Subject to Inquiry

THE LATEST ON GOVERNMENT INQUIRIES AND ENFORCEMENT ACTIONS

Government Investigations and White Collar Litigation Group
Enforcement and Prosecution Policy and Trends

DOJ Takes Down AlphaBay, the World’s Largest Dark Web Marketplace

The U.S. Department of Justice has announced the seizure of AlphaBay, the largest criminal marketplace on the Internet, which was used to sell stolen financial information, identification documents and other personal data, computer hacking tools, drugs, firearms, and a vast number of other illegal goods and services throughout the world.

AlphaBay was the largest dark web market with estimated annual sales of hundreds of thousands of dollars, which made it nearly ten times the size of the infamous Silk Road dark web marketplace that was shut down by the government in 2013. AlphaBay operated as a hidden service on The Onion Router (“Tor”) network, which hid the locations of its underlying servers and the identities of its administrators, moderators, and users.  Its user interface was configured like a conventional e-commerce website, where vendors could sell illegal goods or services in exchange for paying a percentage of the transaction as a commission to AlphaBay.

AlphaBay had a dedicated section of the website where users could purchase stolen credit cards and financial information, as well as stolen personal identifying information (PII) – even offering specific search controls to allow potential buyers to search the listings by location (city, state and country), social security number, birth year, credit limit, PIN number, seller, seller rating, price, and more.

The international operation to seize AlphaBay’s infrastructure was led by the United States and involved cooperation with law enforcement authorities in Thailand, the Netherlands, Lithuania, Canada, the United Kingdom, and France, as well as the European law enforcement agency Europol. On July 5, Alexandre Cazes, a Canadian citizen residing in Thailand, was arrested by Thai authorities on behalf of the United States for his alleged role as the creator and administrator of AlphaBay.  On July 12, Cazes apparently took his own life while in custody in Thailand.

The Federal Bureau of Investigation (FBI) and the Drug Enforcement Administration (DEA) have seized millions of dollars’ worth of cryptocurrencies that represent the proceeds of AlphaBay’s illegal activities, including at least 1,943 Bitcoin, 8,669 Ethereum, 3,691 Zcash, and 11,993 Monero. Cazes and his wife had also amassed numerous other high value assets, including luxury vehicles, residences and a hotel in Thailand.

Prior to its takedown, there were over 250,000 listings for illegal drugs and toxic chemicals on AlphaBay, and over 100,000 listings for stolen and fraudulent identification documents and access devices, counterfeit goods, malware and other computer hacking tools, firearms and fraudulent services. Comparatively, the Silk Road dark web marketplace reportedly had approximately 14,000 listings for illicit goods and services at the time of seizure in 2013 and was the largest dark web marketplace at the time. These numbers indicate that the use of dark web marketplaces for illegal commerce will only continue to grow, despite the closure of AlphaBay.

In his public remarks regarding the seizure of AlphaBay, Attorney General Jeff Sessions stated, “This is likely one of the most important criminal cases of the year. Make no mistake, the forces of law and justice face a new challenge from the criminals and transnational criminal organizations who think they can commit their crimes with impunity by ‘going dark.’ This case, pursued by dedicated agents and prosecutors, says you are not safe.  You cannot hide. We will find you, dismantle your organization and network.  And we will prosecute you.”

Financial Institution Regulation

CFPB Issues Game-Changing Rule On Arbitration Clauses

On Monday, July 10, 2017, the Consumer Financial Protection Bureau (CFPB) issued a game-changing final rule regarding the use of arbitration clauses in consumer contracts.  The Rule is effective 60 days following its publication in the Federal Register and applies only to contracts entered into more than 180 days after that date.  The final rule comes as no surprise—as we reported here, here, and here, the Bureau has forecast for more than a year its intentions to engage in this rulemaking.

