Category Archives: Corporate Compliance

You Want What?: Responding to Individual Requests Under the GDPR

 by Jeremy Feigelson, Jane Shvets, and Christopher Garrett

With the EU General Data Protection Regulation (“GDPR”) in force for less than two months, many companies are already experiencing an increase in requests from individuals seeking to obtain a copy, or request correction or erasure, of their personal data under Articles 15 to 17 of the GDPR.

Do we have to respond?

Yes. A response is required even if the response is that the company will not honour the request because a relevant exemption applies. Continue reading

CFTC Announces Two Significant Awards By Whistleblower Program

by Breon S. Peace, Nowell D. Bamberger, and Patrick C. Swiber

On July 12 and 16, 2018, the U.S. Commodity Futures Trading Commission (“CFTC”) announced two awards to whistleblowers, one its largest-ever award, approximately $30 million, and another its first award to a whistleblower living in a foreign country.[1]  These awards—along with recent proposed changes meant to bolster the Securities and Exchange Commission’s (“SEC” or “Commission”) own whistleblower regime—demonstrate that such programs likely will continue to be significant parts of the enforcement programs of both agencies and necessarily help shape their enforcement agendas in the coming years.

The Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) authorized the CFTC to pay awards of between 10 and 30 percent to whistleblowers who voluntarily provide original information to the CFTC leading to the successful enforcement of an action resulting in monetary sanctions exceeding $1 million.[2]  Following the introduction of implementing rules, the CFTC’s program became effective in October 2011.  Over the next six-and-a-half years, the CFTC has paid whistleblower bounties on only four prior occasions, with awards ranging from $50,000 to $10 million.  The $30 million award announced last week, thus, reflects a significant increase.  This week’s award to a foreign whistleblower also represents another first for the CFTC’s program and reflects the global scope of the program. Continue reading

UK Financial Conduct Authority Issues Near-Final Rules on Extension of Senior Managers and Certification Regime and Introduces New Financial Services Directory

by Karolos Seeger, Simon Witney, and Andrew Lee

Following the consultation papers published in July and December 2017, the UK Financial Conduct Authority (“FCA”) on 4 July 2018 provided responses to the industry feedback it received and issued near-final rules on extending the Senior Managers and Certification Regime (“SMCR”) to almost all FCA-regulated firms.[1] Notably, the FCA has confirmed that the new rules will apply from 9 December 2019. We summarise below the limited changes from the FCA’s initial SMCR proposals, the main features of which have been covered in our previous client updates.[2]

In addition, the FCA has published a consultation paper regarding the introduction of a new directory of financial services workers (the “Directory”).[3] This will be available from 10 December 2019 for banks, building societies, credit unions and insurers, and from 9 December 2020 for all other firms. The key aspects of the Directory and firms’ significant related notification obligations are outlined below. Continue reading

Department of Justice Offers Incentive for Antitrust-Based Corporate Compliance

by Michael W. Peregrine and Mary N. Strimel

Board-level audit and compliance committees should support efforts to revise the organizational compliance plan to incorporate specific provisions focused on antitrust law-related guidelines.  This is especially important given the Department of Justice’s (“DOJ”) plans to credit pre-existing compliance programs that incorporate such provisions.  A company’s General Counsel, perhaps teaming with the Chief Compliance Officer, can support the committee in this initiative.

In a recent speech,[1] Principal Deputy Assistant Attorney General (“DAAG”) Andrew Finch stated that the Antitrust Division is examining whether, and to what extent, to recognize and credit pre-existing compliance programs, potentially during charging or at sentencing.  This consideration might mirror the approach taken by the Canadian Competition Bureau, which announced last month that it would recommend fine discounts of up to 20% for companies that have a “credible and effective” compliance program.[2]  Continue reading

Governance and Culture – The Conversation Boards are Having Now

by Ben Morgan and Holly Insley

Corporate governance has long been an area of focus for boards and recent proposals in the UK have ensured that this remains the case.

The Financial Reporting Council consulted in late 2017 on proposed changes to its Corporate Governance Code for quoted companies.  The final text of the changes is expected to be published this summer, for introduction in 2019. 

