage with retail investors on digital platforms (e.g., websites, portals, and applications).
39. In addition, investors do not only do online research through social media, but can also use social
media and forums in ways that result in similar concentrated buying or selling behaviour in one or
more meme stocks, which may contribute to excessive volatility in those stocks and potentially
raise investor protection concerns. IOSCO members worldwide have been observing gamification
trends carefully. For example, on August 27, 2021, the U.S. SEC requested information and public
comments on matters related to broker-dealers’ and investment advisers’ use of Digital Engagement
Practices (“DEPs”). 26 The request also focuses on the analytical and technological tools and
methods used in connection with these practices. The request was issued as part of an effort to
develop a better understanding of the market practices associated with firms’ use of DEPs and the
related tools and methods, and to facilitate an assessment of existing regulations and consideration
of whether regulatory action may be needed in connection with such practices. 27
40. Additionally, a call for advice on certain aspects relating to retail investor protection was issued
by ESMA to the European Commission on April 29, 2022. 28 ESMA received the mandate to draft
a technical advice on this topic from the European Commission, as part of the European
Commission’s strategy for retail investments in the European Union. In the call for advice, ESMA
concludes, amongst other things, that the use of digital engagement practices such as gamification
techniques can be used by firms as long as they are in the best interest of the client. When, however,
gamification techniques, or nudges, are used to influence (retail) clients into more risk taking and
trading more frequently, the use of such techniques may not be in the best interest of the investor.
In line with IOSCO´s findings on certain retail OTC leveraged products, ESMA believes there is
a risk that this might lead to addictive behaviour, which may not be in the best interest of the
client. 29
41. Similarly, other IOSCO members have been watching gamification trends closely. For example,
ASIC has provided warnings on the topic of gamification through recent media coverage 30 while
CONSOB published a statement on stock trading volatility and the use of social forums and web
trading platforms. 31 BaFin has conducted a “surf day” to assess investor protection, gamification
and other behavioural aspects on trading apps.
42. IOSCO has also been analysing gamification and self-directed trading related issues in detail
through the work of its Retail Market Conduct Task Force (RMCTF), findings of which were
published in March 21, 2022 32. The RMCTF Report focuses on evolving trends in retail markets,
with a specific focus on retail market fraud. The report analyses various technological
developments, some of which are related to the impact of social media, digital engagement
practices and crypto-assets, and thus, the findings of the RMCTF relate to some of the topics
analysed in this report and could be seen as complementary to the findings of this report.
26

Request for Information and Comments on Broker-Dealer and Investment Adviser Digital Engagement
Practices, Related Tools and Methods, and Regulatory Considerations and Potential Approaches; Information
and Comments on Investment Adviser Use of Technology To Develop and Provide Investment Advice,
Release Nos. 34–92766; IA–5833 (Aug. 27, 2021), 86 FR 49067 (Sept. 1, 2021). Comments

27

In October 2021, the U.S. SEC also published a staff report focusing on the January 2021 trading activity of
GameStop Corp (GME)

28

Final report on technical advice on ec retail investments strategy

29

On February 17, 2021 ESMA issued a statement urging retail investors to be careful when taking investment
decisions based exclusively on information from social media and other unregulated online platforms, if they
cannot verify the reliability and quality of that information.

30

‘Don’t believe the hype’: Common tactics to get you to invest in shares

31

CONSOB statement on cases of exceptional volatility in the trading of stocks and the use of social forums
and web trading platforms

32

Retail Market Conduct Task Force – Consultation Report, March 2022
11

43. Regulators globally recognize the potential for gamification (and other digital engagement
practices) to be used in ways that can benefits retail investors, such as the ability to educate
investors on complex material in a more compelling way. However, IOSCO encourages its
members to continue to balance any such benefits against the risks that may be associated with the
use of gamification, such as the potential for approaching the serious topic of personal finances in
a too light or playful a manner. As this way of investing is new, other potential risks should also
be carefully monitored, such as the potential for addiction and overly frequent trading.
2.5. The Online Onboarding Process
44. “Customer onboarding” is the process of seeking financial consumers and bringing them on to the
firm’s business. Successful marketing results in the online onboarding of the financial consumer.

Approximate percentage of the onboarding
process done online, in %
0-10%
21-30%
31-40%
41-50%
51-60%
71-80%
81-90%
91-100%
0

5

10

15
20
25
Number of firms

30

35

40

Approximately which percentage of the onboarding process of new
customers is done online?

Chart 1: The chart depicts the percentage of online aspects in onboarding per firm
count.

mechanisms and due diligence are not followed.

45.
From
a
regulatory perspective,
the onboarding phase
is a critical component
of the overall online
marketing
and
distribution process,
which
necessitates
proper due diligence
by the offering firm.
There may be various
risks
related
to
suitability, disclosure,
“know-yourcustomer”
(KYC),
“anti-moneylaundering” (AML),
and fraud both for the
customer and the firm
if appropriate filtering

46. The above chart illustrates the survey responses on the percentage of the onboarding process done
online: the onboarding process took place mostly either fully online (28%) or offline (35%), with
most firms using a hybrid approach. 33
47. Firms that do not make use of a full online onboarding process reported that certain aspects such
as customers’ verification and execution of the physical agreement take place through hard copies
(paper) or in person meeting (at the branch). This is often the case for higher risk corporate
customers where online due diligence is not possible, or where customers cannot provide an online
signature/authorization. In some cases, customers prefer to complete the transaction physically at
the firms’ office. 34
2.5.1. Filtering mechanisms used in the online onboarding process
48. Firms use the online onboarding process to vet applicants’ eligibility to open accounts. While there
are significant jurisdictional differences across the regions, firms use a wide range of filtering
mechanisms or requirements during customer onboarding to reach the right audience, including:

Obtaining comprehensive legal advice to ensure that the firm complies with legal obligations
of other relevant jurisdictions (e.g., legal obligations of the jurisdiction in which the financial
consumer resides or the jurisdiction in which products are offered), and not just the local
jurisdiction obligations;

33

28 of the 93 of the respondent firms have a fully online onboarding process.

34

One firm reported that about 1% of their retail customers choose to visit the company’s premises in person
despite the ability to complete the process online.
12





For some firms, requiring the customer to have a bank account in the firm’s jurisdiction or being
a resident in the same jurisdiction as the firm;
Checking the customer risk levels via an internal committee;
For several firms, requiring the customer to be resident in a low-risk country;
Requiring the financial consumer to pass all screening against AML, KYC, and suitability
requirements; and
At times, verifying various additional information, including customer ID, e-mail address,
social media accounts, source of income, education level, and place of residence, before
approving the application.

49. It is important to note that, irrespective of whether the firm assesses the information collected about
the potential financial consumer through a human review or an automated filtering process, the
assessment considerations are the same. Respondent firms stated that their systems route potential
customer applicants through processes based on their country of residence and their respective
local requirements for onboarding/marketing.
50. Ensuring investor protection and supervising conduct can be challenging during and after the
online onboarding process as the online environment can easily permit undesirable choices to be
presented in a prominent manner. IOSCO encourages supervisors to review if the online adequacy
of appropriateness assessment should be adjusted or if other methods should be found to encourage
suppressing undesirable choices in an execution-only environment. The NL-AFM encourages firm
to apply a strict target market assessment in line with the product oversight and governance criteria
to ensure execution only clients are presented with product choice within their target market. In
addition to product governance requirements, the UK FCA requires an appropriateness assessment
to be undertaken when execution only clients invest in complex products.
2.6. Use of outsourcing
51. The term “outsourcing” refers to a business practice in which a regulated entity uses a service
provider to perform tasks, functions, processes, services or activities that would, or could in
principle, otherwise be undertaken by the regulated entity itself. In many jurisdictions, the
complexity of markets and the wider trading landscape has grown as markets become faster and
more competitive. These developments, coupled with increasing automation, are incentivising
firms to reduce costs and improve efficiency, in some cases, by outsourcing certain tasks to service
providers. 35
52. According
Areas of outsourcing arrangements, in %
to
the
firms’
survey findings,
one third of the
Website Design
firms
outsource
one
or
more
Trading Software
activities related to
online marketing
Financial Promotions
or
online
Customer Disclosures
distribution
activity.
Customer On-Boarding Processes

0

10

20

30

40

50

60

70

Chart 3:The chart depicts the percentage of outsourcing activities per online marketing or online distribution
activity.

53. Of these firms, the most common activities they outsource are:
• Digital advertising planning and buying;
35

FR07/2021 Principles on Outsourcing (iosco.org), October 2021.
13

• Creation of online marketing campaigns;
• Lead generation (including use of third-party sites and apps to refer business); and
• Social media engagement.
2.6.1. Regulatory supervision of outsourcing arrangements and compliance with local regulations
54. According to survey responses, there are no specific regulatory requirements/approvals related to
the outsourcing of online marketing and distribution activities. Rather, IOSCO members apply the
general requirements applicable to outsourcing, including online activities. Regulated firms that
outsource tasks related to online marketing and distribution should apply the IOSCO Principles on
Outsourcing, 36 along with the related guidance for implementation, to their outsourcing
arrangements.
2.7. Regulatory and firm level rules on online marketing and distribution
2.7.1. Regulatory approach
55. IOSCO members often use principle-based rules, rather than specific technology-based rules. With
the transition to more online marketing and distribution, members should consider assessing if
gaps in oversight emerge due to the quickly changing technological environment.
2.7.2. Firm level rules and policies
56. The survey results show that the existence of firm level rules and policies on online marketing
varies across firms, and particularly, across different regions. Where firms do not have internal
online marketing rules, they rely on their general marketing rules and policies.37
Measure 1: Firm level rules for online marketing and distribution
IOSCO members should consider requiring that firms have proper internal rules, policies,
processes and tools for their online marketing and distribution, and review them on a regular
basis. This should include that any use by firms of targeting, behavioural techniques and
gamification elements should be done in a way that ensures fair treatment of financial consumers
and aims to avoid potential financial consumer harm.
Measure 2: Firm level rules for online onboarding
IOSCO members should consider requiring that firms apply appropriate filtering mechanisms,
policies and procedures for financial consumer onboarding in line with the laws and regulations
of the firms’ jurisdiction, the financial consumers’ jurisdiction, and the jurisdiction where the
products or services are being marketed or distributed. During the onboarding process, the
information provided should be clear, fair and non-misleading.

36

Ibid.

37

The survey findings highlight that:
• 67% of surveyed firms have developed internal rules or guidance to marketing through digital channels.
• Of these firms, 80% have specific rules applicable to investment products and services that the firms
offer online.
• A fifth of firms surveyed do not have internal rules or guidance for online marketing and have stated that
existing legislation is applied to customer communications through digital channels.
• Over 70% of firms in Europe and Asia have developed specific internal rules for online marketing, with
over 80% of these firms developing policies specific to products and services.
14

Chapter 3 – General Trends and Observations in Digital Offerings
3.1. Tools and channels for online marketing and distribution
57. Online marketing and distribution has seen strong growth over the past years. Firms reported using
a wide range of tools and channels for online marketing with social media and banners/display
marketing ranking the highest, as two-thirds of the firms make use of these channels. Furthermore,
more than half of the firms use email campaigns, search engine optimalisation and online video
marketing. According to the survey findings, app store marketing and voice marketing are the least
commonly used. Although 63% of the surveyed firms have an app, they tend to advertise their apps
through other means, such as banner/display marketing.

80
70
60
50
40
30
20
10
0

Activity of firms per marketing channel, in %

Activity of firms per channel, in %

Chart 4: The chart describes the percentage of marketing activity per channel by firms. The column names refer to the
different channels.

3.2. Budget and firm spending for online marketing
58. The firms’ survey results show that firms spend half of their total marketing budget on online
marketing, most of which is on desktop marketing. Firms are increasingly moving to online
targeting via mobile devices and tablets; however, this is not evident across all jurisdictions.38
59. The majority of the firms’ survey respondents indicated that in the last two years they increased
the budget allocation for online marketing, half of which had increased their marketing budget by
at least 25%. Going forward 68% of firms intend to increase their online marketing budget over
the next two years. 39
3.3. Regulatory spending for online marketing supervision
60. 17% of IOSCO members surveyed intend to increase their resources in this area in the next two
years. 40 It should be noted that not all IOSCO members surveyed can share details on
budget/headcount allocation.
3.4. Market trends observations in the use of online marketing and distribution tools

38

Asian firms already allocated over 55% to mobile device marketing.

39

44% of these firms intend to increase their online marketing budget by at least 25%, a quarter of which (11%)
indicated that they intend to increase by more than 50% of past budget, while almost half of the other
respondents intend to increase it by up to 25% (as of January 2020).

40

In contrast, in 2020, 25% of IOSCO members surveyed indicated an increase in their budget/headcount
allocation for online marketing supervision in the past two years.
15

61. Both the firm and the regulatory surveys asked in which online marketing and distribution tools
firms as well as IOSCO members respectively currently observe an increase in their market in
general and in which they expect more future growth.
62. “Influencer marketing” is (mostly) online video ads by a person with a substantial number of
online followers on social media, mostly gained through his/her strong presence. So far, 10% of
the firms from the survey already use influencer marketing, 41 but of this 10%, only some of these
firms stated that they oversee the activities of the influencers they engage with while others do not.
However, both firms’ survey-respondents as well as regulators shared the observation that in the
markets in which they are active or supervise respectively influencer marketing is the most
common trend to advertise financial products and services. Some IOSCO members reported
challenges with influencer marketing, as they only have jurisdiction over firms and their associates,
but not over influencers. A concern brought forward by market participants addresses cases where
remuneration structures of influencers are not fully transparent. In those cases, regulators should
consider requiring full transparency on the remuneration that financial institutions provide to
influencers for their advertisement via Social Media 42. In December 2021 the NL-AFM published
the results of an exploratory review on financial influencers and more specific about their
communication and services regarding investing. While the AFM acknowledges that these
influencers fulfill the need of accessible information regarding personal finance and investing, the
AFM also sees the risk that several of the influencers investigated are unfamiliar with applicable
legislation such as the market abuse regulation MAR, MiFID II, unfair commercial practices
directive as well as the respective national Dutch law or do not fully comply with these rules. 43
63. Also, “online video marketing” and “advertisements within dating, news and chat apps” rank high
in the market observations, followed by social media stories. IOSCO member-respondents in
general make comparable observations to firm respondents, albeit at a lower level. IOSCO member
respondents cited that the most common forms of marketing they supervise are advertisements
within apps and voice marketing.
64. “Cross-selling” allows firms to advertise related products that the customer may be interested in
after purchasing the original product. This is an attempt to enhance sales and entice the consumer
into purchasing more products than he/she had originally intended. SuperApps 44 are increasingly
used for cross-selling purposes. Both firms and IOSCO members in Asia Pacific reported a slight
trend in cross-selling via SuperApps mainly through payment platforms such as Alipay and
WeChat, while firms in Africa quoted online marketplaces such as Jumia. The relatively higher
trend in Asia can be explained with the dominant use of certain payment platforms. Two IOSCO
members mentioned to observe cross-selling using SuperApps, such as WeChat and Alipay.
65. “Interactive content” allows firms to engage with their customers based on their interest, for
instance, via interactive tools like shoppable posts, quizzes and polls on social media. The use of
this tool is increasingly popular in Asia.
66. “Voice search engine optimization” is a fairly new marketing tool, which was expected to grow
rapidly based on the feedback some IOSCO members have received from marketing agencies
during the last few years. The survey findings show, however, that this growth has not happened
in practice yet.

41

Nine of the 93 firms indicated that they benefit from the services of social influencers. Five oversee the
activities of the social influencers they engage and four do not. Given the small sample size it is hard to
determine regional differences; however, it appears that the use of social influencers is most common in Asia
and Africa.

42

Bitcoin : l’influenceuse Nabilla a payé 20.000 euros d’amende, Les Echos Investir, July 2021

43

The Pitfalls of Fininfluencers, Dutch AFM, December 2021

44

A “SuperApp” is a cross selling tool as an application which has numerous in-built functions for a wide range
of services, which may include both financial and non-financial services. The SuperApp is a one-stop market
where different apps are encompassed in one platform.
16

Increase in the use of online marketing techniques
(firm observations), in %

100%
80%
60%
40%
20%
0%

Africa

Asia Pacific
Europe
Middle Eastern
Social media influencer ads and word-of-mouth marketing
Ads within apps, e.g. dating, news content or chat apps
Social media stories
Cross-selling of investment products via Super App
Interactive content, e.g. shoppable posts, quizzes, polls on socmed
Voice marketing
Online video marketing

Americas

Chart 5

Increase in the use of online marketing techniques
(regulator observations), in %

80%
60%
40%
20%
0%

Africa

Asia Pacific

Europe

Middle Eastern

Americas

Social media influencer ads and word-of-mouth marketing
Ads within apps, such as dating, news content or chat apps
Social media stories
Cross-selling of investment products via the use of Super App
Interactive content such as shoppable posts, quizzes and polls on social media
Voice marketing
Online Video Marketing
Chart 6

3.5. Future prospects in the use of marketing and online distribution tools
67. As future trends, the majority of firms surveyed are considering using or increasing the use of
online video marketing, influencer and word-of-mouth marketing, as well as social media stories.
Some firms, particularly those in Asia Pacific, Middle East and Europe are also considering using
or increasing the use of advertisements within apps. Some firms utilizing social media platforms
such as Facebook, Instagram, WeChat and Weibo are exploring increasing their use of these
platforms. A few firms mentioned that they are building their own apps, while others use them
already.
68. Influencer marketing is the marketing tool in which firms surveyed expect the highest growth going
forward (see chart 6). For example, 63% of the African firms and 43% of the European firms plan
to increase use of this tool.
69. Some IOSCO members cited that they also plan to increasingly supervise social media influencers.

