Articles Posted in Regulatory and Compliance

Posted

In July, the Financial Conduct Authority (FCA – the financial regulatory body in the United Kingdom) issued a paper titled “Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions” (the Considerations).  The Considerations contain about five pages of checklist “Areas of interest” and related notes, which are stated to be things a firm subject to regulation by the FCA should consider when procuring ‘off the shelf’ technology solutions.

When do the Considerations apply?
We view the application of the Considerations as two-fold.  First, they supplement the existing IT-related banking regulations. Second, they are intended to apply to procurements where firms might not ordinarily consider applying FCA-originating guidelines.

Continue reading

Posted

The UK financial services regulator, the Financial Conduct Authority (FCA), has launched a guidance consultation in order to clarify and confirm its approach to the supervision of financial promotions in social media, including the use of character-limited forms (Examples of character-limited formats are Twitter (which limits tweets to 120 characters) and Vine (which limits videos to six-second loops).

The FCA has identified an increase in the use of character-limited social media (and social media generally) and warned of confusion among firms over the inclusion of regulatory information such as risk warnings (in compliance with the financial promotion rules) when communicating through social sites such as Twitter, Pinterest and Vine.  And, as the FCA makes clear, every communication (e.g. each tweet, Facebook page or insertion) must be considered individually and comply with the relevant rules.

Continue reading

Posted

In May earlier this year, the European Union’s top court held in favor of an individual who requested that Google remove the search results associated with his name.  In this particular case, a Spanish citizen requested that Google Spain remove an auction notice of his repossessed home from its search results, as the proceedings had been resolved for a number of years. The court held that individuals have the right to require search engines to remove personal information about them if the information is “inaccurate, inadequate, irrelevant or excessive.” This precedent established the “right to be forgotten,” which gives Europeans the right to require search engines to remove information about them from search results for their own names.  The ruling has not been met with universal applause, and in fact a U.K. House of Lords subcommittee recently declared the right to be forgotten misguided in principle and unworkable in practice.

Continue reading

Posted

Ofcom has published a call for input, entitled “Promoting investment and innovation in the Internet of Things“, regarding issues that might affect the development of the emerging Internet of Things (IoT) sector in the United Kingdom. Ofcom is the UK’s independent regulator and competition authority for the UK communications industry. It regulates the TV and radio sectors, fixed line telecoms, mobile devices, postal services, plus the airwaves over which wireless devices operate. It operates under a number of Acts of Parliament, in particular the Communications Act 2003.

IoT (which is also referred to as Cloud of Things or CoT) describes the interconnection of multiple machine to machine (M2M) applications and covers a variety of protocols, domains and applications (see J. Höller, V. Tsiatsis, C. Mulligan, S. Kamouskos, S. Avesand, D. Boyle: From Machine-to-Machine to the Internet of Things: Introduction to a New Age of Intelligence. Elsevier, 2014). These technologies and methodologies underpin smart applications and embedded devices that enable the exchange of data across multiple industry sectors, such as heart monitoring implants, factory automation sensors, industrial robotics applications, automotive sensors and biochip transponders. A 2013 report by Gartner suggested that by 2020 there will be nearly 26 billion connected IoT devices.

Continue reading

Posted

The General Affairs Council, on 23 July 2013, adopted a regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the Internal Market. Until the new regulation, the E-Signatures Directive (1999/93/EC) provided the only EU rules relating to e-signatures and said nothing about trust services.  The E-Signatures Directive is to be repealed with effect from July 2016 when, with some exceptions, the new regulation will start to apply.

The new regulation sets out rules for cross-border electronic trust services (electronic identification schemes) within the EU (the new rules will only cover cross-border aspects of electronic identification; issuing means of electronic identification remains a national prerogative. The general position at English law remains unchanged – sophisticated electronic signatures are not necessary for the formation of a binding contract) and creates a legal framework for:

  • electronic signatures,
  • seals and time stamps,
  • electronic documents,
  • electronic registered delivery services, and
  • certificate services for website authentication.

