Data Privacy and Cybersecurity

Subscribe to Data Privacy and Cybersecurity via RSS

The FCA is considering whether alternative data could introduce new risks to market integrity.

By Rob Moulton, Fiona Maclean, Stuart Davis, and Charlotte Collins

The FCA’s recently published Insight article explores how alternative data might give rise to market abuse risks. The article reports a significant increase in spending on alternative data in recent years, leading to questions about whether access to such data might provide recipients of the data with an unfair informational advantage over other market participants.

While traditional sources of data, such as a company’s financial statements, may contain inside information and must be treated appropriately before they are made public, the nature of alternative data is less clear-cut. Alternative data does not come from the company itself, and may derive from (or be extrapolated from) a number of sources. Alternative data may allow those with access to know things about a company that others in the market do not know, or that the company itself does not know. This may be the case, even if, as is frequently the case, the pool of structured/unstructured data used by the analytics engine is in the public domain. Evidently, this could provide trading opportunities that put the holder of such information at an advantage, as compared with other market participants.

A key example of where alternative data has raised concerns recently is in relation to so-called “secret polling”. The government has had exchanges with the FCA concerning the potential use of private polling data to obtain a trading advantage in advance of election results. The regulator’s view is that, while the Market Abuse Regulation (MAR) might be engaged by such activities, MAR would only apply if the underlying information were to constitute inside information. This is unlikely to be the case, unless the information met the MAR recital 28 test of information “routinely expected by the market” to be published, such as weekly BBC opinion polls. Therefore, MAR does not restrict the sharing of polling information that is not inside information. However, this position clearly raises political questions of fairness, as those able to pay for and access the data may well gain an advantage in the market, and those providing the data may not understand the use to which it will be put.

The US agency has used a no-action letter to enable a sandbox-like approach to blockchain-based trade settlements.

By Stephen P. Wink, Cameron R. Kates, Shaun Musuka, and Deric Behar

In what may be the first regulator-approved application of blockchain technology for the settlement of US equities trades, the Division of Trading and Markets of the US Securities and Exchange Commission (SEC) recently granted no-action relief to Paxos Trust Company (Paxos) to conduct a two-year “feasibility study” of a securities settlement service using distributed ledger technology. During this period, Paxos will be permitted to operate as a clearing agency under Section 3(a)(23) of the Securities Exchange Act without needing to register as a clearing agency under Section 17A(b)(1) of the Act. The no-action relief for the Paxos Settlement Service (PSS) is limited to clearing a volume-restricted number of trades per day of highly liquid publicly traded equities, for at most seven eligible broker-dealers.

The US derivatives regulator continues to foster FinTech adoption and leadership in US markets.

By Yvette D. Valdez, Douglas K. Yatter, and Deric Behar

The US Commodity Futures Trading Commission (CFTC) has affirmed its commitment to engaging the fast-moving financial technology world by elevating its LabCFTC unit to be an independent operating office within the CFTC, reporting directly to Chairman Heath Tarbert. LabCFTC is the agency’s FinTech hub, led since October 10, 2019, by Chief Innovation Officer and Director Melissa Netram. The announcement about LabCFTC’s new status was made at the agency’s second annual FinTech conference, “Fintech Forward 2019: Exploring the Unwritten Future,” held on October 24, 2019.

LabCFTC initiatives such as the annual FinTech conference provide a way for FinTech innovators to access the CFTC, while also allowing the CFTC to keep apace of new technologies and ideas impacting the financial markets. The CFTC also uses the forum to evaluate the potential of new technology for agency oversight activities.

Insights from Latham’s flagship event: Managing the risk and promise of digitisation in financial services.

By Fiona Maclean, Stuart Davis, and Alistair Wye

In a bid to keep pace with rapid advances in cloud adoption across financial services, regulators have published a raft of new guidance in the past year. Most recently, the European Insurance and Occupational Pensions Authority launched guidelines for insurers and reinsurers on outsourcing to cloud providers in July 2019, while the European Banking Authority (EBA) published updated guidance on outsourcing that came into effect on 30 September 2019, covering both cloud and other outsourcings.

We discussed some of the challenges facing financial institutions in the evolving area of cloud compliance at our recent event entitled Balancing the Scales: Managing the Risk and Promise of Digitisation in Financial Services. One key issue highlighted in the discussion is that the new EBA guidelines do not contain an overarching split between cloud and non-cloud arrangements, and there are no general exclusions or exceptions for new entrants or FinTech providers. Entities subject to the EBA guidelines will therefore face additional administrative burdens that they must balance with the need to stay ahead of the competition.

The FSB is reviewing cloud provider concentration risk in the latest example of regulator concern over reliance on leading cloud providers by financial services institutions.

