
Posted

Pharmaceutical and Life Sciences companies operate in a demanding environment and face diverse challenges such as pricing pressure, increased regulatory requirements and mounting costs. Against this backdrop, they have increasingly looked to outsourcing, starting with non-core functions such as IT, facilities management, finance and human resources before moving to secondary core functions such as research and development, manufacturing, logistics, warehousing and brokerage, so as to better focus on core competencies, access specialized expertise and achieve cost-saving benefits.

This blog post takes a closer look, from an outsourcing perspective, at some of the key challenges faced by those operating in the Pharmaceutical and Life Sciences sector.

Regulatory Environment
As might be expected, the Pharmaceutical and Life Sciences sector is subject to an extensive network of rules and regulations. At EU-level, there are a number of European Directives such as Directive 2001/83/EC relating to medicinal products for human use, Directive 2001/20/EC relating to the implementation of good clinical practice in the conduct of clinical trials on medicinal products for human use, and Commission Directive 2003/94/EC laying down the principles and guidelines of good manufacturing practice in respect of medicinal products for human use and investigational medicinal products for human use.

In the UK, the Medicines & Healthcare products Regulatory Agency (MHRA) regulates medicines, medical devices and blood components for transfusion. Its responsibilities include ensuring that medicines etc. meet applicable standards of safety, quality and efficacy and that the supply chain for medicines, medical devices and blood components is safe and secure.

The EU operates a mutual recognition system intended to allow products to move unhindered between national markets—each other member state has an equivalent national competent authority to the MHRA, such as France’s National Agency for the Safety of Medicine and Health Products and Germany’s Federal Institute for Drugs and Medical Devices. The national competent authorities work closely with the European Medicines Agency (EMA) and the European Commission—the Commission’s principal role in the European medicines regulatory system is to make binding decisions based on the scientific recommendations delivered by the EMA and publish guidance defining required good practices.

Consequently, outsourcing and other commercial agreements made by Pharmaceutical and Life Sciences companies must reflect the heavy regulatory burden to which they are subject and will include provisions dealing with topics such as audits and inspections, retention of documents, protection of sensitive and other confidential information and data, adherence to company policies, and compliance with laws and regulations, in addition to schedules which detail the scope of service, the system of performance management (i.e., service levels and service credits) and the applicable commercial model and charging structures. The third party provider’s adherence to and compliance with GxPs (see below) is another key area.

Good X Practice (GxP)
GxP is a general term for good (anything…) practice and refers to applicable quality guidelines and regulations. These guidelines are used in many sectors including pharmaceutical, medical devices/software and food industries—their overall intent is to ensure that products are safe for consumers and to ensure the integrity of data used to make product-related safety decisions. In this context “X” can mean Manufacturing (GMP), Clinical (GCP), Laboratory (GLP), Storage (GSP), Distribution (GDP), Pharmacovigilance Practice (GVP) etc.

Organisations needing to comply with GMP and/or GDP include those holding a manufacturer’s licence, a wholesale dealer licence or a blood establishment authorisation, as well as non-UK sites employed by UK marketing authorisation (MA) holders.

In the context of Pharmaceutical and Life Sciences outsourcing generally, two of the most common good practices are GMP and GDP, as they can apply across a range of outsourced activities and functions such as contract manufacturing, integrated facilities management, logistics, brokerage and warehousing:

  • GMP is the minimum standard that a medicines manufacturer’s production processes must meet. Products must (a) be of consistent high quality, (b) be appropriate to their intended use, and (c) meet the requirements of the MA or product specification.
  • GDP requires that medicines are obtained from the licensed supply chain and are consistently stored, transported and handled under suitable conditions, as required by the MA or product specification.

In addition to the good practice guides published by the European Commission (see footnotes 1 and 2), the MHRA—as the UK’s national competent authority—publishes its own guidance. As with most regulators, the MHRA updates its guidance from time to time—most recently on 23 May 2017 (an update to the GDP compliance report form).

