Data-Centric Security Strategies and Regulatory Compliance

In the wake of a recent spate of cybersecurity breaches, the practice of data-centric security has received renewed attention from business leaders concerned about the integrity of critical data. As defined by a PKWare white paper, data-centric security focuses on protecting data itself, rather than the systems that contain it.[1] Central to the concept of data-centric security is the notion that the systems established to store and guard data sometimes crumble in the face of cyberattacks.[1] Given that all manner of data storage systems have shown themselves to be vulnerable, it is hard to argue with this foundational principle. Rather than offering prescriptions for the improvement of systems, then, data-centric security places safeguards around the data itself – safeguards which are automatically applied and regularly monitored to ensure data security.[1]

Data-centric security strategies have several key advantages over the “network-centric” models currently employed by many firms.[2] As discussed, data-centric strategies account for the proclivity of security networks to succumb to cyberattacks by securing the data itself. In addition, because security measures are built into data, “security travels with the data while it’s at rest, in use, and in transit,” a characteristic of data-centric strategies that facilitates secure data sharing and allows firms to move data from system to system without having to account for inevitable variations in security infrastructure.[3] Moreover, data-centric security allows for easy access to data (a cornerstone of productivity in any firm) without compromising data security. In fact, Format-Preserving Encryption (FPE) – the specific type of encryption employed by many data-centric strategies[4] – “maintains data usability in its protected form,” striking a balance between security and accessibility.[5] Clearly, data-centric strategies provide stronger, more all-encompassing, and eminently manageable modes of data protection.

But perhaps the most important aspect of data-centric security is its essential role in any security regime compliant with New York State cybersecurity regulations. In fact, as the data security company Vera has noted, “the new rules are focused not just on protecting information systems but on securing, auditing and the disposition of data itself.”[6] New York’s determination to advance data-centric security is evident in certain provisions of the recent cybersecurity regulation, the most important of which mandate that companies “restrict access privileges not only to systems but to the data itself.”[6] Moreover, New York State’s cybersecurity regulations reflect the priorities of data-centric security because they require firms to “implement an audit trail system to reconstruct transactions and log access privileges,” a system which allows the security of individual pieces of data to be monitored automatically.[6] New York regulators have already recognized the benefits of data-centric security strategies. Now, with the assistance of legal experts well-versed in cybersecurity compliance, companies concerned about their data security can too.

____________________________________________________________________________________

  1. https://pkware.cachefly.net/webdocs/pkware_pdfs/us_pdfs/white_papers/WP_Data_Centric_Security_Blueprint.pdf
  2. https://www.symantec.com/blogs/expert-perspectives/data-centric-security-changing-landscape
  3. https://www.comforte.com/fileadmin/Collateral/comforte_FS_tokenization_vs_FPE_WEB.pdf?hsCtaTracking=8a3a11b3-5ba3-4e1a-a41f-78bb92d22458%7C358952c5-4dff-4793-bbeb-8835361c3b14
  4. https://www.1stmarkets.de/en/blog/blog-article-3
  5. https://www.techpowerusa.com/wp-content/uploads/2018/03/MicroFocus.Techpower-Big-Data-eBook-2018-9434.pdf
  6. https://www.vera.com/wp-content/uploads/2018/02/Veras-Guide-to-the-NY-DFS-Regulations.pdf

Cybersecurity Compliance Could Have Saved Capital One Millions

A recent cybersecurity breach involving one of the country’s largest financial services firms illustrates both the necessity of strong cybersecurity regulations and the imperative for credit card holders to jealously safeguard their personal information. In a criminal complaint filed July 29th, 2019 at the U.S. District Court for the Western District of Washington, the federal government alleged that Paige A. Thompson, a computer engineer, had taken advantage of a gap in Capital One’s cloud security to obtain the personal financial records of millions of the company’s customers in the U.S. and abroad.[1] Thompson, who used the online alias “erratic,” allegedly exploited a defect in Capital One’s firewall to access confidential financial information stored on the servers of the Cloud Computing Company, a Capital One service provider.[1] Despite Capital One’s claim that “no credit card account numbers or log-in credentials were compromised and less than one percent of Social Security numbers were compromised,” the episode is a reminder that without robust cybersecurity measures and a broad-based commitment to personal data security, information stored with American financial institutions remains vulnerable to cyberattack.[2] In fact, had Thompson been more careful to remain anonymous,[3] the data breach could well have become catastrophic.

