Author Archives: ar5883

SEC Enforcement Actions Reflect Expansion of SEC’s AML Compliance Focus: Broker-Dealers, Investment Advisers, Registered Investment Companies, and Individuals Must Take Note

by Michael J. Leotta, David H. Tutor, and Cindy M. Bi

From left to right: Michael J. Leotta, David H. Tutor, and Cindy M. Bi (Photos courtesy of WilmerHale)

The SEC recently announced AML-related charges against an individual registered representative for failing to escalate red flags of potentially suspicious activity, as well as charges against a registered investment adviser for causing mutual funds it advised to fail to adopt an AML program reasonably designed for its business. Taken together, these enforcement actions reflect the continued expansion of the SEC’s efforts to police AML compliance beyond the traditional charges against broker-dealers for failures to file Suspicious Activity Reports (“SARs”). The SEC is not only willing to penalize a broker-dealer or its compliance personnel who fail to file timely SARs, but is also willing to charge individuals and entities that contribute to or cause AML failures.

Continue reading →

CFPB Issues Request for Information on Data Brokers

by Kirk Nahra, Ali Jessani, and Samuel Kane

Left to Right: Kirk Nahra, Ali Jessani, and Samuel Kane (Photos courtesy of Wilmer Cutler Pickering Hale and Dorr LLP)

On Wednesday, March 15, the Consumer Financial Protection Bureau (CFPB) announced an inquiry into data brokers, issuing a “Request for Information Regarding Data Brokers and Other Business Practices Involving the Collection and Sale of Consumer Information.” This request for information (RFI) seeks information about: (1) the data broker market generally, including brokers’ information collection practices, the industry’s effects on consumers, and potential safeguards or controls to regulate data broker activity; and (2) individuals’ experiences in interacting with data brokers. The CFPB intends to use responses to the RFI to inform future rulemaking under the Fair Credit Reporting Act (FCRA). Public comments are due by June 13.

While any issuance by the CFPB of data broker regulations is far from imminent, the CFPB’s RFI is indicative of a growing appetite at both the federal and state levels to bring greater oversight to bear not just on data brokers, specifically, but on commercial uses of personal data more generally — a trend that we have seen on display with recent FTC enforcement actions and rulemaking activities, potential federal privacy legislation, and various state privacy law proposals, to name but a few examples. Continue reading →

Russia Sanctions After One Year: United States Imposes New Round of Restrictions

by Mark Chalmers, Billy Hicks, Kendall Howell, Paul D. Marquardt, Will Schisa, Daniel P. Stipano, and Charles Marshall Wilson

Top row from left to right: Mark Chalmers, Billy Hicks, and Kendall Howell. Bottom row from left to right: Paul D. Marquardt, Will Schisa, Daniel P. Stipano, and Charles Marshall Wilson. (Photos courtesy of Davis Polk & Wardwell LLP)

One year after Russia’s invasion of Ukraine, the United States and its allies imposed a new round of sanctions targeting Russia’s metal, mining, and banking sectors and signaled an increased focus on enforcement.

On February 24, 2023, the United States and its allies marked the one-year anniversary of Russia’s invasion of Ukraine with a new round of sanctions and export control restrictions targeting Russia’s economy and financial system. Consistent with the U.S. sanctions response from the outbreak of the conflict, the latest round of sanctions focused on Russia’s banking sector and export-oriented industries –adding several major Russian financial institutions to the SDN List and targeting Russia’s metal and mining sector. On the same day, the U.S. Department of Commerce, Bureau of Industry and Security (BIS) released new rules significantly expanding and modifying the export control restrictions applicable to Russia and Belarus, which may require exporters to re-examine their processes for product classification.

Continue reading →

“Not a Flash in the Pan” – Government Enforcers Say Sanctions and Export Control Enforcement Against Corporations Is Here to Stay

Editor’s Note: the NYU Program on Corporate Compliance and Enforcement is publishing reactions to the American Bar Association’s annual White Collar Crime National Institute in Miami on March 2 and 3, 2023.

From left to right: Michael Kim Krouse, Amy Jeffress, Jayce Born, and Baruch Weiss (photos courtesy of Arnold & Porter LLP)

by Michael Kim Krouse, Amy Jeffress, Jayce Born, and Baruch Weiss

Hot on the heels of DAG Monaco’s speech this morning, this afternoon featured a timely panel on the government’s enforcement agenda for sanctions and export controls. The speakers included Matthew Axelrod, Assistant Secretary for Export Enforcement, Bureau of Industry and Security, US Department of Commerce; Matthew Olsen, Assistant Attorney General, National Security Division, US Department of Justice; Andrea Gacki, Director, Office of Foreign Assets Control, US Department of Treasury; and Steve Francis, Acting Executive Associate Director for Homeland Security Investigations, US Department of Homeland Security.