17

Firms’ plans to use or increase use of online marketing tools
70%
60%
50%
40%
30%
20%
10%
0%

Africa

Asia Pacific

Europe

Middle Eastern

Americas

Social media influencer ads and word-of-mouth marketing
Ads within apps, such as dating, news content or chat apps
Social media stories
Cross-selling of investment products via the use of Super App
Interactive content such as shoppable posts, quizzes and polls on social media
Voice marketing
Chart 7

3.6. Increasing need for investor education in light of the exponential retail interest in cryptoassets
70. Technological innovation, including digitalization of financial products, may offer promising
possibilities for retail investors, but also exposes them to certain risks that should be fully
disclosed. Financial education also has an important role in enhancing investor protection. For
example, crypto-assets may carry risks that investors may not fully understand and that may
lead to investor losses. Crypto-assets can represent an asset or ownership of an asset, such as
a currency, a commodity, or a security or derivative. It is important that retail investors are
aware of the complexity of these products and the risks attached to them, such as market
liquidity risk, volatility risk, risk of fraud, or the risk that market participants are acting outside
of, or in non-compliance with, applicable regulatory frameworks, particularly given the
challenges of cross-border regulation and enforcement.
71. The IOSCO Committee on Retail Investors (Committee 8) has developed some materials to
help regulators in their efforts to educate retail investors about the specific risks arising from
crypto-assets. 45
72. The report includes examples on different areas to be covered through the education materials,
such as:


warnings to retail investors and prospective investors regarding the risks of investing and
holding crypto-assets and the likelihood of incurring losses;
educational awareness initiatives designed to educate investors about the red flags of fraud in
the crypto-asset space;
articles, podcasts and videos that inform retail investors about fraud and how they can avoid
being misled by unlicensed firms offering crypto-assets.

73. Since the publication of this report, crypto-asset related matters have continued to evolve,
revealing new opportunities and risks for retail investors, thus keeping this issue on the list of
priorities for Committee 8. IOSCO, through the IOSCO World Investor Week campaign, has
also developed some Key Messages on ICOs, crypto-assets, and online investing to assist
regulators and retail investors in enhancing awareness and supporting retail investor
protection:

45

Report on Investor Education on Crypto-Assets, December 2020
18

IOSCO World Investor Week
Key Messages – ICOs, crypto-assets, and investing online
A smart investor:
Understands the risks that are associated with initial coin offerings and crypto-assets in
general and is careful in deciding whether to invest in these products
• Does not forget about the importance of due diligence when considering investments in
online and digital environments
• Recognizes the red flag warning signs of online investment fraud
• Never invests based solely on a celebrity endorsement
• Understands the methods in which legitimate firms receive money for investments.

Additional Key Messages – ICOs, crypto-assets, and investing online




Get unbiased information on how crypto-assets work and the risks you should know about.
Make sure you understand the risks involved and potential volatility of crypto-assets,
including coins and tokens, before you invest.
Crypto-asset risks: Lack of transparency, unproven track records and high price volatility.
Do your research first!
Sometimes an ICO is called a ‘software presale token’ or other terms to avoid securities
regulation.
New technologies, like ICO’s and crypto-assets, may seem appealing, but messages of
caution before investing remain to avoid fraud!

19

Chapter 4 – Use of Social Media in Digital Offerings
4.1. Increasing use and influence of social media
74. Social media is a form of electronic communication that allows users to create and share content
via social networking websites, such as Facebook, Twitter, Instagram and TikTok, among others.
Social media touches virtually all areas of society and, as such, is reshaping the way individuals,
companies, governments, and other organizations interact. It is a frequently used marketing
channel due to its enormous reach, ability to support customized marketing approaches, flexibility,
convenience and speed. Social media provides a means to multiply the number of interactions
between financial consumers and firms.
75. Social media allows for more dynamic interaction among retail investors, provides communication
opportunities and, in turn, creates new content. The stock trading events in late January 2021,
which saw soaring trading volume from retail investors (organized via popular message boards)
driving up the price of certain stocks that had been shorted by institutional investors, demonstrate
the power of social media.
4.2. Challenges brought by the use of social media
76. Social media usage will likely continue to evolve rapidly as technology advances and new concepts
and methods for social media-based interaction further develop. These developments also affect
the financial services industry, as market intermediaries and their representatives increasingly use
social media to communicate with existing customers and to attract new ones. 46 Social media is
widely used in online offering, marketing and promotion of products. That being said, the forms
in which social media is used for online marketing differs between firms and is still evolving as
discussed in the previous chapter.
77. Significantly, social media communication often occurs outside traditional channels used by firms
in the past, with enormous public outreach. This raises potential concerns about the nature of social
media usage and its impact on customers, for example, the ability to communicate information to
a large group of individuals by simply posting it on social networking sites; the potential for
information to become outdated more quickly; the quantum of information available and the ease
of accessibility; the potential for ideas and information to spread on the internet at high speed while
not being a reliable source of information for prospective investors. These bring various challenges
for firms’ internal compliance units. They may also bring challenges to IOSCO members. 47Social
media might expose investors to behavioural biases. The number or eminence of
likes/shares/endorsements could, for example, be seen as a sign of quality/appropriateness of a
financial product/service or advice. The way information is presented can also exacerbate
behavioural biases.
4.3. Most commonly used social media platforms
78. With rapidly evolving landscape and new social media networks coming to markets continuously,
62 firms from the survey use social media for their marketing and online distribution purposes. 48
The below chart shows that those firms cited Facebook, Twitter, and Instagram as the most
commonly used social media platforms for marketing of their products. A few firms also cited
YouTube, Snapchat, WeChat and Weibo as the most popular platforms in the Asia Pacific region.
One firm also cited TikTok.

46

See IOSCO Report on the IOSCO Social Media and Automation of Advice Tools Surveys, July 2014.

47

Ibid.

48

Of the 93 firms in the survey, 62 answered the question on social media platforms in the survey. The other
firms either stated not to use social media platforms or chose not to answer the question.
20

79. Internet and
social
media
monitoring
by
80
regulators is a
70
challenging task
60
and
IOSCO
members
use
50
different
in
house
40
or third party tools
30
to address this,
depending on the
20
supervisory
10
approach and the
0
legal framework
in
their
jurisdiction.
Among others, these
Chart 8 : The chart shows the percentage of how many firms have presence in the
tools
include
according social media channel. The column names refer to the social media channel.
advanced
analytics
tools related to social media content, audits, on-site-visits, market surveys, and complaints.

Firms social media presence, in %

Qualitative example 6 – Firm level
surveillance of staff communication
with customers
“In accordance with domestic laws and
regulations, staff are forbidden to
communicate with customers through
invisible channels on social networks.
We must record and maintain
communication between staff and
customers during online marketing and
distribution”. – Asset Management
and Fund Distribution Firm from

4.4 Policies and procedures for tracking
recording of staff communication

and

80. Over half of the survey respondents indicated that
they have policies and procedures in place to track and
record the interaction between staff / agents / referrers /
introducers and customers in online marketing and
distribution; 49
81. One third of the respondent firms indicated they
tracked these interactions by recording the chat or phone
conversation; and
82. One third of the firms indicated they retained
accessible records of this tracking within electronic data
storage.

Measure 3: Responsibility for online marketing
IOSCO members should require, subject to a jurisdiction’s laws and regulations, that
management assumes responsibility for the accuracy of the information provided to potential
investors on behalf of the firm, including those provided via various social media channels,
including influencers, and the timely disclosure of necessary information regarding potential
risks and conflicts of interest to avoid potential financial consumer harm.

49

The existence of policies and procedures was the highest in the Asia region (61%).
21

Chapter 5 – The Regulatory Perspective
5.1. Oversight of online marketing and distribution
83. The majority of the IOSCO members surveyed have principles-based rules that require online
marketing communications (and communications in general) to be made fair, clear and not
misleading. 50 Many members surveyed review online marketing techniques that are brought to
their attention on a case-by-case basis, as part of their supervisory activities.
84. Some IOSCO members stated in the regulators’ survey that it is particularly difficult to catch
misleading or at times illegal recommendations or promotions published through digital means,
especially via closed channels in social media.
85. According to the regulators’ survey, the use of social media increasingly affects how IOSCO
members oversee and approach firms that use these evolving digital mediums. To date, some
IOSCO members state that they have approached the oversight of social media by using regulatory
approaches such as the general rules and guidelines already established for advertising, product
disclosure, risk warnings, record keeping, and general supervisory control requirements.
Additionally, some members have conducted on/off-site inspections and thematic reviews of how
firms employ these evolving mediums. IOSCO suggests that members assess whether applying
rules and processes designed to regulate traditional telephone and e-mail correspondence works
effectively against an entirely new medium of communication 51.
86. Some IOSCO members surveyed suggested that regulatory actions regarding social media
marketing are often reactive. It can be challenging to supervise against misleading or illegal
promotions, due to the sheer amount of social media posts and as not all social media posts are
accessible by regulators 52. Members surveyed mostly rely on consumer complaints for
investigation and enforcement purposes for misleading and illegal promotions. 53 In addition, when
an individual has signed up to a particular firm or platform, the ability for direct communication
can include unsolicited messaging beyond what the individual has signed up to receive. This may
be difficult for IOSCO members to monitor as the platforms often have embedded social media
aspects such as chat functions.
87. In Australia, ASIC has issued Information Sheet 269 Discussing financial products and services
online 54. This includes a number of case studies to assist influencers understand how the financial
services laws apply including the licensing regime and liability for misleading statements. It also
includes a reminder to Australian financial service licenses that they may be liable for any
misconduct by influencers they use to promote their products and services. This resulted in a
number of influencers changing their business model and some licensees ceasing to use influencers
to minimise potential liability.
88. The four main factors highlighted by IOSCO members that increase challenges in supervision of
online marketing and distribution are the following:

50

Only one IOSCO member reported using specific provisions with respect to online marketing as a requirement.

51

IOSCO also encourages mobile phone and internet providers to actively support supervisors in their fight
against financial fraud and to prioritize such cooperation whenever possible.

52

Some IOSCO members note that any responsibility for online communications of affiliates, such as
influencers, are generally the responsibility of the firms unless there is no link with monetary or no monetary
benefits between the firms and the affiliate.

53

Some Committee 3 members reported that consumer complaints on misleading and illegal promotions are
relatively low.

54

Discussing financial products and services online

22

1.

Lack of visibility
Many members noted that detecting the existence of the
activity in an online environment is the greatest
regulatory challenge. Many online marketing initiatives
are targeted towards specific audiences, and therefore,
not visible to every user and regulator, making it
possible for misleading information to spread out of
regulatory sight.

2.

Overload of information
The volume of information posted online poses
monitoring challenges. Even if the visibility issue above
were to be solved, the vast amount of information that is
published daily can make it difficult for IOSCO
members to continuously monitor all online marketing.
Effective and high-tech regulatory monitoring tools
would be helpful to minimize this challenge.

Qualitative example 7 – Lack of
regulatory visibility in oversight
of online marketing:
“If social media posts are not open
to general public e.g., protected
tweets, it is difficult to catch
misleading or non-legal
recommendations or promotions.
Even if we search through
keywords, they cannot be screened.
Even if we can get in closed circuit
channels e.g., WhatsApp groups, if
the owner of the account uses
nickname or/and foreign telephone
or IP numbers, it is difficult to
locate and identify him/her.” –
Capital Markets Board, Turkey

3. Continuously changing information
A firm can create and adapt online advertisements more rapidly than advertisements through
traditional channels, such as radio, tv and print. Online information can be forwarded and copied,
increasing the potential target market compared to the traditional advertisement channels.
Information can also be easily deleted from websites and is therefore more difficult to track. This
means IOSCO members need to act quickly to keep track of evidence or other material that could
be indicative of an infringement. Members need to respond swiftly when it comes to misleading
online information, due to the speed in that online information is distributed.
4. Cross-border challenges
Some IOSCO members have observed that online marketing enables unlicensed firms to enter the
market relatively easily with minimal or no physical presence. These firms can market themselves
and their products with minimal capital expenditure and very low, fixed overheads. Sometimes, the
high-risk/high-profit nature of the product makes it particularly attractive for unlicensed firms to use
it as a tool to defraud retail investors on a cross-border basis. There may be instances of persons or
firms wrongly holding themselves out on social media as being licensed. This can make it difficult
for IOSCO members to locate and take action against an unlicensed firm, as described in Chapter 8
below.
89. Some jurisdictions have set their regulatory perimeter to only require firms that market, offer or sell
the products to residents of that jurisdiction to be licensed. Firms that offer the relevant products to
non-residents are often exempt from the requirement to be registered, and therefore, are not subject
to any regulatory oversight in that “home” jurisdiction. A number of unlicensed firms have tried to
exploit this regulatory gap to target foreign investors. As a result, as highlighted in Chapter 8, it can
be difficult for IOSCO members to effectively take enforcement actions against these firms.
Furthermore, customers in the host jurisdiction may not be aware they do not have any regulatory
protection.55

55

FR17/2018 Report on Retail OTC Leveraged Products (iosco.org)

23

Measure 4: Capacity for surveillance and supervision of online marketing and distribution
IOSCO members should consider whether they have the necessary powers and have
adequate supervisory capacity to oversee an increasing volume of online marketing and
distribution activity. IOSCO members should also consider ways to develop appropriate
monitoring programs for the surveillance of online marketing and distribution activities,
including on social media.
Within the context of domestic legal frameworks, considerations for enhancing surveillance
and supervisory capacity could include:
• the power to request access to content to detect illegal or misleading promotions;
• having regulatory channels in place to report consumer complaints for misleading
and illegal promotions; and
• suitable evidence tracking processes in place to cope with the fast pace and changing
nature of online information.
IOSCO members are encouraged to share experiences and good practices with each other
regarding supervision and surveillance of online marketing and distribution.
5.2. Product oversight and governance
90. Product governance rules may provide IOSCO members with a tool to address financial
consumer harm and protect against the emergence of
Qualitative example 8 – Exam
potential risks from the manufacture and distribution
requirement for online marketing
of investment products including those associated
and distribution staff:
with investment distribution strategies based on
When staff of a regulated firm
gamification techniques. 56
conducts online marketing or
91.
Some jurisdictions have rules and
distribution activities, he/she is
requirements
surrounding the oversight and
required to acquire a sales
governance of the product lifecycle. We refer to these
representative qualification by taking
rules as product oversight and governance, which
an exam and registering with Japan
refers to the systems and controls firms have in place
Securities Dealers Association, the
to design, approve, market and manage products
self-regulatory organization for
throughout the products’ lifecycle to ensure they meet
Japanese securities industry, as a sales
legal and regulatory requirements. Product
representative. (Article 64 of the
governance regulations aim to ensure that the
FIEA) – Japan FSA
products:
meet the needs of one or more identifiable target
markets;


are sold to clients in the target markets by appropriate distribution channels; and

deliver appropriate client outcomes.

92. Just under two-thirds of firms surveyed were familiar with product governance and oversight
principles given the concept is not applied in all regions. Due to the product governance
requirements within the European Markets in Financial Instruments Directive II (MiFID II), the
survey responses indicated that European firms demonstrated the highest levels of familiarity with
product governance requirements. 57 Several firms in Asia-Pacific also displayed a good

56

Product intervention powers can also be a powerful and complementary tool for regulators to prohibit the
marketing, distribution or sales of certain financial products with certain specified features or to ban certain
practices in light of significant investor protection concerns.

57

In January 2018, the MiFID II introduced product governance requirements requiring firms that manufacture
or distribute financial instruments consider the best interests of customers at all stages of the product
development and distribution life cycle.
24

understanding of product governance. 58 This may extend further as other jurisdiction impose
similar rules to the MiFID II product governance rules. 59 Most firms in these jurisdictions had
developed internal policies and procedures to make sure that their product development and review
process promotes appropriate product features for the target market and appropriate marketing
strategies. These firms then typically test their product development and review process by
compliance.
93. For other jurisdictions, less than half of the firms that responded to the survey were familiar with
product governance principles. However, one global firm outlined that despite product governance
requirements not being applicable in all jurisdictions in which they operate, they have developed
policies and procedures to achieve the same spirit of the regulatory outcome. A number of other
firms also outlined that they achieve the same outcome of the product governance requirements,
by having a thorough client onboarding process and by ensuring that they only onboard clients for
whom their products are suitable (See Annex 5 for respondent members’ approach to product
governance).
5.3. Licensing requirements and qualifications required from staff
94. Online marketing and distribution is a developing field, and therefore, licensing requirements for
online marketers typically do not yet exist in the existing regulatory frameworks. Most IOSCO
members do not yet require that firms have specific certifications or licensing for staff responsible
for online marketing and distribution. 60 Only one IOSCO member that responded to the member
survey requires a degree or skill-set specific to the digital aspect of online marketing and
distribution.
95. Most IOSCO members have highlighted that they commonly carry out pre-assessment of firms’
staff’s qualifications, knowledge and experience during the firm authorization process. This preassessment is mainly based on staff’s academic background and industry experience. Thus,
members are able to assess if the structure and business model of the firm and experience of its
staff are appropriate for the nature, scale and complexity of the business.
96. Certain jurisdictions do not specifically assess if the staff responsible for digital offerings are
appropriately qualified. Rather, these jurisdictions put this responsibility on the senior management
of the firm, who often are required to ensure that all the necessary resources (including adequately
skilled staff) are in place as regards to online business activities. As firm/ client interaction moves
more and more online, or at times takes place exclusively online, the role of digital marketers
transforms and gains more responsibility.
Measure 5: Staff qualification and/or licensing requirements for online marketing
IOSCO members should consider requiring that firms assess the necessary qualifications for
digital marketing staff. IOSCO members may also consider requiring firms to have specific
staff qualification and/or licensing requirements for online marketing staff, similar to
licensing requirements for sales staff, if such regulatory requirements do not already exist or
apply to online marketing staff.
5.4. Firm level responsibility in online marketing and distribution
97. Some member jurisdictions commented that it is challenging to identify which firm and individuals
are responsible for anonymous advertisements (advertisements where the owners can’t be tracked
58

On December 2020, ASIC published regulatory guidance related to an underlying regulatory requirement to
design financial products to meet the needs of consumers, and to distribute their products in a more targeted
manner.