First, the data breach demonstrates the value of robust cybersecurity regulations. For example, if Capital One’s cybersecurity measures had met the stringent standards of the regulations issued by New York State’s Department of Financial Services, which are now being enforced by the state’s new Cybersecurity Division, this problem might have been avoided. The DFS has committed itself to ensuring that “encryption and other robust security control measures” characterize the cybersecurity policies of the state’s financial services firms.[5] Had Capital One encrypted or tokenized[6] all of the data subject to the recent breach, the effects of the cyberattack might have been less widespread. In fact, the criminal complaint against Thompson notes that “although some of the information” targeted by the cyberattack “has been tokenized or encrypted, other information[…]regarding their credit history has not been tokenized,” allowing “tens of millions” of credit card applications to be compromised.[1] Of course, the cybersecurity regulations adopted by New York State are burdensome. But the alternative is even worse – especially considering that Capital One will “incur between $100 million and $150 million in costs related to the hack, including customer notifications, credit monitoring, tech costs and legal support,” a price tag that doubtless outstrips the costs of regulatory compliance.[3]

Pastore & Dailey is a leading firm in the drafting and implementation of procedures necessary to comply with federal and state securities and banking cybersecurity regulations and laws, which in this case could have saved Capital One millions if properly followed.

Second, the cyberattack bears out the importance of diligence in safeguarding financial information. According to Forbes, individuals worried about the security of their financial information can take a host of precautions: “[updating] passwords,” avoiding the use of e-mail accounts to share confidential information, “[establishing] two-factor authentication,” and so on.[7] Cyberattacks like the one that recently struck Capital One have become a fact of life for many Americans who bank online, but they need not be costly. Common-sense precautions and security diligence can go a long way towards ensuring the integrity of your financial records.

Cryptocurrency Tax Consequences

A recent decision by the Internal Revenue Service (IRS) to clamp down on cryptocurrency back taxes has understandably concerned many investors and thrown a host of complicated legal questions into sharp relief. In an effort to collect capital gains taxes on cryptocurrency trades, the IRS recently sent out a series of letters to about 10,000 investors warning them that failure to account for capital gains accrued in cryptocurrency markets could invite an audit or the imposition of even harsher penalties.[1] The IRS has reportedly sent out three types of letters – one gently reminding investors to update their tax returns, another warning about the costs of tax evasion, and a third threatening an audit if a response is not received – “depending on the severity of the [tax] issue.”[1]

The IRS’ legal authority to send such letters and threaten enforcement action is rooted in the designation of cryptocurrencies as taxable property, rather than as currencies. In explaining this classification, the key consideration employed by the agency is that while cryptocurrencies can “be used to pay for goods or services” just like regular currencies, they can also be “held for investment,” a status that makes cryptocurrency subject to capital gains taxes.[2] Cryptocurrency’s status as taxable property has a host of ramifications for tax preparation, the most important of which will be summarized below.

Before any investor can assess their cryptocurrency-related tax liability, they need to tabulate their “taxable events.” Taxable events, according to CryptoTrader.tax, encompass the following: “trading cryptocurrency to fiat currency” or to another form of cryptocurrency, “using cryptocurrency for goods and services,” and “earning cryptocurrency as income.”[3] (Importantly, these provisions apply to cryptocurrency “miners,” the individuals who are paid in cryptocurrency to maintain blockchain networks.)[3] Whenever any of these taxable events occur, cryptocurrency investors need to log the “fair market value” of the cryptocurrency (plus any fees associated with the cryptocurrency purchase, sale, or trade) and determine if they incurred any gains or losses in the transaction.[3] The tax rate on each transaction is determined by the length of time for which the investment was held. That is, cryptocurrencies purchased, held, and sold within a year are subject to the short-term capital gains tax (equivalent to regular income tax rates).[4] Because U.S. tax law seeks to incentivize long-term investing, assets purchased and held for more than a year are subject to the long-term capital gains tax, which is considerably lower than the short-term rate.[4]

Although these rules may seem complex and burdensome, there are many ways to minimize your cryptocurrency tax liability. First and foremost, investors can actually claim deductions on their cryptocurrency losses – just as capital losses are deductible for more conventional assets.[3] Moreover, as Accounting Today notes, investors can avoid capital gains taxes by gifting or donating cryptocurrency.[5] Because the long-term capital gains rate is lower than the short-term rate (as discussed above), investors can lower their tax bill by making long-term investments.[5] Finally, investors can reduce their tax liability by immediately converting cryptocurrency that has appreciated in value into a fiat currency like U.S. dollars, rather than using it to purchase another form of cryptocurrency.[5] This is because the conversion to U.S. dollars and the purchase of another cryptocurrency with capital gains are both taxable events.[5]

Despite the uncertainty and mystique surrounding cryptocurrency, these novel investment opportunities are governed by laws and regulations familiar to any experienced investor. Common sense, sound legal advice, and diligence will prevent your cryptocurrency tax bill from growing exorbitant.


