GDPR: Key Changes to Know

The General Data Protection Regulation is set to shake up the way that companies process the personal data of EU citizens. GDPR will officially apply to all member states and to companies (referred to as “data processors” or “data controllers”) processing EU citizen data on May 25, 2018. The change from the previous Data Protection Directive to the new GDPR requires adopting new policies and procedures. Here are some key changes to note:

In General: Broader Scope and Stiffer Penalties

  1. The reach of GDPR is much greater than that of the Data Protection Directive. The language is broad and meant to be sweeping.
  2. It applies to:
  • Data processors and data controllers who monitor and collect the data of EU citizens.
  • Most companies with an online presence operating in the EU or whose customers are EU citizens.
    • This is especially problematic for companies providing services online, because their business is likely to have captured an EU citizen’s data at some point or will in the future.

The penalties for companies that are found to be noncompliant with GDPR are hefty. They are tiered and range all the way up to the higher of 20 million euros or 4% of annual global turnover. This is a staggering fine that companies will seek to avoid at all costs.

1. More Stringent Consent Requirements

GDPR will effectively ban “bundling” consent, as well as the practice of pre-checking boxes for data subjects to un-check. Consent must be unambiguous and revocable. Consent must also be obtained independently for each purpose for which data is processed. This means that if a company wishes to obtain a subject’s data for various reasons, consent must be obtained for each reason, and consent must not be implied.

Consent Checklist

Have you:

  • Put in place consent “click throughs” on your website?
  • Inserted language into the click through consents pertaining to children and whether you will be controlling or processing their data?
  • Unbundled your consent click throughs into multiple check boxes, one for each discrete instance of data processing?

2. Stricter Notification Requirements

Notification of a data breach is required within 72 hours of the breach to the appropriate authorities and to the data subjects impacted. Strict new notification requirements would prevent future Equifax situations (in which a data breach occurred and data subjects were not notified until months afterward).

Notification Checklist

Have you:

  • Put in place specific procedures to report potential data breaches in an efficient and prompt manner?
  • Ensured that your company is taking a “privacy by design” approach to data processing and new projects?

3. Tougher Compliance and Accountability

Companies are now required to keep records of their data privacy efforts and of their Privacy Impact Assessments (“PIA”).

Compliance and Accountability Checklist

Have you:

  • Allocated budget for a Data Protection Officer?
  • Implemented measures to easily “erase” a data subject?
    • (Remember! Data erasure was established by Europe’s highest court in 2014)
  • Put in place methods of documenting Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) for new projects your company takes on to ensure early privacy risk detection?

PSD2 and its Impact on Banking, FinTech and Consumers

The European Union’s introduction of the Payment Services Directive 2 (PSD2) sparked much discussion in the financial services industry. The infographic below explains the directive and its effect on the industry and consumers.


Family Office Insights sits down with Mary Kopczynski, the founder of 8of9, to discuss how she and her team breathe new life into regulatory issues for the financial services sector.



As technology advances and regulations change, adaptation and evolution are key to surviving inevitable regulatory storms.

8of9 has officially transformed into an industry leading RegTech firm. Our mission is to translate complex information into simple solutions. We use specialized tools developed by subject matter experts to demystify confusing regulations. We identify and manage regulatory change and its impact on our clients while seamlessly implementing focused and cost-effective strategies at the intersection of regulation and technology.

We pride ourselves on being the right experts who use innovative thinking, cutting edge RegTech products, and trained human capital to help our clients weather any regulatory storm.

8of9 is a nerd farm: we’re always upgrading our knowledge to analyze and interpret complex information to ease the burden on our clients.

We have cultivated a wide range of trusted relationships across the entire regulatory ecosystem and we look forward to building a solution that is tailored to your needs.

Translation: 8of9 turns regulatory chaos into opportunity


Your Next Project Manager


1. Experience: From RWA reductions to Living Wills to FATCA and more, our team has a global breadth of exposure across teams and in all regions.

