Weekly RoundUp
November 18, 2015

Financial Services Weekly News

Cybersecurity Regulatory Update. Reflecting the greater emphasis banking and other regulators have placed on cybersecurity, this week’s regulatory developments section includes two updates on this topic. The New York Department of Financial Services (NYDFS) has issued a letter addressed to members of the Financial and Banking Infrastructure Committee signaling the possible issuance by NYDFS of cybersecurity regulations. Separately, the Federal Financial Institutions Examination Council (FFIEC), which is composed of representatives of the federal bank regulatory agencies, the Consumer Financial Protection Bureau, the National Credit Union Administration and a state banking regulator, has updated one of its examination handbooks, including the addition of examination procedures related to cybersecurity. Like the NYDFS, the FFIEC in its Management booklet urges financial institutions to appoint a Chief Information Security Officer (CISO) and goes on to suggest that the CISO should have authority to function as an enterprise-wide risk manager with a strategic role within the organization and not merely as a production resource related to IT operations. Similarly, although the Management booklet is focused on the role of an institution’s board of directors and senior management in establishing and implementing an appropriate risk management framework for information technology, the booklet emphasizes the importance of adequately supervising third-party vendors and technology providers, which is a topic addressed extensively in other FFIEC guidance as well as guidance issued by other regulators. The FFIEC guidance goes on to note that a separate cybersecurity program is not currently a requirement under federal law but points out that financial institutions must address cybersecurity risks through their information security program. While the emergence of cybersecurity as a distinct threat addressed by regulatory guidance is a relatively recent phenomenon, this week’s developments underscore the attention regulators are paying to this topic and suggest the possibility that more regulation at both the federal and state levels—and associated compliance challenges—could be on the way.

Regulatory Developments

MSRB Publishes Compliance Advisory for Municipal Advisors

On Nov. 12 the Municipal Securities Rulemaking Board (MSRB) published its first municipal advisor compliance advisory, developed to assist municipal advisors with understanding and implementing the regulatory framework created by the MSRB. The 15-page advisory highlights fundamental regulatory requirements for municipal advisors and identifies risks associated with a failure to implement adequate compliance controls.

NYDFS Releases Potential New Cybersecurity Rules

On Nov. 9 the NYDFS published a letter to 18 other federal and state regulators outlining the NYDFS’ expected cybersecurity regulation requirements. The requirements, which would apply to any NYDFS regulated entity, would require financial institutions to designate a CISO, implement comprehensive written information security policies and procedures, conduct quarterly vulnerability assessments and create more stringent procedures for notification of cyber incidents and management of third party service providers. The NYDFS expressed that it hoped the letter would “spark additional dialogue, collaboration and, ultimately, regulatory convergence” among the recipient regulators.

FFIEC Issues Updated Management Booklet

The FFIEC has issued a revised Management Booklet, which is one of a series of 11 booklets that make up the FFIEC Information Technology Handbook. The Management booklet was last updated in 2004, and the most recent release reflects a comprehensive rewriting of the booklet. The updated booklet addresses how IT risk management relates to overall enterprise-wide risk management and includes updated examination procedures related to cybersecurity and information technology risk management.

FINRA Proposes Rule Changes to Implement a Tick Size Pilot Program under Regulation NMS

On Nov. 13 FINRA filed with the SEC two proposed rule changes to implement the Regulation NMS Plan to Implement a Tick Size Pilot Program (the Plan). The first proposes the adoption of FINRA Rule 6191(a) to implement the Plan’s quoting and trading requirements, and the second proposes to adopt FINRA Rule 6191(b) and amend FINRA Rule 7440 to implement the data collection requirements of the Plan. The Plan is designed to allow the SEC, market participants and the public to study and assess the impact of increment conventions on the liquidity and trading of the common stocks of small-capitalization companies.

