FRBNY Assesses Potential Impact of Cyberattacks on Payment Systems

The Federal Reserve Bank of New York (“FRBNY”) analyzed the potential impact of a cyberattack transmitted through a payment system against a (i) single large bank, (ii) group of smaller banks and (iii) common service provider.

In a report entitled “Cyber Risk and U.S. Financial System: A Pre-Mortem Analysis,” the FRBNY warned that an attack on a bank’s ability to send payments “would likely be amplified to affect the liquidity of many other banks in the system.” According to the FRBNY, the U.S. financial system would be impaired by such an attack on (i) any one of the five most active U.S. banks, (ii) several small to midsize banks that are associated through a shared vulnerability or (iii) a bank with a small number of total assets but a heavy payment flow.

Additionally, the FRBNY:

– compared cyber risk with the “broader theoretical literature on bank runs,” including how cyber and other shocks are modeled in that literature;

– investigated the quantitative impact that a cyberattack can have on the financial system by studying the impairments of a cyberattack on a set of banks’ payment activities in Fedwire Funds Service;

– conducted a baseline scenario to highlight the high concentration of payments between large institutions within the wholesale payment network, and the great imbalance in liquidity that follows if a large institution does not remit payments to its counterparties; and

– considered scenarios involving multiple institutions that would be directly affected due to technological or other commonalities.

LOFCHIE COMMENTARY

Presumably, the bad guys know how to do this anyways, and the issues raised will focus the good guys on the risks.

FINRA Identifies 2020 Risk Monitoring and Examination Priorities

In its Risk Monitoring and Examination Priorities Letter (the “2020 Letter”), FINRA identified several areas of focus for 2020, including:

– Sales Practice and Supervision. FINRA will assess firms’ compliance with Regulation Best Interest (“Reg. BI”) and Form CRS. In addition, FINRA will focus on (i) communications to retail investors regarding private placements, (ii) use of different electronic communication channels (e.g., texting and social media), (iii) cash management and bank sweep programs, (iv) sales of IPO shares and (v) trading authorizations.

– Market Integrity. FINRA will monitor firms for compliance with current Order Audit Trail System (“OATS”) requirements, and implementation of Consolidated Audit Trail (“CAT”) reporting requirements. In addition, FINRA will address firms’ compliance with (i) direct market access requirements under Exchange Act Rule 15c3-5, (ii) best execution requirements under FINRA Rule 5310, and (iii) the requirements of Rule 603 (the “Vendor Display Rule”) and Rule 606 (“Disclosure of order routing information”) of Regulation NMS.

– Financial Management. FINRA will focus on (i) clearance and custody of digital asset transactions, (ii) liquidity management, (iii) compliance with net capital requirements in connection with underwriting commitments and (iv) the steps firms are taking to transition away from LIBOR.

– Firm Operations. FINRA will focus on (i) cybersecurity, (ii) technology governance programs and (iii) supervisory controls relating to customer confirmation and AML requirements.

LOFCHIE COMMENTARY

Several of the financial management areas of focus are as to issues where there is not actually a rule in place; e.g., liquidity management and transition from LIBOR. That does not make them any less significant. Firms may want to consider how they institute operational procedures to deal with regulatory expectations where there is not a specific rule that drives the firm’s conduct.

WSJ: Positive Revival of Agency that Aids Exporters (Exim)

The Wall Street Journal reports this morning on the reauthorization of the Export-Import Bank of the United States (EXIM) for seven years.

– The move represents a positive step forward to enhance economic growth, financial stability, and national security.

– Exim’s educational opportunities and finance unleash meaningful network effects. Once small and medium-sized companies overcome obstacles to exporting, new markets open.

– Conservative critics are justifiably worried about heavy-handed “industrial policy.” Yet, Exim activities fall far short of a well-intentioned public sector misallocating resources.

Congratulations to Chairman Kimberly Reed and Exim for the hard work and reforms needed to safeguard US financial and strategic interests!

SEC Commissioner Hester Peirce Questions Current Data Collection Practices

SEC Commissioner Hester M. Peirce questioned the agency’s current data collection process and analysis.

