Author Archives: Jason Kelly

The Impact of Executive Order 13924 and Its Implementing OMB Memorandum on Administrative Enforcement

by Anand S. Raman, Austin K. Brown, and Darren M. Welch

In late August 2020, to little notice, the Office of Management and Budget issued a memorandum (the OMB Memorandum) that is likely to have significant implications for administrative enforcement, extending well into the Biden administration and beyond.

The OMB Memorandum implemented Executive Order 13924, titled “Executive Order on Regulatory Relief To Support Economic Recovery,” which was issued on May 19, 2020, to address a number of topics designed to support the nation’s recovery from the COVID-19 pandemic. Section 6 of the executive order set forth several principles for “Fairness in Administrative Enforcement and Adjudication” and directed the heads of agencies to “revise their procedures and practices in light of them.” The OMB Memorandum, in turn, provided detailed guidance, covering a wide range of topics, including the conditions under which liability should be imposed, penalties, transparency and discovery, tolling agreements, and consent order duration.

Continue reading

France Makes U-Turn on Corporate Successor Criminal Liability

by Antoine F. Kirry, Alexandre Bisch, Aymeric D. Dumoulin, and Ariane Fleuriot

On November 25, 2020, the French Court of Cassation (France’s Supreme Court) issued a landmark decision[1] whereby public limited liability companies may now be held criminally liable for the prior criminal conduct of the companies they acquire through “mergers by acquisition.”[2] This decision departs from existing case law. It will likely create an increased post-merger criminal liability risk for acquiring companies and a correlative incentive to enhance their pre-merger due diligence efforts.

Continue reading

Health Data Made in France – Is France Moving Towards a Sovereign Cloud Requirement for Health Data?

by Ronan Tigner and Alex van der Wolk

Since the decision of the European Court of Justice (“ECJ”) in the Schrems II case, transfers of personal data from the EU to the United States have been under scrutiny. The ECJ reviewed the situation where personal data are sent from an EU affiliate to its U.S. headquarters as part of how the company structured its business-as-usual practices. But what the ECJ did not consider is whether the mere fact that an EU company is affiliated with a U.S.-headquartered company is problematic, even if no transfer of personal data to the United States takes place.

Whether merely being affiliated with a U.S.-headquartered company is a problem from a data transfer perspective is precisely what a number of associations (“claimants”) and the French data protection authority (“CNIL”) argued in a recent appeal before the French Council of State. This question arose in the context of a case involving Microsoft Ireland in respect of its hosting of French public health data. The claimants and the CNIL argued that any affiliation of an EU hosting provider, in this case Microsoft Ireland, with a U.S. parent company, in this case Microsoft U.S., is in and of itself problematic. The claimants and the CNIL contended that because of such affiliation, U.S. authorities could have jurisdiction over data held by Microsoft Ireland in the EU. As a result, the claimants called for the immediate suspension of the use of Microsoft Ireland, even though Microsoft Ireland had already committed to storing the data in a pseudonymized form in the EU. The French Council of State, however, denied the immediate suspension of the use of Microsoft. While this seems like a good outcome for transatlantic commerce, the Council’s decision suggests that in the future, organizations will be required to use a French-based cloud solution. We provide further details below.

Continue reading

FinCEN and Federal Reserve Propose to Significantly Lower Threshold for International Funds Transfers Under Recordkeeping and Travel Rules

by Jamie L. Boucher, Eytan J. Fisch, Khalil N. Maalouf, Ernst-Wesley Laine, Malika Moore, Greg Seidner, and Javier A. Urbina

On October 27, 2020, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) and the Board of Governors of the Federal Reserve System (Federal Reserve, together with FinCEN, “the Agencies”) published a joint notice of proposed rulemaking to amend the Recordkeeping Rule[1] and Travel Rule[2] regulations under the Bank Secrecy Act (BSA). The proposed amendments would reduce the applicable threshold for international funds transfers from $3,000 to $250 and, consistent with FinCEN’s existing guidance, formally extend these rules to cover convertible virtual currencies (CVCs) and digital assets used as legal tender. The threshold for domestic funds transfers would remain unchanged at $3,000.

