April 18, 2024

Submitted electronically via Regulations.gov
Lee Licata
Deputy Chief for National Security Data Risks
U.S. Department of Justice, National Security Division
Foreign Investment Review Section
175 N Street NE, 12th Floor
Washington, DC 20002

Re: Federal Register No. 2024-04594 Access to Americans’ Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern

Dear Deputy Chief Licata:

The Securities Industry and Financial Markets Association (“SIFMA”)1 appreciates the opportunity to comment on the proposed rulemaking concerning bulk data transfers to countries of concern. SIFMA is the leading trade association for broker-dealers, investment banks, and asset managers operating in the U.S. and global capital markets. On behalf of our members, we advocate for legislation, regulation, and business policy affecting retail and institutional investors, equity and fixed income markets, and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (“GFMA”).

As you are aware, on February 28, 2024, President Biden announced an Executive Order (“EO”) 14117 directing the Department of Justice (“DOJ”) to promulgate regulations that restrict or prohibit transactions involving certain bulk transfers of sensitive personal data or United States Government-related data and countries of concern or covered persons.2 As directed by the EO, on
March 5, 2024, the Department of Justice (“DOJ”) published in the Federal Register an Advance Notice of Proposed Rulemaking (“ANPRM”) regarding “Access to Americans’ Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern.”3 The proposals in the ANPRM contemplate establishing a comprehensive regime to prohibit and restrict certain types of bulk data transfers to countries of concern and covered persons, which will impact a broad cross-section of the economy including the financial services industry.

Our members conduct thousands of data transfers every hour, completing transactions on behalf of millions of investors around the globe. These transactions are subject to close regulation under the Bank Secrecy Act’s anti-money laundering programs as well as the OFAC sanctions regime. It is critical that, as the DOJ drafts the forthcoming proposed rule, it is precise in its language so that the financial marketplace is not disrupted.4

We appreciate that the ANPRM exempts transactions pertaining to financial services, payment-processing, and regulatory-compliance-related transactions. Our members welcome the opportunity to provide a targeted comment on this exemption to ensure, as the ANPRM aptly described, “carefully calibrated actions,” that are broad enough to not have harmful impacts on the
economy, yet precise enough for the DOJ to implement the important goals set out in President Biden’s Executive Order 14117.5

In this regard, we are focused on section 2(a)(v) of the EO which exempts otherwise prohibited or restricted transactions that are “ordinarily incident to and part of the provision of financial services, including banking, capital markets, and financial insurance services, or required for compliance with any Federal statutory or regulatory requirements, including any regulations, guidance, or orders implementing those requirements.”6 The EO directs the Attorney General to define the exemption in forthcoming regulations, as discussed in this ANPRM.7 The ANPRM proposes exempting “data transactions to the extent that they are ordinarily incident to and part of the provision of financial services.”8 The ANPRM then provides a list of five categories of inclusions under this exemption:

(i) Banking, capital-markets, or financial-insurance services;
(ii) A financial activity authorized by 12 U.S.C. 24 (Seventh) and rules and regulations thereunder;
(iii) An activity that is “financial in nature or incidental to a financial activity” or “complementary to a financial activity,” as set forth in section 4(k) of the Bank Holding Company Act of 1956 and rules and regulations thereunder;
(iv) The provision or processing of payments involving the transfer of personal financial data or covered personal identifiers for the purchase and sale of goods and services (such as the purchase, sale, or transfer of consumer products and services through online shopping or e-commerce marketplaces), other than data transactions that involve data brokerage; and
(v) Compliance with any Federal laws and regulations, including the Bank Secrecy Act, 12 U.S.C. 1829b, 1951–1960, 31 U.S.C. 310, 5311–5314, 5316–5336; the Securities Act of 1933, 15 U.S.C. 77a et seq.; the Securities Exchange Act of 1934, 15 U.S.C. 78a et seq.;
the Investment Company Act of 1940, 15 U.S.C. 80a–1 et seq.; the Investment Advisers Act of 1940, 15 U.S.C. 80b–1 et seq.; the International Emergency Economic Powers Act, 50 U.S.C. 1701 et seq.; the Export Administration Regulations, 15 CFR part 730, et seq.; or any notes, guidance, orders, directives, or additional regulations related thereto.9

We fully support the inclusion of each of these five categories of transactions. Exclusion of any of these areas could have significant and unwarranted impacts on the ordinary course of business transactions by requiring further regulatory restrictions on interactions with investors and counter-parties that are already been subject to extensive regulation under existing regimes. Failing toinclude these exemptions could dramatically expand the negative impact of the regulations on the global economy by making it more difficult to conduct regular business with U.S. companies and inhibiting the free flow of commerce. We appreciate that the ANPRM seeks comment on this topic and intend our comments to be focused on these questions, including:

43. What modifications, if any, should be made to the proposed definitions above to enhance clarity?
44. What, if any, unintended consequences could result from the proposed definitions?
45. Are there other types of data transactions that should be exempt? Please explain why.10

Our members strongly recommend that the DOJ interpret all five categories listed for inclusion under this exemption as automatically considered transactions “ordinarily incident to and part of the provision of financial services” without in any way limiting the broader meaning of this term. In particular, our members suggesting adding the clarification that data transfers that are “ordinarily incident to and part of” investment advisory relationships, broker-dealer transactions, and securities transfers are included as covered transactions that are “ordinarily incident to and part of the provision of financial services.” This inclusion is helpful to avoid unnecessarily burdening transfers that are otherwise already well-regulated by the various financial services self-
regulatory and other regulatory bodies.

The elaboration of this exemption is entirely consistent with the EO direction on this point. Banking transactions, capital markets transactions, and financial insurance services transactions, or transactions required for compliance with any Federal statutory or regulatory requirements, including any regulations, guidance, or orders implementing those requirements should be explicitly defined as transactions that are ordinarily incident and part of the provision of financial services as the EO makes clear.

* * * * * *

We appreciate your consideration of this request. If you have questions or would like to discuss these comments further, please reach out to Melissa MacGregor at [email protected].

Sincerely,

Melissa MacGregor
Managing Director & Associate General Counsel
SIFMA