FCM Settles CFTC Charges Resulting from Cybersecurity Failure

A futures commission merchant (“FCM”) settled CFTC charges for failing to enact sufficient cybersecurity measures and to notify customers of a $1 million cyber breach.

According to the Order, the FCM, Phillip Capital Inc. (“PCI”), failed to implement sufficient cybersecurity and customer disbursement policies and procedures that ultimately allowed hackers to access their email systems and withdraw customer funds. After discovering $1 million in customer funds had been withdrawn, PCI (i) approved reimbursement of the mistakenly wired customer funds, (ii) notified the CFTC Division of Swap Dealer and Intermediary Oversight the day of the fraudulent wire and (iii) implemented measures to prevent further fraudulent transfers. The CFTC found that PCI failed to disclose in a timely manner the material facts of the cyber breach and fraudulent wire to current and prospective customers.

The CFTC credited PCI the $1 million restitution as a result of its prompt reimbursement of the customer funds upon discovery of the fraud. PCI also agreed to (i) cease and desist from further violating CFTC Rules, (ii) report remedial efforts to the CFTC and (iii) pay a civil monetary penalty of $500,000.

LOFCHIE COMMENTARY

This enforcement action is an illustration of both (i) what can go wrong in connection with a cybersecurity failure and (ii) how much the task of compliance has changed as a result of the need to deal with cybersecurity, as well as other technology, issues.

The firm’s initial problems resulted from the fact that its employees were deemed not to be up to their cybersecurity tasks. Allegedly, the firm’s IT Manager “had limited training in cybersecurity, and cybersecurity was not broadly within the IT Engineer’s sphere of responsibility.” Apparently, neither the firm’s CCO, who was responsible for maintaining the firm’s Information Systems Security Program (“ISSP”), nor the CCO’s staff was qualified to manage cybersecurity defenses or problems. Even when firm employees discovered the breach, they failed to respond adequately and the hacker immediately rebreached the system. (The firm was arguably lucky that the hacker was so impatient. Had the hacker bided his time following the firm’s initial discovery, it is certainly possible that a second breach might have gone undiscovered for a longer period.)

The firm’s cybersecurity weakness was exacerbated by the fact that it had very weak “change of address” and disbursement policy controls. That was not of itself a cyber failure, but had those policies been up to speed, it is very likely that the major damage from the cyber failure itself could have been averted.

Finally, the firm failed to provide timely notice as to the breach. These days, firms must anticipate the possibility of a breach. While it seems unattractive to go public with information as to the breach, it is also risky not to do so.

SEC Provides Proxy Voting Guidance, Clarifies Obligations of Advisers

In a three-to-two vote, the SEC approved (i) guidance on an investment adviser’s responsibilities in proxy voting and in vetting any advice that the adviser may itself receive from a proxy advisor, and (ii) an interpretation and related guidance on rules for solicitation of proxies and proxy voting advice.

Proxy-Advisor Guidance

In the proxy-adviser guidance, the SEC clarified an investment adviser’s fiduciary duty and obligations under Advisers Act Rule 206(4)-6 (“Proxy Voting”) in connection with an adviser’s proxy voting for clients. In its guidance, the SEC:

  • recognized that the adviser-client relationship should not be handled with a “one-size-fits-all” approach; and
  • recognized the wide variety of ways that investment advisers can use proxy advisory firms’ services while fulfilling their fiduciary duty to clients.

SEC Commissioner Elad L. Roisman voted in favor of the guidance, asserting that it (i) conforms to the Proxy Voting Rule’s flexible, principles-based approach to investment advisers’ proxy voting responsibilities, (ii) modernizes the Staff Legal Bulletin 20 (“SLB 20”) and (iii) highlights the importance of serving a client’s best interests.

SEC Commissioner Robert J. Jackson, Jr. dissented, expressing concern that the guidance would further concentrate the “proxy-advisory industry” due to the additional costs of compliance. According to Mr. Jackson, smaller institutions may not be able to bear the necessary costs, which could lead smaller investors to opt out of voting. Mr. Jackson noted that although the “role of proxy advisors has been hotly debated for decades,” all sides know that a competitive market helps both investors and issuers.

