Showing posts with label DATA BREACHES. Show all posts

Saturday, March 7, 2015

THREE CHARGED FOR ROLES IN HACKING EMAIL SERVICE PROVIDERS IN U.S.

FROM:  U.S. JUSTICE DEPARTMENT
Friday, March 6, 2015
Three Defendants Charged with One of the Largest Reported Data Breaches in U.S. History
One Of The Defendants Has Already Pleaded Guilty

An indictment was unsealed yesterday against two Vietnamese citizens who resided in the Netherlands, for their roles in hacking email service providers throughout the United States.  The guilty plea of one of the defendants was also unsealed at the same time.  In addition, a federal grand jury returned an indictment this week against a Canadian citizen for conspiring to launder the proceeds obtained as a result of the massive data breach.

Assistant Attorney General Leslie R. Caldwell of the Criminal Division, Acting U.S. Attorney John A. Horn of the Northern District of Georgia, Special Agent in Charge J. Britt Johnson of the FBI’s Atlanta Field Office, Special Agent in Charge Reginald Moore of the United States Secret Service’s (USSS) Atlanta Field Office and Special Agent in Charge Veronica F. Hyman-Pillot with Internal Revenue Service-Criminal Investigation (IRS-CI) made the announcement.

“These men — operating from Vietnam, the Netherlands, and Canada — are accused of carrying out the largest data breach of names and email addresses in the history of the Internet,” said Assistant Attorney General Caldwell.   “The defendants allegedly made millions of dollars by stealing over a billion email addresses from email service providers.  This case again demonstrates the resolve of the Department of Justice to bring accused cyber hackers from overseas to face justice in the United States.”

“This case reflects the cutting-edge problems posed by today’s cybercrime cases, where the hackers didn’t target just a single company; they infiltrated most of the country’s email distribution firms,” said Acting U.S. Attorney Horn.  “And the scope of the intrusion is unnerving, in that the hackers didn’t stop after stealing the companies’ proprietary data—they then hijacked the companies’ own distribution platforms to send out bulk emails and reaped the profits from email traffic directed to specific websites.”

“Large-scale and sophisticated international cyber hacking rings are becoming more problematic for both the law enforcement community that is faced with the challenges of identifying them and laying hands on them, but also the Fortune 500 companies that are so often their targets,” said Special Agent in Charge Johnson.  “The federal indictments, apprehensions and extraditions in this case represent several years of hard work as the FBI and its cadre of cyber-trained agents and technical experts acted quickly to stop the ongoing damage to the numerous victim companies as a result of these individuals’ hacking activities.  In August 2012, the FBI, with the assistance of its legal attachés stationed abroad and in conjunction with Dutch law enforcement officials, executed a search warrant in the Netherlands that disrupted continued compromises of those companies while allowing U.S. authorities to advance their investigation.  That investigation targeted not only the hackers but the businesses that helped monetize the data that was stolen from those victim companies.  This case further reflects the productive partnership of the FBI and the U.S. Secret Service in aggressively addressing this 21st century crime problem.”

“Our success in this case and other similar investigations is a result of our close work with our law enforcement partners,” said Special Agent in Charge Moore.  “The Secret Service worked closely with the Department of Justice and the FBI to share information and resources that ultimately brought these cyber criminals to justice.  This case demonstrates there is no such thing as anonymity for those engaging in data theft and fraudulent schemes.”

“Those individuals who line their pockets with money gained through deceiving others should know they will not go undetected and will be held accountable,” said Special Agent in Charge Hyman-Pillot.  “IRS Criminal Investigation is committed to unraveling financial transactions to ensure that those who engage in these illegal activities are vigorously investigated and brought to justice.”

According to allegations in the indictments, between February 2009 and June 2012, Viet Quoc Nguyen, 28, a citizen of Vietnam, allegedly hacked into at least eight email service providers (ESPs) throughout the United States and stole confidential information, including proprietary marketing data containing over one billion email addresses.  Nguyen, along with Giang Hoang Vu, 25, also a citizen of Vietnam, then allegedly used the data to send “spam” to tens of millions of email recipients.  The data breach was the largest in U.S. history and was the subject of a Congressional inquiry in June 2011.