59

For instance, Australia imposed Design and Distribution Rules that came into effect in October 2021.

60

EU jurisdictions, the UK, Switzerland and Turkey have their national certification regimes, which establish
minimum criteria for the assessment of knowledge and competence for staff providing investment advice. The
Japanese FSA specifically addresses digital offerings and requires digital marketers to have the same licensing
requirements as sales professionals.
25

down), and therefore, suggested that IOSCO members should consider whether to require
responsibilities be clearly defined under the respective regulatory regimes.
98. The responsibility to prevent consumer harm falls to different firm functions across jurisdictions,
including compliance; senior management (CEO, board of directors); sales department, fund
manager and trustee; and internal audit. 61
Challenges in identifying key decision-makers and
ultimate beneficial owners
99. Nearly all IOSCO members surveyed responded
that the common practice of obtaining information
of the key decision-makers and ultimate beneficial
owners 62 is based on their geographical location.
IOSCO members expect firms to maintain a record
of the geographical location of the senior
management and key function holders. In the case
of a foreign entity entering a regulator’s domestic
market, the domestic regulator will often liaise
with the foreign entity’s regulator to identify key
decision makers and ultimate beneficial owners.

Qualitative example 9 – Difficulty in
identification of geographical location
“The geographic location of a person
behind an activity can be difficult to
ascertain when dealing with online
material. This is made especially hard as
more people are aware of geo-tagging and
turn these options off on devices – The
UK-FCA

100. It is sometimes challenging to geographically locate a person or firm behind an online activity,
which makes it difficult to determine which home authority is responsible. The utilisation of mobile
applications also makes it difficult to determine the parties behind the online marketing activity. It
is often difficult to obtain the relevant digital footprints and validate the identity of an individual
based on information posted on online channels. Multilateral requests for assistance to foreign
regulators also may take time as part of the process of identifying natural persons, as discussed in
the IOSCO Committee 4 findings in Chapter 8.
5.5. Most common tools that IOSCO members use to supervise online marketing activity
Qualitative example 10 – Monitoring of online
marketing and distribution channels:
“We monitor online marketing and distribution
channels which are open to the general public. In
addition, we make use of whistle blowing from former
employees or tips from customers to reach closedcircuit channels like WhatsApp groups.” – Capital
Markets Board of Turkey
102. While most IOSCO members do not currently have
special powers for online marketing and distribution,
some members have relevant general powers and use
various tools, including:
Mystery shopping: Mystery shopping is a tool used
by some IOSCO members to understand and analyse
firm practices. It is also used for inspecting and
auditing firm level execution of specific customer
services based on regulatory standards. In the
regulator survey, the IOSCO members Spain,

101. The vast majority of IOSCO
members have a wide range of monitoring
tools and policies in place to ensure that
online marketing and distribution is not
carried out in an aggressive, misleading or
biased way or does not involve
misrepresentations or fraud.
Qualitative example 11– Review of
online marketing and distribution
material
“Regulated firms are obliged to perform
ex-ante compliance reviews for online
marketing and distribution materials and
submit relevant materials to us to
review. If there are any aggressive,
misleading or biased presentation in
materials, the regulated firm will be
warned or fined as per the regulation.” China Securities Regulatory
Commission

61

In Europe and North America, senior management/board members bear this responsibility, while in Nigeria
and China, the fund manager and trustee, as well as the board of directors are responsible. In the UK, regulatory
approval is required for certain responsibilities.

62

Ultimate beneficial owners are the real owners of the firm who may not appear as the official owners.
26

Australia, AMF Quebec, Canada, UK, Germany 63, France 64 and Israel indicated that they conduct
online mystery shopping. 65
Use of Web Scraping Platform: The UK FCA has built a “Web Scraping” platform to support a
number of use cases, using the FCA powers under Investigatory Powers Act 2016. 66
On and Off-Site Supervisions: For example, in Hong Kong, the SFC employs on and off-site
supervision of financial intermediaries’ online distribution platform to investigate instances of
consumer harm.
Thematic reviews: Thematic reviews are used for supervision of online marketing activity to
assess the level of compliance with the conduct of business rules. The Spanish CNMV adopts this
approach.
5.7. The Firm Perspective – Regulatory compliance challenges
103. Firms have highlighted the following regulatory compliance challenges:
Strict disclaimer and wording requirements: Firms stated that the regulatory obligation to use
specific wording and disclaimers within each advertisement is challenging, especially due to display
possibilities with regards to text length option on mobile devices or using paid advertisements on
search engines.
Changing regulatory requirements: Some firms found it challenging to ensure that the external
communications comply with evolving regulations as the field of online marketing and distribution
is still developing. Complying with such regulations likely requires firms to review their digital
activities and controls on a continuous basis and to seek (re)approval from the compliance
department.
Defining customer risk awareness: Related to customer onboarding, one firm stated that the largest
compliance challenge is defining the risk profile of customers in line with the regulatory
requirements.
Getting to know the customer through social media: Another challenge is getting to know the
customer thoroughly through social media as the knowledge and experience of investment and risk
tolerance level may differ widely.
Limited space on mobile application terminals as well as in online advertisements: Limited screen
space on mobile devices and in online advertisements makes it difficult for a firm to provide
complete and necessary information for a customer to make an investment decision and include
potential risk disclosures. This limitation may result in a situation whereby the customer may neglect
potential risks or act based on inadequate and incomplete information. To address this, one firm
surveyed mentioned that the firm complements the required information link with an additional
click-through to all the relevant information.
Risk of circumvention of the controls in place: The use of mobile devices and new technology,
increases the potential for customers to (unwittingly) buy products and services outside their home
jurisdiction, 67 leading to the risk of firms circumventing/ breaching the electronic restrictions, such
as geographical restrictions, in place to limit a distribution to within their jurisdiction.
63

For example, BaFin Germany has established a legal basis for mystery shopping in July 2021 and plans to
conduct several mystery shoppings, online and offline, in the coming years.

64

For example, the French AMF uses mystery shopping to monitor how financial products accessible to the
general market are marketed, however, does not consider mystery shopping as a supervisory exercise, rather
a tool to study and understand the existing market practices. This is a way of helping firms to improve trough
the feedback that they receive from the regulator..

65

Please see Chapter 8 for a discussion on mystery shopping in the enforcement context.

66

Please refer to Chapter 8 for a detailed description and further examples of IOSCO members that use scraping
tools in the enforcement context.

67

According to survey answers, mobile devices make it possible to switch off the geographical location, see also
Qualitative example 9, but also not all firms possess adequate tools to control the geographic location of the
client.
27

Chapter 6 – Cross-Border Activity and Challenges
104. This section analyzes various aspects of online cross-border marketing and product distribution
and the challenges related thereto. For the challenges encountered by IOSCO members in the
enforcement activities against unauthorized online marketing and distribution of financial products
and services, please refer to Chapter 8.
6.1. Cross-border online activity – quantitative findings
105. According to the results from the firms’ survey, a quarter of the firms surveyed actively
market/distribute their products on a cross-border basis. European firms estimate that 10% of their
services and products are provided on a cross-border basis under the European MiFID II passport.
The responding African jurisdictions as well as the Middle East show a higher level of cross-border
activity with 32% and 27% respectively:
6.2. Multi-language marketing material

Firms’ cross border activities
per region
Americas
15%

106.
Half of the respondent firms
engaging in cross-border activity
provide marketing material in more than
one language. Provision of marketing
material in more than one language is
prominent in jurisdictions where
multiple languages are spoken. This
trend is partly observed in Europe and
Asia. In the Middle East and Africa, all
of the respondent firms stated that they
use multi language material.

Europe
10%

Asia
16%

Africa
32%
Middle
East
27%
Chart 9: The chart describes what percentage of firms engage into
cross border activity per region, based on the firm’s main location

6.3. Tools used to target customers on
a cross-border basis

107.
While there are jurisdictional
differences in how firms target financial
consumers on a cross-border basis, social
networks, online chat tools, mobile applications and third-party platforms are still the main tools
that firms use to this purpose. 68 Generally, financial consumers are targeted via popular social
networking websites like Facebook and Instagram, as they provide unrestricted reach that is not
confined to a jurisdiction. Location analytics within Google is also gaining popularity as it allows
firms to track the whereabouts of their clients along with what kind of products they prefer.
Moreover, social networking websites allow firms to benefit from multi-language tools that further
target specific financial consumers and expand the firm’s reach across borders.

6.4. Role of licensing in cross-border activity
108. Licensing is a key concept, which bifurcates how firms engage in online marketing on a crossborder basis. For example, firms are responsible for complying with relevant laws of a jurisdiction
when marketing their products or services. Therefore, firms should only target cross-border
financial consumers in jurisdictions where they have a pre-existing license. However, firms could
accept foreign financial consumers from other non-licensed jurisdictions on a reverse solicitation

68

A firm from the Middle East Region stated that third party platforms are used to target and map customers.
Third-party platforms often target audiences by collecting their information via a data management platform
which ultimately increases the number of clients targeted. Platform analytics (such as Google analytics) and
social media (Facebook, Hotjar) are used in cross-border offerings in Africa. In the Americas, two firms stated
that they do not map the reach of their online activity. For North America see footnote 4.
28

basis, 69 provided they are legally entitled to do so, if the consumer found the website and if it is
considered that the website is not specifically targeting these financial consumers. 70
6.5. Firm-level policies, procedures and controls to prevent the breach of local laws
109. The firms’ survey results indicate that most regulated firms are not active in cross-border online
marketing/distribution. Those firms that are active in online marketing stated that their online
marketing does not target financial consumers outside of their home jurisdiction. To achieve this,
30% of the firms stated they have control mechanisms in place. Such control mechanisms include
firm-level compliance scans and information technology (“IT”) filters to ensure that no targeting
outside of the home jurisdiction takes place.
110. While many firms find it challenging and costly to maintain a proper level of understanding of
applicable foreign regulations, most firms active in cross-border distribution 71 apply policies and
procedures to prevent the breach of different local laws where potential financial consumers are
based, including:

Having firm-level rules included in handbooks, policies and procedures, as well as in the
customer due diligence policy;

Tailoring the onboarding process to the applicant’s country of residence and the respective
jurisdictional requirements;

Requiring customers to have bank accounts in the relevant jurisdiction where the firm is
licensed or allowed to provide service;

Prohibiting direct marketing in any country in which the firm is not licensed or allowed to
provide service for example by maintaining appropriate group policies;

Seeking comprehensive legal advice in multiple jurisdictions to ensure that the firm operates
within legal obligations; and

Accepting customers who find their website from foreign jurisdictions on a reverse-solicitation
basis, provided that the firm is legally entitled to do so.

111. Where reverse-solicitation (see footnote 48) is allowed (although the firm is not licensed in the
country of residence of the investor requesting the service/product at his own initiative), ensuring
proper disclosure to customers that:

the firm is not licensed in their jurisdiction;

products are not intended for them;

they need to consent that they have not been directly solicited (to able to continue the
onboarding process); and

69

Reverse solicitation is the situation where a client or prospect initiates at its own initiative the provision of a
financial service by a third-country firm (from EU perspective). Reverse solicitation would be considered as
met when the third country firm responds to the exclusive initiative of the client.

70

For an example of the concept of reverse solicitation in the US, see 1998 Commission Internet release at
https://www.sec.gov/rules/interp/33-7516.htm. Excerpt: When offerors implement adequate measures to
prevent U.S. persons from participating in an offshore Internet offer, we would not view the offer as targeted
at the United States and thus would not treat it as occurring in the United States for registration purposes. What
constitutes adequate measures will depend on all the facts and circumstances of any particular situation. We
generally would not consider an offshore Internet offer made by a non-U.S. offeror as targeted at the United
States, however, if the Website includes a prominent disclaimer making it clear that the offer is directed only
to countries other than the United States. For example, the Website could state that the securities or services
are not being offered in the United States or to U.S. persons, or it could specify those jurisdictions (other than
the United States) in which the offer is being made; and The Website offeror implements procedures that are
reasonably designed to guard against sales to U.S. persons in the offshore offering.

71

According to survey results, 27% of the firms are active in cross border online marketing/distribution.
Amongst the active ones, 70% have control mechanisms in place.
29

any contact following a form filled in on the internet via a banner in a direct or indirect way
cannot be considered as reverse solicitation.

112. To avoid breach of local laws, measures should be in place to prevent firms from actively
marketing to financial consumers in jurisdictions where the firm is not licensed or allowed to
engage in such activities.
113. In addition, the following good practices can be considered by firms so as to prevent detrimental
situations for investors:

having a bank account(s) in the jurisdiction in which the firms is located;

ensuring disclosure of information to financial consumers on all relevant information required
under host jurisdiction’s disclosure requirements;

seeking legal advice, including on local financial consumer law; and

having a “complaints service” in place which offers services in the language of the targeted
jurisdiction and access to an ombudsman in the host country.

Measure 6: Ensuring compliance with third country regulations
Where firms may have clients from jurisdictions other than where they hold a license, the
firm’s home regulator should consider requiring their domestic firms to have adequate policies
and procedures for onboarding these clients. For example, IOSCO members could require
firms to undertake due diligence to determine whether they are required to hold a license in a
prospective client’s home country and/or whether other regulatory obligations apply, and to
retain records of such due diligence.
6.6. Factors that IOSCO members take into consideration while determining whether the firm
falls under their regulatory remit
114. Determining where online marketing is occurring is particularly important to determine the
responsible regulator and the applicable law. IOSCO members face various challenges in
determining whether the online activity occurs in their jurisdiction. Furthermore, various legal
consequences might be tied to the online activity depending on where it occurs. IOSCO members
typically take into account several factors to determine whether online marketing and distribution
activities are carried out in their own jurisdiction by a regulated firm that is headquartered outside
the home jurisdiction. IOSCO members could also assess whether national residents are being
targeted by firms located in another jurisdiction and whether the communication, website or the
app directly targets local customers. IOSCO members could use a number of criteria for this
purpose. These could include checking:

whether the firm uses the specific residents’ language, offerings of dedicated phone services
to national residents, use of national electronic domain, etc.;

whether the firm has a postal address or telephone number in the specific jurisdiction targeted;

whether the firm has business premises or office for marketing purposes in the specific
jurisdiction targeted;

whether the firm has a “.X” (targeted specific jurisdiction) internet domain name;

whether the firm organizes the distribution of its products and services through one or more
distribution networks located in the specific jurisdiction targeted;

whether the firm sends promotional communications, regardless of the medium, to potential
customers residing or established in the specific jurisdiction targeted;

whether the firm approaches potential clients domiciled in in the specific jurisdiction targeted
directly (email, fax, phone, letter) for the purpose of offering financial services and/or
products (other than within existing relationships in relation to these particular products); and

whether there is evidence of an internet offer targeted specifically at residents, such as the
domain name, language, product description, financial or other country-specific client
30

information, legal framework, prices and methods of payment, as well as the provision of home
jurisdiction contact details.
6.7. Main compliance and regulatory challenges for firms in cross-border online marketing and
distribution activity
115. Firms have responded that they keep abreast of and follow foreign regulatory restrictions.
However, as marketing campaigns become increasingly borderless, it becomes challenging to both
deliver robust advertising and stay within regulatory limits at a global scale.
116. One of the biggest challenge firms reportedly face is keeping up to date with regulatory
developments across multiple jurisdictions. Understanding global regulation, which can be
jurisdiction-specific and remaining on top of constantly changing regulation is difficult and costly.
This is particularly difficult for new entrants due to the cost of accessing sophisticated legal and
compliance advice.
117. Additionally, firms drew attention to the competitive disadvantage and regulatory arbitrage created
by unlicensed firms. Some surveyed firms stated that when regulatory restrictions become too
burdensome and complex, the burden of cost falls on licensed firms that are mindful of legal and
reputational considerations, and the entities that benefit most are often those that are improperly
operating unlicensed and unregulated as they do not comply with the necessary requirements
and/or circumvent the law. Furthermore, their ads can be easily accessed by financial consumers
due to the aggressive targeting methods that they utilise while not necessarily limiting ads to the
group of clients to whom their products are suitable. Regarding the joint efforts by IOSCO
members to address regulatory arbitrage, please see Chapter 8.
6.8. Regulatory challenges in supervising cross-border online marketing and communication
118. IOSCO members typically use a full set of administrative sanctions ranging from warnings and
suspensions to withdrawal of license against firms that engage in unlawful online marketing and
distribution on a cross-border basis without authorization. In general, most members have
sanctioning powers on the individual firms that they regulate, but some can request websites to be
shut down as described in Chapter 8. The majority of the regulatory regimes require firms
providing digital financial services in their jurisdiction to be licensed. These requirements typically
allow firms to perform marketing and distribution abroad, however, as long as the service is
provided within the home jurisdiction (when local customers are also being served or services are
located in the home jurisdiction), the firm should be authorised given the general licensing
requirements of the respective regulator are met.
119. The majority of IOSCO members allow regulated firms to operate through different internet
domains or use of different trading platforms. The name of these domains or platforms may differ
from the regulated firm’s corporate name. Therefore, several members require firms to disclose to
their customers the internet domains which may have a different name than the legal entity. The
rule of clear, fair and not misleading information to investors prevails in most cases.
120. The vast majority of IOSCO members do not differentiate between supervision of online marketing
and distribution activities targeted at domestic customers versus those targeted at foreign
customers. Most members oblige firms to comply with the local rules. Few members stipulate that
foreign customers’ local law will have to be taken into consideration by the firm.
6.9. Firms’ activity through different internet domains
121. Use of different internet domains can increase the reach to a wider population. 25% of the firms
operate through different internet domains in order to target a wider audience.72 Some firms also
72

While European and the Middle East (with one exception) firms do not operate through different domains,
this is not the case in Asia. Firms in Asia state that there are cases of different internet domains where the
company is a licensed entity in various countries and in other cases because they operate several investment
platforms targeting different customer segments. In Africa different domains are also used to broaden the
company´s reach or for group structure and/or trademarks purposes. In the Americas, all the firms providing
cross-border activities use more than one domain, with the aim of obtaining a maximum reach. For North
American survey participation, see footnote 4.

