Data privacy and security
7. Are there any data privacy and/or data security laws that would apply?

Yes, US federal law imposes privacy obligations on financial institutions, including foreign financial institutions with offices in the US, as outlined below.

Financial services firms must be aware of additional state requirements prior to conducting business out of a particular jurisdiction.

The Gramm-Leach-Bliley Act restricts financial institutions from disclosing to nonaffiliated third parties certain "nonpublic personal information" ("NPPI") collected from or about individual "consumers" in connection with the provision of financial products and services. NPPI includes information that a consumer or customer puts on an application; information about the individual from another source, such as a credit bureau; or information about transactions between the individual and the financial institution, such as an account balance. Indeed, even the fact that an individual is a consumer or customer of a particular financial institution is NPPI. A "consumer" is an individual who obtains or has obtained a financial product or service from a financial institution for personal, family or household reasons. Certain exceptions apply, including when the disclosure is made:

  • With the customer's or consumer's consent
  • To process the customer's transactions
  • To maintain the customer account(s)
  • To comply with civil, criminal or regulatory investigations, or subpoenas or summons by federal, state or local authorities
  • To respond to judicial processes or government regulatory authorities with jurisdiction over the financial institution for examination, compliance or other purposes as authorized by law
  • For required institutional risk controls or for resolving disputes or inquiries
  • In connection with a proposed or actual sale, merger, transfer or exchange of all or a portion of a business or operating unit if the disclosure of NPPI concerns solely consumers of such business or unit
  • For specified other disclosures that a financial institution normally makes, such as to protect against or prevent actual or potential fraud; to the financial institution's attorneys, accountants and auditors; or to comply with applicable legal requirements, such as know-your-customer requirements and the disclosure of information to regulators

The Office of the Comptroller of the Currency ("OCC") has adopted the Interagency Guidelines Establishing Information Security Standards at 12 C.F.R., Part 30, Appendix B. The Interagency Security Standards require a bank using a cloud service provider to address service provider information security before signing a contract, as part of the terms of the contract, and on an ongoing basis after establishing a service provider relationship.

The Federal Financial Institutions Examination Council ("FFIEC") has published a guidance booklet on outsourcing practices, and it states that financial institutions may outsource many areas of operations, including all or part of any service, process or system operation. However, the use of a subcontractor or, in this case, a cloud service provider does not diminish the responsibility of the financial institution's senior management to ensure that the subcontractor's activity is conducted in a safe manner and in compliance with applicable laws and regulations.

That same FFIEC guidance warns, however, that financial institutions must not share US regulatory examination reports or information contained therein with either foreign regulators or foreign-based service providers without the express written approval of the appropriate US regulatory authority. The FFIEC recently issued the "Security in a Cloud Computing Environment" bulletin, which addresses key risks in cloud computing. Although this bulletin does not contain new regulatory expectations, it highlights examples of risk management practices related to the safe use of cloud computing services, and directs financial institutions to also review the FFIEC's IT Handbook and other documents providing general information on best industry practices.

Regarding broker-dealers ("BDs") and investment advisers ("IAs"), Securities and Exchange Commission ("SEC") Regulation SP and Regulation S-ID apply to both BDs and IAs. However, Regulation SP and Regulation S-ID are not the sole privacy and data security requirements that BDs and IAs must comply with, as there are additional requirements beyond the scope of the securities laws (generally state law requirements). With regard to information security, cybersecurity and data privacy, BDs are subject to a wide-ranging regulatory framework, which includes SEC rules, Financial Industry Regulatory Authority guidance, and federal and state law requirements. IAs are subject to SEC rules, as well as federal and state law requirements.

Commodity Futures Trading Commission entities (other than swap dealers) are subject to similar consumer data privacy rules under the commission's Rule 160.1-3.