David-Manuel Santos Da Silva, 33, of Montreal, Canada, was also indicted by a federal grand jury on March 4, 2015, for conspiracy to commit money laundering for helping Nguyen and Vu to generate revenue from the “spam” and launder the proceeds.

According to allegations in the indictments, Da Silva, the co-owner, president and a director of 21 Celsius Inc., a Canadian corporation that ran Marketbay.com, entered into an affiliate marketing arrangement with Nguyen that allowed the defendants to generate revenue from the computer intrusions and data thefts.

As an affiliate marketer, Nguyen allegedly received a commission on sales generated from Internet traffic that he directed to websites promoting specific products.  Nguyen allegedly used the information stolen from the ESPs to send “spam” emails to tens of millions of customers and provided hyperlinks to allow the purchase of the products.  These products were marketed by Da Silva’s Marketbay.com.

Between approximately May 2009 and October 2011, Nguyen and Da Silva received approximately $2 million for the sale of products derived from Nguyen’s affiliate marketing activities.

Vu was arrested by Dutch law enforcement in Deventer, Netherlands, in 2012 and extradited to the United States in March 2014.  On Feb. 5, 2015, Vu pleaded guilty to conspiracy to commit computer fraud.  He is scheduled to be sentenced on April 21, 2015, before U.S. District Judge Timothy C. Batten Sr. of the Northern District of Georgia.  Nguyen is a fugitive.

Da Silva was arrested based upon charges set forth in a criminal complaint at Ft. Lauderdale International Airport on Feb. 12, 2015, and is scheduled to be arraigned today in Atlanta before Magistrate Judge E. Clayton Scofield III.

The charges contained in an indictment are merely accusations, and defendants are presumed innocent unless and until proven guilty.

This case is being investigated by the FBI with the assistance of the USSS and IRS-CI.  Law enforcement in the Netherlands and the Criminal Division’s Office of International Affairs also provided valuable assistance.  This case is being prosecuted by Trial Attorney Peter Roman of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorney Steven D. Grimberg of the Northern District of Georgia.

Friday, February 7, 2014

CFTC CHAIRMAN WETJEN'S TESTIMONY BEFORE SENATE COMMITTEE

FROM:  COMMODITY FUTURES TRADING COMMISSION  

Testimony of Acting Chairman Mark P. Wetjen Before the U.S. Senate Committee on Banking, Housing & Urban Affairs, Washington, DC

February 6, 2014

Good morning Chairman Johnson, Ranking Member Crapo and members of the Committee. Thank you for inviting me to today’s hearing on the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) and customer information security. I am honored to testify as Acting Chairman of the Commodity Futures Trading Commission (“CFTC”). I also am pleased to join my fellow regulators in testifying today.

Now is a good time for not only this Committee, but all stakeholders in the CFTC to reflect on the agency’s progress in implementing financial reform and what the future might bring for this agency and the markets it oversees.

Due to Dodd-Frank and the efforts of my colleagues and staff at the CFTC, today there is both pre-trade and post-trade transparency in the swaps market that did not exist before. The public now can see the price and volume of swap transactions in real-time, and the CFTC’s Weekly Swaps Report provides a snapshot of the swaps market each week. The most liquid swaps are being traded on regulated platforms and exchanges, with a panoply of protections for those depending on the markets, and regulators themselves have a new window into the marketplace through swap data repositories (“SDRs”).

Transparency, of course, is helpful only if the information provided to the public and regulators can be usefully employed. Therefore, the CFTC also is taking steps to protect the integrity of that data and ensure that it continues to be reliable and useful for surveillance, systemic risk monitoring, and the enforcement of important financial reforms.

These transparency rules complement a number of equally important financial reforms. For example, the counterparty credit risks in the swaps market have been reduced as a large segment of the swaps market is now being cleared – as of last month, about 70 percent of new, arm’s-length swaps transactions were being cleared. Additionally, nearly 100 swap dealers and major swap participants (“MSPs”) have registered with the CFTC, bringing their swaps activity and internal risk-management programs under the CFTC’s oversight for the first time. We also have strengthened a range of futures and swaps customer protections.

