Category Archives: Uncategorized

Steering the AI Ship: Is Your Board Ready to Navigate Complexity in a Dynamic Regulatory Environment?

by Meghan Anzelc, Ph.D., Christina Fernandes-D’Souza, and Avril Ussery Sisk


Left to right: Meghan Anzelc, Ph.D., Christina Fernandes-D’Souza, Avril Ussery Sisk (Photos courtesy of authors)

Artificial intelligence (AI) has rapidly leapt to application in an ever-broadening range of human endeavors. We are in a very dynamic era, and as AI becomes more ubiquitous, there is a great deal of on-going discussion about how it will be harnessed for advancement across all aspects of our lives. Coupled with society’s understanding of exciting AI possibilities, there are growing calls for caution, and a reticence regarding placement of trust in private entities to protect the community from threats and potential misuse. There is also the increasing perception of weakness in the governance of AI by the private entities promoting the benefits and rapidly adopting the technology.


It May Not Be Worth the Paper (or Pixel) It’s Written On (Part 1): A Fresh Look at Letters of Assurance Used to Bolster Sanctions and Export Controls Compliance

by Brent Carlson and Michael Huneke


Left to right: Brent Carlson and Michael Huneke (Photos courtesy of the authors)

“The world has changed. And we must change with it.” So stated Assistant Secretary of Commerce for Export Enforcement Matt Axelrod at a recent summit in California.[1] This simple statement reflects the increasingly complex challenges companies now face in navigating export controls and sanctions in a world driven by new geopolitical realities.

These challenges call into question past assumptions about compliance programs. The foundation of a robust compliance program starts with the reliability of the inputs relied upon to make informed, risk-based decisions. In the halcyon days of the post-Cold War era, export controls took on an administrative character. In that environment, certifications from counterparties—themselves the targets of the due diligence—were taken largely at face value. Yet today passive reliance, without more, carries profound risks because export controls and sanctions enforcement has already become more of a white-collar corporate enforcement environment driven by Russia’s continued ability to secure U.S.-brand microelectronics (both legacy and new production). Certifications alone accordingly may not be worth the paper they are written on—or the pixels of which they are made—especially when other data includes “red flags” that cast doubt on certifications’ veracity.


Treasury and FSOC Sharpen Focus on Risks of AI in the Financial Sector

by Alison M. Hashmall, David Sewell, Beth George, Andrew Dockham, Megan M. Kayo and Nathaniel Balk


Top left to right: Alison M. Hashmall, David Sewell, and Beth George. Bottom left to right: Andrew Dockham, Megan M. Kayo, and Nathaniel Balk. (Photos courtesy of Freshfields Bruckhaus Deringer LLP)

On June 6-7, 2024, the Financial Stability Oversight Council (FSOC or the Council) cosponsored a conference on AI and financial stability with the Brookings Institution (the FSOC Conference).  The conference was billed as “an opportunity for the public and private sectors to convene to discuss potential systemic risks posed by AI in financial services, to explore the balance between encouraging innovation and mitigating risks, and to share insights on effective oversight of AI-related risks to financial stability.” The FSOC Conference featured noteworthy speeches by Secretary of the Treasury Janet Yellen (who chairs the Council), as well as Acting Comptroller of the Currency Michael Hsu.  And in a further sign of increased regulatory focus on AI in the financial industry, the Treasury Department also released a request for information on the Uses, Opportunities, and Risk of Artificial Intelligence (AI) in the Financial Services Sector (the AI RFI) while the conference was happening – its most recent, and most comprehensive, effort to understand how AI is being used in the financial industry.

In this blog post, we first summarize the key questions raised and topics addressed in the AI RFI.  We then summarize the key takeaways from FSOC’s conference on AI and discuss how these developments fit within the broader context of actions taken by the federal financial regulators in the AI space. Lastly, we lay out takeaways and the path ahead for financial institutions as they continue to navigate the rapid development of AI technology.


Creating A European Union-Wide Anti-Money Laundering/Counter Financing of Terrorism Regime (Part I): The Anti-Money Laundering Authority

by Jonathan J. Rusch


Photo courtesy of the author

Introduction

Since 2018, when the then-European Commissioner for Justice Věra Jourová described the Danske Bank money-laundering catastrophe[1] as “the biggest scandal in Europe”[2], the European Commission (EC), as the politically independent executive arm of the European Union (EU)[3], has worked assiduously to repair the substantial defects in Europe’s anti-money laundering and counter-financing of terrorism (AML/CFT) mechanisms.