Inspection and Audit
The MHRA inspects manufacturing and distribution sites for GxP compliance as part of the initial licensing/authorisation process and then periodically. Each manufacturer and wholesaler is given a risk rating or score by the MHRA based on the organisation’s compliance report, previous inspection history and organisational changes. No appeal is permitted, although reasons for the risk rating/score are provided once the inspection has taken place. Inspections of organisations with the highest rating or score are prioritised. The MHRA usually gives prior notice although the short-notice inspection programme means that little or no notification can be given, especially in cases of possible breach (e.g., where a report is received from a whistleblower or another MHRA department or regulator). Usually, however, the likely date of the next inspection is known as the MHRA includes this in its inspection reports.

At the inspection, the inspectors examine the systems used to manufacture and/or distribute medicines. Unless it is a short-notice inspection, the organisation will have completed and submitted to the MHRA a compliance report beforehand. The inspection team will interview relevant personnel, review documents and conduct site visits. Site visits may cover any facility or process involved in the production, purchase and distribution of medicines. Key areas likely to be inspected include:

  • manufacturing areas;
  • quality control (QC) laboratories;
  • stock and stock management;
  • storage areas;
  • temperature monitoring;
  • returns areas;
  • purchasing and sales functions; and
  • transportation arrangements.

Inspections can sometimes be carried out with other MHRA inspections such as good clinical practice or good pharmacovigilance practice. Product-related inspections can also be requested by the EMA. Where any function covered by the above scope has been outsourced to a third party provider, it is vitally important that the MHRA has the exact same access to the provider and its facilities and personnel.

Types of deficiencies
Deficiencies found during inspections are graded at 3 levels—critical, major and other. These are defined in the “Compilation of Community Procedures on Inspections and Exchange of Information” published by the EMA. (See page 47.)

Type of Deficiency | Definition | Example
Critical Deficiency | Any departure from Guidelines on Good Distribution Practice resulting in a medicinal product causing a significant risk to the patient and public health. This includes an activity increasing the risk of falsified medicines reaching the patients. A combination of a number of major deficiencies that indicates a serious systems failure. | Examples given by the EMA: purchase from or supply of medicinal products to a non-authorised person; storage of products requiring refrigeration at ambient temperatures; rejected or recalled products found in sellable stock.
Major Deficiency | A non-critical deficiency which: – a major deviation from Good Distribution Practice; – has caused or may cause a medicinal product not to comply with its marketing authorisation in particular its storage and transport conditions; or – indicates a major deviation from the terms and provisions of the wholesale distribution authorisation. A combination of several other deficiencies, none of which on their own may be major, but which may together represent a major deficiency. | No examples of major deficiencies are given by the EMA. However, the MHRA report on 2016 GMP inspections cited 449 major deficiencies in quality systems (in this category there were 38 critical and 772 other deficiencies). The next highest number of major deficiencies were in the categories of sterility assurance and production (also the second and third highest categories for critical deficiencies).
Other Deficiency | A deficiency which cannot be classified as either critical or major, but which indicates a departure from Guidelines on Good Distribution Practice. | No examples of other deficiencies are given by the EMA. However, a deficiency may be classified as “other” because it is judged as minor or because there is insufficient information to classify it as major or critical.

Pharmaceutical and Life Sciences companies contemplating outsourcing should design their performance management systems in the light of the above, with robust processes and remedies particularly in the event of any Critical or Major Deficiency attributable to the third party provider. Remedies may include service credits, corrective action and other remediation, and ultimately termination.

Technical/Quality Agreements
Technical Agreements—also known as Quality Agreements—are required wherever an outsourced activity is covered by applicable good practice Guides (e.g., GMP or GDP). In the case of GMP, the applicable EU rules relating to outsourcing are found in Chapter 7 of the EU GMP Guide which provides:

“Outsourced activities must be correctly defined, agreed and controlled in order to avoid misunderstandings which could result in a product or operation of unsatisfactory quality. There must be a written contract between the Contract Giver and the Contract Acceptor which clearly establishes the duties of each party…”

“Technical aspects of the contract should be drawn up by competent persons suitably knowledgeable in related outsourced activities and Good Manufacturing Practice.”