As it has put these reforms in place, the CFTC has consistently worked to protect liquidity in the markets and ensure that end-users can continue using them to hedge risk as Congress directed.

The CFTC, in short, has completed most of its initial mandate under Dodd-Frank and has successfully ushered in improvements to the over-the-counter derivatives market structure for swaps, while balancing countervailing objectives.

Volcker Rule

In recent weeks, the Commission finalized the Volcker Rule, which was one of our last major rules under Dodd-Frank. The Volcker Rule was exceptional on account of the unprecedented coordination among the five financial regulators.

Congress required the banking regulators to adopt a joint Volcker Rule, but it also provided that the market regulators – the Securities and Exchange Commission (“SEC”) and the CFTC – need only coordinate with the prudential banking regulators in their rulemaking efforts. One of the hallmarks of the final rule is that the market regulators went beyond the congressional requirement to simply coordinate. In fact, the CFTC’s final rule includes the same rule text as that adopted by the other agencies. Building a consensus among five different government agencies was no easy task, and the level of coordination by the financial regulators on this complicated rulemaking was exceptional.

This coordination was thanks in no small part to leadership at the Department of the Treasury. Secretary Lew, Acting Deputy Secretary Miller, and others were instrumental in keeping the agencies on task and seeing this rulemaking over the finish line. Along with the other agencies, the CFTC received more than 18,000 comments addressing numerous aspects of the proposal. CFTC staff hosted a public roundtable on the proposed rule and met with a number of commenters. Through weekly inter-agency staff meetings, along with more informal discussions, the CFTC staff and the other agencies carefully considered the comments in formulating the final rule.

Differences with Proposal

The agencies were responsive to the comments when appropriate, which led to several changes from the proposed Volcker Rule I would like to highlight.

The final Volcker Rule included some alterations to certain parts of the hedging-exemption requirements found in the proposal. For instance, the final rule requires banking entities to have controls in place through their compliance programs to demonstrate that hedges would likely be correlated with an underlying position. The final rule also requires ongoing recalibration of hedging positions in order for the entities to remain in compliance.

Additionally, the final rule provides that hedging related to a trading desk’s market-making activities is part of the trading desk’s financial exposure, which can be managed separately from the risk-mitigating hedging exemption.

Another modification to the proposal was to include under “covered funds” only those commodity pools that resemble, in terms of type of offering and investor base, a typical hedge fund.

CFTC Volcker Rule Implementation and Enforcement

The CFTC estimates that, under its Volcker regulations, it has authority over more than 100 registered swap dealers and futures commission merchants (“FCMs”) that meet the definition of “banking entity.” In addition, under Section 619, some of these banking entities may be subject to oversight by other regulators. For example, a joint FCM/broker-dealer would be subject to both CFTC and SEC jurisdiction and in such circumstances, the CFTC will monitor the activities of the entity directly and also coordinate closely with the other functional regulator(s).

In this regard, Section 619 of the Dodd-Frank Act amended the Bank Holding Company Act to direct the CFTC itself to write rules implementing Volcker Rule requirements for banking entities “for which the CFTC is the primary financial regulatory agency” as that term was defined by Congress in Dodd-Frank. Accordingly, as Congress directed, the CFTC’s final rule applies to entities that are subject to CFTC registration and that are banking entities, under the Volcker provisions of the statute.

To ensure consistent, efficient implementation of the Volcker Rule, and to address, among other things, the jurisdiction issues I just mentioned, the agencies have established a Volcker Rule implementation task force. That task force also will be the proper vehicle to examine the means for coordinated enforcement of the rule. Although compliance requirements under the Volcker Rule do not take effect until July 2015, the CFTC is exploring now whether to take additional steps, including whether to adopt formal procedures for enforcement of the rule. As part of this process, I have directed CFTC staff to consider whether the agency should adopt such procedures and to make recommendations in the near future.

