An increasing number of financial institutions and fintech companies are coming together to create consortia or shared utility service providers that will identify, design, build and provide emerging technologies like blockchain and the possibility of using decentralized, distributed ledger technology that can be accessed and used by market participants to record information.

Rather than keeping its own record of numerous relevant events about a transaction, each bank could instead, using blockchain technology, hold a copy of a ledger that is used to record this information according to a common standard, with every change in the information about a client, the ownership of an asset traded or an action performed between participants recorded in each copy of the ledger held by those participants. So the potential benefits of using blockchain to ensure that transactions are recorded accurately, that contracts are automatically performed according to their terms and that information about clients has been provided correctly by every market participant are clear. However, there are a number of challenges that any consortium trying to launch this technology must overcome.

Building a Consortium and Establishing the Benefits from Participating in it

Defining the objectives of the consortium and the role that each member will have in its success can be difficult, with each participant often having different and competing interests. While some financial institutions will try to influence the consortium so that the outcome satisfies their particular standards and legal requirements, others may focus more on the potential financial return resulting from the successful exploitation of the technology. Still others may have joined to obtain a seat at the table. Service providers meanwhile may be interested in creating, marketing and launching the solution as quickly as possible in order to establish themselves as the preeminent players within the industry, to maximize the return on their investment and to expand their business into other areas with or without the partner banks. These differences can often create tension between members over the direction and operation of the consortium. To keep this system functioning properly it is very important to clearly define the rights and obligations of every participant in a memorandum of understanding executed at the start of the project.

Establishing Ownership and Exploitation of the Technology

Agreeing who will own and will be able to exploit the developed technology is critical to the success of any initiative. While the foundations of blockchain and similar technologies may be built on open source software which allows quick and free development, the project consortia will frequently require their members to contribute their own software, materials and know-how to the project, which may result in complex and thorough negotiations between the participants regarding the use of each other’s intellectual property. Otherwise consortium members risk losing control over their intellectual property, with rivals potentially able to use it to develop, monopolize and exploit the technology created from it, to the detriment of the contributing participant and others in the industry and the success of the initiative.

Understanding the Regulatory Environment in which the Technology will Operate

As banks and other financial institutions cannot outsource their responsibilities to regulators, understanding how new, adapted technological solutions can be used in compliance with the laws and the existing regulatory framework is crucial.

For example, while blockchain may allow financial institutions to share, validate and update information about the identities of the ultimate shareholders of common clients, it is important to protect the privacy rights of individuals in different countries, such as the right to object to the distribution of information about them and the so-called “right to be forgotten”. Similarly, although financial institutions may be willing to share information about the identity of their clients, a bank may not be able to accept any liability to other banks for any inaccuracies in the information it has provided, preventing those other banks from relying on it for anti-money laundering, client onboarding and other compliance purposes.

A Look Ahead

So while there are many potential benefits of using blockchain and other similar technologies in the financial services industry, there are also a number of strategic and legal challenges which the consortia developing them will need to overcome.

A version of this article was first published in Financial IT on 7 December 2016 – https://financialit.net/pdf/view/11782

On 7 November 2016, the Standing Committee of the National People’s Congress formally passed China’s first comprehensive privacy and security regulation for cyberspace. Since the new Cyber Security Law (CSL) will come into effect on 1 June 2017, technology companies that are operating in or planning to expand to the People’s Republic of China (PRC) are well advised to adapt their IT infrastructure and data architecture to the new law. Violations of the law may, at worst, lead to high fines, website shutdowns or license revocations. Some of the most significant changes brought about by the new law are briefly outlined below.

Who Is Affected and What Is New?

The CSL applies to operators of Critical Information Infrastructures (CIIs) and network operators. A network operator is defined as an operator of basic telecommunication networks, internet information service providers and key information systems. However, it is not clear which companies qualify as operators of CIIs. The exact definition of CIIs was left to the State Council of the PRC. So far, the Council has not given any specifications.

The new law includes several important and consumer protection provisions, but also some very controversial ones affecting technology companies.

Some provisions of the new law have aroused particular criticism. For example, instant messaging services and other companies qualifying as CIIs are only allowed to provide users with their full service if the users have registered under their real identities. In addition, CIIs are under an obligation to remove “prohibited content” from their service. In case of non-compliance with the latter requirement, CIIs are liable for a fine or worse. These requirements are believed to potentially restrict anonymity on the internet and to encourage self-censorship for online communication.

Under another controversial provision, companies are required to report to the relevant authorities any cyber security incident and vulnerabilities that they have experienced and to technically support and assist the authorities on national security matters and crime investigation. However, the nature and scope of the required technical support and assistance have not been defined. Thus, it is not clear whether the process might entail the provision of confidential information.

Among all the changes, the most significant change might be the so-called Data Localization Requirement. Under that provision, CIIs are required to store personal data and other important information within mainland China. However, it is not clear whether this provision only applies to personal data of Chinese citizens or to any personal data, including those of foreigners. In the first case, companies might be required to separate the personal data of Chinese citizens from the personal data of other individuals.