2. History: Clients who are overwhelmed by the technology and infrastructure aspects of regulatory compliance most often retain 8OF9. We have a history of managing the mess, and creating opportunity.

3. Thought Leadership: 8OF9 has been commissioned by IBM and top software companies, including Seal Software and Exari, to write white papers on change strategy for a variety of financial regulation topics.

4. Regulatory Change Skills: We have specialized regulatory expertise coupled with practical business analyst skills.

5. Technical Skills: 8OF9 has exposure to dozens of technology platforms, including collateral, credit, legal, and trade booking systems. We have helped test many of them for new regulations already!

6. Major Nerdery: Many of our Nerds have dual graduate degrees and we think financial regulation is fun. No Joke.

7. Affordable: Thanks to our lean and mean infrastructure, our day rates are very competitive.

8. Practical Project Support: 8OF9 identifies the next steps AND gets them done. We do not waste time by allowing problems to surface; we identify, manage and solve!

9. FUN: We are a nerdfarm of charismatic leaders who make it happen!





8of9’s Regulatory Executive Education Program ensures that 8of9 project managers have a front-to-back understanding of a bank and all of its functions and departments. Given the importance and difficulty of Recovery and Resolution planning, 8of9 brought in a Treasury expert to speak with us.

The Treasury department of a bank is responsible for balancing and managing the daily cash flow to and from the variety of departments within the bank. The department also handles the bank’s investments, assets, and liabilities. Ultimately, the key responsibility for the Treasury department is liquidity management. Treasury must ensure that the bank has adequate funds to continue its activities in all circumstances, particularly in stressed scenarios. In order to be successful in this area, the Treasury department must monitor, manage and report the bank’s liquidity position. This includes both defining a liquidity profile and reporting.

In order to define a liquidity profile, the Treasury department must continually assess several critical factors, such as the size of the liquidity buffer to maintain, the mix of short-term vs. long-term debt, whether that debt is at a fixed rate or a floating rate, and whether certain deals involve a mix of different currencies. In order to meet reporting requirements, Treasury must monitor certain information that is required by regulation, including contractual and contingent liabilities, the amount of cash on hand, and the amount of unencumbered liquid assets.

The speaker explained to us that the difference between liquidity and funding is that liquidity is the governance framework of the bank’s funds whereas funding is the execution of that framework. Treasury’s key task in funding is to execute funding transactions at the lowest cost. This involves developing a funding plan, which requires an understanding of the available funding opportunities in both unsecured and secured markets. Unsecured funding tends to come from deposits (both retail and institutional banking), interbank borrowings, commercial paper and medium term notes, long-term debt (senior and capital notes), funded swaps, and intraday and overnight loans from clearing banks. Secured funding can be found in repurchase agreements, securities lending and secured bonds.

Treasury is also responsible for ensuring that regulatory and business capital requirements are met. With respect to the regulatory capital requirements, Treasury has to ensure that capital buffers are maintained for the Financial Stability Board’s total loss-absorbing capacity (“TLAC”) standard and for CCAR stress testing. With respect to the bank’s own capital structure, Treasury must ensure that an appropriate capital structure and capital actions are in place.

Overall, our discussion of the Treasury department’s role at a bank was a valuable experience. We learned how essential the Treasury department of the bank is to daily operations. The discussion also highlighted how important regulatory change management is to Treasury. Much like project management, the success of Treasury depends on planning and execution.





The Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) requires certain financial firms to periodically submit a resolution plan to the Board of Governors of the Federal Reserve System (the “Fed”) and the Board of Directors of the Federal Deposit Insurance Corporation (the “FDIC,” and together with the Fed, the “Agencies”). Each plan, known colloquially as a Living Will, must describe the firm’s strategy for rapid and orderly resolution in the event of material financial distress or failure of the company. These plans provide a blueprint for regulators and bankers for how to unwind these significant institutions with minimal impact to the taxpayer.

