
InfoBytes Blog

Financial Services Law Insights and Observations



  • NYDFS settles with title insurance company for $1 million

    Privacy, Cyber Risk & Data Security

    On November 27, the NYDFS entered into a consent order with a title insurance company, which required the company to pay $1 million for failing to maintain and implement an effective cybersecurity policy and correct a cybersecurity vulnerability. The vulnerability allowed members of the public to access others’ nonpublic information, including driver’s license numbers, social security numbers, and tax and banking information. The consent order indicates the title insurance company discovered the vulnerability as early as 2018. The title insurance company’s failure to correct these changes violated Section 500.7 of the Cybersecurity Regulation.

    In May 2019, a cybersecurity journalist published an article on the existence of a vulnerability in the title insurance company’s application that led to the public exposure of 885 million documents, some found through search engine results. The journalist noted that “replacing the document ID in the web page URL… allow[ed] access to other non-related sessions without authentication.” Following the cybersecurity journalist’s article, and as required by Section 500.17(a) of the Cybersecurity Regulation, the title insurance company notified NYDFS of its vulnerability, at which point NYDFS investigated further. The title insurance company has been ordered to pay the penalty no later than ten days after the effective date.

    Privacy, Cyber Risk & Data Security State Issues Securities NYDFS Auto Insurance Enforcement

  • SEC charges crypto firm for failing to register and mitigate risk factors


    On November 20, the SEC filed a complaint in the U.S. District Court for the Northern District of California against a crypto trading platform, which allows customers to buy and sell crypto assets through an online market, for allegedly acting as an unregistered securities exchange, broker, dealer, and clearing agency. The SEC also claimed that defendant’s business practices, internal controls, and recordkeeping were inadequate and presented additional risks to consumers, and would also be prohibited had defendant been properly registered with the commission. For instance, the SEC cited practices including commingling billions of dollars of consumers’ cash and crypto assets with defendant’s own crypto assets and cash, which defendant’s 2022 independent auditor identified as “a significant risk of loss.”

    Director of the SEC’s Division of Enforcement, Gurbir S. Grewal said, “[Defendant’s] choice of unlawful profits over investor protection is one we see far too often in this space, and today we’re both holding [defendant] accountable for its misconduct and sending a message to others to come into compliance.”

    The SEC seeks to (i) permanently enjoin defendant from violating Section 5 and Section 17A of the Exchange Act; (ii) permanently enjoin defendant from offering or selling securities through crypto asset staking programs; (iii) disgorge defendant’s allegedly illegal gains and pay prejudgment interest; and (iv) impose a civil money penalty.

    Securities SEC Cryptocurrency Enforcement California Digital Assets Broker

  • IOSCO releases report advising country regulators on crypto asset regulation


    On November 16, the International Organization of Securities Commissions (IOSCO) released a report titled “Policy Recommendations for Crypto and Digital Asset Markets” for centralized financial bodies to put forth parallel, global policies on crypto assets, including a country’s stablecoin.

    IOSCO’s report aims to protect retail investors from illegal crypto-asset market activities, including regulatory non-compliance, financial crime, fraud, market manipulation, and money laundering that have led to investor losses. The report puts forth 18 policy recommendations summarized within six key themes: conflicts from firms doing too much at once; market manipulation, insider trading, and fraud; cross-border risks and regulatory cooperation; operational and technological risks; and retail access, suitability, and distribution. IOSCO maintains its principles on global regulation are within the “same activities, same risks, same regulation/regulatory outcomes.” IOSCO also mentioned it plans on releasing a second report on decentralized finance before the year’s end.

    Securities International Of Interest to Non-US Persons Cryptocurrency Digital Assets Risk Management

  • FTC, DOJ convene with G7 on AI policy future


    On November 8, the FTC and DOJ met with the G7 Competition Authorities and Policymakers’ Summit on how to better regulate AI while addressing its competitive concerns. The Summit took place in Tokyo, Japan, and both the FTC’s and the DOJ’s Antitrust Division participated with the international group. The G7 issued a statement on how generative AI can pose not only anti-competitive risks, but also risks in “privacy, intellectual property rights, transparency and other concerns.” All policymakers shared concerns on how to best enforce fair competition laws with AI, iterating that “existing competition law applies to [AI]” and that they were “prepared to confront abuses if AI becomes dominated by a few players with market power.” The G7 stated a need to enforce competition laws and “develop policies necessary to ensure that principles of fair competition are applied to digital markets.”

