Another Cybersecurity Proposal. On the heels of the New York State Department of Financial Services (NYDFS) issuing its proposed regulation that would require banks and insurance companies to institute comprehensive cybersecurity programs (as covered by the September 21 edition of the Roundup), the federal banking agencies issued their own advance notice of proposed rulemaking last week. Details are discussed below. While both proposals focus on enhanced cybersecurity programs, the federal proposal ups the ante for covered institutions (generally depository institutions and depository institution holding companies with total consolidated assets of $50 billion or more, the U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more, nonbank financial companies supervised by the Federal Reserve Board and certain third-party service providers) by requiring, among other things, that they have protections in place to get back online within two hours following a cyberattack and evaluate how their protections would prevent a cybersecurity breach from spreading to other firms in the financial system. The level of oversight of third-party service providers could be challenging. The proposal also would require that boards of directors play a more active role in overseeing cybersecurity risks and could set a new standard for liability for cyberattacks. The comments to the proposal, which are due on January 17, 2017, could be particularly interesting.

Regulatory Developments

Federal Banking Regulators Request Comment on Proposed Enhanced Cyber Risk Management Standards

On October 19, the Board of Governors of the Federal Reserve System (Board), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) (collectively, the agencies) issued an advance notice of proposed rulemaking regarding enhanced cyber risk management standards for large and interconnected entities. The proposal would apply to depository institutions and depository institution holding companies with total consolidated assets of $50 billion or more, the U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more, financial market infrastructure companies and nonbank financial companies supervised by the Board and certain third-party service providers. The proposal addresses five categories of cyber standards: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness. Comments are due on January 17, 2017.

Client Alert: FINRA Announces Effective Date of New Capital Acquisition Broker Rules

FINRA has announced the adoption of the new Capital Acquisition Broker (CAB) rules. CABs, which will be able to act as brokers for merger and acquisition transactions and agents in private placements to institutional investors, will be registered with the SEC and subject to a reduced set of FINRA rules and compliance obligations. The CAB rules become effective on April 14, 2017. FINRA will accept applications for membership beginning January 3, 2017. This client alert answers questions about who should register as a CAB, what the reduced compliance obligations and limitations are on CABs and how to register or convert from a full FINRA member to a CAB member. For more information, view the client alert issued by Goodwin’s Financial Industry Practice.

CFPB Releases First-Ever Project Catalyst Innovation Highlights Report

On October 24, the Consumer Financial Protection Bureau (CFPB) released its first-ever Project Catalyst Report. The report highlights various market developments emerging from FinTech startups and traditional financial institutions (including new products, services, and trends) that, in the CFPB’s view, have the potential to produce benefits for consumers. The report also provides an overview of Project Catalyst’s work to promote consumer-friendly innovation and outlines the importance of ensuring consumer protections are built into emerging products and services from the outset. Project Catalyst was initiated by the CFPB in 2012 and is designed to encourage consumer-friendly innovation and entrepreneurship in markets for consumer financial products and services.

FinTech Flash: Living in the Regulatory World – What Happens, What Do I Do?

As FinTech companies move more and more into consumer financial services products, they move deeper and deeper into areas that are traditionally highly regulated. Even when they are providing services to a financial institution, they can face such regulatory scrutiny. This FinTech Flash will look at what type of regulators and scrutiny FinTech companies can face, what regulatory interactions can be like, and what FinTech companies can do to prepare for regulatory examinations. For more information, view the FinTech Flash issued by Goodwin’s FinTech Practice.

FinCEN Issues Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime

On October 25, the Financial Crimes Enforcement Network (FinCEN) issued an advisory to assist financial institutions in understanding their Bank Secrecy Act (BSA) obligations regarding cyber-events and cyber-enabled crime. The advisory also highlighted how BSA reporting helps U.S. authorities combat cyber-events and cyber-enabled crime and provided an in-depth discussion of how BSA regulations and requirements apply to the reporting of cyber-events, cyber-related crime, and cyber-related information, including examples of cyber-events that would mandate the filing of a SAR. In addition to the advisory, FinCEN has issued Frequently Asked Questions (FAQs) regarding the reporting of cyber-events, cyber-enabled crime, and cyber-related information through Suspicious Activity Reports.

Enforcement & Litigation

Mutual Fund Adviser Settles with SEC for Alleged  Fair Valuation and Disclosure Failures

On October 18, the SEC announced that a registered investment adviser has agreed to settle claims against it for, among other things,  improperly fair valuing certain mutual fund holdings and failing to disclose key aspects of its attempted remediation of the resulting pricing errors.  In the order, the SEC alleged that the adviser improperly valued certain bond securities held in the portfolios of certain mutual funds that it advises.  The improperly valued securities resulted in NAV errors, inaccurate performance figures and inflated asset-based fees.  The SEC further alleged that the adviser’s attempted remediation was insufficient as the adviser did not precisely calculate fund and shareholder losses in accordance with its NAV error correction procedures.  Additionally, the SEC asserted that the adviser did not properly disclose (1) certain details of its remediation process, namely that it was not based on a full application of the NAV error correction procedures and (2) that the remediation process compensated shareholders differently, depending on whether they invested directly or through an intermediary. Without admitting or denying the findings in the SEC’s order, the adviser agreed to (1) the entry of a cease-and-desist order and a censure, (2) pay a $3.9 million penalty, and (3) undertake a self-administered distribution to affected shareholders.

Q2 2016 Sees Increased Personal and Student Lending Enforcement

For the second quarter of 2016, Consumer Finance Enforcement Watch tracked 46 enforcement actions taken against consumer finance providers. This represents a slight decrease from the 50 enforcement actions that were tracked last quarter, and a decrease from the 56 actions that we tracked in the second quarter of 2015. Approximately two-thirds of Q2 enforcement actions were settlements (with or without consent orders), with the remainder resulting from court judgments, non-judgment court rulings, and new activity in ongoing enforcement actions. For more information including interactive charts, view the Enforcement Watch blog post.