The EU AI Act is Officially Passed – What We Know and What’s Still Unclear

by Avi Gesser, Matt KellyRobert Maddox, and Martha Hirst 

Photos of authors.

From left to right: Avi Gesser, Matt Kelly, Robert Maddox, and Martha Hirst. (Photos courtesy of Debevoise & Plimpton LLP)

The EU AI Act (the “Act”) has made it through the EU’s legislative process and has passed into law; it will come into effect on 1 August 2024. Most of the substantive requirements will come into force two years later, from 1 August 2026, with the main exception being “Prohibited” AI systems, which will be banned from 1 February 2025.

Despite initial expectations of a sweeping and all-encompassing regulation, the final version of the Act reveals a narrower scope than some initially anticipated.

Continue reading

The Supreme Court’s Business Docket: October Term 2023 in Review

by John F. Savarese, Kevin S. Schwartz, Noah B. Yavitz, Adam L. Goodman, and Akua Abu

Photos of the authors

Left to right: John F. Savarese, Kevin S. Schwartz, Noah B. Yavitz, Adam L. Goodman, and Akua F. Abu. (Photos courtesy of the authors)

In early July, the Supreme Court concluded its most consequential Term in years, with a flood of decisions on contentious issues ranging from abortion access to the regulation of social media companies and gun possession to presidential immunity. The Court’s business docket was no less active. While the Consumer Financial Protection Bureau narrowly survived a constitutional challenge to its funding mechanism, the Court’s conservative majority elsewhere struck body blows to the administrative state—including the long-anticipated reversal of the Chevron doctrine of judicial deference to agency interpretation of ambiguous statutes. Beyond this headline-grabbing showstopper, the Court issued a string of commercially significant decisions, affecting bankruptcy, arbitration, securities, and employment law. We summarize below the key business decisions from this Term and flag a few key cases to watch in the coming Term.

Continue reading

SEC Releases New Guidance on Material Cybersecurity Incident Disclosure

by Eric T. JuergensErez LiebermannBenjamin R. Pedersen, Paul M. Rodel, Anna Moody, Kelly Donoghue, and John Jacob

Photos of authors.

Top left to right: Eric T. Juergens, Erez Liebermann, Benjamin R. Pedersen, and Paul M. Rodel. Bottom left to right: Anna Moody, Kelly Donoghue, and John Jacob. (Photos courtesy of Debevoise & Plimpton LLP)

On June 24, 2024, the staff of the Division of Corporation Finance of the Securities and Exchange Commission (the “SEC”) released five new Compliance & Disclosure Interpretations (“C&DIs”) relating to the disclosure of material cybersecurity incidents under Item 1.05 of Form 8-K. A summary of the updates is below, followed by the full text of the new C&DIs.  While the fact patterns underlying the new C&DIs focus on ransomware, issuers should consider the guidance generally in analyzing disclosure obligations for cybersecurity events.

Continue reading

Cyber Experts React to Court Decision in the SEC’s SolarWinds Enforcement Action

Editor’s Note: PCCE has been watching the developments in the SEC’s enforcement action against SolarWinds and its CISO over allegedly misleading disclosures and controls failures related to the compromise of its Orion product by putative Russian hackers. In this post, cybersecurity experts and lawyers discuss the recent decision by U.S. District Judge Paul Engelmayer to dismiss most of the SEC’s claims in the case.

Photos of the authors

Top left to right: Randal Milch, Judy Titera, James Haldin, and Alan Wilson. Bottom left to right: Matthew Beville, Elizabeth Roper, and Jerome Tomas. (Photos courtesy of authors)

Continue reading

FinCEN Requires Reporting From Dissolved Companies

by Matthew Bisanz, Adam D. Kanter, Brad A. Resnikoff, and Marcella Barganz

Photos of the authors.

From left to right: Matthew Bisanz, Adam D. Kanter, Brad A. Resnikoff, and Marcella Barganz. (Photos courtesy of Mayer Brown LLP)

On July 8, 2024, the Financial Crimes Enforcement Network (“FinCEN”) issued interpretive guidance explaining that the beneficial ownership information (“BOI”) reporting requirement applies to certain legal entities that have been dissolved or otherwise ceased to exist after January 1, 2024. This new guidance dramatically expands the reporting requirement under the Corporate Transparency Act (“CTA”) and raises significant issues regarding compliance and liability for noncompliance.

The new guidance is effective immediately. Persons who own or manage entities that will dissolve in 2024, or have already dissolved this year—or which were not dissolved irrevocably—should review the guidance to determine their reporting obligations.

Continue reading

It May Not Be Worth the Paper (or Pixel) It’s Written On (Part 1): A Fresh Look at Letters of Assurance Used to Bolster Sanctions and Export Controls Compliance

by Brent Carlson and Michael Huneke

photos of the authors

Left to right: Brent Carlson and Michael Huneke (Photos courtesy of the authors)

“The world has changed. And we must change with it.” So stated Assistant Secretary of Commerce for Export Enforcement Matt Axelrod at a recent summit in California.[1] This simple statement reflects the increasingly complex challenges companies now face in navigating export controls and sanctions in a world driven by new geopolitical realities.

