
InfoBytes Blog

Financial Services Law Insights and Observations


  • EU-U.S. releases statement from Joint Financial Regulatory Forum

    Federal Issues

    On December 8, participants in the EU-U.S. Joint Financial Regulatory Forum, including officials from the Treasury Department, Fed, CFTC, FDIC, SEC, and OCC, met and issued a joint statement. The statement concerned the dialogue held on December 4-5 and focused on six themes: “(1) market developments and financial stability; (2) regulatory developments in banking and insurance; (3) anti-money laundering and countering the financing of terrorism…; (4) sustainable finance; (5) regulatory and supervisory cooperation in capital markets; and (6) operational resilience and digital finance.”

    The joint statement acknowledged how risks to the EU and U.S. financial sectors have been mitigated in recent months, e.g., inflation risks, although lingering concerns remain regarding the impact of increased interest rates, high levels of private and public sector debt, and the ongoing geopolitical situations. Participants reaffirmed the significance of strong prudential standards for banks, effective resolution frameworks—particularly across borders—and robust supervisory practices, along with effective macroprudential policies. Finally, the conversations covered recent cryptoasset market changes and updates on regulatory and enforcement initiatives in the U.S.

    Federal Issues EU Of Interest to Non-US Persons Financial Crimes Department of Treasury

  • EBA report recommends environmental and social risk enhancements for financial sector

    On October 12, the European Banking Authority (EBA) announced the publication of a report on the role of environmental and social risks in the prudential framework of credit institutions and investment firms. The report recommends risk-based enhancements to the risk categories of the Pillar 1 framework, which sets capital requirements, noting that environmental and social risks are “changing the risk picture for the financial sector” and are expected to be more prominent over time. The report puts forward recommendations for actions over the next three years as part of the revised capital requirements regulations. Specifically, the EBA is proposing to: (i) include environmental risks as part of stress testing programs; (ii) encourage the inclusion of environmental and social factors as part of external credit assessments by credit rating agencies; (iii) encourage the inclusion of environmental and social factors as part of due diligence requirements and valuation of immovable property collateral; (iv) require institutions to identify whether environmental and social factors constitute triggers of operational risk losses; and (v) develop environment-related concentration risk metrics as part of supervisory reporting. With respect to revisions to the Pillar 1 framework, the report proposes: (i) the possible use of scenario analysis to enhance the forward-looking elements of the prudential framework; (ii) changes to the role that transition plans could play in the future; (iii) reassessing the appropriateness of revising the internal ratings-based supervisory formula and the corresponding standardized approach for credit risk to better reflect environmental risk elements; and (iv) the introduction of environment-related concentration risk metrics under the Pillar 1 framework.

    Bank Regulatory EU Of Interest to Non-US Persons ESG Capital Requirements Stress Test

  • EU-U.S. release statement on Joint Financial Regulatory Forum

    Federal Issues

    On July 20, participants in the U.S.-EU Joint Financial Regulatory Forum, including officials from the Treasury Department, Federal Reserve Board, CFTC, FDIC, SEC, and OCC, issued a joint statement regarding the ongoing dialogue that took place from June 27-28, noting that the matters discussed during the forum focused on six themes: “(1) market developments and financial stability risks; (2) regulatory developments in banking and insurance; (3) anti-money laundering and countering the financing of terrorism (AML/CFT); (4) sustainable finance and climate-related financial risks; (5) regulatory and supervisory cooperation in capital markets; and (6) operational resilience and digital finance.”

    Participants acknowledged that the financial sector in both the EU and the U.S. is exposed to risk due to ongoing inflationary pressures, uncertainties in the global economic outlook, and geopolitical tensions as a result of Russia’s war on Ukraine. During discussions, participants emphasized the significance of strong bank prudential standards, effective resolution frameworks, and robust supervision practices. They also stressed the importance of international cooperation and continued dialogue to monitor vulnerabilities and strengthen the resilience of the financial system. Participants took note of recent developments relating to, among other things, recent bank failures, digital finance, the crypto-asset market, and the potential adoption of central bank digital currencies.

    Federal Issues Bank Regulatory Financial Crimes Digital Assets Of Interest to Non-US Persons EU Department of Treasury Federal Reserve CFTC FDIC SEC OCC Anti-Money Laundering Combating the Financing of Terrorism

  • European Data Protection Board clarifies GDPR transfers

    Privacy, Cyber Risk & Data Security

    On July 18, the European Data Protection Board (EDPB) published an information note to provide clarity on data transfers under the GDPR to the United States following the European Commission’s adoption of the adequacy decision as part of the EU-U.S. Data Privacy Framework on July 10. The information note also addresses available redress mechanisms under the framework, as well as a new redress mechanism relating to the area of national security. As previously covered by InfoBytes, the European Commission concluded that the U.S. “ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to U.S. companies under the new framework.” With the adoption of the new adequacy decision, personal data can now be transferred securely from the EU to U.S. companies participating in the framework without having to implement additional data protection safeguards.

