Cybersecurity attacks have increasingly garnered significant attention this summer—and financial regulators are taking notice and taking action. Earlier in August, the Securities and Exchange Commission (“SEC”) announced the indictment of nine players in a major hacking ring. The ring was designed to obtain corporate announcements prior to their public release, to give purchasers of the illegally obtained information an edge in securities trading. The attack combined old-school securities fraud with new-school cybercrime, and served as a reminder of financial markets’ potential vulnerabilities from the ingenuity of cybercriminals.
On April 10, 2015, the FTC closed its data security investigation of a securities firm after one of its employees moved the personal information of certain of the firm’s wealth management clients to personal devices and a personal website. Ultimately, the personal data became available on publicly accessible websites.
SEC Launches Cybersecurity Examination Initiative – Promoting Cyber Preparedness
On April 15, 2014, the Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert announcing that the agency will be examining 50 registered broker-dealers and investment advisers in order to assess cybersecurity preparedness in the securities industry. The announcement was accompanied by a sample request for information and documents. According to OCIE, the examinations will focus on “cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.”
Global Banking & Finance Review
Over two years ago, in January 2012, the European Parliament published a proposal for an EU Regulation on Data Protection (the Regulation) to replace the current European Data Protection Directive. Whilst the Regulation raises significant issues for all industries, the financial services sector has been particularly concerned given the billions of financial records and transactions handled yearly. Due to its potential impact, the proposed Regulation has been one of the most lobbied pieces of European legislation in European Union history. According to reports, the European Parliament’s Civil Liberties Committee, which has been negotiating the Regulation, has received over 4,000 amendments.
Recent data breaches at retailers like Target have increased awareness about growing cybersecurity threats. Broker-dealers in particular need to reevaluate their own cybersecurity preparedness in light of several recent events:
- FINRA’s launch of a cybersecurity sweep, publicly announced on the FINRA website on February 6, 2014;
- The inclusion of cybersecurity as a priority in the SEC’s National Examination Program for 2014 and FINRA’s 2014 Annual Regulatory and Examination Priorities Letter;
- The White House’s February 12, 2014 release of the much-anticipated Framework for Improving Critical Infrastructure Cybersecurity; and
- An upcoming SEC public roundtable on cybersecurity issues, to be held in Washington, DC on March 26, 2014.
The EU Commission has stated it believes that between 2001 and 2003, the number of people engaged in business online will have trebled and the number of transactions to buy and sell goods and/or services over the Internet will have multiplied by twenty. The UK’s Department of Trade and Industry estimates that the e-commerce industry is worth in excess of £57 billion in the UK alone. One of the difficulties experienced by businesses that wish to conduct e-commerce is the increasing need to know not just about the legal requirements of their own jurisdiction, but also the legal requirements of those jurisdictions where their customers are located. For consumers, meanwhile, one of the biggest hurdles is the continued lack of trust and confidence in the Internet as a means of purchasing goods and services.
In order to encourage consumer confidence in buying goods and services over the Internet, the EU has adopted Directive EC 97/7 on the protection of consumers in respect to distance contracts (the “Distance Selling Directive”). In the UK, the Distance Selling Directive has been implemented by The Consumer Protection (Distance Selling) Regulations 2000 (“the Regulations”). The Distance Selling Directive provides an agreed minimum level of consumer protection throughout the EU, requiring businesses to provide certain information to consumers before and after ordering goods and services at a distance, such as over the Internet or by phone, providing consumers with rights of withdrawal, and regulating certain marketing methods.
The Directive regarding the distance marketing of consumer financial services is an essential part of the Commission’s strategy to develop an internal market for retail financial services. The strategy, as set out in the Commission’s Communication on E-Commerce and Financial Services, is part of the Financial Services Action Plan. This sets out the Commission’s wider goal of creating a fully integrated European market in financial services by 2005 to complement the introduction of the euro. The aim of the Directive is to harmonise Member States’ rules on the distance marketing of consumer financial services, thereby raising the level of consumer protection whilst enabling service providers to market their services across the EU without unnecessary obstacles.
This paper will deal with the application of:
- section 21 of the Financial Services and Markets Act 2000 (the “FSMA”);
- the Financial Services and Markets Act 2000 (Financial Promotion) Order 2001 (the “Financial Promotion Order”) and amendments thereto; and
- the financial promotion rules in the Conduct of Business Sourcebook (“COBS”).
This paper is intended to give an overview of the main aspects of the above rules and how they apply to online financial promotions.