Most significantly, the Rule accomplishes the following:

  • Bans the use of arbitration clauses to bar class actions. The Rule bans covered providers of certain consumer financial products and services from using arbitration clauses to bar consumers from filing or participating in class action lawsuits.
  • Requires covered providers to provide the CFPB with records related to their arbitration proceedings. Covered providers that engage in arbitration must provide the CFPB with records relating to initial claims and counterclaims, answers thereto, and awards issued. The CFPB will also collect correspondence covered providers receive from arbitrators regarding (1) determination that an arbitration agreement does not comply with the arbitrator’s “due process or fairness standards”; and (2) dismissal of an action due to a covered provider’s failure to pay required fees.

The CFPB intends to begin publishing this information starting in July 2019 and stated that it will publish additional details of how covered providers should comply. The Bureau stated that gathering and publishing these records will make “the individual arbitration process more transparent” and “enable the CFPB to better understand and monitor arbitration, including whether the process itself is fair.”

Notably, the Rule does not ban the use of clauses to require arbitration of individual actions, but covered providers must include in their agreements specific language to inform consumers that the agreement may not be used to block class action litigation.

The CFPB’s latest regulatory move takes aim at banks and credit card and other covered companies and sets the stage for legal challenges and political battles with Congress and the Trump Administration.

The primary legal question surrounding the Rule’s validity is whether it comports with the Federal Arbitration Act (FAA) and recent Supreme Court rulings that arguably implicitly approve of pre-dispute class-action waivers. For example, in AT&T Mobility LLC v. Concepcion, 563 U.S. 333, 347-48 (2011), the Supreme Court held that the FAA preempted California state law, which deemed such class-action waivers unconscionable in consumer cases.  Then, in American Express Company v. Italian Colors Restaurant, 133 S. Ct. 2304, 2309 (2013), the Court rejected the argument that class action litigation is necessary to preserve the opportunity to assert low-value, statutory claims.

In a possible preview of argument in support of the Rule, the CFPB, in its Executive Summary of the Rule, cited its authority under the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) to issue regulations that are in the public interest, for the protection of consumers, and based on findings consistent with the Bureau’s study of arbitration.  The CFPB also mentioned Congress’s prohibition of arbitration agreements in the residential mortgage market and the Military Lending Act’s prohibition of such agreements in certain forms of credit extended to servicemembers and their families.  Yet these examples are acts of Congress.

Critics of the Rule point out that the Rule may contradict the CFPB’s research into arbitration.  Dodd-Frank required the CFPB to study the use of mandatory arbitration clauses in consumer financial markets.  The CFPB’s study, released in March 2015 and reported on here, arguably indicates that arbitration is often faster, less expensive, and a more effective way for consumers to resolve disputes with companies compared to class action litigation.  Of the 562 class actions the CFPB studied, the average cash settlement per consumer was $32.35, and the litigation generally took two or more years.  By comparison, the average amount received by a consumer in arbitration was $5,389, and the timeframe for the proceedings averaged two to seven months.

In addition to legal challenges, the Rule may face opposition in Congress. In a July 7 letter, Congressman Jeb Hensarling (R-Tex.), chair of the House Financial Services Committee and longtime CFPB critic, threatened CFPB Director Richard Cordray with possible contempt if the CFPB issued the Rule before supplying the Committee with certain information about the agency’s deliberations and conversations with consumer groups.  Moreover, Congress has the power to overturn the Rule within 60 days of finalization under the Congressional Review Act.

President Trump has already taken some action to begin to dismantle parts of Dodd-Frank through Executive Order and Presidential Memoranda signed on April 21.  And questions remain about whether President Trump may remove Cordray as the constitutionality of the CFPB’s leadership structure awaits decision in the U.S. Court of Appeals for the District of Columbia.  As we reported, the D.C. Circuit granted the CFPB’s petition for rehearing en banc in PHH Corporation v. Consumer Financial Protection Bureau.  The court held oral argument on May 24 and has yet to issue an opinion.

Even if President Trump is able to replace Cordray, questions remain about whether his successor could unilaterally stay the compliance date of the Rule. In another recent D.C. Circuit case, Clean Air Council v. Pruitt, the court held that the Environmental Protection Agency (EPA) lacked authority to stay the compliance date of an EPA rule concerning greenhouse gas emissions and vacated the stay.  Thus, any new CFPB head may be able to issue a notice of proposed rulemaking to reconsider the Rule, but may not be able to unilaterally stay the Rule’s compliance date.

