Author Archives: Michelle Louise Austin

Employers Take Note: State AGs Urge FTC to Step Up Scrutiny of Employee Restrictions

by Debbie L. Berman, Andrew W. Vail, Aaron J. Hersh, and Amit B. Patel

Eighteen state attorneys general are increasing their activism, looking for additional tools to challenge employers’ restrictions on employees.  In addition to potential state law tools, they now are urging the Federal Trade Commission to increase antitrust enforcement to try to invalidate or severely limit the use of non-compete agreements, no-poach agreements and merger activity.  Employers should take note that government enforcers may be increasingly focused not just on antitrust issues affecting consumers, but also as they relate to the marketplace for workers. Continue reading

Anti-Money Laundering and Sanctions: Trends and Developments Emerging Under the Trump Administration

By David S. Cohen, Franca Harris Gutierrez, Sharon Cohen Levin, Ronald I. Meltzer, Jeremy Dresner, David M. Horn, Zachary Goldman, Michael Romais and Semira Nikou

I. Executive Summary

Bank Secrecy Act/anti-money laundering (BSA/AML) and sanctions matters continue to be a core focus of regulators, law enforcement agencies, policymakers and Congress, and the story of the Obama and Trump Administrations on AML and sanctions is one of general continuity. Policymakers are turning to sanctions with increasing frequency and launching programs that are increasingly complex, and regulatory and enforcement agencies are devoting significant resources and attention to AML. Congress continues to debate BSA reform, while the Treasury Department and federal banking regulators have encouraged financial institutions to use technology to support BSA compliance, in the hope of making the process more effective and efficient.

As Congress, the executive branch and regulators all continue to focus a great deal of attention on AML and sanctions issues, the expectations of financial institutions to prevent financial crime are growing. Sanctions regulations are becoming more numerous, are reaching more deeply into securities markets and are branching into new areas of technology—such as cryptocurrency. Simultaneously, the AML regime’s push toward greater transparency in a number of contexts, from virtual currency regulation to beneficial ownership reform, means that financial institutions will shoulder greater responsibility for knowing their customers and their customers’ activities. Strict distinctions among different categories of financial crime are starting to collapse, as an increasing number of sanctions programs and FinCEN advisories focus on issues such as corruption and misappropriation of assets by politically exposed persons (PEPs). Continue reading

PCCE Seeking New Executive Director

After a wonderful and successful year, PCCE’s current Executive Director, Allison Caffarone ’03, will be stepping down to join Hofstra Law School. Allison was a tremendous addition to PCCE. Among other things, she was responsible for organizing our two most recent events, The New Face of AML Enforcement and Compliance and A New Model for Incentivizing Antitrust Compliance Programs.  She also is organizing (and will stay to finalize) our fall conference.  Please join us in recognizing Allison’s hard work. Thank you Allison for everything you did during your time here as PCCE’s Executive Director.

In light of Allison’s imminent departure, PCCE is seeking a new Executive Director. We are looking for people with enforcement experience and are open to speaking with people transitioning out of the government and into private practice. While we would prefer a candidate who would be interested in working with us long term, we are willing to work with short-term arrangements as well. We would need the candidate to be able to start anywhere between now and October 12, 2019.

A full description of the job is below: Continue reading

CFTC Releases Enforcement Manual in Hopes of Increasing Transparency

by Paul M. ArchitzelElizabeth L. Mitchell, Petal P. WalkerMatthew Beville, and Seth Davis

Intending to bring greater transparency to the operation of its enforcement program, the Commodity Futures Trading Commission’s (CFTC or Commission) Division of Enforcement (the Division) recently, for the first time, made public its Enforcement Manual (Manual).[1] The Manual provides market participants, industry professionals and the enforcement bar with insights into the Division’s detections, investigations, and pursuit of violations (and potential violations) of the Commodity Exchange Act (CEA) and the regulations thereunder. According to CFTC Director of Enforcement James McDonald, this move is intended to “promote fairness, increase predictability, and enhance respect for the rule of law.”

The public release of the Manual brings CFTC practice in line with those of other enforcement agencies, including the Department of Justice and the Securities and Exchange Commission (SEC).[2] The Manual provides a roadmap of the life cycle of a CFTC enforcement action, from the opening of an investigation through the Wells process to resolution. Although the Manual provides broad insight into the general policies and procedures that guide the work of the Division’s Staff, it does not provide concrete guidance on how those general policies may be applied in particular cases. 

Below, we highlight several of the Manual’s more significant provisions. Continue reading

French Anti-Corruption Authority Raises Alarm About M&A Transactions

by Antoine F. Kirry, Frederick T. Davis, and Alexandre Bisch

The French Anti-Corruption Authority (AFA) is zeroing in on corruption risks hidden in acquisition targets of French companies, in France and overseas.

