Greg Kilminster
Head of Product - Content
OCC finalises recovery planning guidelines
The Office of the Comptroller of the Currency (OCC) has finalised revisions to its recovery planning guidelines for large national banks and savings associations. These changes aim to strengthen banks' preparedness for severe financial stress and reduce systemic risks.
Some context
The updated guidelines expand their scope to cover banks with at least $100 billion in assets, reflecting the growing focus on ensuring the resilience of large institutions that could pose wider financial risks. These revisions also emphasise the importance of testing recovery plans and accounting for non-financial risks such as operational and strategic challenges.
Key takeaways
- Expanded scope: The guidelines now include banks with $100 billion or more in assets, increasing the number of institutions required to comply.
- Testing standards: Banks must implement and test their recovery plans to ensure they are actionable in a crisis.
- Non-financial risks: Recovery planning must now address operational and strategic risks, not just financial threats.
Next steps
The new guidelines take effect on January 1, 2025, with staggered deadlines for full compliance.
Banks must enhance their recovery planning processes, with a focus on testing and addressing both financial and non-financial risks, to meet the 2025 requirements and ensure resilience during periods of financial stress.
Click here to read the full RegInsight on CUBE's RegPlatform.
CFPB finalises consumer protection rule
The Consumer Financial Protection Bureau (CFPB) has finalised a landmark rule designed to enhance consumers’ rights, privacy, and control over their personal financial data. The rule will require financial institutions to provide individuals with access to their financial data and allow for seamless transfer to other providers at no cost. This development is expected to enhance competition within the banking and financial services sectors by empowering consumers to switch to providers offering superior rates and services more easily.
Some context
The rule, which addresses Section 1033 of the Consumer Financial Protection Act (CFPA), represents a significant step toward implementing a more competitive "open banking" framework in the United States. Open banking aims to give consumers greater flexibility and transparency by enabling them to manage and share their financial data securely. The CFPB has highlighted how this rule will drive competition across payments, credit, and banking markets by removing barriers for consumers who wish to switch providers or access better financial products.
Director Rohit Chopra put it bluntly, stating, "Too many Americans are stuck in financial products with lousy rates and service." By allowing consumers to control their financial data, the rule aims to improve customer service standards and reduce prices for financial products such as loans and credit.
Key takeaways
- Consumer control and data mobility: Under the new rule, consumers will have the right to access data associated with their financial products—ranging from bank accounts and credit cards to payment apps and mobile wallets—and transfer it to other financial providers. This includes transaction details, account balances, payment initiation information, and bill payment data. Crucially, institutions must provide this data without imposing any fees, ensuring that consumers can move their banking history to a competitor seamlessly.
- Increased competition and consumer choice: By making it easier for consumers to switch providers, the rule is expected to drive more competition in the financial services industry. Consumers will now be empowered to shop around for better rates, such as higher interest on savings accounts or lower loan rates, without being penalised or facing cumbersome processes.
- Enhanced privacy protections: The CFPB’s rule also addresses privacy concerns by banning the misuse of consumer data for purposes other than those authorised by the consumer. Third-party companies accessing the data will only be able to use it to provide the requested service and cannot leverage it for unrelated commercial purposes, such as targeted advertising. This prohibition on "bait-and-switch" practices ensures that consumers remain in control of how their data is used.
- Ending "screen scraping": The rule also encourages a move away from the practice of "screen scraping," which involves third parties using consumer credentials to access financial data indiscriminately. This outdated method poses significant security risks, and the CFPB hopes to replace it with more secure forms of data sharing.
Next steps
Compliance with the rule will be introduced in phases. Larger financial institutions must comply by April 2026, while smaller institutions will have until April 2030. Certain small banks and credit unions will be exempt from the requirements.
The CFPB's final rule represents the first in a series of planned regulations aimed at accelerating responsible open banking in the US. The bureau plans to continue refining these rules to include additional financial products and services, providing consumers with even more options to manage their financial data securely.