    The G7’s report outlines its initiatives to promote and protect competition in digital markets, its commitment to address competition concerns, and its recognition of the need for internal cooperation on digital competition.

    Securities G7 FTC DOJ Antitrust AI

  • Bank of England and Financial Conduct Authority seek feedback on stablecoin regulatory proposals


    On November 6, the Bank of England and the Financial Conduct Authority (FCA) requested feedback on their proposal to regulate a form of cryptocurrency known as stablecoins. Stablecoins are cryptoassets that “maintain a stable value relative to a fiat currency by holding assets as backing” and fall within the UK Government’s plan to regulate them for future retail payment use. In addition to retail use, the Bank of England and FCA’s wish to regulate stablecoins is meant to “prevent money laundering… and safeguard financial stability.”

    The Bank of England published a handy road map with similar regulators on how to best navigate rolling out new technological payment innovations, such as the digital pound. Each of the financial regulators provided two white papers: (i) the FCA’s discussion paper outlines how the FCA can regulate cryptoassets under the Financial Services and Markets Act 2000, including providing information on backing assets, custody requirements, and allowing overseas stablecoins to be used as a form of tender in the UK; and (ii) the Bank of England’s discussion paper examines proposed regulations for sterling-denominated stablecoins in the hopes of becoming widespread for retail use. Furthermore, this paper details proposed regulations for everyday use, including money transfers and providing digital wallets.

    Both regulators’ comment period is open until February 6, 2024.

    Securities Of Interest to Non-US Persons Digital Assets Cryptocurrency Stablecoins

  • UK Government finalizes cryptoasset guidance with financial promotions


    On November 2, the UK Financial Conduct Authority (FCA) finalized guidance informing individuals and firms regarding the communication and promotion of cryptoassets. The final guidance follows a consultation period that closed on August 10.

    In UK law, Section 21 of the Financial Services and Markets Act 2000 prohibits any person from, in the course of business, communicating a financial promotion – an invitation or inducement to engage in investment activity – unless such person is an authorized person, the content is approved by an authorized person, or another exemption applies.  The guidance describes the application of the financial promotion oversight regime to “qualifying cryptoassets” and expresses the expectation that all “cryptoasset financial promotions must be fair, clear and not misleading.”

    The guidance reiterates that it “does not create new obligations for firms but relates to firms existing regulatory obligations” and that persons and firms that act in accordance with the guidance will be considered “as having complied with the rule or requirement to which that guidance relates.”


    Securities UK Cryptocurrency Regulation Of Interest to Non-US Persons

  • SEC charges crypto company with fraud and anti-registration violations


    On November 1, the SEC charged a crypto company and its executive team with fraud through the unregistered sale of crypto asset securities. According to the complaint, the defendants represented in marketing materials, website, social media posts, and other communications with the public that a certain percentage of funds for each transaction would be retained and inaccessible by any party for a period of four years as a safety mechanism against asset misappropriation. Instead, the complaint alleges, the defendants accessed the funds and misappropriated tens of millions of dollars for various purposes, including manipulation of the market for the crypto asset, business expenses, investments in unrelated companies, and personal use. The complaint charges defendants with violating the registration and anti-fraud provisions of the Securities Act of 1933 and the anti-fraud provisions of the Securities Exchange Act of 1934.

    Securities Federal Issues Venture Capital Risk Management Digital Assets

  • SEC’s SAB 121 should be subject to congressional review, says GAO


    On October 31, the GAO opined that the SEC’s Staff Accounting Bulletin 121 (SAB 121) is a rule, and thus the SEC was required to submit it for congressional review. SAB 121 describes how SEC staff would expect entities to account for and disclose their custodial obligations for engaging in crypto-asset services, noting that crypto companies may have to present such obligations as a liability on their balance sheets. The GAO found that SAB 121 provides interpretive guidance, but the SEC failed to submit a report as required under the Congressional Review Act (CRA) before a rule can take effect.

