Category Archives: Enforcement

CFTC Begins Its Enforcement of NDA Rule with Action Against Trafigura

Photo courtesy of the author

On June 17, 2024, Trafigura Trading LLC (“Trafigura”) agreed to pay $55 million to settle charges brought by the Commodity Futures Trading Commission (“CFTC”) that they “traded gasoline while in knowing possession of material nonpublic information, . . . manipulated a fuel oil benchmark to benefit its futures and swaps positions,” and notably that they violated CFTC Regulation 165.19(b) by “requir[ing] its employees to sign employment agreements, and request[ing] that former employees sign separation agreements containing non-disclosure provisions prohibiting them from disclosing company information, with no exception for law enforcement agencies or regulators.” This is the CFTC’s first enforcement of Regulation 165.19(b).

Continue reading →

Dutch Data Protection Authority Imposes a Fine of 290 Million Euros on Uber

by Sarah Pearce and Ashley Webber

Left to right: Sarah Pearce and Ashley Webber (Photos courtesy of the Hunton Andrews Kurth LLP)

On August 26, 2024, the Dutch Data Protection Authority (the “Dutch DPA”), as lead supervisory authority, announced that it had imposed a fine of 290 million euros ($324 million) on Uber. The fine related to violations of the international transfer requirements under the EU General Data Protection Regulation (the “GDPR”).

The Dutch DPA launched an investigation into Uber following complaints from more than 170 French Uber drivers to the French human rights interest group the Ligue des droits de l’Homme, which subsequently submitted a complaint to the French Data Protection Authority (the “CNIL”). The CNIL then forwarded the complaints to the Dutch DPA as lead supervisory authority for Uber.

Continue reading →

Balancing Victim Compensation and Efficiency in Non-Trial Resolutions: A Comparative Perspective from the International Academy of Financial Crime Litigators

by Stéphane Bonifassi, Lincoln Caylor, Grégoire Mangeat, Léon Moubayed, Jonathan Sack, Andrew Stafford K.C., Wolfgang Spoerr, and Thomas Weibel

Top left to right: Stéphane Bonifassi, Lincoln Caylor, Grégoire Mangeat, Léon Moubayed. Bottom left to right: Jonathan Sack, Andrew Stafford K.C., Wolfgang Spoerr, and Thomas Weibel. (Photos courtesy of authors)

Introduction

Negotiated settlements for financial crimes offer a practical approach to resolving cases without lengthy trials. However, they pose a complex dilemma: how to balance efficiency with the need for victims to have a meaningful role in the proceeding and achieve adequate victim compensation. Across various jurisdictions, the approaches to non-trial resolutions reflect differing priorities, with some countries leaning towards expediency and others emphasizing victim rights. This is why the International Academy of Financial Crime Litigators published a working paper on the topic. This piece explores the current state of how victims of financial crime are being compensated in non-trial resolutions across different legal jurisdictions. Furthermore, it identifies some of the challenges and trade-offs lawmakers face when trying to infuse an optimal amount of victim involvement into the settlement process, providing suggestions on how victims of financial crime can be better heard and compensated in settlement procedures.

Continue reading →

Incident Response Plans Are Now Accounting Controls? SEC Brings First-Ever Settled Cybersecurity Internal Controls Charges

by Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Erez Liebermann, Benjamin R. Pedersen, Julie M. Riewe, Matt Kelly, and Anna Moody

Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky and Erez Liebermann. Bottom left to right: Benjamin R. Pedersen, Julie M. Riewe, Matt Kelly and Anna Moody. (Photos courtesy of Debevoise & Plimpton LLP)

In an unprecedented settlement, on June 18, 2024, the U.S. Securities & Exchange Commission (the “SEC”) announced that communications and marketing provider R.R. Donnelley & Sons Co. (“RRD”) agreed to pay approximately $2.1 million to resolve charges arising out of its response to a 2021 ransomware attack. According to the SEC, RRD’s response to the attack revealed deficiencies in its cybersecurity policies and procedures and related disclosure controls. Specifically, in addition to asserting that RRD had failed to gather and review information about the incident for potential disclosure on a timely basis, the SEC alleged that RRD had failed to implement a “system of cybersecurity-related internal accounting controls” to provide reasonable assurances that access to the company’s assets—namely, its information technology systems and networks—was permitted only with management’s authorization. In particular, the SEC alleged that RRD failed to properly instruct the firm responsible for managing its cybersecurity alerts on how to prioritize such alerts, and then failed to act upon the incoming alerts from this firm.

Continue reading →

US Antitrust Regulators Threaten Ephemeral Messaging Users and Their Counsel with Obstruction Charges

by Jeremy Calsyn, Nowell Bamberger, Charles P. Balaan, and Joseph M. Kay

Left to right: Jeremy Calsyn, Nowell Bamberger, Charles P. Balaan, and Joseph M. Kay (photos courtesy of Cleary Gottlieb Steen & Hamilton LLP)

In recent months, federal regulators have made statements that companies and their counsel may be subject to criminal prosecution if they fail to preserve ephemeral messaging data when they receive a subpoena or other legal process. In January 2024, the Deputy Assistant Attorney General for Criminal Enforcement at the DOJ Antitrust Division warned “failure to produce” ephemeral messaging may result in obstruction charges.[1] Speaking at the ABA Antitrust Spring Meeting in April 2024, a lawyer for the Antitrust Division echoed that the DOJ “will not hesitate to bring obstruction charges” against company counsel and their clients if clients fail to properly retain so-called “ephemeral messages.”[2] This is consistent with other recent warnings from the DOJ.[3]

The agencies’ focus on features of ephemeral messaging, which they argue can be used to hamper investigations, ignores the fact that ephemeral messaging applications have a legitimate role in the workplace where data security and management is paramount. Despite the advantages of ephemeral messaging, clients should be aware of the legal and other risks presented by these applications and implement clear information retention policies that account for the organization’s duty to preserve information for litigation and government investigations.

