WSGR FinTech Update - March 2017

by Wilson Sonsini Goodrich & Rosati

Wilson Sonsini Goodrich & Rosati is pleased to introduce the first in a series of monthly updates from the FinTech practice. The purpose of the updates is to provide timely information on issues of interest to WSGR’s FinTech clients and friends of the firm. We hope you find them to be a useful resource.

As shown below, our inaugural issue includes an article regarding new cybersecurity rules for entities regulated by the New York State Department of Financial Services, as well as an article summarizing recent guidance issued by SEC Staff to robo-advisers.

A Reminder for Entities Regulated by the New York State Department of Financial Services (DFS):

On March 1, 2017, the new cybersecurity rules go into effect. The Cybersecurity Requirements for Financial Services Companies are designed to help protect business and customer information and the IT systems of the entities that DFS regulates. While the Cybersecurity Requirements take effect on March 1, 2017, regulated entities have 180 days to comply. The final requirements are available here.

Who Is Regulated? 

The Cybersecurity Requirements apply to companies “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law” (“covered entities”). Covered entities include banks, savings and loans, trust companies, check cashers, credit unions, money transmitters, lenders, insurers, holding companies, investment companies, mortgage brokers, originators, and servicers, and certain other regulated types of companies doing business in New York. Smaller covered entities are exempt from certain components of the Cybersecurity Requirements, but they are required to file an exemption form with DFS.

What Information Is Regulated?

The Cybersecurity Requirements apply to electronic “nonpublic information,” which includes certain business information and personally identifiable information. Specifically, nonpublic information encompasses business-related information that, if compromised, would have a material adverse impact on the covered entity’s business, operations, or security. Nonpublic information also includes information about an individual’s identity, financial accounts, and health condition and payments, similar to many state breach notification laws. 

What Are Covered Entities Required to Do?

Implement a Cybersecurity Program Based on a Risk Assessment. Under the Cybersecurity Requirements, covered entities are required to develop a cybersecurity program based on an annually updated risk management plan designed to protect data and systems, detect cyberattacks, and respond to and recover from cyberattacks to mitigate negative effects. Compliance includes implementing and maintaining a written cybersecurity policy based on risk assessments that cover at least 14 specific areas.

The Cybersecurity Requirements impose specific obligations related to improving a company’s cybersecurity posture, such as the following:

  • Designate a person to perform the functions of a Chief Information Security Officer (CISO). 
  • Maintain in-house application development standards.
  • Perform annual system/network penetration testing and bi-annual vulnerability assessments.
  • Implement auditing mechanisms to help protect system and data integrity.
  • Limit staff system and data access privileges, and assess whether multi-factor authentication (MFA) should be used. MFA must be used for external access to internal networks.
  • Encrypt all nonpublic information both in transit over external networks and at rest. If encryption is not feasible, covered entities must implement effective alternative controls that are approved by the CISO and reviewed by the CISO at least annually.
  • Dispose of nonpublic information when it is no longer necessary for a legitimate business purpose and retention is not required by applicable law.
  • Provide adequate data security training to cybersecurity personnel.
  • Document material improvements to the company’s systems, policies, and cybersecurity program, and make such documentation available to DFS upon request. 

Assess Vendor Information Security. The Cybersecurity Requirements also require covered entities to implement written policies and procedures governing how they ensure that vendors are properly securing systems and data, including, to the extent applicable:

  • Perform a risk assessment of the vendor.
  • Identify the minimum cybersecurity practices required to be met by vendors.
  • Evaluate the adequacy of vendors’ cybersecurity practices.
  • Assess vendors’ cybersecurity practices periodically.
  • Perform due diligence on vendors and obtain contractual protections for covered entities’ information.

Provide Data and System Breach Notice to DFS. Covered entities should have a written incident response plan to meet their obligations under the Cybersecurity Requirements. The Cybersecurity Requirements call for notice to DFS within 72 hours when (1) there was an “act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System” and (2) notice is required to any other regulator or there is a reasonable likelihood of materially harming any material part of normal operations.

Senior Management Has an Active Role

Senior management is required to annually review the company’s cybersecurity policy. The CISO is also required to report at least annually to the covered entity’s board of directors (or equivalent senior management) on the company’s cybersecurity posture. DFS may request copies of these reports at any time. Finally, the company must certify to DFS that it complies with the Cybersecurity Requirements.