The threshold in the proposed rules is significantly lower than the minimum threshold of $1,000 or €1,000 recommended by the Financial Action Task Force (FATF), an intergovernmental body that develops anti-money laundering and counter-terrorism financing standards and promotes their effective implementation.[3] FATF’s recommended threshold has been adopted by the European Union and by a vast number of jurisdictions around the world.

Continue reading

DOJ Issues Cryptocurrency Enforcement Framework

by J. Christopher Giancarlo, Elizabeth P. GrayJustin L. BrowderConrad G. Bahlke, and Richard M. Borden 

On October 1, 2020, the Cyber-Digital Task Force (“Task Force”) of the United States Department of Justice (“DOJ”) issued a Cryptocurrency Enforcement Framework (“Framework”).[1]  The Framework summarizes threats posed by illicit uses of cryptocurrency, the applicable laws that the DOJ and other federal regulatory agencies apply in seeking to identify and mitigate such threats, and the ongoing challenges faced by the DOJ in prosecuting criminal conduct in the digital asset ecosystem.  The Framework details an extensive array of federal, state, and international laws and regulations that apply to cryptocurrencies and reflect the emerging approach to cryptocurrency regulation and enforcement by federal and state governments.  While the extensive patchwork of regulations suggests a need for harmonization, the Framework refrains from calling for any new or amended legislation, regulation, or other rules.  It also does not discuss the government’s use of sophisticated technology to track cryptocurrency transactions and develop its cryptocurrency-related cases.  Importantly, the Framework does not advocate for legal or regulatory suppression of cryptocurrency, as some initial commentators suggested.

Continue reading

CFTC Issues New Enforcement Guidance on Cooperation Recognition in Its Orders

by David Meister, Jocelyn E. Strauber, Jonathan Marcus, Theodore M. Kneller, Chad E. Silverman, and Daniel B. O’Connell

On October 29, 2020, the Commodity Futures Trading Commission (CFTC) Division of Enforcement (Division) issued a memorandum (Guidance) providing guidance for Division staff to follow when recommending the recognition of an entity’s self-reporting, cooperation or remediation in CFTC orders settling administrative enforcement proceedings.[1]

The Guidance, which appears to focus primarily on the language to be used in orders that settle enforcement actions, states that it is intended to further the CFTC’s recently stated strategic goal of providing clarity. It does not change the Division’s existing practices for evaluating self-reporting, cooperation or remediation, including for purposes of recommending penalty reductions, which were set forth in various advisories from January to September 2017 (Advisories).[2] The Guidance does not touch on, for example, the amount of credit (e.g., with respect to the amount of a penalty discount) the Division will recommend for self-reporting, cooperation or remediation. Instead, for the first time, the Division is formalizing when and how Division staff will recommend self-reporting, cooperation or remediation be “recognized” — i.e., described — in CFTC orders.

Continue reading

The SFO Publishes Its Internal Guidance on Deferred Prosecution Agreements

by Karolos Seeger, Robin Lööf, and Aisling Cowell

On October 23, 2020, the United Kingdom’s Serious Fraud Office (the “SFO”) published the chapter on deferred prosecution agreements (“DPAs”) from its Operational Handbook, including how it “engages with companies where a DPA is a prospective outcome.[1] The SFO has made clear that this guidance is for internal use only and was published “in the interests of transparency”; it is not authoritative. Although the guidance does not contain new information or changes from existing DPA practice, it is useful in setting out the SFO’s consolidated approach in respect of DPAs. It does not supersede or replace previous guidance and should be considered alongside the legislation covering entry into a DPA (Schedule 17 of the Crime and Courts Act 2013) and the DPA Code, which is authoritative, as well as previous guidance, including the Corporate Co-operation Guidance.

So far, the SFO has concluded eight DPAs, with a ninth DPA awaiting approval by the court on 30 October 2020.