  1. https://www.cnn.com/2019/07/26/tech/irs-cryptocurrency-taxes/index.html
  2. https://www.irs.gov/pub/irs-drop/n-14-21.pdf
  3. https://www.cryptotrader.tax/blog/the-traders-guide-to-cryptocurrency-taxes
  4. https://www.investopedia.com/taxes/capital-gains-tax-101/
  5. https://www.accountingtoday.com/opinion/minimizing-tax-liability-for-crypto-invested-clients

Cryptocurrency in Capital Markets: From ICOs to STOs

In the wake of chronic price volatility and a series of enforcement actions against the chaotic and unregulated market for Initial Coin Offerings (ICOs), alternative financial instruments have recently been developed to help investors share in the precipitous growth of cryptocurrency and blockchain technology. At first, the ICO – an instrument that Investopedia.com defines as “the cryptocurrency space’s rough equivalent to an IPO in the mainstream investment world” – constituted the primary vehicle for investment in cryptocurrency.[1] Under the terms of an average ICO, investors purchase an emergent cryptocurrency either with traditional currency or another, established cryptocurrency in the hopes that the emergent cryptocurrency will enter widespread usage and increase in value.[2]

Despite their seeming promise, many ICOs have faced regulatory headwinds and practical challenges from the start. In fact, several high-profile ICOs have been shut down because their issuers failed to comply with SEC securities regulations. In SEC v. Howey (1946), the Supreme Court set forth a canonical test for classifying financial products as securities, asserting that financial products should be regulated as securities when they constitute an “investment of money” as part of a “common enterprise” which entails “an expectation of profits [generated by a] promoter or third party.”[3] Armed with this binding precedent, the SEC has classified cryptocurrencies as securities and has not shied away from clamping down on unregistered offerings. As recently as June 4th, 2019, the commission filed suit against the instant-messaging service Kik on the grounds that the company had “sold [cryptocurrency] tokens to U.S. investors without registering their offer and sale as required by[…]U.S. securities laws.”[4] At issue in the Kik case was not just the company’s failure to register the offering with the SEC, but also the disconnect between cryptocurrency’s avowed purpose as a mode of exchange and its practical role as a store of value.[5] That is to say, it becomes harder and harder to claim that cryptocurrencies are not securities when investors primarily acquire them in order to capitalize on price fluctuations.

Even though many ICOs have been registered after the fact to comport with securities regulations,[6] they still constitute less than stable investment opportunities. According to a study conducted by Ernst and Young, “a lack of fundamental valuation and the due diligence process by potential investors is leading to extreme volatility of the initial coin offering (ICO) market,” trends which would presumably render them unacceptably risky choices for most investors.[7]

Faced with high levels of risk and the possibility of SEC enforcement, some investors are turning to Security Token Offerings (STOs) in order to acquire securitized cryptocurrency on capital markets. STOs typically offer securitized cryptocurrency “backed by real assets or things that have established value,” a characteristic that tends to immunize them against the price volatility of ICOs.[8] STOs also have several key legal advantages over ICOs. Because the cryptocurrency offered is pegged to an identifiable group of revenue-generating assets, the issuers of the STO do not have to make the facile claim that their financial product is a mode of exchange and not merely a store of value. That is to say, as long as they are registered with the SEC and otherwise comply with securities regulations, STOs can be placed in essentially the same legal category as regular securities,[5] a status which does not exempt them from federal oversight but can clear the way for the buying, selling, and trading of cryptocurrency on the open market. In this sense, STOs constitute safer, far less legally dubious vehicles for investors eager to take advantage of the cryptocurrency boom.