In a speech before the National Economists Club, Ms. Peirce expressed concern that regulators’ data collection requirements are too far-reaching. According to Ms. Peirce, regulators are increasingly expanding data requirements without adequately considering (i) the underlying costs to regulators, market participants and investors, (ii) the usefulness of the information, and (iii) the potential cybersecurity risks. She:

  • questioned whether the information collected by Form PF is useful enough to outweigh the burden of compliance on hedge funds and other private funds; and
  • expressed concern that the Consolidated Audit Trail (or “CAT”) – which will collect data from broker-dealers across the country – is costly and a significant cybersecurity liability.

Ms. Peirce urged the SEC to invite academics and market participants to analyze the data collected, raise questions and suggest regulatory solutions. She stated that oftentimes market participants are better at “identifying problems and generating solutions” than the regulators. To encourage independent assistance, Ms. Peirce advised the SEC to make it easier for market participants to access the available data.

Ms. Peirce also addressed recent feedback calling on regulators to foster “sustainable finance,” (a/k/a “building a financial system that fosters a better, more sustainable society”). She stated that such a system should be formed by the free market, and should not be “dictated by a few powerful financial regulators.”

LOFCHIE COMMENTARY

In a world where every website is under potential attack from hostile nation states and from criminal organizations, why would one take the risk of gathering so much financial information in one place? The U.S. government has been successfully hacked; very sophisticated data companies have been successfully hacked; large financial institutions have been successfully hacked. There appears no obvious justification for accumulating so much financial information in a single location, as there can be no assurance that it can be kept safe for all time. Put another way, if the regulators cannot attest that, even if the site is hacked, the benefit of collecting and aggregating the financial information will nonetheless outweigh the harm, then it seems imprudent to proceed.

Form PF, as previously described, is “fundamentally useless.” See, e.g., SEC Requests Comments on Form PF. Anyone with knowledge of the relevant subject areas can look at the questions and see that they will not generate meaningful data; it’s not even necessary to look at the responses to see that the entire data collection effort has been a 99% waste.

Facebook CEO Mark Zuckerberg Defends Libra

In testimony before the House Financial Services Committee, Facebook CEO Mark Zuckerberg defended his company’s proposed virtual currency, “Libra.” The Committee also considered several bills related to technology and the financial services industry.

Mr. Zuckerberg emphasized that Facebook would not launch the Libra payment system until it has the support of U.S. regulators. He warned that, while these issues are being “debate[d],” China and other countries are working to launch similar payment systems. He argued that since Libra would be backed by U.S. dollars, it would “extend” U.S. financial leadership. He also addressed several concerns, assuring the legislators that:

– a recent white paper co-authored by Facebook (see previous coverage) was intended to start a dialogue with financial experts and regulators, rather than serve as the “final word”;

– Facebook does not intend to “circumvent” regulators; and

– the intended purpose of Libra is to provide for the transfer of money through an online payment system, not to be a replacement for sovereign currency.

Mr. Zuckerberg also affirmed Facebook’s commitment to preventing discrimination among Facebook’s advertisers. To “combat[]” discrimination, he stated, Facebook has made specific changes to policies in order to prevent discriminatory advertisement targeting. For example, Facebook banned the use of age, gender or zip codes in housing and credit advertisements.

Committee members at the hearing discussed several bills concerning technology and finance related to issues raised by the testimony. These included:

H.R. Draft “Keep Big Tech Out of Finance Act” would prohibit large platform utilities (i.e., Facebook) from (i) being authorized as, or affiliating with, a U.S. financial institution or (ii) operating a digital asset that is intended to be “widely used” as a method for exchange, pursuant to the Federal Reserve.

H.R. Draft “Stablecoins Are Securities Act of 2019” would make clear that a managed stablecoin is subject to the same securities laws’ requirements as other securities that are meant to protect investors, such as disclosure, antifraud and conflicts of interest.

H.R. Draft “Bill to Prohibit the Listing of Certain Securities” would limit stablecoin issuers’ access to capital markets by prohibiting certain trading on U.S. national securities exchanges.

H.R. Draft “Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data” would create more “transparency” on how consumer data is collected by requiring commercial data operators to disclose (i) the type of user data collected, (ii) an examination of how valuable the user data is and (iii) third-party contracts involving the collection of the data.

H.R. Draft “Diverse Asset Managers Act” would require SEC registrants to (i) consider at least one “diverse” asset manager when seeking asset management services and (ii) report to the SEC the extent to which diverse asset managers are used.

