survey of over 1,200 of the top mobile apps in 19 countries by the Global
Privacy Enforcement Network ("GPEN") has found that 85% of the apps reviewed
were non-compliant, failing to provide even the most basic privacy information
In addition, 43% failed in their obligation
to tailor privacy notices to smaller screens and almost 30% unlawfully requested
excessive personal data from users.
Concerns for users are compounded given the
lightning speed at which new apps are hitting the market.Last year, for example, in excess of 1
million apps were reported to be available via Apple's iOS App Store.
developers care about these findings?
In short, yes, especially given that the UK
privacy regulator, the Information Commissioner's Office ("ICO"), has recently
conducted research that demonstrates that around half of app users have decided
against downloading an app due to privacy concerns at some point in time.
Risk for developers does not stop there
As has been well reported elsewhere, privacy
regulators in Europe now have the power to fine developers "on the spot" who
breach relevant laws.For example, in
the UK, the ICO has the power to issue fines up to £500K (approximately US$800K).
Some regulators, including the ICO, have further
announced that "mobile" has now been moved to the top of the enforcement
agenda.In other words, the regulators
do have a stick and they appear willing to use it.
When brand damage associated with any
enforcement action (such actions are published) and potential civil action is
thrown into the mix, this could well compound problems, or even sound the death
knell, for any developer who chooses to ignore privacy compliance.
app developer - what should I do?
The ICO has published
guidance for app developers to help them understand their legal obligations
when collecting personal data and to ensure users' privacy.By adhering to this guidance, developers will
be much less likely to fall foul of EU/UK privacy laws and find themselves on
the end of an enforcement action.
The guidance covers key issues such as how to
communicate privacy related information to users, how to obtain meaningful
consent from users (all in the context of a small screen), as well as how
developers should keep information within an app secure.
Top tips for privacy compliance during app
development include: (i) using "in-time" notifications when more intrusive data
is being collected, e.g., GPS location data; (ii) using links to separate
size of screens involved); and (iii) avoiding being legalistic in language used
in privacy notices.
This app sweep by GPEN is one of the latest
initiatives which suggests regulators are taking compliance issues in this area
much more seriously and that a greater use of enforcement action is on the
horizon.The time is ripe, therefore, for
developers to audit their data collection and data use activities and to review
the policies they have in place to assess their exposure to regulatory
enforcement.Transparency and clarity
are key.Adhering to such principles should
not only help keep the regulators at bay, but also have a significant effect on
a developer's bottom line.
isn't often that a supplier "fires" its customer, but it's not unknown. I have
worked with two clients recently whose suppliers have given notice of
termination without cause.
can you avoid or, if it does happen, manage through a supplier-initiated
the best position from a customer's perspective is not to give your supplier a
contractual right to terminate, except if there is an uncured material breach.
However, in many negotiations in which I have been involved over recent years,
suppliers are demanding a right to terminate for convenience, or a right to
give notice of non-renewal at the end of an initial term, or a subsequent
renewal term (which pretty much amounts to a termination for convenience).
are any number of reasons why a supplier may require a termination right. It
might be a new area of business, and they may not be able to project the
business case for supporting the business beyond a limited period. It may be a
line of business that is already costly to maintain, and they don't want to be
locked into a business that may become unprofitable. They may already have a
number of "troubled" client contracts, and be seeking an exit right for all new
contracts in order to avoid being locked into a bad deal.
you are forced to give your supplier a right to terminate for convenience (or
reject a renewal), then it's important to consider what you will need to do in
that circumstance. How long would it take you to move the services to an
alternative provider, or to ramp up the necessary resources to bring it
in-house? What information, software, tools, equipment and assistance will you
need from the supplier in order to make a successful transition?
companies are nimble at executing the sourcing process - that is, identifying
potential vendors, seeking proposals, selecting the appropriate supplier and
negotiating the terms of a new agreement with them. Even under the best circumstances,
the cycle can take many months to complete. Adding in the contingencies of
other business demands, availability of resources, and the availability and
willingness of suppliers to devote substantial time to the process, you could
be looking at a year or more to be in a position to transition from an existing
supplier to a replacement. If you planned and initiated the termination, you
would probably start working towards that well in advance, with consideration
of other projects that are being implemented within the company, seasonal peaks
and troughs and other business demands. In contrast, the notice of termination
from a supplier may come without warning, and will not necessarily be able to
be managed to accommodate your business cycles.
best protection you can have in a termination by the supplier is a long lead
time. It's not unreasonable to ask that the supplier provide a year's (or even
more) prior written notice. That will give you a reasonable amount of time to
work through the sourcing process to find and contract with a replacement
supplier, or to ramp up the resources and expertise to bring the services back
should also ensure that your contract contains detailed disengagement
provisions that specify the supplier's obligation to provide you with data,
cooperate with you and a replacement provider, and implement a well-planned and
well-executed transition. The contract should also be very clear about your
rights to resources on termination. Are you entitled to software (and, if so,
to source code), transfer of hardware, assignment of third party subcontracts,
including leases and licenses, and can you (or your new supplier) hire key
supplier employee that will ease the transition?
solid contract should deal with all of these issues regardless of who initiates
the termination, but may be more significant when termination is forced on you
by the supplier.
measures of supplier performance in the form of service levels are critical in
any outsourcing relationship.However,
they provide an incomplete picture of how well the supplier is performing and meeting
the client's business and IT objectives.A common complaint is that the service levels are green each month, but the
client is dissatisfied with the supplier's performance - typically due to the
supplier failing in areas that are difficult to measure quantitatively.