SEC Commissioner Allison Herren Lee voted against the guidance, saying that it “creates significant risks to the free and full exercise of shareholder voting rights.” Specifically, Ms. Lee criticized the guidance, stating that it:

  • would increase costs and “time pressure”;
  • would require more issuer involvement, despite “widespread agreement” that it would “undermine the reliability and independence of voting recommendations”; and
  • should undergo a notice and comment period or a cost-benefit analysis.

Interpretation and Guidance on Proxy Voting Advice

The SEC also provided an interpretation of SEA Rule 14a-1 (“Solicitation of Proxies – Definitions”). The SEC stated that proxy voting advice by a proxy advisory firm generally constitutes a solicitation under federal proxy rules. The SEC clarified that solicitations that are exempt from proxy filing requirements nonetheless remain subject to SEA Rule 14a-9 (“False or Misleading Statements”).

Commissioner Roisman supported the interpretation of SEA Rule 14a-1, emphasizing that it reiterates previous SEC statements that proxy voting advice is generally considered a “solicitation” under the rule. Mr. Roisman said that the interpretation will not interfere with proxy advisory firms’ ability to rely on information and filing exemptions under the federal proxy rules. Further, Mr. Roisman stated that the guidance on Rule 14a-9 offers “helpful” information on proxy voting advice, such as what information proxy advisors should disclose.

Commissioner Lee opposed the interpretation of SEA Rule 14a-1, stating that the SEC is planning to review the solicitation rules and may soon change the underlying exemptions. Ms. Lee highlighted the potential compliance burdens, which would force market participants to implement processes to comply with a regulatory framework that may soon change.

Future Actions

SEC Chair Jay Clayton stated that the interpretation and guidance provided a “first step” toward modernizing the proxy system. Mr. Clayton added that the SEC is also considering recommendations to amend SEA Rule 14a-2(b) (“Solicitations to Which § 240.14a-3 to § 240.14a-15 Apply”), which provides information and filing requirement exemptions. These exemptions, according to Mr. Clayton, were “adopted decades ago and warrant a fresh look.”

LOFCHIE COMMENTARY

Investment advisers will need to take a close look, and a periodically ongoing look, at their proxy voting policies. Advisers should be mindful that nothing obligates them to vote their clients’ shares, as long as an adviser has made it clear in its agreement with its clients that it will not do so. For many advisers, voting shares will not be worth the effort.

Separately, the very interesting aspect of declaring that proxy advisors are subject to SEA Rule 14a-9 is that it imposes on proxy advisors a more significant burden to justify or support their advice and to disclose any conflicts related to that advice. Query whether the threat of liability under SEA Rule 14a-9 changes the way that proxy advisors go about their business?

CFPB Highlights Analysis on the Use of Non-Traditional Data in Credit Process

The CFPB highlighted the results of an analysis comparing the uses of traditional and non-traditional sources of information by consumers in the credit process.

In 2017, the CFPB granted no-action relief from certain Regulation B requirements to Upstart Network, Inc. (“Upstart Network”) to use alternative data (such as education and employment history) and machine learning for the purpose of an underwriting and pricing model. The no-action letter was contingent on Upstart Network providing the CFPB with information about compared results between (i) its credit underwriting and pricing model (a tested model) and (ii) a more standard model. Upstart Network was tasked with answering:

  • whether the Alternative Model’s use of alternative data and machine learning would increase access to credit; and
  • if the Alternative Model’s underwriting or pricing results create greater disparities than the traditional model (i.e., race, ethnicity, sex, age).

Based on the information gathered by Upstart Network, the CFPB found that:

  • access-to-credit comparisons showed the Alternative Model approved 27 percent more applicants than the traditional model, in addition to yielding 16 percent lower average annual percentage rates (“APRs”) for approved loans;
  • the expansion of credit access increased the acceptance rates in the Alternative Model for all tested races, ethnicity and sex segments by 23-29 percent while decreasing the average APRs by 15-17 percent;
  • “near prime” consumers in the Alternative Model with FICO scores between 620 and 660 were approved nearly twice as frequently;
  • applicants under 25 years of age in the Alternative Model were 32 percent more likely to be approved; and
  • consumers in the Alternative Model with incomes under $50,000 were 13 percent more likely to be approved.

LOFCHIE COMMENTARY

Should the regulators be approving credit models based on whether they are happy with the results? What happens if another credit scoring metric produces different or less favored results: does that metric become illegal to use without regard to the process of its production or its accuracy?

