Category Archives: Compliance

Incoming DFS Chief Calls Cyber the “Number One Threat” Facing Industry and Government

by Craig A. Newman and Alejandro H. Cruz

The incoming chief of New York’s top financial services regulator called cybersecurity “the number one threat facing all industries and governments globally” during a speech on Friday, April 12, 2019 at the Association of the Bar of the City of New York.

Linda Lacewell, acting superintendent of the New York State Department of Financial Services (“DFS”), made her remarks at an event focused on insurance regulation, and they come at a time when the state’s sweeping cybersecurity regulation — initially implemented more than two years ago — is now in full force. Lacewell, a former federal prosecutor, was nominated in January 2019 by New York Governor Andrew Cuomo to head DFS, which oversees banking and insurance in the state. Lacewell was Cuomo’s chief of staff. Her confirmation has not yet been scheduled.

Teaching Compliance Part I of III

by Veronica Root Martinez 

This is the first in what is a three-part series of blog posts describing my experience teaching compliance at Notre Dame Law School.

I first began teaching a compliance course in the fall of 2015.  At the time, there were not many compliance courses being taught within law schools, and I was aware of only one casebook on the subject.  I began, as many professors do, by gathering syllabi from individuals currently teaching the topic.  Most of the syllabi I was able to obtain were of courses taught by practitioners that included significant skills-based components, which, although valuable, was not where I wanted to focus.

Instead, I decided to tackle teaching the course in a manner that I hoped would allow students to think through the different roles they might play within compliance efforts, followed by a few classes dedicated to specific compliance areas in an attempt to allow students to better understand how their role might look in practice.  To do so, I draw on enforcement, compliance, behavioural ethics, and professional responsibility materials.  Each class session has one dedicated case study to help students understand the concept being presented.

DOJ Updates FCPA Corporate Enforcement Policy

By Jonathan S. Kolodner, Lisa Vicens, and Lorena Michelen

In a recent speech at the annual ABA White Collar Crime Conference in New Orleans, Assistant Attorney General Brian Benczkowski of the Criminal Division of the Department of Justice (“DOJ”) announced certain changes to the FCPA Corporate Enforcement Policy (“the Enforcement Policy” or “Policy”) to address issues that the DOJ had identified since its implementation.[1]  These and other recent updates have since been codified in a revised Enforcement Policy in the Justice Manual.[2] 

The Enforcement Policy, first announced by the DOJ in November 2017, was initially applicable only to violations of the FCPA, but was subsequently extended to all white collar matters handled by the Criminal Division.[3]  The Policy was designed to encourage companies to voluntarily self-disclose misconduct by providing more transparency as to the credit a company could receive for self-reporting and fully cooperating with the DOJ.  Among other things, the Enforcement Policy provides a presumption that the DOJ will decline to prosecute companies that meet the DOJ’s requirements of “voluntary self-disclosure,” “full cooperation,” and “timely and appropriate remediation,” absent “aggravating circumstances” – i.e., circumstances relating to the seriousness or frequency of the violation.  For more information on the Enforcement Policy, read our blog post explaining it.

The most significant recent changes to the Enforcement Policy include eliminating the prohibition on a company’s use of ephemeral instant messaging applications as a condition of receiving full credit for “timely and appropriate remediation.”  Additionally, the modified Enforcement Policy (1) now makes clear that one requirement of cooperation, de-confliction of witness interviews, should not interfere with a company’s internal investigation; (2) confirms, based on an earlier announcement, that the Policy applies in the context of a merger and acquisition (“M&A”) if an acquiring company discovers and self-discloses misconduct in a target; and (3) implements a change announced months earlier by the Deputy Attorney General that a company need only provide information about individuals “substantially involved” in the offense.  These changes are discussed in greater detail below.

OFAC Takes Enforcement Action Against U.S. Parent Company for its Recently Acquired Chinese Subsidiary’s Iran Sanctions Violations

by Brad S. Karp, H. Christopher Boehning, Jessica S. Carey, Christopher D. Frey, Michael E. Gertzman, Roberto J. Gonzalez, Richard S. Elliott, Rachel M. Fiorill, Karen R. King, Joshua R. Thompson

Enforcement Action Shows the Importance of Pre-Acquisition Sanctions Due Diligence and Post-Acquisition Sanctions Compliance Enhancements

On March 27, 2019, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) announced a $1,869,144 settlement agreement with Connecticut-based Stanley Black & Decker, Inc. (“Stanley Black & Decker”), a manufacturer of industrial tools and household hardware, regarding 23 apparent violations of OFAC’s Iran sanctions regulations.[1] OFAC determined that Stanley Black & Decker’s Chinese subsidiary, Jiangsu Guoqiang Tools Co. Ltd. (“GQ”), knowingly provided power tools and spare parts to Iranian end-users.[2] According to OFAC, GQ’s shipments were made via third-party intermediaries, located in the United Arab Emirates and China, with the knowledge that the products were ultimately destined for Iran.[3]  Under U.S. law, non-U.S. companies owned or controlled by U.S. companies are required to adhere to Iran sanctions as if they were U.S. persons.  The settlement, along with the Kollmorgen Corporation (“Kollmorgen”) settlement in February 2019, signals the Trump Administration’s willingness to hold U.S. parent companies liable for their subsidiaries’ Iran sanctions violations, an area that had seen little enforcement activity prior to this year.