Volcker Rule: Lowering Risk in Banking Entities

The final Volcker Rule closely follows the mandates of Section 619 and strikes an appropriate balance in prohibiting banking entities from engaging in the types of proprietary trading activities that Congress contemplated when considering Section 619 and in protecting liquidity and risk management through legitimate market making and hedging activities. In adopting the final rule, the CFTC and other regulators were mindful that exceptions to the prohibitions or restrictions in the statute, if not carefully defined, could conceivably swallow the rule.

Banking entities are permitted to continue market making—an important activity for providing liquidity to financial markets—but the agencies reasonably confined the meaning of the term “market making” to the extent necessary to maintain a market-making inventory to meet near-term client, customer or counterparty demands.

Likewise, the final rule permits hedging that reduces specific risks from individual or aggregated positions of the banking entity.

The final Volcker Rule also prohibits banking entities from engaging in activities that result in conflicts of interest with clients, customers or counterparties, or that pose threats to the safety and soundness of these entities, and potentially therefore to the U.S. financial system.

The final Volcker rule also limits banking entities from sponsoring or owning “covered funds,” which include hedge funds, private equity funds or certain types of commodity pools, other than under certain limited circumstances. The final rule focuses the prohibition on certain types of pooled investment vehicles that trade or invest in securities or derivatives.

Finally, and importantly, the final Volcker Rule requires banking entities to put in place a compliance program, with special attention to the firm’s compliance with the rule’s restrictions on market making, underwriting and hedging. It also requires the larger banking entities to report key metrics to regulators each month. This new transparency, once phased-in, will buttress the CFTC’s oversight of swap dealers and FCMs by providing it additional information regarding the risk levels at these registrants.

TruPS Interim Final Rule

Even with resource constraints, the CFTC has been responsive to public input and willing to explore course corrections, when appropriate. With respect to the Volcker Rule, the CFTC, along with the other agencies, last month unanimously finalized an interim final rule to allow banks to retain collateralized debt obligations backed primarily by trust-preferred securities (TruPS) issued by community banks. The agencies acted quickly to address concerns about restrictions in the final rule, demonstrating again the commitment of the agencies at this table to ongoing coordination. In doing so, the CFTC and the other agencies protected important markets for community banks, as Congress directed.

Implementation Stage of Dodd-Frank

Looking ahead through the lens of what already has been done, it is clear that the Commission and all stakeholders will need to closely monitor and, if appropriate, address the inevitable challenges that will come with implementing the new regulatory framework under Dodd-Frank.

For the CFTC, only a few rulemakings remain to be re-proposed or finalized in order to complete the implementation of Dodd-Frank. Indeed, in just a matter of days, the compliance date for perhaps the last remaining, major hallmark of the reform effort will arrive: the effective date of the swap-trading mandate.

Rules the Commission is working to address in the coming months include capital and margin requirements for un-cleared swaps, rulemakings intended to harmonize global regulations for clearinghouses and trading venues, and finalizing position limits.

There are other important matters in the months ahead as well.

Allow me to mention some of these matters before the Commission as we move forward with Dodd-Frank implementation.

Made Available to Trade Determinations

As a result of the trade execution mandate, many swaps will, for the first time, trade on regulated platforms and benefit from market-wide, pre-trade transparency. These platforms are designed to improve pricing for the buy-side, commercial end-users, and other participants that use these markets to manage risk. Additionally, SEFs, as registered entities, are required to establish and enforce comprehensive compliance and surveillance programs.

The Commission’s trade execution rules complement our other efforts to streamline participation in the markets by doing away with the need to negotiate bilateral credit arrangements and removing impediments to accessing liquidity. This not only benefits the end-users that the markets are intended to serve, but also new entrants seeking to compete for liquidity who now are able to access the markets on impartial terms. In essence, the Commission’s implementation of the trade execution mandate supports a transparent, risk-reducing swap-market structure under CFTC oversight.

In recent weeks, the “Made Available to Trade Determinations” filed by four swap execution facilities (“SEFs”) have been deemed certified, making mandatory the trading of a number of interest rate and credit default swaps on regulated platforms.