___________________________________________________________________________________

  1. https://www.investopedia.com/terms/i/initial-coin-offering-ico.asp
  2. Ibid.
  3. https://consumer.findlaw.com/securities-law/what-is-the-howey-test.html
  4. https://www.sec.gov/news/press-release/2019-87
  5. https://selfkey.org/stos-vs-icos-a-comprehensive-introduction-for-2018/
  6. https://www.clearyenforcementwatch.com/2019/02/sec-issues-first-ico-enforcement-action-against-a-self-reporting-token-issuer/#_ftn3
  7. https://www.ey.com/en_gl/news/2018/01/big-risks-in-ico-market–flawed-token-valuations–unclear-regulations-heightened-hacker-attention-and-congested-networks
  8. https://gomedici.com/2018-recap-move-over-icos-its-time-for-stos

FLSA: Congressional Intent and Gaming the System

Despite its status as a seemingly antiquated piece of New Deal legislation, the Fair Labor Standards Act (FLSA) has constituted the battleground for a long-running legal conflict over the right of employees to claim overtime. The Supreme Court issued its first major FLSA ruling in A.H. Phillips Inc. v. Walling (1945), a decision which established strict construction of the law’s provisions for exemption (a status that precludes overtime pay) as the legal norm. The case, which involved A.H. Phillips’ decision to deny overtime pay to employees in its warehouse and central office, demonstrated the Court’s determination to vindicate congressional intent. Writing for the majority, Justice Murphy noted that because the act constituted “humanitarian and remedial legislation” and comported with “the announced will of the people,” its provisions for exemption should not be subjected to jurists who might “abuse the interpretative process.”[1] The provisions of the law at issue, the Court held, should be applied only to “those plainly and unmistakably within its terms and spirit,” setting the stage for narrow construction of the FLSA’s rules for overtime exemption and affirming the central purpose of the law: to ensure that workers in low-wage industries receive fair pay for the hours they work.[2]

Ironically, however, there has been a recent rash of otherwise well-off plaintiffs eager to claim non-exemption under the FLSA and obtain additional compensation, a development which surely contradicts the intent of the law’s framers. In fact, as Law360 notes, “almost all of Wall Street’s biggest banks have been hit with lawsuits alleging that they violated the Fair Labor Standards Act by classifying brokers as administrators rather than as sales people,” a classification which would render them exempt from FLSA overtime rules.[3] These claims lack merit – especially in light of guidelines published by the Department of Labor that assert that “[e]mployees in the financial services industry generally meet the duties requirements for the administrative exemption.”[4] Even in light of the obvious weakness of these assertions, the alarming fact that workers in the financial services industry (a field generally known to be lucrative) lodged such claims at all demonstrated that the intent of the law needed to be clarified again by the nation’s highest court.

The Supreme Court did just that in Encino Motorcars v. Navarro (2018), a landmark FLSA case on par with A.H. Phillips. Writing for the majority, Justice Thomas rejected a claim that “service advisors” employed by an auto dealership met the definition of nonexempt workers under the FLSA.[5] Even more importantly, Encino Motorcars signaled the Court’s willingness to apply a broad standard in assessing exemption under the law, rather than a narrow standard that grants exemption only to those employees “plainly and unmistakably within [the FLSA’s] terms and spirit.”[1] Although the Court’s recent decision constitutes a departure from precedent, it both vindicates the intent of the FLSA’s drafters and reaffirms the common-sense understanding that employees should be remunerated only in proportion to their willingness to work hard and accomplish the tasks set before them. In other words, both congressional intent and common sense dictate that financial services employees should be paid a salary reflecting the quality of their work product, not merely the hours they work. They are professionals, after all.

  1. A.H. Phillips v. Walling (1945), Murphy, J. Majority opinion.
  2. Ibid.
  3. https://www.law360.com/articles/34738/investment-banks-take-the-offensive-in-flsa-suits?copied=1, para. 2
  4. https://www.dol.gov/whd/overtime/fs17m_financial.pdf, para. 3
  5. Encino Motorcars v. Navarro (2018), Thomas, J. Majority opinion.

