Incoming DFS Chief Calls Cyber the “Number One Threat” Facing Industry and Government

by Craig A. Newman and Alejandro H. Cruz

The incoming chief of New York’s top financial services regulator called cybersecurity “the number one threat facing all industries and governments globally” during a speech on Friday, April 12, 2019 at the Association of the Bar of the City of New York.

Linda Lacewell, acting superintendent of the New York State Department of Financial Services (“DFS”), made her remarks at an event focused on insurance regulation and they come at a time when the state’s sweeping cybersecurity regulation — initially implemented more than two years ago — is now in full force. Lacewell, a former federal prosecutor, was nominated in January 2019 by New York Governor Andrew Cuomo to head DFS, which oversees banking and insurance in the state. Lacewell was Cuomo’s chief of staff. Her confirmation has not yet been scheduled.

Two Truths and a Lie About Settlements in Bribery Cases

by Pascale Hélène Dubois, Kathleen May Peters, and Roberta Berzero

If we were playing “Two Truths and a Lie,” we would say the following: (a) settlement agreements are used in a variety of jurisdictions as an alternative to litigation; (b) settlement agreements can offer parties the opportunity to save time and resources while securing a predictable outcome; (c) there is a book that will tell you everything you need to know about settlements in bribery cases. The last, of course, is the lie. But only until Spring 2020.

What do settlements within the World Bank Group Sanctions System look like? Why do entities and individuals choose to enter into settlements with the Bank Group? How do settlements support the Bank Group’s mission to further development impact and contribute to safeguarding donor funds in the projects it finances worldwide? These and other questions will be addressed by the chapter “Settlements Within the World Bank Group Sanctions System” to be published in spring 2020 in the forthcoming book from Edward Elgar Publishing, “NEGOTIATED SETTLEMENTS IN BRIBERY CASES – A Principled Approach,” edited by Tina Søreide, Norwegian School of Economics (NHH), Norway and Abiola Makinwa, The Hague University of Applied Sciences, the Netherlands.

Teaching Compliance Part I of III

by Veronica Root Martinez 

This is the first in what is a three-part series of blog posts describing my experience teaching compliance at Notre Dame Law School.

I first began teaching a compliance course in the fall of 2015.  At the time, there were not many compliance courses being taught within law schools, and I was aware of only one casebook on the subject.  I began, as many professors do, by gathering syllabi from individuals currently teaching the topic.  Most of the syllabi I was able to obtain were of courses taught by practitioners that included significant skills-based components, which, although valuable, was not where I wanted to focus.

Instead, I decided to tackle teaching the course in a manner that I hoped would allow students to think through the different roles they might play within compliance efforts, followed by a few classes dedicated to specific compliance areas in an attempt to allow students to better understand how their role might look in practice.  To do so, I draw on enforcement, compliance, behavioural ethics, and professional responsibility materials.  Each class session has one dedicated case study to help students understand the concept being presented.

GDPR: What Happened To One-Stop-Shop Enforcement?

by Professor Lokke Moerel[1]

One-Stop-Shop

“Companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU.”

European Commission, at the time of the adoption of the GDPR

At the time of the adoption of the European General Data Protection Regulation (GDPR), the European Commission touted as the benefit for companies that the GDPR would bring a one-stop-shop enforcement mechanism (1SS), whereby in respect to controllers or processors with multiple establishments in the EU, the supervisory authority (SA) of the ‘main establishment’ of such controller or processor in the EU will serve as the ‘lead SA’ for its ‘cross-border processing’ activities.

In the first landmark enforcement decision under the GDPR, the French SA (CNIL) fined Google 50 million euros (the highest fine so far), despite the fact that the complaints concerned cross-border processing in the EU, which calls for 1SS enforcement. The CNIL considered that although Google has its EU headquarters in Ireland, this Irish entity ‘did not have a decision-making power’ in relation to the purposes and means of the relevant cross-border data processing activities. For that reason, the CNIL decided that the 1SS mechanism did not apply and that the CNIL was therefore competent to make a decision.[2]

This is noteworthy, as apparently the main complainant[3] filed similar complaints against Instagram, Facebook, and WhatsApp with the SAs of Austria, Belgium, and Germany, which all passed the complaints to the Irish SA (as the ‘lead SA’), as these companies have their EU headquarters in Ireland.

