Are U.K. Courts Pushing Back Against DOJ’s Global Reach?

by Evan Norris and Alma M. Mozetic

On July 31, 2018, the High Court of England and Wales denied the U.S. Justice Department’s request for the extradition of Stuart Scott, a British foreign exchange trader indicted in 2016 as part of the DOJ Fraud Section’s multi-year effort to investigate and prosecute foreign currency market manipulation.  The decision in Scott v. Government of the United States of America marks the second time in 2018 that DOJ has lost an extradition fight in London.  The Department has reportedly indicated that it will appeal.  If the decision stands, Scott will join a handful of U.S. court cases that have the potential to impact DOJ’s ability to reach across the globe to pursue foreign nationals for violations of the FCPA and other financial fraud statutes. Continue reading

DOJ Announces Public Release of the Cyber-Digital Task Force’s First Report; Impact on and Role of the Private Sector Likely to be a Focus in the Coming Months

By Anne E. Railton and James D. Gatta

On July 19, 2018, Attorney General Jeff Sessions announced the public release of the first report produced by the Department of Justice’s (DOJ) Cyber-Digital Task Force, which the Attorney General established in February to combat cyber-enabled threats confronting the United States and, specifically, to answer two fundamental questions: First, what is the DOJ doing to address global cyber threats?  And second, what can the DOJ do to accomplish this mission more effectively?  In discussing the report at the Aspen Security Forum on July 19, Deputy Attorney General Rod J. Rosenstein explained that the Report answers the first question, “providing a detailed assessment of the cyber threats confronting America and the Department’s efforts to combat them.” Continue reading

Deputy Assistant Attorney General Matthew Miner Announces that FCPA Corporate Enforcement Policy Will Apply to Mergers and Acquisitions

by Nicolas Bourtin, Theodore Edelman, Sergio Galvis, Aisling O’Shea and Nathaniel Green

During a speech delivered on July 25, 2018 at the American Conference Institute 9th Global Forum on Anti-Corruption Compliance in High Risk Markets, Deputy Assistant Attorney General Matthew Miner, who oversees the U.S. Department of Justice’s (“DOJ”) Fraud Section (which includes the DOJ’s Foreign Corrupt Practices Act (“FCPA”) Unit), announced that successor companies that identify potential FCPA violations in connection with a merger or acquisition and disclose that conduct to the DOJ will be treated in conformance with the DOJ’s FCPA Corporate Enforcement Policy (the “Policy”).  Continue reading

You Want What?: Responding to Individual Requests Under the GDPR

 by Jeremy Feigelson, Jane Shvets, and Christopher Garrett

With the EU General Data Protection Regulation (“GDPR”) in force for less than two months, many companies are already experiencing an increase in requests from individuals seeking to obtain a copy, or request correction or erasure, of their personal data under Articles 15 to 17 of the GDPR.

Do we have to respond?

Yes. A response is required even if the response is that the company will not honour the request because a relevant exemption applies. Continue reading

CFTC Announces Two Significant Awards By Whistleblower Program

by Breon S. Peace, Nowell D. Bamberger, and Patrick C. Swiber

On July 12 and 16, 2018, the U.S. Commodity Futures Trading Commission (“CFTC”) announced two awards to whistleblowers, one its largest-ever award, approximately $30 million, and another its first award to a whistleblower living in a foreign country.[1]  These awards—along with recent proposed changes meant to bolster the Securities and Exchange Commission’s (“SEC” or “Commission”) own whistleblower regime—demonstrate that such programs likely will continue to be significant parts of the enforcement programs of both agencies and necessarily help shape their enforcement agendas in the coming years.

The Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) authorized the CFTC to pay awards of between 10 and 30 percent to whistleblowers who voluntarily provide original information to the CFTC leading to the successful enforcement of an action resulting in monetary sanctions exceeding $1 million.[2]  Following the introduction of implementing rules, the CFTC’s program became effective in October 2011.  Over the next six-and-a-half years, the CFTC has paid whistleblower bounties on only four prior occasions, with awards ranging from $50,000 to $10 million.  The $30 million award announced last week, thus, reflects a significant increase.  This week’s award to a foreign whistleblower also represents another first for the CFTC’s program and reflects the global scope of the program. Continue reading

