This post summarizes the EDPB’s stated positions on these points and explores the implications for firms providing payment services in the European Economic Area (EEA).
Companies subject to New York’s Cybersecurity Regulation are acting quickly to finalize their compliance obligations as the fifth “due date,” September 4, 2018, quickly approaches.
By September 4, 2018, Covered Entities must ensure that their cybersecurity programs have in place certain additional safeguards:
- an audit trail that shows detection of and response to material cybersecurity events;
- written security procedures, guidelines, and standards for the development of in-house applications and for the evaluation and testing of externally developed applications;
- data retention policies and procedures for the disposal on a periodic basis of nonpublic information no longer necessary for business operations;
- risk-based policies, procedures, and controls to monitor the activity of authorized users and detect unauthorized access; and security controls, such as encryption, to protect non-public business relations and personal information.
Notably, for this upcoming deadline, Covered Entities that have received a limited exemption must still comply with the regulatory provision regarding data retention policies and procedures for the periodic disposal of nonpublic information. (more…)
On August 7, a group of regulators from 11 jurisdictions published a consultation (the Consultation) on the Global Financial Innovation Network (the GFIN), which aims to promote international cooperation on innovation and the use of technology in financial services (FinTech) and in regulatory processes (RegTech).
The group — which includes the U.S. Consumer Financial Protection Bureau, the UK Financial Conduct Authority (the FCA), the Hong Kong Monetary Authority (HKMA) and the Monetary Authority of Singapore (MAS) — is one of the first major collaborative efforts on FinTech and RegTech issues among regulators in developed financial services markets. The Consultation builds on the FCA’s proposal earlier this year to create a “global sandbox” for innovative financial services firms.
This post summarizes the proposed role of the GFIN, the issues on which its founding regulators are consulting and how these may affect financial services firms.
On June 29, the day after California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law, Data Matters provided a summary of the important new legislation. In doing so, we noted that the law was scheduled to go into effect on January 1, 2020 and that, if and when it did, it would be the “broadest privacy law in the United States” and “may well have an outsize influence on privacy laws nationwide.” Because of this, we further predicted that “[t]he coming months will no doubt stimulate considerable legislative and litigation activity to test the acceptability of [the CCPA’s] effects on interstate commerce, free speech, commercial innovation, reasonable regulatory burdens and meaningful privacy protection.” (more…)
In October 2017, the National Association of Insurance Commissioners (NAIC) adopted an Insurance Data Security Model Law. According to NAIC’s news release announcing this development, the Model Law was meant to build on the organization’s cybersecurity progress and create a “platform that enhances our mission of protecting consumers.” (For more information on the development of the Model Law, see our prior coverage.) (more…)
On May 24, 2018, President Donald Trump signed into law the Economic Growth, Regulatory Relief, and Consumer Protection Act (the Act). The Act is effective immediately except as otherwise stated in certain provisions.
The Act makes many significant modifications to the postcrisis financial regulatory framework, although it leaves the core of that framework intact.
One major consequence of the Act may be an increased potential for mergers, acquisitions and organic growth among regional and midsize banks, as well as community banks, because of provisions that increase the thresholds that must be met before various financial regulatory requirements apply.
Whether you are marking today with a glass of champagne, a shot of whiskey, or a hot cup of tea, today marks a significant day for privacy professionals world-wide.
Here’s to all of the privacy professionals who have put in so many hours to prepare for the GDPR, fully effective as of Friday May 25, 2018 at midnight in Brussels; that is 6 PM eastern on Thursday, May 24th for toasting purposes.
For business executives, policymakers, and consumers who have become aware of the GDPR in recent weeks and are interested in learning more, visit our GDPR resource page here.
The British Private Equity & Venture Capital Association has issued a Guide to GDPR for the Funds Industry focusing on practical guidance, including explanations of what the GDPR is and why it is relevant for the funds industry. Authors included Sidley lawyers William RM Long, Geraldine Scali, Vishnu Shankar, Francesca Blythe, Denise Kara and Eleanor Dodding.
The GDPR, or the General Data Protection Regulation, is a new EU data privacy law that comes into force on 25 May 2018. The GDPR is intended to provide a single harmonised data privacy law that applies across the EU and is appropriate for the use of Personal Data in the 21st century. The GDPR imposes many new data protection requirements on the collection, use and disclosure of Personal Data which will be relevant to firms and imposes significant fines of up to 4% of annual worldwide turnover.
The Guide describes how key parts of the GDPR will apply to firms and key obligations and issues for firms to consider in dealing with the GDPR. Read more.
On April 3, 2018, the Financial Crimes Enforcement Network (FinCEN) issued new frequently asked questions (FAQs) regarding its customer due diligence rule (CDD Rule).
The CDD Rule applies to banks, broker-dealers in securities, mutual funds, futures commission merchants and introducing brokers in commodities (collectively, covered financial institutions or CFIs).
The CDD Rule includes four core elements of customer due diligence, each of which should be included in the anti-money-laundering (AML) program of a CFI: (1) customer identification and verification, (2) beneficial ownership identification and verification, (3) understanding the nature and purpose of customer relationships to develop a customer risk profile and (4) ongoing monitoring for reporting of suspicious transactions and, on a risk basis, maintaining and updating customer information. The second element — the beneficial ownership requirement — is new. FinCEN has described the other elements as preexisting AML program requirements for CFIs, although the third and fourth prongs were, at most, implicit requirements.
FinCEN issued new FAQs on the CDD Rule on July 19, 2016. These FAQs are timely because the May 11, 2018 compliance date for the CDD rule is fast approaching.
Here, we summarize several key takeaways regarding the beneficial owner requirement from the new FAQs.
On February 21, 2018, the U.S. Securities and Exchange Commission issued interpretive guidance (the Guidance) to assist public companies in drafting their cybersecuritydisclosures in SEC filings. See 83 FR 8166 (Feb. 26, 2018). In his public statement accompanying the issuance of this guidance, SEC Chairman Jay Clayton said he believed that “providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.”1 In this new guidance, the SEC is likely intending to signal how it may focus future enforcement concerning the cybersecurity disclosure obligations of public companies, and their underlying disclosure controls, procedures and certifications. (more…)