Communications, Media and Technology

This article highlights predictions from Global KPMG Legal Services leadership from around the world on how data, privacy and cyber security issues will affect the future of legal functions and legal practice. As predictions, they are not intended to guarantee any future outcomes.

Today’s legal teams are challenged by rapid technological innovations. Generative artificial intelligence (gen AI) and other new technologies are being adopted across legal functions and broader businesses at breakneck speed. While productivity is being pushed to new heights, organizations are being exposed to a new range of risks, including data privacy breaches, loss of attorney-client privilege, heightened regulatory scrutiny, ransomware and related reputational damage.

At the same time, new abilities to access, manipulate and analyze huge pools of data are compelling legal professionals, regulators and policy innovators to balance technology’s potential to drive positive social change against the dangers of exposing large swathes of sensitive personal information.

How will these trends reshape the legal functions of the future? Here are KPMG professionals’ top five predictions:

1. As gen AI becomes ever more embedded into legal function processes, legal teams will need to understand how and when to keep humans in the loop to maintain the skills needed to guard against the related risks.

The application of gen AI and other new technologies to legal work will significantly increase efficiency and productivity. These gains will grow as legal professionals get more comfortable with these powerful solutions and continue to develop more constructive ways to employ them.

Dependence on gen AI will grow apace, however, and legal teams will need to stay vigilant about the attendant risks. For example, using gen AI to inform legal advice could lead to data breaches that could affect privilege. And eventually, as gen AI subsumes ever more routine legal activities previously done by junior lawyers and paralegals, there will be fewer people in the organization with the skills to do that type of work.

Legal professionals will need to avoid the tendency to simply accept that a computer’s output is correct without questioning the reasoning behind it. They will need to develop the skills to work backwards from the output to explain how a legal conclusion was derived and independently verify whether it is accurate. Attorneys will also need to be purposeful in determining which processes are a good fit for AI and where they still need to maintain the skills to verify the legitimacy and accuracy of AI output.

2. A raft of new legislation will emerge to address a wide array of AI-related issues.

As new AI legislation is enacted, legal teams will move beyond building AI for their own use cases to advising their businesses on the AI implementation. Legal departments will need to understand all of these different rules so they can establish legal frameworks that enable the organization to innovate and use AI. This use must follow ever-evolving new laws and regulations and must proceed in a safe and trusted way.

Within these frameworks, legal teams need to set business-optimized guardrails so they can make the most of business opportunities while preventing their organizations from incurring risk.

Smart use of technology will be a key to managing these new compliance obligations. gen AI and large language model AI can ingest, decipher, summarize and automate data and regulatory and compliance rules to a much wider degree than any current technology. Legal professionals who learn how to use technology for both improving productivity and policing its use will have a distinct competitive advantage.

3. Privacy laws and approaches to open data innovation will continue to diverge. The more AI is relied on, the more the risks increase, leading to more rigorous requirements aimed at protecting personal data on one hand while enabling its use for productivity gains and positive social change on the other.

Revolutionary AI systems have enormous potential to help solve various societal problems, such as disease and vendor diversity-based discrimination. However, these systems require copious amounts of personal data to create reliable statistical conclusions, raising issues about whether the right permissions and safeguards are in place for processing that data.

Regulatory restrictions on data usage, such as data localization and data sovereignty rules, will continue to increase. However, there will be some push and pull as some jurisdictions, such as the UK, attempt to simplify those rules in order to encourage innovation, sharing of data and open data. For example, the EU Data Act aims to allow public authorities to make public data available for purposes of the wider community via a public data trust.

Legal teams are likely to increase their use of AI-enabled privacy technology to demonstrate compliance as new data protection legislation comes onstream. This technology can also make legal data analysis more efficient and ultimately help make legal decisions more consistent.

4. With gen AI’s ability to create and transform, data sources will become more opaque and harder to trace, leading to more data privacy and intellectual property disputes.

As machine learning, large language models and gen AI continue to advance and collect huge volumes of data, it will become increasingly difficult to trace and verify the sources used to train these technologies. Currently, we have seen disputes over AI’s use of copyrighted texts and artworks in generating new works. The inability to prove who “owns” a source of original data could frustrate attempts to gain intellectual property protection for AI-generated results.

Challenges in tracing data could also cause companies to run afoul of data privacy legislation by hampering their ability to comply with legislated data subject rights, such as access or erasure requests.

In-house privacy teams will need to expand their focus to streamline processes and controls and adapt to AI-related risks and regulations. Legal departments will also need to have the ability to quickly develop internal policies, procedures and controls to keep up with the pace of new usage.

5. Legal departments will be on the front lines of defending against cyber attacks and upholding organizational resilience.