fill this gap, we recommend to our clients that a quarterly "key stakeholder
satisfaction survey" be included in the outsourcing contract as a service level.This service level is a subjective
determination by the client of its level of satisfaction with the supplier's
performance.A meaningful service level
credit applies if the supplier fails to achieve an acceptable rating.
how it works.A small group of key client
stakeholders - typically senior representatives within IT and the business who
are impacted by the outsourcing - meet on a quarterly basis to review and rate
the supplier's performance during the previous quarter.Together, they complete a "survey" that evaluates
the supplier in key areas, such as account management, operational management,
financial management, knowledge management, business enablement and innovation,
value of services and overall customer experience.The completed survey will include specific
comments, observations, concerns and recommendations for improvement, together
with the key stakeholders' overall rating of the supplier for the quarter.The results of the survey are then shared
with the supplier's account management team and discussed as part of a
quarterly performance review meeting.
overall rating is on a scale of 1 - 5 based on the key stakeholders' collective
determination of how well the supplier is meeting expectations and perceived to
be adding value and contributing to client success.A service level credit may be assessed if the
supplier is failing to meet expectations on a consistent basis.The amount of the credit is scaled based on
the degree to which the supplier is failing to do so. Like other service levels, credits are
typically based on a percentage of the supplier's fees for the measurement
might be expected, many suppliers initially resist a credit-bearing subjective
measure of their performance.However, our
experience has been that most suppliers will ultimately accept this service
level.A key element in gaining supplier
acceptance of this service level is allaying fears that the client will use
this service level as simply a means to trim some money off the supplier's
charges each quarter.This often comes
through a realization that the client needs to provide honest appraisals of the
supplier's performance in order for this service level to be an effective tool for
the client to drive improved performance and that performance improvements are
far more valuable to the client's business than the amount of any financial
credit the client could collect under this service level.
has shown us that a key stakeholder satisfaction service level is a powerful
tool for clients to focus the supplier's attention on the areas that matter
most to the client and fill the gaps in what can be captured through traditional
"objective" service level measures.As a
result, we think this SLA should be on every client's "top 10" list of most
important outsourcing provisions and is well worth the time and effort spent on
negotiations with suppliers to make it part of the contract.
the Financial Conduct Authority (FCA
- the financial regulatory body in the United Kingdom) issued a paper titled "Considerations for firms thinking of using
third-party technology (off-the-shelf) banking solutions" (the Considerations).The Considerations contain about five pages
of checklist "Areas of interest" and related notes, which are stated to be
things a firm subject to regulation by the FCA should consider when procuring 'off
the shelf' technology solutions.
When do the Considerations apply? We view
the application of the Considerations as two-fold.First, they supplement the existing
IT-related banking regulations. Second, they are intended to apply to
procurements where firms might not ordinarily consider applying FCA-originating
Supplementing existing regulation
The preamble to the Considerations says that they are separate to, and do not
replace, the existing IT-related matters that are assessed by regulators.This means they do not replace existing
Threshold Conditions and the requirements set out in Systems and Controls
(SYSC) 8 of the FCA Handbook (the Handbook)
- these are the general outsourcing requirements, and have been in place since
existing rules, as their name suggests, focus on "controls".When firms outsource critical or important
operational functions - defined as those that would materially impair a firm's
ability to comply with regulatory obligations - they remain fully responsible
for all those obligations. The Handbook requires compliance in a number of
related areas such as reporting, audit and co-operation with the regulator, all
of which must be documented as part of the outsourcing agreement.
summary, the existing rules provide a good compliance framework of general
outsourcing evaluation: have you evaluated the vendor? Can you incentivise /
penalise the vendor? Can you get out of the arrangement? etc.
Considerations also concern themselves with issues of general application,
there is an overlap with the existing rules. For example, Areas of Interest such as
"Oversight of service provider" and "Due diligence" are to a large degree,
covered by the requirements of specific controls within the SYSC 8.1
Considerations take a very different approach to the existing regulations is in
their technology and sourcing specificity.Areas of Interest such as "Multi-tenancy", "Service levels", "User
Administration" and others clearly demonstrate a much greater focus on issues specific
to IT procurement.The Considerations
are a "ground up" set of notes relating to issues that would need to be
considered by a firm's subject matter experts, rather than a more generic set
of oversight controls.
Application to different types of
firms have applied the existing IT-related banking regulation to the
procurement of large-scale, "bespoke" services such as IT infrastructure and
hosting services.Buying these services
has usually involved contracting on the basis of the purchasing firm's terms
and conditions, and with significant involvement of the various "buying"
functions e.g. IT, procurement, commercial, legal, and regulatory.
existing rules may not have been considered as applying to off-the-shelf
products, as many banking products, or many of the "as a service" type third
party solutions that were not part of the IT landscape in 2007.
are intended to specifically catch and address these types of procurements; areas
of interest include "Data Segregation", "Multi-tenancy", "Track record" and
"Scalability".These are topics specific
to the procurement of off-the-shelf products, often remotely hosted, and
sometimes provided by new entrants to the market or relatively small providers
rather than the IT megaliths.
context, it is no surprise that the Considerations refer to "application[s] for
undertaking a new regulated business activity".The Considerations are talking to the procurement by banks (including
many of the newer financial providers, known as 'challenger banks') of core banking
platforms (such as Oracle Flexcube or Temenos T24) or narrower and more
specialised products such as platforms that support OTC trade reconciliations
or other multi-party trading platforms.
of procurements may well have been subject to the existing regulations, but
many times the regulations weren't considered material or relevant, and many
organisations did not think too deeply about the application of regulation to
these products.Unlike outsourcing
agreements, contracts for off the shelf IT products are often concluded on the
vendor's paper, and the "as a service" restrictions (imposing a more
restrictive business and delivery model) have acted as a blocker to negotiating
some of the fundamental areas that the Considerations now require a focus on.
