On April 13, the US Cybersecurity and Infrastructure Security Agency (“CISA”) and several other global cybersecurity agencies issued a practical roadmap for technology product design called “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.” The document provides a clear articulation of CISA’s cybersecurity expectations, which signals a emerging paradigm shift noting that “[m]anufacturers are encouraged to take ownership of improving the security outcomes of their customers.” This transition finds CISA focusing more on software developers as responsible for consumer security as opposed to the governmental or private sector users of these applications.  

Generative AI refers to a set of technologies that produce new data based on the information they have been trained on–these applications “generate” new information like text or images based on their training data, hence the “generative” monniker. The most popular uses of generative AI, or “GAI,” have been as part of interactive chat applications like Open AI’s ChatGPT and Google’s Bard, image generating applications like Stable Diffusion, Midjourney, and DALL-E, and code generating systems like Copilot. 

In late-2022, the Financial Conduct Authority and Prudential Regulation Authority (the “Regulators”) jointly issued Discussion Paper DP5/22(the “Paper”) soliciting feedback on the use of artificial intelligence and machine learning in financial services. In particular, the Regulators requested information about the potential benefits and risks of AI, regulatory considerations, and the use of standards in the development of AI. Theta Lake submitted a response to the Paper to outline its unique approach to AI and thoughts on appropriate application to compliance together with organizational and security controls.

When it comes to dynamic messaging content from collaboration tools like Webex, Zoom, Slack, and Microsoft Teams as well as SMS, mobile messaging, and consumer applications like WhatsApp, the SEC’s updated recordkeeping Rule 17a-4 announced on October 12, 2022 signals a sea change for broker-dealers. The SEC replaced its antiquated “non-erasable, non-rewritable” electronic recordkeeping requirement in place since the late-90s with a technology-neutral approach centered around audit trail data, which provides far greater flexibility in implementation.

At Theta Lake, we welcome the modernization of Rule 17a-4 as it allows our financial services customers to more easily manage archiving controls for SEC-regulated electronic communications records.  In addition, the spirit and letter of the revised Rule aligns with Theta Lake’s modern approach to the capture, retention, and supervision of complex, interactive video, voice, chat, and email conversation data.

As we noted in our 2022 Modern Communications Security and Compliance Report, 97% of firms are using two or more communication tools, so the ability to seamlessly and compliantly capture dynamic data across a range of platforms is key.  With over 100+ platform integrations, Theta Lake enables easy and effective compliance with the SEC’s new recordkeeping requirements.

For customers, the updated Rule 17a-4(f) offers a flexible, audit trail-based option that makes it easier to retain dynamic data from electronic communications to databases and beyond.  The revised Rule 17a-4(f)(2)(i)(A) allows broker-dealers to:

To say that cryptocurrency has been a hot topic in financial services of late is a massive understatement. Coinbase announced (via Twitter, natch) that it submitted an application for registration as a Futures Commission Merchant under NFA and CFTC rules. However, the enthusiasm around Coinbase’s FCM announcement was likely offset by the withdrawal of its proposed interest-bearing Lend product after concerns about its security-like features prompted preliminary interest from the SEC. In other regulatory developments, the emergence of technologies for vetting and tracking digital assets for anti-money laundering and know your customer purposes are advancing rapidly. Look no further than MasterCard’s acquisition of CipherTrace as evidence of an increasing focus on transactional activity tracking and the lightning fact evolution of more mature AML/KYC processes for blockchain-based and other digital currencies.

It’s clear that the flexibility regulators including ESMA, the FCA, FINRA, and the SEC offered financial services firms around the relatively unfettered use of modern collaboration and chat tools like Zoom, Microsoft Teams, and Webex by Cisco during the pandemic has come to an end.  No action relief issued at the outset of COVID-19 has expired, and regulatory missives in the second half of 2021 indicate a marked change of tone and expectations for firms using dynamic communication platforms.

As enterprise communications technologies have evolved, the related challenge of managing business rules for groups permitted to use them and communicate with one another have become more complex. In financial services, business information barriers prohibit communications between specific groups to mitigate the risk of misuse of material non-public information (“MNPI”) to prevent market abuse and insider dealing. Information barriers requirements are spelled out in FINRA Rules 2241 and 2242, Section 204A of the Investment Advisers Act, in FCA’s SYSC 10.2 Rule as well as the SEC’s Exchange Act Section 15(g), which requires broker-dealers to:

Last month Theta Lake submitted a response to a request for comment from several federal banking agencies including the Federal Reserve, the Consumer Financial Protection Bureau, and the Office of the Comptroller of the Currency about the use of Artificial Intelligence (AI) and Machine Learning (ML) in financial services. In our response, we described how Theta Lake uses AI in its Security and Compliance Suite, offered thoughts about how the agencies might create a framework for assessing AI risk, and outlined a few standard practices that would facilitate strong AI development in the future.

On March 3, 2021, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) announced its 2021 Exam Priorities—the first such missive in the pandemic era. The Commission’s ability to be flexible and nimble in its approach to 2020 exams and plans for this year are laudable. To bolster that effectiveness, the recently created Event and Emerging Risk Examination Team will improve and expand OCIE’s rapid response capabilities. (I wrote more about the EERT here). Based on this year’s priorities, OCIE and EERT will be very busy in 2021.

Typically, when we think about data breaches or loss, we picture scenarios where vast troves of personal data are accessed through brute force attacks or phishing attempts, resulting in thousands or millions of records being impacted. However, the release of smaller amounts of data, even a single PDF document or PowerPoint slide, can have serious and damaging ramifications for an organization.