How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

(more…)

The Future of UK Open Banking: Joint Regulatory Oversight Committee Issues Recommendations

The committee of government and regulatory authorities responsible for open banking in the UK has set out its plans and timeframes for expanding and developing infrastructure, standards, and processes for the sector. Central among these are proposals to improve the performance of interfaces among relevant firms, mitigate financial crime risks, and ensure that end users receive sufficient information and are protected if something goes wrong. This Sidley Update summarises the proposals and key points for firms.

(more…)

Regulatory Update: National Association of Insurance Commissioners Spring 2023 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Spring 2023 National Meeting (Spring Meeting) March 21–25, 2023. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include continued development of accounting principles and investment limitations related to certain types of bonds and structured securities, continued discussion of considerations related to private equity (PE) ownership of insurers, new initiatives to address innovation and technology in the insurance sector, and continued development of a new consumer privacy protections model law.

(more…)

Broker-Dealers and Investment Advisers Should Double-Check Their “Identity Theft” Programs: SEC Division of Examinations Issues Risk Alert on SEC’s Identity Theft Red Flags Rule, Regulation S-ID

On December 5, 2022, the Division of Examinations of the Securities and Exchange Commission (SEC) released a Risk Alert discussing its observations on Regulation S-ID (Reg. S-ID) from recent examinations of SEC-registered investment advisers and broker-dealers.  Reg. S-ID, the SEC’s implementation of the identity theft red flags rule, requires SEC-regulated financial institutions and creditors to develop and implement an identity theft prevention program (Program) with written policies and procedures that are updated periodically.  The requirements for the Program are outlined in the text of Reg. S-ID, and there are guidelines in Appendix A to assist firms in creating and maintaining a compliant Program.  As Reg. S-ID applies to both SEC and Commodity Futures Trading Commission-regulated entities, financial institutions and creditors should consider their compliance programs accordingly.

(more…)

NY DFS Proposes New Class of Entities and More Detailed Regulations in Second Amendment to Cybersecurity Regulations

On November 9, 2022, the New York Department of Financial Services (DFS) published its proposed second amendment to its cybersecurity regulations (23 NY CRR Part 500). This proposal follows a July 29 pre-proposal and comment period. The amendment is available for a sixty-day comment period – until January 9, 2023 – after which the agency may adopt final regulations or issue a further revised version.

(more…)

CFPB Begins Rulemaking on Data Access and Portability

The Consumer Financial Protection Bureau (CFPB) on October 27, 2022 took the long-anticipated first step to issue a regulation implementing Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. This followed a preview by CFPB Director Rohit Chopra at the Money 20/20 conference on October 25 in which he outlined the “CFPB’s new approach to regulation,” which is designed to create “catalysts for more competition.” With respect to Section 1033, Director Chopra said that the CFPB is “exploring safeguards to prevent excessive control or monopolization by one, or even a handful of, firms” and will be working toward avoiding regulations that could be “rigged in favor of some players over others.” Director Chopra’s focus on competition as an essential element of consumer protection has been a hallmark of his directorship.

Data Matters: The Declaration for the Future of the Internet

On April 28, 2022, the White House announced, in partnership with 60 global partners, the launch of the Declaration for the Future of the Internet, also known as the “DFI.”

According to the White House briefing, the Declaration sets forth the shared principles regarding how parties should comport themselves with respect to the Internet, the digital ecosystem, and the digital economy. The Declaration affirms that the signatories are committed to defending the Internet, to governing it by a multi-stakeholder approach, and to promoting an open, free, global, interoperable, reliable, and secure Internet for the world. The State Department’s newly formed Bureau of Cyberspace and Digital Policy put out a nearly identical statement. (more…)

EU Data Governance Act – Edging Closer to a European Single Market for Data

On 6 April 2022, the European Parliament formally approved the Data Governance Act (“DGA”), which establishes a legal framework to promote the availability of data and increase trust in data sharing across sectors in the EU. Some of the key objectives of the new legislation include enabling the re-use of certain categories of protected public sector data and making it easier and safer for citizens and businesses to share their data with relevant stakeholders. (more…)

Data Protection in Financial Services Week 2022

WEBINAR

From February 28-March 3, Sidley and OneTrust DataGuidance hosted their annual Data Protection in Financial Services (DPFS) Week, a series of webinars looking at the impacts of data privacy across the financial sector. Industry speakers covered a range of issues including:

  • How the latest privacy and cybersecurity developments in Europe and the U.S. have impacted financial services
  • How new and existing privacy and cyber requirements intersect with finance-specific regulation
  • What financial organizations can do to keep ahead of the curve in the ever-evolving data privacy and cyber landscape
  • How to deal with and manage the key issues for 2022, such as AI, data governance, and international transfers

(more…)

U.S. Federal Bank Regulators Require Notifications For Material Cybersecurity Incidents

On November 18, 2021, a group of federal bank regulators announced a final rule requiring banks to notify their primary federal regulator of any “significant computer-security incidents.” Regulators must be notified no later than 36 hours after the bank has determined that the incident triggers the rule’s notification requirement. Further, bank service providers are now required to promptly notify all affected banks whenever a cybersecurity disruption lasts for four or more hours. (more…)