    The information note clarified that transfers based on adequacy decisions do not require supplementary measures. However, transfers to the U.S. not included in the “Data Privacy Framework List” will require appropriate safeguards, such as standard data protection clauses or binding corporate rules. The EDPB emphasized that U.S. government safeguards put in place in the area of national security (including the redress mechanism) will “apply to all data transfers to the [U.S.], regardless of the transfer tool used.” Additionally, EU individuals whose data is transferred to the U.S. based on the adequacy decision may use several redress mechanisms, including submitting complaints with the relevant U.S. organization, while EU organizations may seek advice from their national data protection authority to oversee related processing activities. Moreover, regardless of the transfer method used for sending personal data to the U.S., EU data subjects can submit complaints to their national data protection authority to utilize the new redress mechanism concerning national security. The national data protection authority, in turn, will ensure that the complaint is sent to the EDPB, which will transmit the complaint to the appropriate U.S. authorities.

    The EDPB noted that the European Commission will conduct a review of the adequacy decision one year after it enters into force to ensure all elements have been fully implemented and are effective. Depending on the findings, the European Commission will decide, in consultation with the EDPB and the EU member states, whether subsequent reviews are warranted.

    Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons EU European Data Protection Board GDPR EU-US Data Privacy Framework

  • CFPB, EU start talks on AI, digital finance

    Federal Issues

    On July 17, CFPB Director Rohit Chopra and Commissioner for Justice and Consumer Protection of the European Commission Didier Reynders issued a joint statement announcing the start of new dialogue on consumer financial protection with a primary focus on digital developments in the financial sector and ways to improve policy and regulatory cooperation.

    Chopra and Reynders stressed that there are significant implications for both businesses and households from the digitalization of the financial services sector, including impacts on pricing, customer service, competition, and privacy. They noted that financial institutions are increasingly deploying automated decision-making processes, leveraging artificial intelligence technologies, and developing and introducing new financial products and services, such as Buy Now, Pay Later. Chopra and Reynders also commented that digital payments are becoming “increasingly offered and controlled by Big Tech.” They warned these developments, if not properly regulated, “could increase consumers’ exposure to fraud and manipulation, limit their product options over time, threaten their control over their own data, and force them to accept more expensive personalized pricing for the same products and services compared to other consumers.” Chopra and Reynders also cautioned that policymakers must do more to keep pace with evolving markets and ensure consumer protection.

    The dialogue will address topics relating to:

    • The deployment of automated decision-making and data processing and implications for consumers;
    • Risks associated with emerging credit options, including the potential risks of over-consumption and over-indebtedness for consumers who use these products;
    • Measures for exploring ways to assist over-indebted consumers in managing and repaying their debt sustainably;
    • Digital transformation and access to fair financial services, including to unbanked and underbanked consumers, as well as those who prioritize protecting their personal data; and
    • Competition, privacy, security, and financial stability implications associated with big tech companies that offer financial services.

    Chopra and Reynders will meet informally at least once per year to share insights and experiences on consumer financial issues. According to the statement, the dialogue will also involve staff discussions, bilateral meetings with subject matter experts, and roundtables with stakeholders. The cooperation and exchanges within the informal dialogue are expected “to occur in parallel with other forms of cooperation and exchanges between the European Union and the United States on various digital and financial services policies and regulations,” the joint statement said.

    Federal Issues Fintech CFPB Of Interest to Non-US Persons EU Artificial Intelligence Consumer Finance Buy Now Pay Later

  • European Commission approves transatlantic data-transfer framework

    Privacy, Cyber Risk & Data Security

    On July 10, the European Commission adopted an adequacy decision as part of the EU-U.S. Data Privacy Framework, concluding that the U.S. “ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to U.S. companies under the new framework.” In the announcement, European Commission President Ursula von der Leyen stated that the “new EU-US Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic.” She explained that with the new adequacy decision, personal data can now be transferred securely from the EU to U.S. companies participating in the framework without having to implement additional data protection safeguards. The framework will be administered by the Department of Commerce. Compliance by U.S. companies with their obligations under the framework will be enforced by the FTC.

    As previously covered by InfoBytes, Presidents von der Leyen and Biden announced in March 2022 that they had reached an agreement in principle on a new transatlantic data flows framework to foster cross-border transfers of personal data from the EU to the U.S. Under the framework, the U.S. agreed to implement reforms and safeguards to “strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities.” The announcement followed negotiations that began after the Court of Justice of the EU issued an opinion in the Schrems II case in July 2020, holding that the EU-U.S. Privacy Shield did not satisfy EU legal requirements.

    The DOJ released a statement welcoming the European Commission’s adoption of the adequacy decision and expressing its eagerness to collaborate with the Commission, along with representatives from European data protection authorities, to ensure the ongoing implementation of data privacy safeguards.

