Bridging the Week by Gary DeWaal: April 15 – 19 and April 22, 2019 (Privacy Requirements No Secret; Not Quite the "Thrilla in Manila")
The watchdog arm of the Securities and Exchange Commission – the Office of Compliance Inspections and Examinations – issued a Risk Alert summarizing breakdowns by broker-dealers and investment advisers in complying with their obligations regarding customer information privacy notices and associated policies and procedures. Separately, the New York State Department of Financial Services and a recently declined applicant for a BitLicense engaged in a heated public brawl regarding the cause of the license declination. It was not commensurate with the excitement of the legendary 1975 "Thrilla in Manila" between Muhammad Ali and Joe Frazier, but the fireworks were extraordinarily dramatic by the standards of routine regulatory interactions in a non-litigation setting. As a result, the following matters are covered in this week’s edition of Bridging the Week:
- SEC OCIE Makes No Secret of Need for Broker-Dealers and Investment Advisers to Up Their Procedures Regarding the Privacy of Customer Records and Information (includes Compliance Weeds);
- Thrilla in Manhattan – NY Regulator and Declined BitLicense Applicant Engage in Extraordinary Public Brawl in Media Blog (includes My View); and more.
- SEC OCIE Makes No Secret of Need for Broker-Dealers and Investment Advisers to Up Their Procedures Regarding the Privacy of Customer Records and Information: The Office of Compliance Inspections and Examinations of the Securities and Exchange Commission issued a Risk Alert, describing issues it detected during recent inspections at SEC-registered broker-dealers and investment advisers related to requirements regarding privacy notices to customers, as well as policies designed to safeguard customer records and information.
Among the most common deficiencies, said OCIE, were that registrants (1) did not provide initial or annual privacy notices or opt-out rights notices to customers; (2) did not have written policies and procedures designed to ensure the security and confidentiality of customer records and information to protect against their compromise; and (3) where policies and procedures existed, they were inadequate.
Under SEC Regulation S-P (click here to access), BDs, IAs and investment companies must provide a “clear and conspicuous” notice to customers describing their policies and practices by no later than when the customer relationship is initiated, and thereafter no less than annually. Such registrants must also provide a notice to each customer advising it of its right to opt out of some sharing of private customer personal information with nonaffiliated third parties. Impacted registrants must also maintain policies and procedures for customer records and information “reasonably designed” to ensure the material's security and confidentiality, protect against anticipated threats to such records’ and information’s integrity, and protect such records and information against unauthorized access that could cause material harm or inconvenience to any customer.
OCIE said that BD and IA policies and procedures did not always address (1) customer information stored on personal devices of registrants’ employees; (2) the transmission of emails containing customer personally identifiable information (PII) that might be unencrypted; (3) training and monitoring; (4) the sending of customer PII to locations outside of a registrant’s network; (5) the inventorying of all systems that contain PII; and (6) how a firm would address a cybersecurity incident. OCIE said that impacted registrants also did not always apply their policies and procedures in relationships with outside vendors. Sometimes customer PII was maintained in unsecured physical locations, customer log-in information was provided to more employees than authorized under the firm’s policies and procedures, and departed employees sometimes retained access to restricted customer information.
OCIE recommended that all registrants review their written policies and procedures to ensure their compliance with Regulation S-P.
In August 2017, OCIE issued a report saying that registrants “increased cybersecurity preparedness” since 2014 after reviewing 75 registrants, including BDs, IAs and investment companies. However, OCIE also concluded that firms’ cybersecurity policies and procedures were not uniformly tailored to their business because they were too vague or general and were not always followed or enforced. In some cases, policies and procedures did not reflect actual practices. (For background, click here for the article “SEC Watchdog Finds Cybersecurity Policies Better But Not Always Enforced” in the August 13, 2017 edition of Bridging the Week.)