Section 165(d) of Dodd-Frank and the Rule promulgated by the Agencies thereunder provide the criteria for which firms must submit a plan to the Agencies. Eventually, all banking organizations with total consolidated assets of $50B or more and nonbank financial companies designated by the Financial Stability Oversight Council (the “FSOC”) must file annually according to a staggered schedule set by the Agencies. The amount and type of information submitted depends on the size of the firm (i.e., smaller firms will generally have smaller and less comprehensive plans). The first-wave filers, or those with $250B or more in nonbank assets, were required to submit their initial plans by July 1, 2012.[1] The second-wave filers, or those with between $100B and $250B in nonbank assets, submitted their first plans by July 1, 2013.[2] Both groups must submit an updated plan by July 1 annually. The third-wave filers, or those with between $50B and $100B in nonbank assets, filed their initial plans on December 31, 2013, and must file annually by December 31.[3] FSOC also designated AIG and GE Capital to submit a plan, which they did on July 1, 2014.

The Agencies must review each plan and determine if the plan is not credible or would not facilitate an orderly resolution. The Agencies have the power to impose: (a) more stringent capital, leverage or liquidity requirements; (b) growth, activities, or operations restrictions; or (c) after 2 years and in conjunction with FSOC, divestiture requirements on firms who submit failing plans.

In August 2014, the Agencies provided mostly negative feedback on the first-wave filers’ 2013 plans (the 11 banks’ second submission). Common criticisms included (i) unrealistic or inadequately supported assumptions about behavior of customers, counterparties, investors, financial market utilities, and regulators, and (ii) the failure to make or identify the kinds of changes in firm structure and practices that would be necessary to enhance the prospects for orderly resolution. The Agencies urged certain banks to establish a less complex legal entity structure; to develop a holding company structure; to amend financial contracts to provide for a stay of certain early termination rights; to ensure continuity of shared services; and to demonstrate operational capabilities for resolution preparedness.

A few days after the Agencies announced the inadequacy of the first-wave filers’ 2013 plans, they also gave feedback on the third-wave filers’ initial submissions. The Agencies provided a tailored resolution plan template for third-wave filers to use in 2015 that focuses on nonbanking operations of the firm and interconnections/interdependencies between nonbanking and banking operations.

Each of these firms now has experience developing this colossal document with critical implications. Moreover, these firms must incorporate all subsequent regulatory guidance from the Agencies into their respective plans. For example, the Fed’s Enhanced Prudential Standards (EPS) under Dodd-Frank, announced in 2012, now apply to foreign banking organizations (FBOs).[4] EPS require substantial organizational shifts, including enhanced stress-testing (CCAR), more stringent liquidity and holding company capitalization requirements, and alterations in legal entity structures. U.S. banks already discuss these requirements in their respective plans; FBOs must discuss these changes and adhere to the timeline(s) outlined by the Fed beginning in their 2015 submissions. The Agencies have potent punishment power for inadequate plans, so firms have essentially created a year-round process to ensure they do not submit a failing document.



[1] The first-wave filers are: Bank of America, Bank of New York Mellon, Barclays, Citigroup, Credit Suisse, Deutsche Bank, Goldman Sachs, JPMorgan Chase, Morgan Stanley, State Street Corp., and UBS.

[2] The second-wave filers are: Wells Fargo, BNP Paribas, HSBC, and RBS.

[3] The third-wave filers include approximately 115 firms, the large majority of which are foreign financial firms doing business in the United States.

[4] The Board’s Final Rule for foreign banking organizations was issued in February of 2014 as “Enhanced Prudential Standards for Bank Holding Companies and Foreign Banking Organizations”.






Buried Alive in Contracts? How to Unlock Future Savings with Contract Discovery and Analytics



In the post-2008 financial crisis environment, regulators often require financial institutions to report accurate data about their operations and exposures. Institutions must produce reliable information reasonably quickly, which requires both access to the information and a means to extract pertinent data.


Picture this: during a routine regulatory examination, a global investment bank receives an urgent request from its regulator to provide information about systemic risk inherent in its derivatives contracts, including how many contracts have third party guarantors.