The Post-Lucia Executive Order on ALJs

by Daniel Walfish

Last week, the White House, reacting to the Supreme Court’s June 21, 2018 decision in Lucia v. SEC, issued an Executive Order exempting Administrative Law Judges, or ALJs, from the competitive civil service. This post considers what the order might mean for the Securities and Exchange Commission and other agencies that use ALJs to adjudicate enforcement cases. Lucia held that the SEC’s ALJs are “officers” subject to the Constitution’s Appointments Clause, which means they have to be appointed by (as relevant here) the head of the agency – that is, the SEC’s Commissioners. Previously ALJs were hired through an examination-based process handled by the Office of Personnel Management, or OPM (effectively the human resources department of the federal government). OPM typically presented an agency with a list of eligible candidates ranked on the basis of the examination, among other things, and the agency selected an ALJ from among the top three candidates on the list. Continue reading

Two Recent Cases Highlight the Insider Trading Risks Associated with Cyber Breaches

by Avi Gesser, James H.R. Windels, Joseph A. Hall, Laura Turano, and Zachary Shapiro

The recent convictions of two traders for using hacked press releases and the settlement of SEC insider trading charges against a former Equifax manager highlight the significant insider trading risks companies face when dealing with a cyber event.  These risks come in two forms.

First, there is the risk that someone (either inside or outside the company) has gained unauthorized electronic access to material nonpublic information (“MNPI”) about the company or one of its business or transaction partners, and will use that information for illegal securities trading purposes.  On July 6, a jury in Brooklyn convicted two traders for securities fraud, money laundering and computer intrusion for using hacked press releases to trade on MNPI.  To reduce that risk, companies can adopt various cybersecurity measures such as two-factor authentication, access controls, encryption, phishing training, network segmentation, and system monitoring.  Davis Polk’s Cyber Portal 2.0, which is now available to our clients, provides detailed checklists and other resources to help companies reduce cybersecurity risks. Continue reading

To Disclose or Not to Disclose: Analyzing the Consequences of Voluntary Self-Disclosure for Financial Institutions

by F. Joseph Warin, M. Kendall Day, Stephanie L. Brooker, Adam M. Smith, Linda Noonan, Elissa N. Baur, Stephanie L. Connor, Alexander R. Moss, and Jaclyn M. Neely.

One of the most frequently discussed white collar issues of late has been the benefits of voluntarily self-disclosing to the U.S. Department of Justice (“DOJ”) allegations of misconduct involving a corporation.  This is the beginning of periodic analyses of white collar issues unique to financial institutions, and in this issue we examine whether and to what extent a financial institution can expect a benefit from DOJ for a voluntary self-disclosure (“VSD”), especially with regard to money laundering or Bank Secrecy Act violations.  Although the public discourse regarding VSDs tends to suggest that there are benefits to be gained, a close examination of the issue specifically with respect to financial institutions shows that the benefits that will confer in this area, if any, are neither easy to anticipate nor to quantify.  A full consideration of whether to make a VSD to DOJ should include a host of factors beyond the quantifiable benefit, ranging from the likelihood of independent enforcer discovery; to the severity, duration, and evidentiary support for a potential violation; and to the expectations of prudential regulators and any associated licensing or regulatory consequences, as well as other factors.  Continue reading

Cyber-Attacks and Stock Market Activity

by Dr. Daniele Bianchi and Dr. Onur Tosun

Security breaches and hacking cost publicly traded companies billions of dollars annually in stolen assets, lost business, and damaged reputations. Although detailed data are difficult to collate, the 2017’s annual Cost of Data Breach Study run by the Ponemon Institute for IBM estimated that the average per-capita cost of data breaches reached an all-time high of $225 (a 60% increase over the last decade). This is as much of a concern for businesses as it is for regulators.

As a matter of fact, the knock-on effect of a data breach can substantially affect a company’s reputation, resulting in abnormal customer turnover and loss of goodwill, which in turn affect firms’ policies and ultimately revenues and profits. For this reason, companies are often reluctant to reveal information about security breaches due to fear of both short-term and long-term market reactions.

Continue reading

UK Financial Conduct Authority Issues Near-Final Rules on Extension of Senior Managers and Certification Regime and Introduces New Financial Services Directory

by Karolos Seeger, Simon Witney, and Andrew Lee

Following the consultation papers published in July and December 2017, the UK Financial Conduct Authority (“FCA”) on 4 July 2018 provided responses to the industry feedback it received and issued near-final rules on extending the Senior Managers and Certification Regime (“SMCR”) to almost all FCA-regulated firms.[1] Notably, the FCA has confirmed that the new rules will apply from 9 December 2019. We summarise below the limited changes from the FCA’s initial SMCR proposals, the main features of which have been covered in our previous client updates.[2]

In addition, the FCA has published a consultation paper regarding the introduction of a new directory of financial services workers (the “Directory”).[3] This will be available from 10 December 2019 for banks, building societies, credit unions and insurers, and from 9 December 2020 for all other firms. The key aspects of the Directory and firms’ significant related notification obligations are outlined below. Continue reading