Summary Firms need
to approach their procurement processes for off-the-shelf platforms with a view
to ensuring checks against the "Areas of interest" in the Considerations.Applying the Considerations requires activity
by most of the functions of a firm involved in purchasing and implementing such
platforms, including IT, procurement, legal and others.Additionally, the Considerations should also
be thought of in the context of "traditional" material outsourcings in addition
to the existing rules and guidance.
of this blog first appeared in Banking Technology on 8th September
It seems intuitive that, by and large, employees prefer to use their own mobile devices, carrying only a single device for personal and work purposes, and having choice over the device to be used (please don't take away my iPhone). There has also been a hypothesis that there could be cost savings for companies that allow employees to BYOD because of the ability to defer the cost of the devices and service to the employee.
This is not to say that companies should abandon BYOD or that there is no business case for BYOD. However, the business case analysis now needs to take into account a different, hard cost in balancing the soft benefits of BYOD, which may be harder to quantify.
The UK financial services regulator, the Financial Conduct Authority (FCA), has launched a guidance consultation in order to clarify and confirm its approach to the supervision of financial promotions in social media, including the use of character-limited forms (Examples of character-limited formats are Twitter (which limits tweets to 120 characters) and Vine (which limits videos to six-second loops).
The FCA has identified an increase in the use of character-limited social media (and social media generally) and warned of confusion among firms over the inclusion of regulatory information such as risk warnings (in compliance with the financial promotion rules) when communicating through social sites such as Twitter, Pinterest and Vine. And, as the FCA makes clear, every communication (e.g. each tweet, Facebook page or insertion) must be considered individually and comply with the relevant rules.
The requirement for financial products to be fair and not misleading means consumers should have an appreciation of the relevant risks (through risk warnings) as well as the benefits of a particular product.The FCA's recommendations include not promoting more complex financial products through social media channels, and using embedded infographics to include relevant information. The FCA also confirms that use of the hashtag #ad is an acceptable way of complying with the rule that financial promotions for investment products are identifiable as such.
The FCA does not wish to block social media use but requires firms to adhere to existing guidelines. According to Clive Adamson, FCA director of supervision, the "FCA sees positive benefits from using social media but there has to be an element of compliance" and "financial promotions, whether on social media or traditional media, should be fair, clear and not misleading."
The FCA's consultation, which will close on 6 November this year, seeks feedback from firms on its proposed guidance. Feedback may be sent by email, or by post to Richard Lawes, Financial Promotions Team, The Financial Conduct Authority, 25 The North Colonnade, London E14 5HS.The FCA is also planning to commission research to better understand how consumers receive, use, and contextualise financial promotions via social media communications.
The FCA is not new to social media by any means.It published an update on financial promotions using new media in June 2010; it has deployed teams to monitor and engage with Twitter users; and it uses Salesforce.com's Radian6 application to mine data on social media platforms and to spot general trends.
Some of parts of the proposed guidance are also be relevant to broadcast and print media.
In May earlier this year, the European
Union's top court held in favor of an individual who requested that Google
remove the search results associated with his name.In this particular case, a Spanish citizen
requested that Google Spain remove an auction notice of his repossessed home
from its search results, as the proceedings had been resolved for a number of
years. The court held that individuals have the right to require search engines
to remove personal information about them if the information is "inaccurate,
inadequate, irrelevant or excessive." This precedent established the "right
to be forgotten," which gives Europeans the right to require search engines
to remove information about them from search results for their own names.The ruling has not been met with universal
applause, and in fact a U.K. House of Lords subcommittee recently
declared the right to be forgotten misguided in principle and unworkable in
must dedicate personnel to receiving and responding to requests.Given that the standard for removal is
subjective (is the information inaccurate, inadequate, irrelevant or excessive?),
Google itself has to be the arbiter of the requests.
has to maintain and bear of the cost of tools needed to track the information
and remove it from its search results.
This is not just an issue for companies
located in Europe.The
EU Court said that "even if the physical server of a company processing
data is located outside of Europe, EU rules apply to search engine operators if
they have a branch or a subsidiary in a Member State which promotes the selling
of advertising space offered by the search engine."
Meanwhile, in the White House special report
on Big Data issued in May earlier this year, the report recommended that
"[t]he United States should lead international conversations on big data that
reaffirms the Administration's commitment to interoperable global privacy
frame-works."How will the right to
be forgotten factor into establishing a global privacy framework? Neither
Congress nor the U.S. courts have shown much of an appetite for adopting a
stance similar to the European court, so there is little chance that the right
to be forgotten will be established in the United States. The fact that the EU
has adopted the right to be forgotten while the United States appears unwilling
to walk down the same path serves to highlight some of the difficulties that we
face in establishing a global privacy framework.
Ofcom has published a
call for input, entitled "Promoting
investment and innovation in the Internet of Things", regarding issues
that might affect the development of the emerging Internet of Things (IoT) sector in the United Kingdom.
Ofcom is the UK's independent regulator and competition authority for the UK
communications industry. It regulates the TV and radio sectors, fixed line
telecoms, mobile devices, postal services, plus the airwaves over which
wireless devices operate. It operates under a number of Acts of Parliament, in
particular the Communications Act 2003.