We will continue to monitor developments surrounding the Rule as it progresses towards implementation.

Financial Institution Regulation

Treasury Department Recommends Broad Reforms to CFPB

The Department of the Treasury recently cited the CFPB’s “unaccountable structure and unduly broad regulatory powers,” in suggesting reforms to address the CFPB’s “regulatory abuses and excesses.” The Department’s recommendations were made as a part of its report, A Financial System that Creates Economic Opportunities: Bank and Credit Unions, issued in response to President Trump’s Executive Order 13772 on Core Principles for Regulating the United States Financial System. The report covers a number of topics, but includes a significant section addressing the perceived concerns with and proposed changes to the CFPB’s structure and practices.

In the report, the Department pointed to a number of core issues with the CFPB it believes necessitate sweeping reforms, including a lack of accountability; the CFPB’s failure to provide adequate notice to regulated parties; the CFPB’s heavy reliance on enforcement actions; the limited availability of no-action letters providing guidance; the use of administrative actions to circumvent federal court procedures and applicable statute of limitations; the CFPB’s failure to adequately review outdated and unnecessary regulation requirements; and the CFPB’s failure to verify consumer complaints before including the information in its public database.

In light of this strong criticism, the Department has suggested a number of changes, intended to curb the abuses it noted in its review:

  • Improved Accountability: The Department proposes making the CFPB Director removable at will by the President or restructuring the CFPB, so it is led by an independent multi-member commission or board to increase accountability. Similarly, the Department recommends substantially altering funding such that the CFPB is funded through the annual appropriations process and is not permitted to retain funds from the Consumer Financial Penalty Fund.
  • Improved Transparency on Agency Positions: Many of the Department’s concerns center around a failure of the CFPB to clearly delineate its positions on banking practices before proceeding with enforcement actions. To rectify this failure, the Department recommends issuing clear rules subject to public comment before bringing enforcement actions, clarifying the CFPB’s position on what actions it considers unfair and deceptive, and increasing the availability of no-action letters.
  • Ending Abuses in Enforcement Actions: The Department notes significant misuses of administrative actions in its review and proposes limiting or altogether cutting out the use of administrative proceedings in favor of more formal federal court proceedings to address this concern.
  • Reviewing Regulations: The Department suggests a regular (at least every ten years) review of CFPB regulations for any that are outdated, unduly burdensome, or unnecessary.
  • Locking Down the Consumer Database: Given the concerns with reputational risk associated with the CFPB’s failure to verify consumer complaints before adding them to the public database, the Department recommends limiting database access to federal and state agencies only, much like the FTC’s analogous database.

This Report is the first in a series of four in response to the Executive Order, so more recommendations are likely forthcoming.

 

Compliance, Financial Institution Regulation

CFPB Provides Updated Guidance Related to Loan Forgiveness Program

On Thursday, June 22, 2017, the Consumer Financial Protection Bureau (CFPB) provided updated guidance for supervisory examinations of student loan servicers.  Richard Cordray, the Director of the CFPB, gave prepared remarks in Washington D.C.  He explained his concerns related to the Public Service Loan Forgiveness program and how certain practices may be delaying or denying borrowers’ access to this debt relief.

The Public Service Loan Forgiveness program allows those who accept certain public service jobs to have their debt forgiven after ten years.  Director Cordray discussed a new CFPB report that highlights complaints concerning practices of student loan servicers that may hamper the program’s intentions.  The report focused on analyzing a year of complaints from borrowers, which reflected a delay or denial of promised debt relief.  Primarily, the complaints included incorrect, untimely, or inadequate information from servicers about borrowers’ eligibility for loan forgiveness.  Other complaints from borrowers included slow payment processing and receiving inaccurate denial letters that can lead to qualified payments being miscounted or not properly credited.