Big data raises a lot of important social/moral questions; and “disparate impact” is one of the more complex ones. For some background discussion of “big tech,” “big data” and credit scoring, see “Big tech in finance: opportunities and risks,” particularly the discussion of credit provision beginning on page 60, and Senate Banking Committee Considers Testimony on Consumer Data Vendors.

Global Regulators Express Concern with Libra Network’s Ability to Protect Consumer Data

Data protection and privacy enforcement regulators expressed concern with the lack of information provided by Facebook and other members of the Libra Network regarding the proposed cryptocurrency.

In a joint statement, the UK Information Commissioner’s Office and authorities from Albania, Australia, Canada, Burkina Faso, the European Union and the United States expressed doubt about the Libra Network’s ability to protect consumer data given the (i) current lack of transparency regarding the digital currency and infrastructure and (ii) Facebook’s recent misuse of consumer data, which “had not met the expectations of regulators, or their own users.” The regulators warned that once Libra is launched, it could give the network access to “millions of people’s personal information.” Given these issues, the regulators emphasized that they were “surprised and concerned” that more information has not been provided regarding the network’s data protection efforts.

To achieve some clarity, the regulators called on the Libra Network to answer a number of very broadly phrased questions regarding data protection and privacy, and the ability of individual consumers to protect their information, including by deleting their accounts.

Monopoly Money: Facebook Executive Responds to Regulatory Concerns over Proposed Cryptocurrency

A Facebook executive responded to regulatory concerns over the company’s proposed blockchain-based cryptocurrency, “Libra.”

In testimony before the U.S. Senate Committee on Banking, Housing and Urban Affairs, Facebook subsidiary Calibra executive David Marcus emphasized that Facebook will not release Libra until it has addressed regulatory concerns and received the necessary approvals.

Mr. Marcus clarified that, among other things:

– Libra is like cash and will serve as a payment tool, “not as an investment”;

– Libra Reserve will be subject to its respective government’s monetary policies;

– Libra Association does not intend to compete with sovereign currencies or engage in the “monetary policy arena”;

– Facebook will hold a leadership role until the Libra network launches, after which Facebook will have the same voting power as all other members;

– Libra Association will be supervised by the Swiss Financial Markets Supervisory Authority and intends to register as a money services business with the Financial Crimes Enforcement Network;

– Libra will adhere to anti-money laundering and Bank Secrecy Act requirements; and

– Libra Association “cannot . . . and will not” monetize data from the blockchain.

Mr. Marcus outlined the structure and management of Calibra, established “to provide financial services using the Libra Blockchain.” Mr. Marcus distinguished Libra and Calibra, saying that the entities are separate and that they will not exchange individual customer data. Additionally, Mr. Marcus noted that, with exceptions, Calibra will not share customers’ accounts and financial information with Facebook, and that the information will not be used for ad targeting. Facebook said that Calibra will increase user activity on Facebook, thereby generating greater advertising revenue.

COMMENTARY / STEVEN LOFCHIE

The principal point of the statement was to assert that Libra will be operated in full compliance with all relevant national laws. As to one of the key questions concerning whether Libra coins might be a “security,” Mr. Marcus stated that it would not be because “Libra is a payment tool, not an investment. People will not buy it to hold like they would a stock or bond, expecting it to pay income or increase its value. Libra is like cash.”

Notwithstanding Mr. Marcus’ assertion, Libra raises a number of very difficult (or at least unresolved) legal questions. Unlike “stablecoins” that are completely linked to the value of a single currency (they are just representations of bank deposits), it is intended that Libra will be backed by a reserve of a number of different currencies. The relative proportions of various currencies to be held in the reserve is uncertain. The fact that Libra is not simply a virtual dollar means that, at least under current law, each purchase and sale of a Libra could be a taxable event for U.S. taxpayers. There are also securities law issues raised by, for example, the fact that the determination of the assets to back a Libra will involve discretion as to the purchase and sale of securities.

From a business standpoint, Mr. Marcus suggests that the real market for Libra may be outside of the United States or of any developed economy. Rather, the market for Libra could be principally in countries where the local currency is volatile or where there is significant uncertainty as to the soundness of the banking system. That actually makes a good deal of sense. Consumers in the United States may not have much use in their daily lives for a currency tied to a global basket of other currencies and securities that fluctuates each day, even if not that much, against the dollar. On the other hand, consumers in Venezuela might find such a currency very appealing.

