
InfoBytes Blog

Financial Services Law Insights and Observations



  • Senate Committee reports on AI use by hedge fund traders

    Privacy, Cyber Risk & Data Security

    On June 14, the U.S. Senate Committee on Homeland Security and Governmental Affairs released a report on the use of artificial intelligence (AI) by hedge funds to inform trading decisions. The report suggested that the increased use of, and reliance upon, AI in the financial services sector could lead to greater risks to financial investors and markets. Among these findings was, for instance, an observation that hedge funds and regulators may use inconsistent or unclear terms to define AI systems, which could make it difficult to understand what types of systems are in use and how existing and proposed regulations could apply. The report suggested this may also complicate efforts to audit and assess hedge funds’ review processes and human moderation efforts. The report further suggested that the use of AI for trading purposes could amplify traditional investment industry risks.

    The Committee made several recommendations, including calling upon regulators to consider potential gaps in existing and proposed regulatory frameworks. The report concluded that Congress and regulators should seek to improve the public’s understanding of AI and establish guardrails to address risks related to the use of this technology in the financial services sector. 

    Privacy, Cyber Risk & Data Security Federal Issues Department of Homeland Security Artificial Intelligence Hedge Fund

  • New York Fed risk head delivers speech on emergent risks in finance

    Privacy, Cyber Risk & Data Security

    On June 11, the New York Fed’s Chief Risk Officer and head of the risk group, Mihaela Nistor, delivered a speech on the evolving landscape of risk management and emphasized the complexities of modern risks within the financial system. Nistor highlighted an increase in new risks around the world, from geopolitical conflicts and economic uncertainties to cyber threats, data privacy issues, and disruptive technologies. She then categorized these risks as internal or external threats.

    Nistor first addressed the internal risk landscape within organizations and emphasized the need for organizations to develop a comprehensive view of risk across the enterprise in order to identify priorities and allocate resources accordingly. The speech described the importance of building a strong risk culture within organizations to identify and mitigate risks proactively. One way to strengthen risk-management culture, according to Nistor, would be through a “portfolio view” that evaluates risks collectively across projects within an organization rather than in isolation. Nistor stated that this approach facilitates a better understanding of interdependencies and cumulative risk exposure. At the same time, the remarks stressed the importance of management approaches tailored to allow flexibility in mitigating an identified risk.

    For external risk, Nistor focused on the importance of building resilience within organizations. Nistor noted that while external threats are often unpredictable, an organization can build resilience to meet emerging external risks by identifying critical assets and processes and developing contingency plans.


    Privacy, Cyber Risk & Data Security Federal Reserve Bank of New York New York Risk Management

  • Treasury requests information on AI in financial services sector

    Privacy, Cyber Risk & Data Security

    On June 6, the Department of the Treasury released a request for information (RFI) to collect data from financial institutions, consumers, advocates, academics, and other stakeholders on the uses, opportunities, and risks presented by artificial intelligence (AI). The Treasury’s release stated that the Department is interested in gaining greater insight into how AI is being used in risk management, capital markets, internal operations, customer service, regulatory compliance, and marketing. The RFI posed 19 questions related to general topics such as types of models, AI use, and barriers to entry, as well as questions focused on potential opportunities and risks associated with AI.

    The Secretary of the Treasury, Janet Yellen, discussed the RFI in her remarks at the Financial Stability Oversight Council (FSOC) Conference on AI and Financial Stability. Yellen noted that the Treasury would be convening a roundtable on AI and insurance and would support FSOC’s monitoring and analysis of AI’s impact on financial stability.

