The impact of technology on financial services, markets, and regulation was much in the news last week. Concerns included cyber security and the use by regulators of technology. While each of these topics is significant and of interest on a standalone basis, together they help illustrate the extent to which issues of technology are likely to continue to expand from both a compliance and regulatory perspective. This expansion is likely to be accompanied by an increase in regulators' expectations regarding the level of resources and expertise that regulated financial service firms devote to technology issues, including most significantly issues of risk and compliance.
Cybersecurity. On Wednesday, March 26th, the Securities and Exchange Commission hosted a roundtable discussion on cybersecurity and the issues and challenges raised for market participants and public companies. In light of the very different concerns and risks faced by different participants, the panelists generally were opposed to the issuance of prescriptive rules by the SEC addressing cybersecurity, but instead favored a principles based approach and increased information sharing among regulators and market participants. As of the 29th, the SEC had not yet posted an archived webcast and transcript.
The SEC's roundtable follows close on the heels of the SEC's announcement that it will examine cybersecurity compliance by registered advisers. For their part, broker-dealers can also expect continued attention from the Financial Industry Regulatory Authority, Inc. ("FINRA"), which also identified cybersecurity as one of its examination priorities for 2014. FINRA identified the "integrity of firms' policies, procedures and controls to protect sensitive customer data" and stated that its "evaluation of such controls may take the form of examinations and targeted investigations." See Law360 article "SEC Is Focusing On Cybersecurity — And So Should You," by Winston & Strawn partners Steven Grimes and Glen Barrentine, published March 25, 2014.
Impact of Technology on Regulation. The possible impact of technology and, more particularly, big data, on regulation was highlighted both in a thoughtful speech on Tuesday, the March 25th by the Commodity Futures Trading Commission ("CFTC") Commissioner Scott D. O'Malia and by SIFMA's comments on FINRA's Comprehensive Automated Risk Data System ("CARDS") proposal.
Commissioner O'Malia's address was the keynote address at the SWIFT Institute's Future of Financial Standards Forum. Commissioner O'Malia characterized the current supervisory mindset as unacceptably focused "on the filing of forms and compliance checks." Instead, Commissioner O'Malia urged consideration of the possibilities available by integrating "technology solutions into each and every one of our workflows and processes." In Commissioner O'Malia's view, doing so would require agreement on standardized data fields and reporting formats. Indeed, in Commissioner O'Malia's view, this "standard-setting process should have been the foundation of the CFTC's rules for the reporting and disclosure of massive amounts of new market data. The failure to use a common metric increases the risk of misapplication and misunderstanding of critical market information. The result is a waste of resources -- for both regulators and market participants."
Perhaps in line with Commissioner O’Malia’s thinking, FINRA had previously issued its CARDS proposal which would allow FINRA to collect on a standardized, automated and regular basis, information relating to account ownership, account activity and security identification. Commenting upon the CARDS proposal, the Securities Industry and Financial Markets Association ("SIFMA"), a trade group for the brokerage industry, stated that it could not support the current proposal as the proposal lacked technical details including required data elements, data standardization, and an explanation of how the data will be stored, protected and used. Notwithstanding SIFMA’s objections, it seems likely that concerns regarding efficiency and economics will increasingly drive regulators to mandate data standardization requirements that are designed to allow regulators to more easily and effectively comb through large amounts of data, giving them an all but real time view of the behavior of their regulated entities. Indeed, initiatives, such as the SEC’s Large Trader Reporting rule and its mandated Consolidated Audit Trail proposal, already exist. More such initiatives are likely to follow.