Cyber security threats are likely to multiply in the future as cyber criminals become adept at using gen AI for writing ransomware, bypassing protections, spreading misinformation and other offences. Legal teams will be called on to respond to these risks on a number of fronts by:

• advising companies on consistent policies for responding to and dealing with ransomware attacks
• working with in-house technology or operational teams to implement or adopt appropriate cybersecurity technology to protect the organization’s data (in compliance with stricter data protection/cyber security laws).
• educating people across the company on cyber risks, including the guardrails needed to mitigate those risks and what red flags to watch out for
• ensuring that the people responsible for complying with data security and privacy legislation:
  • have the skills to understand the sources of cyber risks and related safeguards
  • maintain their human connections within the organization so they can ensure AI uses remain safe and secure.

Governments can also be expected to get involved to ensure businesses in their jurisdiction have appropriate cyber security policies and governance in place. In the near future, we are likely to see legislation enacted to mandate organizational resilience on adopting stronger cyber security technology and efficient response to cyber security breach. Legal professionals will need to help their organizations develop approaches to complying with these rules.

This article is prepared by Usman Wahid, Partner, Head of Technology Law at KPMG Law in the UK; Nadarashnaraj Sargunaraj, Head of Technology, Privacy and Cybersecurity, Zaid Ibrahim & Co. (in association with KPMG Law); and Isabel Simpson, Partner, Data Protection, Technology and Telecommunications Practice Group lead, EMA.

‍

With the constant evolution of technology, the regulatory landscape has evolved to accommodate the dynamic nature of financial technology. Regulatory bodies are actively engaging in dialogue with industry players to ensure that the sector is up to date and relevant while maintaining the integrity of the financial system.

The regulatory environment in Malaysia reflects a balance between fostering technological advancements and safeguarding the interests of both businesses and consumers in the rapidly evolving fintech ecosystem. In this article Jonathan Lim Hon Kiat, Co-Head Corporate TMT team highlights the key regulatory developments in Malaysia in 2023.

‍

“Audentes Fortuna Juvat” (Fortune Favours the Bold) – a Latin proverb that perhaps spurred the aspirations of many and sculpted the resilience of humanity to thrive above catastrophes, pandemics and economic downturns. This desire to rise beyond circumstances has led to the explosion of creative innovations that challenges traditional systems and propelling humanity to a new frontier.

The insurgence of digital innovations which redefined payment methods, delivery services, dining cultures, shopping experiences have woven itself into the fabric of our current lifestyle. That said, the maturing digital landscape which revolutionised the financial services sector and inculcated a seamless user culture, now demands for a further evolution of digital offerings.

Blockchain technology which shadows the spotlight introduction of the digital assets ecosystem has often been misunderstood as a co-dependent solution exclusive to the issuance of digital assets. Nonetheless, truth be told, Blockchain technology itself is neutral and its offering promotes, in all simplicity, the ability for a peer to peer maintenance and authentication of information.  This comes in useful whether for our day-to-day digital transactions, or to provide a decentralised infrastructure for digital assets offerings.

Fungible Tokens

The popularity of fungible tokens rose around 2017. The concept of a decentralised digital currency which operates free of any central control or the oversight of banks or government began to creep in and set its footprint in our nation’s financial ecosystem. The hedging and trading of Bitcoin coupled with alternative fund raising mechanisms such as Initial Coin Offerings (“ICO”) exploded in popularity amongst entrepreneurs and innovators, creating a fresh vertical of investment opportunities or offerings through the issuance of digital assets.

Unregulated as they were, the insurgence of ICOs, enticed the attention of global regulators where the US Securities and Exchange Commission (SEC) and the US Supreme Court applied the Howey’s Test to determine if digital asset offerings qualify as “investment contracts” and if so, those transactions are considered securities^[1] under the Securities Act of 1933 and the Securities Exchange Act of 1934.

Similarly in 2019, our Ministry of Finance issued the Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital Token) Order 2019^[2] (the “Order”) which describes Digital Assets to encompass both Digital Currency and Digital Tokens. Digital Assets which fulfils the criteria as defined under the Order are prescribed as securities and are subject to the provisions of the Capital Markets and Services Act 2007 (the “CMSA”) which in turn falls within the purview of the Securities Commission of Malaysia (the “SC”).

Following the Order, the SC introduced additional frameworks which includes the introduction of the Digital Asset Exchange License (the “DAX”) under the Recognised Market Operator Guidelines (the “RMO Guidelines”), where parties with the proper set of expertise can obtain approval to operate a crypto trading platform.

To date we have four approved DAX consisting of Luno, Sinegy, Tokenized and MX Global. In a recent article,^[3] SC announced that over RM16 billion in digital assets and cryptocurrencies were traded in Malaysia between August 2020 and September 2021 amid an uptrend in prices of blockchain-based assets.

