Author Archives: Jeremiah Evans

DOJ Announces Compliance Certifications to Be Considered as Part of Corporate Criminal Resolutions

by Greg D. Andres, Uzo Asonye, Martine M. Beamon, Angela T. Burgess, Robert A. Cohen, Daniel S. Kahn, Tatiana R. Martins, Fiona R. Moran, Paul J. Nathanson, and Patrick S. Sinclair

In a pair of speeches, the Assistant Attorney General of DOJ’s Criminal Division emphasized its focus on compliance and announced that he has instructed his prosecutors to consider requiring chief executive officers and chief compliance officers to certify to (1) the accuracy of annual reports submitted pursuant to corporate resolutions, and (2) the effectiveness of their company’s compliance program prior to releasing the company from its obligations under a resolution agreement.

Corporate Criminal Enforcement as a Defense to Companies’ Political Influence

by Jennifer Arlen

Countries around the world are reforming their laws governing corporate criminal liability. Jurisdictions and scholars arguing against broad corporate liability often rely on the claim that corporate civil liability should be as effective, as it can impose equally large sanctions on companies. Yet corporate liability is only effective when enforcement officials have the resources and political will to pursue large, politically influential corporations. In the U.S., effective deterrence thus requires that companies be subject to both criminal and civil liability for their organizational misconduct, as federal civil enforcement is less effective than criminal enforcement because large companies can more easily leverage their influence with members of Congress or White House officials to blunt civil corporate enforcement. Civil enforcement also tends to be less committed to ensuring that individual wrongdoers are sanctioned.

Diverse Internal Investigation Teams Drive Better Results

by Karin Portlock and Jabari Julien

Recent years have seen an uptick in corporate internal investigations of discrimination and harassment on the basis of protected characteristics and increased attention to corporate diversity, equity, and inclusion policies and practices.  When companies look for teams to investigate these issues, they should prioritize diverse teams, which perform better than homogeneous ones in core investigative functions and drive better and more thorough results for clients.

Treasury Department publishes national strategy for combating terrorist and other illicit financing

The United States Treasury Department’s national strategy provides priorities and supporting actions to guide U.S. regulatory efforts to address the most significant illicit finance threats and risks to the U.S. financial system.

On May 13, 2022, the United States Department of the Treasury (the Treasury Department) published the 2022 National Strategy for Terrorist and Other Illicit Financing (the 2022 Strategy), which provides measures to increase transparency in the U.S. financial system and strengthen the U.S. anti-money laundering/countering the financing of terrorism (AML/CFT) framework. Built upon the Treasury Department’s 2020 Strategy, the 2022 Strategy addresses the risks identified in the 2022 National Money Laundering, Terrorist Financing, and Proliferation Financing risk assessments and considers the unique challenges resulting from changes to the illicit finance risk environment and major deficiencies in the U.S. AML/CFT regime.[1] Illicit finance risks include threats related to fraud, drug trafficking, cybercrime, professional money laundering, corruption, human trafficking and terrorist financing. In addition, according to the 2022 Strategy, the most significant vulnerabilities to the U.S. financial system include compliance deficiencies at regulated institutions, the misuse of legal entities, non-financed real estate transactions, and virtual assets and cash transactions.

While the 2022 Strategy does not impose additional regulatory requirements, financial institutions should ensure that their AML/CFT compliance programs take into account the threats and vulnerabilities identified within the 2022 Strategy and the National Risk Assessments and, to the extent necessary, implement internal controls to address such risks.

Priorities, Trends and Developments in Enforcement and Compliance

by Joon H. Kim, Matthew C. Solomon, Victor L. Hou, Lisa Vicens, and Samuel Levander

2021 was a year of transition for white-collar criminal and regulatory enforcement. As courthouses reopened and trials resumed, newly-installed heads of law enforcement authorities looked to reset priorities and ramp up enforcement in the first year of the Biden administration. Policy priorities shifted toward enforcement against sophisticated financial institutions, corporates and their executives, in contrast to the previous administration’s focus on retail investors and schemes with identifiable victims. While the shift at the SEC was more immediately visible with major new enforcement priorities, investigations and resolutions, the DOJ adopted policies and announced new initiatives that will likely only find expression in 2022.

Time to Update Cyber Incident Response Plans, Especially for Banks Subject to the New 36-Hour Breach Notification Rule

by Luke Dembosky, Avi Gesser, Johanna Skrzypczyk, Michael R. Roberts, Andy Gutierrez, and Michelle Huang

As cyberattacks continue to plague U.S. companies, cybersecurity remains a core risk, even for businesses that have invested heavily in technical measures to protect their systems.  As a result, cybersecurity best practices have evolved to include not only preventative measures, but also robust preparations for responding to cyber incidents, so that companies can improve their resilience, decrease the time it takes to detect and effectively respond to an attack, and reduce the overall damage.  Because nearly every company will at some point face a successful attack, regulators, insurers, auditors, and investors view an incident response plan (“IRP”) as a key element of a reasonable cybersecurity program.

