Category Archives: Risk management

Draft GDPR Transparency Guidelines Issued: What Does Your Privacy Policy Need to Contain?

by Jeremy Feigelson, Jane Shvets, Dr. Thomas Schürrle, Ceri Chave, Dr. Friedrich Popp, and Christopher Garrett

Late last year, the Article 29 Working Party (the “Working Party”) issued detailed draft guidance (the “Guidelines”) on transparency under the EU General Data Protection Regulation (the “GDPR”), which becomes applicable in May 2018. These Guidelines, which will be finalized following a consultation process, contain the Working Party’s interpretation of the mandatory transparency information that must be provided to a data subject by way of a privacy policy or other disclosures.

One of the express requirements of the GDPR relates to how businesses communicate their use of a data subject’s personal information to that data subject at the point of data collection or consent, typically via a privacy policy or notice. Getting this right is crucial. Businesses will need to examine their current privacy policies and other disclosures closely, and consider whether these need revising not just in the light of the GDPR, but also to factor in the requirements listed in the Guidelines, which elaborate on existing GDPR provisions. While the Guidelines will not be binding, data protection authorities may take a dim view of businesses which fail to comply with the Guidelines without good reason, given that representatives from all of the EU data protection authorities are part of the Working Party. Businesses that fail to comply with the information duties under the GDPR will face fines of up to the higher of 4% of annual worldwide turnover or EUR 20 million.

Securities Fraud Class Action Suits following Cyber Breaches: The Trickle Before the Wave

by Michael S. Flynn, Avi Gesser, Joseph A. Hall, Edmund Polubinski III, Neal A. Potischman, Brian S. Weinstein, Peter Starr and Jessica L. Turner

Overview

Large-scale data breaches can give rise to a host of legal problems for the breached entity, ranging from consumer class action litigation to congressional inquiries and state attorneys general investigations.  Increasingly, issuers are also facing the specter of federal securities fraud litigation.[1]

The existence of securities fraud litigation following a cyber breach is, to some extent, not surprising.  Lawyer-driven securities litigation often follows stock price declines, even declines that are ostensibly unrelated to any prior public disclosure by an issuer.  Until recently, significant declines in stock price following disclosures of cyber breaches were rare.  But that is changing.  The recent securities fraud class actions brought against Yahoo! and Equifax demonstrate this point; in both of those cases, significant stock price declines followed the disclosure of the breach.  Similar cases can be expected whenever stock price declines follow cyber breach disclosures.

Roadmap to an Effective Annual Review

by Michael C. Neus

As the year ends, SEC registered investment advisers to private funds start considering how to assess their firm’s compliance culture.  The Advisers Act of 1940 requires a formal annual review of the adequacy of “written policies and procedures reasonably designed to prevent violation of securities laws.”[1]  In other words, every year Chief Compliance Officers ask themselves how they can actually demonstrate their effectiveness.

Rather than viewing this process as a comprehensive narrative report identifying all deficiencies, perhaps a more useful construct is to think of the annual review as a way of collating and assessing activity throughout the year.  Paradoxically, assembling information used throughout the year makes the process easier than attempting a comprehensive one-shot evaluation.[2]   Effective annual reviews are more like a movie than a photograph.

Russia Considers Enhanced Whistleblower Protections

by Jane Shvets, Anna V. Maximenko, and Elena Klutchareva

Effective anti-corruption compliance programs include protections for whistleblowers who raise corruption concerns.  Article 13.3 of Russia’s 2008 Federal Law No. 273-FZ on Counteracting Corruption (the “Anti-Corruption Law”) addressed Russian lawmakers’ expectations regarding effective compliance programs.[1]  But the law was silent on whistleblower protections.  Recently proposed legislation in Russia may help address this gap.

Even before the Anti-Corruption Law came into effect, Russian law included several provisions that could be interpreted to provide some protection for whistleblowers.  For example, Russian employment law prohibits discrimination and sets out an exhaustive list of permissible grounds for dismissing an employee for cause; firing an employee for blowing the whistle on potential corruption is not among them.  As a result, firing an employee for whistleblowing could run afoul of Russian employment law.  In addition, the Russian government can protect individuals whose security might be threatened as a result of their participation in criminal proceedings that involve alleged corruption.  The state might, for example, provide such witnesses with physical protection, relocate them, or even give them new identities.

Keeping Score of FIFA’s Corruption, Compliance and Efforts for Reform – Part 2

by Brandon D. Fox

Part 2 – Changing the Game Plan

In late June, FIFA, the world’s governing soccer organization, released the “Garcia Report,” chronicling the extensive corruption and conflicts of interest that occurred in FIFA’s awarding of the men’s 2018 and 2022 World Cup venues. Part 1 summarized the report’s findings. Part 2 discusses how specific steps and safeguards can mitigate the risks of misconduct and ensure cooperation among FIFA officials – and at any organization.

