SEC commissioner Luis Aguilar strongly urged his colleagues at a cybersecurity conference last month to push Reg SCI up on their priority lists, particularly in terms of widening the regulation’s coverage. Also in the news: The PCI Council updates its peer-to-peer encryption standard; the SEC proposes a rule that will enable companies to take back executive bonuses; and more.
SEC commissioner calls for Reg SCI expansion
The U.S. Securities and Exchange Commission commissioner is calling for the regulator to broaden the scope of Regulation Systems Compliance and Integrity (Regulation SCI), a rule that was passed last November to extend the SEC’s oversight to include the automated information systems of certain regulated entities, namely stock exchanges, plan processors, specific clearing agencies and alternative trading systems.
In a speech at the SINET Innovation Summit last month, Commissioner Luis Aguilar gave a sweeping overview of the challenges of tackling cybercrime. He described the SEC’s “multifaceted” approach to meeting these challenges, including inspecting regulated entities and implementing new rules such as Reg SCI.
Aguilar praised several aspects of the rule: its risk-based approach, its emphasis on helping entities develop procedures based on their unique risks, and its mandates that require senior management and the board to be actively involved in cybersecurity. However, Aguilar also urged the SEC to expand the rule’s scope, because at the moment it doesn’t cover many market participants, including over-the-counter market makers, stockbrokers and transfer agents. He added that this should be the SEC’s “top priority.”
In addition to improvements to Reg SCI, Aguilar entreated fellow commissioners to update the SEC’s guidelines so that public companies can better respond to cybersecurity incidents and provide “better and more timely information” on the specific risks and cyberattacks they face.
PCI Council updates P2P encryption standard
Last month, the Payment Card Industry Security Standards Council (PCI SSC) updated one of its eight security standards in response to feedback from early adopters in the market. The standard addresses point-to-point encryption (P2PE) tools, which encrypt account data in transit between the point of sale (POS) and the secure decryption environment.
According to PCI SSC, the update, which is laid out in the document PCI Point-to-Point Encryption Solution Requirements and Testing Procedures Version 2.0, provides more flexibility to P2PE solution providers, as well as to merchants that use P2PE. Specifically, the PCI SSC’s listings of validated P2PE solutions and applications will now include P2PE components, or services that fulfill particular P2PE requirements, to make it easier for these providers to develop PCI-compliant P2PE products for merchant customers. Additionally, P2PE v2 gives merchants more options for implementing and managing P2PE technology: They can either manage P2PE tools for their POS locations themselves, which includes enacting the standard’s requirements for separating the POS environment from the decryption environment, or they can work with a P2PE solution provider to manage a PCI-compliant P2PE product based on their business needs.
New SEC rule to let companies “claw back” executive bonuses
A rule proposed by the SEC will enable companies that issue faulty financial statements to “claw back” their senior executives’ bonuses once those statements have been restated. The regulation will apply to companies listed on U.S. stock exchanges.
The proposed rule, required by the Dodd-Frank Act of 2010, targets executive bonuses (aka “incentive-based compensation”), the size and payment of which depend on whether a corporation meets or surpasses particular financial metrics. Currently, executives are allowed to keep their bonuses despite their companies correcting artificially inflated financial statements.
While current rules do allow companies to claw back compensation of CEOs or CFOs, the new rule will have a broader scope, including “any other person who performs policy-making functions for the company” in addition to senior officers, said the SEC. It will also apply to pay earned over the course of three years, versus one year under existing regulations.
Wells Fargo, Raymond James and LPL will pay $30M to overcharged clients
Wells Fargo & Co., Raymond James Financial Inc. and LPL Financial Holdings Inc., three of the largest brokerages in the U.S., will have to pay more than $30 million to clients they overcharged on mutual-fund sales, the Financial Industry Regulatory Authority (FINRA) announced Monday.
The wealth-management units of the three firms applied mutual-fund sales charges to the accounts of certain retirement-plan customers and charitable organizations, which should have been waived according to the Employee Income Security Act.
The three companies will not have to pay a fine, because they discovered the inappropriate charges themselves and reported the problems to FINRA. According to one regulator, the firms failed to adequately oversee the financial advisors selling the mutual funds because they didn’t provide them with “critical information and training.”