31

use separate domains for the different services they offer. Firms also operate through different
internet domains per jurisdiction in order to align information to the respective compliance
requirements. They use the geographical IPs to re-route individuals to the right domain to ensure
that they comply with the appropriate regional legislation. Several firms did not explain how they
ensure customers are informed in line with the respective regulatory requirements if they rely on a
single domain.
122. Firms use different internet domains for a number of reasons. Firstly, the use of different internet
domains allows them to protect their business against user error. For example, firms prefer
purchasing domains with similar spellings to avoid customer confusion. This in turn helps prevent
brand poaching because competitors with similar names may often create unnecessary confusion
for customers. Secondly, and more importantly, the use of different internet domains allows firms
to segment their customers and reach out to new markets. The rising trend towards geographic
domains allows firms to add a location specific extension to reach out to more customers. Thirdly,
and in addition to reaching out to more customers, the use of different internet domains with
specific geographic location allows firms to increase their visibility under different search engines
(e.g., Google’s SEO).
123. Given the anonymity and the ease of changing domains on the internet, the use of different internet
domains may create risks related to investor protection and challenges in compliance with the
relevant regulatory and disclosure requirements, as well as identifying whether the website belongs
to a firm that is authorised under national law. It becomes difficult for IOSCO members to attribute
liability to the firm. Importantly, when firms increase the number of internet domains for daily
business, this adds to the pre-existing cross-border challenges because of the jurisdictional overlap.
Measure 7: Clarity about legal entities using internet domains
IOSCO members should consider requiring firms, when they offer products through multiple
internet domains, to adopt policies and procedures requiring clear, fair, and not misleading
disclosure about who the underlying legal entity is offering the product and under what license
(and from which jurisdiction). This disclosure should also cover the scope and limitation of services.
IOSCO members should also consider prohibiting firms from redirecting clients to a third country
website to avoid the regulatory requirements in a jurisdiction.
Additionally, IOSCO members may wish to consider keeping an open register which could enable
the public to check and confirm whether a website belongs to a firm authorised to provide services
in the jurisdiction and under the law.
6.10. Regulatory cross-border cooperation
124. There is consensus across the IOSCO membership that effective regulatory and cooperation
techniques are enhanced and enforced through discussions of issues of common interests. Most
members provide assistance to their foreign counterparts under information sharing arrangements
and the European members abide by the EU laws on cross-border aspects within the EU. Chapter
8 talks about the enforcement aspect and the measures that may contribute to address the
enforcement challenges that may emanate from cross-border offerings.

32

Chapter 7 – Inappropriate Behaviour and Risks
125. Online marketing and distribution can enable inappropriate behaviour and thus increase the risks
that investors are exposed to. This is mainly due to the following reasons:

Asymmetric information between firms and customers: One of the main drivers of
inappropriate and risky behaviour in online marketing and distribution is the asymmetry of
information between the customer and the firm. The survey findings showcase incidents of
deceptive advertisements in online marketing that misrepresent facts to the customer.

Anonymity in online offerings: Some firms mentioned that customers are unable to identify
the legitimacy of firms when they are targeted by fraudulent and fake firms disguised as wellknown firms. These fake firms can pretend to be associated with other companies, steal and
use their marketing materials and spoof their e-mail addresses. Such activity not only damages
the reputation and brand value of the imitated company, but also may result in retail investor
harm.

Use of online platforms: Online platforms can facilitate channelling of huge amount of
advertisements with no or poor oversight. The pure amount can be a regulatory challenge.

Target audience without investment knowledge and experience: Marketing financial services
on social media platforms like TikTok and Instagram target a relatively young audience, who
might not be familiar with investing. Such advertisements often do not properly display
essential information on the potential risks.

IT illiteracy on the retail investor side: Firms may take advantage of consumers who may lack
adequate IT skills by releasing their personal information online without their consent.

7.1 Commonly Observed Inappropriate Behaviour
126. Some of the commonly observed inappropriate behaviour are the following:

Pretending to be a credible source to extract information – impersonation;

Junk e-mails that overpromise returns;

Bulk targeting; 73

Hacking and other cyber security violations; and

Fake success stories by using influencers.

127. Furthermore, as the dependency on technology increases, so do operational risks and hacker
threats. The following chapter analyses the regulatory perspective from an enforcement point of
view and shares good practices from IOSCO members.

73

Bulk targeting is sending the same e-mail campaign to people in the same geographic location in a bulk
without customizing.

33

Chapter 8 – Enforcement
128. In line with Principle 11 of the IOSCO Objectives and Principles for Securities Regulators,74
IOSCO members are encouraged to evaluate whether their powers are sufficiently robust and
flexible to be effective and dissuasive against misconduct.
129. This part of the Report developed by Committee 4 highlights the relevance of international
cooperation and identifies and promotes for IOSCO members an Enforcement Toolkit with
potential enforcement approaches that may contribute to more effectively curb cross-border online
misconduct globally, as a complement and further specification of those explored in the Retail
OTC Leveraged Report published in 2018. 75 Given their ongoing importance, IOSCO will continue
to focus on these issues.
130. The identified measures are complementary and should be seen as part of a holistic approach to
coordinate efforts to deliver more consistent global enforcement outcomes in this area.
131. Educational materials, warnings and updates on enforcement actions are another critical
complement to mitigate and address risks posed by online marketing and distribution to retail
investors. Digital fraudsters are always on the move and often hide behind a “digital veil” that
makes it difficult for IOSCO members to locate, identify and take action against them. Well
informed investors are the first line of defence against fraud and unlicensed operators. So IOSCO
continues to support retail investors with targeted and solid financial education initiatives. 76 Such
initiatives could work alongside the measures identified in the Policy and Enforcement Toolkits to
help raise investor awareness of the specific risks associated with the cumulative effect of increased
complexity of financial products and services, the rapid pace of innovation, ongoing gamification
trends and increasing levels and volumes of self-directed trading by retail investors. Raising public
awareness of illegal schemes and of regulators’ enforcement actions in an impactful way is an
additional and critical tool that authorities can use to limit cross-border online misconduct and
retail investor harm and to deter future illegal activity. 77

74

Under IOSCO Principle 11, “the Regulator should have comprehensive enforcement powers.” (see IOSCO
Objectives and Principles of Securities Regulation, May 2017). According to the IOSCO Methodology for
Assessing the Implementation of the IOSCO Objectives and Principles of May 2017 the regulator should have
comprehensive powers, including detection, investigation and sanctioning powers. Furthermore, in the
IOSCO Report on Credible Deterrence In The Enforcement Of Securities Regulation, June 2015, IOSCO
noted that “to keep pace with financial innovation and illicit practices, regulators should consider regularly
evaluating, and, as appropriate, revising regulatory and enforcement strategies, priorities and tools”.

75

The toolkit described in the 2018 Report explores issues raised by unlicensed entities offering OTC leveraged
products to retail investors, with a particular focus on unlicensed binary options firms and activities carried
out by them. The measures included in the 2018 Report cover five areas: (i) Formal enforcement actions; (ii)
Cooperation with international and local partners; (iii) Laws that facilitate or strengthen enforcement actions;
(iv) Information gathering; and (v) Raising awareness with relevant stakeholders such as advertising
facilitators, mobile application providers, banks and payment platforms.

76

The IOSCO Retail Market Conduct Task Force Consultation Report of March 2022 (cited) highlights
considerations for the Investor Education Toolkit. In January 2022, the three European Supervisory
Authorities – the European Banking Authority (EBA), the European Insurance and Occupational
Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA) – published a Joint
ESAs thematic repository on financial education and digitalisation initiatives of national competent
authorities, with a specific focus on cybersecurity, scams and fraud. The repository contains 127 national
initiatives that provide consumers with helpful information on how to improve their financial literacy.

77

The IOSCO Report on Retail OTC Leveraged Products, cited above, includes also a specific “Toolkit of
investor education materials with guidance about retail OTC leveraged products and firms offering them.” The
toolkit contains guidance to regulators in the following four areas: (i) Developing educational content about
retail OTC leveraged products; (ii) Informing the public about unlicensed or fraudulent firms; (iii) Using
different communication channels to reach targeted audiences; and (iv) Forging partnerships to increase the
effectiveness of educational measures. The IOSCO Report on Investor Education on Crypto-Assets, December
2020, contains additional guidance to regulators in the aforesaid areas in relation to crypto-assets.
34

132. The present work on the enforcement section complements the policy measures developed by
IOSCO Committee 3 to address and mitigate the risks posed by online (cross-border) marketing
and distribution by licensed firms.
8.1. IOSCO survey findings
133. This section describes the findings of the survey conducted among Committee 4 members about
their enforcement experiences related to digital marketing and distribution.
A. Investigatory and enforcement challenges
134. The survey responses showed commonalities when it comes to the identification of the practical
challenges faced by IOSCO members, notwithstanding diversity in legal frameworks and
enforcement approaches. Social media, and the Internet generally, display some unique features 78
(e.g., consistent with Committee 3 findings: nearly instantaneous communication with many users
in multiple jurisdictions at a relatively low cost; ease to create a site, account, email, direct
message, or webpage that appears legitimate; potential for anonymity; speed of change) that make
credible deterrence particularly difficult to achieve.
135. Many IOSCO members reported that investigations in the context of online marketing and
distributions of financial services and products are costly and time consuming. Although most
IOSCO members enjoy wide information gathering and enforcement powers, they still face
challenges in timely detecting, investigating and enforcing illegal activities in the essentially
borderless online environment, especially in tracing the flows of funds 79 and in determining the
geographic location of the operations and of persons responsible, the true identity of such persons
and the actual scale of harm to investors. This is due to a combination of different factors as
outlined below and it is perceived as complicating the ability to undertake swift and effective
enforcement actions.
136. Some IOSCO members noted that investigations and enforcement of illegal online activities may
be particularly challenging where new complex products such as crypto-assets are used. Further,
IOSCO members reported that where the activities of market participants are novel, determining
the scope of regulation can be difficult. Where crypto-assets are used, it may be more challenging
to trace the flow of funds and it may take a longer time to obtain information from another
jurisdiction due to regulatory differences.
Fast moving targets
137. Many IOSCO members reported that online illegal activities are essentially cross-border moving
targets. Perpetrators of online illegal activities tend not to “stay in one place”. They regularly
change domain names and locations as well as the target location of their fraudulent schemes after
the publication of alerts or warnings by the regulator or after a website is taken down. At a
relatively low cost, they migrate to new products, brands or jurisdictions to continue to defraud
investors. This migratory conduct creates significant challenges to many IOSCO regulators’
activities, even when specific investigatory techniques and enforcement powers, as described
below, are successfully used.
78

In the IOSCO Report on Securities Activities on the Internet, October 1998, IOSCO explored the main
characteristics of the Internet and how they may increase opportunities for misconduct by bad actors. The said
report also describes factors that should be taken into account by regulators to identify whether there are
sufficient ties to the local jurisdiction leading to their exercise of their regulatory authority. In this regard,
please also see the IOSCO Report on Securities Activities on the Internet II of June 2001. The IOSCO Report
on Retail OTC Leveraged Products, cited above, identifies particular challenges encountered by IOSCO
members in combating illegal activity (including sales of the products by unlicensed firms and fraud) arising
from the sale and offer of OTC leveraged products through online trading platforms.

79

Many regulators reported that mapping the flow of funds may be particularly challenging, particularly if
investors do not send their money directly to the entity operating the website and instead send funds via creditcard or payment processors to foreign intermediaries, including those opened by various nominee entities.
Obtaining information related to the scheme and tracing funds to off-shore entities or financial institutions is
time-consuming. A few regulators noted that, even when information is obtained, the information format can
be challenging to navigate and may require currency conversions and significant data entry to analyse the
output.
35

Multi-jurisdictional/complex structure, regulatory arbitrage and gaps
138. Many IOSCO members reported that online offers tend to be structured by setting up different
parts of the online marketing process in different jurisdictions and using multiple layers of letterbox entities or cloned names to elude investigations. Perpetrators often use different brand names
confusing investors. Introducing broker related activities by third parties may actually be hiding
unauthorised provision of investment services. OTC platforms and their data servers are often
deliberately incorporated in countries with regulatory gaps 80 or in uncooperative jurisdictions.
IOSCO members may face difficulties in obtaining information and documents from multiple
foreign regulators or from foreign website and social media providers. This makes the investigation
and collection of evidence a difficult and lengthy process and creates challenges to pursue legal
actions.
Private communication channels and “anonymizing” tools
139. Several IOSCO members reported that the use of encryption and private messaging (such as
through e-mail and smartphone apps) makes it difficult for regulators to gather valuable evidence.
In order to obtain the content of such messages, some IOSCO members may need to make a
petition to a court and to identify the individuals first. Sophisticated search engine optimisation
tools or cloaking techniques may be used by scam perpetrators to hide illegal activities so that a
monitoring algorithm and/or persons see a landing page with content completely different from the
one that potential investors are presented with. The ability to identify the offender is further
complicated by the fact that the products often are offered on a website that is registered through
a privacy registrar company which may be located in a jurisdiction with limited ability to access
the underlying subscriber information and/or is registered through a shell company operating in a
jurisdiction that is slow, unable or unwilling to provide information identifying the entities and
individuals associated with the shell company.
Inaccurate and transient nature of information
140. Many IOSCO members reported that information made available on a website or social media may
be deliberately inaccurate, partial, ephemeral or misleading by design, in order to conceal the true
nature or scope of the product or service and to circumvent the regulatory perimeter. Fake names
and virtual offices are often used to hide the identity and location of the persons behind the illegal
activity. Moreover, information made available, including false or misleading
marketing/promotional material and communications used to solicit investors, can be easily and
inexpensively erased or altered, posing regulatory and evidentiary issues for IOSCO members
attempting to build an investigation. Many apps do not preserve the content of communications.
Enforcement challenges
141. Many IOSCO members reported that it can be difficult at times to pursue legal action against
perpetrators of illegal online activity. This is the case for example where the persons behind the
activity cannot be located in order to be served due to the use of multiple layers of nominee entities
hiding the identity of the true operator. The collection of monetary sanctions from other
jurisdictions may also be challenging, especially if the person is not regulated. Similarly, it may be
difficult to have an asset freeze recognized and implemented abroad, and/or have the funds
repatriated at the conclusion of the case. Some survey respondents outlined that enhanced ability
to take sufficient and prompt actions to deal with illegal products or activities, faster cooperation
with foreign regulators and greater liaison with law enforcement authorities would enable them to
better tackle online harm.
B. Specific investigatory techniques
142. In order to keep pace with the challenges identified in the previous section, some IOSCO members
reported that they are increasingly adopting or are interested in exploring technology-based
investigatory techniques and approaches specific to online marketing and distribution activities.
These “specific investigatory techniques” complement the toolkit used for all methods of
solicitation or suspicious activities such as the power to require the production of information,
obtain statements, request assistance from other authorities, including foreign counterparts, and –
80

For example, they may be incorporated in jurisdictions in which the product is not regulated or where entities
are not required to retain robust records and regulators may lack the ability to obtain certain types of
information, such as trading and payment processor/bank account records.
36

in some cases – obtain subscriber and data traffic records from telephone service providers (TSPs)
and internet service providers (ISPs). Other IOSCO members are able to use their current detection
and investigation powers to address current and emerging threats.
Customer and Whistleblower Complaints
143. Many IOSCO members reported that given the multiplicity of websites, local customer
complaints, 81 whistleblower submissions (see examples in the box) 82 and other unsolicited
assistance are an important and crucial source of information for detecting illegal online activities.
Receiving prompt and detailed complaints is of particular relevance considering the speed of
change in the online environment. As reported by some respondents, obtaining evidence about
online illegal activities in a timely manner may otherwise be very difficult. Committee 3 findings
also show that, while IOSCO members usually do not have specifically dedicated units responsible
for online marketing and distribution related complaints, nearly all of them review customer
complaints related to online marketing and distribution. 83
Examples of IOSCO members that have established whistleblowing programs
• The
U.S.
CFTC
developed
a
whistleblowing
program
(see
https://www.whistleblower.gov/) based on monetary incentives, which has proven
to be a valuable source of information.

The OSC Ontario, Canada established a Whistleblower Program which offers
monetary awards and whistleblower protections and is a fruitful source of
information
for
hard
to
detect
forms
of
misconduct
(see
www.officeofthewhistleblower.ca).

The U.S. SEC established an Office of the Whistleblower to administer the SEC’s
program (see https://www.sec.gov/whistleblower).

Forensic evidence, undercover investigations and mystery shopping
144. Some IOSCO members have established specialized units and/or asked already existing
surveillance departments to gather forensic evidence through proactive Internet detection
activities.
145. In a few jurisdictions, IOSCO members are empowered to conduct undercover investigations and
mystery shopping in the context of online marketing and distribution of products and services,
using pseudonyms/non-real email addresses and, in certain cases, fake passports and/or bank
accounts. As reported by these IOSCO members, this may be a tool to verify ties to a local
jurisdiction and to gather information and evidence, including information useful to determine the

81

The public can be a useful source of information and intelligence to identify misconduct. Deterrence can be
enhanced when regulators have transparent, well known and easily accessible mechanisms for the public to
provide tips and make complaints about suspected or actual misconduct. See IOSCO Report on Credible
Deterrence In The Enforcement Of Securities Regulation, supra.

82

The relevance of developing programmes to encourage whistleblowing to regulators was highlighted in the
IOSCO Report on Credible Deterrence In The Enforcement Of Securities Regulation, supra.