Continue reading →

Federal Court Holds Financial Institution Liable for Business Email Compromise Loss

by Michael Borgia, Dsu-Wei Yuen, Andrew Lorentz, and Michael Buckalew

From left to right: Michael Borgia, Dsu-Wei Yuen, and Andy Lorentz (Photos courtesy of Davis Wright Tremaine LLP)

While ransomware attacks usually grab the headlines, business email compromise (BEC) attacks continue to cause massive financial losses for businesses. The FBI’s Internet Crime Complaint Center (IC3), reported BEC losses in the United States of nearly $2.4 billion in 2021.[1] And the problem grew worse during the COVID-19 pandemic: losses from BECs increased 65 percent globally from July 2019 to December 2021.[2]

BECs typically involve a variety of social engineering techniques (for example, domain spoofing) to obtain credentials for a corporate email account. Once inside the email account, attackers typically search for discussions of upcoming vendor payments or other financial transactions and trick victims into transferring funds to an attacker-controlled bank account, instead of the account of the legitimate recipient. A very common type of BEC involves an attacker posing as a company’s vendor and emailing “updated” bank account details for electronic payment of the vendor’s invoices. While these misdirected funds sometimes can be recovered through quick reporting to the involved financial institutions and law enforcement, recovery efforts often are difficult. Attackers promptly disperse the funds by transferring them to multiple foreign bank accounts or converting them to cryptocurrency and transferring them to multiple wallets.

Continue reading →

California AG Announces Investigative Sweep of Mobile Applications for CCPA Compliance

by Kirk Nahra, Ali Jessani, and Genesis Ruano

From left to right: Kirk Nahra and Ali Jessani

In a press release on January 27, 2023, California Attorney General (“California AG”) Rob Bonta announced an investigative sweep focused on mobile applications’ compliance under the California Consumer Privacy Act (CCPA), particularly with respect to effective processing of opt-out provisions. Attorney General Bonta noted that his office “is working tirelessly to make sure that businesses recognize and process consumers’ opt-out requests,” reaffirming the office’s commitment to enforcement of CCPA opt-out provisions. To date, the California AG has sent investigative letters to businesses in the retail, travel, and food service industries, which control mobile apps that allegedly have failed to comply with the CCPA.

This press release from the California AG’s office comes at a time when the CCPA has recently been amended (and expanded) by the California Privacy Rights Act (CPRA) and when the California AG shares concurrent enforcement authority over the new law with the newly formed California Privacy Protection Agency (CPPA). The CPPA has been in the process of developing and finalizing rules for the CPRA, and neither the CPPA nor the California AG’s office can enforce the new provisions of the CPRA until July 1, 2023 (and only then for violations that occur after that date). Still, businesses should be aware that the CCPA is still in effect until that time and that the California AG is actively enforcing the law.

We have summarized key provisions from the press release and outlined potential compliance steps for businesses to consider as part of their CCPA/CPRA compliance programs. We are happy to answer any specific questions you may have.

Continue reading →

FinCEN Publishes Final Rule on Beneficial Ownership

by Greg D. Andres, Uzo Asonye, Kendall Howell, Paul D. Marquardt, Tatiana R. Martins, John B. Reynolds III, Will Schisa, Daniel P. Stipano, and Charles Marshall Wilson.

FinCEN’s final rule, which goes into effect January 1, 2024, establishes the requirements for reporting companies to submit their beneficial ownership and company applicant information to the agency, with minimal changes from the proposed rule.

On September 30, 2022, the Financial Crimes Enforcement Network (FinCEN) published the final Beneficial Ownership Information Reporting Rule (the Beneficial Ownership Rule or Final Rule), requiring certain legal entities to submit to FinCEN a report containing information related to the beneficial owner and company applicant of the reporting company (BOI Report or Report). FinCEN published the proposed Beneficial Ownership Information Reporting Rule (the Proposed Rule) on December 7, 2021, as we discuss extensively in this client update. In the Final Rule, FinCEN adopted the language and provisions of the Proposed Rule in most material respects, with certain modifications in response to comments received from the public. Those modifications, as discussed below, include changes to the reporting timeframes, minor updates to the content of the BOI Reports, and changes that clarify (and to a certain extent expand) the definition of “beneficial owner.”

Continue reading →