As the financial services sector becomes ever more reliant on new technologies to decrease costs and create more efficient systems, it becomes more vulnerable to cyber attacks. On October 11, 2016, the Group of Seven (“G7”) industrial nations agreed on a set of guidelines to combat the cyber risks that are “growing more dangerous and diverse, [and] threatening to disrupt our interconnected global financial systems and the institutions that operate and support those systems.” These issues have been particularly visible following a number of high profile cybersecurity attacks at financial institutions.
On Sept. 6, the Hong Kong Monetary Authority (the HKMA) announced two initiatives targeted at raising Hong Kong’s profile as a fintech hub: the setting up of the Fintech Innovation Hub (the Hub) and the Fintech Supervisory Sandbox (the Sandbox).
On September 13, 2016, the New York State Department of Financial Services (“NYDFS”) proposed regulations outlining minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Proposed Regulations”). The NYDFS regulates entities and products that are subject to New York insurance, banking and financial services laws. Because the scope of the Proposed Regulations includes any entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law,” the Proposed Regulations will cover a broad range of entities in the banking, insurance and financial services industries, including insurance producers and premium finance companies.
Securities and Exchange Commission Chair Mary Jo White emphasized the agency’s focus on cybersecurity preparedness and response at a conference in Washington, D.C. in mid May, stating “we can’t do enough in this sector.” Reuters reports that Chair White views cybersecurity as the biggest risk facing the financial system, quoting her as saying that “what we [have] found…is a lot of preparedness, a lot of awareness but also….policies and procedures [that] are not tailored to [entities’] particular risks.”
On May 24-25, 2016, the Cybersecurity (EX) Task Force of the National Association of Insurance Commissioners (NAIC) held a two-day interim meeting in Washington, D.C. to discuss the Task Force’s preliminary draft of a model law outlining data security standards applicable to insurance licensees. The Draft Insurance Data Security Model Law (“the Draft Model Law”), first released for public comment on March 2, 2016, would apply to all licensed insurers, producers and other persons licensed or required to be licensed (or authorized or required to be authorized, or registered or required to be registered) pursuant to state insurance laws (“Insurance Licensees”).
On May 17, 2016, the European Council formally adopted the Network and Information Security Directive (the “NIS Directive“) at first reading. According to the Council press release, the NIS Directive is meant to increase cooperation among EU Member States on the vital issues of cybersecurity.
The NIS Directive was first proposed by the European Commission in 2013 as part of the EU’s Cyber Security Strategy. The formal adoption of the NIS Directive by the Council follows on from the political agreement reached in December 2015. It must now be approved by the Parliament at second reading. The NIS Directive is expected to enter into force in August 2016, after which Member States will have 21 months to implement it into their national laws.
On Monday, May 16, the Supreme Court addressed the question of whether an alleged violation of the Fair Credit Reporting Act (FCRA), without allegation of concrete injury, is ever sufficient for Article III standing. The case, Spokeo Inc. v. Robbins, No. 13-1339 (2016), involved a class action against data broker Spokeo Inc.. The plaintiff, Thomas Robins, alleged that Spokeo violated the FCRA by inaccurately reporting online that he was a wealthy, married man with children and a graduate degree when he was actually unmarried and out of work. He argued that those inaccuracies could have hurt his chances with potential employers. The district court dismissed Mr. Robins’s case for failure to show any actual harm from the false information, but in 2014, the U.S. Court of Appeals for the Ninth Circuit allowed the case to move forward based on its analysis that Mr. Robins’s injury allegation was particularized because he alleged that Spokeo violated his individual rights when it handled his information.
On March 21, the federal banking agencies and the Financial Crimes Enforcement Network (collectively, the Agencies) published interagency guidance to issuing banks on the application of the joint regulations implementing the customer identification program (CIP) requirements set forth in Section 326 of the USA PATRIOT Act (the CIP Rule) to their prepaid cards. The guidance clarifies that a bank should apply its CIP to the cardholders of certain prepaid cards issued by the bank and other prepaid access devices that meet the criteria in the guidance. The guidance is largely consistent with current industry practice.
On January 5, the Financial Industry Regulatory Authority (FINRA) released its annual Regulatory and Examination Priorities Letter (Letter) to highlight risks that FINRA believes could adversely affect investors and market integrity. This year’s Letter differs from those in the past in focusing on three broad, principle-based concerns in addition to the usual list of narrowly focused areas that examiners will certainly review. These broad areas are 1) culture, conflicts of interest and ethics; 2) supervision, risk management and controls; and 3) liquidity. The discussion is helpful because it explains FINRA’s overarching concerns, philosophy and its potential basis for pursuing enforcement actions. Firms should read this discussion carefully and internalize its principles. Firms should be able to document and demonstrate to FINRA their appropriate regulatory and ethical culture and how they actively identify and manage potential conflicts of interest. Likewise, in today’s highly automated and data-dependent markets, firms must be able to demonstrate that their procedures and policies related to cybersecurity, technology management and data quality are up to date, adequately resourced and strictly followed.
On December 17, 2015, the Executive/Plenary Committees of the National Association of Insurance Commissioners (NAIC) unanimously adopted an amended version of the Cybersecurity “Bill of Rights.” Renamed the “NAIC Roadmap for Cybersecurity Consumer Protections,” the document now states that while the NAIC believes consumers are entitled to the delineated protections, not all are currently provided for under state law.