New DFS Cybersecurity Division

Perhaps as a signal of its commitment to fight cybercrime and stringently enforce its cybersecurity regulations, New York State recently established a “cybersecurity division”[1] within the state’s Department of Financial Services (DFS). The creation of the division marks yet another step taken by New York State to guard against the dangers posed by cyberattacks, perhaps motivated by its status as the home of many prominent financial services firms. In addition, the presence of the division strongly suggests that the cybersecurity regulation[2] issued by DFS in Spring 2017 cannot be taken lightly by the state’s largest and most important financial services firms. Aside from the comprehensive nature of the regulation and the sizable power afforded to the new cybersecurity division, the novelty of New York’s recent innovations in cybersecurity regulation suggests their importance and staying power. In fact, as JDSupra notes, the creation of the new division more or less completed a years-long process that has made “New York[…]the only state in the country that has a banking and insurance regulator exclusively designated to protect consumers and companies from the ever-increasing risk of cyber threats.”[1]

Some financial services firms, conscious of their vulnerability to cyberattacks, will doubtless welcome these additional steps. As a report from the Identity Theft Resource Center notes, financial services firms “are reportedly hit by security incidents a staggering 300 times more frequently than businesses in other industries.”[3] Far from being mere annoyances, these cyberattacks are often extremely costly. In fact, according to a study from IBM and the Ponemon Institute, the cost to a financial services firm per record lost in a cyberattack was more than $100 greater than the cost to the average company.[4] Moreover, cyberattacks can also cripple consumer confidence in financial services firms, causing them to lose business and endure even greater costs.[5] In general, then, cyberattacks can damage both a financial services firm’s sensitive records and its public image, making them a grave threat to any such company’s bottom line.

It would be a mistake, however, to think about DFS regulation purely in terms of cost reduction. Regulation also entails costs – not least because DFS’ new cybersecurity division can investigate compliance with the 2017 regulation and punish violations. In fact, these new developments indicate that cybersecurity will not come cheaply, especially because the regulation imposes a bevy of new security requirements on top firms, costing them a not insignificant amount of time and money. From multi-factor authentication to training programs to the appointment of a “Chief Information Security Officer,” the now fully enforceable regulation will force financial services firms to foot the bill for a host of cybersecurity measures.[6]

  1. https://www.jdsupra.com/legalnews/new-york-creates-cybersecurity-division-20881/
  2. https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf
  3. https://www.idtheftcenter.org/wp-content/uploads/2019/02/ITRC_Generali_The-Impact-of-Cybersecurity-Incidents-on-Financial-Institutions-2018.pdf, pg. 3
  4. IBM and the Ponemon Institute, The Cost of a Data Breach (2017), summarized in https://www.idtheftcenter.org/wp-content/uploads/2019/02/ITRC_Generali_The-Impact-of-Cybersecurity-Incidents-on-Financial-Institutions-2018.pdf, pg. 6
  5. https://www.idtheftcenter.org/wp-content/uploads/2019/02/ITRC_Generali_The-Impact-of-Cybersecurity-Incidents-on-Financial-Institutions-2018.pdf, pg. 8
  6. https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf, pg. 5

Cryptocurrency Mining and the Danger of Halving

As cryptocurrencies continue to grow more sophisticated and widespread, the economic possibilities offered by cryptocurrency mining have drawn greater attention from prospective investors. Cryptocurrency mining, which helps to ensure that “transactions for various forms of cryptocurrency are verified and added to the blockchain digital ledger,”[1] is a potentially profitable activity because a small amount of cryptocurrency is awarded to the “miner” able to verify the transaction fastest. On a large scale, cryptocurrency mining could potentially provide a solid revenue stream to a company able to overcome hurdles related to capital and operating costs. In the first place, the capital costs (in terms of computers, software, and other tools) that deter many would-be cryptocurrency miners would not constitute major impediments to any well-funded company intent on entering the field. But operating costs, rather than capital costs, constitute a larger problem for large-scale cryptocurrency mining companies. Because a certain amount of power is consumed whenever cryptocurrency is successfully mined, ensuring that the cost of electricity does not exceed the value of the cryptocurrency awarded is necessary before any such mining can be profitable. The power required to validate one cryptocurrency transaction, while not large on its own, adds up quickly in the context of large-scale mining operations. According to a report compiled by Coinshares, which provides cryptocurrency-related research and investment tools, companies and individuals mining Bitcoin (a popular cryptocurrency) consume roughly 41 terawatts a year in power.[2] And according to that same report, investing in higher-quality equipment will not reduce the power requirement because “only the value of the [cryptocurrency] reward[…]can impact the network’s total electricity draw.”[2] The solution, then, is to locate sources of cheap electricity – a solution which many cryptocurrency mining companies have already hit upon. In fact, the report notes that bitcoin miners tend to cluster in “regions dominated by cheap hydro-power,” especially the Pacific Northwest and Northeast regions of the United States.[3] Although the influx of cryptocurrency mining operations into these areas has produced a measure of political backlash,[4] it is not unreasonable to assume that the economic benefits conferred by such activities will soon outweigh such resistance.

