NY Department of Financial Services Cybersecurity Regulation Now Effective

New York State’s “first-in-the-nation” cybersecurity regulation became effective on August 28, 2017.

The New York Department of Financial Services (“DFS”) cybersecurity regulation requires banks, insurance companies and other institutions regulated by the DFS (“covered entities”) to implement a cybersecurity program to protect consumer data (see previous coverage). A covered entity is required to have (i) a written cybersecurity policy or policies approved by the entity’s board of directors or a senior officer, (ii) a “Chief Information Security Officer” in place to protect data and systems, and (iii) other relevant “controls and plans” intended to fortify the safety of the financial services industry.

Firms also will be required to submit a Certification of Compliance annually that concerns the firm’s cybersecurity compliance program. The first such Certification must be submitted by February 15, 2018. The DFS now requires covered entities to submit notices of certain cybersecurity events to the DFS Superintendent within 72 hours of any occurrence. Covered entities will be able to report cybersecurity events through the DFS online cybersecurity portal. Institutions also will be able to use the portal to file notices of exemption.

DFS Superintendent Maria Vullo commented on the program:

“With cyber-attacks on the rise and comprehensive federal cybersecurity policy lacking for the financial services industry, New York is leading the nation with strong cybersecurity regulation requiring, among other protective measures, set minimum standards of a cybersecurity program based on the risk assessment of the entity, personnel, training and controls in place in order to protect data and information systems.”


Lofchie Comment: As if the life of a compliance officer trying to manage technology risk was not worrisome enough, the NY DFS has now added a state-wide regulatory burden to their job. On the positive side, there is a three-day weekend coming.

U.S. Imposes Economic Sanctions against Venezuela

On August 24, 2017, the White House imposed a new round of economic sanctions against Venezuela.

In an Executive Order titled “Imposing Additional Sanctions with Respect to the Situation in Venezuela,” the government levied restrictions intended to “prevent U.S. persons from contributing to the Government of Venezuela’s corrupt and shortsighted financing schemes while mitigating market disruptions and harm to investors” (see U.S. Treasury Department Office of Foreign Assets Control (“OFAC”) FAQs on Sanctions and Corresponding General Licenses).

Specifically, the Executive Order bans transactions related to the following:

  • new debt with a maturity of longer than 90 days of Petroleos de Venezuela, S.A. (“PdVSA”) (Venezuela’s state-owned oil and natural gas company);
  • new debt with a maturity of longer than 30 days, or new equity, of the Government of Venezuela;
  • bonds issued by the Government of Venezuela before the effective date of the Executive Order;
  • dividend payments or other distributions of profits to the Government of Venezuela from any entity owned or controlled, directly or indirectly, by the Government of Venezuela; and
  • purchasing securities, directly or indirectly, from the Government of Venezuela, other than new debt with a maturity of less than or equal to 90 days (for PdVSA) or 30 days (for other Government of Venezuela debt).

OFAC also issued four General Licenses to allow for (i) a wind-down period for contracts and other agreements that were effective prior to the Executive Order’s effective date; (ii) transactions involving CITGO Holding, Inc. (which is owned by PdVSA); (iii) dealings in certain specified Government of Venezuela bonds that would otherwise be prohibited; and (iv) all transactions that relate to “the provision of financing for, and other dealings in new debt related to the exportation or reexportation . . . of agricultural commodities, medicine, medical devices, or replacement parts and components for medical devices.”

FRB Seeks Comments on Proposed Repo-Based Reference Rates

The Board of Governors of the Federal Reserve System (“FRB”) issued a request for public comment on a proposal to publish three new benchmark interest rates based on overnight repurchase agreement (“repo”) transactions backed by Treasuries.

According to the FRB, the following rates would be produced in coordination with the Office of Financial Research:

  • Secured Overnight Financing Rate, which would be the “broadest measure of rates on overnight Treasury financing transactions” by including tri-party repo data from Bank of New York Mellon (“BNYM”), as well as cleared bilateral and General Collateral Financing (“GCF”) repo data from the Depository Trust & Clearing Corporation (“DTCC”). This rate was recently chosen by the Alternative Reference Rates Committee to be used as the alternative to U.S. dollar LIBOR.
  • Tri-Party General Collateral Rate, which would be based only on tri-party repo data from BNYM.
  • Broad General Collateral Rate, which would be based on tri-party repo data from BNYM, as well as cleared GCF repo data from DTCC.

