Cybersecurity

This past week, co-defendants in a class action related to the theft of cryptocurrency engaged in their own lawsuit over alleged security failures.  IRA Financial Trust, a retirement account provider offering crypto-assets, sued class action co-defendant Gemini Trust Company, LLC, a crypto-asset exchange owned by the Winklevoss twins, following a breach of IRA customer accounts.  IRA claims that Gemini failed to secure a “master key” to IRA’s accounts, and that hackers were able to exploit this alleged security flaw to steal tens of millions of dollars of cryptocurrency.  This lawsuit demonstrates the growing trend of cryptocurrency thefts resulting from cyber breaches, and ensuing litigation activity.

Continue Reading Litigation Between FinTech Companies Follows Class Action Over Cryptocurrency Theft

On February 26, 2020, the Consumer Financial Protection Bureau hosted a symposium titled “Consumer Access to Financial Records.”  Video of the Symposium is available here.  The agenda included discussion among panelists from large financial institutions, fintechs, consumer groups, policy centers, and the CFPB.  Director Kathleen L. Kraninger also delivered brief opening remarks describing the history of regulation of financial data access.

Much of the symposium’s discussion focused on Section 1033 of the Dodd-Frank Act, which governs consumers’ rights to access their financial data.  While the CFPB has the authority to issue rules interpreting Section 1033, it has not done so (although it has issued non-binding “Consumer Protection Principles” on financial data sharing and aggregation).

Continue Reading CFPB Hosts Symposium on Consumer Access to Financial Records

On February 12, 2020, the Board of the International Organization of Securities Commissions (“IOSCO”) released a report titled Issues, Risks and Regulatory Considerations Relating to Crypto-Asset Trading Platforms.  The report describes the risks associated with crypto-asset trading platforms (“CTPs”) and sets forth key considerations for regulators in addressing such risks.  IOSCO is an association of primary securities and futures regulators from over 100 different nations.  The U.S. Securities and Exchange Commission and the Commodity Futures Trading Commission are ordinary and associate members, respectively, of IOSCO.

To prepare this report, IOSCO first issued a consultation report on May 28, 2019, which included a survey of the approaches member jurisdictions were currently undertaking or considering with respect to CTPs.  The final report draws upon the consultation report and includes a summary of the survey’s findings.

The report notes that many of the issues and risks associated with trading on CTPs are similar to the issues and risks associated with trading traditional securities or financial instruments on trading venues.  Consequently, IOSCO states that the three core objectives of securities regulation are relevant in the crypto-asset context.  The three core objectives are: (1) protection of investors; (2) ensuring that markets are fair, efficient and transparent; and (3) reduction of systemic risk.  Supporting these objectives are principles that foster efficient markets, including: effective price discovery, appropriate transparency, market integrity, and fair access.  The final report, to assist regulators in evaluating CTPs under their purview, sets forth the following list of key considerations:

Continue Reading IOSCO Issues Report on Risks Relating to Crypto-Asset Trading Platforms

On December 4, 2018, the Federal Trade Commission (“FTC”) announced that it is accepting public comments regarding its Identity Theft Detection Rules, 16 C.F.R. Part 681 (the “Rules”), as part of a systematic review of the Commission’s regulations and guidelines. The review of the Rules is particularly noteworthy because identity theft is among the top consumer complaints to the FTC, and has been an enforcement priority for the FTC’s Bureau of Consumer Protection.

Continue Reading FTC Solicits Public Comment on Identity Theft Detection Rules

Blockchain is a powerful innovation that is poised to bring substantial positive change to the financial services industry as well as many other industries.  Despite such promise, blockchain, like any emerging financial services technology, must be evaluated from the perspective of cybersecurity risk – both to an individual financial institution and to the broader and

On February 21, 2018, the U.S. Securities and Exchange Commission (the “Commission”) approved a statement and interpretive guidance that provides the Commission’s views on a public company’s disclosure obligations concerning cybersecurity risks and incidents (the “2018 Commission Guidance”). This guidance reinforces and expands upon previous cybersecurity disclosure guidance issued by the Division of Corporation Finance (the “Staff”) in October 2011 (the “2011 Staff Guidance”).  The 2018 Commission Guidance also focuses on two additional issues: (i) maintenance of comprehensive policies and procedures related to cybersecurity, including sufficient disclosure controls and procedures, and (ii) insider trading in the cybersecurity context.

Continue Reading SEC Adopts New Guidance on Public Company Cybersecurity Disclosures and Insider Trading

Following the Equifax data breach in 2017, there has been heightened awareness surrounding how credit reporting agencies handle consumers’ personal information. At the same time, recent high-profile attacks, such as the “WannaCry” ransomware attacks, have focused media and regulatory attention on vulnerabilities associated with unpatched systems. In response to these two concerns, on January 10,

Acting CFPB Director Mick Mulvaney made three important announcements this week.  First, on December 4, he announced a suspension of the agency’s collection of consumers’ personal information due to concerns about cybersecurity. Mulvaney, who said he is taking data security “very, very seriously” according to The Wall Street Journal report (paywall), explained that the Bureau should first hold itself accountable and ensure it has a rigorous data-security program before expecting the same from the financial services industry it oversees. In addition, Mulvaney revealed two of his immediate priorities for the Bureau under his leadership: hiring senior political appointees to work with the heads of the independent agency’s main divisions and reviewing more than 100 pending CFPB enforcement cases.

Continue Reading CFPB Acting Director Institutes Suspension of Data Collection, Reveals Plans to Bring in More Political Appointees, and Announces Review of Pending Enforcement Matters

On September 6, 2017, the Federal Reserve System (“FRS”) published a paper that identifies updated strategies and tactics for improving the U.S. payments system. The paper, entitled Strategies for Improving the U.S. Payment System: Federal Reserve Next Steps in the Payments Improvement Journey, refines the strategies set forth in a previous FRS paper, Strategies for Improving the U.S. Payment System, published in January 2015, and outlines nine tactics the FRS intends to pursue to advance progress on payment system improvements. The tactics fall into three broad categories: FRS service enhancements, FRS research, and industry collaboration efforts.

The new FRS paper retains without substantive change three of the five strategies outlined in the 2015 paper: speed, security, and collaboration. The fourth strategy outlined in the 2015 paper focused on achieving greater end-to-end efficiency for domestic and cross-border payments. The new paper divides this prior strategy into separate domestic and international components as follows: (1) efficiency—achieving greater end-to-end efficiency for domestic payments; and (2) international—working to enhance the timeliness, cost effectiveness, and convenience of cross-border payments. The tempered expectations for improving cross-border payments reflect concerns about compliance with anti-money laundering, terrorist financing, and economic sanctions requirements. The FRS also decided against enhancing the Fedwire Funds Service to make it easier for participating institutions to send cross-border payments.

The fifth strategy outlined in the 2015 paper—enhancing FRS payments, settlement and risk management services—has been eliminated. Instead, the FRS recharacterizes as tactics two types of potential enhancements to FRS services. First, the FRS will pursue enhancements to FRS settlement services to support real-time retail payments, such as assessing the demand for weekend hours. Second, the FRS will explore and assess the need, if any, for the FRS to engage as a service provider in areas beyond providing settlement services in a faster payments ecosystem. The American Banker reported that, while industry stakeholders generally support enhancements to the FRS’s settlement services, an expanded FRS role as a service provider is more controversial, with support from small banks and credit unions and resistance from larger institutions.

Continue Reading Federal Reserve Updates Strategies and Tactics for Promoting Payment System Improvements