The Swiss Parliament Agrees on the Draft Bill of a New Data Protection Act
After three years of discussions and in a final debate, the Swiss parliament has agreed on the final draft bill of a new and modernized data protection law.
In particular, the National Council and the Council of States found a compromise on the these outstanding issues: (more…)
The U.S. Office of the Comptroller of the Currency Seeks Comment on Digital Innovation by Banks
The U.S. Office of the Comptroller of the Currency (OCC) has issued an Advance Notice of Proposed Rulemaking (ANPR)1 seeking input on how best to accommodate new technology and innovation in the business of banking, in connection with the OCC’s “comprehensive review” of its regulations at 12 C.F.R. part 7, subpart E (national banks), and part 155 (federal savings associations) (collectively, Rules). The ANPR offers industry participants an opportunity to shape future guidance and remove regulatory burdens to offering innovative new products, partnering with technology companies and enhancing operations through deployment of new technologies. The ANPR follows on the heels of regulators’ other efforts to address technological developments,2 with the caveat that the OCC is not seeking comment on authority to issue special purpose national bank charters.
FinCEN Issues Notice on Reporting COVID-19 Criminal and Suspicious Activities, Companion Advisory on COVID-19-Related Medical Scams
On May 18, 2020, the Financial Crimes Enforcement Network (FinCEN), as part of its COVID-19-related response, issued a Notice Related to the Coronavirus Disease 2019 (COVID-19) reminding financial institutions of certain Bank Secrecy Act (BSA) obligations and pertinent information regarding reporting COVID-19-related criminal and suspicious activity (the Notice). Contemporaneously, FinCEN issued an Advisory on Medical Scams Related to the Coronavirus Disease 2019 (COVID-19) (the Advisory).
In light of the Notice and Advisory, firms should (a) continue to comply with their BSA obligations; (b) include COVID-19 detail only when that detail relates to the reported suspicious activity; (c) review policies and procedures to notify and to provide COVID-19 information to government agencies, including verification of the requesting agency; (d) review the Advisory red flags related to medical scams; and (e) consider revising policies and procedures as appropriate.
COVID-19-related frauds are a special emphasis for law enforcement and regulatory agencies, so failing to detect and report those issues could be viewed as a significant flaw in a firm’s anti-money laundering (AML) program.
U.S. Warns of Threat to Financial Industry Posed by North Korean Cyberattacks
The U.S. Departments of State, the Treasury and Homeland Security and the Federal Bureau of Investigation issued a joint advisory (the Advisory) on April 15, 2020, discussing the threat to the international community posed by cyberattacks linked to the Democratic People’s Republic of Korea (North Korea), in particular highlighting concerns for the financial services sector. North Korea has been subjected to comprehensive international sanctions implemented to pressure its government to denuclearize. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has implemented additional unilateral sanctions in response to other North Korean activities, including cyberattacks, human rights violations and money laundering. In addition to broad prohibitions on trade with North Korea, U.S. sanctions bar domestic financial institutions from conducting or facilitating any significant transaction in connection with trade with North Korea or on behalf of any person whose property has been blocked under executive orders imposing sanctions on North Korea. Foreign financial institutions risk secondary sanctions for engaging in the same. (more…)
Chambers 2020 Global Practice Guides for Data Protection & Privacy and Cybersecurity Available
The updated 2020 Chambers Global Practice Guides for Data Protection & Privacy and Cybersecurity, edited by Alan Charles Raul, are available, covering important developments across the globe and bringing expert legal commentary for businesses. Read the intros to each Guide here and here.
U.S. Office of the Comptroller of the Currency Updates Third-Party Relationships Risk Management Guidance
On March 5, 2020, the Office of the Comptroller of the Currency (OCC) issued an updated set of answers to frequently asked questions (FAQs)1 regarding risk management in national bank relationships with third parties to further supplement its 2013 guidance, OCC Bulletin 2013-29 (the Bulletin),2 and its 2017 FAQs (Prior FAQs) on the topic.3 Twelve of the 27 FAQs are new and elaborate on a wide range of topics, including the broad intended scope of third-party risk management obligations, obligations of banks where negotiating power or access to information is limited, oversight of cloud computing providers and data aggregators and use of third parties in model development or delivery of alternative data for credit underwriting.
SEC and FINRA Issue 2020 Examination Priorities (Including Cybersecurity) for Broker-Dealers and Investment Advisers
The U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) and the Financial Industry Regulatory Authority (FINRA) recently published their examination priorities (together, the Examination Priorities) for the 2020 calendar year.1 In general, the 2020 Examination Priorities continue recurring themes from recent prior years.
OCIE’s 2020 Examination Priorities for broker-dealers and investment advisers include the protection of retail investors (including compliance with new standard of care requirements and interpretations), cyber and information security risks, anti-money laundering compliance, firms engaging in the digital asset space and the provision of electronic investment advice.
FINRA’s 2020 Examination Priorities for member firms include those generally identified by OCIE for registered broker-dealers, as well as cash management and bank sweep programs, initial public offerings, liquidity management, trading authorizations and order routing and vendor display rule requirements, among others.
This post summarizes selected aspects of the Examination Priorities that may be of particular interest to broker-dealers and investment advisers. As always, firms should use the 2020 Examination Priorities to review their compliance and supervisory procedures carefully and make any necessary revisions. Firms also should be prepared to explain their compliance and supervisory policies in these areas in their upcoming SEC and/or FINRA examinations, as applicable, and provide documentation of relevant reviews.
URGENT: CFTC Warns Registrants of Cyber Threats and Requests Information by January 10 and/or January 20
On January 3, 2020, the Division of Swap Dealer and Intermediary Oversight (DSIO) of the U.S. Commodity Futures Trading Commission (CFTC) issued two cyber threat alerts regarding the hacking of approximately one dozen cloud service providers, as described in a Wall Street Journal article published December 30, 2019, entitled “Ghosts in the Clouds: Inside China’s Major Corporate Hack.”
One DSIO cyber threat alert was directed to swap dealers (SDs) and futures commission merchants (FCMs). Another was directed to commodity pool operators (CPOs), commodity trading advisors (CTAs), introducing brokers (IBs) and retail foreign exchange dealers (RFEDs). The National Futures Association (NFA) then sent a blast email to all NFA members in these registration categories (on behalf of the CFTC), with the DSIO alerts attached, further emphasizing to NFA members the information requested by DSIO and the deadlines for providing such information.
Fund Managers Targeted in Sophisticated Cyberattacks
There has been a spike in 2019 of targeted cyberattacks against Asia-based fund managers, especially those in a startup phase of business. Regulators worldwide, including the Securities and Futures Commission of Hong Kong, have issued guidelines for reducing and mitigating hacking risks. This post summarizes the practical measures that may be adopted to protect your firm against cyberattacks and the keys to successful crisis management in the event that an unauthorized data breach occurs. (more…)