    Privacy, Cyber Risk & Data Security Artificial Intelligence Consumer Protection Financial Services

  • FHA issues reporting requirements on significant cybersecurity incidents

    Privacy, Cyber Risk & Data Security

    On May 23, HUD issued Mortgagee Letter (ML) 2024-10, titled “Significant Cybersecurity Incident (Cyber Incident) Reporting Requirements,” which requires FHA-approved mortgagees to notify HUD when a “Cyber Incident” occurs. A Cyber Incident is any unauthorized event that could harm information or computer systems, breach security rules, and affect a mortgagee’s ability to meet FHA program requirements. It also includes actions that threaten data confidentiality, integrity, or availability and could potentially disrupt mortgage operations. Mortgagees must report all suspected Cyber Incidents to HUD’s FHA Resource Center and Security Operations Center within 12 hours of detection. The report must include several details, including the mortgagee’s name and ID, contact information, a description of the incident (including the date, cause, and impact to PII, login credentials, and IT systems), any affected subsidiary or parent companies, and the status of the mortgagee’s incident response, including whether law enforcement has been notified. The provisions of this ML are effective immediately and will be reflected in a forthcoming update to the HUD Handbook 4000.1.

    Privacy, Cyber Risk & Data Security HUD FHA

  • Maryland enacts child consumer protection laws

    Privacy, Cyber Risk & Data Security

    On May 9, the Governor of Maryland approved SB 571 (the “Act”) to provide online consumer protections for children. The Act will afford protections from online products aimed at children or likely to be accessed by children. Specifically, the Act will require companies that provide online products “reasonably likely to be access[ed] by children” to prepare a data protection impact assessment (DPIA) for the online product. The DPIA will identify the purpose of the online product, describe how the product uses children’s data, determine whether the product is in children’s best interests, and include a description of the steps the company has taken to comply with the duty to act in a manner consistent with the best interests of children, among other requirements. The Act outlined several prohibited practices, including processing data in a way that is not in children’s best interests, profiling children, processing geolocation data, using dark patterns, and monitoring children’s activities without first notifying the parent or guardian. The Act will go into effect on October 1.

    Privacy, Cyber Risk & Data Security State Issues Maryland Consumer Protection State Legislation

  • Maryland enshrines its consumer online data privacy act

    Privacy, Cyber Risk & Data Security

    On May 9, the Governor of Maryland approved SB 541 (the “Act”) which enacted the Maryland Online Data Privacy Act of 2024, setting forth new provisions for businesses and data processors under the state’s UDAP commercial code. The Act will prevent persons or processors from providing access to consumer health data unless contractually required, or from using a geofence within a certain distance from health or mental health facilities. The Act will enable consumers to exercise certain rights with respect to their data, including confirming use, accessing data, correcting inaccuracies, requiring deletion of data (unless protected by law), and opting out of targeted advertising or sales of one’s personal data. Consumers will also be able to designate an agent to opt-out on their behalf.

    The Act will prohibit controllers from selling sensitive data and from collecting, processing, or sharing sensitive consumer data unless “the collection or processing is strictly necessary to… maintain a specific product,” among other exceptions. The Act will enable controllers to limit collection to what would be “reasonabl[y] necessary” and will require them to establish data security practices. Controllers will also be required to provide consumers with a privacy notice that outlines their use of the data and a consumer’s rights, and to establish a secure method for a consumer to exercise those rights. The Act will not apply to financial institutions or to consumer credit data that is protected under the FCRA. The Act will go into effect on October 1, 2025.

    Privacy, Cyber Risk & Data Security Maryland State Issues State Legislation

  • NIST issues updated security requirements and assessment procedures for protecting controlled unclassified information

    Privacy, Cyber Risk & Data Security

    On May 14, the National Institute of Standards and Technology (NIST) released “Revision 3” of Special Publication 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) and 800-171A (Assessing Security Requirements for Controlled Unclassified Information) for federal contractors and other entities that do business with the federal government and handle controlled unclassified information. The revisions were intended to create better alignment with the controls set forth in Special Publication 800-53 Rev. 5 (Security and Privacy Controls for Information Systems and Organizations), to realign controls based on new tailoring criteria, and to tie specific controls directly to the handling of controlled unclassified information. The revisions further implement the framework set forth in Executive Order 13556 – Controlled Unclassified Information, and give the private sector more clarity by tailoring the moderate baseline for controls in Special Publication 800-53 Rev. 5 to withdraw requirements that are, among other things, primarily the responsibility of the federal government, not directly related to the protection of controlled unclassified information, or adequately addressed through other related controls. The updates will also allow for more specific tailoring of organizational controls to security standards, increasing flexibility. Finally, the assessment procedures in Special Publication 800-171A for determining whether a contractor or other entity is compliant with Special Publication 800-171 were updated to align with the new revisions in Special Publication 800-171. These updates come at a time when the Department of Defense continues to implement the Cybersecurity Maturity Model Capability, covered by InfoBytes here.

