It’s clear that the flexibility regulators including ESMA, the FCA, FINRA, and the SEC offered financial services firms around the relatively unfettered use of modern collaboration and chat tools like Zoom, Microsoft Teams, and Webex by Cisco during the pandemic has come to an end. No action relief issued at the outset of COVID-19 has expired, and regulatory missives in the second half of 2021 indicate a marked change of tone and expectations for firms using dynamic communication platforms.
As enterprise communications technologies have evolved, the related challenge of managing business rules for groups permitted to use them and communicate with one another have become more complex. In financial services, business information barriers prohibit communications between specific groups to mitigate the risk of misuse of material non-public information (“MNPI”) to prevent market abuse and insider dealing. Information barriers requirements are spelled out in FINRA Rules 2241 and 2242, Section 204A of the Investment Advisers Act, in FCA’s SYSC 10.2 Rule as well as the SEC’s Exchange Act Section 15(g), which requires broker-dealers to:
Last month Theta Lake submitted a response to a request for comment from several federal banking agencies including the Federal Reserve, the Consumer Financial Protection Bureau, and the Office of the Comptroller of the Currency about the use of Artificial Intelligence (AI) and Machine Learning (ML) in financial services. In our response, we described how Theta Lake uses AI in its Security and Compliance Suite, offered thoughts about how the agencies might create a framework for assessing AI risk, and outlined a few standard practices that would facilitate strong AI development in the future.
On March 3, 2021, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) announced its 2021 Exam Priorities—the first such missive in the pandemic era. The Commission’s ability to be flexible and nimble in its approach to 2020 exams and plans for this year are laudable. To bolster that effectiveness, the recently created Event and Emerging Risk Examination Team will improve and expand OCIE’s rapid response capabilities. (I wrote more about the EERT here). Based on this year’s priorities, OCIE and EERT will be very busy in 2021.
Typically, when we think about data breaches or loss, we picture scenarios where vast troves of personal data are accessed through brute force attacks or phishing attempts, resulting in thousands or millions of records being impacted. However, the release of smaller amounts of data, even a single PDF document or PowerPoint slide, can have serious and damaging ramifications for an organization.
On December 1, 2020, Canada's Office of the Privacy Commissioner (“OPC”) issued a report on a data security incident at the Quebec-based financial services firm Desjardins. The Desjardins incident involved an insider at the firm who accessed, collected, and leaked the personal information of over 9.7 million customers and users from Canada and elsewhere during a two year period—a staggering amount of data over an extended period of time.
While most startup founders would prefer not to pore over laws, regulations and interpretive materials to design a perfect product, it’s an essential exercise for those developing financial services solutions. For fintechs and the other finserv-related startups (e.g., regtech, suptech, etc.) understanding the regulatory obligations of customers and prospects will be core to your mission. In some cases, the process of interpretation and analysis might be a heavy lift involving expert outside counsel, lobbying efforts, and specialized consulting services.