The Department of Labor Issues Final Fiduciary Rules

On April 6, 2016, after more than five years of anticipation, the Department of Labor (DOL) issued the final fiduciary rule and related guidance. The final fiduciary rule amends and expands the definition of a fiduciary that provides “investment advice” to reflect changes in the financial industry and the state of investment advice as it exists today, reports Sherman & Howard LLC.

“The final rule focuses on ‘conflicts of interest,’ and serves to sweep in a large number of investment advisers who were not previously treated as fiduciaries under the Employee Retirement Income Security Act of 1974 (ERISA). To temper the scope and impact of the final rule, the DOL also issued two new prohibited transaction exemptions (along with certain amendments to existing exemptions),” the report says.

In the article, the firm offers guidance intended to address the concerns of these investment advisers with respect to certain prohibited transactions under ERISA and the Internal Revenue Code, while still protecting retirement plans and participants.

Read the article.





Vendor Contracting and GLBA’s Safeguards Rule

By Rob Scott
Scott & Scott LLP

I am a technology lawyer representing banks and other financial institutions in technology transactions. As you might imagine, many of my clients are investing heavily in security products and services. In some instances, they are considering cloud solutions to enhance their customers’ experiences. Financial institutions are regulated by the Gramm-Leach-Bliley Act (“GLBA”), which is codified at 16 CFR 314. GLBA defines financial institutions as all businesses, regardless of size, that are significantly engaged in offering financial goods or services. GLBA includes both privacy and safeguards rules related to customer information. These rules require financial institutions to implement adequate administrative, procedural, and technical safeguards designed to protect customer information.

What is a service provider under the GLBA Safeguards Rule?

GLBA extends to the financial institution’s vendors by operation of law if the vendor meets the definition of service provider. A service provider is defined as:

Any party that is permitted access to a financial institution’s customer information through the provision of services directly to the institution.

Given the complexity of hosted and cloud-based services, it is sometimes difficult to determine whether a vendor meets the service provider definition under GLBA. This is an important threshold issue in any transaction, because GLBA has specific rules regarding vendor due diligence and required contract provisions for contracts with service providers.

What is customer information under the GLBA Safeguards Rule?

At the beginning of a new project, counsel should discuss the potential operational and legal risks of the proposed transaction. It is critical to understand where the data will reside and how it will be moved, shared, and stored. Counsel should keep probing until clear on the question of whether the proposed transaction involves customer information as that term is defined under GLBA, 16 C.F.R. 313.3(n), which provides:

(n)
(1) Nonpublic personal information means:
(i) Personally identifiable financial information; and
(ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.

(2) Nonpublic personal information does not include:
(i) Publicly available information, except as included on a list described in paragraph (n)(1)(ii) of this section; or
(ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available.

(3) Examples of lists —
(i) Nonpublic personal information includes any list of individuals’ names and street addresses that is derived in whole or in part using personally identifiable financial information (that is not publicly available), such as account numbers.
(ii) Nonpublic personal information does not include any list of individuals’ names and addresses that contains only publicly available information, is not derived, in whole or in part, using personally identifiable financial information that is not publicly available, and is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.

I look to 313.3(n) for the definition of customer information even though it is in the GLBA Privacy Rule. The GLBA Safeguards Rule’s definition of customer information is contained in 16 CFR 314.2 and reads as follows:

Customer information means any record containing nonpublic personal information as defined in 16 CFR 313.3(n), about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.

Therefore, I have to understand whether the vendor will be permitted access to any record containing personally identifiable financial information, or any list, description, or grouping derived using personally identifiable financial information. If I conclude that the data in question includes personally identifiable financial information, then I continue to the next line of questions.

What is permitted access under GLBA?

After determining whether or not customer information is at risk, counsel should evaluate the proposed architecture and service delivery options. These questions may include: How will the vendor deliver services? Where are the applications hosted? Who owns the hardware? To properly apply the GLBA Safeguards Rule, everyone should understand how the vendor will interact with customer data throughout the project life cycle.

It is usually pretty easy to determine whether the vendor will be permitted access to customer data if the application is hosted in the vendor’s cloud. More difficult permission cases include service and support of on-premises applications where service providers are given access to customer data to troubleshoot or resolve issues. I assume all vendors whose applications store customer information to be service providers under GLBA’s Safeguards Rule unless I am convinced otherwise during the client interview. Rarely, the client will present a use case involving an on-premises deployment of an application where the vendor never has access to the application. Most of the time, even when on-premises deployments are further evaluated, the vendor is a service provider because they are permitted access to the application during implementation or when performing maintenance and support.

A vendor is not a service provider under GLBA merely because a compromise of the vendor’s system could lead to access to customer data. Accordingly, the GLBA Safeguards Rule is triggered only when access is given by permission, either through the contract or operationally.

Transactions between financial institutions and their technology service providers are often regulated by GLBA. Lawyers need to determine whether the transaction involves personally identifiable financial information and, if so, whether the vendor will ever be permitted access to any records at any time. These two issues determine whether the vendor is a service provider under GLBA’s Safeguards Rule. Once that determination has been made, GLBA imposes numerous additional requirements on both the service provider and the financial institution.




