On March 3, 2021, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) announced its 2021 Exam Priorities—the first such missive in the pandemic era. The Commission’s ability to be flexible and nimble in its approach to 2020 exams and plans for this year are laudable. To bolster that effectiveness, the recently created Event and Emerging Risk Examination Team will improve and expand OCIE’s rapid response capabilities. (I wrote more about the EERT here). Based on this year’s priorities, OCIE and EERT will be very busy in 2021.
Typically, when we think about data breaches or loss, we picture scenarios where vast troves of personal data are accessed through brute force attacks or phishing attempts, resulting in thousands or millions of records being impacted. However, the release of smaller amounts of data, even a single PDF document or PowerPoint slide, can have serious and damaging ramifications for an organization.
On December 1, 2020, Canada’s Office of the Privacy Commissioner (“OPC”) issued a report on a data security incident at the Quebec-based financial services firm Desjardins. The Desjardins incident involved an insider at the firm who accessed, collected, and leaked the personal information of over 9.7 million customers and users from Canada and elsewhere during a two-year period—a staggering amount of data over an extended period of time.
While most startup founders would prefer not to pore over laws, regulations and interpretive materials to design a perfect product, it’s an essential exercise for those developing financial services solutions. For fintechs and the other finserv-related startups (e.g., regtech, suptech), understanding the regulatory obligations of customers and prospects will be core to your mission. In some cases, the process of interpretation and analysis might be a heavy lift involving expert outside counsel, lobbying efforts, and specialized consulting services.