SEC fines firms for cybersecurity breaches
The US Securities and Exchange Commission (SEC) has charged Unisys, Avaya, Check Point and Mimecast with providing materially misleading disclosures about cybersecurity risks and breaches. The charges come as part of a wider investigation into companies affected by the SolarWinds Orion software breach. In addition, Unisys faces charges for violating disclosure controls and procedures.
Some context
Cybersecurity breaches pose significant risks for public companies, yet accurate and timely disclosures are crucial for investor confidence. The SolarWinds Orion software hack, first discovered in 2020, exposed many organisations to unauthorised intrusions. Companies impacted by this breach are required under federal securities law to provide clear and accurate disclosures to the market regarding any risks or incidents.
The SEC’s investigation revealed that all four companies had experienced intrusions but had either minimised or framed the incidents hypothetically in their public disclosures. This has raised concerns about transparency and compliance with federal securities laws, which mandate that companies must not mislead shareholders by downplaying material risks.
Key takeaways
- Misleading disclosures: All four companies were found to have provided incomplete or inaccurate information about their cybersecurity incidents. The companies knew that their systems had been breached, but the disclosures issued to the public failed to reflect the full scope of the breaches.
  - Unisys, for instance, had suffered two SolarWinds-related intrusions involving large data exfiltrations. However, it referred to cybersecurity risks as hypothetical in its disclosures, despite knowing these incidents had already occurred.
  - Avaya minimised the breach by stating that only a “limited number” of email messages were compromised, when in reality, at least 145 files in its cloud file-sharing environment had been accessed.
  - Check Point used vague language, referring to cyber risks in generic terms, even though it knew about the unauthorised access to its systems.
  - Mimecast downplayed the severity by failing to disclose the type of code and encrypted credentials that were exfiltrated by the attackers.
- Penalties: The companies have agreed to the following civil penalties to settle the charges:
  - Unisys: $4 million
  - Avaya: $1 million
  - Check Point: $995,000
  - Mimecast: $990,000
- Controls violations: In addition to misleading disclosures, Unisys was also found to have deficient disclosure controls and procedures, contributing to the misleading nature of its public communications about the intrusions.
- Compliance with federal securities laws: The SEC found that each company violated provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and related rules. By minimising the extent of known cybersecurity breaches, these companies misled investors about the true state of their cybersecurity risks.
Next steps
Each company has agreed to cease future violations of the relevant laws and has committed to enhancing its cybersecurity controls. The SEC highlighted the importance of clear and truthful disclosures regarding material cyber incidents, especially in risk-factor statements. Moving forward, companies are expected to ensure that their cybersecurity risks are communicated accurately to shareholders and that any incidents are fully reported, rather than being framed as hypothetical or downplayed.
SFC’s Process Review Panel publishes annual report
The Process Review Panel (PRP) for the Securities and Futures Commission (SFC) has published its 2023–24 annual report, outlining key findings from its review of 60 cases. These cases, selected from the SFC’s monthly closed case lists, led to several recommendations aimed at improving the SFC’s processes, especially in areas of enforcement, technology use, and procedural efficiency.
Some context
The PRP serves as an independent body tasked with reviewing the SFC’s internal procedures to ensure transparency and fairness in its regulatory actions. The review process focuses on the adequacy of the SFC’s operations rather than the outcomes of individual cases.
Key takeaways
- Use of technology: The PRP highlighted the success of the SFC’s WINGS platform, which simplifies licence applications and regulatory reporting. It recommended expanding WINGS to support other SFC divisions, specifically the Corporate Finance Division (CFD). The SFC has responded positively, confirming a feasibility study to assess this expansion.
- Procedural inefficiencies in enforcement: The PRP flagged delays in several enforcement cases, with processing times ranging from two to four and a half years. These delays, attributed to resource allocation issues and repeated reassignments of duties, were seen as undermining the deterrent effect of enforcement actions. The PRP urged the SFC to improve manpower deployment and consider streamlined procedures for less complex cases.
- Corporate governance: In one case, the PRP noted the lack of disciplinary action against the senior management of a licensed corporation despite internal control failures. It recommended that the SFC consider administrative actions, such as issuing advisory letters, when formal disciplinary measures are not feasible. The SFC agreed to evaluate this approach in cases of technical breaches.