IoT (which is also
referred to as Cloud of Things or CoT) describes the interconnection of
multiple machine to machine (M2M) applications and covers a variety of protocols,
domains and applications (see J. Höller, V. Tsiatsis, C. Mulligan, S.
Kamouskos, S. Avesand, D. Boyle: From Machine-to-Machine to the Internet of
Things: Introduction to a New Age of Intelligence. Elsevier, 2014). These technologies and methodologies underpin smart
applications and embedded devices that enable the exchange of data across
multiple industry sectors, such as heart monitoring implants, factory
automation sensors, industrial roboticsapplications,
automotive sensors and biochip transponders. A 2013 report by Gartner suggested
that by 2020 there will be nearly 26 billion connected IoT devices.
Ofcom sees potential
benefits across a range of sectors including healthcare, transport and energy,
and wants to gain a better understanding of the role that it should play to
ensure that the UK takes a leading role in the emergence of IoT. Given that the
availability of radio spectrum will be an important issue in the development of
IoT, Ofcom looks certain to have a key part to play. Ofcom's view is that, generally
speaking, "industry is best placed to drive the development, standardisation
and commercialisation of new technology" but, given the significant commercial
benefits expected to flow from development of IoT, Ofcom is interested to
learn whether it "should be more proactive; for example, in identifying and
making available key frequency bands, or in helping to drive technical
Input is invited by 1
October 2014. Ofcom expects to develop a
view on next steps during the last quarter of 2014. Apart from helping to
define Ofcom's role, Ofcom also seeks specific inputs on:
spectrum requirements, such as the scale and nature of demand, suitable
frequency bands and the suitability of a licensed or licensed exempt approach;
issues, such as network resilience and security, data privacy and the
protection of commercially sensitive data; and
Øthe need for address
types, such as Internet Protocol (IP) addresses, to identify connected devices.
The General Affairs Council, on 23 July 2013, adopted a regulation of the
European Parliament and of the Council on electronic identification and trust
services for electronic transactions in the Internal Market. Until the new regulation, the E-Signatures Directive
(1999/93/EC) provided the only EU rules relating to e-signatures and said
nothing about trust services.The E-Signatures
Directive is to be repealed with effect from July 2016 when, with some
exceptions, the new regulation will start to apply.
The new regulation sets out rules for cross-border electronic
trust services (electronic identification schemes)within the EU (the new rules will only cover
cross-border aspects of electronic identification; issuing means of electronic
identification remains a national prerogative. The general position at English
law remains unchanged - sophisticated electronic signatures are not necessary
for the formation of a binding contract) and creates
a legal framework for:
registered delivery services, and
services for website authentication.
The regulation is broader than just
e-commerce.According to the
Council's press release, the new regulation
will provide "a common foundation for
secure electronic interaction between businesses, citizens and public
authorities.It seeks to increase the
effectiveness of public and private online services, electronic business and
electronic commerce in the EU and to enhance trust in electronic transactions
in the internal market. Mutual recognition of electronic identification and
authentication is vital, for instance in making cross-border healthcare for
European citizens a reality."
The rules provide a system for mutual
recognition of electronic identification.As the press release states, "member
states are required to recognise, under certain conditions,means of electronic identification of
natural and legal persons falling under another member state's electronic
identification scheme which has been notified to the Commission. It is up to
the member states to choose whether they want to notify all, some or none of
the electronic identification schemes used at national level to access at least
public online services or specific services."
Member states may decide
to join the scheme for recognising each other's notified e-identification means
as soon as the necessary implementing acts are in place, which is expected to
take place in the second half of 2015. Mandatory mutual recognition is expected
to start in the second half of 2018.
The Council expects the new rules to give
rise to opportunities for private suppliers of electronic identities.An EU trust mark will be created to identify
trust services which meet certain strict requirements.
The report is the
output of the OECD's peer review process which is designed to facilitate
effective implementation of the OECD Principles and to assist market
participants, regulators and policy makers.The process covers the corporate governance framework and practices relating
to corporate risk management of the 26 jurisdictions that participate in the
OECD Corporate Governance Committee. Its
findings are based on general survey responses from participating jurisdictions
as well as an in-depth review of corporate risk management practices in Norway,
Singapore and Switzerland.
The report, which
analysed both private sector and state-owned enterprises, found that "while risk-taking is a fundamental driving
force in business and entrepreneurship, the cost of risk management failures is
still often underestimated, both externally and internally, including the cost
in terms of management time needed to rectify the situation."Risk governance standards tend to be very
high-level.This limits their practical usefulness,
says the OECD, as they should be more operational.And in the nonfinancial sectors, risk
management is less prevalent. "Outsourcing- and supplier-related risks
...deserve attention in both the financial and the nonfinancial sector."
The effectiveness of
an enterprise's risk management culture can be critical to an organisation's
success (or failure).The OECD lists accounting frauds (Olympus,
Enron, WorldCom, Satyam, Parmalat), foreign bribery cases (Siemens) and
environmental catastrophes (Deep Water Horizon, Fukushima) to demonstrate that
the headlines are not restricted to the financial sector; cases where wrong-doing
was compounded by corporate governance failure and deficient risk management
systems, with company boards which failed to fully appreciate the risks that
the companies were taking (if they were not engaging in reckless risk-taking
The typical modern
enterprise has a complex supply chain with a multitude of third party and
outsourced relationships.In the
absence of an adequate risk management and assurance framework, says the OECD, reliance
on these outsourced and third party relationships can quickly contaminate the
organisation, especially if "only lip
service only is paid to important parts of the company's value chain that are
outsourced".A risk management
framework should address all dependence on key suppliers or joint venture
partners, with particular sensitivity to suppliers or other third parties
located in countries that may follow different standards from the home country.Companies with diverse, global supply chains
should operationalise strategies to cope with the risks which result from a
lack of control over their suppliers and contractors spread out across various parts
of the world.