Other requirements include:

  • a contract which covers all technical and other arrangements for the outsourced activities (and the related products or operations);
  • adherence to applicable regulations and the Marketing Authorisation for the in-scope product(s);
  • ultimate responsibility of the Contract Giver (i.e., the customer) for ensuring that its pharmaceutical quality system covers control and review of the outsourced activities and that adequate processes are in force;
  • clear definition of the responsibilities of both parties (i.e., the Contract Giver and the Contract Acceptor (i.e., the third party provider)), clearly stating who undertakes each step of the outsourced activity:
    • knowledge management;
    • technology transfer;
    • supply chain and subcontracting;
    • quality and purchasing of materials;
    • testing and releasing materials; and
    • undertaking production and quality controls (including in-process controls, sampling and analysis);
  • documented communication processes between the parties relating to the outsourced activities;
  • access to records (including in case of invocation of the documented defect procedures) and applicable document retention requirements; and
  • rights to audit the Contract Acceptor and any approved subcontractors.

Getting the Technical Agreement right
This is important. The Technical Agreement spells out the GxP responsibilities of each of the parties, their communication and assurance processes and will nearly always be reviewed by the MHRA (or indeed any other applicable regulator such as the U.S. Food and Drug Administration). The MHRA’s 2016 deficiency report gives the following example of deficiencies related to Technical Agreements sampled by them in the period.

Similar rules are set out in Chapter 7 of the GDP Guide. The ICH Good Manufacturing Practice Guide also requires a Technical Agreement in the context of the contract manufacture of APIs (active pharmaceutical ingredients).

Deficiency | MHRA Example
Insufficiently detailed | The Technical Agreement between Company A and Company B was insufficiently detailed. It only contained a series of bullet points covering Company B’s activities, and did not describe the responsibilities of Company A.
Unclear lines of responsibility | The Technical Agreement between Company A and Company C contained conflicting statements regarding the responsibility for customer verification.
Scope not described | The Technical Agreement with Company D did not identify the products that were to be within the scope of the agreement.
Status of parties unclear | The Technical Agreement with Company E did not identify which party was the Contract Acceptor and which was the Contract Giver.
No express requirements | There was no explicit requirement in the Technical Agreement for temperature monitoring devices to be used for shipment of goods to Company F.

Relationship with outsourcing and other commercial agreements
GxP compliance requires clear, accurate and detailed Technical Agreements to ensure that the Contract Acceptor complies with applicable standards and technical requirements such as storage conditions, stock control and temperature monitoring. In the context of an outsourcing transaction or other commercial arrangement (such as a long term supply agreement), the Technical Agreement will sit alongside the outsourcing/commercial agreement. They are not standalone documents—each should reference the other since they relate to the same set of activities but address different aspects of the relationship between the Contract Giver and the Contract Acceptor. It is important to ensure that the two documents work in concert with and are consistent with each other, and the relationship between the two agreements is clear (i.e., what happens if there is a contract breach and how are any limits on liability determined). Since template Technical Agreements often contain provisions which would typically be contained in the outsourcing / commercial agreement such as dispute resolution, change control and audit/inspection, care needs to be taken so that there is no overlap or conflict between them, ideally by removing any duplication or overlap.

Other points to watch include ensuring that the parties to the outsourcing/commercial agreement are the same as those to the Technical Agreement—if they are not (i.e., the third party provider’s function undertaking the quality-related aspects of an outsourced service resides in a different group entity to the primary provider), then address this through appropriate subcontracting provisions in the outsourcing/commercial agreement. The two agreements should also be co-terminous—the Technical Agreement doesn’t need to contain termination provisions, but should simply come to an end at the same time as the outsourcing/commercial agreement. Finally, the Technical Agreement should not contain any of the commercial terms (service levels, pricing, etc.) nor should it deal with legal terms such as confidentiality, warranty, indemnity and liability—all of which should be handled in the outsourcing/commercial agreement and its schedules.