The FTC Moves Toward a Rules-Based Approach to Cybersecurity Regulation for Financial Institutions

by Avi Gesser, Kelsey Clark, Jennifer E. Kerslake, and Eric McLaughlin

In our first Cyber Blog post, we predicted that the rules-based approach adopted by the NYDFS would become the model for cybersecurity regulation.  Two years later, we’re feeling pretty good about that prediction, as the FTC recently proposed incorporating a number of aspects of the NYDFS cybersecurity rules into its Standards for Safeguarding Customer Information rule (the “Safeguards Rule”).  The proposal would also expand the Safeguards Rule’s definition of “financial institution” to include “finders,” or companies that connect potential parties to a transaction.  As a reminder, the Safeguards Rule applies to financial institutions that are not regulated by the federal banking agencies, the SEC, or state insurance authorities, including non-bank mortgage lenders, payday lenders, finance companies, check cashers, money transmitters, collection firms, and tax preparers.

DOJ Updates FCPA Corporate Enforcement Policy

By Jonathan S. Kolodner, Lisa Vicens, and Lorena Michelen

In a recent speech at the annual ABA White Collar Crime Conference in New Orleans, Assistant Attorney General Brian Benczkowski of the Criminal Division of the Department of Justice (“DOJ”) announced certain changes to the FCPA Corporate Enforcement Policy (“the Enforcement Policy” or “Policy”) to address issues that the DOJ had identified since its implementation.[1]  These and other recent updates have since been codified in a revised Enforcement Policy in the Justice Manual.[2] 

The Enforcement Policy, first announced by the DOJ in November 2017, was initially applicable only to violations of the FCPA, but was subsequently extended to all white collar matters handled by the Criminal Division.[3]  The Policy was designed to encourage companies to voluntarily self-disclose misconduct by providing more transparency as to the credit a company could receive for self-reporting and fully cooperating with the DOJ.  Among other things, the Enforcement Policy provides a presumption that the DOJ will decline to prosecute companies that meet the DOJ’s requirement of “voluntary self-disclosure,” “full cooperation,” and “timely and appropriate remediation,” absent “aggravating circumstances” – i.e. relating to the seriousness or frequency of the violation.  For more information on the Enforcement Policy, read our blog post explaining it.

The most significant recent changes to the Enforcement Policy include eliminating the prohibition on a company’s usage of ephemeral instant messaging applications to receive full credit for “timely and appropriate remediation.”  Additionally, the modified Enforcement Policy (1) now makes clear that one requirement of cooperation, de-confliction of witness interviews, should not interfere with a company’s internal investigation; (2) confirms, based on an earlier announcement, that the Policy applies in the context of a merger and acquisition (“M&A”), if an acquiring company discovers and self-discloses misconduct in a target; and (3) implements a change announced months before by the Deputy Attorney General that a company only needed to provide information about individuals “substantially involved” in the offense.  These changes are discussed in greater detail below.

Does the California Consumer Privacy Act Empower the Consumer and Generate Trust?

by Lynn Haaland

The California Consumer Privacy Act (CCPA) is an important development for companies doing business in California that have revenues above a minimal threshold – which effectively means that the act will impact many of the largest companies doing business in the United States.  On Monday, February 25, 2019, Senate Majority Leader Hertzberg, who represents the eastern San Fernando Valley senate district and who was recently selected as Senate Majority Leader, addressed a group in downtown San Francisco about the CCPA.[1]  Senator Hertzberg and California State Assembly member Ed Chau were the primary architects of the CCPA.  For this reason, Senator Hertzberg’s comments about the CCPA are worth paying attention to.