Client Alert: Two Years and Essentially As Proposed: SEC Adopts Final Crowdfunding Rules

As reported our Nov. 4 Editor’s Note, on Oct. 30 the SEC adopted final rules to permit companies to offer and sell securities to non-accredited investors through “crowdfunding” as directed by Congress under the JOBS Act of 2012. Coming two years after the original proposed rules were published by the SEC on Oct. 23, 2013, the SEC’s final rules contain substantially all of the potentially burdensome SEC filing and public disclosure requirements that were contained in the proposed rules. It remains to be seen whether companies will conclude that the benefits of being able to raise up to $1 million in a 12-month period (the statutory fundraising cap) outweigh the potentially significant burdens and expenses of complying with the SEC’s initial and ongoing filing and public disclosure requirements. The final rules will become effective in May 2016 and may not be utilized by companies prior to that time. Goodwin Procter’s Crowdfunding practice issued a client alert discussing the final rules.

FDIC Proposes Update to Brokered Deposit FAQs

The Federal Deposit Insurance Corporation (FDIC) has requested comment on to its FAQs regarding identifying, accepting and reporting brokered deposits. The proposed revisions emphasize that determinations whether deposits must be classified as “brokered” are “very fact specific” and that “the FDIC always views these determinations on a case-by-case basis.” The proposed revisions also state that, if an institution was not aware that deposits should be treated as brokered prior to issuance of the FAQs, the FDIC would generally not require restatement of past Call Reports. The FDIC also highlighted that the proposed revisions, like the original FAQs, are based on existing law and prior precedent and are not intended to be new. To reinforce this point, the FDIC has proposed updating the FAQs to include additional footnote references to existing statutes, regulations and FDIC guidance. The proposed revisions include a discussion of when relationships with insurance agents, lawyers, accountants and other professionals may result in brokered deposits and when such arrangements may be sufficiently informal so that the professional would not be considered a deposit broker. In addition, the FDIC has proposed adding additional explanation of when dual employees of an insured depository institution may be considered deposit brokers, for instance, when a dual employee who is a registered representative of a broker-dealer recommends deposit products. The proposed revisions also includes additional discussion of why the primary purpose exception does not apply to general purpose prepaid cards as well as addressing the circumstances in which the FDIC would apply the primary purpose exception to funds associated with prepaid cards used by governmental agencies to deliver funds to beneficiaries of government programs. The FDIC has stated that it intends to update the FAQs annually, as needed. Comments on the proposed revisions are due by Dec. 28, 2015.

Enforcement & Litigation

SEC Fines Mutual Fund Adviser That Relied on False Performance Claims of Subadviser

On Nov. 16 the SEC announced that a mutual fund adviser had agreed to pay $16.5 million and submit to remedial sanctions and a cease-and-desist order to settled charges that it misled mutual fund investors and others with advertisements containing false historical performance about a major exchange-traded fund portfolio strategy called AlphaSector. In the Order, the SEC found that Virtus Investment Advisers (Adviser) had publicized a substantially overstated performance track record that it received from F-Squared Investments, Inc. (Subadviser), which it hired as subadviser for mutual funds and other clients that followed the AlphaSector strategy. Although the Subadviser had claimed that its performance data for the period from 2001 to 2008 was actual, the Subadviser admitted in a separate settled administrative proceeding that no assets of the Subadviser or its clients had tracked the strategy during that period. The Subadviser also admitted that it miscalculated the historical performance of AlphaSector during that time by incorrectly implementing signals earlier than they actually could have occurred. The SEC noted that, although the Adviser expressed skepticism about the AlphaSector track record at the outset of the relationship, the Adviser ultimately ignored red flags, failed to take steps to determine if the Subadviser’s buy or sell signals were used during the 2001-2008 period and had no records to support the calculation of the historical AlphaSector strategy track records that it advertised. These resulted in the Adviser’s violation of Advisers Act sections 204, 206(2) and 206(4) and related rules and also caused mutual funds that it advised to violate section 34(b) of the Investment Company Act.