by Britt Mosman, David Mortlock, Elizabeth P. Gray, J. Christopher Giancarlo, and Samuel Hall
This is Part III of a three-part post. For Part I, providing an overview of sanctions compliance issues for the cryptocurrency industry, click here. For Part II, discussing blocked coins, blocked persons, and sanctioned regions, click here.
by Britt Mosman, David Mortlock, Elizabeth P. Gray, J. Christopher Giancarlo, and Samuel Hall
This is Part II of a three-part post. For Part I, providing an overview of sanctions compliance issues for the cryptocurrency industry, click here. Part III will discuss restricted transactions, blocking and rejecting crypto transactions, and compliance considerations.
Fortunately, there are some clear rules of the road. Certain cryptocurrencies have been blocked outright, and U.S. persons are prohibited from dealing in them or facilitating any dealings in them. In March 2018, President Trump issued Executive Order 13827 to prohibit U.S. persons from dealing in digital currencies that were issued by, for, or on behalf of the Government of Venezuela after January 9, 2018. The Order was a response to the Maduro regime’s launch of its own sovereign cryptocurrency, the “Petro,” in part to circumvent U.S. sanctions.
by Britt Mosman, David Mortlock, Elizabeth P. Gray, J. Christopher Giancarlo, and Samuel Hall
In recent years, the U.S. government has become increasingly focused on regulating the use of virtual currencies as a means of addressing a host of financial crimes and malign activities. As entities and individuals (“persons”) in this space find themselves subject to various, sometimes overlapping regulatory regimes, the compliance environment has become increasingly treacherous. One area of particular concern for those dealing with cryptocurrencies is U.S. economic sanctions, as is evidenced by the recent settlement between the Treasury Department’s Office of Foreign Assets Control (“OFAC”) and BitPay Inc. (“BitPay”), discussed below. Indeed, sanctions hold some of the most complicated compliance issues in one hand, and some of the largest penalties in the other, and they do not always—or perhaps rarely—fit cryptocurrency transactions neatly.
This post provides an overview of sanctions compliance principles for the cryptocurrency industry and discusses some key issues of which persons in the crypto space should be mindful, including:
As this post makes clear, some of the relevant prohibitions remain ambiguous and leave significant questions unanswered. In turn, some crypto transactions and related regulations may warrant license and guidance requests to OFAC or even legal challenges, including Administrative Procedure Act (“APA”) challenges, in U.S. courts to resolve those ambiguities. But at a minimum, there are certain basic steps that should be taken to comply with U.S. sanctions.
by Brian V. Breheny, Raquel Fox, Marc S. Gerber, Andrew J. Brady, Caroline S. Kim, Ryan J. Adams, Andrew T. Bond, Leo W. Chomiak, Jeongu Gim, Blake M. Grady, and Khadija Lalani
On August 6, 2021, the Securities and Exchange Commission (SEC) approved[1] the Nasdaq Stock Market’s (Nasdaq) proposal to amend its listing standards to encourage greater board diversity and to require board diversity disclosures for Nasdaq-listed companies. Subject to transition periods and limited exceptions, Nasdaq-listed companies will be required to (i) publicly disclose board-level diversity statistics on an annual basis using a standardized matrix template under Nasdaq Rule 5606 and (ii) have, or disclose why they do not have, a minimum of two diverse board members under Nasdaq Rule 5605(f).[2] The mandatory “board diversity matrix” disclosure and the “comply or explain” board diversity framework are described in greater detail below. This post reflects updates from Nasdaq guidance issued August 13, 2021.
by Jeremy Feigelson, David Sarratt, Jim Pastore, Johanna N. Skrzypczyk, H. Jacqueline Brehmer, and Christopher S. Ford
On July 19, 2021, California Attorney General Rob Bonta announced his first-year enforcement update on the California Consumer Privacy Act (CCPA), and unveiled a tool to help the Attorney General’s office (CAAG)—the primary enforcer of the CCPA until the California Privacy Protection Agency takes over—identify CCPA violations.
Over a year ago, on July 1, 2020, the first day of enforcement, the CAAG sent a number of statutorily-required violation notices to companies, making clear that the CAAG planned to aggressively enforce the statute. Last week’s update is a clear continuation of this trend, with the CAAG introducing a new tool that California residents can use to easily report violations to the Attorney General’s office. The CAAG also put the market on notice by providing enforcement statistics and examples of potential enforcement actions. Both the tool and examples provide much-needed guidance on the CAAG’s enforcement priorities for the CCPA.
