Financial Services Alert - December 9, 2008

As briefly noted in the November 18, 2008 Alert, the FRB and the U.S. Treasury Department (together the “Agencies”) published a final rule (the “Rule”) implementing the provisions of the Unlawful Internet Gambling Enforcement Act of 2006 (the “Gambling Act”) that are applicable to financial services firms. 

The Gambling Act.  By way of background, the Gambling Act prohibits gambling businesses from accepting certain payments – including payments made by credit cards, electronic funds transfers, and checks – in connection with unlawful Internet gambling.  For purposes of the Gambling Act, unlawful Internet gambling is defined as a bet or wager made over the Internet that is unlawful where that bet or wager is initiated, received, or made.  The Gambling Act also directed the Agencies to prescribe rules requiring financial services companies participating in certain payment systems to implement policies and procedures reasonably designed to prevent or prohibit unlawful Internet gambling transactions.  The Rule was promulgated pursuant to that authority.

Designated Payment Systems.  The Rule generally applies to financial institutions (“Participants”) that operate, contract for, or otherwise participate in payments systems (“Designated Payment Systems”) that may be used to transfer money for purposes of unlawful Internet gambling.  Specifically, the Designated Payment Systems include automated clearing house systems; systems for credit, debit, pre-paid or stored-value cards; check collection systems; wire transfer systems and certain money transmitting businesses. 

Treatment of Intermediaries.  The Rule’s requirements to establish policies and procedures, in most cases, affect Participants that establish and maintain a relationship with the customer.  Accordingly, the intermediary services that process transactions in the Designated Payment Systems are often regarded by the Rule as exempt.  This means, for example, that the Participants other than the depository bank in a check collection system will not have an obligation for a transaction under the Rule. 

Focus on Commercial Customer Relationships.  The Rule also makes clear that the required policies and procedures should focus on commercial – and not consumer – customer relationships.  For guidance, the Rule supplies non-exclusive examples of policies and procedures that the Agencies deem to be reasonably designed to identify and block unlawful Internet gambling transactions.  Participants may tailor the examples provided to their business, and the Agencies emphasize that the Rule is intended to afford Participants with the opportunity to develop flexible, risk-based procedures.  In general, the policies and procedures the Rule deems satisfactory include, among other things, methods for a Participant to conduct due diligence when establishing commercial customer accounts, policies by which a Participant can conduct due diligence when in possession of actual knowledge that a commercial customer is engaged in unlawful Internet gambling, and procedures a Participant must follow on receiving an unlawful Internet gambling transaction. 

Safe Harbor .  The Rule provides a safe harbor for Participants that block transactions under the Rule’s requirements.  Specifically, a Participant that identifies and blocks a transaction, prevents the acceptance of its products or services in connection with a transaction, or otherwise refuses to honor a transaction, is protected from being liable to any party for such action if the transaction is in fact an unlawful Internet gambling transaction, if the Participant reasonably believes the transaction to be an unlawful Internet gambling transaction, or if the Participant prevents the transaction in reliance on its policies and procedures in an effort to comply with the Rule.

Effectiveness/Compliance Dates.  The Rule is effective on January 19, 2009, but the mandatory compliance date for the Rule for Participants is December 1, 2009, which is designed to give Participants ample time to develop necessary policies and procedures.  We would be pleased to work with financial services firms in their compliance efforts.

At its open meeting last week, the SEC adopted a number of changes to its rules regulating the credit rating agencies that register with it as Nationally Recognized Securities Rating Organizations (“NRSROs”).  Originally proposed in June 2008, these changes address conflicts of interest in the rating process and NRSROs’ reporting and disclosure obligations, particularly with respect to ratings for structured finance products.  The SEC also voted to propose additional changes to its NRSRO rules and Regulation FD affecting other disclosures related to the credit rating process.  These actions are the second of three phases of rulemaking that the SEC has undertaken with respect to NRSROs.  The first, which took place in 2007, created registration and oversight mechanisms for NRSROs.  The third, which was also proposed for public comment in June 2008, would eliminate references to ratings provided by NRSROs in SEC rules; no further action on this proposal has been taken to date.  (The impact of this proposal on rules under the Investment Company Act of 1940 and the Investment Advisers Act of 1940 was discussed in the July 8, 2008 Alert.)  The following description of last week’s SEC actions is based on the press release and fact sheet provided on the SEC website.  Formal releases with additional details, such as the effective date(s) of the rule changes adopted at the open meeting, have not yet been made publicly available.

Form NRSRO Disclosure.  The amendments revise Form NRSRO, the registration form used by NRSROs and applicants, to require disclosure of certain statistics regarding rating transitions (upgrades and downgrades) for each asset class of credit ratings and information regarding certain practices used in rating structured finance products

Public Availability of Records of Rating Actions.  The amendments will require an NRSRO to make publicly available a random sample of 10% of its issuer-paid credit ratings and their histories documented for each class of issuer-paid credit rating in which their ratings activity exceeds certain thresholds.