The focus on governance extends beyond the quoted company arena.  Legislation laid before Parliament in June 2018 will, amongst other things, require large UK private companies to disclose in their annual directors’ report details of the corporate governance arrangements they have operated during the previous year. At the same time, a consultation has been launched on proposed corporate governance principles for large private companies, which the government hopes will be adopted by those companies as an appropriate framework when complying with the new governance-related reporting requirement. Continue reading

Potholes in Compliance: Hidden Risks Under Rule 506(d)’s Bad Actor Disqualification

by Joshua Pirutinsky

I. Introduction

Sometimes the unexpected happens. But preparing for the unexpected is the essence of the compliance function. The failure to effectively prepare for risks unrelated to your core business can be disastrous.  A seemingly innocuous compliance breach could disqualify your firm from participating in a private offering of securities under Rule 506(d), known as the “Bad Actor” Disqualification.   Being a Bad Actor can have detrimental, if not fatal, consequences for your firm – hence the critical importance of making known certain unknowns. Continue reading

Extending the “Failure to Prevent” Model of Corporate Criminal Liability in the UK

by Liz Campbell

Prosecuting corporate criminality is not straightforward. As a result of these difficulties, the UK Parliament is turning to an indirect form of corporate criminal liability: the Bribery Act 2010 introduced the corporate offence of failure to prevent bribery (FtPB), and this provision has been emulated with respect to the failure to prevent the facilitation of tax evasion in the Criminal Finances Act 2017.  

In brief, a relevant commercial organisation (C) is guilty of FtPB if a person associated with C bribes another person with the intention of obtaining or retaining business or an advantage for C.  An ‘associated’ person is an individual or body who ‘performs services’ for or on behalf of the organisation, and this definition was framed broadly intentionally.[1]  Crucially, the corporate entity can rely on the section 7(2) defence that it had “adequate procedures” in place designed to prevent persons associated with it from bribing. Continue reading

NIST Releases an Updated Version of its Cybersecurity Framework

by Sabastian V. NilesMarshall L. Miller, and Jeohn Salone Favors

Last week, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released an updated Cybersecurity Framework (PDF: 1,038 KB) that revises NIST’s baseline recommendations for the design of cybersecurity risk management programs.  In announcing its release, Commerce Secretary Wilbur Ross described the updated Framework as “a must do for all CEOs” and recommended that “every company” adopt the Framework as its “first line of defense.”  As with the prior version, the updated NIST Framework provides a useful tool to guide and benchmark company approaches to cybersecurity risk and will impact how regulators evaluate cybersecurity programs and incident responses across sectors. Continue reading

The Evolving First Line of Defense

by Michael Held

Keynote Address

Good morning.  It’s an honor to join you at the 1LoD Summit.  The views I express today are my own, not necessarily those of the Federal Reserve Bank of New York or the Federal Reserve System.[1]

I’ve heard it said that being in the risk control business can be, and often is, a thankless task. We get all the blame when something goes wrong, and none of the glory when things go right.  So, I want to start my remarks with a word of gratitude to you, my fellow travelers in the world of risk controls.  Thank you—not just for the invitation to speak today, but also for the work you perform each day at your firms. 

The growing sophistication and stature of the first line of defense is, in my view, an unqualified improvement in corporate governance—especially at financial firms.  Let’s begin with what you are defending.  Continue reading

FinCEN Releases Frequently Asked Questions Regarding Customer Due Diligence and Beneficial Ownership Requirements

by David S. Cohen, Franca Harris Gutierrez, Sharon Cohen Levin, Jeremy Dresner and Michael Romais

Last week the Financial Crimes Enforcement Network (FinCEN) issued much-anticipated Frequently Asked Questions (PDF: 387 KB) (FAQs) that provide additional guidance to financial institutions relating to the implementation of the new Customer Due Diligence Rule (CDD Rule), set to go into effect on May 11, 2018.[1] In general, the FAQs clarify certain issues that have caused implementation challenges for financial institutions. While FinCEN’s earlier guidance provided a general overview of the CDD Rule—including the purpose of the rule, the institutions to which it is applicable, and some relevant definitions—the new FAQs provide greater detail for financial institutions seeking to comply with the CDD Rule. The FAQs are meant to assist covered financial institutions in understanding the scope of their customer due diligence (CDD) obligations, as well as the rule’s impact on their broader anti-money laundering (AML) compliance. While the guidance is helpful in clarifying some of FinCEN’s expectations, the implementation challenge lies in applying the CDD Rule to a financial institution’s specific products and services.

As financial institutions work to meet the CDD Rule’s fast-approaching May 11 compliance deadline, they should pay special attention to the following key areas summarized below. Continue reading