    The GAO’s opinion notes that the SEC maintains a different position than the GAO on the nature of SAB 121, arguing that SAB 121 is not a rule (and thus not subject to CRA review), but instead is “guidance” indicating “how the Office of the Chief Accountant and the Division of Corporation Finance would recommend that the agency act,” and is not an agency statement from the full Commission. However, the GAO found that “[SAB 121] is a statement made by the SEC,” and that “a statement issued by a subset of the agency may still constitute an agency statement for CRA purposes.”

    Securities GAO CRA Congress

  • UK Government to regulate cryptoassets more strictly under a new regulatory regime


    On October 30, the HM Treasury of the UK Government released a report titled “Future Financial Services Regulatory Regime for Cryptoassets,” confirming its plans to regulate digital assets more strictly. The regulatory framework includes descriptions of requirements for the admission of digital assets to a trading venue, including disclosure documents. To make cryptocurrencies subject to the FCA’s rule-making powers, the HM Treasury expanded the definition of “specified instruments” to include digital currencies, but not its definition of “financial instrument.”

    The UK Government created the report based on stakeholder feedback on an extensive survey on cryptoassets. The report summarizes responses to 51 survey questions and provides explanations regarding the UK government’s intentions to proceed with the framework. The report outlines how the UK can attract more crypto businesses while also protecting consumer interests. Topics include, among other things, (i) confirmation that the proposed regime does not intend to capture activities relating to cryptoassets which are specified investments that are already regulated; (ii) information regarding the future FCA authorization process for cryptoasset activities; (iii) the UK government’s support for the use of publicly available information to compile appropriate disclosure and admission documents; and (iv) acknowledgment of the potential need for a staggered implementation for cross-venue data sharing obligations.  The report recognizes the rapidly evolving nature of the crypto sector and emphasizes that “the government continues to consider that developing a fully bespoke regime outside of the FSMA framework would risk creating an un-level playing field between cryptoasset firms and the traditional financial sector.”

    Any legislative changes in response to this report on how the UK Government regulates cryptoassets will occur in 2024, “subject to Parliamentary time.”

    Securities UK Cryptocurrency Regulation Of Interest to Non-US Persons

  • SEC announces 2024 examination priorities, excludes ESG


    On October 16, the SEC’s Division of Examinations announced that its 2024 examination priorities will focus on key risk factors related to information security and operational resiliency, crypto assets and emerging financial technology, regulation systems compliance and integrity, and anti-money laundering. SEC registrants, including investment advisers, investment companies, broker dealers, self-regulatory organizations, clearing agencies, and other market participants are reminded of their obligations to address, manage, and mitigate these key risks. Notably, ESG was a “significant focus area[]” in 2022 (covered by InfoBytes here) and 2023, but it is not directly mentioned in the 2024 examination priorities.

    According to the report, examiners plan to increase their engagement to support the evolving market and new regulatory requirements. Regarding information security and operational resiliency, examiners will focus on registrants’ procedures surrounding “internal controls, oversight of third-party vendors (where applicable), governance practices, and responses to cyber-related incidents, including those related to ransomware attacks.” Additionally, regarding crypto assets and emerging fintech, examiners will focus on registrants’ business practices involving compliance practices, risk disclosures, and operational resiliency practices. The SEC also mentioned in the “Crypto Assets and Emerging Financial Technology” section of the report that it will assess registrant preparations for the recently adopted rule for broker dealer transactions that shortens the standard settlement cycle to one business day (previously two days) after the trade, which has a compliance date of May 28, 2024. Among other things, the SEC will also focus on whether registrants’ regulation systems compliance and integrity are “reasonably designed” to ensure the security of their systems, including physical security of the systems housed in data centers.

    SEC chair Gary Gensler said that the Division of Examinations plays an important role in “protecting investors and facilitating capital formation,” adding that the commission will focus on “enhancing trust” in the changing markets.

    Securities SEC Examination Digital Assets Fintech Compliance Privacy, Cyber Risk & Data Security

