Commentaries

Bridging the Week by Gary DeWaal: April 15 – 19 and April 22, 2019 (Privacy Requirements No Secret; Not Quite the "Thrilla in Manila")

Jump to: AML and Bribery    Between Bridges    Bridging the Week    Compliance Weeds    Cybersecurity    My View    Position and Trade Reporting    Supervision    UK Regulation (sans Liquidity and Capital)   
Email Print
Published Date: April 21, 2019

The watchdog arm of the Securities and Exchange Commission – the Office of Compliance Inspections and Examinations – issued a Risk Alert summarizing breakdowns in compliance by broker-dealers and investment advisers of their obligations regarding customer information privacy notices and associated policies and procedures. Separately, the New York State Department of Financial Services and a recently declined applicant for a BitLicense engaged in a heated public brawl regarding the cause of the license declination. It was not commensurate with the excitement of the legendary 1975 "Thrilla in Manila" between Muhammad Ali and Joe Frazier, but the fireworks were extraordinarily dramatic by the standards of routine regulatory interactions in a non-litigation setting. As a result, the following matters are covered in this week’s edition of Bridging the Week:

Video Version:

Article Version

Briefly:

Among the most common deficiencies, said OCIE, were that registrants (1) did not provide initial or annual privacy notices or opt-out rights notices to customers; (2) did not have written policies and procedures designed to ensure the security and confidentiality of customer records and information to protect against their compromise; and (3) where policies and procedures existed, they were inadequate.

Under SEC Regulation S-P (click here to access), BDs, IAs and investment companies must provide a “clear and conspicuous” notice to customers describing their policies and practices by no later than when the customer relationship is initiated, and thereafter no less than annually. Such registrants must also provide a notice to each customer advising it of its right to opt out of some sharing of private customer personal information with nonaffiliated third parties. Impacted registrants must also maintain policies and procedures for customer records and information “reasonably designed” to ensure the material's security and confidentiality, protect against anticipated threats to such records’ and information’s integrity, and protect such records and information against unauthorized access that could cause material harm or inconvenience to any customer.

OCIE said that BD and IA policies and procedures did not always address (1) customer information stored on personal devices of registrants’ employees; (2) the transmission of emails containing customer personally identifiable information (PII) that might be unencrypted; (3) training and monitoring; (4) the sending of customer PII to locations outside of a registrant’s network; (5) the inventorying of all systems that contain PII; and (6) how a firm would address a cybersecurity incident. OCIE said that impacted registrants also did not always apply their policies and procedures in relationships with outside vendors. Sometimes customer PII was maintained in unsecured physical locations, customer log-in information was provided to more employees than authorized under the firm’s policies and procedures, and departed employees sometimes retained access to restricted customer information.

OCIE recommended that all registrants review their written policies and procedures to ensure their compliance with Regulation S-P.

In August 2017, OCIE issued a report saying that registrants “increased cybersecurity preparedness” since 2014 after reviewing 75 registrants, including BDs, IAs and investment companies. However, OCIE also concluded that firms’ cybersecurity policies and procedures were not uniformly tailored to their business because they were too vague or general and were not always followed or enforced. In some cases, policies and procedures did not reflect actual practices. (For background, click here for the article “SEC Watchdog Finds Cybersecurity Policies Better But Not Always Enforced” in the August 13, 2017 edition of Bridging the Week.)

Separately, the Commodity Futures Trading Commission adopted a final rule that eliminated the requirement for certain registrants to provide an annual privacy notice to all customers provided they solely share nonpublic information with nonaffiliated persons in certain enumerated circumstances, and they have not changed their policies and practices regarding the disclosure of nonpublic PPI since their most recently required privacy notice was provided to customers. (Click here for additional information regarding the CFTC final rule when it was in its proposed form in the article “NFA Proposes Guidance Amendments to Enhance Cybersecurity” in the December 9, 2018 edition of Bridging the Week.) The CFTC’s amended rule will be effective 30 days after it is published in the Federal Register.

Compliance Weeds: The CFTC maintains an equivalent set of rules as Regulation S-P with virtually identical requirements (click here to access CFTC Part 160). These rules apply to futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, swap dealers and major swap participants.

Additionally, both the SEC and CFTC require designated registrants to maintain an identity theft prevention program that aims to detect, prevent and mitigate identity theft in connection with the opening and maintenance of any covered account. This program must be appropriate in light of the size and complexity of the financial institution, and the nature and scope of its activities. A covered account includes an account for personal, family or household purposes that is intended to permit multiple payments or transactions. This includes a brokerage account or an account at an investment company. However, a covered account also includes any account at a financial institution “where there is a reasonable or foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.” (Click here to access the SEC’s Identity Theft Red Flags Rule (Regulation S-ID) and here for the CFTC’s equivalent set of rules (CFTC Part 162).)