OFAC Takes Enforcement Action Against U.S. Parent Company for its Recently Acquired Chinese Subsidiary’s Iran Sanctions Violations

by Brad S. Karp, H. Christopher Boehning, Jessica S. Carey, Christopher D. Frey, Michael E. Gertzman, Roberto J. Gonzalez, Richard S. Elliott, Rachel M. Fiorill, Karen R. King, Joshua R. Thompson

Enforcement Action Shows the Importance of Pre-Acquisition Sanctions Due Diligence and Post-Acquisition Sanctions Compliance Enhancements

On March 27, 2019, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) announced a $1,869,144 settlement agreement with Connecticut-based Stanley Black & Decker, Inc. (“Stanley Black & Decker”), a manufacturer of industrial tools and household hardware, regarding 23 apparent violations of OFAC’s Iran sanctions regulations.[1] OFAC determined that Stanley Black & Decker’s Chinese subsidiary, Jiangsu Guoqiang Tools Co. Ltd. (“GQ”), knowingly provided power tools and spare parts to Iranian end-users.[2] According to OFAC, GQ’s shipments were made via third-party intermediaries, located in the United Arab Emirates and China, with the knowledge that the products were ultimately destined for Iran.[3]  Under U.S. law, non-U.S. companies owned or controlled by U.S. companies are required to adhere to Iran sanctions as if they were U.S. persons.  The settlement, along with the Kollmorgen Corporation (“Kollmorgen”) settlement in February 2019, signals the Trump Administration’s willingness to hold U.S. parent companies liable for their subsidiaries’ Iran sanctions violations, which is an area that, prior to this year, had seen little enforcement activity to date.

The Non-Data-Sharing Data-Sharing Network: One Anti-Money Laundering Innovation Requires a Closer Look

by Allison Caffarone

Financial authorities worldwide are focused on how new technologies can be used to more effectively combat money laundering and financial crime.  The UK’s Financial Conduct Authority (the “FCA”) is one of the leaders in the movement towards using financial technology (FinTech)[1] and regulatory technology (RegTech)[2] to fight money laundering.  In the FCA’s most recent conference on this issue, which was attended by over 100 technology firms, regulators, and law enforcement agencies from the US, Europe, the Middle East, and Asia, participants were tasked with developing proposals to address fifteen problem statements relating to how new technologies can more effectively combat money laundering and financial crime.  This article addresses one of the proposals that received significant attention during and subsequent to the conference.

The proposal, offered by a team from Santander Bank and others, called for financial institutions to use distributed ledger technology to develop a database of “bad actors” without requiring the institutions to share the underlying transactional data that led to the “bad actor” designation.  The goal for the database was to create a money laundering detection network to benefit all financial institutions in the ecosphere without running afoul of data privacy restrictions. This “Catch the Chameleon” proposal won the “Eureka” award at the conference for the “most original idea” and, according to the FCA website, will receive “support to progress” from Level 39, RegTech Associates and The Disruption House.  Following the conference, the proposal continued to receive attention from other major financial institutions.  For example, Credit Suisse highlighted the proposal in its letter responding to FINRA’s request for comment on FinTech innovation,[3] deeming the proposal worthy of exploration.

There is clearly merit behind the “Catch the Chameleon” proposal.  Data and information sharing between the private and public sectors and among and between the different institutions in the private sector is essential to combat money laundering.  Additionally, the use of distributed ledger technology to help facilitate the sharing of such information seems to have significant benefits, such as requiring relatively low implementation costs and allowing enforcement agencies to access a single source of data for all financial institutions in real time.[4]  However, there are at least three significant dangers of the platform or database as described on the FCA website, and in light of the heightened attention this proposal has received, these concerns are worthy of further discussion and exploration.

In Precedent-Setting Case, Two Senior Corporate Executives Indicted for Failure to Report Under the Consumer Product Safety Act

by Jonathan J. Rusch

On March 29, the U.S. Department of Justice announced that on March 28, a federal grand jury in the Central District of California indicted two senior corporate executives with two corporations on multiple counts for their roles in a scheme involving defective and dangerous dehumidifiers made in China.  Simon Chu and Charley Loh, who served respectively as part owners, chief administrative officer, and chief executive officer of the same two corporations in California, were charged with (1) conspiracy (a) to commit wire fraud, (b) to fail to furnish information under the Consumer Product Safety Act (CPSA), and (c) to defraud the U.S. Consumer Product Safety Commission (CPSC); (2) wire fraud; and (3) failure to furnish information under the CPSA.  The Department indicated this was the first time that any individual had been criminally charged for failure to report under the CPSA.