Brexit
It seems unlikely Brexit will have significant impact on outsourcing of GxP activities by UK-headquartered Pharmaceutical and Life Sciences companies from a GxP compliance perspective—in other words the need to comply will continue, albeit additional requirements will apply since, technically speaking, from an EU viewpoint, the UK will become a third country from the stroke of midnight on 30 March 2019 (unless an extension is agreed by the UK and the EU27 in the forthcoming negotiations).

In a recently published Q&A, the European Commission made clear that UK-based manufacturers of APIs will be treated just the same as Chinese, Indian and other third country based manufacturers. For example, the export of APIs from the UK to the EU will require written confirmation from the “competent authority of the exporting third country” in order to verify a plant has been inspected and that its processes are up to the EMA standards. Alternatively, the UK may be able to negotiate an exception (Switzerland has had one since 2012) based on an equivalency finding by the European Commission.

Posted

The European Banking Authority (EBA) has opened a consultation on its draft recommendations for financial institutions outsourcing to cloud service providers across all cloud-related domains including infrastructure as a service, platform as a service and software as a service. The recommendations are intended “to clarify the EU-wide supervisory expectations if institutions intend to adopt cloud computing, so as to allow them to leverage the benefits of using cloud services, while ensuring that any related risks are adequately identified and managed.” A public hearing will take place at the EBA’s Canary Wharf, London premises on 20 June 2017 and the consultation will close on 18 August 2017.


Posted

A number of major carriers have suffered high-impact IT events in the past several months. Estimates of losses in these cases have exceeded £100m. This is on top of (no doubt significant) remedial costs, reductions in share price and reputational damage.

Such high-impact events are, in theory, unlikely to occur—the result of a series of unlikely events which when taken together have a catastrophic impact. Unfortunately for corporates, the probability of a high impact IT event is increasing. This is partly due to the increasingly interconnected and complex nature of IT infrastructures but also due to heightened cybersecurity risks. Failures tend not to be localised to a particular geography or business but have global reach.

We advise airlines to consider and revisit their current business continuity and disaster recovery (BCDR) arrangements. In our experience, the reality of BCDR arrangements often falls below the stated requirements or capabilities of such solutions, whether provided by third-party IT providers or in-house.

Even if a BCDR arrangement is expressed as “hot” or “active/active” (which implies efficient and rapid fail-over in the event of a disaster), these arrangements are frequently implemented on a narrowly defined basis. For example, while secondary IT infrastructure might be available and functioning in the event of a disaster, the airline’s complex business applications may not function practically on this secondary infrastructure.

Why is this? The investment required to establish a true, close to fail-safe BCDR arrangement is high in terms of level of effort and cost, and frequently requires the cooperation of application teams. Quite simply, some organisations take a chance such an event will not occur—a risk perhaps not accurately understood by anyone other than those individuals intimately familiar with the airline’s BCDR arrangements.

A detailed review of BCDR arrangements would amongst other things entail:

  1. In addition to testing that BCDR infrastructure is available and operational, can the test determine if the airline’s business critical applications will operate to acceptable service levels on the secondary infrastructure?
  2. Does the BCDR solution allow the airline’s applications to interface with each other and, critically, interface with off-host systems such as those provided by alliance or code share partners and key third parties such as logistics providers?
  3. Are recovery time objectives and recovery point objectives sufficiently defined and “fit for purpose”? In particular, does the BCDR solution allow cutover with minimal impact on data currency and accuracy? If the BCDR solution does not result in access to up-to-date data (data synchronicity) which, for example, matches passengers to planes and baggage, then the operation of the applications may be largely irrelevant or significantly impaired.
  4. Does the airline, as part of its BCDR testing, regularly seek to cut over to its BCDR systems and operate the business or parts of the business from them? If not, why not? Does the IT/CIO team have faith that the BCDR arrangements can deliver when required?
  5. Does the airline sufficiently enforce its contracts with third-party suppliers, to ensure that BCDR obligations are being implemented in practice, with an attendant transfer of appropriate risk, or at least an understanding of risk transfer and residual risk?
  6. Finally, does the airline have in place a major incident team—an “A-Team” from across the business and key external providers that can be mobilised at short notice to support the event? These individuals could make a critical difference to external suppliers’ posture and approach to resolving an issue, encouraging a “fix first” culture and avoiding the finger pointing politics that are often associated with service failures. If deficiencies are identified, then there is little doubt that investment will be required. Even if an airline believes it has outsourced this risk to a third-party hosting supplier, if the customer signed-off solution (as is typically the case) does not deliver a true business-enabling cut-over, then the airline can expect to have to spend to upgrade.
  7. An honest assessment of the above issues will determine the robustness of an airline’s BCDR arrangements; a proactive approach, harmonised across the business, and with the support of relevant third-party suppliers, is key.

