SEC's Stein Wants More Cyber Rules for Advisors, BDs

Commissioner Stein is pressing Clayton to prioritize what she calls "Regulation SCI 2.0."

SEC Commissioner Kara Stein.

Editor’s note: This article first appeared in Human Capital, a newsletter by Washington Bureau Chief Melanie Waddell about the people who shape the financial regulatory space.

Welcome back to Human Capital! This week’s regulatory warrior is Kara Stein, a commissioner at the Securities and Exchange Commission, who’s been prodding SEC Chairman Jay Clayton behind the scenes to “prioritize” putting investment advisors and broker-dealers under the same cybersecurity rules as exchanges and clearing firms.

Stein, a Democrat, made her wishes known in a recent speech as she outlined why advisors and BDs should be put under what she dubs “Regulation SCI 2.0.”

Read on to hear about Stein’s cyber plans as well as the lowdown on yet another tech-related term: “TechFins.”

Advisors and Broker-Dealers Under Reg SCI

Stein noted in her speech the advent in November 2014 of Regulation SCI — which stands for systems compliance and integrity, and requires market participants like exchanges and clearing platforms to have written policies and procedures that prove their computer systems can bounce back from disasters.

But Reg SCI didn’t go far enough, Stein argues, and has “left out many participants” and other “key players” that possess investor information, such as broker-dealers, investment advisors and transfer agents.

She’s asked Clayton to prioritize what she calls Regulation SCI 2.0.

The securities regulator has long encouraged written policies and procedures, voluntary frameworks and codes of conduct to deal with cyber threats — but the industry is now facing a “cyber war,” Stein says.

The World Economic Forum states that the cost of cybercrime to businesses will climb over the next five years to $8 trillion per year.

Nonbinding guidance and advice to market participants is helpful, Stein said, but “both government and businesses are in a new world.”

What’s needed? A more comprehensive take on “the cyber wars going on. All need to up their game to protect our critical systems, personal data and economy from cyber threats. Tepid responses from government and businesses are invitations that cybercriminals simply cannot ignore.”

We’ve heard of fintech – financial services firms that serve clients via technology — and even regtech. Now there’s “techfin”: technology companies that are beginning to enter the financial services space.

Stein points to a paper, “From FinTech to TechFin: The Regulatory Challenges of Data-Driven Finance,” that zeros in on new entrants to the financial sector — such as pre-existing technology and e-commerce companies — that have large pre-existing customer bases outside of financial services.

Loosely termed “techfins,” these firms have the capacity to “leverage the data gathered in their primary business into financial services.”

In other words: “Techfins represent an Uber moment in finance,” the paper asserts, adding that the “shift from financial intermediary (fintech) to data intermediary (techfin) raises implications for incumbent financial services firms, fintech startups and regulators.”