By Alan W. Avery, Nicola Higgs, and Fiona Maclean

The Financial Stability Board (FSB), an international body of G-20 central banks and supervisors, continues to scrutinize the use of cloud services by financial services institutions. The FSB previously noted its concerns about the concentration risk of cloud services in the financial markets in a report of February this year. In that report, the FSB encouraged regulators worldwide to review their national regulatory frameworks to ensure appropriate oversight of cloud providers.

In line with its previous guidance, FINRA has granted broker-dealer (but not custodian) status to a digital asset platform.

By Stephen P. Wink, Cameron R. Kates, Shaun Musuka, and Deric Behar

In a follow-up to the July 2019 SEC and FINRA joint staff statement (Joint Statement) clarifying the regulators’ position on the custody of digital asset securities by broker-dealers, on September 27, 2019, FINRA granted broker-dealer status to a digital asset firm. The recipient, Harbor Square Investments (HSI) — a subsidiary of a San Francisco-based FinTech startup eponymously named Harbor — helps issuers of alternative investments and private securities tokenize their offerings and bring the security tokens to market on its blockchain-based platform.

US lawmakers urge FSOC to designate cloud-based storage systems used by major banks as systemically important financial market utilities.

By Alan W. Avery, Victoria McGrath, and Pia Naib

In an August 22, 2019, letter addressed to Treasury Secretary Steven Mnuchin, in his capacity as chair of the Financial Stability Oversight Council (FSOC), Congresswoman Katie Porter and Congresswoman Nydia Velazquez urged Secretary Mnuchin to designate the three leading cloud-based storage systems used by major banks — Amazon Web Services, Microsoft Azure, and Google Cloud — as systemically important financial market utilities (SIFMUs). This designation would subject such cloud-based storage systems to supervision and regulation by the Board of Governors of the Federal Reserve System (Federal Reserve). Citing Title VIII of the Dodd-Frank Act, which was enacted to promote stability in the financial system, the Congresswomen highlighted the dependence on cloud services by banks and financial institutions for their data needs and the subsequent risks such services pose to the safety and stability of the financial system.

If adopted efficiently, the PCPD’s Ethical Accountability Framework should help organizations to demonstrate and enhance trust with individuals.

By Kieran Donovan

In October, 2018, Hong Kong’s Privacy Commissioner for Personal Data (PCPD) presented the findings of an inquiry into the ethics of data processing, commissioned by the PCPD with the help of the Information Accountability Foundation (IAF). The result of the inquiry, published as the Ethical Accountability Framework, provides an “instruction manual” for processing data in an ethical and accountable manner.

Following on the heels of the PCPD’s report, the Hong Kong Monetary Authority (HKMA) issued a Circular titled Use of Personal Data in Fintech Development, encouraging authorized institutions (AIs) to adopt the PCPD’s Ethical Accountability Framework.

By Andrew C. Moyle, Grace Erskine, and Charlotte Collins

As leading global financial and FinTech centres, the UK and Singapore will benefit from strengthening their cybersecurity alliance.

On 13 June 2019, the Bank of England, the Financial Conduct Authority, and the Monetary Authority of Singapore announced that they will be working together to strengthen cybersecurity in their countries’ financial sectors.

The regulators have characterised the aims of this new collaboration as “identifying effective ways to share information and exploring potential for staff exchanges”.

All three regulators have identified cybercrime as an increasing global problem. Speaking about the new initiative, Mark Carney, Governor of the Bank of England, said, “The average cost of cybercrime for financial services companies globally has increased by more than 40% over the past three years. Cyber risk is not constrained by geographic boundaries, making international cooperation essential to address this growing threat”.

As several PSD2 deadlines approach, PSPs must comply with reporting and notification requirements, as well as with their GDPR obligations.

By Christian F. McDermott, Fiona M. Maclean, and Jagveen Tyndall

Though the majority of the provisions relating to the revised EU Payment Services Directive (PSD2) came into force in the UK on 13 January 2018, the regulatory technical standards (RTS) and strong customer authentication measures (SCA) will come into force on 14 September 2019. The FCA has issued a helpful reminder setting out some important deadlines that payment service providers (PSPs) must meet to be compliant.

Application Programme Interfaces

PSD2 allows third party providers (TPPs) to build payment service infrastructures upon the existing platforms of financial institutions; such institutions must provide TPPs with access to client account information via open application programme interfaces (APIs). Financial institutions seeking to enable such access can do so by either constructing dedicated interfaces built on these APIs or through adjusting existing customer interfaces. In both instances, such interfaces and their accompanying customer authentication measures must be in place by 14 September 2019.