Recordkeeping and Reporting.  The amendments will require NRSROs to maintain the following additional records for inspection by the SEC staff: records regarding ratings changes, explanations for material differences between the results of quantitative models used in rating structured products and the final credit ratings issued, and records of any complaints regarding a credit analyst’s performance in various phases of the credit rating process.  In addition, an NRSRO will be required to provide the SEC with an annual report of the number of credit rating actions that occurred during the fiscal year for each class of security for which the NRSRO is registered.

Conflicts of Interest.  The amendments will impose the following restrictions designed to eliminate potential conflicts of interest affecting the credit rating process:

• An NRSRO may not issue a credit rating with respect to an obligor or security where the NRSRO or an affiliate of the NRSRO made recommendations to the obligor or the issuer, underwriter, or sponsor of the security about the corporate or legal structure, assets, liabilities, or activities of the obligor or issuer of the security.
• A person within an NRSRO who has responsibility for participating in determining credit ratings or for developing or approving procedures or methodologies used for determining credit ratings may not participate in any fee discussions, negotiations, or arrangements.
• An NRSRO may not allow a credit analyst who participated in determining or monitoring the credit rating to receive gifts, including entertainment, from the obligor being rated or from the issuer, underwriter, or sponsor of the securities being rated, other than items provided in the context of normal business activities, such as meetings, that have an aggregate value of no more than $25.

Proposed Rule Amendments.  The SEC is seeking comment on a proposed requirement that NRSROs disclose certain ratings history information and on a proposed requirement regarding mandatory information sharing by NRSROs that rate structured finance products.  The SEC is also proposing to amend Regulation FD to permit the disclosure of material non-public information to NRSROs regardless of whether they make their ratings publicly available.  Public comments on the proposed amendments must be received by the SEC within 45 days after their publication in the Federal Register.

The Financial Crimes Enforcement Network (“FinCEN”) released a final rule (“Final Rule”) easing certain currency transaction report (“CTR”) requirements for depository institutions.  In general and to detect criminal activity, depository institutions and others are required to file CTRs to report transactions in currency exceeding $10,000.  Existing CTR filing rules exempt from filing certain types of currency transactions posing a lower risk of criminal activity.  The Final Rule seeks to amend the existing requirements to streamline the reporting process and lower the burden on depository institutions to obtain exemptions from filing requirements for certain types of transactions.  The Final Rule was issued, in part, to respond to a General Accounting Office report issued in February 2008 which recommended that CTR requirements could be amended to ease the reporting burden while maintaining law enforcement efforts.

The Final Rule makes a number of changes to the CTR requirements.  The principal revisions are as follows:

• For customers that are other depository institutions, U.S. or state governments, or entities acting with governmental authority, depository institutions will no longer be required to review CTR exemptions annually or make a designation of exempt person filing.
• Depository institutions will be able to designate an otherwise eligible non-listed company or a payroll customer after either two months time (the requirement was previously twelve months) or after conducting a risk-based analysis of the legitimacy of the customer’s transactions.  The proposed rule, issued in April 2008, contained only the risk-based analysis exemption.
• For exempting nonpublic businesses conducting “frequent” transactions, the threshold has been lowered from eight transactions per year to five.
• FinCEN removed the existing requirement that depository institutions biennially renew a designation of exempt person filing for otherwise eligible Phase II customers, but retained a requirement to conduct an annual review of such customers.  Phase II customers include “non-listed businesses” and “payroll customers” as those terms are defined in 31 CFR 103.22(d)(2). 

The proposed rule would have required depository institutions to notify regulators when customers were no longer deemed subject to a CTR exemption, but this requirement was dropped from the Final Rule.  The Final Rule becomes effective on January 5, 2009.

In interpretive letter #1102 (“Letter 1102”), the OCC concluded that it is permissible under the National Bank Act (“NBA”) for the foreign branch of a national bank (the “Bank”) to engage in custodial clearing activities as a custodian clearing member (“CCM”) of the National Securities Clearing Corporation Limited (“NSCCL”), subject to lending limits and safety and soundness considerations.  Letter 1102 reasons that the NBA permits national banks and their branches to engage in custodian clearing activities, because clearing activities are functionally consistent with bank permissible credit and financial intermediation activities.  Letter 1102 also confirms that national banks and their foreign branches may contribute to funds and programs to guarantee the potential losses of others, as a condition of NSCCL membership, in order to engage in bank permissible activities, subject to lending limits.  The Bank’s exposure to the NSCCL for the defaults of other members is subject to the lending limit in 12 U.S.C. §84 or any lower limits set by its examiner-in-charge (“EIC”).

Letter 1102 requires that the Bank notify its EIC, in writing, of the proposed activities and receive written notification of the EIC’s supervisory no-objection before becoming an NSCCL member.  The no‑objection will be based on the EIC’s evaluation of the adequacy of the Bank’s risk measurement and management systems and controls to enable the Bank to engage in CCM activities on the NSCCL in a safe and sound manner, and the EIC’s evaluation of any other supervisory considerations relevant to NSCCL membership.

