UK FCA Consults on Changes to Strong Consumer Authentication, Dedicated Interfaces, and Guidance on Payment Services
On January 28, 2021, the UK Financial Conduct Authority (FCA) published Consultation Paper CP21/3, “Changes to the SCA-RTS and to the guidance in ‘Payment Services and Electronic Money – Our Approach’ and the Perimeter Guidance Manual” (Consultation Paper). This follows the FCA’s announcement in its 2020-21 business plan that payment services were one of its main supervisory priorities1 and its temporary guidance of July 9, 2020, on prudential risk management and safeguarding in light of the COVID-19 pandemic (Temporary COVID Guidance).
The FCA is proposing amendments to:
- the UK onshored versions of EU technical standards on strong customer authentication (SCA) and common and secure methods of communication (UK SCA-RTS);
- its Approach Document on Payment Services and Electronic Money (Approach Document); and
- its Perimeter Guidance Manual (PERG).
FINRA Issues 2021 Report on its Examination and Risk Monitoring Program
Released on February 1, the Financial Industry Regulatory Authority (FINRA) 2021 Report on its Examination and Risk Monitoring Program (Report) provides a roadmap for member firms to use to prepare for examinations and to review and assess compliance and supervisory procedures related to business practices, compliance, and operations. The Report replaces two of FINRA’s prior annual publications: (1) the Report on Examination Findings and Observations, which provided an analysis of prior examination results, and (2) the Risk Monitoring and Examination Program Priorities Letter, which highlighted areas FINRA planned to review in the coming year.
NAIC Insurance Data Security Law Annual Certifications: Is Yours Due By February 15?
Most cybersecurity professionals are aware of the New York Department of Financial Service’s requirement imposed on DFS-licensed entities to certify their cybersecurity program’s compliance on an annual basis (by April 15th of each year), but less well known is that numerous other states impose similar requirements on regulated insurance entities and that deadline for many states is coming up on February 15, 2021.
U.S. Office of the Comptroller of the Currency Finalizes Fair Access Requirements
On January 14, 2021, the U.S. Office of the Comptroller of the Currency (OCC) issued its controversial final rule (Rule)1 to establish a new requirement for covered banks to provide “fair access” to financial services to both natural persons and legal entities.2 The preamble to the Rule explains that it is intended to address situations in which large banks have denied access to financial services on the basis of a prospective customer’s industry affiliation or connection with a politically unpopular, but lawful, activity. The Rule instead requires, among other things, that access to all financial services at covered banks be provided on the basis of a person’s individual characteristics evaluated under quantitative, impartial risk-based criteria. The OCC claims that these fair access standards do not, however, require that a covered institution provide any specific type of financial service, do business with a particular person or industry, or operate in a particular market. Nonetheless, in part because of the perception that the Rule will impair the ability of banks to take into account issues like climate change in making underwriting decisions, the fate of the Rule under the Biden administration remains uncertain.
UK FCA Expectations on Call Recording in a Remote Working Environment — Market Watch 66
On 11 January 2021, the UK Financial Conduct Authority (FCA) published the 66th edition of its Market Watch newsletter. The newsletter sets out the FCA’s expectations for firms on recording telephone conversations and electronic communications when alternative working arrangements are in place, including increased homeworking in light of the COVID-19 pandemic.
The newsletter follows on from an update on 8 January 2021 to the market trading and reporting statement on the FCA’s Coronavirus (Covid-19): Information for firms webpage. In that update, the FCA notes that, given the extensive duration of alternative working arrangements during the pandemic, the FCA now expects firms to record all relevant communications (including voice calls) when working outside the office.
FinCEN Proposes Tracking and Reporting Virtual Currency Transactions Involving Unhosted Wallets
On December 18, 2020, the Financial Crimes Enforcement Network (FinCEN) issued a notice of proposed rulemaking (NPR) regarding a proposal to impose on banks1 and money service businesses (MSBs) new recordkeeping, reporting, and identity verification requirements in relation to certain transactions involving convertible virtual currency (CVC) or digital assets with legal tender status (legal tender digital assets or LTDA)2 if the counterparty to the transaction does not have an account with, including a digital asset wallet hosted by, a financial institution regulated under the U.S. Bank Secrecy Act (BSA) or certain foreign financial institutions not located in designated problematic jurisdictions. If adopted, the proposed rule will impose significant new burdens only on banks and MSBs involved in digital asset businesses and undercut the role of U.S. institutions in digital asset economies, including in the growing area of “decentralized finance.” The NPR proposes to exclude broker-dealers, futures commission merchants, and mutual funds, among others that are subject to the BSA from these new reporting requirements, but specifically requests the industry’s comment on whether these types of institutions should also be included within the scope of the rule.
Affected institutions will have very limited time to assess and comment on the NPR, as the comment period closes on January 4, 2021, notwithstanding two intervening federal holidays.
Comments Sought on Proposed Rulemaking: Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers
On December 15, 2020, the U.S. Federal Deposit Insurance Corporation (FDIC) approved and the federal banking agencies jointly announced on December 18 a notice of proposed rulemaking, Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (NPR).1 The NPR is a joint proposal by the Office of the Comptroller (OCC), the Board of Governors of the Federal Reserve System (Board), and the FDIC.
Big Data: Legal and Compliance Considerations for Investment Managers
Sidley Partners Nathan J. Greene and Colleen Theresa Brown are co-authors of a new chapter of the PLI treatise Investment Adviser Regulation: A Step-by-Step Guide to Compliance and the Law focusing on legal and compliance considerations for use of Big Data. The chapter examines the expanding range of topics facing investment management lawyers and compliance professionals, as well as the attendant legal and operational risks. The chapter includes an introduction to the concepts of data, alternative data, big data and artificial intelligence; examples of an organization’s data users, likely sources of data, and organizational controls for data collection and processing; and a review of the ways different types of data are regulated.
TRM Podcast on DOJ’s Cryptocurrency Enforcement Framework features Sidley Partner Sujit Raman
Sidley’s newest partner, Sujit Raman, former U.S. Associate Deputy Attorney General at the Department of Justice (DOJ), was among three panelists on the TRM Talks inaugural podcast, titled “Unpacking DOJ’s Crypto Enforcement Framework.” The panel discussed the DOJ’s recently-published Cryptocurrency Enforcement Framework on legitimate uses of cryptocurrencies, the inherent risks and challenges, and the federal government’s enforcement strategies in this space.
Tune in at https://blog.trmlabs.com/trm-talks/unpacking-doj-crypto-framework.
Changes in Chinese Securities Law and Draft Data Security Law Affect Cross-Border Investigations
Recent changes to Chinese law have broad implications on cross-border data transfer in the course of investigations conducted by non-Chinese regulators. Clients work closely with counsel to navigate potential legal landmines in any defense of an investigation involving data from China.
Just over six months ago, on March 24, 2020, the People’s Republic of China’s (PRC) revised Securities Law (revised on December 28, 2019) (中华⼈民共和国证券法(2019年修订) went into effect. While the revised Securities Law affects many aspects of China’s securities law framework (including the registration of new securities for initial public offerings, disclosure requirements, and investor protection rules), a new “blocking” provision is particularly notable. Specifically, Article 177 of the revised Securities Law prohibits non-Chinese securities regulators from conducting investigations within China and prevents Chinese individuals and entities from providing information to such regulators without first receiving approval from the China Securities Regulatory Commission and/or other competent departments under the State Council.