NACHA Government Relations Update - March 3, 2016

Posted March 1, 2016

FDIC, Fed, and OCC Announce Higher Threshold for 18-Month Examination Cycle Eligibility
On Feb. 19, 2016, The Federal Deposit Insurance Corporation, Federal Reserve Board of Governors issued a joint press release announcing implementation of an “interim final rule” from the Fixing America’s Surface Transportation (FAST) Act of 2015, allowing more financial institutions to be eligible for an 18-month examination cycle (vs. 12 months for other banks). Changing the qualifying threshold from $500 million to $1 billion will make around 617 more financial institutions as well as 26 U.S. branches and foreign bank agencies potentially eligible for the longer examination cycle.

 
DOJ, DHS, Treasury and Other Cyber Officials Discuss 'Next Steps to Fighting Cyber Threats'
Financial Services Roundtable Event "Next Steps to Fighting Cyber Threats: Implementing Cyber Information Sharing"
Feb. 24, 2016

 
Featuring:

  • Brett DeWitt, Staff Director, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, U.S. House Committee on Homeland Security
  • Josh Alexander, Professional Staff, U.S. Senate Select Committee on Intelligence
  • Gabriel Taran, Assistant General Counsel for Infrastructure Programs (Acting), Office of the General Counsel, U.S. Department of Homeland Security
  • Leonard Bailey, Special Counsel for National Security, U.S. Department of Justice
  • Edward Roback, Deputy Director of the Office of Critical Infrastructure Protection and Compliance Policy, U.S. Department of Treasury
  • John Carlson, Chief of Staff, FS-ISAC
  • Jeewon Kim Serrato, Counsel, Debevoise & Plimpton LLP
  • Nathan Taylor, Partner, Morrison and Foerster
  • Moderated by FSR’s BITS President Chris Feeney and BITS SVP Murray Kenyon 

This event examined Congressional intent for the Cyber Information Sharing Act (CISA), the implementation of CISA within the financial services industry and the application of the law to existing cyber security policies. In February, the Department of Homeland Security issued preliminary guidance on how the private sector and government will communicate threat data as part of the Cybersecurity Information Sharing Act. DHS will be accepting feedback on the guidelines, and will issue a final document in advance of the statutory deadline of June 2016. 

 
House Judiciary Committee Hearing
“International Conflicts of Law Concerning Cross Border Data Flow and Law Enforcement Requests”
February 25, 2016

 
Witness List
Panel 1:

  • David Bitkower, Principal Deputy Assistant Attorney General, Department of Justice 

Panel 2:

  • Brad Smith; President and Chief Legal Officer, Microsoft
  • Michael Chertoff, Executive Chairman and Co-Founder, The Chertoff Group
  • David Kris, former Assistant Attorney General for National Security, Department of Justice
  • Jennifer Daskal, Assistant Professor, American University Washington College of Law. 

On Feb 25, 2016, the House of Representatives Judiciary Committee held a hearing to examine the laws governing law enforcement’s access to electronic data. The Department of Justice wants to retain its ability to request data regardless of where it is stored and to clarify this right in countries outside the U.S that might have passed conflicting laws. There is an effort to fix the situation legislatively by updating the Electronic Communications Privacy Act (ECPA). The hearing focused on the following topics 1) conflicts between U.S. and foreign law; 2) Legislative attempts to remedy these conflicts; 3) balkanization of data; 4) encryption.

  • Conflicts between U.S. and foreign law: The current U.S. law allows the government to subpoena information from companies located in the U.S. without regard to where the data is stored. Members of Congress asked Mr. Bitkower whether the Stored Communications Act (SCA) was silent as to procedures for obtaining data stored outside the U.S., but Bitkower said that in fact the law is very clear. In Bitkower's view, the Department of Justice has the ability to subpoena the information from the companies, and is not responsible for where the information is stored because it has no way of knowing. In instances where the information is stored in a country whose law does not allow the expropriation of the data to another country, Bitkower said companies are to notify the Department of Justice and they will "work on it" with them. At the same time, companies who receive unilateral legal orders from foreign governments for data stored in the U.S., the Electronic Communications Privacy Act (ECPA) prohibits its disclosure without first going through an international legal process via the U.S. government similar to a Mutual Legal Assistance Treaty (MLAT). Brad Smith of Microsoft provided the Committee with an overview of several instances where this conflict is causing real problems for Microsoft and other companies and said the situation is getting worse. Several witnesses said this conflict presents an incentive for foreign jurisdictions to assert localization requirements to ensure their law enforcement agencies can access the data.
  • Legislative attempts to remedy these conflicts: The Congressional role for addressing these conflicts appears to fall into two categories: updating the ECPA through legislation like H.R. 1174/S. 512 the Law Enforcement Access to Data Stored Abroad Act and other outdated legislation like the SCA and Wiretap Act; and updating MLATs and reaching other bilateral and eventually international agreements through which law enforcement can obtain evidence in another country. Some members on the Committee admonished Bitkower for the Justice Department not briefing the committee members prior to a Washington Post article being published unveiling negotiations between the U.S. and United Kingdom. Bitkower also said the negotiations depended on Congress making exceptions to the SCA such as the statutory prohibition on disclosure of communications data for lawful requests from foreign partners with which the United States has a satisfactory executive agreement. These and other examples are discussed in more detail in the witness testimony.
  • Data Balkanization: Countries moving forward with data localization requirements was mentioned frequently as one outcome from not fixing the current framework for requesting electronic data. Witnesses warned our international partners are growing more frustrated and that localization requirements that could result from not addressing these issues will make it more difficult and costly for U.S. technology firms to do business.
  • Encryption: Several members of the committee brought up the Apple case with the second panel of witnesses. Both Brad Smith and Michael Chertoff argued that encryption was necessary to protect our citizens and Smith announced that Microsoft not only agreed with Apple but would be filing an amicus brief next week in support of Apple's position. The Judiciary Committee is set to hold a hearing on Mar. 1, where Apple's General Counsel Bruce Sewell, FBI Director James Comey, and Manhattan District Attorney Cyrus Vance will testify. 

 
 Legislative Tool Kit
House 2016 Calendar (also in bottom right hand bar)
Senate 2016 Calendar (also in bottom right hand bar)​​
 

Access: Public