SEC Enforcement Actions Reflect Expansion of SEC’s AML Compliance Focus: Broker-Dealers, Investment Advisers, Registered Investment Companies, and Individuals Must Take Note

by Michael J. Leotta, David H. Tutor, and Cindy M. Bi

From left to right: Michael J. Leotta, David H. Tutor, and Cindy M. Bi (Photos courtesy of WilmerHale)

The SEC recently announced AML-related charges against an individual registered representative for failing to escalate red flags of potentially suspicious activity, as well as charges against a registered investment adviser for causing mutual funds it advised to fail to adopt an AML program reasonably designed for its business. Taken together, these enforcement actions reflect the continued expansion of the SEC’s efforts to police AML compliance beyond the traditional charges against broker-dealers for failures to file Suspicious Activity Reports (“SARs”).  The SEC is not only willing to penalize a broker-dealer or its compliance personnel who fail to file timely SARs, but is also willing to charge individuals and entities that contribute to or cause AML failures.    

Remarks of Enforcement Director Ian McGinley at the New York University School of Law Program on Corporate Compliance and Enforcement: “The Right Touch: Updated Guidance on Penalties, Monitors, and Admissions”

Editor’s Note: On October 17, 2023, the NYU Law Program on Corporate Compliance and Enforcement (PCCE) hosted Ian McGinley, the Director of Enforcement for the Commodity Futures Trading Commission (CFTC) to announce updated enforcement guidance to CFTC staff on penalties, monitors, and admissions. Director McGinley’s remarks were followed by a fireside chat and moderated Q&A with questions from the audience, and later by a moderated panel of former CFTC enforcement directors and senior enforcement counsel. The updated staff guidance is available here.

by Ian McGinley

Thank you for that introduction, Professor Arlen. It is an honor to make this announcement as part of NYU’s Program on Corporate Compliance and Enforcement, one of the marquee programs in the world on these topics. I’m also delighted to be back at NYU Law School, my alma mater. As a student, I frequently attended the incredible events in Lipton Hall, often sitting in the back row. So, it’s quite a thrill to move from the nosebleeds to the podium.

Since I joined the CFTC as the Director of Enforcement, I’ve had the pleasure of getting to know a group of people whose reputation preceded it.  From outside the CFTC, my observation had always been that the Division—under the leadership of numerous former Directors that are here tonight—worked aggressively to protect the public and ensure the integrity of markets.

UK ICO Publishes Guidance on Workplace Monitoring

by Sarah Pearce and Olivia Lee

From left to right: Sarah Pearce and Olivia Lee. (Photos courtesy of Hunton Andrews Kurth LLP)

On October 3, 2023, the UK Information Commissioner’s Office (“ICO”) published new Guidance on lawful monitoring in the workplace, designed to help employees comply with their obligations under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA”).

Ctrl-Alt-Delete: California Legislature Passes Delete Act

by Nancy Libin and Patrick J. Austin

From left to right: Nancy Libin and Patrick J. Austin. (Photos courtesy of Davis Wright Tremaine LLP)

Legislation requires data brokers to register with the California Privacy Protection Agency and comply with a one-stop consumer deletion mechanism by 2026

The wave of data privacy legislation in California continues as lawmakers passed a bill that will impose new obligations on data brokers. Senate Bill 362, also known as the Delete Act, will amend California’s existing data broker law by subjecting all data brokers to mandatory registration with the California Privacy Protection Agency (CPPA), imposing new disclosure obligations, and requiring data brokers to comply with a “one-stop” mechanism to be established by the CPPA whereby California consumers can request data brokers to delete their personal data. This one-stop deletion mechanism would have to be established by January 1, 2026, and honored by data brokers starting August 1, 2026.

The Delete Act, awaiting signature by the Governor, will become law no later than October 14, 2023, unless signed earlier or vetoed. 

Below is an overview of notable provisions and regulatory requirements.

SEC Takes First Rule 21F-17(a) Action Against Private Company

by Benjamin Calitri

Benjamin Calitri. Photo courtesy of Kohn, Kohn & Colapinto, LLP.

On September 8th, the SEC announced its first enforcement action against a private company for violation of Rule 21F-17(a). Rule 21F-17(a) prohibits any person from “tak[ing] any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement.” In other words, this rule prevents companies from silencing whistleblowers.

The Commission already has a strong record of enforcing this rule among public companies, but its recent $225,000 sanction against Monolith Resources marks the first time the Commission has charged a privately held company that is not a broker or investment advisor with violating this rule.

Eight GDPR Questions when Adopting Generative AI

by Avi Gesser, Robert Maddox, Friedrich Popp, and Martha Hirst

From left to right: Avi Gesser, Robert Maddox, Friedrich Popp, and Martha Hirst. (Photos courtesy of Debevoise & Plimpton LLP)

As businesses adopt Generative AI tools, they need to ensure that their governance frameworks address not only AI-specific regulations such as the forthcoming EU AI Act, but also existing regulations, including the EU and UK GDPR.

In this blog post, we outline eight questions businesses may want to ask when developing or adopting new Generative AI tools or when considering new use cases involving GDPR-covered data. At their core, they highlight the importance of integrating privacy-by-design default principles into Generative AI development and use cases (see here).

If privacy is dealt with as an afterthought, it may be difficult to retrofit controls that are sufficient to mitigate privacy-related risk and ensure compliance. Accordingly, businesses may want to involve privacy representatives in any AI governance committees. In addition, businesses that are developing their own AI tools may want to consider identifying opportunities to involve privacy experts in the early stages of Generative AI development planning.