The U.S. Court of Appeals for the Second Circuit (the “Second Circuit”) reversed a district court decision and held that an investment adviser that has (a) discretionary authority over clients’ accounts and (b) power of attorney to file suit on its clients’ behalf, but does not have ownership or title of the claims themselves, lacks constitutional standing to bring securities fraud actions in a representative capacity on its clients’ behalf.  The adviser in question, whose clients were institutional investors such as public employee pension funds, sought to bring a lawsuit as “the investment advisor and attorney-in-fact on behalf of certain purchasers of … debt securities issued by Adelphia [Communications Corporation]” against firms that provided underwriting, auditing and legal services in connection with the offering of those debt securities.   The suit alleged that those firms had violated Sections 11 and 12(a)(2) of the Securities Act of 1933, as amended, and Sections 10(b) and 18 of the Securities Exchange Act of 1934, as amended.  The case came before the Second Circuit on an interlocutory appeal from the District Court for the Southern District of New York (the “District Court”) denying a motion to dismiss the suit on the grounds that the plaintiff lacked constitutional standing to sue on its clients’ behalf.

The Injury-In-Fact Requirement.  The Second Circuit found that the District Court’s decision was inconsistent with its own authority in Advanced Magnetics, Inc. v. Bayfront Partners Inc., 106 F.3d 11 (2d Cir. 1997), and a Supreme Court decision rendered after the District Court’s decision, Sprint Communications Co., L.P. v. APCC Serv., Inc., 128 S. Ct. 2531 (2008).  The Second Circuit noted that the fundamental question was whether or not the named plaintiffs could demonstrate an “injury-in-fact,” i.e., whether the plaintiffs could show that they had personally suffered some actual or threatened injury as a result of the putatively illegal conduct of the defendants.  The Second Circuit viewed Sprint as making clear that the minimum requirement for injury-in-fact is that the plaintiff have legal title to, or a property interest in, the claim.  The Second Circuit therefore saw Sprint as implicitly supporting the holding of Advanced Magnetics that a mere power-of-attorney does not confer standing to sue in the holder’s own right, because a power-of-attorney does not confer an ownership interest in the claim.  The Second Circuit noted that nowhere in the appeal, in the proceedings in the District Court or in its complaint had the adviser alleged that its clients assigned title or ownership of their claims against the defendants to the adviser.  The Second Circuit also dismissed arguments that the adviser had satisfied the injury-in-fact requirements because it suffered reputational harm as a result of investing its clients’ assets in Adelphia securities and “informational injury” as a result of its reliance on allegedly untruthful information provided by Adelphia in connection with those investments.  The Second Circuit observed that the suit was brought on behalf of the adviser’s clients, not itself, so that the relief sought in the complaint would not remedy either of the harms the adviser alleged it suffered. 

Exceptions to the Injury-In-Fact Requirement.  The Second Circuit examined exceptions to the injury-in-fact requirement that permit a third party to have standing where it can demonstrate (a) a close relationship to the injured party and (b) a barrier to the injured party’s ability to assert its own interest.  The Second Circuit rejected the adviser’s assertion of a potential exception based on “investment manager standing,” finding that the investment adviser‑client relationship is not the type of close relationship the courts have recognized as creating such an exception and that the adviser has failed to demonstrate that, absent a recognition of its standing claim, there was a hindrance to its clients’ ability to protect their own interests.  On the latter point, the Second Circuit observed that the clients in question were relatively sophisticated parties with a demonstrated capacity to protect their own interests in the absence of the adviser’s intervention.  The Second Circuit went on to note that several of the adviser’s clients had filed parallel individual suits in the Adelphia litigation, and others had proceeded as part of a class action pursuing similar claims. 

The case was remanded to the District Court for further proceedings consistent with the Second Circuit’s opinion.

Massachusetts has issued comprehensive data security regulations that are scheduled to go into effect on May 1, 2009.  They apply to any business in possession of personal information of Massachusetts residents, whether or not that business maintains a presence in the state.  The first of their kind in the country, these rules apply regardless of industry or the number of Massachusetts residents whose data is involved.  These regulations impose very detailed data security and system requirements to protect personal information and may require renegotiation of relationships with vendors to obtain written certifications about vendor practices and personal information.

Goodwin Procter invites you to attend a free webinar on the new Massachusetts Data Security Regulations on January 15, 2009 from 12:30-2:00 EST.  This webinar will address the practical implications of these regulations for businesses nationwide.  Attorneys from Goodwin Procter's Privacy & Data Security Practice will examine the scope and requirements of the new rules; analyze the interrelationship between the Massachusetts rules and other information security requirements; explore best practices for information security policy development and implementation; and share views on current trends in this area, including other states that may be considering similar legislation.