Recently, the National Futures Association revised its 2016 requirement that members maintain a written Information Systems Security Program that addresses the risk of unauthorized access or attack on their information technology systems and how they would respond if attacked. The new amendments, effective April 1, 2019, modified requirements related to training, ISSP approval and notice to the NFA of cybersecurity incidents. (Click here for details in the article “NFA Proposes Guidance Amendments to Enhance Cybersecurity” in the December 9, 2018 edition of Bridging the Week.)

The consequences of not complying with specific regulatory edicts regarding customer information protection and not responding to cyber-hacks in a manner deemed appropriate by a regulator can be costly, and additionally result in reputational harm. Both the SEC and CFTC, as well as the UK Financial Conduct Authority, have brought enforcement actions against and fined registrants for not, in their view, responding appropriately in response to a cybersecurity breach, under either a specific prohibition or a general failure to supervise. (Click here for background in the article “UK Bank Fined GB £16.4 Million Related to Cyber‑Attack Because of Employee Breakdowns” and related Compliance Weeds in the October 14, 2018 edition of Bridging the Week.)

Earlier this year, the Financial Industry Regulatory Authority released a report on effective cybersecurity practices it observed at member firms related to branch office controls, phishing, insider threats, penetration testing and mobile devices. (Click here for details in the article “FINRA Publicizes Effective Practices at Members to Mitigate Cybersecurity Risks” in the January 6, 2019 edition of Bridging the Week.)

It’s always a good time for registrants to review the adequacy of their customer information protection and cybersecurity policies and procedures, and ensure programs mandated by such procedures are followed scrupulously. Training and testing should occur regularly.

(Click here for details of DFS’s action against Bittrex, and Bittrex’s public response at the time in the article “New York State Department of Financial Services Revokes Crypto Exchange’s Safe Harbor to Operate Without BitLicense” in the April 14, 2019 edition of Bridging the Week.) DFS’s principal office is in New York City.

In an article by Shirin Emami, the DFS’s Executive Deputy Superintendent for Banking, the agency castigated Bittrex’s defense of its conduct in a press statement on April 10, 2019. Ms. Emami claimed that Bittrex’s defense “continues to misstate the facts and it presents a misleading picture about the denial.” Ms. Emami said that Bittrex’s initial applications for licenses contained “many deficiencies” although NY DFS “repeatedly” advised Bittrex of regulatory requirements and how it could address its applications’ weaknesses. Ms. Emami claimed that DFS’s suggestions were generally rejected. According to Ms. Emami, “Bittrex made promises and representations to obtain virtual currency and money transmitter licenses in New York, was given every opportunity by DFS to meet the required regulatory requirements and was denied because it failed to deliver.”

Bittrex passionately disputed DFS’s new allegations, and concluded that “[t]he actions of the NY DFS show that it was focused on retribution rather than consumer protection.” In particular, Bittrex claimed that DFS’s criticism that its transaction monitoring system was manual was disingenuous; under applicable rule, noted Bittrex, transaction monitoring may be automated or manual. (Click here to access Rule 504.3(a) of the NY DFS Superintendent’s Regulations related to transaction monitoring.)

In other regulatory and legal developments involving cryptoassets:

According to FinCEN, Mr. Powers failed to adhere to applicable requirements when, from December 6, 2012 through September 24, 2014, he acted as an exchanger of virtual currency by buying and selling bitcoin to and from others, and conducted over 1,700 transactions as a money transmitter. FinCEN claimed that Mr. Powers continued to act as an unregistered money transmitter even after it published guidance on March 18, 2013 warning that persons in the business of exchanging convertible virtual currencies are money transmitters and must register as MSBs (click here to access the relevant FinCEN guidance). FinCEN also indicated that, during the relevant time, Mr. Powers “processed transactions that bore strong indicia of illicit activity” without reporting such activity. This included activity with customers doing business on the darknet website Silk Road – a location associated with illegal drug sales.

To resolve his enforcement action, Mr. Powers consented to pay a fine of US $35,000 and never to engage in activity that would constitute a money service business.

In the relevant consultation paper, the FCA observed that, while security tokens fall within its regulatory perimeter, cryptocurrencies (which the FCA labels “exchange tokens”) and utility tokens are likely outside its oversight. Notwithstanding, the FCA noted that certain payment tokens pegged to fiat currency (e.g., stablecoins) may be subject to UK requirements related to e-money and that under some circumstances, stablecoins pegged to fiat currencies, other commodities or assets (e.g., gold), or baskets of other cryptoassets may constitute securities if they resemble funds or a derivative. (Click here for details on the FCA’s prior consultation paper in the article “UK Financial Conduct Authority Proposes Guidance Regarding Cryptoassets; Says Cryptocurrencies and Utility Tokens Generally Outside Regulatory Perimeter” in the January 27, 2019 edition of Bridging the Week.)