The CFPB’s updated exam procedures attempt to guide “how examiners assess risks to consumers and review servicers’ compliance with the law when they administer this program,” seeking to guarantee stronger oversight of servicers’ administration of the program.  Further, the examiners will “scrutinize whether servicers are telling consumers what they need to do to qualify for loan forgiveness” and check “whether servicers accurately calculate the number of qualifying payments to make sure that borrowers get their full benefits.”  Cordray emphasized that “borrowers working in public service should not miss out on key consumer benefits because their student loan servicer failed to comply with the law.”  The updated guidelines counsel agency examiners to ensure that loan servicers are informing borrowers about their requirements and obligations for loan forgiveness.  Additionally, examiners ought to confirm that loan servicers accurately track the progress of borrowers and warn those that may be mistaken as to their pathway to loan forgiveness.

Alongside these updated exam procedures, the CFPB is conducting a campaign to make sure borrowers seeking to take advantage of the Public Service Loan Forgiveness program are fully aware of the tools available to ensure they can navigate the process and reap the benefits.  This campaign has a specific emphasis on awareness for first responders and teachers.

It will be important to continue watching the CFPB’s action and administration concerning this program, to gauge the effectiveness of these new guidelines and how they may impact the inner workings of loan servicers.  Finally, how well the Public Service Loan Forgiveness program is perceived to be functioning could affect the survival of the program itself, given that the 2018 White House budget has suggested the elimination of the program altogether.

Compliance, Enforcement and Prosecution Policy and Trends, Financial Institution Regulation, Uncategorized

Proposed Rules Aimed at High-Risk Brokers Confirm FINRA Push for Firms to “Do Their Part”

Financial Industry Regulatory Authority (FINRA) President and CEO Robert Cook spoke earlier this month at Georgetown University’s McDonough School of Business, where he outlined several proposals to further what he called one of FINRA’s “most important purposes”—“to protect investors from bad actors.”  Taking aim at “those who seek to evade regulatory requirements and harm investors for their own personal gain,” Cook outlined a series of new regulatory proposals he hopes will “further augment” FINRA’s “long-standing regulatory programs.”

The group of proposed regulations, approved by FINRA’s Board of Governors last month, is one component of FINRA360, “a multi-year exercise focused on creating an organization that is committed to continuous improvement.”

Among the proposals Cook outlined are rules that would:

  • reinforce the supervisory obligations of brokerage firms with respect to the continued employment of brokers with disciplinary records;
  • require heightened supervision by those firms of individuals with a disciplinary case pending on appeal;
  • grant adjudicators greater discretion to consider more severe sanctions when an individual’s history reveals repeated misconduct;
  • enable hearing panels to limit the activities firms and individuals may undertake while a disciplinary matter is pending;
  • increase fees related to FINRA’s statutory disqualification applications;
  • render more of an individual’s history relevant to a request for an exam waiver from FINRA; and
  • require disclosure in BrokerCheck of a firm’s status as a “taping” firm.[1]

It is vital for brokerage firms to remain abreast not only of proposed regulations, but also of the priorities they reveal—priorities that are bound to inform FINRA’s disciplinary and enforcement objectives.  The proposals outlined by Cook place special emphasis on the employment practices of member firms, beginning with the hiring process and extending to their ongoing supervision and monitoring of their brokers.  In short, as Cook emphasized, member firms “must do their part.”

And importantly, FINRA will be on the lookout for those that don’t.  “FINRA is paying particular attention,” Cook made clear, to “whether firms establish appropriate supervisory and compliance controls” for high-risk brokers, and to “whether firms develop and implement a supervisory plan reasonably tailored to detect and prevent future misconduct by a particular broker based on prior misconduct and regulatory disclosures.”

Brokerage firms should act now to ensure a robust compliance and monitoring program is in place—one that not only satisfies the firm’s current supervisory obligations, but can also grow to meet additional regulatory requirements as they emerge.  Firms would do well, for instance, to follow Cook’s suggestion to “consider the need to adopt more rigorous supervisory procedures tailored to individuals who may pose a higher risk based on factors such as a recent history of customer complaints or disciplinary actions involving sales practice abuse or other customer harm.”  What shape those supervisory procedures take will depend, of course, on a number of factors.  But suffice it to say firms should feel comfortable with their ability to identify and root out any bad actors among their ranks.

