Author Archives: Joseph P Facciponti

Second Circuit: Crypto Exchange Binance Subject to U.S. Securities Laws to Avoid a Regulatory Vacuum

by David Livshiz, Timothy Howard, Andrew Gladstein, Peter Linken, Jacob Johnston, and Seve Kale

Left to right: David Livshiz, Timothy Howard, Andrew Gladstein, Peter Linken, and Seve Kale (photos courtesy of authors)

A recent Second Circuit decision underscores that decentralized crypto exchanges with no claimed “home” jurisdiction face a substantial likelihood of exposure to U.S. securities laws. In Williams v. Binance, 96 F.4th 129 (2d Cir. 2024), the Second Circuit held plaintiffs adequately alleged crypto token purchases made on Binance’s trading platform by U.S. persons were domestic transactions and subject to U.S. securities laws on two independent grounds. First, it was plausible that plaintiffs’ purchase orders were matched with sellers on servers located in the U.S. Second, Binance’s Terms of Use stated orders became irrevocable once they were sent to Binance, which the plaintiffs alleged occurred from their homes in the United States. The Court’s extraterritoriality analysis focused on Binance’s express disclaimer of a physical presence or geographical headquarters and the inapplicability of any other country’s securities regime. These factors created the possibility of a regulatory vacuum absent imposition of U.S. securities laws. Underscoring this point, the Court reasoned that “[e]ven if the Binance exchange lacks a physical location, the answer to where [it matches transactions] cannot be ‘nowhere.’” Williams, 96 F.4th at 138.

It will take years before the full implications of Williams become clear; but what is already clear is that U.S. courts are likely to be skeptical of corporate structures that appear to leave a company immune from litigation anywhere. This skepticism is particularly relevant to crypto exchanges and other decentralized actors, which may not have or maintain a traditional “home” jurisdiction or base. Such decentralized actors may wish to consider taking steps to reduce the risk of exposure to U.S. securities laws, including affirmatively establishing a domicile outside the U.S. by opening a non-U.S. office or otherwise formally submitting to regulation by another nation, using servers data centers, and other computer network infrastructure outside of the United States, and drafting terms of service or other contractual agreements to provide that transactions become irrevocable in a location outside the U.S.

Continue reading →

Strategic Communications Considerations When a Government Investigation Becomes Public Through Voluntary Self-Reporting or Other Means

by Cari Robinson

Photo courtesy of the author

The SEC, DOJ, and nationwide USAOs are increasingly encouraging organizations to self-report misconduct, fully cooperate with authorities, and meaningfully remediate. In return, companies may receive reduced penalties, up to and including a government agreement not to criminally prosecute and a declination to bring a civil enforcement action.

However, in addition to being costly and time-consuming, self-reporting presents reputational risks. There also is always a possibility that a sensitive matter will leak. In any event, having complementary legal and crisis communications strategies in place can help companies avoid costly missteps and mitigate reputational damage.

Continue reading →

SEC Staff Provides Guidance on Cyber Form 8-K Reporting

by Scott Kimpel

Photo courtesy of Hunton Andrews Kurth LLP

On May 21, 2024, staff of the U.S. Securities and Exchange Commission (“SEC”) published additional interpretive guidance on reporting material cybersecurity incidents under Form 8-K.

Since December 18, 2023, when the SEC’s rules for reporting material cybersecurity incidents under Item 1.05 on Form 8-K took effect, we have identified 17 separate companies that have made disclosures under the new rules. Since that date, several other companies also have made disclosures regarding cybersecurity incidents under other Form 8-K items. A large majority of those companies reporting under Item 1.05 have either not yet determined that the triggering incident was material, or determined that the event was in fact immaterial.

Continue reading →

BIS Primes the Corporate Enforcement Engine: A Fresh Look at What Recent BIS Actions & Statements Mean and a Proposed Framework for How U.S. Companies Can Best Prepare

by Brent Carlson and Michael Huneke

From left to right: Brent Carlson and Michael Huneke (Photos courtesy of authors)

The risk of corporate criminal enforcement actions for export controls evasion or diversion is significantly increasing. Recent actions and statements by the Department of Commerce’s Bureau of Industry & Security (“BIS”) suggest that, beyond saber-rattling, BIS is deliberately priming the corporate enforcement engine with the fuel for an enforcement wave that will follow the Foreign Corrupt Practices Act (“FCPA”) “playbook” that the U.S. Department of Justice (“DOJ”) has successfully deployed for the last two decades.

The fuel comes in the form of official, multiagency guidance documents and other actions that describe circumstances indicating a “high probability” of misconduct, which as we have previously written is a freestanding basis for enforcement actions under both the FCPA and the Export Administration Regulations (“EAR”).[1] Such agency actions by BIS notably include the issuance to U.S. companies of lists of counterparties under cover of what BIS officials describe as “red flag” letters. Since our prior analysis,[2] BIS has reemphasized the significance of such letters and underscored the importance of how U.S. companies respond.

Continue reading →

FinCEN and SEC Move Closer to New AML Requirements for Investment Advisers & ERAs

by Joel M. Cohen, Claudette Druehl, Marietou Diouf, Tami Stark, Prat Vallabhaneni, and Robert DeNault

Top: Joel M. Cohen, Claudette Druehl, and Marietou Diouf
Bottom: Tami Stark, Prat Vallabhaneni, and Robert DeNault
(Photos courtesy of White & Case LLP)

On May 13, 2024, FinCEN and the SEC jointly proposed a new rule that would require SEC-registered investment advisers and exempt reporting advisers to maintain written customer identification programs (CIPs). The new rule supplements a proposal in February to impose requirements on investment advisers similar to those that have existed for broker-dealers since 2001, as a means to address illicit finance and national security threats in the asset management industry.