However, investment in, and regular testing of, appropriate BCDR solutions is critical in mitigating potentially catastrophic events.

Posted

The European Commission has published its Brexit mandate with a clear focus on “citizens’ rights, the financial settlement and new external borders,” with the Commission’s chief Brexit negotiator, Michel Barnier, planning to “pay great attention to Ireland during the first phase of negotiations.” In his Next Steps toward Brexit Client Alert, Pillsbury partner Tim Wright explores some key issues including safeguarding of EU citizens, settlement of UK financial obligations, and sorting out the Irish border situation.

 

Posted

Software giant’s victory in “indirect use” case is cause for concern for companies worldwide.

On February 16, 2017, the High Court of Justice in the United Kingdom held that Diageo plc, a global drinks company, was liable for unauthorized use of SAP software as a result of failing to secure “Named User” licenses for its customers and sales representatives who used certain third party applications running on a Salesforce platform that accessed and exchanged data with SAP systems. While the decision does not have direct application outside the United Kingdom and may be appealed by Diageo, it is an important win by SAP and a significant cause for concern for companies licensing SAP software. The decision may embolden SAP to be even more aggressive in attempting to extract additional license and support fees from customers—which could potentially run into tens of millions of dollars for many companies—based on alleged “indirect” uses of SAP software. We encourage licensees of SAP software to get in front of this issue by undertaking an assessment of whether they are at risk for claims of indirect use by SAP.

 

To read the full alert on the Pillsbury site click here…

Posted

Recently, governments and rule-making bodies across Europe, the UK and globally, appear to be paying increasing attention to the need for the development of legislative and regulatory frameworks in the expanding field of artificial intelligence (AI) and robotics. With the growing use of these technologies across a wide range of industry sectors, we expect to see new laws and regulations being introduced in this area in the coming years, across a broad spectrum of legal disciplines including intellectual property rights and product liability. Discussed below are some recent developments in this area in the European Union, the United Kingdom, the United States and Japan.

European Union

The European Commission’s Legal Affairs Committee recently published a report calling for EU-wide rules governing AI and robotics[1]. Rapporteur Mady Delvaux (S&D, LU) said: “A growing number of areas of our daily lives are increasingly affected by robotics. In order to address this reality and to ensure that robots are and will remain in the service of humans, we urgently need to create a robust European legal framework”.

The Committee makes certain suggestions and recommendations including:

  • Regulator – a new pan-European agency to regulate AI and robotics, with mandatory registration of “smart autonomous robots”.
  • Legal status or personhood – the creation of a distinct legal status for AI and robots.
  • Social Impact – recognising the potential of “big societal changes” resulting from AI and robotics, especially in the labour markets, the Committee urges the Commission to closely follow such trends, and to examine new employment models as well as the viability of current tax and social systems for robotics.
  • Insurance – a mandatory insurance scheme to cover harm and damage caused by AI and robots. Further, a fund should be set up to ensure that victims are compensated in cases of accidents caused by driverless cars.
  • Code of Conduct – guidance for engineers covering the ethical design, production and use of robots, including incorporation of “kill” switches so that robots can be turned off in emergencies.

The Committee singles out driverless vehicles as in “urgent need” of a new rule book, ideally a global one, since a fragmented regulatory approach is likely to “hinder implementation and jeopardise European competitiveness.”

