CyberLex Insights on cybersecurity, privacy and data protection law

Category Archives: Regulatory Compliance


SEC issues Guidance on Public Company Cybersecurity Risk Disclosures

Posted in Cybersecurity, Financial, Regulatory Compliance

On Wednesday, February 21, 2018, the United States Securities and Exchange Commission (SEC) published cybersecurity risk disclosure guidance (the SEC Guidance) for public companies to assist them in preparing disclosures related to these types of risks and incidents. The SEC Guidance does not propose new rules or rule amendments that would impose new requirements, but…

IIROC Provides Additional Guidance on Proactive Management of Cyber-related Risks

Posted in Cybersecurity, Financial, Regulatory Compliance

On January 18, 2018, the Investment Industry Regulatory Organization of Canada (IIROC) released its Compliance Priorities Report for 2017/2018, identifying cybersecurity as a “high priority” issue that IIROC dealer members should address to improve investor protection and foster market integrity. The report also provides specific guidance on initiatives that dealers may undertake in 2018-19 to…

UK Financial Conduct Authority Proposes Global Fintech Regulatory Sandbox

Posted in FinTech, Regulatory Compliance

On February 14, 2018, the United Kingdom Financial Conduct Authority (FCA) published a proposal for a global regulatory sandbox. The goal of a regulatory sandbox is to encourage innovation by allowing carefully-selected firms to test their concepts on a controlled subset of consumers without triggering full regulatory requirements at the outset. This can be particularly…

Canadian Securities Administrators Weigh-in on the Applicability of Canadian Securities Laws to Cryptocurrencies, including Coins and Tokens

Posted in FinTech, Regulatory Compliance

On August 24, 2017, Staff of the Canadian Securities Administrators (the “CSA”) released CSA Staff Notice 46-307 Cryptocurrency Offerings (the “CSA Notice”), published in all Canadian jurisdictions except Saskatchewan.[1] The CSA Notice addresses a number of considerations of relevance to Fintechs, investors and their advisors, including the potential applicability of Canadian securities laws to initial…

Transport Canada Launches Online “Drone Incident” Reporting Tool

Posted in Regulatory Compliance, UAVs

Transport Canada has announced the launch of a new incident-reporting tool “to keep Canadians safe from reckless drone use.” The new online reporting tool will allow people to report drone “incidents” from their mobile phones and will help Transport Canada “gather valuable information that will assist inspectors with investigations.” It serves as a single-entry-point for…

IIROC Issues Cybersecurity Report Cards to Dealer Firms

Posted in Cybersecurity, Regulatory Compliance

IIROC is providing all dealer member firms it regulates (Firms) with a confidential cybersecurity “report card” that will include: an individual assessment of the Firm’s cybersecurity preparedness program; a comparison of the Firm’s cybersecurity practices against the industry and other Firms of similar size and business model; and a list of cybersecurity areas to which the…

CSA Issues New Guidance on Cybersecurity

Posted in Cybersecurity, Regulatory Compliance

Cybersecurity is top of mind for corporate boards and securities regulators alike. On September 27, 2016, the Canadian Securities Administrators (“CSA”) issued CSA Staff Notice 11-332 Cyber Security (the “2016 Notice”). The 2016 Notice updates the CSA’s previous notice on the same topic, CSA Staff Notice 11-326 Cyber Security (the “2013 Notice”), for reporting…

NY State Introduces Cybersecurity Regulations for Financial Services: Implications for Canadian Business

Posted in Cybersecurity, Financial, FinTech, Legislation, Regulatory Compliance

The New York State Department of Financial Services announced its first state-level regulation for cybersecurity. The proposed regulation would apply to regulated banks, insurance companies, and other financial services institutions and has implications for Canadian organizations doing business with these entities. On September 13, 2016, the New York State Department of Financial Services (“DFS”) announced a…

Canada’s First Regulatory Sandbox for Fintech? OSC Announces Plans for “OSC LaunchPad” Innovation Hub

Posted in Financial, FinTech, Regulatory Compliance

OSC chair Maureen Jensen has announced that the OSC plans to launch an innovation hub for fintech entities. “OSC LaunchPad” will be the first fintech hub for a Canadian securities regulator. Securities regulation in Canada impacts a number of fintech business models (including companies offering online advising, peer-to-peer lending, crowdfunding platforms and angel investor organizations)…

RegTech Stepping Forward: UK Financial Services Regulator Publishes Results on RegTech Consultation

Posted in Big Data, Financial, FinTech, Privacy, Regulatory Compliance

What is RegTech? The UK’s financial conduct regulator, the Financial Conduct Authority (the “FCA”), has recently published its Feedback Statement on Call for Input: Supporting the development and adopters of RegTech, in which it outlined the results of its earlier Call for Input on how to support the development of “RegTech”. “RegTech” is defined by the…

Proving Consent under CASL: CRTC Issues Enforcement Advisory Notice

Posted in CASL, Regulatory Compliance

The Canadian Radio-television and Telecommunications Commission (“CRTC”) has issued an Enforcement Advisory notice directed to businesses and individuals that send commercial electronic messages (“CEMs”) as part of their commercial activities. Notably, the sender of CEMs must have the consent of the recipient to send them a message, or else the message is considered spam. Section 13…

If you don’t got it, don’t flaunt it: FTC Issues Warnings to Companies Claiming APEC Privacy Certification

Posted in Privacy, Regulatory Compliance, Standards

The United States Federal Trade Commission (“FTC”) has issued warning letters to 28 companies claiming to be certified participants in the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules (“CBPR”) system. This is an important reminder for companies, including Canadian companies, that the use of international certifications is something in which regulators take a keen interest. Background…