83

According to Committee 3 findings, Abu Dhabi, Japan, UK, the Netherlands, and Chinese Taipei have
established dedicated internal structures to oversee customer complaints related to digital advertising and
distribution. In Italy, customer complaints are analyzed and logged in a database, where categorization is made
based on the provision of the service or activity involved. Enforcement teams then follow-up on such
complaints. In Israel, the handling of public inquiries under ISA’s internal procedure is the responsibility of
the Public Inquiries Officer. In another interesting example, the U.S. SEC and FINRA further require firms to
report customer complaints with statistical information on a quarterly basis. Such statistical information
includes customer complaints related to misinterpretation, suitability requirements, and marketing/ sales
communications and problem codes (Problem codes is a FINRA issued document which is used to categorize
complaints).
37

scale of potential harm and to identify and locate the persons behind the illegal activity. Examples
resulting from the survey responses are provided in the box below. 84
Examples of IOSCO members conducting undercover investigations and mystery
shopping

AFM Netherlands has been recently empowered to perform pseudo purchases with
a complete fake identity (including a fake passport and/or bank account under a false
name); however certain additional practical competences in order to make an
effective use of such new power have not yet been arranged for.

AMF Quebec conducts undercover operations to gather evidence on the web. The
investigator posing as an investor contacts the target under a false identity (asking
questions, including to identify and locate the perpetrator and to determine the scale
of harm, and requesting documentation) and becomes an investor. Accusations can
be laid against the target for the solicitation of the investigator posing as a potential
investor. Significant efforts from certain social media to eliminate fake accounts can
make it challenging for the regulator to create a false identity. BCSC British
Columbia uses special anonymous IP addresses to search social media and responds
to advertisements (feign interest in offers) and attends webinars covertly.

CONSOB Italy has a dedicated unit in charge of collecting forensic evidence through
non-traceable IP addresses and, to the extent possible (e.g., it is not possible to create
fake documents such as IDs), carrying out undercover operations under fake
names/emails, for example verifying whether the website enables registration from
Italian residents and give access to investment services/products. Once the
searches/checks are completed, the unit provides investigators with relevant
outcomes, including for instance non-mutable screenshots, information on persons
behind non-anonymous domains, outcomes of the undercover attempt to register and
open trading accounts, etc. These documents and information are further analyzed to
build the case and are often essential to move on with investigations around online
activities.

Tools to monitor websites and social networks
146. A few IOSCO members (see examples in the box below) are employing so-called scraping tools
and artificial intelligence to systematically monitor websites and/or social networks proactively,
e.g., where specific products are offered. Moreover, Committee 3 findings show that some IOSCO
members use third-party providers that utilize professional monitoring tools to scan social
networks. These technology-based tools enable investigators to explore and analyse data collected
from the web or social networks through keyword searches and to identify risky promotions or
potential harm.

84

On the use of mystery shopping techniques, see also the Committee 3 findings in Chapter 5.
38

Examples of IOSCO members using tools to monitor websites and social networks

AMF France monitors websites that are identified as being suspect with the help of
professional tools. An alert appears if something changes on those websites. Three specific
tools based on Artificial Intelligence have been developed: 1) FISH (FInancial Scam
Hunter): web scraping of financial websites and automatic scam qualification; 2) SPADE
(SPAm Detection): classification by an algorithm to determine the relevance of spam signals
received by a public-private partnership (Signal Spam); 3) WETREND: detection of weak
signals by topic modelling in order to discover upcoming and trending financial scams,
using spams from Signal Spam and complaints of investors. When a new financial
investment is detected on the internet, a legal analysis of its activities is carried out before
deciding on the further course of action.

AFM Netherlands uses scraping tools to monitor websites where specific products are
offered, such as CFDs.

CNMV Spain has been applying an ongoing systematic search for unauthorised entities
throughout the Internet environment.

ISA Israel conducts proactive technological monitoring of ventures by professional
monitoring tools that scan social networks by keywords.

UK FCA has been working on building a “Web Scraping” platform to support a number of
cases, which includes the detection of risky financial promotions advertised to consumers
through search engines and via websites. A custom built front-end will allow supervisors to
build a scraping request either through the use of search engine/search terms, or through
entering URLs directly. The tool then scrapes data from the web and will allow supervisors
to explore and analyse the data, once it has been collected, for example through keyword
searches, for the purpose of efficiently identifying risky promotions and potential harm
within the scraped results. The data is used to identify the priority results and to take action.
The regulator intends to look to further build out such products and add additional
capabilities to the tool to support other use cases.

U.S. CFTC’s LabCFTC launched the Project Streetlamp competition (see
https://www.challenge.gov/challenge/project-streetlamp/) to challenge innovators to utilize
technology, including artificial intelligence and innovative approaches to detect foreign
entities that should be – but are not – registered with the CFTC. The competition was
intended to generate information that ultimately helps customers make more informed
decisions about whether to trade with, or through, these unregistered foreign entities.

Communication with third-parties such as ISPs, criminal authorities or the financial police
147. Some IOSCO members have had discussions with ISPs, social media entities and other providers
of electronic intermediary services asking them to actively vet/ban posts connected to investor
scams 85 or have entered into protocols with criminal authorities, the financial police or other
stakeholders (including associations of supervised entities or the advertising and media sector) to
strengthen cooperation against potential scams. For example, some authorities are exploring
mechanisms to foster collaboration by supervised entities to inform investors about the risks or
possibilities of fraud. Directly communicating with the possible perpetrators of frauds or scams on
social media to warn of the possible illegality and consequences of acting as they may plan is
another type of action used to disrupt frauds and scams.
85

Working with ISPs, social media entities and other websites to have them remove content on a voluntary basis
may not be appropriate in every circumstance. Foreign domains cannot be blocked as the service providers
usually require formal local court orders or may not cooperate with regulators.
39

Examples of communications between IOSCO members and third-parties against online
illegal activities

The Australian ASIC engages newer technology stakeholders, e.g., moderators of online
forums to understand how they monitor posts and deal with poor conduct and internet
search platforms to discuss their search structures such that investors are not being
misled on the results that are provided for certain searches. Moreover, ASIC reported
that, further to ASIC’s engagement activity, Google amended its financial product and
services policy, with effects from August 30, 2022, to expand their verification program
for financial services advertisers to Australia. According to the new policy, financial
services advertisers in Australia need to demonstrate that they are authorised by ASIC,
and have completed Google’s advertiser verification program in order to begin
promoting their products and services.

The Dutch AFM reported to have had discussions with social media parties in order to
ask them to actively monitor/try to ban investor scams. A difficulty which is
encountered is that these scam parties use a technique named ‘cloaking’, in which the
monitoring algorithm and/or persons see another landing page different from that seen
by potential investors.

The French AMF entered into a protocol with the financial police defining the
framework for cooperation which enables the parties to share their knowledge in order
to ensure more effective identification of trends in new financial scams and carry out
joint prevention and awareness-raising initiatives among the general public. The
cooperation framework will be extended to include training for police officers in charge
of receiving complaints to familiarise them with the financial market sectors. A special
task force has been created on digital intelligence, which allows French institutions and
government departments to exchange information on digital intelligence tools and best
practices.

The Spanish CNMV entered into a Memorandum of Understanding for the Action Plan
against Financial Fraud with 18 other government bodies and enforcement agencies in
Spain. The aim of this Memorandum of Understanding, which was signed on April 29,
2022, is to define and articulate measures to help reduce the capacity for action and
expansion of financial fraud attempts, to restrict the promotion or advertising of
activities to attract new victims, as well as to provide investors and clients of financial
services with the necessary tools and knowledge to detect and prevent these practices.
The signatories will create a monitoring committee which will be responsible for
assessing possible new fraud patterns, proposing new measures and analysing the
development of these phenomena in Spain. Organizations from the economic and
financial sphere, the judicial system and State Security Forces, the advertising and
media sector, among others, will attend these meetings as signatories of the agreement.

CONSOB Italy transmits a specific report to the criminal authority for each suspected
case of illegal activity, including activity perpetrated online. CONSOB is also a
signatory to protocols on cooperation with financial police bodies to facilitate its
supervisory activity.

The OSC Ontario, Canada reported having had some degree of success in working with
ISPs, social media entities and other websites in the jurisdiction to have them remove
content (i.e., posts and advertisements) on a voluntary basis. The regulator uses “knockand-talks” disruption tools where staff from the regulator (usually with the assistance of
a police officer from a law enforcement partner agency) knock on the door of a subject
and tell them to cease and desist. This can be effective in furthering the investor
protection mandate and more rapid than a drawn out investigation and hearing process,
although it may not be appropriate in every circumstance.
40

Examples of communications between IOSCO members and third-parties against online
illegal activities

The UK FCA reported that, if the website is based in the UK, the web host will generally
cooperate with the regulator’s request for a website to be taken down. If the web host is
based abroad, the response is far more variable.

C. Enforcement approaches
148. The survey showed that most respondents are able to exercise existing powers to take action for
violations in the area of digital marketing and distribution. They generally reported a broad range
of measures to use and sanctions they can impose, which may include for instance placing
limitations on the activities of firms and monetary sanctions.
149. Some IOSCO members are empowered to shut down or block access to illegal websites directly
(see the examples in the box) or apply for court orders restricting the activities (including website
shutdown), freezing assets or obtaining search warrants. Other authorities reported some positive
experience in persuading local web hosts to cooperate with their request for a website to be taken
down voluntarily, whilst noting this may not be appropriate in every circumstance, in particular as
regards foreign websites. As the ability to take quick actions to stop violations is critical to
minimize investor harm, the power to shut down or block access to illegal websites directly or the
existence of appropriate mechanisms for obtaining a court order for this purpose on an urgent or
prompt basis are reported as being particularly important to support the effectiveness of the
enforcement action. For example, a positive experience was reported by a regulator in relation to
the fact that it may directly require ISPs to block access to an illegal website from its country
regardless of whether the domain and hosting are within the member jurisdiction and without the
need to identify the persons behind it first. However, even when powers to shut down or block
access to illegal websites are successfully used, operators of the websites often set up new websites
under a new name.

41

Examples of IOSCO members empowered to shut down or block access to illegal websites (or
order removal of unlawful content) directly

The Italian CONSOB can, with regard to anyone who offers or carries out investment
services via web without being qualified, order that the unauthorized investment services
provider cease the infringement. Furthermore, CONSOB can suspend and/or prohibit the
public offering of financial instruments and other financial products (and the related
advertising) carried out without a prospectus. Moreover, CONSOB can directly order the
providers of Internet connectivity, operators of other telecommunication networks and
providers of telecommunication services to ban the access to the website (including foreign
website) from Italy. The power can be exercised in cases of unauthorised provision of
investment services/activities as well as in cases of public offers of financial
instruments/products without prospectus. The power proved to be the most effective way to
promptly stop online illegal activities of foreign entities and supported the credibility of
CONSOB in the fight against online illegal misconduct. From July 2019 until September 7,
2022, CONSOB blocked access from Italy to 749 illegal websites. On the homepage of
CONSOB’s website (www.consob.it), the section “Watch out for scams!” provides useful
information for the purpose of warning investors in relation to unauthorized financial
initiatives.

The Dutch AFM may, in certain circumstances, order the explicit display of a warning to
consumers when they access an online interface, order a hosting service provider to remove,
disable or restrict access to an online interface or order domain registries or registrars to
delete a domain name.

In British Columbia recent amendments to the legislation seems to allow the regulator to
order a website to not disseminate certain information but this has not been tested yet.

42

Examples of IOSCO members effectively using court processes to shut down or block access to
illegal websites

The CNV Argentina may present a proper pleading to the court asking for the shutdown,
but this kind of measure has not been taken yet and there is no related leading case in the
national courts.

The French AMF Chairman can judicially require the blocking of websites. The procedure
makes it possible for the regulator to act before the judicial tribunal (which has agreed to
organize an audience approximately every 2 months) in order to systematically compel the
ISPs in the French national territory, after formal notices are sent to the operator and to the
website host. Interestingly, if after the blocking order the offer remains accessible from other
websites, it is possible to go back to the judge for the blocking of “bypassing sites” with a
simple request by the Chairman of the regulator and without the change of host requiring
formal notice to be sent to the new host.

The DFSA (Dubai) can make an application to the DIFC courts for cease orders and
injunctions, which it would do if the subject of the orders/injunctions was outside of the
DFSA’s jurisdiction.

The Japan FSA may seek a court order to cease or prohibit concerned illegal activities
including shutdown of the websites.

The AMF Quebec can be empowered by judgements obtained from administrative tribunals
or quasi criminal (penal) courts to require a company owning a website to close down a
website or withdraw it from public access.

The CMB Turkey may request the Court to ban Internet access if the domain and hosting
are within the country.

The UK FCA may seek a court order to cease or prohibit concerned illegal activities
including shutdown of the websites.

The U.S. SEC and the U.S. CFTC have the power to seek emergency relief in federal district
court to halt ongoing fraud, such as a temporary restraining order against a person or entity
from violating the federal securities and derivatives laws.

D. Relevance of international cooperation and cooperation with other partners
150. Determining the geographical location of operations and of the persons behind the illegal activities,
ascertaining the identity of such persons and of the victims and tracking down the flow of funds
are complex and often unsuccessful efforts without substantial resources and effective international
cooperation.
151. Many of the survey responses show that the existing IOSCO sharing and cooperation frameworks
– i.e., formal requests for assistance under the IOSCO Multilateral Memorandum of Understanding
(“MMoU”) and Enhanced MMoU (EMMoU) – are generally useful in gathering material
information and concluding investigations successfully.
152. In some cases, cooperation may not be timely or fully satisfactory. Another challenge reported by
many respondents pertains to difficulties in obtaining assistance from local regulators where
regulatory differences and gaps are exploited or arbitraged.
153. Several respondents suggested potential improvements in international cooperation (both under the
existing frameworks and through additional forms of collaboration). For example, the survey
responses underline that there might be opportunities to improve the quality of requests for
assistance and their execution under the existing frameworks and the efficiency in response times,
compatibly with the complexity of the investigations at stake. The survey responses also indicate
value in improving prompt sharing of intelligence. Some respondents also suggested that IOSCO

43

could consider encouraging further members to become signatories to the EMMoU (since ISP and
TSP subscriber records are critical in investigating cross-border online marketing and distribution
of financial services and products) and enhancing dialogue with less cooperative jurisdictions.
Some respondents indicated that it would be desirable to enhance the powers of authorities to take
appropriate actions in curbing the unauthorised or fraudulent marketing and distribution of
financial products and services through online channels. It was further noted that, to the extent
assistance can be provided in relation to new products (such as crypto-assets) or in cross-border
recovery of sanctions or when requiring undertaking of remedial/corrective actions, it would
support credible deterrence and facilitate a faster worldwide response to illegal online misconduct.
154. Furthermore, some respondents suggested enhancing current liaisons with criminal law
enforcement agencies, which often play a crucial role in enforcement actions against illegal online
activities in many IOSCO member jurisdictions, and to undertake initiatives to make ISPs and web
hosting providers more accountable in the efforts towards preventing online scams and prohibiting
anonymous website registrations.
155. Those suggestions were considered in the preparation of the Enforcement Toolkit described in
section 8.2 below.
8.2. Enforcement Toolkit
Measure 1: Proactive technology-based detection and investigatory techniques
IOSCO members could consider whether to use proactive technology-based monitoring tools and
approaches, where appropriate, to support the detection and investigation of potentially illegal
digital conduct.
156. IOSCO members are encouraged to regularly review their investigatory techniques and resources
and to retool their kits as appropriate, to facilitate detection and prosecution of illegal activity.86
This includes illegal activity conducted using digital means.
157. As a complement to other detection and investigation techniques, IOSCO members could consider
the use of technology-based investigatory tools and approaches, such as automated algorithmic
searches over the Internet and social media based on scraping software or artificial intelligence,
undercover investigations and mystery shopping. These specific tools may help minimize manual
work and foster more efficient and proactive approaches, contributing to improvement of the
overall effectiveness of members in timely detection, investigation and prosecution of illegal
digital activity.
Guidance on the application of the measure
158. Becoming promptly aware of online illegal activities and obtaining sufficient evidence on which
to ground an enforcement case can be a challenge because of the vastness and ephemeral nature of
the Internet and the constant surveillance that is necessary. Detection may be made harder by
several factors explored in section 8.1.
159. Complaints, whistleblower submissions and unsolicited assistance are and remain an indispensable
source of information to be encouraged or incentivized (including through relevant investor
education and raising awareness initiatives) as they could provide valuable information to the
authorities in order to identify potential misconduct and to minimize the harm that could have
occurred. 87 They can be supplemented by online monitoring tools, which can contribute to more
timely and effective investigations. Programs for the systematic surveillance of Internet and social
media, such as scraping tools, have proven to be a very useful practical tool, with appropriate
human resources and processes and periodic review to ensure they remain appropriate and
effective, and consistent with jurisdictions’ applicable laws. 88 Moreover, certain IOSCO members
86

See the IOSCO Report on Credible Deterrence In The Enforcement Of Securities Regulation, supra.

87

Ibid.