There have been some questions in this context about the trading of so-called “package transactions,” which often include a combination of financial instruments and at least one swap that is subject to the trade execution requirement. I have directed Division of Market Oversight (“DMO”) staff to hold an open-to-the-public roundtable, which will take place February 12, and to further examine these issues so that the CFTC can further consider the appropriate regulatory treatment of basis trades falling within the meaning of a “package transaction.”

Data

In order for the Commission to enforce the significant Dodd-Frank reforms, the agency must have accurate data and a clear picture of activity in the marketplace.

Last month, with the support of my fellow commissioners, I directed an interdivisional staff working group to review certain swap transaction data, recordkeeping and reporting provisions under Dodd-Frank. The working group, led by the director of DMO, will formulate and recommend questions for public comment regarding compliance with Part 45 reporting rules and related provisions, as well as consistency in regulatory reporting among market participants.

We have seen an incredible shift to a transparent, regulated swaps marketplace, and this is an appropriate review to ensure the data we are receiving is of the best possible quality so the Commission can effectively oversee the marketplace. I have asked the working group to review the incoming public comments and make recommendations to the Commission in June.

Concept Release on Risk Controls and System Safeguards for Automated Trading Environments

The CFTC’s Concept Release on Risk Controls and System Safeguards for Automated Trading Environments provides an overview of the automated trading environment, including its principal actors, potential risks, and responsive measures taken to date by the Commission or industry participants. It also discusses pre-trade risk controls; post-trade reports; system safeguards related to the design, testing and supervision of automated trading systems; and additional protections designed to promote safe and orderly markets. Within the release, the Commission asks 124 questions and is seeking extensive public input.

To give the public more time to provide comments, the CFTC extended the comment period, which continues through February 14.

Position Limits

The futures markets have a long history of embracing speculative position limits as a tool to reduce unwarranted price fluctuations and minimize the risk of manipulation, particularly in the spot month, such as corners and squeezes. Our proposed position limits rule builds on that history, increases transparency, and lessens the likelihood that a trader will accumulate excessively large speculative positions.

The Commission’s proposed rule respects congressional intent and addresses a district court decision related to the Commission’s new position-limits authority under Dodd-Frank.

The comment period on the re-proposed rule closes February 10, and I look forward to reviewing the public input.

International Coordination

Given that the U.S. has nearly delivered on its G20 commitments to derivatives reform, and the European Union is close behind, financial regulators recently have focused more time on the developing global market structure for swaps.

The G20 commitments were a reaction to a global financial crisis. Although the causes of that crisis are not as clear as some suggest, few would disagree that liquidity constraints at certain firms were at least exacerbated by exposures to derivatives.

The plain truth is that risk associated with derivatives is mobile and can migrate rapidly across borders in modern financial markets. An equally plain truth is that any efforts to monitor and manage global systemic risk therefore must be global in nature.

Risk mobility means that regulators in the U.S. and abroad do not have the luxury of limiting their oversight to financial activities occurring solely within their borders. Financial activities abroad may be confined to local markets in some cases, but the financial crisis, and more recent events, make clear that the rights and responsibilities that flow from these activities often are not.

Perhaps as important, Congress reacted to the financial crisis by authorizing the CFTC to oversee activities conducted beyond its borders in appropriate cases. It could have limited the CFTC’s oversight to only those entities and activities located or occurring within our shores, but it did not. In fact, Congress recognized in Dodd-Frank that even when activities do not obviously implicate U.S. interests, they can still create less obvious but legally binding obligations that are significant and directly relevant to the health of a U.S. firm; and which in the aggregate could have a material impact on the U.S. financial system as a whole.

So it is clear to me that the CFTC took the correct approach in adopting cross-border policies that account for the varied ways that risk can be imported into the U.S. At the same time, the CFTC’s policies tried to respect the limits of U.S. law and the resource constraints of U.S. and global regulators. That is in part why, last December, the CFTC approved a series of determinations allowing non-U.S. swap dealers and MSPs to comply with Dodd-Frank by relying on comparable and comprehensive home country regulations, otherwise known as “substituted compliance.”