Cook noted that FINRA will publish additional guidance in the coming months. We will continue to track this and other aspects of the FINRA360 initiative, as well as any related actions taken or guidance issued by FINRA.

[1] Under current regulations, firms are required to tape record phone conversations between brokers and investors if a certain percentage of those brokers worked within the last three years at a broker-dealer expelled for sales practice violations.

Financial Institution Regulation

Debt Collector Defined: Supreme Court Exempts Debt Purchasers

On behalf of a unanimous Supreme Court, Justice Neil Gorsuch delivered his first opinion on June 12 to determine whether debt purchasers fall within the statutory language under the Fair Debt Collection Practices Act (FDCPA) as debt collectors. The Court determined that a company may collect debts that it purchased for its own account without triggering the statutory definition of a “debt collector” under the FDCPA.

The FDCPA, effective in 1978, was designed to protect consumers from abusive, deceptive, and unfair debt collection practices. The FDCPA defines a debt collector as any person who regularly collects, or attempts to collect, consumer debts for another person or institution. The Court’s June 12 opinion involved a typical debt collection scenario: the Petitioners borrowed money for the purpose of purchasing automobiles and they defaulted on those auto loans. The Respondent purchased the defaulted loans from the originator and sought to collect on the debt owed. Both the district court and the Fourth Circuit ruled against the Petitioners, holding that the Respondent did not meet the definition of a debt collector under the FDCPA because the company did not regularly seek to collect debts “owed . . . another.” Rather, the Respondent only collected debts that it purchased and owned, therefore not triggering the protections afforded to the Petitioners by the FDCPA.

The Supreme Court agreed with the lower courts and addressed the following Petitioner arguments:

  • The word “owed” in the statute is the past participle of the verb “to owe” suggesting that the debt collector definition must exclude loan originators but embrace debt purchasers like the Respondent.
  • Had Congress been aware of the emerging default debt market at the time it drafted the statute, Congress would have included debt purchasers under the language of the FDCPA.

Gorsuch countered that such past participles are “routinely used as adjectives to describe the present state of a thing” and “Congress also used the word ‘owed’ to refer to present debt relationships in neighboring provisions of the Act…” Further, despite Gorsuch’s classic description of how “[d]isruptive dinnertime calls, downright deceit, and more besides drew Congress’s eye to the debt collection industry,” he noted that “it is not this Court’s job to rewrite a constitutionally valid text under the banner of speculation about what Congress might have done…”

The Court expressly provided that it did not address two related questions in the opinion. First, whether a third party collection agent for debts owed to others could qualify as a debt collector. Second, whether there is an alternative definition for “debt collector” available under the FDCPA that would include an entity engaged “in any business the principal purpose of which is the collection of any debts.” This may set the stage for the next legal battle over the issue or, as the Court stated, “these are matters for Congress, not this Court, to resolve.”

Enforcement and Prosecution Policy and Trends

U.S. Supreme Court Indirectly Limits Important Component of DOJ’s FCPA Pilot Program

On June 5, 2017, the U.S. Supreme Court unanimously held in Kokesh v. Securities and Exchange Commission, No. 16-529, that the SEC may not reach beyond the general five year statute of limitations period in order to obtain “ill-gotten gains,” a remedy known as disgorgement. Although the case did not involve a Foreign Corrupt Practices Act (“FCPA”) enforcement action, it nonetheless has important implications for FCPA enforcement and, importantly, for the DOJ’s recently-renewed Pilot Program.

Prior to this case, lower federal appeals courts had been divided over whether the five-year time limit applied to not only civil penalties, but also to the equitable remedy of disgorgement through which the government also seeks all of the funds obtained as a result of a party’s alleged misconduct. Thus, in some jurisdictions disgorgement proved an important tool for the government in cases involving aged conduct.

The five year statute of limitations at issue in Kokesh is a general one that applies in FCPA civil enforcement actions as well as in the securities laws underlying Kokesh. Indeed, the parties’ briefing in the case referenced the large amounts of disgorgement in FCPA cases and that disgorgement in FCPA cases often goes directly to the U.S. Treasury and not to any victims as they may be difficult to ascertain in the FCPA context.