    Privacy, Cyber Risk & Data Security NIST Federal Issues

  • State attorneys general push Congress on federal consumer privacy legislation

    Privacy, Cyber Risk & Data Security

    On May 8, the Attorney General of California, Rob Bonta, and 15 other state attorneys general wrote a letter to Congressional leaders following the introduction of the American Privacy Rights Act (APRA) in Congress. The attorneys general encouraged Congress to set a “federal floor, not a ceiling” for consumer privacy rights, as APRA preempts state law under its current draft. The letter highlighted how states have “played a critical role” in setting new data privacy standards without curbing business practices or developments in technology. In addition, the attorneys general expressed concern that the APRA would limit the ability of some attorneys general to issue civil investigative demands (CIDs), because their CID authority requires a violation of state or federal law before issuance. The APRA, however, provides that “a violation of [the APRA] or a regulation promulgated under [the APRA] may not be pleaded as an element of any violation of [a state] law.” Despite these concerns, the attorneys general did express their support for other provisions of APRA, such as data minimization by default, stronger consent requirements, and protections for minors.

    Privacy, Cyber Risk & Data Security Congress California State Attorney General HIPAA

  • Fed, OCC, and FDIC release third-party risk management report for community banks

    Privacy, Cyber Risk & Data Security

    On May 3, the Fed, OCC, and FDIC (the regulators) released a report to help community banks assess their third-party relationship risk exposure. The report discusses key considerations in three areas: risk management, the third-party relationship life cycle, and governance. In addition, the regulators’ report contains an appendix with additional resources, such as FFIEC interagency guidance and CISA cybersecurity protocols. With respect to risk management, the report suggested community banks apply more rigorous risk-management practices for third parties that support critical bank activities, such as those that could have a significant customer impact or a significant impact on the bank’s financial condition. In describing the third-party relationship life cycle, the report identified five key stages: planning, due diligence, contract negotiation, ongoing monitoring, and termination. With respect to governance, the report described three key pillars: oversight and accountability, independent review, and documentation and reporting.

    Privacy, Cyber Risk & Data Security Third-Party Risk Management Communications Decency Act Bank Regulatory OCC Federal Reserve

  • Department of Commerce announces new actions related to Executive Order on AI

    Federal Issues

    On April 29, the National Institute of Standards and Technology (NIST) at the U.S. Department of Commerce released several announcements regarding the progress on President Biden's Executive Order on AI (covered by InfoBytes here). NIST released four draft publications aimed at enhancing AI systems' safety, security, and trustworthiness.

    The four draft publications include: (i) NIST AI 600-1, which offers a Generative AI Profile to help organizations identify and manage risks associated with generative AI; (ii) NIST SP 800-218A, which expands on the Secure Software Development Framework (SSDF) and addresses concerns about malicious training data affecting AI systems, as well as describing potential risks and strategies for handling training data, including recommendations for analyzing data for signs of poisoning, bias, homogeneity, and tampering; (iii) NIST AI 100-4, which proposes technical methods to improve the transparency of AI-created or “synthetic” content; and (iv) NIST AI 100-5, which will outline a plan to encourage the global development of AI-related technical standards and seek feedback on areas for AI standardization, including methods for tracking the origin of digital content and shared practices for AI system testing and evaluation. Additionally, NIST is launching challenges to create methods for distinguishing between human- and AI-generated content. Public comments on these initial drafts will be due by June 2.

    Federal Issues Privacy, Cyber Risk & Data Security NIST Artificial Intelligence Biden Executive Order