LOFCHIE COMMENTARY

Facebook’s attempted entry into the digital currency market accelerated the inevitable: Congress and the financial regulators are more closely scrutinizing the entry of technology firms into the financial markets. What was not inevitable was Congressional overreaction. While it now seems universal practice to refer to Libra as a Stablecoin, it is not: it is an asset-backed coin (try “ABCoin”). Because the managers of Libra would have had the ability to shift the assets supporting Libra, Libra is not stable. Because of the management of the underlying assets backing the product, Libra almost certainly would have been a “security,” at least in the absence of an exemption, and therefore, it is not necessary to amend the securities laws to that end.

A true Stablecoin, whether backed by the dollar or another currency (or even a pool of currencies) may be issued as a custodial receipt that is not a security, and need not be regulated as a security. It would thus be a shame if such Stablecoins, which may very well provide an attractive alternative to other payment methods, were made impossible because of an overbroad reaction to Libra.

Mr. Zuckerberg is absolutely correct that the United States would benefit if a global stablecoin backed by the dollar were to emerge. Facebook’s principal mistake, which arguably reflects a certain lack of sophisticated understanding of financial regulation, was to go forward with a managed ABCoin, rather than a true Stablecoin.

IRS to Ask Taxpayers about Virtual Currency Transactions

The IRS proposed an amended draft of the 2019 Form 1040 that includes a question about taxpayer virtual currency transactions.

As previously covered, the IRS provided updated guidance in the form of a revenue ruling and an FAQ on the tax treatment of virtual currency transactions. The FAQ addressed (i) when a cryptocurrency on a distributed ledger undergoes a protocol change that results in a permanent divergence from the legacy distributed ledger (i.e., a “hard fork”) and (ii) when units of a cryptocurrency are delivered to the distributed ledger addresses of multiple taxpayers (i.e., an “airdrop”), typically following a hard fork.

The IRS proposed adding the following question to the 2019 Form 1040: “At any time during 2019, did you receive, sell, send, exchange, or otherwise acquire any financial interest in any virtual currency?”

Comments on the revised draft must be submitted to the IRS within 30 days after October 11, 2019.

FRB Vice Chair Randal Quarles Reviews FSB Activity

Federal Reserve Board Vice Chair Randal K. Quarles reviewed Financial Stability Board (“FSB”) activity and raised issues that continue to affect the global financial system. In a speech at the European Banking Federation’s European Banking Summit, Mr. Quarles highlighted the following:

OTC Derivatives. The FSB focused on the following issues as to OTC derivatives: (i) central clearing of standardized OTC derivatives, (ii) trading standardized OTC derivatives on an exchange or through an electronic trading platform, (iii) “reporting to trade repositories” and (iv) capital and margin requirements.

Prudential Bank Standards. Mr. Quarles addressed the work done by the Basel Committee to improve prudential standards for internationally active banking organizations (a/k/a “Basel III”). Mr. Quarles said that each of the 24 FSB jurisdictions has implemented the fundamentals of Basel III to incorporate risk-based capital and liquidity measures.

Key Attributes for Effective Resolution. As a solution to the “too-big-to-fail” dilemma, the FSB published “Key Attributes for Effective Resolution.” Mr. Quarles explained that the guidance offered procedures for national resolution regimes to follow if an important financial institution is failing.

Nonbank Financial Intermediation (“NBFI”). To better understand NBFI, the FSB conducted a “global monitoring exercise” and concluded that the overall size of NBFI to the global economy was $184 trillion. The FSB report also contained categories of NBFI activity and identified potential vulnerabilities.

Mr. Quarles also emphasized two issues the FSB is monitoring concerning the future of the global financial system.

– Financial Innovation. Mr. Quarles said that in response to an “explosion of financial innovation” in recent years, the FSB published a report on the potential implications and benefits of FinTech for the global financial system. Mr. Quarles highlighted multiple regulatory issues, such as (i) operational risks from third-party service providers, (ii) cyber risks and (iii) macrofinancial risks that may arise from FinTech activity.

– Market Fragmentation. While noting that market fragmentation will never “disappear,” Mr. Quarles explained that since the financial crisis, there have been growing concerns that globalization in the markets is slowing down. Mr. Quarles said that the FSB is working to assess the possible implications of market fragmentation, such as (i) the potential for regulatory “arbitrage” and (ii) an increased regulatory burden on firms.

FCM Settles CFTC Charges Resulting from Cybersecurity Failure

A futures commission merchant (“FCM”) settled CFTC charges for failing to enact sufficient cybersecurity measures and to notify customers of a $1 million cyber breach.