Job Applicant Waited Too Long to Sue Over Credit Report

The statute of limitations on an unsuccessful job applicant’s Fair Credit Reporting Act claim began to run when he discovered that his credit report had been pulled, not when he learned that the employer’s action was an FCRA violation, according to the U.S. Court of Appeals for the Sixth Circuit.

Richard A. Roth wrote on Wolters Kluwer’s Law & Business website that the general rule is that a statute of limitations begins to run when the facts giving rise to a claim are discovered, and the FCRA adheres to that general rule. The case is Rocheleau v. Elder Living Construction, LLC, Feb. 18, 2016, Siler, E.

“The job applicant asserted that the two-year limit began to run not when he discovered that the background report had been ordered but rather when he discovered that doing so was an FCRA violation,” Roth explained. But the appellate court disagreed.

Read the article.





Goldman Sachs Bankers Said to Depart on Guidelines Breach

Three bankers have left Goldman Sachs Group Inc. after the U.S. firm determined they breached internal guidelines in connection with the bank’s advisory role on the planned acquisition of a consumer company in the Middle East, reports Bloomberg News, citing sources familiar with the matter.

“The bankers who departed in December were involved in advising a potential buyer on an investment in fast-food company Kuwait Food Co., which operates KFC restaurants in the Middle East, said the people, who asked not to be identified because the matter is private,” the report says. “Two employees were based in Dubai and another in London, the people said.”

The company is thought to have discovered that two of the bankers did not identify themselves as bank employees when they attended a meeting with the target company alongside other financial services firms. “The third banker was aware that colleagues participated in the meeting, two of the people said, and all three were deemed to not have adhered to the firm’s internal guidelines. Other employees were also disciplined as a result of the incident, the people said.”

Read the article.





Morgan Stanley to Pay $3.2B Penalty in Securities Deal

Morgan Stanley will pay a $2.6 billion penalty to resolve claims related to Morgan Stanley’s marketing, sale and issuance of residential mortgage-backed securities (RMBS), the Justice Department reported Thursday.

The settlement constitutes the largest component of the set of resolutions with Morgan Stanley entered by members of the RMBS Working Group, which have totaled approximately $5 billion. As part of the agreement, Morgan Stanley acknowledged in writing that it failed to disclose critical information to prospective investors about the quality of the mortgage loans underlying its RMBS and about its due diligence practices. Investors, including federally insured financial institutions, suffered billions of dollars in losses from investing in RMBS issued by Morgan Stanley in 2006 and 2007.

“In today’s agreement, Morgan Stanley acknowledges it sold billions of dollars in subprime RMBS certificates in 2006 and 2007 while making false promises about the mortgage loans backing those certificates,” said Acting U.S. Attorney Brian J. Stretch of the Northern District of California. “Morgan Stanley touted the quality of the lenders with which it did business and the due diligence process it used to screen out bad loans. All the while, Morgan Stanley knew that in reality, many of the loans backing its securities were toxic. Abuses in the mortgage-backed securities industry such as these helped bring about the most devastating financial crisis in our lifetime. Our office is committed to dedicating the resources necessary to hold those who engage in such reckless actions responsible for their conduct.”

Read the announcement.





Wells Fargo to Pay $1.2B Federal Mortgage Settlement

Wells Fargo has agreed to a $1.2 billion settlement to resolve a long-running mortgage dispute with the U.S. government, a move that slashes the bank’s 2015 profit by $134 million, reports The Charlotte News & Observer.

“The deal involves civil fraud claims brought in 2012 against the San Francisco-based bank, which the government had accused of ‘reckless’ underwriting practices that led to thousands of federally-insured loans defaulting,” according to the report. “The government said Wells Fargo’s false certifications that the loans met requirements for federal insurance resulted in hundreds of millions of dollars in insurance payouts.”

Read the article.





HSBC Says It Successfully Defended Attack on Online Banking System

HSBC says it “successfully defended” an attack on its online banking system on Jan. 29, but services were disrupted on a key day for many people’s personal finances, reports The Guardian.

HSBC customers were locked out of internet banking for several hours after the company was targeted by online criminals in a denial of service attack.

The bank said it was working with the authorities to “pursue the criminals responsible.”

Read the article.





FAST Act Impact on Community Banks

The recently signed FAST Act was conceived as a federal transportation bill, but it also contains a number of provisions targeted toward the financial services industry, which will have a considerable impact on the strategy and operations of community banks, reports Bracewell & Giuliani.

The report includes sections covering using Federal Reserve resources to offset the cost of the legislation, regulatory relief measures for small to medium sized banks, equalizing the registration threshold for holding companies, and codifying the “4(1½)” exemption.

The FAST Act includes several other capital markets provisions that facilitate access to the capital markets for emerging growth companies and smaller reporting companies, according to the authors, Sanford Brown, Lauren Bourke Chase, Justin Long and Joshua McNulty.

Read the article.





The Importance of Cyber Resilience and Incident Response for Financial Institutions

InformationWeek has posted a free on-demand webinar reviewing key industry cyber security trends affecting financial institutions and methods of preventing and responding to a breach.