SEC Chair Jay Clayton Responds to Criticism of Reg. Best Interest

SEC Chair Jay Clayton refuted criticism of the SEC’s recently adopted rulemaking package designed to strengthen protections afforded retail investors on services provided by broker-dealers and investment advisers. The rulemaking package consists of (i) Regulation Best Interest (“Reg. BI”), (ii) the Form CRS Relationship Summary, (iii) an interpretation of investment advisers’ fiduciary duty (the “Fiduciary Interpretation”), and (iv) an interpretation of the “solely incidental” prong of the broker-dealer exclusion under the Advisers Act.

In a speech in Boston, Mr. Clayton responded to seven claims that he believes are inaccurate, asserting that:

1. It is unrealistic to believe that it is possible to eliminate all conflicts of interest, and Reg. BI goes as far as is practicable in addressing broker-dealer conflicts of interest.

2. Reg. BI’s principle-based approach is preferable to a more prescriptive approach to the definition of “best interest,” which assumes that it would be possible to identify the “best” transaction for a particular investor.

3. The Fiduciary Interpretation applicable to investment advisers does not weaken the existing fiduciary duty but, rather, codifies existing SEC practices.

4. The Fiduciary Interpretation does require advisers to “avoid” conflicts.

5. The standards of conduct requirements under Reg. BI and the Fiduciary Interpretation cannot be met by disclosures alone, but require that firms act in the best interest of their customers.

6. Imposing an ongoing monitoring requirement on broker-dealers would not enhance Reg. BI and effectively would impose on them the duty to act as investment advisers.

7. The Form CRS Relationship Summary, along with online education resources, will provide material assistance to retail investors in understanding the duties they are owed by financial service providers.

STEVEN LOFCHIE COMMENTARY

When Regulation Best Interest was proposed, then-Commissioner Stein dissented from the proposal, saying it did not go as far as the DOL’s Fiduciary Rule Proposal; and while Commissioner Jackson voted to allow the proposal to go forward, he also criticized it as not going far enough. This should have served as a warning to Chair Clayton that any regulation that he adopted short of an imitation of the DOL’s Fiduciary Rule was going to be the target of substantial criticism. Chair Clayton proceeded on the basis that there was some middle ground of compromise that would satisfy detractors. That was simply not going to be the case.

Now, in many respects, we have ended up with the worst of all possible situations: (i) the Reg. BI adopting release fails to make any strong intellectual argument for why it is not reasonable to expect that broker-dealers can be fiduciaries to their clients; (ii) Reg. BI fails to make any distinction between sophisticated and unsophisticated natural person clients (treating Warren Buffett no different from a high school dropout); (iii) Reg. BI imposes significant new obligations on broker-dealers that very well may reduce the willingness of broker-dealers to provide “full-service” brokerage to retail investors and instead result in retail investors seeking any level of advice to potentially pay a much higher charge to an investment adviser; (iv) Reg. BI fails to satisfy any of the critics who wanted a fiduciary obligation imposed on broker-dealers; and (v) states are adopting their own “suitability” rules – urged on by Commissioner Jackson – thereby moving U.S. securities regulation away from a unitary system of regulation to a fractured Brexit system. See generally Cadwalader memorandum: Choose One – Best Interest or Full Service (Apr. 26, 2018); see also SEC Adopts Regulation Best Interest (June 6, 2019).

SIFMA Dismisses State Fiduciary Proposal; Advocates for a Uniform Federal Standard

SIFMA criticized New Jersey’s proposal to create a state fiduciary standard, calling a federal standard the “optimal approach” compared with an “uneven patchwork” of state laws.

In a comment letter, SIFMA emphasized that Regulation Best Interest (“Reg. BI”) will better protect investors and avoid confusion, as compared to a state-by-state approach. According to SIFMA, New Jersey’s proposal would (i) impose costly and burdensome regulations on firms, (ii) incentivize firms to restrict their brokerage services in New Jersey and (iii) cause many middle-class investors to lose access to advice altogether.

Specifically, SIFMA stated that the proposal would:

  • create, in certain instances, a burdensome ongoing fiduciary duty;
  • establish an “impossible ‘best of’ standard for recommendations of account-types, asset transfers, purchases, sales or exchanges of securities, and transaction-based compensation”;
  • enact requirements duplicative of Reg. BI; and
  • fail to address certain common brokerage activities, such as principal trading.

