Financial Services Weekly News - September 2017 #3

by Goodwin


Editor's Note

Cybersecurity Returns to Center Stage. The Equifax breach and recent news that the Securities and Exchange Commission’s (SEC) EDGAR test filing system was hacked in 2016 have brought cybersecurity back to center stage in Washington. SEC Chairman Jay Clayton issued a statement highlighting the importance of cybersecurity to the agency and market participants, and detailing the agency’s approach to cybersecurity as an organization and as a regulatory body. Meanwhile, various industry trade groups wrote a letter to Congress to advocate a sweeping uniform national law to deal with data breaches that would preempt the existing patchwork of state laws. These and other recent developments are covered below.

Regulatory Developments

CFTC Director of the Division of Enforcement Announces Cooperation and Self-Reporting Program

On September 25, James McDonald, the Director of the Division of Enforcement (the Division) for the Commodity Futures Trading Commission (CFTC), discussed the CFTC’s cooperation and self-reporting program. Noting the need for other enforcement strategies besides tough prosecution, Director McDonald described a program built around the principles of optimal deterrence, proper incentives, and the alignment of interests and incentives between the CFTC and the business community. Under the program, the CFTC expects a company to (1) voluntarily and promptly self-report wrongdoing (meaning the report must come before the threat of disclosure or of a government investigation, and must be made independently of any other legal obligation), (2) fully cooperate with the Division throughout the investigation, and (3) timely and appropriately remediate to ensure the misconduct does not happen again. Where a participant complies in these three areas, the Division will recommend a “substantial reduction” in the otherwise applicable penalty. The level of compliance will determine the level of reduction, and in some “extraordinary circumstances” the Division might go as far as to recommend declining to prosecute a case. The hope, Director McDonald explained, is that the program will complement other independent reasons to self-report.

SEC Chairman Clayton Issues Statement on Cybersecurity

On September 20, SEC Chairman Jay Clayton issued a statement highlighting the importance of cybersecurity to the agency and market participants, and detailing the agency’s approach to cybersecurity as an organization and as a regulatory body. The statement is part of an ongoing assessment of the SEC’s cybersecurity risk profile that Chairman Clayton initiated upon taking office in May. Components of the initiative include the creation of a senior-level cybersecurity working group to coordinate information sharing, risk monitoring, and incident response efforts throughout the agency. The statement provides an overview of the SEC’s collection and use of data and discusses key cyber risks faced by the agency, including a 2016 intrusion of the SEC’s EDGAR test filing system. In the statement, Chairman Clayton acknowledged that the SEC’s EDGAR test filing system had been hacked in 2016 and may have provided the basis for illicit gain through trading. The statement also outlines the management of internal cybersecurity risks, including the incorporation of cybersecurity considerations in disclosure-based and supervisory efforts, coordination with other government entities, and the enforcement of the federal securities laws against cyber threat actors and market participants that do not meet their disclosure obligations.

Cybersecurity Regulation Back on Center Stage After Data Breach

The issue of cybersecurity is back in front of Congress in the wake of the news of the data breach at Equifax Inc., which reportedly has affected approximately 143 million consumers. Various industry trade groups, including the National Retail Federation, wrote a letter to Congress to advocate a sweeping uniform national law to deal with data breaches that would preempt the existing patchwork of state laws. Importantly, the letter points out that data breaches most strongly affect the financial services industry. According to the 2017 Verizon Data Breach Investigations Report, up to 24% of all data breaches are in the financial services industry, more than any other industry. View the LenderLaw Watch blog post.

House Contemplates Reforming the Federal Reserve’s Responsibilities

On September 12, the U.S. House of Representatives’ Financial Services Subcommittee on Financial Institutions and Consumer Credit and the Subcommittee on Monetary Policy and Trade conducted a joint hearing titled “Examining the Relationship Between Prudential Regulation and Monetary Policy at the Federal Reserve.” A link to the videotaped testimony is located here. The Federal Reserve not only regulates and supervises various financial institutions, but also conducts monetary policy. The purpose of the hearing was to determine whether the Federal Reserve’s dual responsibilities of both regulation and monetary policy “complement or conflict” with one another. Witnesses included Dr. Charles Calomiris, a Columbia Business School professor of financial institutions, Dr. Stephen G. Cecchetti, the Rosen Family Chair in International Finance at Brandeis International Business School, and Jim Sivon, a partner at Barnett Sivon & Natter, P.C., who spoke on behalf of the Financial Services Roundtable. All three witnesses spoke in favor of reforming the way the Federal Reserve operates. View the LenderLaw Watch blog post.

Client Alert: Planning for the Approaching CEO Pay Ratio Disclosure Requirement

It appears likely that the CEO pay ratio disclosure rule adopted by the SEC in 2015 will require companies that are subject to the rule to begin including CEO pay ratio disclosure for 2017 compensation in their proxy statements or Form 10-K annual reports to be filed in 2018. Companies that will be subject to these disclosure requirements should continue to prepare to comply with the CEO pay ratio disclosure rule, or begin doing so if they have not already started. For more information, read the client alert issued by Goodwin’s ERISA and Executive Compensation and Public Companies practices.

Client Alert: NYSE Proposes Change in Material News Releases After Closing

The New York Stock Exchange has filed a proposal that will prohibit listed companies from issuing material news after the close of trading (generally 4:00 p.m. Eastern Time) until the earlier of the publication of the company’s official NYSE closing price or five minutes after the close of trading. For more information, read the client alert issued by Goodwin’s Public Companies practice.

Enforcement & Litigation

SEC Staff Extends No-Action Letter Relief Regarding Auditor Independence Requirements Under the Loan Rule

On September 22, the SEC’s Division of Investment Management issued a letter extending the relief offered to Fidelity Management & Research Company in a no-action letter (NAL) originally issued in June of 2016 (previously covered in the Roundup) and which was set to expire in December of this year. The extension makes no changes to the scenarios or representations in the original NAL and extends the assurances such that they will be withdrawn upon the effectiveness of any amendments to the Loan Rule designed to address the concerns expressed in the NAL.

DOJ Obtains $907,000 Settlement for Auto Lender’s Repossession of Active Duty Servicemembers’ Vehicles

On September 18, the Department of Justice (DOJ) announced that it had entered into a $907,000 settlement with an auto loan lender and servicer (Defendant). In its complaint, filed the same day in the United States District Court for the Northern District of Texas, the DOJ alleged that the Defendant had violated the Servicemembers Civil Relief Act (SCRA), 50 U.S.C. § 3901, et seq. by failing to obtain court orders prior to repossessing vehicles owned by covered active duty servicemembers. View the Enforcement Watch blog post.  

It’s About Context: CFPB Wins Bench Trial Against Third-Party Servicer for Deceptive Advertising

On September 8, a judge in the Northern District of California assessed a statutory penalty of $7.93 million against Nationwide Biweekly Administration, Inc. (Nationwide) and issued an injunction prohibiting further deceptive advertising, after a bench trial in CFPB v. Nationwide Biweekly Administration, Inc., Case No. 3:15-cv-02106-RS (N.D. Cal. Sept. 8, 2017). The judgment was based on Nationwide’s advertising for a fee-based accelerated mortgage loan repayment service, which the Consumer Financial Protection Bureau (CFPB) had alleged was unfair and deceptive. The court concluded that, taken individually, none of Nationwide’s statements were untruthful, but taken together, the court found that the “net effect” of the advertising would be misleading to the average consumer. View the LenderLaw Watch blog post.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Goodwin | Attorney Advertising