The United Kingdom

The UK’s Commons Select Committee for Science and Technology also issued a report, in October last year, on AI and robotics[2]. The report concludes that, whilst robotics and AI hold the potential to fundamentally reshape the way we live and work, the Government does not yet have an adequate strategy, and calls for a commission to be established in order to examine social, ethical and legal implications in this developing area.

Dr Tania Mathias, interim Chair of the Committee, said: “Government leadership in the fields of robotics and AI has been lacking. Some major technology companies — including Google and Amazon — have recently come together to form the ‘Partnership on AI’. While it is encouraging that the sector is thinking about the risks and benefits of AI, this does not absolve the Government of its responsibilities. It should establish a ‘Commission on Artificial Intelligence’ to identify principles for governing the development and application of AI, and to foster public debate.”

The United States

The United States does not have and is not currently contemplating a comprehensive national approach to artificial intelligence and related technologies. Both public and private sectors are researching, developing and implementing artificial intelligence, robotics and automation at rates that far outpace law that addresses the same.

The bulk of federal agency guidance, state legislation, and court decisions are focused on two technologies: unmanned aerial vehicles (UAVs), also referred to as drones, and more recently, autonomous vehicles (i.e., self-driving cars). UAVs are of particular interest for their military and law enforcement use.

  • As of January 2017, thirty-three states have enacted laws about UAVs[3] and twenty states have considered laws on autonomous vehicles.[4]
  • The Federal Aviation Administration issued a regulation on UAVs in June 2016, which set parameters on where, when and how UAVs may be operated. Among other restrictions, the FAA requires a visual line of sight between the remote pilot and the UAV at all times.[5]
  • The Department of Transportation and National Highway Traffic Safety Administration jointly issued non-binding guidance in September 2016 on autonomous vehicles, including considerations for developers and a model state policy.[6]
  • Finally, the Obama administration, near the end of its tenure in 2016, issued a report titled “Preparing for the Future of Artificial Intelligence”[7] and a corresponding national strategic plan on research and development of artificial intelligence.[8] The plans were drafted based on five workshops held during the year and contemplate avenues of further research, as well as how artificial intelligence may allow the government to improve its services delivery. It remains to be seen if the Trump administration will take action on this topic, which has since been removed from the White House website.

As other robotics products saturate the market, and until a tipping point is reached due to the increasing use and capabilities of artificial intelligence, U.S. lawmakers will likely continue to address related legal concerns in a piecemeal manner similar to that of UAVs and autonomous vehicles.

Japan

The Japanese Government recognizes the need for robot regulatory reform and has devised ā€œJapanā€™s Robot Strategyā€ and introduced a Robot Revolution Initiative (RRI) in 2015.

ā€œJapanā€™s Robot Strategyā€, devised by the Japanese Ministry of Economy, Trade and Industry (METI), is a series of policies for regulating robotics over a five-year strategic plan. It aims to ensure that Japan continues to maintain its reputation as a robotics superpower via regulation and deregulation methodologies that are well-balanced and promote safety standards for consumer protection. In that plan, METI encourages the use of core technologies such as artificial intelligence to develop ā€œNext Generation Robotsā€ in a variety of sectors. There is also a Robot Revolution Realization Council responsible for reviewing existing Japanese laws in light of these rapidly advancing robotic technologies. These laws include the Radio Law, Pharmaceuticals and Medical Devices Law, Industrial Safety and Health Act, Road Trafļ¬c Law, Road Transport Vehicle Act, Civil Aeronautics Act, Consumer Products Safety Act and ISO 13482 Safety Standard for Life-supporting Robots, amongst others. Ā Like the United States, Japan is also looking at measures to regulate the operation of uninhabited airborne type robots (UAVs).

As a result of its studies, the Robot Revolution Realization Council has recommended regulatory reform pursuant to its guidelines known as the ā€œImplementation of Robot Regulatory Reformā€. These guidelines call for the following (i) a legal framework for consumer protection and, at the same time, (ii) a new legal system or easing of current regulations (ā€œderegulationā€) to make effective use of robots. So, for example, field testing for robots is to be promoted and is a form of deregulation designed to enable regulators and manufacturers to uncover unanticipated robotic risks prior to actual implementation.