These challenges call into questions past assumptions about compliance programs. The foundation of a robust compliance program starts with the reliability of the inputs relied upon to make informed, risk-based decisions. In the halcyon days of the post-Cold War era, export controls took on an administrative character. In that environment, certifications from counterparties—themselves the targets of the due diligence—were taken largely at face value. Yet today passive reliance, without more, carries profound risks because export controls and sanctions enforcement has already become more of a white-collar corporate enforcement environment driven by Russia’s continued ability to secure U.S.-brand microelectronics (both legacy and new production). Certifications alone accordingly may not be worth the paper they are written on—or the pixels of which they are made—especially when other data includes “red flags” that cast doubt on certifications’ veracity.

Continue reading

Treasury’s Report on AI (Part 2) – Managing AI-Specific Cybersecurity Risks in the Financial Sector

by Avi Gesser, Erez Liebermann, Matt Kelly, Jackie Dorward, and Joshua A. Goland

Photos of authors.

Top: Avi Gesser, Erez Liebermann, and Matt Kelly. Bottom: Jackie Dorward and Joshua A. Goland (Photos courtesy of Debevoise & Plimpton LLP)

This is the second post in the two-part Debevoise Data Blog series covering the U.S. Treasury Department’s report on Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector (the “Report”).

In Part 1, we addressed the Report’s coverage of the state of AI regulation and best practices recommendations for AI risk management and governance. In Part 2, we review the Report’s assessment of AI-enhanced cybersecurity risks, as well as the risks of attacks against AI systems, and offer guidance on how financial institutions can respond to both types of risks.

Continue reading

State Immunity and the False Claims Act

By Joshua M. Baker

Photo of the author

Photo courtesy of the Young Law Firm.

While litigation under the False Claims Act (FCA) generally can be rather complex, bringing actions under this statute against state agencies involves the additional issue of potential immunity under the Eleventh Amendment. The inquiry as to whether a given state agency can successfully assert such immunity is nuanced and the analysis will vary depending on the jurisdiction in which the case is brought. At the most basic level, the resolution of this issue depends on how the agency is treated under state law. Specifically, courts will look at factors such as how much autonomy the agency has from the state government as such and how much of its funding comes from the state. 

Continue reading

FinCEN Proposes Comprehensive Updates to AML/CFT Program Rules

by David Sewell and Nathaniel Balk

photos of the authors

From left to right: David Sewell and Nathaniel Balk. (Photos courtesy of Freshfields Bruckhaus Deringer LLP)

On June 28, 2024, the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued a proposed rule (the Proposed Rule) to update anti-money laundering (AML) and countering the financing of terrorism (CFT) compliance obligations to reflect revisions to the Bank Secrecy Act (BSA) contained in the Anti-Money Laundering Act of 2020 (AML Act).[1]

FinCEN’s release marks the latest step in the ongoing implementation of the AML Act, which adopted the most significant revisions to the U.S. AML/CFT framework since the adoption of the USA PATRIOT Act in 2001. Although the Proposed Rule in large part clarifies, streamlines, and updates existing regulations, it includes several provisions that materially change AML/CFT compliance obligations for many financial institutions, including most notably a mandatory risk assessment process.

Below, we briefly summarize the Proposed Rule, including its scope, requirements, and potential implications, and highlight open questions and next steps.  

Continue reading

Balancing Victim Compensation and Efficiency in Non-Trial Resolutions: A Comparative Perspective from the International Academy of Financial Crime Litigators

by Stéphane Bonifassi, Lincoln Caylor, Grégoire Mangeat, Léon Moubayed, Jonathan Sack, Andrew Stafford K.C., Wolfgang Spoerr, and Thomas Weibel

Photos of authors.

Top left to right: Stéphane Bonifassi, Lincoln Caylor, Grégoire Mangeat, Léon Moubayed. Bottom left to right: Jonathan Sack, Andrew Stafford K.C., Wolfgang Spoerr, and Thomas Weibel. (Photos courtesy of authors)

Introduction

Negotiated settlements for financial crimes offer a practical approach to resolving cases without lengthy trials. However, they pose a complex dilemma: how to balance efficiency with the need for victims to have a meaningful role in the proceeding and achieve adequate victim compensation. Across various jurisdictions, the approaches to non-trial resolutions reflect differing priorities, with some countries leaning towards expediency and others emphasizing victim rights. This is why the International Academy of Financial Crime Litigators published a working paper on the topic. This piece explores the current state of how victims of financial crime are being compensated in non-trial resolutions across different legal jurisdictions. Furthermore, it identifies some of the challenges and trade-offs lawmakers face when trying to infuse an optimal amount of victim involvement into the settlement process, providing suggestions on how victims of financial crime can be better heard and compensated in settlement procedures.

Continue reading