The US Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) published a report on January 27 outlining various industry practices and approaches to managing and combating cybersecurity risks and maintaining operational resiliency. The OCIE observed these practices through thousands of examinations, and hopes that organizations can use the report to enhance their own cybersecurity preparedness and operational resiliency.
The Clearing House (the oldest banking association and payments company in the United States) recently released a model agreement as a voluntary starting point to facilitate data sharing between financial institutions and fintech companies.
The model agreement is intended to provide a standardized foundation that speeds up data access agreement negotiations; as the Clearing House notes, “[L]egal agreements between banks and fintechs have sometimes taken 12 months or more to be developed and finalized and have become a significant bottleneck to API adoption.” Additionally, the model agreement is designed to reflect the Consumer Financial Protection Bureau’s consumer protection principles on data sharing and aggregation, providing confidence to the contracting parties that the terms address key regulatory issues.
Russia’s Central Bank, the financial markets regulator in Russia, might soon receive the right to block websites. On 24 January, the State Duma, the lower house of the Russian parliament, approved amendments in the first reading to the Federal Law "On Information, Information Technologies and Protection of Information" and the Civil Procedure Code (the Proposed Amendments).
The Proposed Amendments are designed to give the Central Bank the right to block websites violating financial market legislation or used to maintain fraudulent activities.
A significant fine imposed by the UK’s Financial Conduct Authority (FCA) on an established UK insurer is further evidence of the increased scrutiny being placed on outsourcing arrangements by the financial services regulator, and also of the importance the regulator places on issues that directly impact retail customers.
The FCA is the UK’s “conduct” regulator, with a focus primarily on the regular business conduct of financial services businesses, as compared to the “macro” focus (safety and soundness) of the Prudential Regulatory Authority (PRA) – although there is overlap between the stated remits of the FCA and the PRA, and outsourcing arrangements are subject to scrutiny by both bodies.
Washington, DC partners Giovanna M. Cinelli, Kenneth J. Nunnenkamp, and Stephen Paul Mahinka and Boston partner Carl A. Valenstein recently published a LawFlash on the recent action taken by the Committee on Foreign Investment in the United States (CFIUS) to implement a pilot program under the Foreign Investment Risk Review and Modernization Act (FIRRMA). FIRRMA, which was enacted in August 2018, reformed the CFIUS screening process for foreign investment in the United States and, among other things, permits CFIUS to establish pilot programs to test the viability of certain of its provisions. The LawFlash addresses the objectives and the scope of the announced pilot program, including the countries and types of investments covered by the program. It also describes the new requirement for mandatory declarations "for certain transactions involving investments by foreign persons in certain U.S. businesses that produce, design, test, manufacture, fabricate, or develop one or more critical technologies" implemented by the pilot program. The pilot program becomes effective November 10, 2018.
For more information on the pilot program, please read the LawFlash.
European financial institutions (competent authorities, credit institutions, and investment firms as defined in EU Regulation No. 575/2013, collectively Institutions) have been instructed to comply with the European Banking Authority’s (EBA’s) recommendations when outsourcing to cloud service providers (Recommendations) as of July 1, 2018.
With cloud-based solutions offering new products geared to potentially reduce infrastructure costs and improve services, outsourcing to cloud-based service providers is becoming progressively more popular among Institutions. This trend has prompted the EBA to issue the Recommendations, with the expectation that Institutions will use their best efforts to comply.
We are seeing more merger and acquisition activity among technology services companies as European companies are seeking to expand their presence in US markets. Just this week, another acquisition of a growing US-based technology company by a global technology services leader headquartered in France was announced.
On July 22, French multinational company Atos—a global leader in technology services and digital transformation—announced that it entered into a definitive merger agreement with US-based Syntel. The acquisition, subject to regulatory approval, is scheduled to close by the end of 2018. Syntel, based in Michigan, is a global IT company specializing in cloud, mobile, analytics, and automation services. The purchase of Syntel is intended to strengthen Atos’s presence in the banking, financial services, and insurance (BFSI) industries, with Syntel generating a substantial portion of its revenue from BFSI and large global banks. The acquisition also will increase the North America presence of Atos and expand Atos’s workforce in India, adding 23,000 employees—18,000 of whom are based in India—to Atos’s current headcount of about 97,000.
Just when we finally figured out how to contract for “cloud” services and SaaS, here comes blockchain—the next disruptor for IT, businesses and, yes, us lawyers.
So what is blockchain? One of the best definitions that we have found comes from the Wall Street Journal’s “CIO Explainer: What Is Blockchain?”:
A blockchain is a data structure that makes it possible to create a digital ledger of transactions and share it among a distributed network of computers. It uses cryptography to allow each participant on the network to manipulate the ledger in a secure way without the need for a central authority. Once a block of data is recorded on the blockchain ledger, it’s extremely difficult to change or remove. When someone wants to add to it, participants in the network—all of which have copies of the existing blockchain—run algorithms to evaluate and verify the proposed transaction. If a majority of nodes agree that the transaction looks valid…then the new transaction will be approved and a new block added to the chain.
As blockchain technologies grow from an academic novelty to hubs of commerce, state and federal regulators are taking notice. Understanding what actions are regulated and by whom—and how to comply with those regulations—is essential to keep a company focused on innovation rather than litigation. As part of its First Cup of Coffee Briefing Series, Andrew J. Gray IV, a partner in our Palo Alto office, is hosting an interactive event on issues and best practices for regulatory compliance in the blockchain space.
Speakers at the event include Morgan Lewis partner Nathan J. Hochman and associate Jacob J.O. Minne, along with Dean Nicolls and Frank Marques from JUMIO, an online mobile payment and identity verification company.
In the upcoming GSVLabs Fidelity Accelerator program event, Morgan Lewis partner Don Shelkey of our Boston office will participate in a mentorship event for financial technology startups focused on intellectual property issues. The GSVLabs event is part of a broader program focused on mentoring financial technology startups on a broad range of business and legal issues.
The event will be held on February 14, 2018, in Boston.