Despite the evident promise of large-scale cryptocurrency mining, some have suggested that the upcoming “halving” of the cryptocurrency awarded for mining Bitcoin might seriously eat into profits and upset the delicate balance of power costs.[5] However, this is not likely to constitute a serious headache for the industry for several reasons. First, as a Forbes article on the “halving” notes, Bitcoin operates according to the basic principles of supply and demand. That is to say, as fewer and fewer Bitcoins are disbursed during the mining process, fewer are available to be traded, causing their price to increase. This would conceivably offset the “halving” somewhat. Moreover, the recent increase in miner fees[6] (fees paid by blockchain users to miners which supplement the cryptocurrency awarded) could also counterbalance the “halving.” All in all, despite the obstacles posed by power costs, capital investment and the gradual reduction of cryptocurrency awarded, large-scale cryptocurrency mining promises both steady revenue and growth potential in the years to come.

  1. https://www.webopedia.com/TERM/C/cryptocurrency-mining.html
  2. https://coinshares.co.uk/assets/resources/Research/bitcoin-mining-network-june-2019-fidelity-foreword.pdf, pg. 6
  3. https://coinshares.co.uk/assets/resources/Research/bitcoin-mining-network-june-2019-fidelity-foreword.pdf, pg. 10
  4. https://www.politico.com/magazine/story/2018/03/09/bitcoin-mining-energy-prices-smalltown-feature-217230
  5. https://www.forbes.com/sites/forbesfinancecouncil/2019/05/10/what-will-the-next-halving-mean-for-the-price-of-bitcoin/#d8a2fc15f340
  6. https://www.coindesk.com/bitcoin-fees-jump-to-nearly-1-year-highs-but-why

Upon Information and Belief Requires More than Information and Belief

Under the Federal Rules of Civil Procedure, a party must allege fraud with particularity. FRCP 9(b). When a party alleges fraud upon information and belief, that is generally insufficient to meet the standard under FRCP 9(b) absent additional allegations that demonstrate the origin of the information and belief. This is a nuanced difference from the particularity requirement for claims that are not alleged upon information and belief. This subtle difference is discussed in Exergen Corp. v. Wal-Mart Stores, Inc., 575 F.3d 1312 (Fed. Cir. 2009) and Munro v. Lucy Activewear, Inc., 899 F.3d 585 (8th Cir. 2018).

In Exergen, the Court found that where deceptive intent was pleaded on information and belief and the Plaintiff pleaded neither the information on which it relied nor any plausible reasons for its belief, the pleading was insufficient. The Court further stated that the circumstances the Plaintiff did allege did not plausibly lay out the elements required for a claim of deceptive intent. Similarly, in Munro, where the Plaintiff’s allegations were based on information and belief and the Plaintiff’s complaint did not set forth any supporting facts showing that the Defendant intended to defraud him, the Court found that the Plaintiff had not adequately alleged fraud under Minnesota law.

This rule is applied in multiple jurisdictions and is one to consider carefully when pleading allegations on “information and belief.” (Mikityanskiy v. Podee, Inc., 2011 U.S. Dist. LEXIS 55746 (S.D.N.Y. 2011) (a complaint made up entirely of allegations on “information and belief” was not sufficient, especially when some of the allegations concerned readily available facts); Easton Tech. Prods. v. FeraDyne Outdoors, LLC, 2019 U.S. Dist. LEXIS 60313 (D. Del. 2019) (pleading was not sufficient under the Rule 9(b) standard because there were no allegations of underlying facts to support the allegations made on “information and belief”); Gamevice, Inc. v. Nintendo Co., Ltd., 2018 U.S. Dist. LEXIS 221777 (N.D. Cal. 2018) (allegation of prosecution laches was insufficient when the complaint did not plead the specifics of which of the five patents at issue unreasonably delayed prosecution).)