Research studies are also being conducted by Japanese universities and recommendations for robot laws have been proposed. The joint research of Waseda University Humanoid Robotics Institute and Peking University Law School, for example, proposes a three-level hierarchy of ā€œRobot Lawā€ comprising (i) ā€œThe Robot Safety Governance Actā€ to extend machine safety regulations to robotics, (ii) ā€œThe Humanoid Morality Actā€ to regulate the relationship between humans and robots, and (iii) ā€œRevisionsā€, being necessary modifications to existing Japanese laws to ensure that they do not conflict with these advanced robotics technologies.

According to a Government estimate published in the Japan Times in April 2016, “AI technologies are expected to generate an economic return of around ¥121 trillion in Japan by 2045”.[9] As a result of this anticipated rapid growth, the Japanese Government also plans to introduce some basic rules for AI research and development which will focus on privacy protection and developer accountability.

All of the above is consistent with Prime Minister Shinzo Abe’s efforts to revitalise the Japanese economy through so-called “Abenomics” which promotes the use of robotics and AI, amongst other things. No doubt it will take some time for Japan to implement a sophisticated robotics legal regime, but will this be the saving grace of “Abenomics” which, to date, has arguably decelerated economic growth and fuelled the continuance of deflation?


[1] http://www.europarl.europa.eu/news/en/news-room/20170110IPR57613/robots-legal-affairs-committee-calls-for-eu-wide-rules

[2] https://www.publications.parliament.uk/pa/cm201617/cmselect/cmsctech/145/145.pdf

[3] http://www.ncsl.org/research/transportation/current-unmanned-aircraft-state-law-landscape.aspx

[4] http://www.ncsl.org/research/transportation/autonomous-vehicles-self-driving-vehicles-enacted-legislation.aspx

[5] https://www.faa.gov/uas/media/Part_107_Summary.pdf

[6] https://www.transportation.gov/sites/dot.gov/files/docs/AV%20policy%20guidance%20PDF.pdf

[7] https://obamawhitehouse.archives.gov/sites/default/files/whitehouse_files/microsites/ostp/NSTC/preparing_for_the_future_of_ai.pdf

[8] https://obamawhitehouse.archives.gov/sites/default/files/whitehouse_files/microsites/ostp/NSTC/national_ai_rd_strategic_plan.pdf

[9] http://www.japantimes.co.jp/news/2016/04/15/national/japan-propose-basic-rules-ai-research-g-7-meeting/#.WLPLtU1PonV

Posted

Effective March 1, 2017, first-in-kind regulations issued by the New York Department of Financial Services (New York DFS) will begin to affect a wide array of both depository and non-depository financial institutions. The new regulations will cascade certain requirements upon these financial institutions’ third-party service providers, requiring the financial institutions to take a close look at their vendor relationships.

Who Is Covered?
The new regulations will specifically apply to “Covered Entities,” meaning any financial services firm that operates (or is required to operate) under a “license, registration, charter, certificate, permit, accreditation or similar authorization” by the New York DFS. Just to name a few, this includes banks, credit unions, insurance companies, licensed lenders and loan servicers, money transmitters, and even those operating under New York’s new virtual currency license.

What Do The Regulations Do?
Certain aspects of the regulations legally formalize what most financial institutions are most likely already doing—for example, maintaining a written cybersecurity policy tailored to the findings of periodic risk assessments. Other aspects of the regulations, however, enter into a new territory of granularity that will seem striking for many financial services firms that may have at best considered these to be informal best practices.

Among other things, the new regulations will formally require Covered Entities to protect not only sensitive customer information (the prevailing standard under federal data security regulations), but crucial business-related information, as well. Covered Entities will also be required to appoint a specifically designated Chief Information Security Officer (although such person may be outsourced to a third party), and must report certain “Cybersecurity Events”—which term even extends to unsuccessful attempts to access an information system—to the New York DFS within 72 hours of occurrence.

Unlike prevailing cybersecurity regulations, which tend to be technology-agnostic, the regulations will require Covered Entities to adopt certain specified controls including multi-factor authentication systems and encryption technologies (or suitable alternatives) in specified circumstances.