Continue reading

Posted

At a recent conference, the Twelfth Annual Corporate Accountability Conference, 12 June 2014, Cercle National Des Armées, Paris, Pierre Poret, Counsellor, Directorate for Financial and Enterprise Affairs at the The Organisation for Economic Co-operation and Development, told the audience, referring to the OECD’s Risk Management and Corporate Governance report, that “too often, in the enterprise, there was little or no board-level responsibility, with the burden (and oversight responsibility) [for risk management] effectively stopping at the level of the line manager“.  According to Monsieur Poret, the OECD’s findings showed that companies’ boards often played only a very limited role in risk management and that risk management standards were often set at too high a level, with outsourcing and supplier-related risk a key but much overlooked risk.

Continue reading

Posted

The head of the UK’s Financial Conduct Authority, Chief Executive Martin Wheatley,

used a speech at Bloomberg, London given on 3 June 2014 to promote the FCA’s Project Innovate (the drafted text of Martin Wheatley’s speech can be read at http://www.fca.org.uk/news/making-innovation-work).  The FCA is the regulatory body that,

following reforms introduced by the Financial Services Act 2012, succeeded the Financial Services Authority. It has supervisory powers over the conduct of over 50,000 financial services firms in the UK, and authority to regulate the prudential standards of those firms not covered by the Prudential Regulation Authority. The PRA regulates deposit takers, insurers and significant investment firms.

Posted

In Part 1, we noted that financial institutions could find themselves potentially liable for committing an alleged Unfair, Deceptive, or Abusive Act or Practice (UDAAP) as a result of the actions of certain types of external service providers, particularly those that interface directly with customers.  In this Part 2, we will discuss how financial institutions can mitigate the risk of UDAAP enforcement actions through their contracting strategies with their service providers.

A New Wrinkle of Risk

In some ways, the CFPB’s UDAAP authority resembles other regulatory regimes in that it places compliance obligations on both the issuer of the product as well as the third-party service provider that helps effectuate a transaction involving such a product.  For example, export control laws place Office of Foreign Assets Control compliance obligations on both parties to a transaction.  Data protection laws apply both to the controller as well as the processor of data.  HIPAA protections for health information apply to the covered entity and its business associates.

Posted

The security community has been abuzz this week with the US. District Court of New Jersey’s April 7 ruling in Federal Trade Commission v. Wyndham Worldwide Corporation, et al. (see http://www.adlawaccess.com/wp-content/uploads/sites/137/2014/04/Opinion.pdf). Wyndham had asserted in a motion to dismiss that the Federal Trade Commission (“FTC”) did not have the authority to pursue enforcement actions against the hotelier related to data security. The District Court denied the motion and held that the FTC may in fact pursue claims related to data security under Section 5(a) of the FTC Act’s prohibition on unfair or deceptive acts or practices affecting commerce (see 15 U.S.C. 45(a)). While the significance of the holding is being debated in the legal community, this week’s decision highlights the Federal Government’s increasing emphasis on requiring certain baseline cybersecurity practices by the private sector.

The background facts of the case are fairly straightforward. The FTC brought suit against Wyndham Worldwide, Corp. in the wake of three separate security breaches that occurred between 2008 and 2011 and resulted in the theft of guests’ personal information (e.g., payment card account numbers, expiration dates, and security codes). The FTC alleges that after the initial two security incidents, Wyndham failed to implement reasonable and appropriate security measures which exposed consumers’ personal information to unauthorized access and resulted in consumer injury. Specifically, the FTC alleges that there were several problems with the Wyndham’s information security practices including wrongly configured software, weak passwords, and insecure computer servers.

So what does the Court’s holding mean for the private sector? Since, up until this case, the FTC’s data security actions have been settled out of court, this case marks the first time that the courts have ruled on the merits of the FTC’s authority related to data security actions. Fundamentally, the decision affirms that the FTC has the power to pursue enforcement actions for unreasonable cybersecurity practices under existing laws. The Court, however, cautioned that “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” It is also important to note that the Court’s decision did not include a verdict on Wyndham’s liability in the matter (interested parties should continue to watch as the matter continues).

Posted

Much has been said about the EU “Cookie” laws introduced by an amendment to the Privacy and Electronic Communications Directive in 2011.  Companies with European customers (including those in the US) have grappled with the law’s requirement to obtain informed consent from visitors to their websites before cookies can be used.

Not only being the subject of much academic debate, European regulators have also issued a series of guidance papers on the issue, including recent publications from the UK’s Information Commissioner’s Office and from the Article 29 Working Party, the group made up of representatives from the various EU privacy regulators.  These provide layers of at times arguably conflicting commentary on how to comply with the law.

Whilst question marks hang over key issues (e.g.