“If you’re like most financial institutions, you have controls that identify breaches, but need proper procedures that’ll enable you to recover from such an event,” InformationWeek says on its Bank Systems & Technology site. “In addition, you now face regulatory guidance for developing cyber resilience within your security program. Your ability to respond quickly to cyber security incidents is critical to limiting the impact of a breach on your operations.”

The webinar discusses the current threats across the financial marketplace and explores strategies for implementing a successful incident response program as outlined in the Federal Financial Institutions Examination Council’s cyber resilience guidance.

Watch the on-demand webinar.





China’s Banks Test U.S. Legal System

As China’s big banks expand in the U.S., they are testing how far U.S. judges can go in demanding account records located in China, The Wall Street Journal reports.

“In a closely watched case, Kering SA’s Gucci and its other luxury brands allege that some of their most troublesome counterfeiters have accounts with Bank of China Ltd. and have issued subpoenas for information about their transactions,” report Nicole Hong and Lingling Wei.

The Bank of China has responded that turning over account records would violate Chinese law.

Read the article.





Dykema Expands Financial Institutions Practice with Addition of Elizabeth Khalil

National law firm Dykema has announced the addition of Elizabeth Khalil to its Government Policy & Practice Group in the firm’s Chicago office. Khalil will also spend time in the Washington, D.C., office, as well as in the firm’s Michigan and Texas offices.

Prior to joining Dykema, she served as Acting Special Assistant to Mark Pearce, Director of the Federal Deposit Insurance Corporation (FDIC)’s Division of Depositor and Consumer Protection (DCP).

In her previous role, Khalil acted as a key advisor on a number of special projects and initiatives and served as a liaison within DCP, across the FDIC, and with external units. She also served as Senior Compliance Policy Analyst, where she represented the FDIC and DCP in interactions with federal and state regulators and a variety of other stakeholders, such as the financial services industry, consumer advocates, the public and the press. A significant part of her work related to community banking, including providing technical assistance and addressing issues of interest to community banks. She worked on projects with the Federal Financial Institutions Examination Council and Consumer Financial Protection Bureau, including serving as chair of the interagency working group that produced the first social media-focused compliance risk management guidance issued to the banking industry.

She has experience in compliance law, regulations and policies relating to both banking and non-banking entities, including the examination and enforcement processes. She focuses on emerging compliance issues, particularly those related to technology and new uses of consumer information, as well as consumer lending and deposit issues and rules issued pursuant to the Dodd-Frank Act. Her work also focuses on issues involving mobile financial services and payment systems, including compliance issues relating to advertising, disclosures, and privacy and data security.

“Elizabeth’s insight and experience with government policy and financial matters will be an immediate asset to our clients since the nature of her practice is so extensive and cross-functional,” said Ed Weil, Director of Dykema’s Financial Industry Group. “I am delighted that she is joining the firm and am positive she will provide our clients with outstanding service.”

Prior to her time with the FDIC, Khalil was a Senior Associate at Hogan Lovells. She also previously served as a senior attorney in the Community and Consumer Law division of the Office of the Comptroller of the Currency. She is a frequent author and lecturer, and served as co-author and co-editor of the PLI Financial Institutions Answer Book. She received a J.D. from the University of Michigan Law School and a B.S., cum laude, from Georgetown University.





Compliance and Cyber Security Competing Priorities for U.S. Insurers

Insurers in the United States will face competing priorities for resources and time over the next 12 months, with cyber security preparedness challenging overall regulatory compliance readiness, according to a Wolters Kluwer Financial Services survey reported by Canadian Underwriter.

Wolters Kluwer Financial Services surveyed more than 300 insurance professionals in 2014 and 2015, tracking 10 factors across two consecutive 12-month periods to illustrate the overall level of regulatory and risk management pressures facing U.S. insurers.

“Overall, 60% of polled insurance professionals report that cyber security will receive escalated priority at their organization, followed by regulatory risk at 42%, notes a statement from the company, which offers risk management, compliance, finance and audit solutions and maintains operations in more than 170 countries,” reports Canadian Underwriter.

Read the report.





Restoring Banking Integrity – 10 Reform Proposals

Frank Vogl, former senior World Bank official and international reporter for The Times of London, offers 10 specific recommendations to cure the banks of what he calls “their evil ways.” Bankers won’t like most of his proposals, he warns, but the time has come for radical reform.

“The immediate danger is that a continuation of current behavior by many large banks threatens to undermine our global financial system,” Vogl writes in an article for the Huffington Post.

Recommendation number 4 is: “Boards should establish precise guidelines for employee conduct and behavior and at least 50% of all pay to bank managers, including the chief executive officer, should be based on culture performance standards.”

And recommendation number 6 states: “Whistleblowers should be encouraged and protected so that managers can be swiftly alerted to wrongdoing.”

Frank Vogl is the co-founder of two nongovernmental anti-corruption organizations: Transparency International (TI) and the Partnership for Transparency Fund (PTF). He is president of Vogl Communications, Inc., Washington, DC — an international economics and finance consulting firm.

Read the article.