Information Governance

On 3 November 2017, the German regulator for the financial sector, the Federal Financial Supervisory Authority (“BaFin”), published a new circular titled Rundschreiben 10/2017 (BA) vom 3. November 2017 – Bankaufsichtliche Anforderungen an die IT (in English: Circular 10/2017 – Regulatory Requirements for IT-Systems – “BAIT”). The BAIT is available in German language at the BaFin’s website. The final version of the BAIT incorporates a number of revisions that result from the submissions made by stakeholders in the course of a prior public consultation.

Scope of the BAIT

The BAIT’s purpose is to give guidance on the BaFin’s interpretation of the statutory requirements under Section 25a(1) s. 3 no. 4 and 5 and Section 25b of the German Banking Act (Kreditwirtschaftsgesetz – KWG). The BAIT sets out the BaFin’s understanding of how reasonable technical/organisational features of IT systems used within financial institutions should look like, taking in particular into account the requirements for IT security and a sufficient emergency concept. The BAIT also addresses the increased engagement of third party IT suppliers that carry out a wide range of processes on behalf of regulated financial institutions, Section 25b of the German Banking Act.Continue Reading German Federal Financial Supervisory Authority (BaFin) publishes circular on regulatory requirements for financial institutions’ IT systems

The EU Commission recently launched a Public consultation on Building the European data economy. The objective behind the consultation is to feed into the Commission’s future policy agenda on the European data economy in 2017.

The data economy

In its Communication entitled “Building a European Data Economy,” the Commission has re-identified (from its 2012 Communication) the need to upgrade the EU’s legal regarding the trade of data.
Continue Reading Building the EU data economy: time for an upgrade?

In its speech at the FT Cyber Security Summit, the FCA has outlined its approach to cybersecurity in financial services firms. In addition to this, the Group of 7 (“G7”) has issued an 8-point framework for the financial sector as a push for financial firms to design a cybersecurity strategy.

We explore each piece of guidance below.
Continue Reading FCA and G7 issue cybersecurity guidelines for the financial sector

TheCityUK and Marsh have jointly published a report urging UK financial and related professional services sectors to step up their efforts to address cyber risk. The report (headed “Cyber and the City”) suggests that cybersecurity is still not being given the priority it deserves, particularly given the substantial disruption, costs and reputational damage that can

In a sign of the continuing significance of the U.S. Supreme Court’s recent ruling in Spokeo v. Robins, 136 S. Ct. 1540 (May 24, 2016), another federal court has cited that ruling in dismissing claims for lack of Article III standing. In Gubula v. Time Warner Cable, Inc., No. 15-cv-1078 (E.D. Wis. June

The Council of the European Union adopted the EU Network and Information Security (NIS) Directive (the ‘Directive’) 17 May, ready for final adoption by the European Parliament. The Directive, initially proposed in 2013, has been progressing through the EU legislative procedure for some time. As we reported in December last year, the Directive covers

Responding to the increasingly significant threats to customer payment information, the Payment Card Industry Security Standards Council (‘PCI SSC’) has published an update to its data security standard (‘PCI DSS’). Version 3.2 seeks to protect cardholder data by introducing:
Continue Reading PCI Council Reacts Again to Data Security Threats

The long-awaited General Data Protection Regulation was published in the Official Journal of the European Union on 4 May 2016. This means that the most comprehensive reform to the EU’s omnibus data protection law in 20 years will apply throughout the European Union from 25 May 2018.

We have written in previous posts (here

It is commonplace to turn on the television news and hear of a new data breach from a large retailer or someone else. No one wants the legal problems (not to mention the embarrassment and the hit to reputation) from having their systems breached. Consequently, data security is on everyone’s mind.

However, many companies have

On 22 December 2015, the European Commission announced its next steps towards completing the single market for cross-border parcel delivery. The Commission’s aim is to enhance price transparency and regulatory oversight of the parcel market over the coming year, thereby providing consumers and businesses with better access to digital goods and services across Europe.

Cross-border parcel delivery is considered to be one of the key drivers of e-commerce, and forms part of the Commission’s strategy on achieving a Digital Single Market (‘DSM’). The Commission believes that affordable and high-quality, cross-border delivery can build consumer trust in cross-border online sales, and can stimulate the growth of e-commerce. However, high prices and inefficient deliveries between Member States have deterred consumers and businesses from buying and selling online.
Continue Reading European Commission targets cross-border parcel delivery as part of its Digital Single Market Strategy