Given high profile
supplier failures such as Satyam Computer Services (subsequently rescued by Mahindra
Group although not before several significant customers including Merrill Lynch
(now a part of Bank of America) and State Farm Insurance terminated their
contracts with Satyam), as well as headline hitting events such as factory
fires and a building collapse in Bangladesh, companies should ensure that third
party supplier risk management is given adequate resource and attention,
including examining available insurance and other mitigation strategies such as
dual sourcing, supplier assessments, contract compliance reviews, exit
strategies and stress testing contractual remedies, where these have been
negotiated, such as step-in rights and exit plans.
head of the UK's Financial Conduct Authority, Chief Executive Martin Wheatley,
used a speech at Bloomberg, London given on 3 June 2014 to promote the FCA's
Project Innovate (the drafted text of Martin Wheatley's speech can be read at http://www.fca.org.uk/news/making-innovation-work).The FCA is the regulatory body that,
following reforms introduced by the Financial Services Act 2012, succeeded the
Financial Services Authority. It has supervisory powers over the conduct of
over 50,000 financial services firms in the UK, and authority to regulate the
prudential standards of those firms not covered by the Prudential Regulation
Authority. The PRA regulates deposit takers, insurers and significant
Innovate is intended to allow financial services firms to develop innovative
products for consumers.This has been
generally well received, with Wheatley describing Innovate as "an agreement to
grant waivers to products that do not necessarily follow FCA guidance to the
letter" where firms can show better outcomes for consumers.Part of the driving force behind Innovate,
which will resonate with business leaders across the UK, is to prevent good
products from drowning in the "overwhelming red tape that is inevitable as
we introduce more regulation, not just at UK but at a European level."
the need for regulators to keep pace with new technologies, rather than - as
present - running to catch up, and a desire for a regulatory environment that
supports innovation rather than acting as an entry barrier, Wheatley singled
out mobile banking, online investment and money transfer as priority areas, and
the emergence of London-based innovative companies such as WorldRemit,
Monitise, TransferWise and Nutmeg. Wheatley went on to cite digitalisation, big
data analytics, venture capital, virtual currencies, crowd funding and
peer-to-peer as important, transformational areas.
firms and start-ups can, in particular, be expected to benefit from the
Innovate approach which will encourage collaboration with the FCA in order to
develop new technologies that are compliant from day one, with a regulatory
environment that, instead of acting as a "drag anchor" supports innovation and
encourages the "brightest and most innovative companies to enter the sector".
Whether this marks a shift in the FCA's approach to digital currencies, such as
bitcoin, remains to be seen, with the regulator so far having kept a wide
probably too early to call a trend (more evolution than revolution) but this
initiative shows promising signs, with Wheatley recognising, and taking steps
to bolster, London's leading position in the European market in financial
technology (Wheatley cites growth of global investment in financial technology
having tripled over the 5 years to 2013 up to $2.9bn, with UK and Ireland the
fastest growing incubators, developing at an annual rate of 74% since 2008,
compared with 23% in Silicon Valley).A
single paper and a wider FCA consultation on potential handbook changes are due
later this year.In the meantime, the
FCA has started to engage with business including a number of start-ups and
organisations such as Tech City and Level 39. It has "opened a hub"
in its policy team to pull together expertise and provide support to advise
firms developing new models or products on compliance and how to navigate the
regulatory system, and by "looking for areas where the system itself needs
to adapt to new technology or broader change - rather than the other way
round". Wheatley also foreshadowed that a single paper combining all of
these initiatives, and wider FCA consultation on potential handbook changes,
are due later this year.
1, we noted that
financial institutions could find themselves potentially liable for committing an
Deceptive, or Abusive Act or Practice (UDAAP)
as a result of the actions of certain types of external service providers,
particularly those that interface directly with customers.In this Part 2, we will discuss how financial
institutions can mitigate the risk of UDAAP enforcement actions through their contracting
strategies with their service providers.
A New Wrinkle of Risk
In some ways, the
CFPB's UDAAP authority resembles other regulatory regimes in that it places
compliance obligations on both the issuer of the product as well as the
third-party service provider that helps effectuate a transaction involving such
a product.For example, export control
laws place Office of Foreign Assets Control compliance obligations on both parties
to a transaction.Data protection laws
apply both to the controller as well as the processor of data.HIPAA protections for health information
apply to the covered entity and its business associates.
In other ways, however,
the CFPB's UDAAP authority differs from other regulatory regimes because it expressly
imposes upon a financial institution an affirmative obligation to supervise closely
the behavior of its service providers.While
some other regulators may also impose express obligations (e.g., Office of the
Comptroller of the Currency), in many other regulatory contexts, any required
supervisory role is typically either less onerous and/or only implied by the
Of course, it is an outsourcing
best practice for a customer to have good management and oversight over its
service providers, but the CFPB's requirements go further.Indeed, this supervisory obligation may even
undercut a financial institution's rationale to outsource certain functions in
the first place and lead an institution to forego pursuing the outsourcing
relationship during an initial risk assessment if the institution believes the
potential service provider could expose the institution to UDAAP liability.
relationships involve some level of risk.Depending on the nature of the services, a bank may be handing over sensitive
data, management of key processing functions, or responsibility to keep IT
infrastructure safe and secure.
