The Behavioral Code: Four Behavioral Science Insights for Compliance and Enforcement
by Benjamin van Rooij and Adam Fine
With each new corporate scandal and case of major illegal corporate behavior or wrongdoing, regulators and prosecutors will face tougher questions about why they have not been able to prevent damages. Increasingly, this will mean that compliance and regulatory enforcement become an ex-ante affair, where corporate managers and government officials seek to influence behavior before damage happens, rather than the ex-post model of assigning liability after the fact or defending the corporation against such liability.
Getting Ready for 2023: What Companies Can Do Now to Prepare for New Privacy Laws
by Jeremy Feigelson, Avi Gesser, Johanna Skrzypczyk, Michael Bloom, Michael R. Roberts, Tricia Reville, and Kate Saba
The Virginia Consumer Data Protection Act (“VCDPA”) and amendments to the California Consumer Privacy Act (“CCPA”)—enshrined in the California Privacy Rights Act (“CPRA”)—take effect on January 1, 2023. In addition, the Colorado Privacy Act (“ColoPA”) takes effect on July 1, 2023. These developments have companies understandably concerned about complying with a patchwork of state laws.
How can companies prepare?
Real Estate and Money Laundering: FinCEN Issues Advanced Notice of Regulations for the Real Estate Industry
by Peter Hardy, Richard Andreano, Jr., Michael Robotti, and Nikki Hatza
On December 6, FinCEN announced that it was issuing an Advanced Notice of Proposed Rulemaking (“AMPRM”) to solicit public comment on potential requirements under the Bank Secrecy Act (“BSA”) for certain persons involved in real estate transactions to collect, report, and retain information. If finalized, such regulations could affect a whole new set of professionals and one of largest industries in the U.S.—an industry which, heretofore, has not been subject to the requirements of the BSA, with limited exceptions.
AMLA 2020: New Penalties for Concealing Transactions Involving Senior Foreign Political Figures
by Barak Cohen, David B. Massey, Jamie A. Schafer, David Sewell, and Paul M. Korol
On New Year’s Day 2021, Congress passed the Anti-Money Laundering Act of 2020 (AMLA 2020). The AMLA 2020 included sweeping reforms aimed at strengthening protections against money laundering, terrorism financing, and other illegal activities.
In this article, we examine two new criminal penalties established by the AMLA 2020. In a nutshell, these penalties prohibit concealing or falsifying information related to ownership or control of funds in transactions involving senior foreign political figures and entities designated to be of primary money laundering concern. This is a potentially significant new tool providing for criminal prosecution targeting a broad swath of intermediaries who may be involved in facilitating transactions involving senior foreign political officials, including brokers, nominees, lawyers and any other person or entity that may communicate with a financial institution in the course of a transaction falling under these provisions.
Recommendations for Combating Bribery of Foreign Officials
by Kara Brockmeyer, Andrew M. Levine, Bruce E. Yannett, Ada Fernandez Johnson, and Katelyn McNelis
On November 26, 2021, the Organization for Economic Cooperation and Development (the “OECD”) published revised anti-corruption guidelines, the Recommendation for Further Combating Bribery of Foreign Officials (the “2021 Recommendation”). These guidelines update the original recommendation from 2009 and significantly expand the expectations of member countries regarding anti-corruption enforcement.
New York Department of Financial Services Issues Final Guidance on Managing the Financial Risks of Climate Change for Insurers
by Marion Leydier, William Torchiana, Roderick Gilman, Sarah Mishkin and Samuel Saunders
On November 15, 2021, the New York State Department of Financial Services (“DFS”) issued detailed final guidance (the “Final Guidance”) addressing how New York domestic insurers should analyze and manage the financial risks of climate change.[1] The Final Guidance builds on the DFS’s proposed climate guidance released in March 2021.[2]
The Final Guidance reflects relatively limited changes from the proposed guidance. The changes include additional guidance on the time horizon insurers should consider when integrating climate risks into business decisions; how insurers should manage uncertainty related to climate change; and how the guidance applies to insurers that are part of groups. The DFS notes that it expects insurers to implement its guidance relating to board governance and to have specific plans in place to implement the guidance relating to organizational structure by August 15, 2022. The DFS plans to issue further guidance on the timing for implementation of more complex areas that will take insurers longer to implement, such as those relating to risk appetite, analysis of the impact of climate risks on existing risk factors, reflection of climate risks in the Own Risk and Solvency Assessment (“ORSA”), scenario analysis and public disclosure, but the DFS notes that it encourages insurers to begin working on these now.