SEC Staff Issues Guidance to Robo-Advisers

Automated advisers (or “robo-advisers”) that provide advisory services directly to clients over the Internet or a mobile application should review their disclosure, suitability, and compliance practices in light of recent guidance published by the SEC’s Division of Investment Management (IM).[1] For purposes of this guidance, IM generally characterizes robo-advisers as advisers registered under the Investment Advisers Act of 1940 that have limited human interaction with the client, rely primarily on a questionnaire to understand a client’s finances and investment goals, and employ an algorithm to generate a suggested investment portfolio for the client based on his or her responses to the questionnaire.

The guidance—which highlights three areas of Staff concern for robo-advisers: disclosures, suitability, and compliance—is summarized below.

Disclosures

A robo-adviser, like any adviser, must ensure that its disclosures provide accurate and comprehensive information about its advisory services to enable the client to make an informed decision before employing the adviser. For example, information about the use of any algorithm is critical, and the IM guidance provides a list of disclosures that a robo-adviser should consider providing regarding algorithms. In addition, a robo-adviser should provide disclosures about the inputs it uses to inform its recommendations. For example, a robo-adviser may only rely on questionnaire responses, or it may have access to other client account information that it uses. Further, a robo-adviser should disclose how and when a client should update information provided to the adviser. Moreover, a robo-adviser, like any adviser, must not mislead the client about the advisory services it provides.

In addition to providing adequate disclosures, a robo-adviser should examine when a client is able to view certain disclosures (e.g., before or after the client creates an account, completes a questionnaire, and/or engages the adviser). For example, it may be that certain disclosures are more appropriate for a client to read before completing the questionnaire. A robo-adviser may also wish to emphasize certain Internet disclosures by using pop-up boxes or tooltips,[2] or enhance the clarity of certain advisory practices through the use of an FAQ. If the robo-adviser uses a mobile application as part of its business model, it should carefully consider how its disclosures appear through that mobile device format.

Suitability

Robo-advisers typically rely on questionnaires to help ensure that the advice provided is suitable in light of a client’s finances and investment goals. Because a client generally has limited interaction with an advisory professional when completing the questionnaire, the client may answer questions incorrectly or provide inconsistent responses. An advisory professional, if available, could ask the client clarifying questions or have additional client discussions that would elicit information that could provide greater context. A questionnaire, by itself, cannot do so as easily.

In light of these limitations, a robo-adviser should be thoughtful when designing its questionnaire. A questionnaire should provide the robo-adviser with enough information about a client’s finances and investment goals to enable the adviser to provide suitable advice to the client on an ongoing basis. It should be sufficiently clear so as to avoid confusing and inconsistent responses. For example, the questionnaire could employ pop-up boxes or tooltips to provide additional information to the client to help ensure that he or she is providing responsive information. It could also warn a client (or not permit the client to submit the questionnaire) if he or she has responded inconsistently to different questions.

In addition, if a client is able to override the portfolio recommended by an algorithm and pursue a different investment course that is inconsistent with his or her questionnaire responses, a robo-adviser should implement a mechanism that can alert the client of this inconsistency.

Compliance

As noted, the use of algorithms, limited human interaction with clients, and Internet- or mobile application-based investment advice are relatively unique features of robo-advisers. Robo-advisers should therefore develop practices and written policies and procedures that address the regulatory and compliance concerns that these features raise.

For example, to what extent is the algorithmic code tested and monitored to help ensure that it performs as represented? Who can alter the code, and what protections exist to safeguard access to the code? If the code is modified, to what extent and how are those changes disclosed to clients? How does the robo-adviser oversee a third party, if any, that develops or maintains the code?

Further, in light of limited human interaction with clients, how does the robo-adviser help ensure that its ongoing investment advice is suitable and appropriate for a client based on the client's current finances and investment goals? How does the robo-adviser collect that information and keep it current? Finally, because the Internet or a mobile application is very important to a robo-adviser’s advisory business, how robust is its cybersecurity program in detecting and preventing threats that could impact its operations?

[1] IM Guidance Update No. 2017-02 (Feb. 2017). The SEC’s Office of Investor Education and Advocacy also issued an Investor Bulletin to help investors make informed decisions when contemplating the use of a robo-adviser.

[2] A tooltip permits other information to appear in a text box when a mouse cursor hovers over a particular portion of a web page.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Sonsini Goodrich & Rosati | Attorney Advertising