The CFPB, however,
appears to have added a new wrinkle of risk to what would otherwise be
considered a "standard" level of outsourcing risk - for certain services
related to consumer financial products or services, if a financial institution's
service provider engages in behavior that the CFPB finds unlawful under its UDAAP
authority, then the financial
institution itself is potentially
liable for the conduct of its service providers and could be subject to
A Delicate Balance
But this risk is not
insurmountable.A thoughtful vendor
management/contracting strategy can mitigate a financial institution's risk by
incorporating UDAAP obligations into its service provider contracts and sensibly
allocating the risk between the parties.In addition to addressing the risk responsibility in the contract, the
financial institution should consider establishing a service provider
monitoring and governance framework that expressly addresses UDAAP risk.
will want to implement specific solutions (which may even vary service provider
to service provider) to ensure that it sufficiently protects itself while at
the same time not being too heavy handed with its business partner.A financial institution and its counsel will
need to maintain that delicate balance between seeking the necessary protection
and creating obligations that can get in the way of doing business.
With this balance in
mind, there are two high-level procedural approaches a financial institution's counsel
may want to consider.
One method a financial
institution could employ is to execute single purpose "UDAAP Agreements" with
all of the relevant service providers across the enterprise.This approach is analogous to a company
requiring its service providers to enter into NDAs or (for HIPAA covered
entities) Business Associate Agreements.
Such an initiative
will likely take a fair amount of effort, but it could also bring significant
benefits.First, the institution is
starting out with standard terms.Assuming counsel is successful in limiting negotiation, then all the
relevant service providers are signing up to more or less the same obligations,
which creates consistency with respect to meeting the CFPB's duty to supervise.
Second, this approach gives
the institution room to be specific about what is required.Some service providers may not know their precise
obligations with respect to the prohibition on UDAAP, and having such clear
obligations may be beneficial to the financial institution in showing the CFPB
that the institution is taking its affirmative obligations seriously.
Finally, with respect
to those agreements already in place, a single purpose approach avoids having
to reopen and amend the existing terms.With respect to new agreements being negotiated, the single purpose
approach allows the institution to segregate the risk terms (e.g., liability
and indemnities) from the underlying commercial transaction, which may result
in more efficient negotiations.
Integrate the Terms
Another approach is to
integrate the UDAAP obligations into the underlying service provider
contract.Integrating the terms into an
underlying agreement may enhance the institution's leverage because each party
has the "let's get a deal done now" mentality if it is a new contract.
Integration of the
terms into the underlying transaction is also similar to the way many
outsourcing contracts deal with other regulatory issues like data protection and
export controls, so the approach is unlikely to surprise the service provider.Taking this approach may result in
negotiating "fewer words" because some aspects of compliance (e.g., reporting
and audit rights) may already be captured by other portions of the contract.
For those outsourcing
transactions that, in the grand scheme of things, present a comparatively lower
risk to the financial institution, a single purpose agreement may be too much
when simpler integrated terms would suffice.Compliance obligations with such low-risk transactions may simply be
handled in a standard "compliance with laws" section in the agreement.
With respect to
medium-risk to high-risk transactions, however, an institution will want to
guard against taking a simplistic approach to integration.In other words, the institution should resist
trying to address UDAAP by simply inserting a "compliance with Dodd-Frank"
obligation or "compliance with bank policies" obligation into the
contract.Although the service provider
may be more agreeable to closing the issue this way, the actual obligations to
prevent UDAAP violations are not spelled out.If CFPB examiners come looking for UDAAP violations, the bank may not
have a good story to tell about its good faith effort to mitigate risky UDAAP
behavior with that service provider.
Key Negotiation Points
In addition to
deciding on the best approach as described above, the financial institution
will need to able to negotiate the substantive UDAAP terms.Of course, a bank's negotiation strategy is
highly dependent on the nature of the deal, the leverage each party has, and whether
the particular relationship is high or low risk.
institution should focus on the following key areas of risk when negotiating
1.Liability.As we noted in Part 1, CFPB enforcement
actions to date have resulted in fines and restitution obligations that could run
into the hundreds of millions of dollars.Such penalties likely would vastly exceed an agreement's standard
liability cap on direct damages.Therefore, a bank's counsel should attempt to exclude such regulatory
fines from any liability caps.
2.Indemnities.A full indemnity from the service provider
for regulatory fines may also be appropriate depending on the nature of the
services, particularly for high-risk services that directly interface with an
3.Termination.An institution should also negotiate flexible
termination rights with the service provider, so that the institution can exit
a relationship in case the service provider engages in prohibited UDAAP
activity.CFPB examiners will likely
look favorably upon an institution with such flexible termination rights.
4.Operational Oversight.In addition to the traditional risk terms
described above, other business and operational terms warrant consideration as
well.To ensure that the institution is able
to exercise its heightened obligations to monitor and supervise, it should seek
frequent reporting and good recordkeeping practices from its service
providers.Strong audit rights on behalf
of the institution are also recommended by the CFPB.A robust governance framework with the
service provider may also be an important part of the financial institution's
ongoing monitoring and compliance efforts.
5.Performance Incentives.In its guidance documents, the CFPB has noted
that consumer complaints can serve as a leading indicator as to whether a UDAAP
has occurred.Not only should an
institution look to implement a process for how customer complaints get
analyzed and reported up to the bank, but also the institution should consider
tailor-made service levels for incentivizing the service provider to limit such
complaints in the first place.Implementing
such proactive performance measures will likely show CFPB examiners that the
institution is looking to curb violations before they occur.