SIFMA advised New Jersey to “substantially revis[e]” its proposal to avoid these potential consequences.

COMMENTARY / STEVEN LOFCHIE

The establishment of heavier federal and state burdens on broker-dealers providing clients with recommendations, combined with the potential great diversity of state regulation, is yet another blow to the business model of “full-service brokerage,” in which broker-dealers provide “suitable” recommendations to individual clients and are compensated by their receipt of securities execution fees. If broker-dealers are going to be tasked as fiduciaries in making any recommendation to investors, then they need to consider whether the economics of undertaking this obligation without being expressly compensated for it makes sense. (See generally the Cabinet memorandum Choose One – Best Interest or Full Service.)

Leaving aside the heavier burden the regulators would impose on broker-dealers, the complexity of a 50-state regulatory regime (combined with an already very complex regulatory regime) simply makes things worse for firms registered as broker-dealers. The number of broker-dealers will continue to decline, the ability of investors to obtain intermittent investment recommendations outside of a formal advisory relationship (and the associated fees) will continue to decline, and regulators will continue to bemoan the increased concentration of financial service firms (as if they were not a principal driving force of that concentration). (Cf. CFTC Commissioner Dan Berkovitz Wants Agency to Focus on Competition and Position Limits.)

Staying with the difficulties that will be created by a fifty-state regulatory regime, Commissioner Jackson’s dissent to the adoption of Regulation Best Interest was particularly disappointing. The Commissioner favored an even stricter regime imposed on broker-dealers than Regulation Best Interest provided. However, rather than accept the disappointment of the outcome, and perhaps win the day in another administration, he essentially advocated for each state to go its own way. While this may provide the Commissioner with what he believes to be a victory on this issue, the overall effect on the U.S. economy of this victory and others of a similar nature, not only in the area of financial regulation, is extremely damaging. In effect, it is advocating for a mini-Brexit, with each jurisdiction establishing its own regulatory regime, and so losing the benefit of a single unified market operating under a consistent set of rules.

SEC Commissioner Hester Peirce Says SEC Will Closely Monitor Reg. BI Implementation

SEC Commissioner Hester M. Peirce urged critics “to take a fair look” at what Regulation Best Interest (“Reg. BI”) says before “proclaim[ing] it a success or failure.” She expressed the “agency’s commitment to monitor the [new rule] to ensure that investors in all income and wealth brackets are able to choose either a broker-dealer or an investment adviser.”

In a statement at the Open Meeting on Reg. BI and Related Actions, Ms. Peirce emphasized that there is more work to be done to ensure that the regulation helps investors without inflicting an unnecessary regulatory burden on broker-dealers. She asked firms to keep the SEC informed of any challenges or issues that arise throughout Reg. BI’s implementation. For example, Ms. Peirce raised concerns about small firms and broker-dealers who may be forced to change their names or registration status as a result of Reg. BI.

Ms. Peirce cautioned that the “very ambitious” compliance period will require firms to start their implementations immediately. Ms. Peirce said that the SEC should monitor Reg. BI’s implementation to ensure that, among other things, it does not exacerbate the trend of declining broker-dealers.

Additionally, Ms. Peirce noted improvements in the final Form CRS Relationship Summary and suggested ways to make disclosures more accessible. Specifically, Ms. Peirce encouraged the SEC to utilize online platforms and move away from paper-based documentation.

STEVEN LOFCHIE’S THOUGHTS…

Commissioner Peirce’s statement, while strongly in support of Reg. BI and the related rulemakings, nonetheless raises the issue as to whether the new requirements put further downward pressure on the full-service broker-dealer business model for retail investors. While it is certainly important for the agency to monitor the implementation process, and then determine whether the rule is properly calibrated to preserve the full-service business model, the practical reality is that if the rule has gone too far and materially damages the model, the damage done will likely not be reversible. It will take years of watching for the SEC to make any judgment as to the effect of Reg. BI on the full-service model (and any such judgment will be inherently subjective) and then it would take years more to make any rule revision. Businesses are much more easily destroyed than they are created.

