NY State Issues Final Cybersecurity Rules
On February 16, the New York Department of Financial Services (DFS) announced that it had issued its long-awaited cybersecurity regulation in final form. The rule, which was initially announced on September 13, 2016, and later revised in response to public comments, is set to take effect March 1, 2017, with compliance deadlines ranging from 180 days to up to two years. The rule will require banks, insurers and other financial services companies regulated by the DFS to set up a cybersecurity program aimed at protecting consumer information from cyberattacks. In issuing the final version of the rule, the DFS took into account the large number of public comments it received after it first issued the proposed regulation in September. Commenters were concerned about the “one-size-fits-all” approach to the regulated industries, and the technical and financial burden the rule would impose on small businesses, particularly with respect to reporting and encryption requirements. The final rule is designed to offer more flexibility to regulated businesses, with many of the rule’s requirements based on the covered entity’s own assessment of the areas in which it is most vulnerable.
On February 23, the Division of Investment Management of the SEC issued a guidance update on automated advisers (commonly referred to as robo-advisers) who rely on algorithms, provide advisory services over the internet, and typically offer limited direct human interaction with their clients. The SEC’s guidance emphasizes that robo-advisers are subject to the Investment Advisers Act of 1940 and focuses on the unique challenges that robo-advisers face, depending on their individual business models and operations, in connection with their legal obligations under the Investment Advisers Act. The guidance offers suggestions on how robo-advisers may address considerations particular to their business in the following areas: (1) substance and presentation of disclosures to clients about the robo-adviser and the investment advisory services it offers; (2) obligations to obtain information from clients to support the robo-adviser’s duty to provide suitable advice; and (3) adoption and implementation of effective compliance programs reasonably designed to address particular concerns relevant to providing automated advice. In addition to the Division of Investment Management’s guidance, the SEC’s Office of Investor Education and Advocacy issued an Investor Bulletin providing individual investors with information they may need to make informed decisions if they consider using robo-advisers.
Only one month after releasing its exam priorities for this year, on February 7, the SEC Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert describing the five compliance topics most frequently identified in deficiency letters sent to investment advisers after the completion of an OCIE examination. For more information, view the client alert issued by Goodwin’s Private Equity Group.
On February 23, the Federal Reserve Board (Board) and the OCC issued guidance explaining how supervisors should examine for compliance with the swap margin rule, which established margin requirements for swaps not cleared through a clearinghouse. The guidance explains that the Board and the OCC expect swap entities covered by the rule to prioritize their compliance efforts surrounding the March 1, 2017, variation margin deadline according to the size and risk of their counterparties. The final rule incorporated a phase-in period for swap entities to begin exchanging variation margin with their swap counterparties. The phase-in period gave markets and firms time to adjust to the new requirements, which were adopted in October 2015. The guidance explains that swap entities’ compliance with counterparties that present significant credit and market risk exposures is expected to be in place on March 1, 2017, as laid out in the final rule. For other counterparties that do not present significant credit and market risks, the OCC and the Board expect swap entities to make good faith efforts to comply with the final rule in a timely manner, but no later than September 1, 2017. The Farm Credit Administration, the Federal Deposit Insurance Corporation and the Federal Housing Finance Agency also administer the final rule for institutions under their jurisdiction, but currently have no swap entities affected by this guidance. However, these agencies stated that they support the guidance issued by the Board and the OCC.
For the last three and a half years, the SEC has been considering whether to approve placement of the Winklevoss bitcoin ETF (COIN) on the Bats exchange. However, the SEC’s inaction will end by March 11, which is the SEC’s deadline to either reject COIN or have it be automatically approved due to the SEC’s inaction. An approval of COIN would likely be a game changer for both the digital currency and the global financial markets, and could cause hundreds of millions of dollars to flow into the ETF in the first week alone from traditional investors who have remained on the sidelines. View the Digital Currency and Blockchain Perspectives blog post.