Implementing such a contracting
strategy is an essential component of any financial institution compliance
program.Among other things, it likely
will go a long way in showing the CFPB that a good faith effort has been made
to comply with UDAAP rules and ultimately help the financial institution avoid
With the number of (internet) connected devices rapidly surpassing the number of internet people (actually, all people whether or not connected), we take this opportunity to explore some of the legal complexity brought about by all of this connectivity.
First, some background:
Introduction of IPv6 uses 128 bit addresses - limit: 340 Trillion addresses
This means that with the current population, we have the ability to address over 47,000 addresses/devices per person
The Sheep's Clothing
The Internet of Things has some wonderful benefits. For example:
You can now remotely control your thermostat to save energy;
You can monitor systems in your house when away to protect its physical security;
Companies can monitor the flow of goods and inventory through their systems;
Utilities can manage the flow of resources based on supply and demand through smart metering;
Distributers can monitor the movement of their fleets;
Municipalities can monitor flow of traffic on streets and availability of parking spaces;
And the list goes on as far as our imagination
But . . . the Internet of Things also creates huge amounts of information. And with that information, come all of the risks and challenges of having information.
Companies or other entities collecting or processing information need to protect the confidentiality of that information. Information about the things of individuals can disclose significant information about that individual.
For example, the GPS tracking on a cell phone may be used to tell the owner of an App where the person is going which could disclose private, or even Protected Health Information--imagine, if you will, a company that uses the GPS tracking to monitor the movement of its distributed sales force and learns that one of the sales personnel has been frequenting a certain kind of medical establishment.
Entities need to understand what information they may obtain, and need to develop clear policies and manage expectations of the users. In some countries, even having employees consent to such monitoring may not be enforceable given the "coerced" nature of employee "consent."
This gets even more concerning when companies are monitoring their customers rather than their employees. Although the monitoring may be for the most well-intentioned purposes, the company still possesses sensitive data. For example, the App on smartphones that tracks where people exercise using GPS also knows when people are exercising far from home. If someone was able to hack into that data, they would know when was a good time to break into the home or harm the user's family.
In addition to privacy concerns, there are also more direct employment concerns. Internet connected devices make it easier for employees to work whenever and wherever. This sounds great, but this also means that hourly employees may be encouraged to work outside of their normal work hours. Not only does the device facilitate this extra work, it also reports on it. There are reported cases where this has led to companies incurring unanticipated overtime liability for hourly employees responding to emails from their smartphones.
The Internet of Things also facilitates more direct monitoring--both by private companies and by the government.
Having this data also makes an entity subject to inquiries from law enforcement and in litigation. This volume of data compounds the classic eDiscovery problems which can drive huge costs in terms of gathering, reviewing, and providing data. In addition, a company may be faced with a decision of incurring the legal expense of defending a request for information to protect the privacy of its customers, or sharing the information and affecting its reputation with the customer-base.
Don't Get Eaten
So, what is the purpose of this blog post? The move to the Internet of Things is both unavoidable and, by-in-large, beneficial. By all means, get on board, or be left behind. But entities should be thoughtful and understand some of the associated risks so that they can be built into the decision-making process. By understanding the legal risks, systems can be designed to generate great benefits while accommodating legitimate legal concerns. Advanced awareness and planning can empower those who embrace the Internet of Things, rather than allowing them to be blindsided when it is too late.
Database marketing outsourcing is a strategic transaction for retailers. This type of outsourcing can facilitate the integration of diverse marketing channels e.g., web, social media, catalog and in-store sales) and enable more targeted and effective marketing to consumers.
Database marketing encompasses a potentially broad array of services, including:
Implementation and hosting of a CRM database marketing solution;
Data cleansing, matching, updating and enrichment;
There are a variety of different measures of supplier performance depending on the specific services to be provided by the supplier and the supplier's solution for providing those services. Typical service level measures include the following:
Solution Availability - This service level measures the availability of the components of the supplier's database marketing solution that are to be accessed and used by the customer in connection with the services, such as reporting datamarts. Similar to traditional IT measures of system availability, this service level holds the supplier accountable for the solution being available to the customer's authorized users without material degradation in performance during scheduled hours of operation (excluding scheduled maintenance windows). The supplier is responsible for the application, infrastructure and network elements of the solution managed by or on behalf of the supplier. Availability is normally in the 99.0 - 99.5% range.
Database Update Processing - Database marketing services typically involve the supplier updating customer data through cleansing, appends, enrichment and refreshes in accordance with a defined schedule. As a result, there should be one or more service levels that measure the supplier's successful completion of the scheduled updates in a timely manner. This service level is typically measured either as the percentage of scheduled updates that are completed on time during
the measurement period (e.g., monthly or quarterly) or in terms of a permitted number of misses over the course of a contract year. This service level is important in ensuring that the most up-to-date information about consumers is used in designing and implementing marketing campaigns and strategies.
System Response Times - This service level measures the response time of the supplier's system to queries executed by the customer's marketing department or other users. Because queries can vary considerably in terms of complexity, it is necessary to either classify queries by their complexity level (e.g., high, medium and low) with different response times for each classification or pre-define a limited set of common queries that the customer wants to measure (e.g., shopped in the past 12 months, generation of do not mail list) with a specified response time for each query. Failure to meet the required response times for a specified percentage of queries can trigger a service level failure or, alternatively, trigger a severity 1 or 2 incident which needs to be resolved within the required resolution time.
Marketing Campaign Execution - If the services include marketing campaign support, customers may want to include service levels that measure the supplier's timely completion of its responsibilities in connection with the campaigns. For example, the service level could measure the delivery of fulfillment files to direct mail or email vendors in a timely manner. The service level measure will need to be defined based on the specific roles and responsibilities of the supplier and customer in executing marketing campaigns.