Separately, the Commodity Futures Trading Commission adopted a final rule that eliminated the requirement for certain registrants to provide an annual privacy notice to all customers, provided they solely share nonpublic information with nonaffiliated persons in certain enumerated circumstances and they have not changed their policies and practices regarding the disclosure of nonpublic PII since their most recently required privacy notice was provided to customers. (Click here for additional information regarding the CFTC final rule when it was in its proposed form in the article “NFA Proposes Guidance Amendments to Enhance Cybersecurity” in the December 9, 2018 edition of Bridging the Week.) The CFTC’s amended rule will be effective 30 days after it is published in the Federal Register.
Compliance Weeds: The CFTC maintains an equivalent set of rules as Regulation S-P with virtually identical requirements (click here to access CFTC Part 160). These rules apply to futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, swap dealers and major swap participants.
Additionally, both the SEC and CFTC require designated registrants to maintain an identity theft prevention program that aims to detect, prevent and mitigate identity theft in connection with the opening and maintenance of any covered account. This program must be appropriate in light of the size and complexity of the financial institution, and the nature and scope of its activities. A covered account includes an account for personal, family or household purposes that is intended to permit multiple payments or transactions. This includes a brokerage account or an account at an investment company. However, a covered account also includes any account at a financial institution “where there is a reasonable or foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.” (Click here to access the SEC’s Identity Theft Red Flags Rule (Regulation S-ID) and here for the CFTC’s equivalent set of rules (CFTC Part 162).)
Recently, the National Futures Association revised its 2016 requirement that members maintain a written Information Systems Security Program that addresses the risk of unauthorized access or attack on their information technology systems and how they would respond if attacked. The new amendments, effective April 1, 2019, modified requirements related to training, ISSP approval and notice to the NFA of cybersecurity incidents. (Click here for details in the article “NFA Proposes Guidance Amendments to Enhance Cybersecurity” in the December 9, 2018 edition of Bridging the Week.)
The consequences of not complying with specific regulatory edicts regarding customer information protection, and of not responding to cyber-hacks in a manner deemed appropriate by a regulator, can be costly and can additionally result in reputational harm. Both the SEC and CFTC, as well as the UK Financial Conduct Authority, have brought enforcement actions against and fined registrants for failing, in their view, to respond appropriately to a cybersecurity breach, under either a specific prohibition or a general failure to supervise. (Click here for background in the article “UK Bank Fined GB £16.4 Million Related to Cyber‑Attack Because of Employee Breakdowns” and related Compliance Weeds in the October 14, 2018 edition of Bridging the Week.)
Earlier this year, the Financial Industry Regulatory Authority released a report on effective cybersecurity practices it observed at member firms related to branch office controls, phishing, insider threats, penetration testing and mobile devices. (Click here for details in the article “FINRA Publicizes Effective Practices at Members to Mitigate Cybersecurity Risks” in the January 6, 2019 edition of Bridging the Week.)
It’s always a good time for registrants to review the adequacy of their customer information protection and cybersecurity policies and procedures, and ensure programs mandated by such procedures are followed scrupulously. Training and testing should occur regularly.
- Thrilla in Manhattan – NY Regulator and Declined BitLicense Applicant Engage in Extraordinary Public Brawl in Media Blog: In an extraordinary public sparring match through Coindesk’s daily blog on April 18, 2019, the New York State Department of Financial Services provided further insight into why, two weeks ago, it suspended Bittrex, Inc. from operating in New York as a cryptoasset exchange and denied it a BitLicense and money transmitter license. In response on the same blog post, Bittrex attacked the DFS for “overstepping its regulatory authority and changing rules and guidelines on the fly.”
(Click here for details of DFS’s action against Bittrex, and Bittrex’s public response at the time in the article “New York State Department of Financial Services Revokes Crypto Exchange’s Safe Harbor to Operate Without BitLicense” in the April 14, 2019 edition of Bridging the Week.) DFS’s principal office is in New York City.
