Photo of Katherine Mooney Carroll

Katherine Mooney Carroll’s practice focuses on advising U.S. and international financial institutions on U.S. regulatory matters, including recent reforms pursuant to the Dodd-Frank Act, regulatory aspects of bank M&A, cybersecurity and privacy matters, and compliance with U.S. sanctions and anti-money laundering laws.

In the aftermath of the Facebook-Cambridge Analytica data privacy controversy, Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced a federal data privacy bill on April 10, 2018 titled the Customer Online Notification for Stopping Edge-provider Network Transgressions Act, or the CONSENT Act (the “Act”).  While the Act is unlikely to pass in the near term given the lack of a Republican sponsor, it reflects increasing attention to privacy concerns in the United States, including consideration by both federal and state legislatures of significantly more prescriptive privacy requirements. Continue Reading CONSENT Act: Proposed Legislation a Sign of Potential U.S. Consent to Greater Privacy Protections?

On October 27, 2017, the Hong Kong Securities and Futures Commission (“SFC”) issued Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (the “Guidelines”), a set of baseline cybersecurity requirements that all persons licensed or registered with the SFC and engaged in internet trading will be required to implement. The Hong Kong Monetary Authority (“HKMA”) simultaneously issued a circular to CEOs of Registered Institutions requiring them to apply the Guidelines.

The new guidelines should be viewed as requirements for securities and futures dealers and asset managers registered with the SFC and banks supervised by the HKMA (which include a number of foreign banks that operate branches in Hong Kong). For e-commerce firms and other companies that do business in or have connections to Hong Kong, the new guidelines should additionally be viewed as relevant guidance for best practices in cybersecurity.

Click here, to continue reading.

On October 18, the Consumer Financial Protection Bureau (the “CFPB”) released the Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation (the “Principles”).  The Principles represent a cautious step forward by the CFPB in providing guidance on how institutions holding customer accounts (such as banks) should share information with service providers, including “fintech” companies that obtain customer authorization to access their account information in order to provide services to such customers.  Such data aggregation-based service providers can provide useful products and services to consumers, such as fraud screening, identity verification, personal financial management and bill payment, and promote competition in the financial services market.  With respect to fraud screening and identity verification services in particular, in the aftermath of the recent Equifax breach, the appeal of such services is obvious.  However, with additional sharing of data comes additional risks—the increase in data access points, albeit consumer-authorized, presents new challenges from a cybersecurity and privacy perspective, increasing the possibility of consumers inadvertently losing control of their information. Continue Reading CPFB Releases Consumer Protection Principles for Consumer-Authorized Financial Data Sharing and Aggregation

Last week, the Financial Stability Board (“FSB”) released the results of its stocktake on existing regulations and supervisory practices in G20 jurisdictions with respect to cybersecurity in the financial sector.  The FSB is an international body that coordinates the work of national financial authorities and international standard-setting bodies, and the stocktake — essentially a survey — was requested by the G20 Finance Ministers and Central Bank Governors in March 2017. Continue Reading Financial Stability Board Highlights Multiplicity of Cybersecurity Regulations in the Financial Sector

As the implementation of China’s first comprehensive cybersecurity law (the “CCL”) progresses, concern is mounting in the international business community regarding the law’s expansive scope, prescriptive requirements and lack of clarity on a range of critical issues. Vocalizing such concern, on September 25, 2017, the United States government asked China to halt its implementation of the CCL and highlighted potential issues with the CCL to members of the World Trade Organization. Since the CCL’s passage, several regulations have been released by the principal agency responsible for its implementation that were intended to implement the provisions of the CCL, but in some cases appear to have further expanded its scope while leaving some critical questions unanswered. In the face of such uncertainties, foreign companies operating in China are advised to familiarize themselves with the requirements of the CCL and its implementation rules and adopt measures to enhance their preparedness for the full implementation of the CCL.

Click here, to continue reading.

For additional coverage of topics related to international trade and sanctions, we invite you to subscribe to our International Trade and Sanctions Watch blog, here.

New York’s new cybersecurity regulations (the “Regulations”) become effective on August 28, 2017, marking a significant milestone in what is likely to be a new era in cybersecurity regulation on both a national and international level.

As governments grapple with how best to address cyber threats to their citizens, businesses and national security, there is an increasing focus on the potential use of regulatory requirements to impose minimum cybersecurity standards, particularly in the financial services sector. As more states and nation states adopt cybersecurity requirements, financial institutions are facing increased compliance costs and potentially a diversion of resources away from risk mitigation to compliance with regulatory requirements. As the Regulations come into effect, we briefly take stock of their requirements, their impact on international best practices, and related global developments.

Click here, to continue reading.

On August 1, 2017, the United States Court of Appeals for the D.C. Circuit held that policyholders of the health insurer CareFirst had standing to sue the company after their information was compromised during a cyberattack.

Wading into a vigorously contested area between plaintiffs and companies that have suffered data breaches, the court held that the policyholders’ elevated risk of identity theft and medical fraud was a sufficient injury to bring suit—even without any evidence that plaintiffs had actually suffered such harm. In so holding, the D.C. Circuit came down on one side of a circuit split, which may ultimately need to be resolved by the Supreme Court.

Click here, to continue reading.