The FRB noted that since these rates are based on Treasury-backed repo data, they are “essentially risk-free.” FRB is proposing to use a “volume-weighted median” as the “central tendency measure” for the aforementioned rates. The FRB is also proposing to publish the reference rates and accompanying summary statistics at 8:30 a.m. Eastern time, each morning beginning in mid-2018.

FRB is soliciting comments from the public, which must be submitted within 60 days of publication in the Federal Register.

Lofchie Comment: Note that these rates are for fully collateralized transactions, while LIBOR was (at least in theory) a rate for uncollateralized transactions. It would be informative to see how these rates perform in terms of financial stress. For example, would it be the case that a “flight to safety” results in the Secured Overnight Financing Rate declining when rates generally are rising to reflect a perception of increased risk?

CFTC Enforcement Director McDonald Highlights Importance of Self-Reporting

In a “CFTC Talks” podcast interview with CFTC Chief Market Intelligence Officer Andrew Busch, CFTC Enforcement Director James McDonald detailed his role as head of enforcement and emphasized the need for the CFTC to incentivize self-reporting.

Mr. McDonald explained that he leads a large team of staff that investigates and brings enforcement actions for violations of the Commodity Exchange Act and CFTC rules. He remarked that an important aspect of effective enforcement is ensuring that market participants are aware of the level of supervision and oversight to which they are subjected; by holding bad actors accountable for their misconduct, Mr. McDonald said, the market knows the Enforcement Division is “on duty.”

Mr. McDonald also stressed the importance of striking a proper balance between holding violators accountable for their misconduct and promoting cooperation. Market participants accused of wrongdoing, Mr. McDonald suggested, are more likely to be forthcoming if they know that they will receive a benefit in exchange for cooperation (such as a reduction in a civil monetary penalty). Mr. McDonald highlighted self-reporting as a particularly relevant example of incentivizing cooperation. He asserted that Division interactions with violators that self-report will not be a “game of gotcha,” and spoke to the importance of maintaining the integrity of the process:

“It’s not going to be, well, you self-reported. You told us about nine violations, but we went in and we found a tenth, so you’re not getting self-reporting credit.

We want to make it crystal clear to companies what we expect them to do in terms of self-reporting on the front end, but also what is fair for them to expect us to do on the back end.”

He vowed to make clear to market participants that the self-reporting benefits will be substantial, but also stressed that the self-report must be “real.” That is, it must not come as a result of legal obligation, or disclosure requirements, or as a result of already self-reporting to another agency.

Finally, Mr. McDonald gave a broad overview of his objective as the Director of Enforcement:

“[O]ur goal … as the Enforcement Division … is to try to figure out ways where our enforcement actions can be designed to have the broadest impact, or our enforcement policies can give the right incentives to companies so that they’ll comply with the law.”


Lofchie Comment: It is a cliché for regulators to tout the value of self-reporting, yet it is likewise unclear that regulators in fact sufficiently credit firms for doing so. See, for example, this recent CFTC enforcement action in which the benefits to the company of self-reporting were not so clear to outsiders as they seemingly were to the CFTC: “Japanese Bank Settles Spoofing Charges with CFTC.”

While this story happens to be about CFTC enforcement, as a practical matter the item could have been about many of the regulatory agencies. There are real societal benefits to encouraging self-reporting – in particular that the deficiencies of the self-reporting firm and the related necessary corrective actions may be communicated to the market as a whole, which could then potentially make the same corrections if needed – but these benefits are not going to be realized unless regulators are willing to provide self-reporting firms with something much closer to genuine amnesty (apart from the need to make restitution to injured parties).

Bondi on 10 Points for SEC Reform

The new leadership of the Securities and Exchange Commission (“SEC”) should seize the opportunity to review and improve the agency’s enforcement program.

CFS senior fellow Bradley J. Bondi offers a ten-point blueprint for the program.  Brad’s recommended measures would allocate resources more efficiently, strike a better balance between regulation and enforcement, and promote a closer adherence to the SEC’s mission.

The full report is available at

As always, CFS welcomes opinion.