In an article by Shirin Emami, the DFS’s Executive Deputy Superintendent for Banking, the agency castigated Bittrex’s defense of its conduct in a press statement on April 10, 2019. Ms. Emami claimed that Bittrex’s defense “continues to misstate the facts and it presents a misleading picture about the denial.” Ms. Emami said that Bittrex’s initial applications for licenses contained “many deficiencies” although NY DFS “repeatedly” advised Bittrex of regulatory requirements and how it could address its applications’ weaknesses. Ms. Emami claimed that DFS’s suggestions were generally rejected. According to Ms. Emami, “Bittrex made promises and representations to obtain virtual currency and money transmitter licenses in New York, was given every opportunity by DFS to meet the required regulatory requirements and was denied because it failed to deliver.”
Bittrex passionately disputed DFS’s new allegations, and concluded that “[t]he actions of the NY DFS show that it was focused on retribution rather than consumer protection.” In particular, Bittrex claimed that DFS’s criticism that its transaction monitoring system was manual was disingenuous; under the applicable rule, noted Bittrex, transaction monitoring may be automated or manual. (Click here to access Rule 504.3(a) of the NY DFS Superintendent’s Regulations related to transaction monitoring.)
In other regulatory and legal developments involving cryptoassets:
- FinCEN Sanctions Peer-to-Peer Virtual Currency Exchanger for Licensing and AML Violations: The Financial Crimes Enforcement Network of the US Department of Treasury brought and settled an enforcement action against Eric Powers for failing to register as a money service business (MSB), having no written anti-money laundering or related policies or procedures, and not reporting suspicious transactions and certain currency transactions, all as required by applicable law.
According to FinCEN, Mr. Powers failed to adhere to applicable requirements when, from December 6, 2012 through September 24, 2014, he acted as an exchanger of virtual currency by buying and selling bitcoin to and from others, and conducted over 1,700 transactions as a money transmitter. FinCEN claimed that Mr. Powers continued to act as an unregistered money transmitter even after it published guidance on March 18, 2013 warning that persons in the business of exchanging convertible virtual currencies are money transmitters and must register as MSBs (click here to access the relevant FinCEN guidance). FinCEN also indicated that, during the relevant time, Mr. Powers “processed transactions that bore strong indicia of illicit activity” without reporting such activity. This included activity with customers doing business on the darknet website Silk Road – a location associated with illegal drug sales.
To resolve his enforcement action, Mr. Powers consented to pay a fine of US $35,000 and never to engage in activity that would constitute a money service business.
- Cryptoassets Among FCA Top Priorities for Upcoming Year: The UK Financial Conduct Authority said in its 2019/2020 business plan issued last week that sometime during the upcoming year, it will publish a feedback summary and issue finalized perimeter guidance in response to its consultation paper on cryptoassets issued earlier this year.
In the relevant consultation paper, the FCA observed that, while security tokens fall within its regulatory perimeter, cryptocurrencies (which the FCA labels “exchange tokens”) and utility tokens are likely outside its oversight. Notwithstanding, the FCA noted that certain payment tokens pegged to fiat currency (e.g., stablecoins) may be subject to UK requirements related to e-money and that under some circumstances, stablecoins pegged to fiat currencies, other commodities or assets (e.g., gold), or baskets of other cryptoassets may constitute securities if they resemble funds or a derivative. (Click here for details on the FCA’s prior consultation paper in the article “UK Financial Conduct Authority Proposes Guidance Regarding Cryptoassets; Says Cryptocurrencies and Utility Tokens Generally Outside Regulatory Perimeter” in the January 27, 2019 edition of Bridging the Week.)
In its business plan, the FCA said that, during the upcoming year, it will also provide technical guidance to Her Majesty’s Treasury regarding extending the regulatory perimeter to capture exchange and utility tokens, as well as to extend anti‑money laundering requirements to certain unspecified activities involving cryptoassets.