Enforcement & Litigation
On February 14, the SEC announced the settlement of two enforcement actions involving inadequate disclosures during battles for corporate control of publicly traded companies. In the first case, the SEC found that a Texas-based oil refinery company made inadequate disclosures in SEC filings about “success fee” arrangements with two investment banks retained by the company to defend against a hostile takeover bid. The company agreed to settle the case without admitting or denying the findings in the SEC’s order and will not be required to pay a penalty due to its remedial acts and cooperation with the SEC’s investigation. In the second case, the SEC found that groups of investors failed to properly disclose ownership information during a series of campaigns to influence or exert control over companies. In each of these campaigns, the groups collectively owned more than five percent and sometimes even more than 10 percent of the target companies’ outstanding common stock. Required ownership filings were either incomplete, untimely or altogether absent. Without admitting or denying the findings, the investors consented to the SEC’s order and each agreed to penalties between $30,000 and $180,000.
On February 17, the California Department of Business Oversight (California DBO) announced that it had entered into a $225 million consent order with a national mortgage servicer following an investigation by a third-party auditor into loans serviced by the company in California between January 1, 2012, and June 30, 2015. The servicer had agreed to the audit as a result of a previous consent order it entered with the California DBO on January 23, 2015. Pursuant to the terms of that consent order, the servicer had agreed to service no new loans in California while the audit was pending. The completion of that audit, and the consent order entered into on February 17, 2017, allows the company to service new loans in California. View the Enforcement Watch blog post.
On February 14, the Federal Trade Commission (FTC) announced that it had entered into a stipulated order with a student loan debt collector, resolving allegations that the debt collector violated the Fair Debt Collection Practices Act (FDCPA) and Federal Trade Commission Act (FTC Act) in its servicing of over two million accounts in 2014. In its complaint, which was simultaneously filed in the U.S. District Court for the Southern District of Texas, the FTC alleged that the debt collector left voicemail messages disclosing consumers’ debts to third parties without their permission. View the Enforcement Watch blog post.
Earlier this month, the Northern District of Illinois struck the class allegations in Cholly v. Uptain Group, Inc., a single-count TCPA case filed against a medical services provider and a debt collector based on allegedly autodialed calls the plaintiff received. The defendants had sought to dismiss the complaint on several grounds, but had also filed a motion to strike the plaintiff’s class allegations. Although the court denied the defendants’ efforts to dismiss the case, it granted the motion to strike. The court’s analysis in its opinion striking the class allegations may prove a useful guide for defendants in other TCPA actions as they map out their own litigation strategies. View the LenderLaw Watch blog post.
Join Fintech Sandbox, the DCU Fintech Innovation Center and the Boston Fintech Meetup in bringing together the ecosystem to support startups and help technologies thrive. Goodwin is a sponsor. For more information, please view the event website.
LendIt USA 2017 – March 7
LendIt USA is the world's largest marketplace lending event, bringing together over 4,000 members of the global online lending ecosystem. Goodwin is a sponsor. For additional information, please visit the event website.
Alison Douglass, partner in Goodwin’s Financial Industry Practice and ERISA Litigation Practice, and Scott Webster, chair of Goodwin’s ERISA & Executive Compensation Group, will be panelists at the Callan Associates Workshop. The discussion will focus on “Facing Today’s Challenges: Toward More Effective Fiduciaries.”
Goodwin is pleased to present this event created specifically to address issues faced by trustees, officers and in-house counsel at colleges, universities and research institutions. We are delighted to present David Greene, President of Colby College, as our keynote speaker. David is a highly respected leader in education and business and will provide an inspiring perspective on his experience with public/private partnerships focused on revitalizing cities and neighborhoods where schools are located. The symposium will also feature a panel discussion with in-house counsel at higher education institutions concerning the relationships between schools and their students, as well as interactive sessions led by industry experts and thought leaders on privacy and cybersecurity and recent developments in 403(b) plan excessive fee litigation. For more information, please visit the event website.