Author Archives: Sabrina Solow

The SEC’s New Risk Alert Warns about the Use of Alternative Data

by Andrew J. Ceresney, Avi Gesser, Julie M. Riewe, Kristin A. Snyder, Jonathan R. Tuttle, Charu A. Chandrasekhar, and Mengyi Xu

On April 26, 2022, the Division of Examinations (“EXAMS”) of the Securities and Exchange Commission (the “SEC”) issued a Risk Alert titled “Investment Adviser MNPI Compliance Issues” (“Risk Alert”) on the use of alternative data.  The Risk Alert outlines EXAMS’ recent observations on compliance deficiencies related to Section 204A of the Investment Advisers Act of 1940—including deficiencies relating to policies and procedures for alternative data—and Rule 204A-1 (the “Code of Ethics Rule”).  Based on the Risk Alert, and the recent SEC enforcement action in this area, we offer three takeaways for investment advisers to reduce their risk when purchasing and using alternative data.


Utah Joins the Comprehensive State Privacy Law Club

by Avi Gesser, Johanna N. Skrzypczyk, Michael R. Roberts, and Alessandra G. Masciandaro

On March 24, 2022, Utah enacted a comprehensive consumer privacy law, the Utah Consumer Privacy Act (“UCPA”). The UCPA, effective on December 31, 2023, is largely consistent with other comprehensive state privacy laws, but includes several key differences. The UCPA is set to be reviewed by the attorney general, who must submit a report to the legislature by July 1, 2025.

In prior posts, we have written about the evolving state privacy law landscape, including how to prepare for state privacy laws coming into effect in 2023 here; various aspects of the CCPA and CPRA, including here and here; and the Virginia Consumer Data Protection Act (“VCDPA”) here. For purposes of this post, we refer collectively to the CCPA/CPRA, VCDPA, and ColoPA as the “State Privacy Laws.”


The Value of AI Incident Response Plans and Tabletop Exercises

by Avi Gesser, Anna Gressel, Michael R. Roberts, Corey Goldstein, and Erik Rubinstein

Today, it is widely accepted that most large organizations benefit from maintaining a written cybersecurity incident response plan (“CIRP”) to guide their responses to cyberattacks.  For businesses that have invested heavily in artificial intelligence (“AI”), the risks of AI-related incidents and the value of implementing an AI incident response plan (“AIRP”) to help mitigate the impact of AI incidents are often underestimated.


FinCEN and OCC Assess $140 Million in Civil Penalties Against USAA Federal Savings Bank for Failure to Implement and Maintain Anti-Money Laundering Program

by Jonathan J. Rusch

Delay, Thomas Jefferson once wrote, “is preferable to error.”[1] When it comes to corporate compliance, however, significant and unjustified delay in implementing compliance programs can lead not merely to error, but to substantial business costs that can include business disruption, revenue losses, fines, penalties, and settlement costs.[2]

On March 17, the Financial Crimes Enforcement Network (FinCEN) announced that it had imposed a $140 million civil penalty against USAA Federal Savings Bank (USAA FSB) for willful violations of the Bank Secrecy Act (BSA) and its implementing regulations. In particular, USAA FSB admitted “that it willfully failed to implement and maintain an anti‑money laundering (AML) program that met the minimum requirements of the BSA from at least January 2016 through April 2021”, and “that it willfully failed to accurately and timely report thousands of suspicious transactions to FinCEN involving suspicious financial activity by its customers, including customers using personal accounts for apparent criminal activity.”[3]


Compliance Programs Introduced in Response to Enforcement by the Australian Securities and Investments Commission

By Ian Ramsay and Mihika Upadhyaya

Compliance programs are an established feature of the Australian regulatory landscape. The Australian Securities and Investments Commission (ASIC) has, since the early 2000s, regularly settled enforcement actions on the basis that the alleged offender would, among other matters, implement or improve a compliance program. In addition, courts may, on application by ASIC, order a person who has contravened certain sections of the Australian Securities and Investments Commission Act 2001 (ASIC Act) or the Corporations Act 2001 (Corporations Act) to implement a compliance program.


