In our weekly regulatory roundup we give a brief overview of the most recent regulatory news and developments in the financial services sector. Courtesy of our partner firm, RegAlytics.ai.
RegAlytics US Alerts – 8/27/2021
The Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, issued guidance on August 11, 2021 that provides financial institutions with examples of effective authentication and access risk management principles and practices for customers, employees, and third parties accessing digital banking services and information systems. The guidance: highlights the current cybersecurity threat environment, including increased remote access by customers and users and attacks that leverage compromised credentials, and mentions the risks arising from push payment capabilities; recognizes the importance of the financial institution’s risk assessment in determining appropriate access and authentication practices for the wide range of users accessing financial institution systems and services; supports a financial institution’s adoption of layered security and underscores weaknesses in single-factor authentication; discusses how multi-factor authentication or controls of equivalent strength can more effectively mitigate risks; and includes examples of authentication controls, along with a list of government and industry resources and references to assist financial institutions with authentication and access management. The new guidance replaces previous documents issued in 2005 and 2011.
U.S. Senate Banking Committee Ranking Member Pat Toomey (R-Pa.) today requested unanimous consent to adopt the Toomey-Warner-Lummis-Sinema-Portman amendment to fix digital asset reporting requirements in the infrastructure bill. Consideration of the bipartisan amendment, however, was blocked by other senators.
The Department of Financial Protection and Innovation published this response letter, which concerns Bitcoin ATM kiosks and their licensing under the MTA. “Under the MTA, a person may not engage in the business of money transmission in California unless the person is licensed, exempt from licensure, or an agent of a person licensed or exempt from licensure. Financial Code section 2003, subdivision (q), defines “money transmission” as: (1) selling or issuing payment instruments, (2) selling or issuing stored value, or (3) receiving money for transmission. REDACTED’s activities are limited to selling Bitcoin. This does not require an MTA license because it does not involve the sale or issuance of a payment instrument, the sale or issuance of stored value, or receiving money for transmission.”
Member firms are increasingly using third-party vendors to perform a wide range of core business and regulatory oversight functions. FINRA is publishing this Notice to remind member firms of their obligation to establish and maintain a supervisory system, including written supervisory procedures (WSPs), for any activities or functions performed by third-party vendors, including any sub-vendors (collectively, Vendors) that are reasonably designed to achieve compliance with applicable securities laws and regulations and with applicable FINRA rules. This Notice reiterates applicable regulatory obligations; summarizes recent trends in examination findings, observations and disciplinary actions; and provides questions member firms may consider when evaluating their systems, procedures and controls relating to Vendor management. This Notice—including the “Questions for Consideration” below—does not create new legal or regulatory requirements or new interpretations of existing requirements. Many of the reports, tools or methods described herein reflect information firms have told FINRA they find useful in their Vendor management practices. FINRA recognizes that there is no one-size-fits-all approach to Vendor management and related compliance obligations, and that firms use risk-based approaches that may involve different levels of supervisory oversight, depending on the activity or function Vendors perform. Firms may consider the information in this Notice and employ the practices that are reasonably designed to achieve compliance with relevant regulatory obligations based on the firm’s size and business model.
The United Nations Framework Convention on Climate Change reached an agreement to adopt a legally binding international treaty on climate change whose objective is to limit global warming to well below two degrees Celsius. To achieve this long-term temperature goal, participating countries agreed on the need to reach a global peak of greenhouse gas emissions and to work towards emissions reductions. The ambitious task of transitioning towards a low-carbon economy will likely have large financial implications for a wide range of industries, as their future business operations could be significantly affected by changes in climate policy and climate-related technology.
The Department of the Treasury issued Fossil Fuel Energy Guidance for Multilateral Development Banks (MDBs), key guidance in response to President Biden’s Executive Order 14008 on Tackling the Climate Crisis at Home and Abroad, announced earlier this year. In its Guidance, Treasury advocates for MDB investments prioritizing clean energy, innovation, and energy efficiency, which will help achieve a clean and sustainable future consistent with the development goals of the Paris Agreement. U.S. Secretary of the Treasury Janet L. Yellen previewed Treasury’s MDB Guidance at the April 2021 G7 Leaders Summit on Climate and more recently discussed it with the heads of the MDBs in July 2021.
The Commodity Futures Trading Commission today announced that the U.S. District Court for the Southern District of New York entered a consent order against five companies: HDR Global Trading Limited, 100x Holding Limited, ABS Global Trading Limited, Shine Effort Inc Limited, and HDR Global Services (Bermuda) Limited. They are charged with operating the BitMEX cryptocurrency derivatives trading platform. The order requires the BitMEX entities to pay a $100 million civil monetary penalty, and provides that up to $50 million of the penalty may be offset by payments the BitMEX entities make or are credited pursuant to a Consent to Assessment of Civil Monetary Penalty entered by the Financial Crimes Enforcement Network. The order also prohibits BitMEX from further violations of the Commodity Exchange Act (CEA) and CFTC’s regulations as charged.
Pearson, a multinational educational publishing and services company, made material misstatements and omissions regarding a 2018 cyber intrusion that affected several million rows of student data across 13,000 school, district, and university AIMSweb 1.0 customer accounts in the United States. In its July 26, 2019 report furnished to the Commission, Pearson’s risk factor disclosure implied that Pearson faced the hypothetical risk that a “data privacy incident” “could result in a major data privacy or confidentiality breach” but did not disclose that Pearson had in fact already experienced such a data breach. On July 31, 2019, approximately two weeks after Pearson sent a breach notification to affected customers, in response to an inquiry by a national media outlet, Pearson issued a previously prepared media statement that also made misstatements about the nature of the breach and the number of rows and type of data involved. It is hereby Ordered that: Respondent cease and desist from committing or causing any violations and any future violations of Sections 17(a)(2) and 17(a)(3) of the Securities Act, Section 13(a) of the Exchange Act, and Rules 12b-20, 13a-15(a), and 13a-16 thereunder. Respondent shall, within 10 days of the entry of this Order, pay a civil money penalty in the amount of $1,000,000 to the Securities and Exchange Commission.
Specifically, these emergency regulations will create a licensing structure, and provisions for responsible gaming and data privacy protections, to ensure consumer safety and gaming integrity for a new gaming market in our state. I respectfully request that you approve this request in writing to allow the Department to proceed with adoption of these emergency regulations. Once these emergency regulations are implemented, we intend to make these regulations permanent.