Those approvals by the CFTC reflect a collaborative effort with authorities and market participants from each of the six jurisdictions with registered swap dealers. Working closely with authorities in Australia, Canada, the EU, Hong Kong, Japan, and Switzerland, the CFTC issued comparability determinations for a broad range of entity-level requirements. And in two jurisdictions, the EU and Japan, the CFTC also issued comparability determinations for a number of key transaction-level requirements.

It appears at this time that the substituted compliance approach has been successful in supporting financial reform efforts around the globe and a race-to-the-top in global derivatives regulation. Last month, for example, the European Union (“EU”) agreed on updated rules for markets in financial derivatives, or the Markets in Financial Instruments Directive II (“MiFID II”), reflecting great progress on derivatives reform in the EU. Other jurisdictions that host a substantial market for swap activity are still working on their reforms, and certainly will be informed by the EU’s work and the CFTC’s ongoing coordination with foreign regulators.

As jurisdictions outside the U.S. continue to strengthen their regulatory regimes and meet their G20 commitments, the CFTC may determine that additional foreign regulatory requirements are comparable to and as comprehensive as certain requirements under Dodd-Frank.

The CFTC also has made great progress with the European Commission since both regulators issued the Path Forward statement last summer, and we are actively working with the Europeans to ensure that harmonized regulations on the two continents promote liquidity formation and sound risk management. Fragmented liquidity, and the regulatory and financial arbitrage that both drives and follows it, can lead to increased operational costs and risks as entities structure around the rules in primary swap markets.

Harmonizing regulations governing clearinghouses and trading venues, in particular, is critical to sound and efficient market structure. Even if firms are able to navigate the conflicts and complexities of differing regulatory regimes, regulators here and abroad must do what they can to avoid incentivizing corporate structures and inter-affiliate relationships that will only make global financial firms more difficult to understand, manage, and unwind during a period of market distress.

Conversely, this translates to open, competitive derivatives markets. It means efficient and liquid markets. A global regime is the best means to avoid balkanization of risk and risk management that may expose the U.S. financial system over time to risks that are unnecessary, needlessly complex, and difficult to predict and contain.

In light of the CFTC’s swaps authority, and the complexities of implementing a global regulatory regime, the Commission is working with numerous foreign authorities to negotiate and sign supervisory arrangements that address regulator-to-regulator cooperation and information sharing in a supervisory context. We currently are negotiating such arrangements with respect to swap dealers and MSPs, SDRs, SEFs, and derivatives clearing organizations.

As a final note on cross-border issues, on February 12 the Global Markets Advisory Committee (“GMAC”), which I sponsor, will meet to discuss the November 14, 2013, CFTC staff advisory on applicability of transaction-level requirements in certain cross-border situations.

The CFTC and Customer Information Security

The CFTC takes our responsibility to protect against the loss or theft of customer information seriously. However, the CFTC’s funding challenges, and thus our limited examinations staff, have an impact on the agency’s ability to examine and enforce critical rules that protect customer privacy and ensure firms have robust information security and other risk management policies in place.

The Gramm-Leach-Bliley Act was enacted in 1999 to ensure that financial institutions respect the privacy of their customers. Part 160 of the CFTC’s regulations was adopted pursuant to the Gramm-Leach-Bliley Act and addresses privacy and security safeguards for customer information. Under the law, swap dealers, FCMs and other CFTC registrants must have “policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.” These policies and procedures are designed to protect against unauthorized access to customer records or information.

The CFTC is working to strengthen our registrants’ compliance with the law. The agency is poised to release a staff advisory to market participants outlining best practices for compliance. The advisory recommends, among other best practices, that registrants should assess existing privacy and security risks; design and implement a system of procedures and controls to minimize such risks; regularly test privacy and security controls, including periodic testing by an independent party; annually report to the board on these issues; and implement an incident response program that includes notifying the Commission and individuals whose information was or may be misused. In addition, the CFTC has recently issued new customer protection regulations that include, among other regulations, new requirements for risk management by firms. Security safeguards are an element of risk management that needs to be addressed by this new regulation.

Last year, the CFTC also issued interpretive guidance, mirroring that of other financial agencies, clarifying that reporting of suspected financial abuse of older Americans to appropriate law enforcement agencies does not violate the privacy provisions within Part 160 of the Commission’s rules.

