This month we cover increasing cyber risks and reg developments such as the Everalbum settlement and ESG guidance. As you consider your annual review of compliance and governance controls, refresh regulatory filings and keep pace with Q1 work, use the Warburton Report as a helpful resource to track developments and prepare training content.
Data Privacy and Risks
The FTC recently entered into a settlement with Everalbum concerning its use of AI for facial recognition. The FTC ordered Everalbum to delete any facial recognition models and algorithms it developed using photos or videos uploaded by its users without their consent. Previously FTC commissioners had allowed violators to retain their algorithms and technologies, and just delete the illegally gained data. This case raises new concerns about use of biometric technology, privacy considerations and trends to watch. Consider covering this case in training to show the evolving standards for use of customer’s data. The concerns involve more than protecting personally identifiable information (PII). Remedy of Destruction.
January 28, 2021 was Data Privacy Day, an annual global effort that generated awareness about the importance of privacy. Pew Research Center reported that 79% of Americans feel an increasing lack of control of their personal data. CSIAC recommends businesses follow many of the best practices and requirements financial services companies have built in to their internal controls:
- Follow reasonable security measures to keep individuals & data protected and save from unauthorized use;
- Consider adopting a privacy framework;
- Conduct an assessment of data collection practices including the privacy lase and regs that apply to your business;
- Maintain oversight of partners and businesses and their collection and use of your client’s personal data; and
- Be open and honest about collection, use and sharing of consumers’ personal information.
Consider calendaring awareness training on January 28 each year.
Cyber risks and ransomware attacks are on the rise as is indirect funding of organized crime by insurance companies processing claims to those who paid ransoms to regain access to data and systems after hacking attacks. UK National Cyber Security expert, Ciaran Martin calls the situation “close to getting out of control” due to the lack of legislation preventing insurance claim payouts for such ransom demands. This is a good reminder to discuss the topic with your board and/or senior management to consider options before there is a crisis.
Cyber Risks in Asia: The Monetary Authority of Singapore issued revised its Technology Risk and Management Guidelines.
In December, the SEC adopted a new Marketing Rule. The new rule is not effective until 18 months after it is published in the Federal Register. Further guidance is expected this year; however, the rule release includes advice based on existing SEC no-action letters. So it pays to review your program in the event you are subject to an exam and/or changes in market conditions. See the article in the Resources section for an overview of the potential impact on investment advisory business development.
On January 1, 2021, Congress overrode President Trump’s veto of the National Defense Authorization Act (NDAA) for the 2021 fiscal year. The NDAA includes the Anti-Money Laundering Act of 2020 (AMLA), the first major reform of the U.S. anti-money laundering (AML) since the 2001 USA PATRIOT Act. The updates to the AMLA include:
- Creating a non-public registry that tracks the beneficial owners of certain corporations
- Enhancing the AML Whistleblower Program similar to the Dodd-Frank Act’s SEC Whistleblower Program
- Expanding US regulators’ statutory authority to seek documents from foreign financial institutions
- Increasing penalties for BSA and AML violations
- Allowing Suspicious Activity Report (SAR) sharing with foreign affiliates
- Establishing priorities to govern AML/CFT policy
- Creating an annual reporting requirement to Congress of all Department of Justice (DOJ) settlements involving the Bank Secrecy Act (BSA)
McKinsey’s recent report on the defining trends for 2021 and beyond highlights the importance of keeping pace with changes in fintech and governance. Read the report to examine trends in digitally enabled productivity, stakeholder capitalism and the potential impact of the trends on your business and compliance risk assessments.
In a recent Harvard Business Review article, the author considers how shareholder centric or “agency theory” of governance is giving way to a model which focuses on what we have referred to as “sustainable governance” or a stakeholder focus where the priority is the health and resilience of the company itself. See Covid-19 impact on Corporate Governance. If your firm is considering ESG concepts, this is an important concept to understand and track.
Following the CFTC published report prepared by the Climate Related Market Risk Subcommittee, SEC acting Chair, Allison Herman Lee and Commissioner Caroline Crenshaw issued a joint statement regarding the failure of the SEC to address climate risk and seek better disclosure requirements under Regulation S-K.
Executives from Bank of America, Mastercard, KPMG, and about 60 other large companies announced on January 25, 2021, they’ll be adopting a new reporting framework for ESG in partnership with the World Economic Forum.
by Courtney Lang, Guest Columnist
Before President Biden’s inauguration, I outlined his administration’s top five opportunities to advance and repair the state of ESG investing in the U.S. President Biden’s nominees for Secretary of Labor, Martin J. Walsh, and Chair of the SEC, Gary Gensler, are strong picks to do just that.
As mayor of Boston, Walsh launched an ESG Investment Initiative with $200 million committed during his tenure. In 2020, Walsh was named Chair of Climate Mayors and Boston went to market with its first-ever series of green bonds, issuing $24 million to fund energy efficiency projects in the city. Given Walsh’s history of support for sustainability, those who want the DOL to include ESG factors in the definition of “pecuniary” for ERISA plan fiduciaries may remain reasonably optimistic.
Gensler’s track record on increased regulation and enforcement as former Chairman of the Commodity Futures Trading Commission following the Great Recession has many expecting the SEC to mandate ESG and climate-related disclosures under his leadership. In collaboration with Active Chair Allison Herren Lee and Caroline Crenshaw, Gensler’s confirmation could bring about a 3-2 consensus in favor of ESG on important matters. With Gensler at the helm, the SEC could enforce past guidance on the materiality of climate change, comment on the IFRS Sustainability Standards, establish an internal ESG task force, and reverse the amendment made to SEC Rule 14a-8.