Or perhaps this: a project team spends six months revising IT platforms to include data from legal agreements, only to have the regulator bring another uncovered product in scope at the last minute.

These common occurrences are requiring us to rethink how we face regulatory inquiries and emerging market events.

Under current practice, most institutions would pull a data extract from whatever systems exist, line up the data like apples to oranges, and hire human capital, overseas or elsewhere, to review the contracts yet again for the newly required data. This approach is costly, inefficient, and often disorganized. And the whole time, regulators are waiting, wondering why this request was not answered instantaneously.

New technology, particularly Contract Discovery and Analytics software, provides numerous benefits over the current approach. As a regulatory change solutions company that is often hired to clean these messes up, we at 8of9 have everything to gain from this inefficient process. But instead, we’re going to give you some reasons why the financial services industry should NOT hire us (or anyone, for that matter) to review contracts manually without a solid software partner to assist.




By Mary Kopczynski, J.D., Ph.D., CEO & Founder, Eight of Nine Consulting, LLC





Technology in the contract management space has revolutionized business in almost every sector except for one elusive customer where the stakes could not be higher: the financial services industry. Why? Because when it comes to documents in the financial services sector, they are more than just generic buy/sell arrangements. The contract itself is also a product that may evolve and govern future business. This means the solution must not only cover the basic agreement plus the negotiation process; it must also capture the many terms and clauses included in the contract so that they can be acted upon at a later date. Software providers have attempted to produce tools that track certain features, but no product has delivered the complete solution required by the industry.




How Contract Discovery and Analytics Technology by Seal Software Can Help Financial Institutions Face Dodd-Frank’s Resolution and Recovery Planning Requirements



8of9, a regulatory solutions company, has reviewed Seal Software relative to its value in meeting the Resolution and Recovery Planning requirements of the Dodd-Frank Act.


Leveraging Seal Technology For Living Will Projects

A Living Will is a document produced by large financial institutions, giving regulators a roadmap of how to unwind or recover their businesses in a stressed economic scenario. In order to perform this analysis effectively, banks must have real-time awareness of all of their legal relationships with one another (easier said than done). The information gathering process is highly manual, complex, and overwhelming. Seal Software, headquartered in San Francisco, has developed cutting edge technology in contract discovery and analytics that accelerates access to critical contract information buried within unstructured contractual documents. This has enabled organizations to uncover key terms that could dramatically impact their business, empowering them to take informed action or respond to time-sensitive (regulatory) requests. 8of9 has reviewed Seal’s technology with respect to financial derivative contracts as a whole, but has recently considered the value proposition of using Seal technology on Living Wills projects to identify where and how using Seal can make the process more efficient.


Background on Resolution and Recovery Plans (“Living Wills”)

The 2008 financial crisis and ensuing civic criticism of Wall Street stirred regulators to reflect on the causes of the economic turmoil and develop ways to stabilize immense financial institutions to safeguard the world’s economy. The demise of Lehman Brothers in particular proved the potentially hazardous entanglement amongst financial institutions. Regulators and lawmakers determined that one of the largest obstacles to preventing the collapse was the inability of regulators and bankruptcy courts to wind down banks in the event of economic turmoil without significantly impacting Main Street. These events prompted the Financial Stability Board (FSB) of the G-20 to declare in September of 2009 that “all systemically important financial firms should develop internationally-consistent firm-specific contingency and resolution plans to help mitigate the disruption of financial institution failures and reduce moral hazard.” US lawmakers responded in the 2010 Dodd-Frank Act by requiring each systemically important financial institution (“SIFI”) to create and submit to regulators a Resolution and Recovery Plan (“RRP”), colloquially dubbed a “Living Will.” Section 165 of Dodd-Frank obliges covered companies to submit an annual RRP to the Federal Reserve Board (“FRB”), the Federal Deposit Insurance Corporation (“FDIC”), and the Financial Stability Oversight Council (“FSOC”, and together with the FRB and FDIC, the “Agencies”).