Federal Privacy Commissioner Provides Submission on New Data Breach Notification and Reporting Regulations

Posted in Data Breach, Legislation, Privacy, Regulatory Compliance

The Office of the Privacy Commissioner of Canada (“OPC”) has provided its views on the data breach reporting and notification requirements that are soon to be prescribed by regulation under the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (“PIPEDA”). On June 18, 2015, the Digital Privacy Act (also known as Bill S-4)…

Mutual Fund Dealers Association of Canada releases Cyber Risk Management Guidance

Posted in Cybersecurity, Financial, Regulatory Compliance

Last month, the Mutual Fund Dealers Association of Canada (MFDA) released a bulletin providing guidance on cybersecurity and cyber risk management for mutual fund distributors. The goal of the bulletin is to increase awareness of cyber vulnerabilities and to provide guidance for developing and implementing internal cybersecurity policies. The bulletin emphasizes the importance of…

IOSCO releases “Cyber Security in Securities Market” Report

Posted in Cybersecurity, Regulatory Compliance

The Board of the International Organization of Securities Commissions (IOSCO) last month released the report on its cyber risk coordination efforts. The goal of the report is to provide an overview of the regulatory issues and challenges faced by various segments of the securities markets, in particular reporting issuers, market intermediaries and asset managers, and…

U.S. Online Payment Processor Dwolla Fined $100,000 for Misrepresenting Data Security Practices: Lessons for Canadian Companies

Posted in Cybersecurity, Payments, Regulatory Compliance

In March 2016, the U.S. Consumer Financial Protection Bureau (“CFPB”) issued a Consent Order against Dwolla Inc., an online payment platform, for deceiving consumers about its information security practices. The CFPB levied a $100,000 civil monetary penalty against the company, a first for the CFPB. What is particularly notable is that there was no evidence that…

IIROC Releases Two Cybersecurity Resources: Best Practices Guide and Incident Planning Guide

Posted in Cybersecurity, Regulatory Compliance

Last week, the Investment Industry Regulatory Organization of Canada (“IIROC”) published two detailed guides to help IIROC-regulated firms protect themselves and their clients against cyber threats and attacks. The creation of these guides was telegraphed at the beginning of the year in IIROC’s annual consolidated compliance report for 2014/2015, released January 27, 2015, and underlines IIROC’s increased focus…

Data Transfers from EU to US “unlawful”; EU Signals Enforcement Actions Possible After January, 2016

Posted in European Union, Privacy, Regulatory Compliance

On Friday, October 16, 2015, the Article 29 Working Party (“WP29”) released a statement on the decision of the Court of Justice of the European Union (“CJEU”) in Schrems v Data Protection Commissioner (C-362/14), the landmark decision which invalidated the European Commission decision underpinning the Safe Harbour framework by which personal…

U.S. Federal Financial Institutions Examination Council (FFIEC) Releases Cybersecurity Assessment Tool

Posted in Cybersecurity, Financial, Regulatory Compliance

On June 30, 2015, the FFIEC released its cybersecurity assessment tool, designed to assist U.S. financial institutions and regulatory examiners in identifying inherent cybersecurity risks and determining the preparedness level of financial institutions. The cybersecurity assessment tool and other resources can be found on the FFIEC website. Background: The FFIEC, which is composed of the Board of Governors of…

“Not Necessarily Regulation, but Regulation as Necessary”: Canadian Senate Committee Weighs in on Regulation of Digital Currency

Posted in Regulatory Compliance, Virtual Currency

In March of 2014, the Minister of Finance tasked the Standing Senate Committee on Banking, Trade and Commerce to examine the use of digital currencies. The Committee pursued an extensive fact-finding mission in Canada and in the United States, speaking with, amongst others, representatives from regulatory bodies, financial institutions, digital currency interest groups, law enforcement,…

“BitLicensing”: New York Virtual Currency Regulations Include Cybersecurity Program Requirement

Posted in Regulatory Compliance, Virtual Currency

On June 3, 2015, the New York Department of Financial Services (“NYDFS”) issued its final virtual currency regulations after spending a year considering multiple proposals and thousands of comment letter submissions. Notably, the New York regulations include a requirement that businesses providing virtual currency services establish and maintain a cybersecurity program. The New York regulations…

The Cheque Is No Longer in the Mail: Risks and Developments Relating to Cheque Imaging

Posted in E-Commerce, Regulatory Compliance

The Canadian Payments Association (the “CPA”) recently issued a four-part article series on the security implications of image-based cheque clearing, in particular relating to duplicate items. Image-based cheque clearing is possible in Canada as a result of the CPA’s Image Rule Project, a four-phase initiative that aimed to provide Canadian financial institutions with the…

SEC Issues Cybersecurity Guidance for Registered Investment Advisers and Registered Funds

Posted in Cybersecurity, Regulatory Compliance

Continuing its emphasis on the importance of cybersecurity, the U.S. Securities and Exchange Commission (SEC) recently recommended measures that registered investment companies (“funds”) and registered investment advisers (“advisers”) may wish to consider when addressing cybersecurity risks, including: periodic assessments of the information collected, technologies used, security controls and processes, and governance structures; development of strategies,…

IIROC’s New Policy Regarding Personal Information in Disciplinary Proceedings Takes Effect on May 1, 2015

Posted in Privacy, Regulatory Compliance

The policy provides guidance relative to the use and disclosure of personal information in proceedings brought pursuant to Rule 20 of the IIROC Dealer Member Rules and Part 10 of the Universal Market Integrity Rules (UMIR). This policy will replace IIROC’s “Policy on Requests for Access to Disciplinary Hearing and Settlement Hearing Records”. New Requirements…