According to the Order, the FCM, Phillip Capital Inc. (“PCI”), failed to implement sufficient cybersecurity and customer disbursement policies and procedures, which ultimately allowed hackers to access its email systems and withdraw customer funds. After discovering that $1 million in customer funds had been withdrawn, PCI (i) approved reimbursement of the mistakenly wired customer funds, (ii) notified the CFTC Division of Swap Dealer and Intermediary Oversight the day of the fraudulent wire and (iii) implemented measures to prevent further fraudulent transfers. The CFTC found that PCI failed to disclose in a timely manner the material facts of the cyber breach and fraudulent wire to current and prospective customers.

The CFTC credited PCI the $1 million restitution as a result of its prompt reimbursement of the customer funds upon discovery of the fraud. PCI also agreed to (i) cease and desist from further violating CFTC Rules, (ii) report remedial efforts to the CFTC and (iii) pay a civil monetary penalty of $500,000.

LOFCHIE COMMENTARY

This enforcement action is an illustration of both (i) what can go wrong in connection with a cybersecurity failure and (ii) how much the task of compliance has changed as a result of the need to deal with cybersecurity, as well as other technology, issues.

The firm’s initial problems resulted from the fact that its employees were deemed not to be up to their cybersecurity tasks. Allegedly, the firm’s IT Manager “had limited training in cybersecurity, and cybersecurity was not broadly within the IT Engineer’s sphere of responsibility.” Apparently, neither the firm’s CCO, who was responsible for maintaining the firm’s Information Systems Security Program (“ISSP”), nor the CCO’s staff was qualified to manage cybersecurity defenses or problems. Even when firm employees discovered the breach, they failed to respond adequately and the hacker immediately rebreached the system. (The firm was arguably lucky that the hacker was so impatient. Had the hacker bided his time following the firm’s initial discovery, it is certainly possible that a second breach might have gone undiscovered for a longer period.)

The firm’s cybersecurity weakness was exacerbated by the fact that it had very weak “change of address” and disbursement policy controls. That was not of itself a cyber failure, but had those policies been up to speed, it is very likely that the major damage from the cyber failure itself could have been averted.

Finally, the firm failed to provide timely notice as to the breach. These days, firms must anticipate the possibility of a breach. While it seems unattractive to go public with information as to the breach, it is also risky not to do so.

SEC Provides Proxy Voting Guidance, Clarifies Obligations of Advisers

In a three-to-two vote, the SEC approved (i) guidance on an investment adviser’s responsibilities in proxy voting and in vetting any advice that the adviser may itself receive from a proxy advisor, and (ii) an interpretation and related guidance on rules for solicitation of proxies and proxy voting advice.

Proxy-Advisor Guidance

In the proxy-adviser guidance, the SEC clarified an investment adviser’s fiduciary duty and obligations under Advisers Act Rule 206(4)-6 (“Proxy Voting”) in connection with an adviser’s proxy voting for clients. In its guidance, the SEC:

  • recognized that the adviser-client relationship should not be handled with a “one-size-fits-all” approach; and
  • recognized the wide variety of ways that investment advisers can use proxy advisory firms’ services while fulfilling their fiduciary duty to clients.

SEC Commissioner Elad L. Roisman voted in favor of the guidance, asserting that it (i) conforms to the Proxy Voting Rule’s flexible, principles-based approach to investment advisers’ proxy voting responsibilities, (ii) modernizes the Staff Legal Bulletin 20 (“SLB 20”) and (iii) highlights the importance of serving a client’s best interests.

SEC Commissioner Robert J. Jackson, Jr. dissented, expressing concern that the guidance would further concentrate the “proxy-advisory industry” due to the additional costs of compliance. According to Mr. Jackson, smaller institutions may not be able to bear the necessary costs, which could lead smaller investors to opt out of voting. Mr. Jackson noted that although the “role of proxy advisors has been hotly debated for decades,” all sides know that a competitive market helps both investors and issuers.

SEC Commissioner Allison Herren Lee voted against the guidance, saying that it “creates significant risks to the free and full exercise of shareholder voting rights.” Specifically, Ms. Lee criticized the guidance stating it:

  • would increase costs and “time pressure”;
  • would require more issuer involvement, despite “widespread agreement” that it would “undermine the reliability and independence of voting recommendations”; and
  • should undergo a notice and comment period or a cost-benefit analysis.