Why Ethical AI Initiatives Need Help from Corporate Compliance

by Avi Gesser, Bruce E. Yannett, Douglas S. Zolkind, Anna R. Gressel, and Adele Stichel

Artificial intelligence (AI) is becoming part of the core business operations at many companies. This widespread adoption of AI has led to a proliferation of corporate “ethical AI” principles and programs, as companies seek to ensure that they are using AI fairly and responsibly, and in a manner consistent with the growing expectations of customers, employees, investors, regulators, and the public.

But ethical AI programs at many companies are struggling. Recent reports of AI ethics leaders being fired, resigning, or bringing whistleblower claims illustrate the friction that is common between ethical AI teams and executives who are trying to gain efficiencies and competitive advantages through the adoption of AI.


Model Destruction – The FTC’s Powerful New AI and Privacy Enforcement Tool

by Avi Gesser, Paul D. Rubin, and Anna R. Gressel

A recent FTC settlement is the latest example of a regulator imposing very significant costs on a company for artificial intelligence (“AI”) or privacy violations by requiring it to destroy algorithms or models. As companies invest millions of dollars in big data and AI projects, and regulators become increasingly concerned about the risks associated with automated decision-making (e.g., privacy, bias, transparency, and explainability), it is important for companies to carefully consider the regulatory risks that are associated with certain data practices. In this Debevoise Data Blog post, we discuss the circumstances in which regulators may require “algorithmic disgorgement” and some best practices for avoiding that outcome.


Prepared Remarks of FinCEN Acting Director Das at the NYU Law Program on Corporate Compliance and Enforcement

Himamauli Das 

NYU Law’s Program on Corporate Compliance and Enforcement (PCCE)
March 25, 2022

Good morning and thank you for inviting me to be a part of your discussions this year. I want to start by thanking Jennifer Arlen and the staff at NYU’s Program on Corporate Compliance and Enforcement for focusing on the effectiveness of corporate compliance programs.

Current events often make clear the importance of compliance programs that are well designed and effective in preventing bad actors from exploiting the financial system. As the pandemic began to unfold in 2020, FinCEN pivoted its efforts to focus on the effects that COVID-19 was having on a range of illicit finance threats around the world. We issued guidance and advisories to advise financial institutions of trends that we were seeing related to COVID-19 medical fraud, imposter scams, cyber-enabled crime, and the defrauding of the unemployment insurance system. And, we assisted law enforcement and financial institutions in the recovery of stolen funds via fraud and other COVID-19 related crimes.


Data Minimization – Recent Enforcement Actions Show Why Some Companies Need to Get Rid of Old Electronic Records

by Avi Gesser, Johanna Skrzypczyk, and Michael R. Roberts

Since we last wrote about data minimization, there have been several regulatory developments that illustrate the increasing operational and regulatory risks of keeping large volumes of old data. As cyber threats continue to grow, and consumers gain more privacy rights over their personal data, businesses need robust data minimization programs that can significantly reduce the amount of sensitive data they collect and maintain. In this post, we discuss recent enforcement actions and regulatory requirements for getting rid of old data and offer six tips for complying with these developing obligations.


District Court Addresses Issues Arising from Corporate Investigations and Voluntary Cooperation with DOJ

by Andrew M. Levine, Jane Shvets, and Bruce Yannett

A judge in the District Court of New Jersey recently held that voluntary cooperation with a DOJ investigation is insufficient by itself to establish personal jurisdiction over a foreign entity but can broadly waive privilege. This ruling, issued on February 1, 2022 by Judge Kevin McNulty, involves the ongoing trial of former Cognizant executives Gordon Coburn and Steven Schwartz.[1] Coburn and Schwartz allegedly violated the Foreign Corrupt Practices Act (the “FCPA”) in connection with Cognizant’s business in India, the basis of Cognizant’s settlement with the SEC and its declination with disgorgement with DOJ in 2019.[2]