by Alexander Paul Okuliar and David J. Shaw
In just over two weeks as chair of the Federal Trade Commission (FTC or “Commission”), Lina Khan already appears to be making significant changes at the agency.[1] As one of her first acts, Chair Khan called for a Commission meeting on Thursday, July 1, 2021 to consider and vote on several important changes to agency rules and procedures, as well as to open several broad investigations. The actions taken at the FTC meeting anticipated the significant Executive Order signed by President Biden last Friday (on which we will shortly send a separate client alert). It was the first public meeting of the FTC in decades (although it won’t be the last – the FTC just announced another public meeting for July 21) and the matters adopted during the meeting promise to shape the direction of the agency and competition law enforcement in the United States for years. The agenda — published on June 24, 2021[2]— outlined votes on four issues.
by Antoine F. Kirry, Alexandre Bisch, Aymeric D. Duoulin, Fanny Gauthier, and Karolos Seeger
On July 7, 2021, a French National Assembly Committee led by MPs Raphaël Gauvain and Olivier Marleix, published a long-awaited 180-page evaluation report about France’s anti-corruption law of December 9, 2016 (the so-called “Sapin II Law”)[1]. While recognizing the significant progress made by France in its fight against corruption and tax fraud over the last five years, MPs suggest further strengthening the existing legal framework. Their 50 recommendations cover various topics, including the French-style deferred prosecution agreement; the self-reporting of corporate crimes; corporate criminal liability criteria; the introduction of a new pre-trial guilty plea; French extra-territorial enforcement of corruption crimes; and the role of the French anti-corruption agency. We provide below the main highlights of the report.
The Anti-Money Laundering Act of 2020 (AML Act) (enacted as Division F of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021), specifically stated Congress’s intention “to reinforce that the anti-money laundering and countering the financing of terrorism [(AML/CFT)] policies, procedures, and controls of financial institutions shall be risk-based.”[1] Among other significant changes in AML/CFT law, it revised the Bank Secrecy Act (BSA) to provide that one of the purposes of the BSA’s reporting requirements was to “prevent the laundering of money and the financing of terrorism through the establishment by financial institutions of reasonably designed risk-based programs to combat money laundering and the financing of terrorism.”[2]
The AML Act further stated that AML/CFT programs should be “(II) risk-based, including ensuring that more attention and resources of financial institutions should be directed toward higher-risk customers and activities, consistent with the risk profile of a financial institution, rather than toward lower-risk customers and activities.”[3] To those ends, the AML Act directed the Secretary of the Treasury, in consultation with other agencies, to “establish and make public priorities for [AML/CTF] policy” within 180 days of the AML Act’s enactment, and to update those priorities at least once every four years.[4]
On June 30, the Financial Crimes Enforcement Network (FinCEN), an agency of the Treasury Department, announced that it had issued the first national AML/CFT Priorities pursuant to the AML Act, along with two Priorities Statements to provide guidance to covered institutions on how to approach the Priorities.[5] This post will discuss the Priorities document and the two additional statements, and recommend immediate steps for covered institutions in response to these documents.
In a prior blog post we discussed the important question of whether certain regulators – especially the SEC – have undercut effective compliance programs by sending mixed signals about when a Chief Compliance Officer should be held personally liable for the actionable compliance deficiencies of his or her firm.[1] Two important developments have occurred since then: (a) the issuance of an industry-side framework identifying factors that should be evaluated by the SEC in deciding whether to bring charges against a CCO; and (b) a recent SEC enforcement action against the CCO of an investment advisory firm based only on a finding of negligence. The SEC’s action in particular leaves open a number of consequential questions for industry participants.
Our prior post noted the report issued by the New York City Bar Association (“NYCBA”) Compliance Committee in February 2020 (“Report on Chief Compliance Officer Liability in the Financial Sector”), which recommended that regulators provide formal guidance about when it is appropriate to bring an enforcement action against a compliance officer.[2] Subsequently, in October 2020 SEC Commissioner Hester Peirce embraced this recommendation, going further to suggest that she might develop such a “draft framework” on her own to share with SEC colleagues. No meaningful word has yet emerged from Commissioner Pierce or the SEC on this topic since then.
by Jeremy Feigelson, Avi Gesser, Jim Pastore, Johanna Skrzypczyk, Christopher S. Ford, Alexandra P. Swain, and HJ Brehmer
Since the implementation of the California Consumer Privacy Act (“CCPA”) 18 months ago, more than 75 lawsuits have been filed seeking damages using the Act’s private cause of action. The CCPA provides a cause of action to “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures.” Consumers can seek damages for any harm actually incurred as well as statutory damages ranging from $100 to $750 per consumer per incident.
Not surprisingly, in these early days of CCPA private actions, plaintiffs are trying to push the boundaries of the law and testing who, when, and why a CCPA claim may be brought. In this post, we offer practical tips for reducing CCPA risk based on a review of the cases filed to date and the treatment of those cases in the courts.