Interpretation and Guidance on Proxy Voting Advice

The SEC also provided an interpretation of SEA Rule 14a-1 (“Solicitation of Proxies – Definitions”). The SEC stated that proxy voting advice by a proxy advisory firm generally constitutes a solicitation under federal proxy rules. The SEC clarified that solicitations that are exempt from proxy filing requirements nonetheless remain subject to SEA Rule 14a-9 (“False or Misleading Statements”).

Commissioner Roisman supported the interpretation of SEA Rule 14a-1, emphasizing that it reiterates previous SEC statements that proxy voting advice is generally considered a “solicitation” under the rule. Mr. Roisman said that the interpretation will not interfere with proxy advisory firms’ ability to rely on information and filing exemptions under the federal proxy rules. Further, Mr. Roisman stated that the guidance on Rule 14a-9 offers “helpful” information on proxy voting advice, such as what information proxy advisors should disclose.

Commissioner Lee opposed the interpretation of SEA Rule 14a-1, stating that the SEC is planning to review the solicitation rules and may soon change the underlying exemptions. Ms. Lee highlighted the potential compliance burdens, which would force market participants to implement processes to comply with a regulatory framework that may soon change.

Future Actions

SEC Chair Jay Clayton stated that the interpretation and guidance provided a “first step” toward modernizing the proxy system. Mr. Clayton added that the SEC is also considering recommendations to amend SEA Rule 14a-2(b) (“Solicitations to Which § 240.14a-3 to § 240.14a-15 Apply”), which provides information and filing requirement exemptions. These exemptions, according to Mr. Clayton, were “adopted decades ago and warrant a fresh look.”

LOFCHIE COMMENTARY

Investment advisers will need to take a close look, and a periodically ongoing look, at their proxy voting policies. Advisers should be mindful that nothing obligates them to vote their clients’ shares, as long as an adviser has made it clear in its agreement with its clients that it will not do so. For many advisers, voting shares will not be worth the effort.

Separately, the very interesting aspect of declaring that proxy advisors are subject to SEA Rule 14a-9 is that it imposes on proxy advisors a more significant burden to justify or support their advice and to disclose any conflicts related to that advice. Query whether the threat of liability under SEA Rule 14a-9 changes the way that proxy advisors go about their business?

CFPB Highlights Analysis on the Use of Non-Traditional Data in Credit Process

The CFPB highlighted the results of an analysis comparing the uses of traditional and non-traditional sources of information by consumers in the credit process.

In 2017, the CFPB granted no-action relief from certain Regulation B requirements to Upstart Network, Inc. (“Upstart Network”) to use alternative data (such as education and employment history) and machine learning for the purpose of an underwriting and pricing model. The no-action letter was contingent on Upstart Network providing the CFPB with information comparing results between (i) its credit underwriting and pricing model (a tested model) and (ii) a more standard model. Upstart Network was tasked with answering:

– whether the Alternative Model’s use of alternative data and machine learning would increase access to credit; and

– whether the Alternative Model’s underwriting or pricing results create greater disparities than the traditional model (i.e., by race, ethnicity, sex, age).

Based on the information gathered by Upstart Network, the CFPB found that:

– access-to-credit comparisons showed the Alternative Model approved 27 percent more applicants than the traditional model, in addition to yielding 16 percent lower average annual percentage rates (“APRs”) for approved loans;

– the expansion of credit access increased the acceptance rates in the Alternative Model for all tested race, ethnicity and sex segments by 23-29 percent while decreasing the average APRs by 15-17 percent;

– “near prime” consumers in the Alternative Model with FICO scores between 620 and 660 were approved nearly twice as frequently;

– applicants under 25 years of age in the Alternative Model were 32 percent more likely to be approved; and

– consumers in the Alternative Model with incomes under $50,000 were 13 percent more likely to be approved.

LOFCHIE COMMENTARY

Should the regulators be approving credit models based on whether they are happy with the results? What happens if another credit scoring metric produces different or less favored results: does that metric become illegal to use without regard to the process of its production or its accuracy?

Big data raises a lot of important social/moral questions; and “disparate impact” is one of the more complex ones. For some background discussion of “big tech,” “big data” and credit scoring, see “Big tech in finance: opportunities and risks,” particularly the discussion of credit provision beginning on page 60, and Senate Banking Committee Considers Testimony on Consumer Data Vendors.