Regulators on both sides of the Atlantic continue to monitor and address cryptoasset and distributed ledger technology activities. We recently posted on the guidance issued by the US Financial Crimes Enforcement Network on cryptocurrencies and in another post touched upon differences in the regulatory treatment of cryptoassets across jurisdictions. Today we report on two new developments relating to the treatment of cryptoassets by UK and US regulators.

The Federal Trade Commission (FTC) will hold public hearings on March 25-26 in Washington, DC, on “Competition and Consumer Protection in the 21st Century.” Titled, “The FTC’s Role in a Changing World,” the hearings pose downstream risk to the fintech community, especially to smaller enterprises that may lack the resources and knowledge to comply with any complex new regime.

A recent letter from a bipartisan group of 31 state attorneys general to the Federal Trade Commission (FTC) asks the agency to both continue and enhance its various identity theft rules. The group, led by attorneys general Ellen Rosenblum (D-OR) and Kevin Clarkson (R-AK), points to the challenges presented by emerging technologies being regulated by dated rules. While the concept of regulatory obsoleteness is not new, the speed at which new technologies now emerge means that rules can become dated quickly.

The Joint Committee of the European Supervisory Authorities (the ESAs) issued a report on 7 January 2019 on the status of regulatory sandboxes and innovation hubs following consultations with national regulators across the European Union.

The report compares the innovation hubs and regulatory sandboxes established in 21 EU member states and three EEA states, and also notes that Hungary and Spain are in the process of establishing regulatory sandboxes.

The ongoing and accelerating pace of developments in the realm of cryptoassets in multiple jurisdictions warrants continual review and monitoring. In a report issued earlier this month on the implications of cryptoassets, the international Financial Stability Board (FSB) stated that, while cryptoassets do not currently pose a material risk to global financial stability, vigilant monitoring is needed in light of the speed of market developments. The FSB believes that due to risks such as low liquidity and the use of leverage, market risks from volatility, and operational risks, cryptoassets lack the key attributes of sovereign currencies and do not serve as a stable store of value or a mainstream unit of account. The financial stability implications of these cryptoasset characteristics include an impact on confidence in, and reputational risk to, financial institutions and regulators; risks arising from financial institutions’ exposures to cryptoassets; and risks arising if cryptoassets were to become widely used in payments and settlement. Therefore, regulators are encouraged to “keep an eye on things” as cryptoassets continue to spread throughout the world economy.

The UK Financial Conduct Authority (FCA) issued a press release on August 7 announcing that it has joined 11 other financial regulators from around the world to create the Global Financial Innovation Network (GFIN), building on its proposals earlier in the year to create a “global sandbox.” The network is intended to provide fintech firms a more efficient way to interact with regulators as they test new ideas across different markets and to create a new framework for regulators to cooperate on areas of innovation. This announcement continues a regulatory trend of being more hospitable to fintech innovation, as we have previously discussed.

On February 16, 2017, the New York Department of Financial Services (DFS) released its final self-described “first-in-the-nation” cybersecurity regulations (the Rules). The Rules become effective March 1, 2017, but will be phased in on a staggered basis beginning 180 days after the effective date. Proposed cybersecurity regulations were initially released on September 13, 2016 to become effective January 1, 2017, but on December 28, 2016, the DFS delayed the effective date and simultaneously issued a revised proposal. Morgan Lewis submitted comment letters recommending several modifications to both the initial proposal and the revised proposal.

Although the DFS did take comments into account in initial revisions, the Rules still raise important operational, compliance, and risk management concerns for financial institutions, financial services companies, insurance firms, and other DFS-regulated entities (Covered Entities). The Rules have only minimal changes from the revised proposal, aside from certain changes made to the exemptive provisions, in particular with regard to Covered Entities that are insurance enterprises.

The New York Department of Financial Services (NYDFS) has just issued proposed cybersecurity rules (Proposal) applicable to NYDFS-regulated firms (Covered Entities). The Proposal would impose mandatory “minimum requirements,” including the requirement that each Covered Entity establish a cybersecurity program and a cybersecurity policy that addresses 14 areas, including customer data privacy, vendor and third-party service provider management, risk assessment, incident response, audit trail, encryption, and periodic testing requirements. The Proposal also includes requirements for an annual compliance certification made by the board of directors and notification to NYDFS of “cybersecurity events.”

Comments on the Proposal are due by November 12, 2016 and the Proposal indicates that Covered Entities should be prepared to comply by June 30, 2017—180 days after the proposed January 1, 2017 effective date.

For a fuller discussion of the Proposal, please read our LawFlash on this subject.

The Federal Financial Institutions Examination Council (FFIEC) has issued a joint statement warning financial institutions of the increasing frequency and severity of cyber attacks involving extortion, including ransomware, denial of service, and theft of sensitive customer information that is used to extort victims. In turn, financial institutions are advised to develop and implement effective programs to identify, protect, detect, respond to, and recover from these types of cyber attacks. Actions to be taken include conducting ongoing risk assessments, assuring the security of systems and services, protecting against unauthorized access, and a number of other specific measures. In addition, financial institutions that are victims of cyber extortion are advised to notify law enforcement agencies and their primary regulatory agencies, especially if sensitive customer information is accessed, and consider filing Suspicious Activity Reports.

While the joint statement specifically states that it does not purport to create any new regulatory expectations, in fact it recommends a series of specific measures that should be taken in cyber-extortion situations, and reminds financial institutions of their prudential and compliance obligations under current regulatory guidance. More generally, the joint statement underscores the financial agencies’ continuing – and perhaps increasing – concerns over cybersecurity and data breaches.

Financial institutions therefore should treat the joint statement as a regulatory directive on appropriate preventative and response strategies for cyber breaches involving extortion, as well as a reminder to make cybersecurity and data protection a top governance and operational priority that their regulators will regularly test during the examination and supervision process. The FFIEC statement contains links and references to existing guidance and resources from the FFIEC, FBI, and other agencies that, as a threshold matter, financial institutions should review and ensure have been incorporated into their compliance and risk management processes, as appropriate.

In a recent letter to the 18 members of the Financial and Banking Information Infrastructure Committee (FBIIC), Acting Superintendent of the New York Department of Financial Services (NYDFS) Anthony Albanese requested collaboration and regulatory convergence among the members on cybersecurity standards for financial institutions. FBIIC member organizations include the eight federal financial institution regulatory agencies, the US Department of the Treasury, two Federal Reserve Banks, the National Association of Insurance Commissioners, the Conference of State Bank Supervisors, and the Securities Investor Protection Corporation.

Acting Superintendent Albanese stressed the need for coordinated efforts with relevant state and federal agencies to develop a comprehensive cybersecurity framework, addressing the most critical issues while preserving flexibility to address NYDFS-specific concerns. In NYDFS’s view, potential regulations would require a financial institution to maintain a cybersecurity program covering 12 key areas:

  1. Information security
  2. Data governance and classification
  3. Access controls and identity management
  4. Business continuity and disaster recovery planning and resources
  5. Capacity and performance planning
  6. Systems operations and availability concerns
  7. Systems and network security
  8. Systems and application development and quality assurance
  9. Physical security and environmental controls
  10. Customer data privacy
  11. Vendor and third-party service provider management
  12. Incident response, including by setting clearly defined roles and decision-making authority