Recognising the potential innovation where alternative fund raising is conducted through a tokenised regime, the SC in 2020 introduced under the RMO Guidelines and the Digital Assets Guidelines (the “DA Guidelines”), the Initial Exchange Operator framework (the “IEO”), where companies are able perform to tokenised fundraising exercises through approved licensed IEO Operators in a regulated environment. Unlike ICOs, the IEO is positioned to provide better clarity and a supervised environment to marginalised fraudulent propositions in view to protect investor interests while promoting legitimate value propositions.

Whilst value propositions with their respective white papers can now be vetted through an IEO platform, continuous efforts in ensuring public confidence was further promoted through the introduction of a registration regime under the DA Guidelines for Digital Custodians. The introduction of a DAX coupled with an IEO platform and a Digital Custodian framework, seems to complete the architecture which provides sufficient broad strokes for “check and balance” whilst balancing minimal interference in the economic growth of the decentralised market in Malaysia.

To date, SC has approved the registration of two   IEO platform operator, namely Kapital DX Sdn Bhd and Pitch Platforms Sdn Bhd^[4]. Perhaps, while “the gold standard” was the economic totem of the age, digital assets may spring as the lifeblood of a parallel yet alternative financial system potentially setting the foundation for an alternative standard or a metaverse economy.

Non Fungible Tokens

Non Fungible Tokens or NFTs has recently dominated the headlines of the crypto world. Whilst fungible tokens are starting to firm its grip and gain its traction in the financial world, spinning away from stable coins and government backed coins, NFTs has generated immense interest in recent months. The ideation years in creating an authentication token for purposes of embracing intellectual properties has now come into fruition when Ethereum introduced the ERC-721 standard.

To put it simply, NFTs are digital tokens that provide representation of rights, authentication or guarantee of ownership to digital images, videos, games and other forms of digital assets. NFTs are non-fungible in nature.  In other words, each NFT is uniquely identifiable. Generally, when a NFT is bought or sold, the asset never changes hands. Rather, the transfer of the asset is recorded and the ownership of the asset is assigned in the blockchain.

Due to the NFTs’ unique characteristics, unlike fungible tokens, further uncertainty looms over the regulatory vertical in determining whether such digital tokens would fall within the definition or parameters of a security. In the US, the Commodity Futures Trading Commission (the “CFTC”) interprets commodities to include cryptocurrencies such as bitcoin.^[5] However, the CFTC has yet to provide an official guidance about whether NFTs should be considered commodities or whether NFTs should be treated as securities under the Securities Act of 1933 and the Securities Exchange Act of 1934.

Separately, the Financial Conduct Authority in UK suggests that generally, NFTs are likely to be ‘unregulated tokens’. In Singapore, the Monetary Authority of Singapore adopts the approach to differentiate NFTs under its existing laws. Whether an NFT will be regulated is subject to whether that NFT warrant a utility, payment or security characteristic.

That said, it is noteworthy that, the European Union in its recent issuance of the ‘Markets in crypto-assets Regulation’ (MCA) (which is expected to be in force in 2025) expanded the definition of crypto assets to include NFT.

Whilst global regulators seem to be distant in navigating the regulations pursuant to NFTs, closer to home, it would seem that NFTs may arguably fall out of the criteria as set out in the Order. Nonetheless, it remains useful to thread with caution as the influx of new methods of using NFTs, especially through NFT gaming (where NFTs are mined for returns in fiat currency), remains untested and may potentially assume the risk of being prescribed as securities under the Order.

To date, the SC has yet to clarify whether NFTs is prescribed as a security. Thus, NFTs remain a white space of which regulation are yet to be put in place by the Malaysian regulators.

Difference between Fungible Tokens and Non Fungible Tokens^[6]

Medium of Exchange

Undeniably, with the significant influx of investments and fiat currencies into the crypto market, the concept of embracing digital assets as a medium of exchange has begun to gain traction. Pioneers in the global payment system space, such as Visa, has emerged to embrace the acceptance of digital currencies as a medium of exchange. Likewise in Japan, crypto currencies such as bitcoin and ethereum have been accepted as a medium of exchange, however it is treated very much like an asset rather than an alternative currency.

Similarly, onshore retailers^[7] have begun to accept cryptocurrencies as a medium of exchange for their goods and services. Nonetheless, in a joint statement between Bank Negara Malaysia and SC published on 6 December 2018, BNM announced that digital currencies and digital tokens are not recognised as legal tender nor as a form of payment instrument that is regulated by BNM.^[8] This position has recently been reaffirmed by the current Deputy Finance Minister II.^[9]

That said, the doctrine of freedom of contract^[10] is embedded in the Malaysian Contracts Act 1950 which states that all agreements are contracts if made with the free consent of parties competent to contract, for a lawful consideration and lawful object. Whilst cryptocurrencies has yet to obtain legal tender status, it remains recognised as a medium of exchange as upheld by the Courts of Malaysia in the case of Luno Pte Ltd & Another v Robert Ong Thien Cheng.^[11]  Nonetheless, while parties are free to adopt digital assets as a medium of exchange,^[12] such adoption does not exempt parties from compliance with other laws and regulations that are relevant to the said transaction (e.g. tax regimes).