Continue reading →

DOJ National Security Division Issues First-Ever Declination Under Enforcement Policy

by Satish M. Kini, David A. O’Neil, Jane Shvets, Rick Sofield, Douglas S. Zolkind, Carter Burwell, Connor R. Crowley, and Hillary Hubley

Top left to right: Satish M. Kini, David A. O’Neil, Jane Shvets, and Rick Sofield. Bottom left to right: Douglas S. Zolkind, Carter Burwell, Connor R. Crowley, and Hillary Hubley. (Photos courtesy of Debevoise & Plimpton LLP)

Key Takeaways

Even in criminal national security matters, early self-reporting, remediation and cooperation can enable companies to avoid prosecution and penalties.
Federal enforcement agencies are continuing to collaborate in investigating and prosecuting criminal cases at the intersection of national security and corporate crime.
Multinational corporations and academic institutions should be aware of the risk of outsiders fraudulently affiliating themselves with legitimate institutions to skirt export control laws.

Continue reading →

Strategic Communications Considerations When a Government Investigation Becomes Public Through Voluntary Self-Reporting or Other Means

by Cari Robinson

Photo courtesy of the author

The SEC, DOJ, and nationwide USAOs are increasingly encouraging organizations to self-report misconduct, fully cooperate with authorities, and meaningfully remediate. In return, companies may receive reduced penalties, up to and including a government agreement not to criminally prosecute and a declination to bring a civil enforcement action.

However, in addition to being costly and time-consuming, self-reporting presents reputational risks. There also is always a possibility that a sensitive matter will leak. In any event, having complementary legal and crisis communications strategies in place can help companies avoid costly missteps and mitigate reputational damage.

Continue reading →

BIS Primes the Corporate Enforcement Engine: A Fresh Look at What Recent BIS Actions & Statements Mean and a Proposed Framework for How U.S. Companies Can Best Prepare

by Brent Carlson and Michael Huneke

From left to right: Brent Carlson and Michael Huneke (Photos courtesy of authors)

The risk of corporate criminal enforcement actions for export controls evasion or diversion is significantly increasing. Recent actions and statements by the Department of Commerce’s Bureau of Industry & Security (“BIS”) suggest that, beyond saber-rattling, BIS is deliberately priming the corporate enforcement engine with the fuel for an enforcement wave that will follow the Foreign Corrupt Practices Act (“FCPA”) “playbook” that the U.S. Department of Justice (“DOJ”) has successfully deployed for the last two decades.

The fuel comes in the form of official, multiagency guidance documents and other actions that describe circumstances indicating a “high probability” of misconduct, which as we have previously written is a freestanding basis for enforcement actions under both the FCPA and the Export Administration Regulations (“EAR”).[1] Such agency actions by BIS notably include the issuance to U.S. companies of lists of counterparties under cover of what BIS officials describe as “red flag” letters. Since our prior analysis,[2] BIS has reemphasized the significance of such letters and underscored the importance of how U.S. companies respond.

Continue reading →

Keeping Deferred Corporate Charges Deferred: Some Dos and Don’ts

by John Savarese, Randall Jackson, and Michael Holt

Left to right: John Savarese, Randall Jackson, and Michael Holt (Photos courtesy of Wachtell, Lipton, Rosen & Katz)

At the heart of every white-collar deferred prosecution agreement (DPA) is the deferral of filed criminal charges and a promise by DOJ to dismiss those charges at the end of a fixed term if the company has lived up to its remedial and other commitments. Breaches of these agreements are rare. But DOJ’s recent letter advising the U.S. District Court for the Northern District of Texas that Boeing breached its obligations under a January 2021 DPA (entered into with DOJ to resolve criminal charges relating to Boeing’s mishandling of FAA reporting concerning its 737 MAX aircraft following fatal crashes of two of those planes) provides a telling reminder of the critical need for companies to design and carry out an effective and comprehensive plan to abide by all terms established under a DPA.

Continue reading →

Crypto Experts React to Recent SDNY Ethereum Fraud Indictment

The NYU Law Program on Corporate Compliance and Enforcement (PCCE) is following the U.S. Attorney’s Office for the Southern District of New York’s recent indictment of two individuals for allegedly attacking and stealing $25 million from the Ethereum blockchain. The indictment in the case, United States v. Peraire-Bueno, 24 Cr. 293 (SDNY), is available here. Below, several crypto experts and former prosecutors provide their reactions to the case.

Left to right: Maria Vullo, Daniel Payne, Elizabeth Roper, Usman Sheikh, Justin Herring, and Robertson Park (photos courtesy of the authors)

Continue reading →