Part of the value of an IRP comes from the process of drafting it, which involves making decisions about how an incident will be handled (e.g., who should be drafting communications to impacted employees, who has the authority to shut down parts of the network, which incidents will be escalated to senior management, etc.).  Determining these issues over the course of several weeks while drafting the IRP and consulting with the relevant individuals is much better than working through them for the first time under the stress and time constraints of an actual incident.  Well-drafted IRPs also provide checklists of things to do when an incident occurs (e.g., preserve evidence, contact the FBI, notify the insurer, draft a public statement, determine a point-of-contact for external inquiries, etc.).

A New Era of Federal Trade Commission (“FTC”) Privacy and Cybersecurity Oversight: Top Ten Things Companies Should Know When Assessing FTC Compliance and Exposure

by Luke Dembosky, Avi Gesser, Ted Hassi, Paul D. Rubin, Jim Pastore, Johanna Skrzypczyk, Leah Martin, Melissa Runsten, and Christopher S. Ford

Companies developing FTC compliance programs, or under investigation by the FTC’s Bureau of Consumer Protection, should be aware of significant developments impacting the Commission’s regulatory authority and enforcement priorities.

Despite a number of recent judicial defeats that have significantly hampered the FTC’s ability to obtain: (1) injunctive relief when purported violative behavior is not ongoing; and (2) monetary remedies in federal court under Section 13(b) of the Federal Trade Commission Act (the “FTCA”), new FTC Chair Lina Khan has indicated that the FTC intends to aggressively enforce existing FTC consumer protection laws—and in particular alleged privacy and cybersecurity violations.

Further Clarity on Liability of Local Representatives Under the UK GDPR Expected

by Kelly Hagedorn and Matthew Worby

Companies not established in the UK who process the personal data of UK-based individuals are required to appoint a representative in the UK pursuant to Article 27 of the UK GDPR. This requirement may become less practical (and more expensive), depending on the outcome of a UK Court of Appeal case between Baldo Sansó Rondón and LexisNexis Risk Solutions. The case will reportedly be heard in early 2022.

This case relates to the appointment of representatives under the EU GDPR, but will have significant impact in the UK because the UK GDPR framework contains an identical requirement to appoint a UK-based representative. As noted below, it will be interesting to see how EU jurisdictions subsequently interpret the liability of Article 27 Representatives required under the EU GDPR, in light of the UK paving the way on this issue.

New York Department of Financial Services Issues Final Guidance on Managing the Financial Risks of Climate Change for Insurers

by Marion Leydier, William Torchiana, Roderick Gilman, Sarah Mishkin and Samuel Saunders

On November 15, 2021, the New York State Department of Financial Services (“DFS”) issued detailed final guidance (the “Final Guidance”) addressing how New York domestic insurers should analyze and manage the financial risks of climate change.[1] The Final Guidance builds on the DFS’s proposed climate guidance released in March 2021.[2]

The Final Guidance reflects relatively limited changes from the proposed guidance.  The changes include additional guidance on the time horizon insurers should consider when integrating climate risks into business decisions; how insurers should manage uncertainty related to climate change; and how the guidance applies to insurers that are part of groups. The DFS notes that it expects insurers to implement its guidance relating to board governance and to have specific plans in place to implement the guidance relating to organizational structure by August 15, 2022. The DFS plans to issue further guidance on the timing for implementation of more complex areas that will take insurers longer to implement, such as those relating to risk appetite, analysis of the impact of climate risks on existing risk factors, reflection of climate risks in the Own Risk and Solvency Assessment (“ORSA”), scenario analysis and public disclosure, but the DFS notes that it encourages insurers to begin working on these now.

The Final Guidance comes as U.S. financial regulators and policy makers, including the U.S. Department of Treasury, the U.S. Securities and Exchange Commission (“SEC”) and the Federal Reserve Bank, are focused on the potential systemic risk that climate change poses to the financial sector.[3]

Insurance and other prudential regulators outside of the U.S. are also addressing climate-related risks, and the DFS notes that the Final Guidance is modeled on publications and guidance from international regulators and networks, including the Bank of England Prudential Regulation Authority, the International Association of Insurance Supervisors (“IAIS”), the European Insurance and Occupational Pensions Authority (“EIOPA”), the European Central Bank and the Network for Greening the Financial System.[4]

An overview of recent actions by regulators and lawmakers in the U.S., EU and UK related to climate change and other environmental, social and governance topics is provided in the Firm’s ESG update newsletter, available here.

SEED Findings on the SEC Enforcement Actions Against Public Companies and Their Subsidiaries in Fiscal Year 2021

by Anat Carmy-Wiechman, Giovanni Patti, and Peter Robau

In a new report (PDF: 0.99 MB), the NYU Pollack Center for Law & Business, in collaboration with Cornerstone Research, investigated recent trends in enforcement via the Securities Enforcement Empirical Database (SEED). Below, we highlight some of the key findings.