The regulations formally make cybersecurity a C-suite level priority, requiring senior management to certify compliance with the regulations to the New York DFS on an annual basis.

How are Vendor Relationships Impacted?
Cognizant of the fact that most financial services firms operate through a diverse web of outsourced technology relationships, the new regulations require Covered Entities to adopt written policies and procedures designed to ensure the security of information systems and nonpublic information (again, including not just consumer information, but important business information, as well) that are accessible to, or held by, third-party service providers. Such policies and procedures must be based on a Covered Entity’s required risk assessment, and must address, to the extent applicable:

  1. Identification and risk assessment of third-party service providers;
  2. Minimum cybersecurity practices required for such third-party service providers to do business with the Covered Entity;
  3. Due diligence processes used to evaluate the adequacy of such third-party service providers’ cybersecurity practices; and
  4. Periodic assessment of such third-party service providers based on the risk they present and the continued adequacy of their cybersecurity practices.

These policies and procedures must include relevant guidelines for due diligence and/or contractual protections relating to third-party service providers including, to the extent applicable, guidelines addressing the regulations’ required compliance with multi-factor authentication and encryption requirements, as well as the third-party service providers’ obligations to notify the Covered Entity of a Cybersecurity Event impacting information systems or nonpublic information.

Concluding Thoughts
The compliance obligations under the new regulations will roll out on a staggered basis, over a two-year period, beginning March 1. Although Covered Entities will technically have until March 1, 2019, to have adopted the required third-party service provider oversight and contractual requirements indicated above, implementing these policies and conforming third-party contracts will necessarily be a lengthy process requiring a great deal of buy-in both from the Covered Entity itself and the third party on the other end of the vendor relationship.

With the two-year clock ticking effective March 1, financial institutions subject to the new regulations are advised to begin taking a careful look at their vendor relationships, and begin conforming their policies, procedures and third party agreements as soon as possible. The New York DFS itself has underscored this point, stating in the regulation that “it is critical for regulated institutions that have not yet done so to move swiftly and urgently … Adoption of the program outlined in these regulations is a priority for New York State.”

Posted

“We will follow two simple rules: buy American and hire American.” While world leaders are pondering what these words from President Trump’s Inaugural Address mean for international trade, a different question looms for U.S. Government contractors—what is on the horizon as far as the Buy American Act and similar protectionist regulations?

To finish reading this article written by our Pillsbury colleagues click here.

Posted

The FCA has fined Aviva, the UK insurance group, £8.2 million for failing to have appropriate controls over its outsourced service providers. According to the FCA’s press release, the fine would have been even larger at £11.8 million but for a 30% discount due to Aviva for agreeing with the FCA to settle at an early stage.

The case related to a number of FCA Handbook breaches between 1 January 2013 and 2 September 2015, including breaches of Principles 3 and 10, the Outsourcing Chapter of SYSC and the Client Assets Sourcebook (CASS)—rules which apply whenever a firm holds or controls client money or has custody assets as part of its business. Two Aviva group companies, Aviva Pension Trustees UK and Aviva Wrap UK, had outsourced the administration of client money and external reconciliations in relation to custody assets to third party administrators (TPAs). In what is the first CASS case in relation to oversight failures of outsourcing arrangements, the FCA found that the Aviva companies had “failed to put in place appropriate controls over … [the TPAs] … to which they had outsourced the administration of client money and external reconciliations in relation to custody assets … [resulting] in Aviva failing to sufficiently challenge the internal controls, competence and resources of their TPAs.”


Posted

The UK’s financial services regulator, the Financial Conduct Authority (FCA), has recently published summaries of the responses it received to a Call for Inputs (CfI) on the use of big data in the retail general insurance (GI) sector as well as outlining its responses to the issues raised. Insurance companies, which are increasingly using big data (gleaned from social media, loyalty cards, aggregator sites and other such sources) to determine risk profiles and set premiums, can rest a little easier given that the FCA says that it has decided not to undertake a full market study or make a reference to the Competition and Markets Authority.