In its business plan, the FCA said that, during the upcoming year, it will also provide technical guidance to Her Majesty’s Treasury regarding extending the regulatory perimeter to capture exchange and utility tokens, as well as to extend anti‑money laundering requirements to certain unspecified activities involving cryptoassets.

In addition to dealing with cryptoassets, the FCA also disclosed that its top priorities for 2019/2020 included continuing to help enhance financial services firms’ culture and governance; working to promote operational resiliency at regulated firms (e.g., cybersecurity), including “setting clear expectations on outsourcing to third party service providers;” and enhancing the FCA’s own anti-money laundering capabilities. During the upcoming year, the FCA plans to continue to support a “smooth” post-Brexit transition.

My View: The case for a single federal regulator of cryptocurrency exchanges is overwhelming. Today, jurisdiction over such entities is practically divided among FinCEN (which generally requires exchangers of virtual currency to be registered as money service businesses), the states (many of which require such entities to register as money transmitters or in an equivalent manner, or in the case of New York, also mandate such entities to obtain a so‑called “BitLicense”) and the Commodity Futures Trading Commission (which exercises anti-fraud and anti-manipulation authority over transactions involving spot virtual currencies but does not functionally regulate such transactions day-to-day). (Click here for a general discussion of federal and state jurisdictional issues involving cryptoassets in the article “Digital and Digitized Assets: Federal and State Jurisdictional Issues” by the American Bar Association Derivatives and Futures Law Committee (March 2019).)

Although most states view cryptocurrency exchanges’ activities as implicating their requirements for money transmitters, many states do not. (Click here, e.g., for background in the article “Cryptocurrency Exchange Not a Money Transmitter Says Pennsylvania” in the January 27, 2019 edition of Bridging the Week.) Moreover, except for New York, none of the states or FinCEN regulate cryptocurrency exchange activities as traditional exchange conduct. As a result, requirements for such entities tend to emphasize anti-money laundering and US government sanctions’ compliance and cyber security protections, as well as capital and bonding, as opposed to monitoring and protecting against manipulative trading.

To me, this hodgepodge approach is a big problem waiting to happen and creates a too-high barrier to entry for legitimate firms that wish to provide innovative cryptoasset trading solutions.

More Briefly:

For further information

Another International Bank Settles Alleged US Sanctions Violations:

Cryptoassets Among FCA Top Priorities for Upcoming Year:
https://www.fca.org.uk/publication/business-plans/business-plan-2019-20.pdf

FinCEN Sanctions Peer-to-Peer Virtual Currency Exchanger for Licensing and AML Violations:
https://www.fincen.gov/sites/default/files/enforcement_action/2019-04-18/Assessment%20Eric%20Powers%20Final%20for%20Posting%2004.18.19_1.pdf

FINRA Proposes Rule Changes for Transaction Reporting; SEC Approves FINRA Rule Authorizing Electronic Signatures for Discretionary Accounts:

SEC OCIE Makes No Secret of Need for Broker-Dealers and Investment Advisers to Up Their Procedures Regarding the Privacy of Customer Records and Information:
https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf

Thrilla in Manhattan – NY Regulator and Declined BitLicense Applicant Engage in Extraordinary Public Brawl in Media Blog:
https://www.coindesk.com/nydfs-why-we-rejected-bittrexs-application-for-a-bitlicense

The information in this article is for informational purposes only and is derived from sources believed to be reliable as of April 20, 2019. No representation or warranty is made regarding the accuracy of any statement or information in this article. Also, the information in this article is not intended as a substitute for legal counsel, and is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The impact of the law for any particular situation depends on a variety of factors; therefore, readers of this article should not act upon any information in the article without seeking professional legal counsel. Katten Muchin Rosenman LLP may represent one or more entities mentioned in this article. Quotations attributable to speeches are from published remarks and may not reflect statements actually made. Views of the author may not necessarily reflect views of Katten Muchin or any of its partners or other employees.

Recent Commentaries

Categories

Archives



ABOUT GARY DEWAAL

Gary DeWaal

Gary DeWaal is currently Special Counsel with Katten Muchin Rosenman LLP in its New York office focusing on financial services regulatory matters. He provides advisory services and assists with investigations and litigation.


Social Media:

ABOUT KATTEN

Katten is a firm of first choice for clients seeking sophisticated, high-value legal services in the United States and abroad.

Our nationally recognized practices include corporate, financial services, litigation, real estate, environmental, commercial finance, insolvency and restructuring, intellectual property, and trusts and estates.

Our approximately 650 attorneys serve public and private companies, including nearly half of the Fortune 100, as well as a number of government and nonprofit organizations and individuals.

We provide full-service legal advice from locations across the United States and in London and Shanghai.

CONTACT US

Gary DeWaal
Katten Muchin Rosenman LLP
575 Madison Avenue
New York, NY 10022-2585

+1.212.940.6558




Request Information »

Join Mailing List »