For investment advisers who do not currently have an AML/CFT program, this compliance obligation will create a large shift in the way they operate. This will require significant legal time and attention, but it will be time well spent considering potential regulatory exposure and likely indemnification obligations which flow through commercial agreements in favor of counterparties.

Continue reading →

Biden National Security Memorandum Bolsters CISA Role for Cybersecurity Oversight in Critical Infrastructure

by Beth Burgin Waller and Patrick J. Austin

Beth Burgin Waller and Patrick J. Austin (photos courtesy of Woods Rogers Vandeventer Black PLC)

The Biden Administration recently rolled out a new critical infrastructure memorandum, titled National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22) which is intended to set forth the role of the federal government, including responsibilities for specific federal agencies, in protecting U.S. critical infrastructure.

NSM-22 serves to supplant PPD-21, formally known as the Presidential Policy Directive — Critical Infrastructure Security and Resilience (pdf). PPD-21, a memorandum issued during the Obama Administration, designated 16 critical infrastructure sectors that will be subject to additional oversight through the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Pursuant to CIRCIA, entities operating in critical infrastructure sectors will be obligated to report “covered cyber incidents” within 72 hours of the entity developing a reasonable belief that a cyber incident occurred. In addition, critical infrastructure entities must report ransom payments within 24 hours after a payment is made. CIRCIA delegated rulemaking authority to the Cybersecurity and Infrastructure Security Agency (CISA). We wrote about CISA’s proposed rule containing cyber incident reporting requirements in a recent article.

Continue reading →

Keeping Deferred Corporate Charges Deferred: Some Dos and Don’ts

by John Savarese, Randall Jackson, and Michael Holt

Left to right: John Savarese, Randall Jackson, and Michael Holt (Photos courtesy of Wachtell, Lipton, Rosen & Katz)

At the heart of every white-collar deferred prosecution agreement (DPA) is the deferral of filed criminal charges and a promise by DOJ to dismiss those charges at the end of a fixed term if the company has lived up to its remedial and other commitments. Breaches of these agreements are rare. But DOJ’s recent letter advising the U.S. District Court for the Northern District of Texas that Boeing breached its obligations under a January 2021 DPA (entered into with DOJ to resolve criminal charges relating to Boeing’s mishandling of FAA reporting concerning its 737 MAX aircraft following fatal crashes of two of those planes) provides a telling reminder of the critical need for companies to design and carry out an effective and comprehensive plan to abide by all terms established under a DPA.

Continue reading →

Crypto Experts React to Recent SDNY Ethereum Fraud Indictment

The NYU Law Program on Corporate Compliance and Enforcement (PCCE) is following the U.S. Attorney’s Office for the Southern District of New York’s recent indictment of two individuals for allegedly attacking and stealing $25 million from the Ethereum blockchain. The indictment in the case, United States v. Peraire-Bueno, 24 Cr. 293 (SDNY), is available here. Below, several crypto experts and former prosecutors provide their reactions to the case.

Left to right: Maria Vullo, Daniel Payne, Elizabeth Roper, Usman Sheikh, Justin Herring, and Robertson Park (photos courtesy of the authors)

Continue reading →

Two New Keynote Speakers Added to PCCE’s 4th Annual Directors’ Academy

Matthew Olsen and Ismail Ramsey

We are honored to announce that Matthew Olsen, the Assistant Attorney General for the National Security Division at the U.S. Department of Justice, and Ismail Ramsey, the U.S. Attorney for the Northern District of California, will be additional keynote speakers at our 4^th Annual Directors’ Academy at NYU School of Law on October 31st and November 1st, 2024. The agenda and registration portal are available here.

Olsen, who leads the DOJ’s mission to combat terrorism, espionage, cyber crime, and other threats to the national security, and Ramsey, who, as U.S. Attorney for Northern California, is colloquially known as the “Sheriff of Silicon Valley,” overseeing investigations and cases concerning the leading technology companies in the world, will participate in a keynote and fireside chat titled New and Persistent Cyber Threats Overlooked by Boards and Management: Lessons for Boards. The session, which will take place on October 31st, will focus on providing board directors and senior management with the information they need to identify and manage the most critical cyber and national security-related threats to their firms, include the theft of intellectual property. It will be followed immediately by an expert panel to discuss board governance and oversight of cybersecurity. Both sessions will be moderated by Joseph Facciponti, PCCE’s Executive Director and former cybercrime prosecutor at the U.S. Attorney’s Office for the Southern District of New York.

Continue reading →

Former Aide to Madagascan President Sentenced for Soliciting Bribes Under UK Bribery Act

by Pamela Reddy, Robin Spedding, and Matthew Unsworth

Left to Right: Pamela Reddy, Robin Spedding, and Matthew Unsworth (photos courtesy of Latham & Watkins LLP)

Sentencing of Romy Andrianarisoa, the first ever foreign public official to be convicted under the UK Bribery Act of 2010, provides important takeaways.

On 10 May 2024, Romy Andrianarisoa was sentenced to three and a half years’ imprisonment for soliciting bribes contrary to Section 2 of the Bribery Act 2010 (Bribery Act). Andrianarisoa, former Chief of Staff to President Andry Rajoelina of Madagascar, requested substantial cash payments in exchange for helping UK-headquartered Gemfields Group Ltd (Gemfields) secure mining rights in the country. Her associate, French national Philippe Tabuteau, was also handed a 27-month sentence for his role in the scheme.

Continue reading →