88

See the IOSCO Report on Securities Activities on the Internet, supra, which states that “Regulators and SROs
should strengthen surveillance of Internet activities by routinely monitoring for unauthorized or fraudulent

44

have the legal authority to conduct undercover investigations and mystery shopping to assess the
accuracy of information and gather forensic evidence in a timely fashion.89 Where appropriate and
consistent with jurisdictions’ applicable laws, IOSCO members could consider taking steps to be
able to conduct such undercover activities as part of their toolkit to be effective and dissuasive
against misconduct.
160. It is also important that IOSCO members have qualified technical personnel and adequate
resources to keep pace with technological developments. Targeted capacity building initiatives by
IOSCO and IOSCO members – such as specialized technology training, e.g., on tracing and
tracking crypto-asset transactional information – may serve to enhance the abilities of IOSCO
members to investigate and prosecute online illegal activities. Through IOSCO and a greater
engagement at the level of the Technology Applied to Securities Markets Enforcement Conference
(“TASMEC”), 90 IOSCO members could continue to share expertise and existing experience and
learn from each other about common patterns or fraudulent schemes as well as about specific
techniques and advanced technologies explored in surveillance/investigatory activities. 91 IOSCO
members could also engage with other agencies, beyond securities or other financial regulators,
that may have gained significant expertise in the development and use of digital surveillance
technologies.
Measure 2: Powers to promptly take action where websites are used to conduct illegal securities
and derivatives activity, and other powers effective in curbing online misconduct
IOSCO members could consider seeking additional powers to be more effective in promptly
curbing illegal online conduct, including the power to shut down or block access to illegal
websites, or seeking a legal order to do so, where appropriate.
161. The regulator or other competent authority could consider additional enforcement powers to be
effective against illegal activity. In particular, in order to minimize investor harm, it is important
for IOSCO members to have the legal authority, or seek a legal order, to promptly take action to
terminate access to online products/services by the public once those online products and services
are identified to be illegal, fraudulent, or unauthorised. Still, websites are moving targets, closing
and opening quickly under different names/domains to elude investigations. Therefore, it remains
key that subscriber data and certain traffic data are maintained by TSPs. ISPs and electronic
communication providers and that regulators are able to obtain and share such data in order to work
out who is actually behind the setting up of the website(s) and contribute to enhance investor
protection on a global scale.
Guidance on the application of the measure
162. Timely detection and prosecution of fraudulent online content is crucial for protecting investors
from investment scams, but as survey results indicated in section 8.1 this is extremely challenging
for IOSCO members due, among other things, to the sheer volume of content, the anonymity that
fraudsters can hide behind online and the cross-border nature of online misconduct.
activities”. The Report also states that “Regulators and SROs need to learn new methods for conducting
surveillance and must become familiar with Internet-specific methods for locating and sharing information”.
89

On the importance of the role that mystery shopping can exercise to identify mis-selling practices and improve
the effectiveness of investor protection, see for example the European Parliament Report on “Further
development of the Capital Market Union (CMU): improving access to capital market finance, in particular
by SMEs, and further enabling retail investor participation”, September 2020.

90

In recognition of the potential of technology to improve enforcement by increasing efficiency, enhancing
decision-making and deterring securities violations, IOSCO Committee 4, in collaboration with the Québec
Autorité des marchés financiers, agreed in 2017 to organize semi-annual conferences that allow regulators to
share existing data analytic practices and techniques for addressing enforcement issues.

91

In its report on Securities Activities on the Internet, supra, IOSCO recommended that “Regulators and SROs
should have staff sufficiently trained in current techniques for conducting surveillance on the Internet” and
they “should assist one another by exchanging details about techniques for monitoring Internet advertising,
offers of securities or financial services that may contain false or misleading information, and by sharing
expertise with regulators who have limited experience in this area”.
45

163. The speed at which the online environment changes makes it important that effective actions be
taken to promptly stop online illegal activities as a means by which to ensure investor protection.
164. Public warnings and cease and desist orders may be effective against a licensed entity or persons
located in the regulator’s jurisdiction, given the reputational effects and/or the ability to
meaningfully enforce the measures in its territory. For abusive activities from abroad/by foreign
entities, these measures may not be sufficient.
165. The power to shut down or otherwise block illegal websites promptly, either directly, via petition
to a court or in cooperation with another authority in the framework of appropriate cooperation
arrangements and consistent with jurisdictions’ applicable laws, may prove to be an effective
means of halting ongoing misconduct. For example, the regulator may be empowered to require
local providers of Internet connectivity, operators of other telecommunication networks and
providers of telecommunication services to promptly block access from its jurisdiction to illegal
websites, including where the website is hosted abroad, without the need to identify the persons
behind the online illegal activities first. Where shutting down, or halting access to, an illegal
website requires a petition to a court, the power of the regulator to seek emergency relief in court
or the establishment of procedures or protocols ensuring quick engagement with the court may be
critical in order to stop online misconduct effectively. IOSCO members are encouraged to be able
to take actions against illegal activity being conducted on websites at a national level. The ability
of IOSCO members to exercise this power consistently and in a coordinated manner (as discussed
under Measure 3) would be an important dissuasive element in curbing illegal online activities.
166. Even if websites are shut down, offenders may soon after open another website under a different
domain to continue to target investors in the same or in another jurisdiction. It is important that
IOSCO members have the appropriate powers to effectively identify the different entities involved
in online misconduct and the interconnections between them. Investigations may be costly and
time-consuming in light of the challenges described in Chapter 8.1. In this regard, IOSCO observes
again the relevance and effectiveness of the power to obtain and share subscriber and data traffic
records from TSPs, ISPs and electronic communication providers. An important complement could
include initiatives that require TSPs, ISPs and electronic communication providers to maintain this
type of information for a suitable period of time. 92
167. Powers to freeze assets on behalf of other IOSCO members would also be valuable to help prevent
dissipation of investor funds and bolster credible deterrence. 93
Measure 3: Increasing efficient international cooperation and liaising with criminal authorities
and other local and foreign partners
IOSCO members could consider ways to increase efficient cross-border cooperation and
collaboration in investigations and enforcement actions and enhancing liaison with criminal
authorities and other relevant local or foreign partners.
168. Enhanced cooperation among IOSCO members – which, among other things, includes timely
provision of information to each other – is a necessary prerequisite to obtain information needed to
deliver credible deterrence and preserve investor confidence as it allows IOSCO members to
overcome the tension between the territorial limits of their enforcement powers and the ubiquity

92

In the Report on Retail OTC Leveraged Products, supra, IOSCO noted that “The availability of information
from ISPs is important to enforcement actions. In order to investigate and prosecute domestic and crossborder securities violations, we recommend that regulators encourage or endeavor to ensure that ISPs
maintain subscriber data and certain traffic data”.

93

Regulators are encouraged by the Resolution on Cross-Border Cooperation to Freeze Assets Derived from
Securities and Derivatives Violations, Resolution of the IOSCO Presidents’ Committee, June 2006, to examine
the legal framework under which they operate and strive to develop, through law reform or otherwise,
mechanisms by which they or another authority within their jurisdiction could, on behalf of a foreign regulator,
freeze assets derived from suspected and established cross-border securities violations and thereby deny
wrongdoers the benefit of their ill-gotten gains.
46

of illegal online activities. 94 Increasing efficiency in cooperation among IOSCO members using
the existing mechanisms at their fullest capacities as well as through more expedited ways of
intelligence sharing and additional forms of collaboration in investigations and enforcement
actions will help to hold wrongdoers accountable for their online illegal activities. Enhanced liaison
with criminal authorities and other relevant local or foreign partners (including for instance the
financial police) would also support credible deterrence.
Guidance on the application of the measure
169. The importance of efficient and extensive international cooperation is apparent from some of the
unique features of online illegal activities being conducted across borders, such as the multijurisdictional nature of the misconduct (especially in that they are often carried out from disparate
locations or virtual offices located in less-regulated jurisdictions targeting victims around the
world), shifting the proceeds of violations abroad and wrongdoers fleeing easily to a foreign
country. In circumstances such as these, effective enforcement can be difficult to achieve when
cooperation is not available or accessible in a timely manner.
170. Although there is presently strong co-operation between many IOSCO members as facilitated by
the IOSCO MMoU and EMMoU, 95 which often prove useful in gathering material information
(especially in obtaining critical account records and mapping the flows of funds) and concluding
investigations successfully, there is opportunity to improve the ways in which IOSCO members
cooperate.
171. IOSCO members should consider adopting policies and procedures to provide for efficient crossborder cooperation. In addition, IOSCO should reiterate to its members the importance of
becoming Appendix A.1 signatories to the EMMoU, as well as the importance of an optimal
application of the principle of the fullest assistance permissible under the IOSCO MMoU, taking
into account that it is increasingly critical for IOSCO members to be able to obtain subscriber
records from TSPs, ISPs and electronic communication providers in relation to suspicious online
activity conducted from other jurisdictions.
172. More comprehensive consultations and proactive referrals under existing mechanisms to quickly
share information about multi-national digital violations are also important. Technical assistance
programs or MMoU/EMMoU guidance may serve to promote more proactive/unsolicited
assistance efforts.
173. Quality and timeliness of the information shared among IOSCO MMoU/EMMoU signatories and
the ability of the requesting authority to properly analyse the data received can be critical for the
success of investigations. In this respect proper staffing and resourcing of IOSCO members is
essential, but workshops and educational initiatives may also play a role (e.g., delivering guidance,
for example through a more detailed MMoU request template, or organizing workshops on how to
write an effective request for assistance or to foster timely responses). Exchange of information
with more efficient secured communication channels that make use of new technologies could be
explored.

94

In the IOSCO Report on Credible Deterrence In The Enforcement Of Securities Regulation, supra, IOSCO
noted that “Although there is presently strong co-operation between many securities regulators, especially as
facilitated by the IOSCO MMoU, all jurisdictions can look for additional ways to improve cooperation, and
consequently deterrence”.

95

The IOSCO MMoU, which is based on the concept of the fullest assistance permissible, was put in place with
the goal of ensuring that a cooperative mechanism exists among IOSCO members at the international level to
facilitate the detection and deterrence of cross-border misconduct. The IOSCO EMMoU provides the
framework for additional assistance to be provided to regulators in the following areas: (a) Audit work papers,
communications and other information relating to the audit or review of financial statements; (b) Subscriber
and data traffic records held or maintained by TSPs; (c) Subscriber records held or maintained by ISPs and
other electronic communication providers; (d) Recordings of telephone conversations or other electronic
communications held or maintained by regulated persons; (e) Compelling physical attendance for testimony;
and (f) Where permissible, requiring or requesting the freeze or sequestration of funds or assets located in the
requested authority’s jurisdiction or, if not, advising and providing information on how to freeze assets, at the
request of another signatory.
47

174. More practical and expedited ways of sharing intelligence bilaterally with other jurisdictions may
be developed or further strengthened, especially when information is public. For instance, the
following practical approaches could be considered, whilst preserving full confidentiality of
information exchanged:
• Increased direct contacts between investigators in requesting and requested authorities’
jurisdictions, once a formal request for assistance under the IOSCO MMoU or EMMoU has
been accepted, in the interest of saving time and effort;
• Joint or parallel investigations into online illegal activities where permissible and appropriate;
• Facilitating submission of follow-up enquiries to progress investigations once a member has
agreed to assist in the case, and
• Encouraging the establishment of cooperative relationships to enhance proactive referral
networks.
175. IOSCO could consider developing ways to: (i) maximize use of public information, including the
sharing of information from public databases by less formal means, consistent with jurisdictions’
applicable law and regulations, and within short periods of time; and (ii) leverage the use of
existing methods of sharing information and intelligence to enable sharing of enforcement-related
information on emerging digital threats, including those arising from crypto-assets.
176. Additional forms of collaboration among IOSCO members in enforcement actions could contribute
to reduce investor harm and deliver credible deterrence. In particular, new collaboration
mechanisms may be developed to help ensure that the home regulator of wrongdoers undertake
actions to stop online illegal activities (including crypto-asset related misconduct) upon request of
the foreign regulator that has ascertained a violation. This may include protocols or similar
mechanisms among IOSCO members allowing the exercise of available powers to shut down or
block access to illegal website/social media pages or issuing cease trade orders consistently and in
a coordinated manner and exploring ways to facilitate cross-border recovery of monetary
sanctions.
177. Furthermore, closer international cooperation and coordination could be important with respect to
nascent products such as crypto-assets that can raise significant risks. 96 In some cases, cryptoassets are offered as cross-border products to investors by unlicensed and/or fraudulent firms and
platforms that try to avoid being registered in any jurisdiction by exploiting cross-border gaps and
engaging in regulatory arbitrage or that register in jurisdictions that do not have robust regulations.
In these cases, IOSCO members may not have jurisdiction over the individuals/entities engaged in
the misconduct, or the products being marketed online, and/or are unable to obtain critical
information needed, such as account records, in response to a request for assistance from a foreign
regulator. Additionally, the underlying products often change and mutate faster than the
supervisory regimes can amend their regulatory remit to regulate them. Without cross-border
assistance to obtain critical account records and the ability to identify and track down potential
victims, it can be difficult to develop and bring these types of cases.
178. According to Principle 15 of the IOSCO Objectives and Principles, “the regulatory system should
allow for assistance to be provided to IOSCO members who need to make inquiries in the discharge
of their functions and exercise of their powers.” IOSCO MMoU and EMMoU signatories are
encouraged to provide as much assistance as possible in response to proper requests for assistance
in securities and derivatives investigations involving new products or services or firms that provide
new products or services. IOSCO will continue to promote closer international coordination and
cooperation to address regulatory gaps in the area of crypto-assets. 97 To the extent that enhanced
96

On risks raised by some crypto-assets, see for example the warning published by the European Supervisory
Authorities – the European Banking Authority (EBA), the European Insurance and Occupational
Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA) – on March 17,
2022: EU financial regulators warn consumers on the risks of crypto-assets. On the need for closer
international cooperation and coordination in relation to crypto-assets, see also International Monetary Fund,
Regulation of Crypto-assets, Fintech Note 3/2019.

97

In the Report on Investor Education on Crypto-Assets, supra, IOSCO underlined that “Due to the global spread
of interest in crypto-assets, internationally coordinated responses in certain areas, such as enforcement and

48

assistance could be provided on such matters, it may facilitate a faster worldwide response to
crypto-assets-related risks, including the risk of online mis-selling and fraud, and support credible
deterrence.
179. Furthermore, IOSCO members could consider creating/enhancing existing efforts to liaise with
criminal authorities and other law enforcement agencies. 98 This may include for example:
• Streamlined procedures to seek court approval with the necessary urgency when the regulator
has to rely on the criminal authority to exercise some of its powers, such as the power to shut
down or block access to illegal websites; and
• Cooperation arrangements facilitating the process for referring information on potential digital
violations.
Measure 4: Promoting enhanced understanding and efforts by, and collaboration with, providers
of electronic intermediary services with regards to digital illegal activities
IOSCO members could consider initiatives, individually and collectively through IOSCO, to
foster more meaningful understanding and efforts by, and collaboration with, providers of
electronic intermediary services in curbing digital illegal activities and anonymous website
registration, helping to enhance investor protection in the online environment.
180. IOSCO members, individually and collectively, could encourage efforts by providers of electronic
intermediary services, such as hosting services and ISPs, web hosting providers, domain registrars,
social media platforms, online advertising facilitators and other electronic communication
providers, to identify bad actors and to prevent, detect and tackle online illegal activities to help
enhance investor protection in the borderless online environment.
Guidance on the application of the measure
181. ISPs, hosting service providers, domain registrars, social media platforms, online advertising
facilitators and other electronic intermediary service providers can play a part in fostering an online
environment that is a safe and trusted place for cross-border distribution of financial services and
products to retail investors. 99

investor protection, may help provide clarity to businesses and investors. International coordination may limit
jurisdictional arbitrage and facilitate innovation in blockchain and crypto-asset technologies, while allowing
regulators to monitor developments to ensure fair and efficient markets, financial stability, and the protection
of investors”.
98

In the IOSCO Report on Credible Deterrence In The Enforcement Of Securities Regulation, supra, IOSCO
noted that “Potential wrongdoers may be deterred from engaging in misconduct when they know that securities
regulators are working with criminal authorities and other domestic, national and international agencies to
strengthen their detection, investigation, prosecution and sanctioning capabilities”. See also the Report on
Retail OTC Leveraged Products, supra.

99

The issue of electronic intermediary service providers’ accountability and transparency is increasingly
deserving attention at an international level. Several jurisdictions are introducing or considering introducing
diligence requirements for providers of electronic intermediary services, adapted to the type and nature of the
intermediary service concerned. For example, in the EU, following the political agreement reached on April
2022 between the European Parliament and the Council on the proposed Regulation on a Single Market for
Digital Services (Digital Services Act), a new framework is being established which defines clear
responsibilities and accountability for providers of intermediary services regarding illegal and harmful content,
and in particular online platforms, such as social media and marketplaces, by setting out clear due-diligence
obligations, including notice-and-action procedures for illegal content and an obligation for certain online
platforms to receive, store and partially verify and publish information on traders using their services. The EU
political agreement is now subject to formal approval by the co-legislators. Once adopted, the Digital Services
Act will be directly applicable across the EU. In the UK, since the end of the Brexit Implementation Period
on December 31, 2020, an exemption to the financial promotion restriction which could be used by online
platforms (specifically, the general exemption for electronic communications made from an establishment in
an EEA state other than the UK) has fallen away. As a result, the FCA has been looking at the operations of
the major online platforms to determine whether they are now subject to the restriction and, if so, whether they
are compliant. Where they are not, the FCA will take action to ensure consumers are protected.
49

182. IOSCO members are encouraged to renew efforts to achieve this measure. 100 In particular, IOSCO
members, individually and collectively, could undertake further initiatives in relation to providers
of electronic intermediary services with a view to:

a. Educating providers of electronic intermediary services on how they can help to more effectively
tackle online illegal activities worldwide and emphasizing that regulatory frameworks could set
out incentives to this purpose (which may include, where appropriate, proportionate due
diligence requirements on providers of electronic intermediary services and clear rules, subject
to conditional exemptions, for their liability with regard to the third-party information they
transmit or store) to better protect investors worldwide;

b. Encouraging providers of electronic intermediary services to no longer accept anonymous users

of Internet services carrying out financial activities, as a way to deter online illegal activities and
help IOSCO members to deliver credible deterrence and enhance investor protection globally.
Efforts to tackle online misconduct could also include encouraging electronic service providers
to obtain, and store for a reasonable period of time, certain essential information from
subscribers that use them to distribute financial services or products, making such information
accessible to IOSCO members to facilitate investigations of suspected illegal activities.
Similarly, it is important for TSPs, ISPs and other electronic communication providers to hold
subscriber and data traffic records for a reasonable period of time consistently with applicable
data protection legislation. Consistent with their jurisdiction’s applicable laws, IOSCO members
might also consider encouraging online advertising facilitators not to enable financial services
advertisers to promote financial services unless they demonstrate that they are authorized to
carry out such services;

c. Streamlining exchanges of necessary information from providers of electronic intermediary

services to IOSCO members, including through: (i) timely responses to regulators’ information
requests (such as for instance those intended to obtain subscriber and data traffic records from
TSPs, ISPs and other electronic communication providers, or information about persons behind
illegal distributions of financial services or products from hosting service providers); (ii) prompt
notification to the regulator of suspicions of illegal distributions of financial services and
products, providing all relevant available information;

d. Encouraging providers of electronic intermediary services to act expeditiously to identify the

actors and remove or disable access to information relating to illegal distributions of financial
services and products upon obtaining actual knowledge or awareness of such illegal content (for
instance through investigations on their own initiative or following receipt of a notice) and in
any case whenever a court, regulator or law enforcement authority requires such removal or
disablement. Providers could set-up appropriate mechanisms to receive notice of illegal
activities. Online platforms could publish aggregated information of such removal/disablement
actions and suspend, for a reasonable period of time, provision of services to firms that
frequently provide manifestly illegal content relating to the distribution of financial services or
products online. This would show credible engagement by online platforms to support members’
effort to deliver deterrence and investor protection; and

e. Encouraging search engines and social media websites to put warnings and measures issued by
IOSCO members against illegal distributions of investment services and products (including
orders to shut down or block access to illegal websites) in a prominent location on the user’s
screen.