Resisting Hindsight Bias: A Proposed Framework for CISO Liability

by Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Erez Liebermann, Julie M. Riewe, Anna Moody, Andreas A. Glimenakis, and Melissa Muse


Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, and Erez Liebermann. Bottom left to right: Julie M. Riewe, Anna Moody, Andreas A. Glimenakis, and Melissa Muse. (Photos courtesy of Debevoise & Plimpton LLP)

On October 30, 2023, the U.S. Securities and Exchange Commission (“SEC” or “Commission”) charged SolarWinds Corporation’s (“SolarWinds” or the “Company”) chief information security officer (“CISO”) with violations of the anti-fraud provisions of the federal securities laws in connection with alleged disclosure and internal controls violations related both to the Russian cyberattack on the Company discovered in December 2020 and to alleged undisclosed weaknesses in the Company’s cybersecurity program dating back to 2018.[1] This is the first time the SEC has charged a CISO in connection with alleged violations of the federal securities laws occurring within the scope of his or her cybersecurity functions.[2] In doing so, the SEC has raised industry concerns that it intends to—with the benefit of 20/20 hindsight, but without the benefit of core cybersecurity expertise—dissect a CISO’s good-faith judgments in the aftermath of a cybersecurity incident and wield incidents to second guess the design and effectiveness of a company’s entire cybersecurity program (including as it intersects with internal accounting controls designed to identify and prevent errors or inaccuracies in financial reporting) and related disclosures and attempt to hold the CISO liable for any perceived failures.


FinCEN and BIS Issue Joint Notice Emphasizing That Financial Institutions Should Monitor for Possible Export Control Violations

by Jessica S. Carey, John P. Carlin, Roberto J. Gonzalez, Brad S. Karp, Richard S. Elliott, David Fein, David Kessler, Nathan Mitchell, and Jacobus J. Schutte


Top left to right: Jessica S. Carey, John P. Carlin, Roberto J. Gonzalez, Brad S. Karp, and Richard S. Elliott. Bottom left to right: David Fein, David Kessler, Nathan Mitchell, and Jacobus J. Schutte. (Photos courtesy of Paul, Weiss, Rifkind, Wharton & Garrison LLP)

On November 6, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) jointly issued a notice (the “Notice”) announcing a new Suspicious Activity Report (“SAR”) key term, “FIN-2023-GLOBALEXPORT,” that financial institutions should reference when reporting potential efforts by individuals or entities seeking to evade U.S. export controls.[1]


Cybersecurity Experts React to NYDFS’s Amendments to its Cybersecurity Rules

Editor’s Note: The NYU School of Law Program on Corporate Compliance and Enforcement (PCCE) is following the New York State Department of Financial Services’ (NYDFS) recently announced amendments to its Part 500 Cybersecurity Regulations. In this post, cybersecurity experts offer their insight on the final amendments and the potential implications they have for corporate cybersecurity programs.


Top left to right: Johanna Skrzypczyk, Avi Gesser, Justin Herring, Kathleen McGee, and Edward Stroz.
Bottom left to right: Kellen Dwyer, Rebecca Hughes Parker, Elizabeth Ferrick, Grant Ankrom, and Alex Southwell. (Photos courtesy of the authors)


Assessing the Tornado Cash Indictment against FinCEN’s 2019 Guidance Applying Money Transmission Rules to Crypto Businesses

by Benjamin Gruenstein, Evan Norris, and Daniel Barabander

From left to right: Benjamin Gruenstein, Evan Norris, and Daniel Barabander. Photos courtesy of the authors

Introduction

On August 23, 2023, the U.S. Attorney’s Office for the Southern District of New York announced the unsealing of an indictment against Roman Storm and Roman Semenov charging, among other things, conspiracy to operate an unlicensed money transmitting business in connection with their role as founders of Tornado Cash, from at least March 2022 until August 8, 2022.[1]  A significant focus of the indictment is the “secret note” that customers used when depositing to and withdrawing from Tornado Cash, a “mixing service” that the indictment alleges “combined multiple unique features to execute anonymous financial transactions in various cryptocurrencies for its customers.”  (¶¶ 1, 15, 18, 24.)  However, despite allegations that the secret note was transmitted through various components of Tornado Cash that the founders controlled when a customer withdrew funds, in reality, the customer never relinquished control over the secret note.  Rather, she sent only a “proof” that revealed nothing about the secret note and could only be validated by the smart contract to send funds directly from the smart contract to the customer.  In this way, the founders may have exercised “necessary” control over funds, meaning that when the customer used Tornado Cash, components of the system the founders allegedly controlled may have been necessary to send the message to transfer the value in that particular transaction.  However, based on our review of how the secret note worked during the period when the founders are alleged to have conspired to operate a money transmission business, the founders did not exercise “sufficient” control, meaning these components could not have transferred value independently from the customer.  This is because Tornado Cash and its founders had no ability during this period to access the secret note to dictate how funds would be transferred.  

This distinction between types of control is critical.  Under the U.S. Department of the Treasury’s Financial Crimes Enforcement Network’s (“FinCEN”) non-binding 2019 guidance, a “money transmitter” must have “total independent control” over customer funds to qualify as such, which we interpret based on our review of the guidance to require both “necessary” and “sufficient” control.[2]  Without access to a customer’s secret note, the Tornado Cash founders could not have had the requisite control over customer funds to qualify as a money transmitter under FinCEN’s 2019 guidance.[3]


Delaware’s New Personal Data Privacy Act

by Michael T. Borgia, Benjamin Robbins, and Patrick J. Austin


From left to right: Michael T. Borgia, Benjamin Robbins, and Patrick J. Austin. Photos courtesy of Davis Wright Tremaine LLP.

The Delaware Personal Data Privacy Act (DPDPA or Act) became law on September 11, 2023, making Delaware the 13th state to enact a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Florida, Texas, and Oregon. The DPDPA will become effective on January 1, 2025. We highlight key aspects of the DPDPA below.