SEC Final Rules Regarding Conduct of Broker-Dealers and Investment Advisors

On June 5, 2019, the Securities and Exchange Commission (“SEC”) approved new rules and interpretations regarding the standards of conduct of broker-dealers (“BD”) and investment advisers (“IA”). The rules and interpretations were adopted pursuant to a grant of rulemaking authority in Section 913(f) of the Dodd-Frank Act and reflect a heightened standard for quality and transparency, enhancing investors’ relationships with BDs and IAs.

The rules and interpretations are:

  1. Regulation Best Interest: The Broker-Dealer Standard of Conduct (“Reg BI”).
  2. Form CRS Relationship Summary; Amendments to Form ADV (“Form CRS”).
  3. Commission Interpretation Regarding Standard of Conduct for Investment Advisers (“IA Conduct Interpretation”).
  4. Commission Interpretation Regarding the Solely Incidental Prong of the Broker-Dealer Exclusion from the Definition of Investment Adviser (“BD Exclusion Interpretation”).

Regulation Best Interest

    Reg BI provides a new standard of conduct for BDs when making recommendations of securities transactions or providing investment strategy involving securities to a retail customer. The rule requires BDs to act in the “best interest” of their customers and place the interests of their customers ahead of their own or other interests. Broker-dealers must comply with four obligations when making recommendations to satisfy Reg BI. These four obligations are: (1) a disclosure obligation; (2) a care obligation; (3) a conflict of interest obligation; and (4) a compliance obligation.

    The disclosure obligation requires the BD to provide in writing full and fair disclosure of (1) all material facts relating to the scope and terms of the relationship as well as (2) all material facts relating to conflicts of interest associated with the recommendation.

    The care obligation requires BDs to exercise reasonable diligence, care, and skill to (1) understand the risks, rewards, and costs associated with the recommendation and have a reasonable basis to believe that the recommendation could be in the best interest of at least some retail customers; (2) have a reasonable basis to believe that the recommendation is in the best interest of the particular retail customer based on that customer’s investment profile; and (3) have a reasonable basis to believe that a series of recommended transactions, taken together, is not excessive and is in the best interest of the retail customer.

    The conflict of interest obligation requires the BD to (1) identify and, at a minimum, disclose or eliminate all conflicts of interest associated with such recommendations; (2) identify and mitigate any conflicts of interest that create an incentive for associated persons (“APs”) to place the interests of the BD or the AP ahead of the interests of the customer; (3)(i) identify and disclose any material limitations on the securities or investment strategies that may be recommended, and (ii) prevent such limitations and their associated conflicts from causing the BD or AP to put its own interests ahead of the interests of the customer; and (4) identify and eliminate any sales contests, sales quotas, bonuses, and non-cash compensation that are based on the sale of specific securities or specific types of securities within a limited period of time.

    Finally, the compliance obligation requires the BD to establish, maintain, and enforce policies and procedures reasonably designed to achieve compliance with Reg BI.

    Form CRS

    Form CRS requires both BDs and IAs to provide retail investors with a short relationship summary that sets out certain information about the firm and the brokerage and/or investment advisory services it offers, including fees and costs, conflicts of interest, and whether the firm or its financial professionals have a disciplinary history. Form CRS also includes specific instructions as to content, formatting, and length.

    IA Conduct Interpretation

    The IA Conduct Interpretation was issued to reaffirm and clarify the SEC’s views on the fiduciary duties that investment advisers owe to their clients, namely the duty of care and the duty of loyalty. The interpretation applies to all investment advisers, whether or not they are registered with the SEC and whether or not they have retail clients.

    The duty of care encompasses further duties, including the duty to provide advice that is in the best interest of the client, the duty to seek best execution, and the duty to provide advice and monitoring over the course of the relationship. Each of these three duties places an emphasis on the IA putting the interests of its clients before its own or other interests.

    BD Exclusion Interpretation

    The BD Exclusion Interpretation clarifies the scope of the broker-dealer exclusion from the definition of “investment adviser” in the Investment Advisers Act of 1940. The SEC recognized that the exclusion had permitted BDs to provide substantial amounts of investment advice, and it therefore set out definitive limits on the exclusion’s scope.

    These limits address when a BD may exercise investment discretion or provide investment advice without registering as an investment adviser: only when the advice is provided in connection with, and reasonably related to, the BD’s primary business of buying and selling securities. The investment advice cannot be the primary purpose of the relationship.

    The SEC also clarified that a BD may voluntarily, and without any agreement with the customer, review the holdings in a customer’s account for the purpose of deciding whether to make an investment recommendation.