In holding that the statute of limitations applies to disgorgement, the Supreme Court affected a critical component of the DOJ’s FCPA Pilot Program. DOJ guidance expressly requires that to be eligible for the Program’s main benefit of mitigation credit, a company must disgorge all profits resulting from the FCPA violation. Accordingly, published declinations pursuant to the Program have indicated substantial disgorgements.

It will be informative to monitor any change in DOJ’s approach to the Pilot Program following Kokesh. Potential effects include DOJ seeking to have parties agree to waive the statute of limitations as a condition of their participation in the Pilot Program or requesting full disgorgement to obtain cooperation credit, or a possible reluctance of private parties whose conduct occurred primarily outside of the statute of limitations to engage in the Pilot Program.

Enforcement and Prosecution Policy and Trends, Securities and Commodities

U.S. Supreme Court Rules Time Limits Apply to SEC Disgorgement Orders

A unanimous United States Supreme Court held Monday, in Kokesh v. Securities and Exchange Commission, that the five-year statute of limitations under 28 U.S.C. § 2462 applies to disgorgement sought by the Securities and Exchange Commission. Previously, the Circuits had been split on this issue.

The issue in Kokesh was straightforward. Kokesh appealed a trial court judgment ordering disgorgement of nearly $35 million for conduct between 1995 and 2009. Kokesh argued that this disgorgement award was in the nature of a penalty or forfeiture, and thus subject to the five-year statute of limitations under § 2462.

Conversely, the SEC maintained that disgorgement, by its nature, is not a punitive remedy. Rather, because disgorgement is merely a remedy that prevents offenders from reaping ill-gotten gains, the SEC argued it is not subject to § 2462’s five-year statute of limitations.

The Court, however, in a unanimous opinion authored by Justice Sonia Sotomayor, disagreed with the SEC. It held that disgorgement “bears all the hallmarks of a penalty: It is imposed as a consequence of violating a public law and it is intended to deter, not to compensate.” Thus, “[t]he 5-year statute of limitations in § 2462 therefore applies when the SEC seeks disgorgement.”

This is the second time since 2013 that the Supreme Court has narrowed the SEC’s ability to obtain monetary relief in enforcement actions. In Gabelli v. SEC, the Court held that the SEC cannot use the “discovery rule” to extend the statute of limitations for civil penalties, though the Gabelli court expressly declined to address whether the statute of limitations under § 2462 applied to disgorgement.  Kokesh has now answered that question.

As disgorgement is a routine remedy for the SEC staff, the Court’s ruling will substantially impact the damages the SEC can obtain in investigations involving long-running conduct, like the conduct in Kokesh. For others subject to investigation, however, it may represent a pyrrhic victory, as the SEC staff may become even more aggressive in its use of tolling agreements, now with an eye towards extending the statutes of limitations for both liability and damages. Indeed, the SEC staff may seek tolling agreements at ever earlier stages of an investigation, including at the very outset of an investigation. Finally, the staff may become less flexible with deadlines and requests for extensions, as it seeks to hasten the resolution of investigations in light of this newfound limitation.

Financial Institution Regulation, Securities and Commodities

SEC Issues Guidance in Wake of WannaCry Ransomware Attack

On Friday, May 12, the WannaCry ransomware attack struck hundreds of thousands of users across the globe, causing major disruptions in private and public networks. The attack, which encrypts a user’s files and holds them for ransom, may infect a computer without any action taken by the user.  With similar attacks expected, and as we have previously discussed, businesses would be well served to proactively take steps to protect themselves from WannaCry and other malicious cyberattacks.

On the heels of yet another high profile cyberattack, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued an alert to broker-dealers, investment advisers, and investment companies warning them of WannaCry and reminding them of the importance of addressing cybersecurity issues to protect investors and clients.  Regulated entities are required by Regulation S-P, 17 C.F.R. § 248.30(a), to adopt written policies and procedures (administrative as well as technical) to safeguard the personally identifiable information of their investors, clients, and customers.  The regulation requires that these procedures be reasonably designed to protect against anticipated cyber threats and unauthorized access to or use of customer records or information.