- Cross-jurisdictional cooperation: The PRP stressed the importance of enhanced cooperation between the SFC and foreign regulators, particularly in cases involving individuals outside Hong Kong. The SFC acknowledged the challenge and noted its ongoing efforts to strengthen ties with Mainland China’s securities regulator (CSRC).
Next steps
The SFC has committed to exploring the PRP’s recommendations, particularly around streamlining enforcement processes and expanding the use of technology. It will also continue building cross-border regulatory cooperation to enhance enforcement capabilities. These actions are expected to improve both the efficiency and effectiveness of the SFC’s regulatory oversight in the coming year.
EBA clarifies procedures for assessing tokens
The European Banking Authority (EBA) has released a decision clarifying the procedures for assessing the significance of asset-referenced tokens (ARTs) and e-money tokens (EMTs) under the Markets in Crypto Assets Regulation (MiCAR). The decision also outlines the process for transferring supervisory powers from national competent authorities (NCAs) to the EBA for significant ARTs (s-ARTs) and significant EMTs (s-EMTs).
Some context
The introduction of MiCAR marks a pivotal change in the supervision of crypto assets within the European Union, creating a regulatory framework that seeks to ensure the stability and transparency of this evolving market. Under MiCAR, ART and EMT issuers are subject to assessments of their significance, which can trigger a transfer of supervisory responsibilities to the EBA. For significant tokens, supervisory colleges will be established, involving both the EBA and relevant national authorities.
Key takeaways
- Harmonised reporting and supervision transfer: The EBA's decision introduces a harmonised reporting framework for NCAs, including standardised reference periods and submission deadlines. This should ensure consistency in how significance assessments are conducted and facilitate a smooth transfer of supervisory responsibilities between NCAs and the EBA for s-ARTs and s-EMTs.
- Significance assessments: ART and EMT issuers are required to report data necessary for the establishment of supervisory colleges, which will oversee significant tokens. The EBA’s decision outlines the procedural steps and timelines for consultations involving NCAs, the European Central Bank (ECB), and national central banks when determining whether a token qualifies as significant.
- Procedural templates: The EBA has provided templates to streamline the process, including those for NCAs to notify voluntary classification requests and for relevant authorities to provide comments on draft decisions to classify tokens as significant or not.
- Supervisory roles: The EBA will take on direct supervision of issuers of s-ARTs, while the supervision of s-EMTs, issued by electronic money institutions, will be shared between the EBA and the issuer's home NCA. The EBA will coordinate with other competent authorities if issuers also engage in broader financial services.
Next steps
This decision forms part of the EBA’s broader engagement with NCAs to ensure effective supervision of ARTs and EMTs under MiCAR. Issuers and NCAs are expected to align with the procedural guidelines, with a focus on ensuring smooth transitions in supervisory responsibilities. The EBA will continue to monitor compliance, conduct inspections, and enforce regulations where necessary to maintain oversight of significant ARTs and EMTs.
ASIC publishes annual report
The Australian Securities and Investments Commission (ASIC) has released its Annual Report for 2023–24, outlining significant regulatory achievements and the ongoing transformation of its operations. The year saw ASIC intensify its enforcement activities, enhance consumer protections, and adapt to emerging challenges in areas such as artificial intelligence (AI), sustainable finance, and scams.
Key takeaways
- Surveillance and enforcement: ASIC conducted 690 surveillances and initiated 168 formal investigations, representing a 25% increase from the previous year. Enforcement outcomes included 32 civil proceedings, resulting in AUS$90.8 million in civil penalties, and 18 criminal convictions. ASIC’s actions targeted a range of offences, from market misconduct to misleading practices in the growing area of sustainable finance.
- Consumer protection: A central pillar of ASIC's work this year has been its focus on protecting consumers from financial harm. Over 7,300 phishing and investment scam websites were taken down, significantly curbing online fraud. The Moneysmart website, a critical tool in ASIC’s consumer education efforts, saw more than 11 million visits, with 6.2 million users accessing its free financial management tools. ASIC also released a report on financial hardship support, calling for improved responses from banks and lenders to better assist customers facing financial difficulties.