In a statement reported yesterday, AFA representatives alerted would-be acquirers to the need to conduct in depth pre-acquisition anti-corruption due-diligences.  The AFA observed that most companies and investment bankers seem insufficiently aware of this need, and urged them not to underestimate the reputational damage that may result from potential corruption issues in target companies, in addition to potential sanctions. Continue reading

Ephemeral Messaging for Businesses: Balancing the Risks of Keeping and Deleting Data by Default

by Avi Gesser, Daniel F. Forester, and Mengyi Xu

One way for companies to decrease their cybersecurity risks, as well as their risks from new privacy regulations, is through data minimization—significantly reducing the amount of their data.  By deleting old data and collecting less new data, companies will have less sensitive information to protect and process in accordance with their regulatory obligations.  But getting rid of old data isn’t easy, in part because of the legal limitations on what can be deleted.  We have previously written about these challenges, as well as the benefits of data minimization, which include reducing:

  • the growth of a company’s data over time, and the associated storage costs;
  • lost productivity associated with searching large volumes of irrelevant data;
  • the cybersecurity and privacy risks of having large volumes of unneeded data, especially considering CCPA and GDPR-type rights of access and erasure;
  • internal audit and compliance risks;
  • contractual risks (e.g., obligations to clients and customers to delete data once it is no longer needed); and
  • the volume of documents that may be unhelpful to the company in potential, but not yet reasonably anticipated, litigation or regulatory inquiries.

Continue reading

The FTC Moves Toward a Rules-Based Approach to Cybersecurity Regulation for Financial Institutions

by Avi Gesser, Kelsey Clark, Jennifer E. Kerslake, and Eric McLaughlin

In our first Cyber Blog post, we predicted that the rules-based approach adopted by the NYDFS would become the model for cybersecurity regulation.  Two years later, we’re feeling pretty good about that prediction, as the FTC recently proposed incorporating a number of aspects of the NYDFS cybersecurity rules into its Standards for Safeguarding Customer Information rule (the “Safeguards Rule”).  The proposal would also expand the Safeguards Rule’s definition of “financial institution” to include “finders,” or companies that connect potential parties to a transaction.  As a reminder, the Safeguards Rule applies to financial institutions that are not regulated by the federal banking agencies, the SEC, or state insurance authorities, including non-bank mortgage lenders, payday lenders, finance companies, check cashers, money transmitters, collection firms, and tax preparers. Continue reading

Energy Market Manipulation Remains a Hot Issue at FERC

by Jonathan G. Cedarbaum, H. David Gold, and Nathaniel B. Custer

Since the passage of the Energy Policy Act of 2005, fraud and market manipulation have been top enforcement priorities of the Federal Energy Regulatory Commission (FERC or the Commission).  FERC’s most recent annual report on enforcement (PDF: 2.72 MB) shows that, in fiscal year 2018, FERC opened some 16 investigations into market manipulation (out of 24 total) and recovered almost $150 million in civil penalties and disgorgement of profits, much of which was from market manipulation cases. 

Recent case law, meanwhile, indicates that courts interpret FERC’s authority in this sphere permissively. The courts, for example, have sided with FERC in allowing considerable time to bring enforcement actions in market manipulation cases, notwithstanding statute of limitations defenses raised by the regulated entities subject to enforcement. 

Energy companies and other businesses subject to FERC’s enforcement authority should continue to monitor developments in this area and make sure that their compliance programs are up to date. Continue reading

CFTC Enters the Market for Anti-Corruption Enforcement

by Alice S. Fisher, Douglas K. Yatter, William R. Baker III, Douglas N. Greenburg, Robyn J. Greenberg, and Benjamin A. Dozier

New enforcement advisory encourages reporting of foreign corrupt practices that the agency intends to pursue under the Commodity Exchange Act.

On March 6, 2019, the Division of Enforcement (Division) of the US Commodity Futures Trading Commission (CFTC or Commission) announced that it will work alongside the US Department of Justice (DOJ) and the US Securities and Exchange Commission (SEC) to investigate foreign bribery and corruption relating to commodities markets.[1] CFTC Enforcement Director James McDonald announced the agency’s new interest in this area as the Division issued an enforcement advisory on self-reporting and cooperation for violations of the Commodity Exchange Act (CEA) involving foreign corrupt practices.[2]

For companies and individuals who participate in the markets for commodities and derivatives — or whose activities may impact those markets — the CFTC announcement adds a new dimension to an already crowded and complex landscape for anti-corruption enforcement. A range of industries, including energy, agriculture, metals, financial services, cryptocurrencies, and beyond, must now consider the CFTC and the CEA when assessing global compliance and enforcement risks relating to bribery and corruption. This article summarizes the new developments and outlines key considerations for industry participants and their legal and compliance teams. Continue reading

The Weakness in Two-Factor Authentication—Your Lost Phone Policy

by Avi Gesser, John R. Kapp, and Michelle Adler

Two-Factor authentication is one of the most common measures that companies use to reduce cyber risk, but it is not very effective if companies don’t also have a good lost phone protocols.

Various regulations and industry rules require two-factor authentication (also referred to as multi-factor authentication or MFA) including the NYDFS cyber rules (PDF: 97.5 KB), the NIST identification and authentication requirements, the Payment Card Industry (PDF: 1.05 MB) (“PCI”) Data Security Standard 8.3, as well as the proposed amendments to GLBA.

MFA involves confirming that a purposed user of a certain login credential and password is actually the authorized user, by employing an additional verification method, such as a passcode sent to an employee’s phone by text message or through an authenticator app like Duo or Google Authenticator.  But, not all forms of verification are equal.  In 2016, the NIST considered not recommending SMS messages as a form of second-factor authentication due to their susceptibility to being redirected by attackers. Continue reading