183. IOSCO members could share with each other experiences and good practices regarding
interactions with providers of electronic intermediary services and facilitate knowledge of
developments in this area, including with regard to their respective regulatory frameworks.
100

In the Report on Retail OTC Leveraged Products, supra, IOSCO encouraged IOSCO members to reach out to
mobile application providers, advertising facilitators and other relevant stakeholders to raise awareness of
illegal activities related to OTC leveraged products. The said Report presented examples of IOSCO members
that have raised awareness about binary options fraud and unlicensed firms offering binary options to retail
investors among mobile application stores and noted that this engagement has resulted in certain app stores
preventing unauthorized firms from offering binary options apps through their sites.
50

184. These initiatives could contribute to reduce the extent to which electronic intermediary services
are used to conduct illegal activities, thus increasing trust in the distribution of financial services
and products in the online world.
Measure 5: Additional efforts to address regulatory and supervisory arbitrage
IOSCO members could consider additional efforts to address regulatory and supervisory
arbitrage in the interest of facilitating international enforcement cooperation and enhancing
investor protection on a global scale.
185. Regulatory and supervisory arbitrage remains a significant source of harm to society as a whole
and diminishes the effectiveness of members’ enforcement actions. This is an issue of particular
relevance in the context of online marketing and digitalisation, as perpetrators of online illegal
activities tend to take advantage of regulatory gaps and differences through scams or shell
companies deliberately located in less-regulated jurisdictions. In such cases, IOSCO members may
not have jurisdiction over the individuals/entities engaged in the misconduct, or the products being
marketed online, and/or are unable to obtain critical information needed in response to a request
for assistance from a foreign regulator. Continuous efforts by IOSCO to promote regulatory and
supervisory efforts through initiatives targeted to jurisdictions more systematically involved in
illegal online activities is important to effectively deter and tackle online illegal activities and to
protect investors around the world.
Guidance on the application of the measure
186. IOSCO members may experience significant investigatory and enforcement challenges associated
with regulatory arbitrage in cases of illegal online misconduct. In some cases, requested IOSCO
members may not have the authority, or may not exercise their authority, to require entities situated
in their jurisdiction to be registered and supervised or to comply with appropriate record-keeping
requirements. In other cases, requested IOSCO members may lack the ability to obtain certain
types of information relating to emerging types of misconduct or products (including crypto-assets)
as they do not fall within their regulatory remit. Offenders may be able to make use of these
regulatory differences to escape enforcement action.
187. IOSCO members could consider the nature of emerging types of products, such as crypto-assets,
and determine whether they come within their regulatory framework. Regulation of these products
may be tailored to jurisdiction-specific features. Nevertheless, it is important for a regulator to
provide cooperation to a counterpart who has jurisdiction over such products and is seeking
assistance in investigating misconduct related to such products. International cooperation can help
reduce excessive risks of investor losses and potential damage to trust in the financial sector at a
global scale.
188. Outreach to non-cooperative jurisdictions (including through technical assistance programs) in
order to raise standards and to encourage authorities to more vigorously enforce their securities
laws, to seek IOSCO membership and to sign the MMoU/EMMoU is of paramount importance.
Dialogue has proven to be effective in the past when IOSCO addressed issues with jurisdictions
that were identified as having issues with cooperation. A similar exercise could be continued
towards jurisdictions most systemically burdened with online illegal activities to try to remedy
issues bilaterally with them through IOSCO.
189. IOSCO members can play a role in helping to ensure that differences in regulatory approaches and
enforcement policies of jurisdictions in respect of new products, including crypto-assets, does not
create a leeway for fraudulent/unauthorised online schemes to thrive, while supporting healthy
innovation and contributing to build trust in such products.

51

Chapter 9 – Conclusion
190. Various technological advancements are enhancing retail investors’ access to financial products
and services. These developments bring an increasing number of retail investors to capital markets
through online offerings and, in some cases, on a cross-border basis. Recent developments related
to online marketing and distribution, new online targeting techniques and the application of
behavioural knowledge, accompanied by increased retail participation, have resulted in an
escalation of innovative, but at times also harmful or even fraudulent online activity.
191. This Final Report largely draws on IOSCO members’ experiences and practices and aims to help
IOSCO members in providing protection for retail investors against harmful and fraudulent online
activity, to reduce supervisory and regulatory arbitrage and foster credible deterrence.
192. Some IOSCO members have expressed concern about the suitability of certain riskier products and
crypto-assets for retail investors, as well as the risk of fraudulent offerings via online platforms
and mobile tools. Furthermore, the exponential growth in the use of social media in online
marketing and distribution increasingly influences retail decisions, whereby retail investors are
closely monitoring social media activity and sharing investment tips and seeking information from
a wide variety of sources. This can also include the activities of influencers, who often give
financial advice without the required license. Social media in certain cases may promote scams.
Similarly, various digital apps and online trading platforms are using “gamification” techniques
and may exploit behavioural biases to influence retail trading behaviour. Hence, the responsible
use of social media in financial offerings increasingly becomes a regulatory concern.
193. This Final Report is an outcome of IOSCO efforts to address regulatory concerns and provide
policy and enforcement measures relating to digital trends to promote a high level of investor
protection. The overarching objective of this report is to identify and promote possible regulatory
and enforcement approaches that enhance the protection of retail investors who are increasingly
the recipients of online offerings and marketing techniques. It provides a variety of measures that
IOSCO members are encouraged to consider when determining their approach to online offerings
and marketing. It also proposes useful guidance on enforcement measures IOSCO members are
encouraged to use. Such measures could help IOSCO members in addressing fraudulent online
activity, leveraging innovative powers and technology-based detection and investigatory
techniques, as well as enhancing collaboration with other IOSCO members, criminal authorities,
other foreign and domestic authorities, and providers of electronic intermediary services.
194. Developments in online marketing and distribution, including via social media, will continue to
evolve rapidly. As products and services and potential harm to investors can propagate quickly in
the online environment, IOSCO members need to keep pace with such propagation and position
themselves to be able to monitor such developments. Therefore, IOSCO members should continue
to observe and consider changes in their respective markets and on a cross-border basis. IOSCO
will also continue to monitor the issues associated with online marketing and distribution of
services and products, with a view to ensuring that the considerations highlighted in the Final
Report remain relevant and appropriate.

52

ANNEX 1 – Glossary
1st party data
Data collected and owned by the company itself. For example, website data, mobile application data,
and CRM data.
2nd party data
Data collected as a result of corporate cooperation. This includes online campaign data and customer
journey data.
3rd party data
Data delivered by data providers, which is available on the market for purchase.
A/B testing
A/B testing is a way to test out changes in online marketing design or content. The test is between two
subjects, A and B. One is the original design (the control) and the other is the altered design (the
treatment).
Marketing affiliate
An affiliate marketing agency is an organization that facilitates some forms of online marketing by
matching merchants with marketers who promote products to consumers on social media, on
websites, and through email.
App store or app marketplace
An app store (or app marketplace) is a type of digital distribution platform for computer software
called applications, often in a mobile context. Applications or apps provide a specific set of functions
which, by definition, do not include the running of the computer itself.
Banner
Banner advertising refers to the use of a graphic that stretches across the website or online media
property. Banner advertising promotes a brand and/or gets visitors to visit the advertiser’s website.
BigTech
The largest and the most dominant companies in the IT industry of the US, namely the big 5
(Amazon, Apple, Facebook, Google and Microsoft).
Bulk targeting
Bulk targeting is sending the same e-mail campaign to people in the same geographic location in a
bulk without customizing.
Chat tool
A chat tool is an online interactive tool for communication between two or more people on the web.
One can talk in real time with other people in a chat room, typically by typing, though voice chat is
available.
Choice architecture
Choice architecture is the different ways in which choice can be presented to consumers. The way the
choice is presented, thus changes consumer choice.
Complex/non-complex instruments e.g., such as used in MiFID II – Source: Markets in
Financial Instruments Directive II (MiFID II)
Complex financial instruments require that you have both the knowledge and experience to
understand the risks. Examples of complex financial instruments include warrants and derivatives. To
understand the risks of these financial instruments, you must have both knowledge and experience of
the characteristics of the instrument, such as its complexity, technical structure and financial risks.

53

Cross-selling
The practice of selling additional products/services to existing customers.
Customer
Customers are individuals acting for personal, domestic or household purposes, not business or
professional purposes.
Customer journey
The customer journey is the complete sum of experiences that customers go through when interacting
with a company and/or brand through different channels and media.
Data aggregator
Compiling of information from databases with intent to prepare combined datasets for data
processing.
Desktop marketing
Desktop marketing is a type of marketing that utilizes internet and online based digital techniques
such as desktop computers and other digital media platforms to promote goods and services.
Digital channel
A digital channel is any online, mobile or other technological means through which a customer can
obtain and manage a financial product or service.
Display marketing
Digital display marketing allows businesses to place advertisements (banners) on websites, in apps,
and on other online platforms either directly or via ad networks.
Email advertising
A type of digital marketing tool wherein the customer receives promotional ads via email.
Feedback loops
A feedback loop is the part of a system in which some portion (or all) of the system’s output is used as
input for future operations. Feedback loops can be either negative or positive.
Foot-in-the-door
The “foot-in-the-door” technique is based on the idea of getting people to agree to a larger request later
by agreeing to a small request first, while they might not accept that large request if being asked outright.
In the days of door-to-door sales, if a salesperson got his foot between the doorframe and the door, then
the potential customer could not slam the door in his face.
Influencer marketing
Influencer marketing is (mostly) online video ads by a famous person with a substantial number of
online followers on social media.
Information technology filter
An information technology filter, also known as an IT-filter, program or section of information
technology code that is designed to examine each input or output request for certain qualifying criteria
and then process or forward it accordingly.
Interactive Content
Interactive content is a technique to engage the audience with the content, rather than just passively
reading, or watching content.
Lookalike Audience
Lookalike audience is a Facebook segmentation tool where a firm uses segmentation based on its
current customer base and its customers’ demographic data. It creates a way to reach new people who

54

are likely to be interested in a particular business because they have similar tastes to some pre-existing
customers.
Mystery shopping
Mystery shopping refers to test purchases of financial services or products. The assessment of
behaviour of participants when conducting test purchases of financial services or products shall be
understood as a set of actions designed to achieve the objectives stated in the national regulation
aiming at determining how financial services or products are offered or provided by the supervised
financial market participants or other persons.
Nudging
Nudging is any aspect of the choice architecture that alters people’s behavior in a predictable way
without forbidding any options or significantly changing their economic incentives.
Onboarding
Onboarding is the process of going through procedures to effectively familiarize a new customer with
one’s product or service.
Online marketing
Online marketing is the practice of leveraging web-based channels to spread a message about a
company’s brand, products, or services to its potential customers. The methods and techniques used
for online marketing include email, social media, display advertising, search engine optimization,
search engine advertising and more.
Online targeting
Online targeting is a method for targeting digital advertising impressions to appear to a select
audience of consumers based on their prior actions, those actions occurring either online or offline;
also called behavioural targeting.
Outsourcing
A business practice in which a regulated entity uses a service provider to perform tasks, functions,
processes, services or activities (collectively, “tasks”) that would otherwise be undertaken by the
regulated entity itself. The concepts and terms with relation to outsourcing are defined in the IOSCO
Principles on Outsourcing. 101
Pay-per-click advertising
An example of an internet advertising model wherein the advertiser pays the publisher when someone
clicks on the ad.
Personalisation
In the context of this survey, personalization is online targeting on an individual level.
Pool selling
The selling or distribution of chances in a betting pool.
Product Governance and Oversight e.g., such as used in MiFID II – Source: Markets in
Financial Instruments Directive II (MiFID II)
Product oversight and governance: the responsibilities of manufacturers in organising processes,
functions and strategies aimed at designing, operating and bringing products to market, and reviewing
them over the life of the product.
Programmatic Advertising
The use of buying digital advertising software where machines and algorithms purchase display
space.

101

See footnote 33.
55

Ranking possibilities
Possibilities to position marketing material of other information on a product or service in a hierarchy
or scale.
Retargeting – Source: IAB
The use of a pixel tag or other code to enable a third-party to recognize particular users outside of the
domain from which the activity was collected. It enables advertisers to show an ad specifically to
visitors that previously were exposed to or interacted with the advertisers’ creative (outings).
Search Engine Advertising (SEA)
Advertisements made within the sponsored listings of a search engine.
Segmentation
Segmentation is the process of dividing a market of potential customers into groups, or segments,
based on different characteristics. The segments created are composed of consumers who will respond
similarly to marketing strategies and who share traits such as similar interests, needs, or locations.
Search Engine Optimization (SEO)
The process of improving the volume and quality of traffic to a website from search engines via
search results.
Shoppable
A transaction that occurs directly within the social media post.
Shoppable quizzes
Shoppable quizzes are a type of personalized marketing technique which creates a series of questions
for the consumers to answer about their preferences (such as BuzzFeed quizzes).
Social media
Social media are forms of electronic communication (such as websites for social networking and
microblogging) through which users create online communities to share information, ideas, personal
messages, and other content (such as videos).
Social media influencer ads
Social media influencer ads are user-generated ads or endorsements from social media users that have
a large social media following and hence can “influence” customer trends.
Social Proof
It describes a psychological and social phenomenon wherein people copy the actions of others in an
attempt to undertake behaviour in a given situation.
Super Apps
A “SuperApp” is a cross-selling tool as an application which has numerous in-built functions for a
wide range of services, which may include both financial and non-financial services. The app is a onestop market where different apps are encompassed in one platform.
Target audience
A target audience is the intended audience for an ad, usually defined in terms of specific
demographics (age, sex, income, etc.), product purchase behaviour, product usage or media usage.
Voice marketing
Voice marketing is a process through which firms reach their customers via live or recorded audio
content.
Voice search engine optimisation
The process of optimizing your pages to appear in voice searches.

56

Web scraping
Extracting and copying data from a web page to a structured format using computer programs.
Whistleblower
Individuals who provide, information relating to a potential violation of securities laws to the
regulator in a manner established, by rule or regulation.

57

ANNEX 2 – List of regulators that contributed to the IOSCO Committee 3 survey
Regulator

Jurisdiction

Financial Services Regulatory Authority

Abu Dhabi

Australian Securities and Investments Commission

Australia

Investment Industry Regulatory Organization (IIROC)

Canada

Autorité Des Marchés Financiers (AMF Québec)

Canada

China Securities Regulatory Commission

China

Financial Supervisory Commission

Taiwan

Federal Financial Supervisory Authority (BaFin)

Germany

Securities and Futures Commission

Hong Kong

Israel Securities Authority

Israel

Commissione Nazionale per le Società e la Borsa (CONSOB)

Italy

Financial Services Agency

Japan

Securities and Exchange Commission

Nigeria

The Dutch Authority for the Financial Markets (AFM)

Netherlands

Polish Financial Supervision Authority

Poland

The Bank of Russia

Russia

Capital Market Authority

Saudi Arabia

Monetary Authority of Singapore (MAS)

Singapore

National Securities Market Commission (CNMV)

Spain

Swiss Financial Market Supervisory Authority

Switzerland

Capital Markets Board

Turkey

Financial Conduct Authority (FCA)

United Kingdom

Securities and Exchange Commission (SEC)

United States of America

Financial Industry Regulatory Authority (FINRA)

United States of America

Commodity Futures Trading Commission (CFTC)

United States of America

National Futures Association (NFA)

United States of America

58

ANNEX 3 – List of regulators that contributed to the IOSCO Committee 4 survey
Regulator

Jurisdiction

Comisión Nacional de Valores (CNV)

Argentina

Comissão de Valores Mobiliários (CVM)

Brazil

British Columbia Securities Commission (BCSC)

British Columbia, Canada

Ontario Securities Commission (OSC)

Ontario, Canada

Dubai Financial Services Authority (DFSA)

Dubai

The Autorité des marchés financiers (AMF)

France

Federal Financial Supervisory Authority (BaFin)

Germany

Hellenic Capital Market Commission (HCMC)

Greece

Securities and Futures Commission (SFC)

Hong Kong

Israel Securities Authority (ISA)

Israel

Commissione Nazionale per le Società e la Borsa (CONSOB)

Italy

Financial Services Agency (FSA)

Japan

Comisión Nacional Bancaria y de Valores (CNBV)

Mexico

Authority for the Financial Markets (AFM)

Netherlands

Securities and Exchange Commission (SEC)

Nigeria

Financial Supervision Commission (KNF)

Poland

Portuguese Securities Market Commission (CMVM)

Portugal

Autorité des marchés financiers (AMF)

Quebec

Comisión Nacional del Mercado de Valores (CNMV)

Spain

Financial Sector Conduct Authority (FSCA)

South Africa

Swiss Financial Market Supervisory Authority (FINMA)

Switzerland

Capital Markets Board of Turkey (CMB)

Turkey

Financial Conduct Authority (FCA)

United Kingdom

Commodity Futures Trading Commission (CFTC)

United States of America

Securities and Exchange Commission (SEC)

United States of America

59

ANNEX 4 – CHARTS
Regional Breakdown of Participating Firms to the Committee 3 survey

Classification of Participating Firms to the Committee 3 survey

Classification of Firms
1

Insurance Brokerage/Intermediation

2

Investment Advice

3

Other

7

Banking Services

8

Retail OTC Leveraged Products Trading

10

Financial Company

22

Asset Management and Fund Distribution

37

Brokerage Services
0

5

60

10

15

20

25

30

35

40

ANNEX 5 – Respondent IOSCO members’ approach to product governance
The below findings demonstrate the different approaches to product governance across different regions.
The table provides an overview on to what extent firms have developed internal rules, policies or
guidance applicable to product governance and target groups:
• Question 2a: Have you developed internal rules, policies or guidance relating specifically to
marketing through digital channels?
• Question 2b: If yes, are the rules, policies and guidance specific to investment products and services
offered online?
• Question 3: In your jurisdiction, are you familiar with product governance and oversight principles,
as for example used under MiFID II?
Question

2a

2b

3

Yes

No*

No

Yes

No

Yes

No

Total

67%

21%

12%

80%

20%

63%

37%

Europe

73%

23%

4%

83%

17%

92%

8%

Asia

77%

23%

0%

88%

12%

73%

27%

Mid-East

60%

40%

0%

60%

40%

40%

60%

Africa

67%

7%

27%

80%

20%

29%

71%

America

53%

16%

32%

70%

30%

47%

53%

61

ANNEX 6 – FEEDBACK STATEMENT
Feedback to the Consultation Report was submitted by twelve respondents.
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.