Though enforcement of CFTC Part 160 rules is a challenge given our limited resources, we have enforced them in the past. In one instance, the CFTC settled a case with an FCM when an employee of that FCM placed files containing sensitive personally identifiable information on a public website, and the FCM did not have effective procedures in place to safeguard customer information.

In addition to Part 160, the CFTC’s Dodd-Frank rules for DCMs, SEFs and SDRs require these entities to notify the CFTC of all cybersecurity incidents that could potentially or actually jeopardize the security of information.

Last spring, the CFTC and SEC adopted final “red flags” rules under the Dodd-Frank Act requiring CFTC and SEC registrants to adopt programs to identify and address the risk of identity theft. As the law required, our rules establish special requirements for credit and debit card issuers to assess the validity of change of address, but currently, the CFTC entities that must follow these identity theft rules do not issue credit or debit cards. A number of firms, however, do accept credit and debit cards for payment, which presents a different type of risk.

The CFTC also has adopted a rule regarding the proper disposal of consumer information requiring reasonable measures, such as shredding, to protect against unauthorized access.

Retail Payment Systems

The Commission’s new customer protection rules on risk management require FCMs to develop risk management policies that address risks related to retail payment systems, such as anti-money laundering, identity theft, unauthorized access, and cybersecurity.

The CFTC currently does not have the resources to conduct any direct examinations of retail payment systems. The CFTC does indirectly look at the risks of retail payment systems through designated self-regulatory organizations (DSRO). The DSRO covers the operational aspects of the money movement through their risk-based programs. Additionally, DSROs perform a review of anti-money laundering at FCMs looking at a number of aspects of a retail payment system – source of funds, cash transactions, customer identity, money laundering and staff training.

For the vast majority of our registrants, the retail payment system is through normal banking channels, such as wire transfers. Only a few of our registrants accept credit or debit cards, and none currently accept virtual currency payment systems. Virtual currency, however, does present new risk, as a firm would be interacting outside of bank payment channels, increasing the risk of hacking or fraud, among other cybersecurity issues. The CFTC is working with registrants that are seeking to accept virtual currencies to educate them about best practices.

Data Breach Response

The CFTC’s response to a data breach incident would include immediately assessing the situation with the registrant to understand the magnitude of the breach and its implications on customers and the marketplace. We would coordinate with other regulators and law enforcement and together determine the appropriate course of action. Our response would include an analysis of the data compromised, immediate notification to affected customers (unless law enforcement prohibits that notification), supporting customers by having the firm provide free credit monitoring services, ensuring customers know how to change user IDs and passwords, and having the firm closely monitor customer activity to look for signs of identity theft.

Looking ahead, the Commission is considering implementing rules under Gramm-Leach-Bliley to expand upon our current customer protection regulations with more specificity regarding the security of customer information.

Resources

To be effective, the CFTC’s oversight of these registrants requires technological tools and staff with expertise to analyze complex financial information. On that note, I am pleased that the House and Senate have agreed to an appropriations bill that includes a modest budgetary increase to $215 million for the CFTC, lifting the agency’s appropriations above the sequestration level that has been challenging for planning and orderly operation of the agency. The new funding level is a step in the right direction. We will continue working with Congress to secure resources that match the agency’s critical responsibilities in protecting the safety and integrity of the financial markets under its jurisdiction. We need additional staff for surveillance, examinations, and enforcement, as well as investments in technology, to give the public confidence in our ability to oversee the vast derivatives markets.

Conclusion

For the CFTC, the Volcker Rule was one of the last remaining rulemakings required by Dodd-Frank. Only a few rulemakings remain to be re-proposed or finalized in order to complete the implementation of the legislation. Indeed, in just a matter of days, the compliance date for perhaps the last remaining major hallmark of the reform effort will arrive: the effective date of the swap-trading mandate. Looking forward, the agency will continue working to ensure an orderly transition to, and adoption of, the new market structure for swaps, and adjusting as necessary.

Thank you again for inviting me today. I would be happy to answer any questions from the Committee.

Last Updated: February 6, 2014