In 2015, OCIE launched its cybersecurity examination initiative, and the SEC’s Division of Investment Management and FINRA simultaneously offered guidance to regulated entities on cybersecurity.  The OCIE alert serves as a reminder to regulated entities of their obligation to safeguard client data.  In conducting a recent examination of 75 SEC registered broker-dealers, investment advisers, and investment companies, OCIE found that 26% of investment advisers and investment companies surveyed did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, and 57% of investment advisers and investment companies did not conduct penetration tests and vulnerability scans on critical systems.  Broker-dealers fared better, with only a 5% deficiency rate in both categories.

Both the SEC and FINRA have made enforcement of cybersecurity issues a focus, and recent SEC enforcement actions demonstrate its willingness to pursue firms that have suffered from cyberattacks and that lacked policies and procedures that the SEC deemed to be “reasonably designed” to safeguard customer information.  For example, R.T. Jones Capital Equities Management recently settled a cease-and-desist proceeding after an unauthorized, unknown intruder gained access to the personally identifiable information of over 100,000 individuals.  This breach cost R.T. Jones a $75,000 civil monetary penalty.

The WannaCry attacks and OCIE’s alert should serve as a reminder that regulators are watching how broker-dealers and other regulated entities safeguard customer data.  For a regulated entity, crafting effective cybersecurity policies and procedures is essential not only to preventing harmful and embarrassing attacks, but also to prevent a potentially costly regulatory action.  As a regulatory compliance matter, these policies and procedures are more than an IT policy and require scrutiny from well-advised in-house counsel.

Financial Institution Regulation, Securities and Commodities

FINRA President and CEO Robert Cook discusses FINRA360 and Consolidating Enforcement Divisions

On May 17, 2017, at the annual FINRA conference in Washington D.C., FINRA President and CEO Robert Cook discussed the recently-launched FINRA360 initiative: a top-to-bottom review of FINRA’s operations and organization.  Cook recognized that 2017 marks FINRA’s  ten-year anniversary since its “successful” but “complicated” merger of the National Association of Securities Dealers (NASD) and the regulatory arm of the New York Stock Exchange (NYSE).  He stated that, for the first time since its inception, FINRA now has occasion to conduct a “comprehensive, organization-wide self-assessment and improvement initiative.”

As part of FINRA360, Cook has been on what he dubbed a “listening tour.”  During the listening tour, Cook has met with member firms, investors, and others from inside and outside the brokerage industry.  He has also participated in a “continuing series of small member roundtables across the country,” gaining a great deal of useful feedback regarding how FINRA can improve.  As a result of the listening tour, Cook learned that FINRA should be asking itself the following three “key” questions:

  • Are our policies and programs focusing on the right issues, establishing the right standards, and dedicating resources to the right areas to best protect investors and market integrity while promoting healthy and vibrant capital markets?
  • Is our organization and operation optimally organized and managed to be the most effective and efficient self-regulatory organization that it can be?
  • Are we facilitating a constructive dialogue with members, investors, and other stakeholders to better understand their perspectives and develop an effective regulatory framework that is fully informed by the expertise and practical knowledge of its stakeholders?

CEO Cook provided a “concrete” example of a proposed improvement arising out of the FINRA360 initiative: consolidating FINRA’s enforcement programs.  He explained that FINRA has an enforcement program in its “member regulation group” and another in its “market regulation group.” He stated that, during the listening tour, he learned that stakeholders encounter these groups as “two different regulators.”  As a result, FINRA is trying to determine whether these operations should be (1) “more coordinated” or (2) combined into one.  FINRA is weighing the pros and cons of each approach.

Consolidating the Member Regulation and Market Regulation groups would have significant effects.  As background, FINRA’s Member Regulation department examines firms and their employees to ensure compliance with its rules, as well as those of the SEC and the Municipal Securities Rulemaking Board.   FINRA’s Market Regulation department, on the other hand, oversees and regulates over-the-counter (OTC) trading of exchange-listed and non-exchange listed securities.

Be on the lookout for any FINRA notices requesting comments related to the FINRA360 initiative.