The Final Guidance comes as U.S. financial regulators and policy makers, including the U.S. Department of Treasury, the U.S. Securities and Exchange Commission (“SEC”) and the Federal Reserve Bank, are focused on the potential systemic risk that climate change poses to the financial sector.[3]
Insurance and other prudential regulators outside of the U.S. are also addressing climate-related risks, and the DFS notes that the Final Guidance is modeled on publications and guidance from international regulators and networks, including the Bank of England Prudential Regulation Authority, the International Association of Insurance Supervisors (“IAIS”), the European Insurance and Occupational Pensions Authority (“EIOPA”), the European Central Bank and the Network for Greening the Financial System.[4]
An overview of recent actions by regulators and lawmakers in the U.S., EU and UK related to climate change and other environmental, social and governance topics is provided in the Firm’s ESG update newsletter, available here.
Assistant Attorney General Talks About DOJ Criminal Division Priorities, Where Resources Are Going
by Valarie Hays and Michael Kim Krouse
The Assistant Attorney General (AAG) for the Criminal Division, Kenneth Polite, Jr.—who previously held positions as a US Attorney, law firm partner, and in-house counsel—was interviewed Wednesday, December 1, at the American Conference Institute’s Foreign Corrupt Practices Act (FCPA) conference.
Here are some key takeaways from the wide-ranging discussion:
Second Circuit Rules Foreign State-Owned Bank Does Not Have Sovereign Immunity From Criminal Prosecution
by Carmine Boccuzzi, Jr., Jonathan Kolodner, Rahul Mukhi, Boaz Morag, Rathna Ramamurthi, Hyatt Mustefa, and Matthew Slater
The U.S. Court of Appeals for the Second Circuit recently held in U.S. v. Halkbank[1] that a Turkish state-owned bank did not have sovereign immunity from criminal charges that it engaged in a conspiracy to launder $20 billion of Iranian oil and gas proceeds in violation of U.S. sanctions.
While the district court had joined other Circuit courts in ruling that the Foreign Sovereign Immunities Act (“FSIA”) does not confer on foreign sovereigns immunity from criminal prosecutions, the Second Circuit declined to decide that unsettled issue, except insofar as it held that the FSIA is not the only source of criminal jurisdiction over a foreign sovereign. Instead, the Second Circuit assumed arguendo that the FSIA confers immunity in the criminal context and held that the conduct at issue would fall under the FSIA’s commercial activity exception to immunity.
Banking Regulators Finalize 36-Hour Data Breach Notification Rule
by Luke Dembosky, Avi Gesser, Satish Kini, Gregory Lyons, Johanna Skrzypczyk, Christopher Ford, Alex Mogul, and Erik Rubinstein
On November 18, 2021, federal banking regulators published a Final Rule that imposes new notification requirements on banking organizations for certain cybersecurity incidents.
Most significantly, the Final Rule requires that banking organizations notify their primary federal regulator within 36 hours after experiencing a material or potentially material cybersecurity event.
The Final Rule will go into effect on April 1, 2022, with a required compliance date of May 1, 2022.
The regulators – the Federal Deposit Insurance Corporation (“FDIC”), the Office of the Comptroller of the Currency (“OCC”) and the Federal Reserve Board (“FRB”) (together the “Agencies”) – first published a proposed rule about ten months ago, which we covered on the Data Blog. Much of the proposed rule was carried over into the Final Rule, but there are a few key differences, which we identify below.