    Privacy, Cyber Risk & Data Security Federal Issues Of Interest to Non-US Persons EU Consumer Protection Biden EU-US Data Privacy Framework Department of Commerce FTC

  • EU court says banks must meet GDPR obligation on data processing

    Privacy, Cyber Risk & Data Security

    On June 22, the Court of Justice of the European Union (CJEU) issued a judgment concluding that banks are not exempt from providing information upon request about when and why an individual’s data was accessed. However, banks are not necessarily required to name the people who accessed the data, the CJEU said. The Administrative Court of Eastern Finland issued a request for a preliminary ruling in an action seeking clarification on individuals’ rights when requesting information on data processing. The press release explained that a bank employee (who was also a customer of the bank) discovered that other bank employees consulted his personal data on several occasions. Doubting the lawfulness of these consultations, the now-former employee asked the bank for information on who accessed his data, the exact dates of the consultations, and the reasons why his data had been processed. The bank explained that it had consulted his data to check for a possible conflict of interest, but refused to disclose the employees’ identities, reasoning that this information “constituted the personal data of those employees.” A request made by the former employee to Finland’s Data Protection Supervisor’s Office to order the bank to provide him with the requested information was rejected, so the former employee brought an action before the Administrative Court of Eastern Finland, asking the Court of Justice to interpret Article 15 of the General Data Protection Regulation (GDPR).

    The CJEU clarified, among other things, that while the GDPR gives individuals the right to access information about why and when their data was accessed (including information relating to consultation operations carried out on the former employee’s personal data), it does not grant a right to know who accessed the information when following a controller’s instructions “unless that information is essential in order to enable the data subject effectively to exercise the rights conferred on him[.]” The CJEU acknowledged, however, that a “balance will have to be struck between the rights and freedoms in question” and that “[w]herever possible, means of communicating personal data that do not infringe the rights or freedoms of others should be chosen.” Furthermore, the CJEU determined that the fact that the controller is a bank, and that the former employee was both an employee of the bank and a customer, “has, in principle, no effect on the scope of the right conferred on that data subject.”

    Privacy, Cyber Risk & Data Security Courts Of Interest to Non-US Persons GDPR Consumer Protection EU

  • U.S., UK enter agreement in principle on data flow

    Privacy, Cyber Risk & Data Security

    On June 8, President Biden presented an agreement in principle to allow for the free flow of data between the U.S. and the UK. Announced as part of the administration’s “Atlantic Declaration for a Twenty-First Century U.S.-UK Economic Partnership,” the “data bridge” would facilitate data flows between the two countries while ensuring strong, effective privacy protections. “The trusted and secure flow of data across our borders is foundational to efforts to further innovation,” the White House said in the announcement. “We are working to finalize our respective assessments swiftly to implement this framework.” A joint statement issued by the UK Secretary of State for Science, Innovation, and Technology, the Rt. Hon. Chloe Smith MP, and U.S. Secretary of Commerce Gina M. Raimondo reiterated the two countries’ commitment to establishing “a data bridge that would restore a robust and reliable mechanism for UK-US data flows.” The data bridge would also help facilitate data transfers to U.S. organizations that rely on other data transfer mechanisms under UK law, the joint statement said.

    Meanwhile, the U.S. and the EU are working to finalize the EU-US Data Privacy Framework (covered by InfoBytes here)—a replacement for the EU-U.S. Privacy Shield, which was annulled by the Court of Justice of the EU in 2020 after the court determined that data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protections prescribed by the EU’s General Data Protection Regulation.

    Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons EU UK Biden GDPR EU-US Data Privacy Framework

  • U.S. and EU enter bilateral sanctions partnership

    Financial Crimes

    On May 16, the United States and the European Union entered into a bilateral partnership to strengthen working relationships and share sanctions expertise to address foreign policy goals. The U.S.-EU partnership’s foundation is premised on a collaborative approach for financial sanctions, in which the U.S. Treasury Department’s Office of Foreign Assets Control, the European External Action Service, and the European Commission Directorate-General for Financial Stability, Financial Services and Capital Markets Union will continue to work closely with partners around the world to ensure financial sanctions are fully contributing to member countries’ policy goals. Emphasizing that “[s]anctions are most effective when coordinated with a broad range of international partners who can magnify the economic and political impact,” Treasury stressed the importance of multilateral implementation to maximize the effectiveness of sanctions while minimizing unintended costs and compliance burdens.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury EU OFAC Sanctions OFAC Designations

  • France fines facial recognition company additional €5.2 million for noncompliance

    Privacy, Cyber Risk & Data Security

    On May 10, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), fined a facial recognition company an overdue penalty payment in the amount of €5.2 million for failing to comply with an October order. As previously covered by InfoBytes, last fall CNIL imposed a €20 million penalty against the company for allegedly violating the EU’s General Data Protection Regulation (GDPR) after investigations found that the company allegedly processed personal biometric data without a legal basis (a breach of article 6 of the GDPR), and failed to take into account an individual’s rights in an “effective and satisfactory way”—particularly with respect to requests for access to their data (a breach of articles 12, 15 and 17 of the GDPR). CNIL reported that the company had two months after receiving the October order to stop collecting and processing data on individuals located in France “without any legal basis, and to delete the data of these individuals, after responding to requests for access it received.” Because the company did not submit proof of compliance within this time frame, CNIL imposed an additional fine on top of the original penalty.

    Privacy, Cyber Risk & Data Security Courts Of Interest to Non-US Persons EU France GDPR Enforcement