- AI and sustainable finance regulation: As part of its mandate to address emerging risks, ASIC has started shaping its approach to regulating AI and sustainable finance. An AI symposium in May 2024 brought together industry and regulatory experts to discuss the risks and opportunities posed by AI, and the regulator has already succeeded in court actions relating to greenwashing claims.
- Business transformation: The past year has been a critical phase in ASIC’s transformation journey. The organisation underwent its most significant structural redesign in 15 years, improving decision-making processes and enhancing collaboration across teams. This redesign is part of a broader goal to make ASIC a more agile and effective regulator, bolstered by a focus on data analytics and digital capabilities. The integration of real-time alerts to detect scams and the transition of registry responsibilities from the Australian Taxation Office (ATO) to ASIC are key elements of this transformation.
- Engagement and collaboration: ASIC strengthened its engagement with stakeholders, including industry bodies, government, and consumer groups. It contributed to consultations on legislative reforms in areas such as financial advice, scams, and managed investment schemes. ASIC’s active participation in 16 inquiries and nine hearings reflects its commitment to transparency and collaboration in shaping regulatory outcomes.
Next steps
Looking to the future, ASIC remains focused on strengthening its enforcement capabilities and adapting to future challenges. The regulator will continue to invest in technology, enhance its surveillance tools, and ensure that it remains responsive to the evolving needs of the financial system. ASIC’s forward-looking strategy will also prioritise consumer protection and maintaining trust in Australia’s financial markets.
DFSA issues complaints thematic review
The Dubai Financial Services Authority (DFSA) has released its latest thematic review on complaints handling within DFSA-authorised firms (AFs), highlighting key issues, trends, and practices in complaints management. The review sheds light on areas for improvement and examples of good practice and emphasises the importance of robust complaints-handling mechanisms as an indicator of firm culture and client outcomes.
Some context
DFSA regulations require AFs to have appropriate complaints-handling policies in place, particularly for retail clients. The review, which included surveys and visits to 29 firms, aimed to assess the effectiveness of these policies and identify areas where AFs could enhance their systems.
Key takeaways
- Inconsistent definitions of complaints: While most firms aligned with the DFSA’s definition of a complaint, some inconsistencies were identified. A significant number of firms failed to include oral complaints or to document informal resolutions adequately. This gap led to underreporting, especially regarding expressions of dissatisfaction that did not escalate into formal complaints.
- Barriers to complaint submission: The review highlighted some AFs creating unnecessary hurdles for clients wishing to submit complaints. For instance, a small number of firms required complaints to be in writing, thus excluding verbal expressions of dissatisfaction from their records. In extreme cases, clients were directed through complex processes, deterring genuine feedback.
- Governance and oversight failings: Weaknesses in complaints governance were observed, with some firms failing to provide their governing bodies and senior management with sufficient information on complaints trends and outcomes. These governance lapses restricted management's ability to oversee complaints effectively, potentially missing opportunities for improvement.
- Low complaints volume: Despite a growing client base and increased activities, firms reported remarkably low complaint volumes. This discrepancy raises concerns that firms may not be adequately capturing and reporting all complaints, particularly those resolved informally. The DFSA expects this to change, with the review serving as a call to action for firms to improve reporting mechanisms.
- Good practices: The DFSA noted several instances of firms exceeding regulatory requirements. These included firms applying the same high standard of complaint handling to both retail and professional clients, using AI to flag potential complaints from client communications, and implementing remuneration policies that aligned staff incentives with effective complaint resolution.
Next steps
The DFSA expects all AFs to take immediate action in response to the findings. Firms should review and update their complaints-handling policies to ensure consistency with DFSA definitions and improve governance frameworks. In particular, AFs are urged to ensure that all complaints—whether written, oral, or informal—are recorded and addressed appropriately. The DFSA will continue monitoring firms' progress and expects improvements in the reporting of complaint volumes in future engagements.