Leadership

FIFA’s problems started at the top.  FIFA’s investigators found that an astounding number of executive committee members committed misconduct and showed disdain for the investigation.  FIFA’s failures were systemic and reflected a culture of corruption.  An organization’s culture cannot be fixed simply by strengthening rules or creating a targeted compliance program.  Indeed, these are meaningless if the leaders themselves are corrupt.  Executives must have integrity and show a commitment to everyone’s compliance with the law.  FIFA needs to identify candidates for its executive committee who have shown integrity and a dedication to complying with rules and laws.

Keeping Score of FIFA’s Corruption, Compliance and Efforts for Reform – Part 1

by Brandon D. Fox

Part 1 – Foul Play

The first installment of this two-part series summarizes the Garcia Report’s findings of misconduct. Author Brandon Fox also focuses on the difficulties investigators faced as a result of leaders failing to cooperate and contrasts the misconduct and lack of cooperation to the U.S. Soccer Federation’s behavior.

In late June, FIFA, the world’s governing soccer organization, released the Garcia Report chronicling the extensive corruption and conflicts of interest that occurred in FIFA’s awarding of the men’s 2018 and 2022 World Cup venues.  This article summarizes the Garcia Report’s findings of misconduct, focusing on the difficulties investigators faced as a result of leaders failing to cooperate, and discusses how specific steps and safeguards can mitigate the risks of misconduct and ensure cooperation among FIFA officials – and at any organization.

Insights for All Companies from the SEC’s Cybersecurity Examination of Regulated Financial Entities

By Sabastian V. Niles and Marshall L. Miller

In August 2017, the Office of Compliance Inspections and Examinations (“OCIE”) of the Securities and Exchange Commission released the results of its second Cybersecurity Initiative, which examined cybersecurity-related preparedness and implementation efforts by 75 regulated financial entities.  The resulting OCIE Risk Alert depicts an industry demonstrating heightened sensitivity to cyber risks, but also experiencing gaps between policy ambition and day-to-day execution, and confronting growing pains associated with accelerated change, including the introduction of significant new policies and procedures that may lack focus or consistent implementation.  While the Risk Alert directly addresses the cybersecurity procedures of broker-dealers, investment advisers, and other SEC-regulated entities, companies in all industries should consider assessing their practices with respect to the issues highlighted by the SEC.

The Business’s Role in Implementing Risk Based Compliance at Financial Institutions

By Robert W. Werner

The compliance infrastructure for managing financial crime risk at financial institutions is intended to be based on utilizing a risk-based, rather than rule-based, approach.  A risk-based approach seeks to allocate resources commensurate with varying risk levels, reflecting the fact that financial institutions cannot eliminate all the risk of illicit activity occurring within an institution without completely shutting down all of its business.  To optimize compliance, financial institutions must balance the need to provide legitimate and critical financial services and products with appropriate controls designed to mitigate the financial crime risk associated with those services and products to appropriate levels.

Where activity would violate law or regulation, the calculus is easy because the activity is simply prohibited.  However, most legitimate activity will necessarily carry some level of risk that it may be abused by criminals to facilitate illicit conduct or to exploit products and services for illicit purposes.  Arriving at the right balance within this context requires understanding the risks, determining what level of controls can reasonably be put in place to mitigate them, and then making judgments, based on an institution’s tolerance for reputational, regulatory and operational risk, about whether to engage in the activity.  This last element, the exercise of judgment, must be arrived at within the framework of an institution’s risk appetite statement.

A “Wells Fargo” Briefing for the Audit Committee

by Michael W. Peregrine

The Board’s audit committee is well advised to receive an update on the risk and compliance lessons from the recent Wells Fargo sales practices controversy. The general counsel, teaming with the chief risk & compliance officer, would be well suited to deliver this update. As well-chronicled in the recently released special investigative report (“Report”), the “20/20” lessons from the controversy transcend the financial services industry, to offer value to corporate boards across industry sectors. These lessons demonstrate how matters of organizational structure, corporate culture, and risk identification and reporting can coalesce in undisciplined circumstances to create significant corporate exposure. In several respects, these lessons prompt comparisons to the conclusions reached by investigative counsel in the GM ignition switch controversy of 2014. This comparison may help underscore the basic risk oversight message to the audit committee; i.e., that these issues have arisen in several of the largest U.S. companies and may arise again without proper supervision.

A Deliberate Process for Conducting a Compliance Risk Assessment

by Randall Cook, Waqas Shahid and Melanie Reed

A proactive, systematic risk assessment is an essential first step to developing and implementing any corporate compliance program, regardless of your industry or the compliance areas you are targeting. As US enforcement authorities have explained, “One-size-fits-all compliance programs are generally ill-conceived and ineffective because resources inevitably are spread too thin, with too much focus on low-risk markets and transactions to the detriment of high-risk areas.”[1] The Department of Justice specifically identified the effectiveness of a company’s compliance risk assessment as a foundational consideration when evaluating whether to bring charges against a company and in negotiating a plea or other remedies.[2] Moreover, in a corporate environment characterized by lean performance, tailoring your compliance program to your company’s actual risks is a business necessity.

A deliberate, iterative self-assessment methodology is crucial to obtaining the benefits of both mitigating enforcement risk and achieving a high-efficiency compliance program.