Financial institutions — responsible for the personal information of thousands of customers — have long been heavily regulated by both state and federal agencies. As a result, the sector has developed a reputation for strong compliance programs.
“Their compliance regimes and spending on the IT necessary to protect customer information is very robust,” said Marc Berner, U.S. Financial Institutions Product Lead, Allied World.
Some have surmised that banks, insurers and asset managers might relax those regimes, however, amid promises from the current presidential administration to loosen its regulatory grip.
“There was an expectation that the regulatory environment would become more tepid. So far we’ve observed a mixed-bag depending on the type of regulator and class of business,” Berner said. “For example, it is widely viewed that the May 2018 rollback of certain Dodd-Frank provisions fell far short of unwinding the heightened regulatory framework for financial institutions that was put in place following the global credit crisis.”
In addition, ever-evolving cyber attacks and the rise of cryptocurrency represent blind spots in regulatory oversight, and as these trends evolve, they will challenge financial institutions to ensure their cybersecurity and cryptocurrency activities don’t fall afoul of regulators who are likewise trying to keep up.
Enforcement actions brought around these emerging risks may draw stakeholder lawsuits soon after and represent a significant professional and management liability risk. To stay a step ahead, here are the regulatory trends financial institutions should watch:
Some Regulators Scale Back, but the SEC Remains Vigilant
Regulatory enforcement activity has varied slightly from agency to agency since the 2016 presidential election. A November 2018 research report by law firm Winston & Strawn reported that bank enforcement activity had declined 20% since January 2017, compared to the previous 20 months.
“When you look at some of the banking regulators — the FDIC, the OCC, the CFPB, the Federal Reserve — there’s been a decline in enforcement actions,” Berner said.
The SEC, however, remains as vigilant as ever. After a modest 4% drop from 2016 to 2017, overall SEC enforcement activity was up 8.8% in 2018. In particular, actions against investment advisors and securities broker/dealers rose sharply.
Overall, hopes of a more lenient regulatory environment have gone and likely will continue to go unfulfilled. But this hasn’t changed the way that U.S. financial institutions do business or approach risk management.
“It’s important to recognize that there hasn’t been a correlating diminishment of institutions’ preparedness,” Berner said. “We haven’t come across a risk where anyone’s decreased their spending and resource allocation to audit and compliance because of a perceived lack of regulatory enforcement.”
Emerging Cyber Regulations Will Raise the Bar on Compliance
In the cybersecurity world, the regulatory enforcement narrative looks slightly different.
“There has not been a lot of activity in the cybersecurity practices area,” Berner said. “Enforcement activity across various regulators at the federal level has been inconsistent.”
One notable exception, however, is the $1 million fine that the SEC levied against investment brokerage firm Voya Financial Advisors Inc. after a 2016 breach. Over a six-day period, scammers called Voya’s customer support line impersonating various company contractors, requesting to have their passwords reset. Using the new passwords, the hackers were able to create new user accounts, infiltrate the corporate network and eventually access the personal information of 5,600 customers.
According to the SEC’s order, Voya’s “failure to terminate the intruders’ access stemmed from weaknesses in its cybersecurity procedures, some of which had been exposed during prior similar fraudulent activity.” The agency charged Voya with violating the Safeguards Rule and the Identity Theft Red Flags Rule, which together are intended to protect customers from unauthorized access to their personally identifiable information (PII) and subsequent identity theft.
“This was the first time the agency leveraged the identity-theft rule as a tool to bring an enforcement action, and could be a leading indicator that companies should be aware more actions are likely to come in the future,” Berner said.
State-level action has generally been more aggressive on the cyber front. “State regulators are not necessarily impacted by high profile federal politics, so they’ve had more freedom to pursue cases against financial institutions following a breach,” Berner said.
The New York State Department of Financial Services, for example, released a set of comprehensive cybersecurity rules in 2017. These require all covered institutions to implement a detailed cybersecurity plan and enact a cybersecurity policy, designate a chief information security officer and create an ongoing reporting system for cybersecurity events.
“All 50 states have some form of a breach notification law, but New York State is a good example of a strict regulatory regime for financial institutions. It’s possible more states will follow suit,” Berner said.
Crypto Currency is a New Regulatory Target
The regulatory framework surrounding cryptocurrency is still in its infancy, but various regulators do have a stake in more closely controlling this volatile asset, including the SEC, CFTC, IRS, Treasury and State agencies.
“I think the notion behind cryptocurrency when it started was that it wouldn’t be regulated. But it’s become such a big phenomenon that a lot of regulators are throwing their hat in the ring to make the investing environment safe for consumers,” Berner said.
Initial coin offerings (ICOs) have attracted the attention of the SEC, which released an investigative report in 2017 concluding that tokens sold in ICOs are considered securities, and that ICOs can be used as vehicles to raise capital or participate in investment opportunities — thus falling under the purview of SEC regulation.
The SEC also cautioned that cryptocurrency is susceptible to “increased risk of fraud and manipulation because the markets for these assets are less regulated than traditional capital markets.” So far, the commission has brought roughly a dozen enforcement actions against various ICOs.
“The SEC’s stated approach is to balance investor protection with the need to encourage innovation,” Berner said. Demand for insurance protection against the risks associated with cryptocurrency currently outstrips supply, Berner added.
Though coin offerings are the biggest challenge for underwriters, “ancillary risks associated with asset management — i.e., managing storage facilities like crypto wallets — are more insurable. That’s where brokers have been more successful putting some capacity together,” he said.
Leverage Insurer Expertise to Address Emerging Risk
What does all of this mean for financial institutions as they try to fulfill their obligations to both customers and stakeholders while remaining in compliance in the face of new and emerging risks? The answer may lie in choosing an insurance partner with demonstrated expertise in financial services’ management liability exposures and a history of adaptability.
“The financial institutions business can be volatile. The credit crisis years have produced a lot of loss activity, and the cyclical nature of economics presents a difficult risk environment in the FI space,” Berner said. “For that reason, Allied World came into the market taking a very measured approach. Our strategy has always been to act conservatively and expand our product offerings as we grow, which we feel is the best way to adjust to shifting exposures.”
Allied World entered the FI management and professional liability space with its Side A DIC policy, but has continually updated the product to react to emerging risks. “We’ve revised that policy, called Executive ForceField®, four times to make sure that we’re on the leading edge of terms and conditions,” Berner said.
The insurer also has a broad appetite. “There are very few classes of business we won’t look at,” Berner said.
Claims coordination helps underwriters stay abreast of how emerging exposures impact the liability landscape and existing policies. “We also work closely with claims leaders across various departments — including our cyber practice — to get their insight on how various exposures interact and overlap. We have a vastly experienced claim staff,” Berner said.