In Precedent-Setting Case, Two Senior Corporate Executives Indicted for Failure to Report Under the Consumer Product Safety Act

by Jonathan J. Rusch

On March 29, the U.S. Department of Justice announced that on March 28, a federal grand jury in the Central District of California had indicted two senior corporate executives, along with two corporations, on multiple counts for their roles in a scheme involving defective and dangerous dehumidifiers made in China.  Simon Chu and Charley Loh, who served respectively as part owners, chief administrative officer, and chief executive officer of the same two corporations in California, were charged with (1) conspiracy (a) to commit wire fraud, (b) to fail to furnish information under the Consumer Product Safety Act (CPSA), and (c) to defraud the U.S. Consumer Product Safety Commission (CPSC); (2) wire fraud; and (3) failure to furnish information under the CPSA.  The Department indicated this was the first time that any individual had been criminally charged for failure to report under the CPSA.

Cyber Monitoring Employees Part 2 – Insider Threats Continue After Employees Leave

By

We recently wrote about companies monitoring employees to reduce cybersecurity risks.  Those insider threat risks do not end when employees leave the company.  Sensitive company data in the hands of a disgruntled former employee is obviously a potential risk, but so is unauthorized access to confidential company information by a former employee acting in good faith.  Companies must therefore take steps to protect their data from walking out the door with exiting employees.

Energy Market Manipulation Remains a Hot Issue at FERC

by Jonathan G. Cedarbaum, H. David Gold, and Nathaniel B. Custer

Since the passage of the Energy Policy Act of 2005, fraud and market manipulation have been top enforcement priorities of the Federal Energy Regulatory Commission (FERC or the Commission).  FERC’s most recent annual report on enforcement (PDF: 2.72 MB) shows that, in fiscal year 2018, FERC opened some 16 investigations into market manipulation (out of 24 total) and recovered almost $150 million in civil penalties and disgorgement of profits, much of which was from market manipulation cases. 

Recent case law, meanwhile, indicates that courts interpret FERC’s authority in this sphere permissively. The courts, for example, have sided with FERC in allowing considerable time to bring enforcement actions in market manipulation cases, notwithstanding statute of limitations defenses raised by the regulated entities subject to enforcement. 

Energy companies and other businesses subject to FERC’s enforcement authority should continue to monitor developments in this area and make sure that their compliance programs are up to date.

CFTC Enters the Market for Anti-Corruption Enforcement

by Alice S. Fisher, Douglas K. Yatter, William R. Baker III, Douglas N. Greenburg, Robyn J. Greenberg, and Benjamin A. Dozier

New enforcement advisory encourages reporting of foreign corrupt practices that the agency intends to pursue under the Commodity Exchange Act.

On March 6, 2019, the Division of Enforcement (Division) of the US Commodity Futures Trading Commission (CFTC or Commission) announced that it will work alongside the US Department of Justice (DOJ) and the US Securities and Exchange Commission (SEC) to investigate foreign bribery and corruption relating to commodities markets.[1] CFTC Enforcement Director James McDonald announced the agency’s new interest in this area as the Division issued an enforcement advisory on self-reporting and cooperation for violations of the Commodity Exchange Act (CEA) involving foreign corrupt practices.[2]

For companies and individuals who participate in the markets for commodities and derivatives — or whose activities may impact those markets — the CFTC announcement adds a new dimension to an already crowded and complex landscape for anti-corruption enforcement. A range of industries, including energy, agriculture, metals, financial services, cryptocurrencies, and beyond, must now consider the CFTC and the CEA when assessing global compliance and enforcement risks relating to bribery and corruption. This article summarizes the new developments and outlines key considerations for industry participants and their legal and compliance teams.

The Weakness in Two-Factor Authentication—Your Lost Phone Policy

by Avi Gesser, John R. Kapp, and Michelle Adler

Two-factor authentication is one of the most common measures that companies use to reduce cyber risk, but it is not very effective if companies don’t also have good lost-phone protocols.

Various regulations and industry rules require two-factor authentication (also referred to as multi-factor authentication or MFA), including the NYDFS cyber rules (PDF: 97.5 KB), the NIST identification and authentication requirements, the Payment Card Industry (“PCI”) Data Security Standard requirement 8.3 (PDF: 1.05 MB), and the proposed amendments to GLBA.

MFA involves confirming that the purported user of a given login credential and password is actually the authorized user by employing an additional verification method, such as a passcode sent to an employee’s phone by text message or generated by an authenticator app like Duo or Google Authenticator.  But not all forms of verification are equal.  In 2016, NIST considered no longer recommending SMS messages as a second authentication factor because of their susceptibility to being redirected by attackers.

NFA Members Should Prepare for Onerous New Breach Notification Requirements

by Avi Gesser, Jai Massari, Kelsey Clark, and Daniela Dekhtyar-McCarthy

On April 1, 2019, new cybersecurity requirements outlined in the NFA’s Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49 will come into effect.  These new requirements apply to NFA Members, including registered futures commission merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, and swap dealers.  They are designed to “establish general requirements relating to Members’ information systems security programs (ISSPs) but leave the exact form of an ISSP up to each Member.”  These ISSP obligations relate to, among other things, approval and third-party cyber diligence (see our previous blog post).

Perhaps the most significant new obligation is the imposition of onerous breach notification requirements, which require NFA Members to notify the NFA “promptly” of any cybersecurity incident related to their commodity interest business that results in:

  • any loss of customer or counterparty funds;
  • any loss of an NFA Member’s own capital; or
  • the NFA Member providing notice to customers or counterparties under state or federal law.