Incident Management - In addition to the measures described above, there should be a set of incident management service levels that measure the supplier's effectiveness in responding to and resolving issues that adversely impact the services. Similar to tradition IT measures, incidents are classified by severity level based on the impact to the customer's business and the services.
Key Stakeholder Satisfaction Survey - While the quantitative measures of supplier performance described above address many important aspects of the supplier's performance, they do not capture all aspects of performance that are critical to a successful relationship such as the quality of individuals assigned to the customer's account and the flexibility and customer-focus of the supplier in addressing service and change requests. It is not uncommon for a customer to be unhappy with the supplier's performance even though the supplier is consistently meeting the quantitative measures of performance. As a result, we recommend that customers negotiate a service level that provides for a quarterly evaluation by key customer stakeholders (e.g., CMO, CIO) of the supplier's performance. A modest portion of the supplier's fees should be at risk each quarter if it fails to achieve an acceptable score. Because stakeholder satisfaction is a subjective measure, the first reaction of many suppliers is to resist such a measure. With some effort, however, suppliers can often be persuaded that this is a rationale contract management
tool which if used correctly can also benefit them by providing frequent and candid feedback on their customer's perception of their performance.
Database marketing services involve suppliers managing sensitive consumer data on behalf of the customer. Data typically comes from two sources: (1) the customer's
database containing consumer contact, demographic and transactional information which is to be hosted and maintained by the supplier and (2) the supplier's (and/or
a third party's) databases of consumer contact and demographic information that are to be used to improve the accuracy and enrich the customer's database. As a result, there are several dimensions to addressing data related issues ranging from data license rights to data protection to the return of customer data at the end of the outsourcing contract.
Licensing of Supplier Data - Customers should give careful consideration to the terms of any data licensed by the supplier in connection with database
marketing services. If customers anticipate using any supplier furnished data in connection with co-branding or joint marketing with business partners, they will need to secure express license rights for those activities. In addition, suppliers typically license their data for specified terms (e.g., annual) that expire at the end of the services relationship. However, portions of the data licensed from the supplier may include updated consumer contact information (e.g., new postal or email address, new telephone number) that will be integrated into the customer's consumer records. This information cannot readily be removed from those records and it is not realistic to expect customers to revert to a consumer database with outdated information. As a result, customers should secure unlimited perpetual licenses to such data. To the extent that the customer's license to any data furnished by the supplier will terminate at the end of the services relationship, the supplier should be required to remove such data at no additional charge to the customer without adverse impact to the returned data.
Supplier Use of Customer Data - The outsourcing contract for database marketing services should include appropriate restrictions on the supplier's use of the customer's data. As a general matter, suppliers should agree to use customer data solely for the purpose of providing services to the customer. Suppliers may request the right to use de-identified, aggregated data for various purposes such as making improvements to their services generally and for research and publishing on
industry trends. Before granting this right, Customers are advised to carefully consider whether any of the proposed uses of this data could potentially reveal sensitive competitive information and to prohibit those uses. For example, if customer is dominant in a particular industry segment, the supplier's publication of trends in that segment could provide competitors valuable information about the customer's performance.
Protection of Customer Data - The consumer data hosted and stored by the supplier in a database marketing service contain highly sensitive personally identifiable information. As a result, customers should secure strong contractual commitments from the supplier regarding the protection of that information. These commitments should include:
a comprehensive security program that complies with all applicable data privacy / security laws and regulations and satisfies the customer's internal security policies;
ISO 27001 certification;
annual SOC 2, Type 2 reports, including prompt remediation of deficiencies indicated in the reports;
customer approval of supplier facilities used in delivering the services; and
prompt notice and full cooperation in addressing any security events.
If the supplier will not agree to unlimited liability for breach of its security commitments, the limitations on liability should provide for a significantly
higher cap on liability than the normal cap for performance failures. In addition, the supplier should be responsible for all reasonable costs incurred by customer in addressing security breaches, including investigation, forensics and legal costs; regulatory fines and penalties; and call center and credit monitoring costs.
Return of Customer Data - When the outsourcing contract with the supplier comes to an end, the customer will need to migrate the consumer data hosted by the supplier to another database marketing solution. The outsourcing contract should include commitments from the supplier to assist the customer with this transition. This should include a commitment by the supplier to return all of the customer's data in an industry standard format (e.g., delimited ASCII), together with configuration descriptions and other documentation relating to the data. Absent these commitments, the customer may find that there are significant operational and
financial hurdles in attempting to terminate its relationship with the supplier or negotiate favorable renewal terms.
Join two of our SourcingSpeak bloggers, Joe Nash and Meighan O'Reardon, as they explore "Cybersecurity as a Service," an emerging concept that allows companies to more centrally manage cybersecurity. They will highlight how these services may be leveraged by corporations looking to mature their cybersecurity capabilities and address cybersecurity risk from a legal,
operational and management standpoint. Topics that they will cover include:
How can these cybersecurity services be leveraged by an organization?
How should organizations be structuring themselves to best manage cybersecurity, and ultimately to limit their cybersecurity risk profile?
What is the preferable approach to create a comprehensive program for cybersecurity management? In-house, third-party sources or both?
What are some of the legal ramifications companies must keep in mind?
Pillsbury Global Sourcing advises buyers on all aspects of outsourcing and complex technology acquisitions. We have architected and negotiated deals worth over a half a trillion dollars on behalf of Fortune 500 clients. Blog content taps the insight of our people based in London, New York, Austin, San Francisco, and Washington, DC.