Financial Services and Cybersecurity: The Federal Role (CRS Report for Congress)

Length 32 pages
Release Date March 23, 2016
Report Number R44429
Report Type Report
Authors N. Eric Weiss, Specialist in Financial Economics
Source Agency Congressional Research Service
Summary:

Multiple federal and state regulators oversee companies in the financial services industry. Regulatory authority is often directed at particular functions or financial services activities rather than at particular entities or companies. It is, therefore, likely that a financial services company with multiple product lines—deposits, securities, insurance—will find that it must answer to different regulators with respect to particular aspects of its operations. Five federal agencies oversee depository institutions, two regulate securities, several agencies have discrete authority over various segments of the financial sector, and several self-regulatory organizations monitor entities in the securities business.

Federal banking regulators (the Office of the Comptroller of the Currency, the Federal Reserve, and the Federal Deposit Insurance Corporation) are required to promulgate safety and soundness standards for all federally insured depository institutions to protect the stability of the nation’s banking system. Some of these standards pertain to cybersecurity issues, including information security, data breaches, and destruction or theft of business records.

The federal securities regulators (the Securities and Exchange Commission and the Commodity Futures Trading Commission) have asserted authority over various aspects of cybersecurity in securities markets and those who trade in them. This includes requiring publicly traded financial and nonfinancial corporations to file annual and quarterly reports that provide investors with material information, a category which could include information about cybersecurity risks or breaches.

In addition, overseeing the securities industry are certain self-regulatory organizations—private organizations empowered by law or regulation to create and enforce industry rules, including those covering cybersecurity. These include the Financial Industry Regulatory Authority, which protects investors and oversees stock exchanges and those who trade on them. The National Futures Association has a similar role for U.S. futures exchanges and in the retail foreign exchange market.

The Consumer Financial Protection Bureau issues and enforces federal consumer financial protection regulations, and it has certain consumer financial protection supervisory authority over depositories and consumer finance companies not otherwise federally regulated. The Federal Trade Commission has asserted authority over certain consumer finance operations of nonfinancial companies such as retailers and hotels.

The basic authority that the federal regulators use to establish cybersecurity standards emanates from the organic legislation that established them and delineated the scope of their authority and functions. In addition, certain other laws such as the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, the Gramm-Leach-Bliley Act of 1999, and the Sarbanes-Oxley Act of 2002 include provisions affecting cybersecurity of financial services. Moreover, two executive orders address the critical role of financial services in the national economy. Complementing the laws and regulations, the regulators issue guidance under a variety of names, such as policy statements, supervision and regulatory letters, financial institution letters, bulletins, and other forms of communications.

Not all regulation (or cybersecurity regulation) is done at the federal level. State governments charter and regulate state banks and all insurance companies. State securities regulators oversee securities sold within their state, and many states have laws requiring consumer notification of financial data breaches. In addition, New York State has taken advantage of the fact that the nation’s financial center, Wall Street, is located in the state to be very active in certain aspects of cybersecurity regulation.

This report focuses on federal laws, regulations, and executive orders.