CFS Monetary Measures for July 2017

Today we release CFS monetary and financial measures for July 2017.  CFS Divisia M4, which is the broadest and most important measure of money, grew by 4.1% in July 2017 on a year-over-year basis versus 3.7% in June.

For Monetary and Financial Data Release Report:

For more information about the CFS Divisia indices and the data in Excel:

Bloomberg terminal users can access our monetary and financial statistics by any of the four options:

3) {ECST} –> ‘Monetary Sector’ –> ‘Money Supply’ –> Change Source in top right to ‘Center for Financial Stability’
4) {ECST S US MONEY SUPPLY} –> From source list on left, select ‘Center for Financial Stability’

Senator Warren Asks Bank CEOs to Publicly Take Positions on CFPB Arbitration Rule

Senator Elizabeth Warren (D-MA) sent letters to the CEOs of 16 major financial institutions asking for information related to the Consumer Financial Protection Bureau (“CFPB”) arbitration rule.

Both House and Senate Republicans have recently introduced resolutions to block the rule using the Congressional Review Act, and the House resolution was approved on July 25, 2017. In light of this effort, Senator Warren requested that the CEOs of the 16 banks publicly express whether they support or oppose the rule. Senator Warren pointed to the lobbying groups that represent these banks and questioned why the financial institutions themselves would not take a position publicly:

“These organizations represent your bank and your industry, but you – and other CEOs of large banks – have remained silent on the rule. If your lobbyists are taking such strong positions against the rule, is there a reason both you and your bank have been unwilling to take a public position?”

While asking the banks to take a public position, Senator Warren also maintained that the information would be used in order to contribute to a better understanding of potential effects that may come from a reversal of the rule:

“This rushed process leaves little time for public hearings and other traditional congressional fact-gathering. I am seeking this information so that the public, my colleagues, and I can better analyze the impact of reversing this CFPB rule.”

In addition to requesting information regarding the banks’ positions on the rule, Senator Warren solicited data on outcomes of customer arbitration cases against the banks. She also requested that the banks provide copies of internal or public documents that demonstrate the impact of the rule on customers or company profits, and asked that each of the banks respond to her letter by September 1, 2017.

Lofchie Comment: There is little mystery as to why banks might choose to “remain silent” at this stage. They do not want to subject themselves to overtly political attacks, or be used in an obvious political stunt by Senator Warren. Senator Warren’s requests for a mountain of information from these banks suggest that the information gathered to date by the CFPB is lacking and that the resolutions under the Congressional Review Act are warranted. The fact that the Senator feels it necessary to ask these questions, rather than being able to argue from evidence already gathered by the CFPB, seems like an admission that the rulemaking was insufficiently considered.

SEC Issues Report on Access to Capital and Market Liquidity

The SEC Division of Economic and Risk Analysis (“DERA”) issued a report on how Dodd-Frank and other financial regulations have impacted (i) access to capital and (ii) market liquidity.

The report contains analyses of recent academic work, as well as original DERA analyses of regulatory filings. The report is divided into two major parts: “Access to Capital – Primary Issuance” and “Market Liquidity.” Highlights of the DERA report include the following:

Access to Capital – Primary Issuance

  • Primary market security issuance has not decreased since the implementation of Dodd-Frank regulations.
  • Capital from initial public offerings has “ebb[ed] and flow[ed] over time,” and the post-crisis downturn is “broadly consistent with historical patterns of IPO waves.”
  • The introduction of the JOBS Act brought an increase in small-company IPOs, and “IPOs by [emerging growth companies] may be becoming the prevailing form of issuance in some sectors.”
  • Regulation A amendments, including an increase in the amount of capital allowed to be raised, resulted in an increase in Regulation A offerings.
  • JOBS Act crowdfunding provisions have allowed some firms to use crowdfunding to raise pre-revenue funds.
  • The private issuance of debt and equity increased significantly between 2012 and 2016, and amounts raised through exempt offerings were much higher than those raised through registered securities.

Market Liquidity

  • There is no evidence that the Volcker Rule has resulted in decreased liquidity, particularly with regard to U.S. Treasury Market liquidity.
  • Trading activity in the corporate bond trading markets has tended either to increase or to remain static.
  • The number of dealers participating in corporate bond markets has remained similar to pre-crisis numbers.
  • Dealers have reduced capital commitments, which is in line with regulatory changes, such as the Volcker Rule, that “potentially reduc[e] the liquidity position in corporate bonds.”
  • For small trades, transaction costs generally have decreased; DERA suggested that this might be due in part to the emergence of alternate trading systems as platforms for trading corporate bonds.
  • For certain larger or longer maturity corporate bonds, transaction costs have increased since post-crisis regulatory changes.