The Final Colorado AI Insurance Regulations: What’s New and How to Prepare

by Avi Gesser, Erez Liebermann, Eric Dinallo, Matt Kelly, Corey Jeremy Goldstein, Stephanie D. Thomas, Samuel J. Allaman, and Basil Fawaz

Top left to right: Avi Gesser, Erez Liebermann, Eric Dinallo and Matt Kelly
Bottom left to right: Corey Jeremy Goldstein, Stephanie D. Thomas, Samuel J. Allaman and Basil Fawaz
(Photos courtesy of Debevoise & Plimpton LLP)

On September 21, 2023, the Colorado Division of Insurance (the “DOI”) released its Final Governance and Risk Management Framework Requirements for Life Insurers’ Use of External Consumer Data and Information Sources, Algorithms, and Predictive Models (the “Final Regulation”). As discussed below, the Final Regulation (which becomes effective on November 14, 2023) reflects several small changes from the previous version of the regulation that was released on May 26, 2023 (the “Draft Regulation”). A redline reflecting these changes can be found here.

The most substantive change is the requirement that insurers must remediate any detected unfair discrimination. This change is especially significant in light of the DOI’s release of its draft regulation on Quantitative Testing for Unfairly Discriminatory Outcomes for Algorithms and Predictive Models Used for Life Insurance Underwriting (the “Draft Testing Regulation”) on September 28, 2023, which requires insurers to estimate the race and ethnicity of all proposed insureds that have applied for life insurance coverage and then conduct detailed quantitative testing of models that use external consumer data and information sources (“ECDIS”) for potential bias. The Testing Regulation provides that certain results of that prescribed testing methodology will be deemed to be unfairly discriminatory and thereby require the insurer to “immediately take reasonable steps . . . to remediate the unfairly discriminatory outcome . . .”  We will be writing much more about our concerns over the Draft Testing Regulation in the coming weeks.

In this Blog Post, we discuss the Final Regulation, how it differs from the Draft Regulation, and what companies should be doing now to prepare for compliance.

Companies Face Increased Criminal Enforcement Risk From Aging Infrastructure-Related Disasters

by Alexander C.K. Wyman, Aron Potash, and Mikaela Wynne Gilbert-Lurie

From left to right: Alexander C.K. Wyman, Aron Potash, and Mikaela Wynne Gilbert-Lurie. (Photos courtesy of Latham & Watkins LLP)

Utilities and energy companies can implement strategies to mitigate risks from more frequent environmental disasters and infrastructure failures.

In the early morning of June 11, 2023, a tanker truck carrying gasoline up I-95 in Philadelphia crashed and caught fire, and the overpass above buckled and collapsed. The section of the highway is critical to the roughly 160,000 vehicles that cross it daily. The immediate cause of the collapse is believed to be either the heat from the flames or the impact of the explosion weakening the steel beams supporting the overpass. Some, however, identified a more fundamental problem: “the fragility of the state’s aging infrastructure.”[1]

While the I-95 collapse presents a recent example of the significant risks associated with the US’s aging infrastructure, it is by no means unique. Many of the roads, bridges, dams, and electrical grids that keep the country running are decades old and often in need of repair. Infrastructure failures combined with environmental disasters can be catastrophic, and the consequences dire, for the public, the environment, and the utility or corporate entity potentially responsible for operating the failed infrastructure component. Moreover, a vicious cycle is often at work with respect to the environment and infrastructure failures in which, for example, extreme weather causes an infrastructure breakdown that in turn may result in environmental damage.

Seven Steps to Mitigate Hazing Risks

by Helen V. Cantwell, Mary Beth Hogan, Arian June, Daniel Alford, Omid Golmohammadi, and Michael Compton McGregor

Top left to right: Helen V. Cantwell, Mary Beth Hogan, and Arian June. Bottom right to left: Daniel Alford, Omid Golmohammadi, and Michael Compton McGregor. (Photos courtesy of Debevoise & Plimpton LLP)

Hazing and abuse in athletics at academic institutions have reached a boiling point recently, with high-profile allegations levied at top universities. These incidents are not only painful for those students personally affected, but they can also result in intense media coverage, reputational harm, and legal actions.

As recent events have shown, it is imperative for academic institutions to have a plan for both preventing and addressing hazing. The best approach is to be proactive, as no institution is above scrutiny and most, if not all, institutions have room for improvement. In order to help mitigate potential legal, financial and reputational risks, administrators and board trustees at these institutions should consider taking the following steps:

SEC Files Two More Actions Alleging Employee Severance Agreements Violated Whistleblower Protections

by Sidney Bashago, Angela T. Burgess, Adam Kaminsky, Emily Roberts, Veronica M. Wissel, Martine M. Beamon, Jennifer S. Conway, Kyoko Takahashi Lin, and Travis S. Triano

From top left to right: Sidney Bashago, Angela T. Burgess, Adam Kaminsky, Emily Roberts, and Veronica M. Wissel. From bottom left to right: Martine M. Beamon, Jennifer S. Conway, Kyoko Takahashi Lin, and Travis S. Triano. (Photos courtesy of Davis Polk & Wardwell LLP)

The SEC has announced settlement of enforcement actions against two companies stemming from each company’s use of separation agreements that allegedly violated Dodd-Frank whistleblower protection rules. The settled enforcement actions demonstrate that whistleblower protection remains a priority for the SEC’s Enforcement Division.