SEC Commissioner Criticizes Agency for Limiting Investor Access to New Products

SEC Commissioner Hester Peirce criticized the agency for limiting investors’ access to new types of investment products. The Commissioner described very slow progress in formalizing and standardizing the treatment of relief for exchange-traded funds (“ETFs”).

In remarks at the ETFs Global Markets Roundtable, Ms. Peirce highlighted the benefits of ETFs in general, saying that they (i) provide investors with a range of investment options, (ii) are easy to enter and exit with low transaction fees and (iii) offer lower operating expenses relative to those of comparable mutual funds. Ms. Peirce observed that the SEC exercises caution with respect to approving new types of ETFs. She noted that the SEC just authorized its first non-fully transparent actively managed ETF after eight years of thinking about it.

Ms. Peirce urged the SEC to move forward with more speed on other requests for exemptive relief for projects. She criticized SEC “indecision” in the treatment of leveraged and inverse ETFs. Ms. Peirce said that after issuing several orders granting two sponsors permissions to operate as leveraged and inverse ETFs, the agency got “cold feet” and has not issued any other permissions. Ms. Peirce added that the agency’s reluctance to permit more competitors to offer geared ETFs is another instance of its curtailing access to an investment product that would be helpful to some investors.

In addition, Ms. Peirce proposed that the Division of Investment Management explore the marketplace’s interest in acquiring exposure to bitcoin and other cryptocurrencies through a registered investment company. She noted that although there is interest from investors and sponsors, the SEC has not yet granted an exemptive application for an ETF or approved a rule permitting the operation of crypto ETFs or other exchange-traded products. She emphasized that she did not believe such ETFs were necessarily a good investment, but added that it ought to be for the market and not the regulators to decide.

LOFCHIE COMMENTARY

Commissioner Peirce highlights fundamental questions that financial regulators must confront. Where should the line be drawn between protecting investors (effectively prohibiting them from buying a variety of risky products) and allowing investors to make their own decisions? This is not a binary decision; it is a line-drawing exercise.

Regulators tend to move toward protection rather than toward allowing investors to make their own decisions based on mandated disclosures. There is a fair amount of empirical evidence to suggest that such protectionism may be a good way to go, at least in the overall and aggregate scheme of things. This is, perhaps, even more true as holders of wealth age and become less capable of making sound decisions.

Yet depriving individuals of economic freedom has aspects that are worrisome. By way of managed ETFs, for example, the government may be depriving investors of choices that might be good for them. Should regulators discourage investors from taking such risk? Should riskier investments not be funded? Is society better or worse off?

Bigger picture, if adults cannot be trusted to make economic decisions, even on the basis of full disclosure, on what basis should they be trusted to make other decisions? By what logic are people who cannot be allowed to make reasonable economic decisions to be trusted to elect political decision makers? Where the line should be drawn is debatable, but permitting failure has to be an option.

OCC Underscores Risks Facing Federal Banking System

In its Semiannual Risk Perspective for Spring 2019, the OCC described the condition of banks as “strong” as far as capital, leverage and short-term performance. The regulators highlighted a number of significant big-picture risks, particularly as to AML compliance and operations and FinTech:

  • AML. AML-related deficiencies “stem from three primary causes: inadequate customer due diligence and enhanced due diligence, insufficient customer risk identification, and ineffective processes related to suspicious activity monitoring and reporting, including the timeliness and accuracy of Suspicious Activity Report filings. Talent acquisition and staff retention to manage [] compliance programs and associated operations present ongoing challenges, particularly at smaller regional and community banks.”
  • FinTech. “Rapid developments in FinTech and ‘big tech’ firms, evolving customer preferences, and the popularity of mobile technology applications have significantly changed the way banks operate and consumers conduct their banking and financial activity. . . . [T]he pace of change and the transformative nature of technology may result in a more complex operating environment. . . . Changing business models or offering new products and services can, however, elevate strategic risk when pursued without appropriate corporate governance and risk management. New products, services, or technologies can result in greater reliance on third parties by some banks and a concentration of service providers by the industry as a whole.”

LOFCHIE COMMENTARY

A key takeaway from the OCC’s regulatory comments is that the regulators expect that there is likely to be a material reduction in the number of smaller banks. They are squeezed on the expense end from compliance costs and new technology costs, and squeezed on the revenue end from competition with FinTech firms and customers’ disinterest in traditional banking relationships.