Continue reading

FinCEN Requests Industry Input for Improving AML Program Effectiveness

by Marc-Alain Galeazzi, Barbara R. Mendelson, and Malka Levitin

On September 17, 2020, the Financial Crimes Enforcement Network (FinCEN) published an Advance Notice of Proposed Rulemaking (PDF: 274 KB) (ANPR) in the Federal Register, seeking comments on how to improve the effectiveness of anti-money laundering (AML) programs that financial institutions are required to have in place under the Bank Secrecy Act (BSA). In particular, the ANPR proposes imposing a requirement that certain financial institutions[1] establish and maintain an “effective and reasonably designed” AML program that would contain three core elements and objectives: (1) the assessment and management of risk; (2) compliance with BSA requirements; and (3) the reporting of information with a high degree of usefulness to the government.  Current regulations do not fully describe the objective of maintaining a BSA/AML compliance program.

The ANPR further seeks comment on whether the AML program regulations should incorporate an explicit requirement for a risk-assessment process and whether the Director of FinCEN should regularly issue a list of national AML priorities (so-called “Strategic AML Priorities”). Particularly, FinCEN requests comment regarding industry-specific considerations that FinCEN should evaluate with regard to the scope of the proposed rulemaking and whether any new rules should better reflect the variety of business models and risk profiles among financial institutions.

Continue reading

SEC Targets Issuers and Officers for Disclosure Violations Through Data Analytics

by John D. Hancock, John W. R. Murray, and Nicholas Anastasi

Just before the close of its fiscal year, the Securities and Exchange Commission (SEC) brought three noteworthy financial reporting cases against issuers that resulted from the agency’s increasingly sophisticated use of risk-based data analytics to detect disclosure violations.  On September 28, 2020, the SEC filed settled actions against two issuers, as well as two officers of one of them, for falsifying their reported earnings per share (EPS).  These actions, against Interface Inc., an Atlanta-based carpet manufacturing company, and its former chief financial and chief accounting officers, and Fulton Financial Corporation, a Pennsylvania-based financial services company, are the first to stem from the SEC Division of Enforcement’s EPS Initiative, which harnesses data analytics to uncover misleading earnings management and related misconduct. 

In the third action, filed on September 30, the SEC found that Hilton Worldwide Holdings failed to disclose travel-related executive perks, and noted that the action was generated by Enforcement’s “use of risk-based data analytics to uncover potential violations related to corporate perquisites.”  Interface, Fulton and Hilton agreed to pay penalties of $5.0 million, $1.5 million, and $0.6 million, respectively. 

Over the past decade, the SEC has developed a formidable set of technological tools and expertise that have enabled it to analyze massive amounts of data quickly and efficiently in order to identify misconduct.  These three recent actions, and the relatively large penalties imposed, signal that it will continue to prioritize financial reporting cases against issuers, both large and small, as well as their officers, utilizing these expanded capabilities.  Given that some of the underlying conduct occurred as far back as 2015, these cases also demonstrate that issuers should not derive any comfort from the passage of time.

Continue reading

FTC Data Privacy Enforcement: A Time of Change

by Rebecca Kelly Slaughter[1]

Keynote address delivered at the October 16, 2020 conference of New York University School of Law’s Program on Corporate Compliance and Enforcement, titled, Confronting Cybersecurity and Data Privacy Challenges in Times of Unprecedented Change.

Over the past year, our entire world has shifted. How we work, how we connect, how we learn, and how we shop have all changed. These changes were abrupt, unwelcome, and in many instances devastating. I am by nature an optimistic person, but it is hard to use the term “silver lining” in connection with events that have threatened or stolen the health and livelihoods of so many. Instead, I think often of Mary Oliver’s famous words: “Someone I loved once gave me a box full of darkness. It took me years to understand that this too, was a gift.”[2] When I think of the darkness that this year has given us, I draw the most hope from the awakening across so many spheres of life that things must change. My mother used to joke that my motto should be “change is bad,” because I am personally so resistant to change; to be clear, this was not a compliment. But my personal and our collective resistance to trying new approaches is, thankfully, waning. In the years to come, I hope that this collective opening up to change is the gift we bear forward out of today’s darkness.

As a Commissioner at the FTC, I want to embrace this openness to change and commit to exploring new approaches across our mission areas. And I want to focus my remarks today on opportunities for change in how we approach data privacy enforcement. To maximize the FTC’s enforcement effectiveness in data privacy, there are three areas in which I believe we need to shift our approach: (1) remedies, (2) case prioritization, and (3) more comprehensive use of our existing authority.

Continue reading