In addition to dealing with cryptoassets, the FCA also disclosed that its top priorities for 2019/2020 included continuing to help enhance financial services firms’ culture and governance; working to promote operational resiliency at regulated firms (e.g., cybersecurity), including “setting clear expectations on outsourcing to third party service providers;” and enhancing the FCA’s own anti-money laundering capabilities. During the upcoming year, the FCA plans to continue to support a “smooth” post-Brexit transition.
My View: The case for a single federal regulator of cryptocurrency exchanges is overwhelming. Today, jurisdiction over such entities is practically divided among FinCEN (which generally requires exchangers of virtual currency to be registered as money service businesses), the states (many of which require such entities to register as money transmitters or in an equivalent manner, or in the case of New York, also mandate such entities to obtain a so‑called “BitLicense”) and the Commodity Futures Trading Commission (which exercises anti-fraud and anti-manipulation authority over transactions involving spot virtual currencies but does not functionally regulate such transactions day-to-day). (Click here for a general discussion of federal and state jurisdictional issues involving cryptoassets in the article “Digital and Digitized Assets: Federal and State Jurisdictional Issues” by the American Bar Association Derivatives and Futures Law Committee (March 2019).)
Although most states view cryptocurrency exchanges’ activities as implicating their requirements for money transmitters, many states do not. (Click here, e.g., for background in the article “Cryptocurrency Exchange Not a Money Transmitter Says Pennsylvania” in the January 27, 2019 edition of Bridging the Week.) Moreover, except for New York, none of the states or FinCEN regulate cryptocurrency exchange activities as traditional exchange conduct. As a result, requirements for such entities tend to emphasize anti-money laundering and US government sanctions compliance and cybersecurity protections, as well as capital and bonding, as opposed to monitoring and protecting against manipulative trading.
To me, this hodgepodge approach is a big problem waiting to happen and creates a too-high barrier to entry for legitimate firms that wish to provide innovative cryptoasset trading solutions.
- FINRA Proposes Rule Changes for Transaction Reporting; SEC Approves FINRA Rule Authorizing Electronic Signatures for Discretionary Accounts: The Financial Industry Regulatory Authority proposed a rule amendment to give members additional time to report to the Transaction Reporting and Compliance Engine (known as “TRACE”) transactions in US Treasury Securities used to hedge a primary market transaction. While today such transactions must be reported on the same business day if executed through 5 p.m. ET, or by the next business day (T+1) if executed after 5 p.m. ET, as proposed, all hedging treasury security transactions could be reported by T+1. Unrelatedly, the SEC approved a FINRA rule proposal to permit the use of electronic or manual signatures for discretionary accounts. Currently, only manual signatures are acceptable. FINRA also proposed rules to make permanent certain temporary rules currently in effect that address trading during periods of and after extraordinary market volatility.
- Another International Bank Settles Alleged US Sanctions Violations: UniCredit Bank AG agreed to pay over US $1.3 billion in sanctions to multiple federal and state regulators to settle allegations that it violated US sanctions against Iran by facilitating the movement of almost US $400 million through the US financial system from 2002 through 2011 on behalf of a number of sanctioned entities, including the Islamic Republic of Iran Shipping Lines. The sanctions – which included fines and forfeiture – were divided among multiple UniCredit Bank entities and were imposed by the US Department of Treasury’s Office of Foreign Assets Control, the Board of Governors of the Federal Reserve System, the New York State Department of Financial Services, the US Department of Justice and the NY County District Attorney’s Office. Two weeks ago, Standard Chartered Bank agreed to pay sanctions (including fines and forfeiture) in excess of US $1.1 billion to resolve US federal, state and local allegations, as well as claims by the UK Financial Conduct Authority, that the bank violated various US government sanctions programs and maintained poor anti-money laundering controls. (Click here for background in the article “Multinational Bank Resolves Purported Breaches of US Sanctions Program and AML Breakdowns by Paying Over US $1.1 Billion to Multiple Government Overseers” in the April 14, 2019 edition of Bridging the Week.)