Association of the Luxembourg Fund Industry (ALFI)
CFA Institute
Comisión del Mercado Financiero (CMF Chile)
European Investors-VEB
Euronext
Fair Canada
Financial Planning Standards Board Ltd. (FPSB)
Institute of International Finance (IIF)
Japan Securities Dealers Association (JSDA)
Spanish CNMV Advisory Committee
SEC Thailand
World Federation of Exchanges

IOSCO is thankful for the responses received and has taken them into consideration when preparing
this Final Report. This Annex summarises the feedback received in response to the consultation
questions. 102
Overall, respondents welcomed IOSCO’s role in promoting international cooperative efforts to preserve
trust and confidence in financial markets and high investor protection in the rapidly evolving online and
social media investing landscape. Respondents were broadly in agreement with the Policy and
Enforcement Toolkits proposed by IOSCO, although some of them suggested improvements on
individual policy measures or on the underlying text explaining how measures could be practically
implemented, as described below.
Proposed Policy Toolkit as set out in the Consultation Report.
Measure 1: Firm level rules for online marketing and distribution
IOSCO members should consider requiring that firms have proper internal rules, policies,
processes and tools for their online marketing and distribution, and review them on a regular
basis. This should include that any use by firms of targeting, behavioural techniques and
gamification elements should be done in a way that ensures fair treatment of financial
consumers and aims to avoid potential financial consumer harm.
Respondents generally support the internal rules proposal. CNMV and IIF underline the importance
of level playing field among financial and non-financial entities engaging in marketing activities.
Further, IIF and Fair Canada highlight the option of increasing the scope of supervision for
marketing. Another proposal on equal treatment concerns the notion of “same business, same risk,
same rules” for alike financial products advertised, as supported by ALFI. Also, one respondent
proposed a product extension on the basis of information that is being advertised (FPSB).
IOSCO’s response: The supportive feedback received does not require any revision to the proposed
measure.
Measure 2: Firm level rules for online onboarding
IOSCO members should consider requiring that firms apply appropriate filtering
mechanisms, policies and procedures for financial consumer onboarding in line with the laws
and regulations of the firms’ jurisdiction, the financial consumers’ jurisdiction, and the

102
The Consultation Report asked the following consultation question: “Do market participant agree that the
proposed measures included in the policy and enforcement toolkits are appropriate for addressing the specific
risks arising from “retail marketing and distribution”? Are there any areas that are missing and/or merit IOSCO
consideration?”

62

jurisdiction where the products or services are being marketed or distributed. During the
onboarding process, the information provided should be clear, fair and non-misleading.
There is broad consensus on the measure. Proposals for additions range from provision of
information on renumeration, fees, and KYC (FPSB, SEC Thailand) to extending the focus of
onboarding regulation to outsourcing services (ALFI). Other factors to consider according to the
responses are consideration of the way of interactions requiring human contact, instead of solely
automated systems (CFA Institute), as well as taking into account the different jurisdictional
approaches (CMNV).
IOSCO’s response: IOSCO notes the useful feedback and suggestions, however thinks the proposals
do not merit a change in the proposed measure.
Measure 3: Responsibility for online marketing
IOSCO members should require, subject to a jurisdiction’s laws and regulations, that
management assumes responsibility for the accuracy of the information provided to potential
investors on behalf of the firm, including those provided via various social media channels,
including influencers, and the timely disclosure of necessary information regarding potential
risks and conflicts of interest to avoid potential financial consumer harm.
While there is general support for the measure, some responses raised particular caveats. CFA
Institute, CNMV, IIF, and SEC Thailand gave full support for the measure. Within this group,
CNMV and IIF highlight their preference for a principle-based approach to accompany the regional
and jurisdictional differences. Moreover, ALFI and VEB favor imposition of responsibility only for
what is under the firm’s control, such as the acts of contracted distributors, but prefer to leave out
others, for example influencers, in case they act independently.
IOSCO’s response: IOSCO notes the useful feedback and suggestions, however the proposals do
not merit a change in the proposed measure
Measure 4: Capacity for surveillance and supervision of online marketing and distribution
IOSCO members should consider whether they have the necessary powers and have adequate
supervisory capacity to oversee an increasing volume of online marketing and distribution
activity. IOSCO members should also consider ways to develop appropriate monitoring
programs for the surveillance of online marketing and distribution activities, including on
social media.
Within the context of domestic legal frameworks, considerations for enhancing surveillance
and supervisory capacity could include:
– the power to request access to content to detect illegal or misleading promotions;
– having regulatory channels in place to report consumer complaints for misleading and illegal
promotions; and
– suitable evidence tracking processes in place to cope with the fast pace and changing nature
of online information.
IOSCO members are encouraged to share experiences and good practices with each other
regarding supervision and surveillance of online marketing and distribution.
Responses are generally positive on the measure. Feedback from CMNV, IIF, and SEC Thailand
were very positive. CMNV as well as SEC Thailand have noted positive experience in surveillance
and monitoring. Responses from VEB, JSDA, and Euronext flagged the difficulties in monitoring
and surveillance. The responses note the difficulty in monitoring the size of online data, the speed of
its generation and record keeping challenges for reporting entities. CMNV also flags the importance
of cooperation among regulatory authorities and with other public authorities, as well as private
sector entities.
IOSCO’s response: IOSCO notes the useful feedback and suggestions, however the proposals do
not merit a change in the proposed measure.

63

Measure 5: Staff qualification and/or licensing requirements for online marketing
IOSCO members should consider requiring that firms assess the necessary qualifications for
digital marketing staff. IOSCO members may also consider requiring firms to have specific
staff qualification and/or licensing requirements for online marketing staff, similar to licensing
requirements for sales staff, if such regulatory requirements do not already exist or apply to
online marketing staff.
Overall, most responses favor qualification requirements for salespeople for financial products. The
main message of several responses focusses on the similarity between traditional marketing and
online marketing. CMNV and SEC Thailand do not favor the inclusion of any specific rules for
online marketing staff due to their existing principle based rules on marketing. ALFI and IIF do not
favor the measure as it would put stricter requirements on education of marketing staff as compared
with marketing practices in other industries. On technical issues, JSDA underlined their preferred
focus of regulation on people that actually interact with customers, whereas, FPSB pointed out to the
necessity of interaction with a human even when investing in a gamified environment.
IOSCO’s response: IOSCO notes the useful feedback and suggestions, however the proposals do
not merit a change in the proposed measure
Measure 6: Ensuring compliance with third country regulations
Where firms may have clients from jurisdictions other than where they hold a license, the
firm’s home regulator should consider requiring their domestic firms to have adequate policies
and procedures for onboarding these clients. For example, IOSCO members could require
firms to undertake due diligence to determine whether they are required to hold a license in a
prospective client’s home country and/or whether other regulatory obligations apply, and to
retain records of such due diligence.
Overall, there is strong support for the measure. CMF Chile, CNMV, ALFI, and SEC Thailand
completely agree with the measure. Moreover, the European respondents CMNV and ALFI point out
that the existing ESMA regulation covers third country interaction within the EU. IIF perceives
existing cross-border regulation as sufficient, however support additional measures to enhance
supervision, such as AI and SupTech applications.
IOSCO’s response: IOSCO notes the useful feedback and suggestions, however the proposals do
not merit a change in the proposed measure
Measure 7: Clarity about legal entities using internet domains
IOSCO members should consider requiring firms, when they offer products through multiple
internet domains, to adopt policies and procedures requiring clear, fair and not misleading
disclosure about who the underlying legal entity is offering the product and under what license
(and from which jurisdiction). This disclosure should also cover the scope and limitation of
services. IOSCO members should also consider prohibiting firms from redirecting clients to a
third country website to avoid the regulatory requirements in a jurisdiction.
Additionally, IOSCO members may wish to consider keeping an open register which could
enable the public to check and confirm whether a website belongs to a firm authorised to
provide services in the jurisdiction and under the law.
Responses unanimously agree with the measure on adopting policies for entities interacting with
clients from third countries. According to ALFI, redirecting clients to third countries for regulatory
circumvention is not relevant in the case of Europe because of the detailed regulation on marketing
communications, whose application is specified in the ESMA guidelines on marketing
communications. However, there are mixed opinions on the complete prohibition of redirecting
clients to third country websites. While CMNV would favor this measure only as a last resort, if the
circumvention of the regulation is the motivation of the firm, IIF voices concerns for competitive
disadvantages for regulated entities that would fall under this regulation. Further ALFI raises
concerns about the operational viability of a register for authorized firm’s websites.

64

IOSCO’s response: IOSCO notes the useful feedback and suggestions, however the proposals do
not merit a change in the proposed measure
Proposed Enforcement Toolkit as set out in the Consultation Report.
Measure 1 – Proactive technology-based detection and investigatory techniques
IOSCO members could consider whether to use proactive technology-based monitoring tools
and approaches, where appropriate, to support the detection and investigation of potentially
illegal digital conduct.
Respondents (Spanish CNMV Advisory Committee, World Federation of Exchanges, CFA Institute,
SEC Thailand, IFF) agree that strong surveillance systems that generate timely alerts and warnings
can play an important role in protecting investors from digital misconduct. ALFI pointed out that
technology driven solutions may offer valuable capabilities in the treatment and screening of large
amount of data/information, but an effective and efficient detection program would not
underestimate the human resources and processes associated with the use of technology and would
include periodic review of the effectiveness and adequacy of the tools, given that both the threats
(fraudulent technics) and opportunities (detection technics) are fast evolving. ALFI also noted that a
holistic digital threats detection and investigation program across different agencies (beyond
securities regulators) would allow for important experience sharing, economies of scale and would
shorten the time to implementation/update of the tools.
IOSCO’s response: IOSCO notes the useful feedback and suggestions, however the proposals do
not merit a change in the proposed measure. We have made some refinements in the measure’s
underlying text.
Measure 2 – Powers to promptly take action where websites are used to conduct illegal
securities and derivatives activity, and other powers effective in curbing online misconduct
IOSCO members could consider seeking additional powers to be more effective in promptly
curbing illegal online conduct, including the power to shut down or block access to illegal
websites, or seeking a legal order to do so, where appropriate.
Respondents were generally supportive of the measure. In particular, Spanish CNMV Advisory
Committee stressed that regulation must ensure the power to shut down or block access to illegal
websites by the internet services providers (ISPs), or the faculty to seek a legal order to do so.
CMF Chile suggested IOSCO could also mention that, in the event that these additional powers to
take actions should be performed by another organization, IOSCO members could establish
mechanisms to request support from competent organizations to curb online misconduct.
Spanish CNMV Advisory Committee and IFF also emphasised that regulators and supervisors should
strengthen their links with ISPs with the aim that such powers/faculties could be promptly and
effectively exercised.
Few respondents (ALFI, IFF) expressed some cautions regarding the implementation of the proposed
measure. In particular, ALFI, whilst acknowledging that the power to take action, as indicated in the
proposed measure, may support the mitigation of the risks associated with fraudulent activities,
underlined practical aspects that may be relevant to consider in light of implementation, such as (i)
the challenges to effective action in a cross border context with jurisdictions (potentially even not
represented by IOSCO members) with significantly diverging framework and granted power; (ii) the
need to avoid redundancy or contradictions with existing frameworks to which Internet Service
Providers – playing a role in the “blocking” of a website – are also subject; (iii) the significant time
that the process of blocking access (at the domain name or routine level) may take to adequately
balance freedom of speech and investor protection, which may impact on the timeliness of the
measure and potentially on its effectiveness.
IFF mentioned that, in the case of fake accounts impersonating regulated market participants, or
accounts otherwise engaging in illegal conduct (such as unlicensed advice), the power to remove a
fake or illegal account lies with the social media platform, not the financial service provider.
Regulators should develop strong links with “Bigtech” platforms such that any legal powers may be
promptly and effectively exercised. Such powers should be designed to avoid unintended
consequences. The target needs to be the platforms not the regulated firm that is being impersonated.
65

Such powers should not, de facto, give power to the regulator to override existing exemptions and
exclusions (for example, for cross-border business) from the scope of regulation.
IOSCO’s response: IOSCO notes the useful feedback and suggestions, however the proposals do
not merit a change in the proposed measure. We have made some refinements in the measure’s
underlying text.
Measure 3 – Increasing efficient international cooperation and liaising with criminal
authorities and other local and foreign partners
IOSCO members could consider ways to increase efficient cross-border cooperation and
collaboration in investigations and enforcement actions and enhancing liaison with criminal
authorities and other relevant local or foreign partners.
Respondents generally agreed with the proposed measure, given the cross-border nature of the online
marketing and distribution of financial services and products. CFA Institute pointed out that better
coordination and cooperation between different regulators could be in the form of joint task forces
for monitoring and reporting unusual activities and using automated technology to scrape data from
the internet and popular social media platforms.
IOSCO’s response: IOSCO notes the useful feedback and suggestions, however the proposals do
not merit a change in the proposed measure. We have made some refinements in the measure’s
underlying text.
Measure 4 – Promoting enhanced understanding by, and collaboration with, providers of
electronic intermediary services with regard to digital illegal activities
IOSCO members could consider initiatives, individually and collectively through IOSCO, to
foster more meaningful understanding by, and collaboration with, providers of electronic
intermediary services in curbing digital illegal activities and anonymous website registration.
Respondents were generally supportive of the measure. Fair Canada advocated that, where warranted
and feasible, IOSCO members should consider going beyond collaboration and consider whether
such service providers should assume greater legal responsibility for the content they host or agree
to have posted on their platforms. IFF highlighted that Regulators may also consider the
responsibility of online platforms, which may contribute to problematic market practices as described
by IOSCO based on their data-driven business models. Regulators should consider the degree to
which regulated firms can control these platforms and other unregulated intermediaries/service
providers.
IOSCO’s response: IOSCO has made changes to the measure and to the underlying text making it
explicit that IOSCO members could foster more meaningful understanding and efforts by providers
of electronic intermediary services to actively participate in curbing digital misconduct helping to
enhance investor protection.
Measure 5 – Additional efforts to address regulatory and supervisory arbitrage
IOSCO members could consider additional efforts to address regulatory and supervisory
arbitrage in the interest of facilitating international enforcement cooperation and enhancing
investor protection on a global scale.
The proposed measure received a positive feedback. Spanish CNMV Advisory Committee and IIF
provided a specific comment, noting that, whilst the industry supports regulatory initiatives to avoid
regulatory fragmentation, this should be done on a principle-based rather than “one-size-fits-all”
way, accounting for specificities of different jurisdictions. They also pointed out that industry (and,
according to one of such respondents, consumers) should be involved in additional efforts to address
regulatory and supervisory arbitrage.

66

IOSCO’s response: IOSCO notes the useful feedback and suggestions, however the proposals do
not merit a change in the proposed measure.
Furthermore, some of the more general comments received were the following:
Some respondents (FPSB, World Federation of Exchanges, CFA Institute, FPSB) stressed the need to
improve financial education among retail investors, also in the light of the increasing adoption of selfdirected investment behavior and gamification techniques. CFA Institute highlighted that financial
education programmes should be targeted during retail investors’ entire life cycle, including children in
primary schools, and could teach retail investors to distinguish valid and suitable products from too
risky and inappropriate investments.
FPSB proposed that IOSCO members might consider additional research and guidance on how market
participants should strike the balance between making retail investing fun and the risk of turning the
serious business of investing and financial planning into a game, with the potential to lead to negative
outcomes for investors and a loss of trust in the market.
ALFI pointed out that the overlap of the proposed measures with local developments and existing
framework requires consideration for an effective implementation and calls for coordination. In this
regard, we wish to note that, as mentioned in the Introduction, implementation of the measures indicated
in this Report may vary across IOSCO members, consistent with jurisdictions’ laws and regulations.
ALFI also mentioned further areas associated with digitalization that create risks for investor protection,
such as potential disruptive effects on markets and fair pricing resulting from social trending bubbles
facilitated by digital platforms or data protection issues. Such observations go beyond the scope of this
Report, which looks at digitalization from the perspective of marketing and distribution of financial
products and services.