A Look Ahead

The CSL brings a lot of changes in the fight against cyber security threats. However, the law should be criticized for its lack of legal certainty, mostly resulting from overly broadly formulated terms. As the CSL comes into effect in less than three months, technology companies are allowed little time to adapt to the new provisions. Compliance may in particular be of crucial importance for multinational companies with regard to the Data Localization Requirement, as cross-border data transfer may be daily business. It remains to be seen whether the legal uncertainties will somehow be eliminated by the relevant authorities. Until then, affected companies need to be very cautious.

This article was originally published on AllAboutIP – Mayer Brown’s blog on relevant developments in the fields of intellectual property and unfair competition law. For intellectual property-themed videos, Mayer Brown has launched a dedicated channel available here.

On 12 August 2016, the Cyberspace Administration of China (“CAC”), the General Administration of Quality Supervision, the Inspection and Quarantine of China (“GAQSIQ”), and the Standardisation Administration of China (“SAC”) jointly released Several Guidelines to Strengthen National Cybersecurity Standardisation (the “Guidelines”). Under the Guidelines, mandatory national standards will be introduced to regulate critical fields such as major information technology infrastructure and classified networks in an effort to harmonise the current divergent local practice.

The National Information Security Standardisation Technical Committee will be the agency solely responsible for the review, approval, and release of national cybersecurity standards. The Guidelines propose to enhance the role of cybersecurity standards in guiding industrial development by, inter alia, establishing a standard-sharing mechanism for major cybersecurity projects as well as by incorporating standard requirements into the evaluation criteria of such projects and setting up professional qualifications. The Guidelines also stress the importance of establishing essential standards such as the “Internet +” Action Plans, “Made in China 2025,” and “Action Plans for Big Data” for critical projects such as big data security and cybersecurity audits. Finally, the Guidelines call for China’s active participation in international standard-setting activities with the aim of elevating China’s influence at the international level. As a sign of commitment to this, China will selectively adopt international standards which are deemed to suit China’s own situation.

The release of the Guidelines, on the one hand, is consistent with the Chinese government’s intent to have a tighter grip over China’s Internet and networks. On the other hand, standards unification will likely improve the transparency of cybersecurity governance and the predictability of cybersecurity enforcement, a positive step as we are still waiting for the finalisation of the draft Cybersecurity Law. While the content of the national cybersecurity standards may be redolent of heavy “Chinese characteristics,” there is a glimmer of hope as China has now signalled a desire to be involved in international cybersecurity standards-setting.

Efforts to coordinate and enhance cybersecurity across the European Union (“EU”) have taken a step forward with the publication on 19 July 2016 of the new Network and Information Security Directive (2016/1148/EU) (the “Directive”) in the Official Journal of the European Union. Member States will have until 9 May 2018 to transpose the Directive into their national laws.

The key objectives of the Directive are: (1) to introduce a set of minimum cybersecurity standards for network and information systems maintained by operators of essential services and digital service providers; (2) to ensure each Member State has in place strategies and resources relating to cybersecurity; and (3) to enhance cooperation amongst EU Member States for the prevention, detection and response to cyber-attacks. The Directive will have a direct impact on organisations that fall within the categories of “operators of essential services” and “digital service providers” both of which are given a particular meaning by the Directive.

Operators of Essential Services and Digital Service Providers

The Directive applies to operators of essential services and digital service providers. An operator of an essential service is considered to be an entity that provides a service that is essential for the maintenance of critical societal and/or economic activities, the provision of which relies on network and information systems, and in respect of which a cyber incident would have a significant disruptive effect on the provision of the service. Digital service providers are defined as organisations providing online marketplaces, online search engines and/or cloud computing services.

Security and Notification Obligations

Since the impact of disruption to operators of essential services is potentially more serious for the social and/or economic activities of the EU, the Directive draws a distinction between operators of essential services and digital service providers, imposing less strict obligations on the latter. The Directive permits Member States to adopt measures to achieve higher security standards for operators of essential services but not digital service providers (subject to each Member State’s right to safeguard its essential state functions, for example national security).

Implementation and Enforcement

The Directive also takes a differentiated approach to enforcement against operators of essential services and digital service providers. As one of the recitals explains, digital service providers should be subject to a light-touch, “reactive” supervisory approach. Therefore competent authorities will take action, if necessary, if they receive evidence that a digital service provider has not met the requirements. In contrast, competent authorities will have the power to initiate assessments of the security measures applied by operators of essential services. They can request information and evidence of effective implementation of security measures, including the results of security audits. Binding instructions may be issued to remedy any deficiencies identified. It will be up to Member States to set appropriate penalties for any failure by either operators of essential services or digital service providers to comply with the national rules implementing the Directive.

Click here to read the full Mayer Brown Legal Update on the Network and Information Security Directive.