DERA noted that it is difficult to quantify the effects of particular regulatory reforms, and that a variety of factors may contribute to market conditions.

Lofchie Comment: The conclusion reached by the Division of Economic and Risk Analysis – that there is no clear link between the Volcker Rule and decreased liquidity – contrasts sharply with the recent U.S. Treasury Report, which concluded that the rule’s “implementation has hindered marketmaking functions necessary to ensure a healthy level of market liquidity.” Similarly, a September 2016 study by FRB staff found that the Volcker Rule has had a “deleterious effect” on corporate bond liquidity. According to that study, dealers that are subject to Volcker requirements become less likely to provide liquidity during times of market stress.

Notably, DERA found that intraday capital commitments by dealers have declined by 68%. It is difficult to understand how a reduction in dealer inventory of this scale has no effect on liquidity. If that is really the case, then DERA should do more to identify the countervailing reasons that would explain the constancy of liquidity.

House Republican Staff Say CFPB Director Cordray Could Be in Contempt of Congress

Republican staff of the U.S. House of Representatives Committee on Financial Services (the “Committee”) released a report that lays out a case for instituting contempt of Congress proceedings against Consumer Financial Protection Bureau (“CFPB”) Director Richard Cordray.

In the staff report, the Republicans accuse Mr. Cordray of failing to comply with the Committee’s oversight of the CFPB, particularly regarding the recently adopted CFPB arbitration rule that concerns pre-dispute arbitration agreements. According to the report, Mr. Cordray consistently refused to comply with requests for records and documents related to the rule. In response, the Committee issued a congressional subpoena in order to compel the CFPB to produce the relevant records. The staff alleged that Mr. Cordray was legally obligated to address the congressional subpoena but failed to respond adequately. As a result, the Republicans accused Mr. Cordray of defaulting on the subpoena and asserted there is ample basis to proceed against Mr. Cordray for contempt of Congress.

Lofchie Comment: Agree or disagree with the policies of Mr. Cordray, it is just impossible to figure out how the CFPB fits within the structure of the government as established by the U.S. Constitution. The government has three branches: the Legislative (Article 1), the Executive (Article 2) and the Judicial (Article 3). Where does the CFPB fit into that structure? It seems troubling that the CFPB is not responsible to any of the branches. That is not a good way to run a railroad or a government.

OCIE Cybersecurity Report Shows “Overall Improvement”

The SEC Office of Compliance Inspections and Examinations (“OCIE”) examined 75 broker-dealers, investment advisers and investment companies as part of its Cybersecurity 2 Initiative to assess industry practices concerning cybersecurity preparedness. OCIE National Examination Program staff reported an overall improvement in awareness of cyber-related risks and the implementation of certain cybersecurity practices since the OCIE’s Cybersecurity 1 Initiative.

According to the OCIE Risk Alert, the Cybersecurity 2 Initiative examinations focused on written policies and procedures, and included more testing of controls. Specifically, it addressed:

  1. governance and risk assessment;
  2. access rights and controls;
  3. data loss prevention;
  4. vendor management;
  5. training; and
  6. incident response.

Notably, the OCIE found that all broker-dealers, all funds, and nearly all advisers examined in the Cybersecurity 2 Initiative maintained written cybersecurity policies and procedures around the protection of customer/shareholder records. These findings contrasted with those of the Cybersecurity 1 examinations. The OCIE also found firms that were not “adhering to or enforcing” policies and procedures, and firms where guidance for employees was too general. The OCIE report included recommendations for firms to improve the controls in their respective cyber programs.

In a related white paper on cyber risk, the Bank for International Settlements Financial Stability Institute evaluated the regulatory and supervisory initiatives in a number of leading jurisdictions, including Hong Kong SAR, Singapore, the United Kingdom and the United States. The report reviewed supervisory approaches to assessing the cyber-risk vulnerability and resilience of banks. The paper also identified a trend toward “threat-informed” testing frameworks, which use threat intelligence to design simulated cyber attacks when testing the cybersecurity of an entity.