Embracing Change

Perhaps it is no longer appropriate to assess this space from the safety of an observation tower.   With the new norm and the volatility of the present economic climate, the insurgence of an alternative yet parallel financial system may be a healthy development.  As we embrace these changes, regulation remains the key in balancing both economic and social interest.

“Entrepreneurship rests on a theory of economy and society. The theory sees change as normal and indeed as healthy. And it sees the major task in society – and especially in the economy – as doing something different rather than doing better what is already being done. That is basically what Say, two hundred years ago, meant when he coined the term entrepreneur. It was intended as a manifesto and as a declaration of dissent: the entrepreneur upsets and disorganizes. As Joseph Schumpeter formulated it, his task is “creative destruction.”
― Peter F. Drucker, Innovation and Entrepreneurship: Practice and Principles

If you have any questions or require any additional information, you may contact Jonathan Lim or the Zaid Ibrahim & Co partner you usually deal with.

Jonathan Lim is a corporate partner in the Communications, Multimedia and Technology practice group of Zaid Ibrahim & Co, and helms the Fintech portfolio of the firm. He is also serving as the Secretary for the Fintech Association of Malaysia for the term 2021/2022.

The views expressed here are the writers’ own.

This article is for general information only and is not a substitute for legal advice.

[1] ‘Howey Test’ (Investopedia) <https://www.investopedia.com/terms/h/howey-test.asp>: Securities are fungible and tradable financial instruments used to raise capital in public and private markets. The public sales of securities are regulated by the SEC. The definition of a security offering was established by the Supreme Court in a 1946 case called SEC v. W.J. Howey Co. In its judgment, the court derives the definition of a security based on four criteria (a) the existence of an investment contract, (b) the formation of a common enterprise, (c) a promise of profits by the issuer, and (d) the use of a third party to promote the offering.

[2] Please see here for a copy of the Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital Token) Order 2019.

[3] Ahmad Naqib Idris, ‘SC: Over RM16b in cryptocurrencies, digital assets traded in Malaysia as at September 2021’ The Edge Malaysia (26 October 2021) <https://www.theedgemarkets.com/article/sc-over-rm16b-cryptocurrencies-digital-assets-traded-malaysia-september-2021>.

[4] ‘SC Registers Two Initial Exchange Offering (IEO) Operators’ (Fintech News, 23 March 2022) <https://fintechnews.my/30958/blockchain/sc-registers-two-initial-exchange-offering-ieo-operators/>.

[5] Commodity Futures Trading Commission, ‘Bitcoin Basics’ (CFTC) <https://www.cftc.gov/sites/default/files/2019-12/oceo_bitcoinbasics0218.pdf>.

[6] See ‘Difference between FT and NFT’ (Social NFT, 20 April 2021) <https://socialnft.market/difference-between-ft-and-nft/> and Gwyneth Iredale, ‘The Difference Between Fungible and Non-Fungible Tokens’ (101 Blockchains, 24 March 2021) <https://101blockchains.com/fungible-vs-non-fungible-tokens/>.

[7] Team Luno, ‘Where to Spend Bitcoin in Malaysia’ (Luno, 7 August 2021) <https://discover.luno.com/spend-bitcoin-in-malaysia/>.

[8] Please see ‘Joint Statement on Regulation of Digital Assets in Malaysia’ (Bank Negara Malaysia, 6 December 2018) <https://www.bnm.gov.my/-/joint-statement-on-regulation-of-digital-assets-in-malaysia>.

[9] Kevin Helms, ‘Malaysia’s Deputy Finance Minister: Crypto Not Suitable as Means of Payment or Store of Value’ (Bitcoin.com, 3 March 2022) <https://news.bitcoin.com/malaysias-deputy-finance-minister-crypto-not-suitable-as-means-of-payment-or-store-of-value/>.

[10] Ooi Boon Leong & Ors v Citibank NA [1984] 1 LNS 26.

[11] [2019] 1 LNS 2194.

[12] Please see ‘Half a Bitcoin Used to Buy 3 Acres of Land in Sabah’ (Property Guru, 11 January 2018) <https://www.propertyguru.com.my/property-news/2018/1/167836/half-a-bitcoin-used-to-buy-3-acres-of-land-in-sabah>.