Bank Relationships with Fintechs

by Jai R. Massari, Eric McLaughlin, Gabriel D. Rosenberg, Margaret E. Tahyar, Zachary J. Zweihorn, Adam Greene, and Dana E. Seesel

Federal banking regulators continue to signal their attention to banks’ relationships with third parties, and particularly with fintechs. We think that these developments should be of interest to larger banking organizations as well.


New Civil Cyber-Fraud Initiative Uses False Claims Act to Enforce Cybersecurity Requirements

by David Bitkower, Brandon D. Fox, Shoba Pillay, David B. Robbins, and Moshe Broder

The Department of Justice (DOJ) announced a new Civil Cyber-Fraud initiative which will use the False Claims Act (FCA) to enforce government contract cybersecurity requirements. The initiative will be led by the Fraud Section of the DOJ Civil Division’s Commercial Litigation Branch. DOJ believes it can bring its experience and resources from its civil fraud enforcement, procurement, and cybersecurity focused attorneys to make this a successful initiative.


Face Forward: Strategies for Complying with Facial Recognition Laws (Part I of II)

by Jeremy Feigelson, Avi Gesser, Anna Gressel, Andy Gutierrez, and Johanna Skrzypczyk

This is Part I of a two-part post. 

Two huge cross-currents are sweeping the world of facial recognition—and head-on into each other. Companies are eagerly adopting facial recognition tools to better serve their customers, reduce their fraud risks, and manage their workforces. Meanwhile, legislatures and privacy advocates are pushing back hard. They challenge facial recognition as inherently overreaching, invasive of privacy, and prone to error and bias. Legal restrictions of different kinds have been enacted around the country, with more seemingly certain to come.

How will the tension sort itself out between new use cases on the one hand and the push for legal restrictions on the other – and when? And what’s a company to do right now, with facial recognition opportunities presenting themselves today while the law remains a moving target?

This two-part series aims to help. In this Part 1, we lay out the current laws governing facial recognition in the United States. In Part 2, we assess where the law is headed and offer some practical risk-reduction strategies.


California Enacts Further Restrictions on Use of Nondisclosure Agreements in Discrimination and Harassment Settlements

by Joseph J. Torres and Katherine M. Funderburg

The #MeToo movement caused a significant amount of legislative activity across the country, addressing, among other things, limits on the use of nondisclosure agreements in settlements of sexual harassment claims.[1] Expanding on those protections, California Governor Gavin Newsom has signed into law the Silenced No More Act (S.B. 331), which imposes new, expanded restrictions on the use of nondisclosure agreements (NDAs) in settling bias and harassment claims by employees under various California statutes. The new law, which was passed by the state Senate on August 30, takes effect on January 1, 2022.


Three Takeaways from the IOSCO Report to Securities Regulators on Artificial Intelligence

by Avi Gesser, Anna R. Gressel, and Mengyi Xu

On September 7, 2021, the Board of the International Organization of Securities Commissions (“IOSCO”) issued a final report (PDF: 446 KB) entitled “The Use of Artificial Intelligence and Machine Learning by Market Intermediaries and Asset Managers” (the “Report”), which aims to assist IOSCO members in supervising their regulated entities over the use of AI and ML.

While non-binding, the Report is likely to serve at least as a key frame of reference—if not as a benchmark—for the development of more tailored supervisory approaches by securities regulators around the globe. While the concepts in the Report are not new, they reflect an acknowledgement that existing regulations may not be sufficient to mitigate the wide variety of AI risks, and that new and tailored regulations targeting asset managers’ and market intermediaries’ use of AI may be needed.


Do Your ESG Disclosures Need Leveling Up? Leading Video Game Company Faces SEC Investigation into Its Harassment and Discrimination Disclosures as It Reaches $18 Million Settlement with EEOC

by Anne Cortina Perry, Anthony S. Barkow, Charles D. Riely, Lori B. Day, Tali R. Leinwand, and Anna Windemuth

Recent activity by two federal regulators underscores an increasingly obvious reality: when a company is confronted with harassment and discrimination complaints, government agencies will scrutinize its response and may bring enforcement actions. For months, video game maker Activision Blizzard (“Activision”) has been dealing with negative publicity and litigation relating to allegations that it allowed pervasive sexual harassment and discrimination to occur and failed to appropriately respond. Just three weeks ago, Activision confirmed that the US Securities and Exchange Commission (“SEC”) was investigating the sufficiency of its disclosures.[1] In the latest news concerning the company, Activision publicly disclosed two weeks ago that it was resolving a case with the US Equal Employment Opportunity Commission (“EEOC”) by making an $18 million payment to establish a victim fund.[2] This client alert analyzes these developments, the other civil and regulatory issues faced by Activision, and discusses steps companies can take when confronted with harassment or other work conduct allegations.


Will They Finally Test Compliance?

by Brandon L. Garrett

Compliance continues to be an important aspect of settlements in corporate prosecutions. In a recent article, “Testing Compliance,” Greg Mitchell and I argue that companies, and particularly government regulators and enforcers, should not treat compliance as “hope-based,” where they ask whether it seems well-intentioned or likely to comply with best practices. Instead, they should empirically test compliance to find out whether it in fact works. It is understandable that companies do not generate self-critical testing data when government does not require it. But it is most troubling of all that governments have not incentivized generation of information about what actually works.


Three Myths About ESG

by Nell Minow

ESG has passed the tipping point. For investors, ESG, which stands for Environmental, Social, and Governance factors, has gone from a nice-to-have to a have-to-have. ESG is the fastest growing area of investment, with every major financial institution and every significant institutional investor having one or more ESG options. U.S. ESG index funds reached over $250 billion in 2020. More significantly, ESG factors are permeating every aspect of even the most traditional investment vehicles. A 2020 survey of 809 institutional asset owners, investment consultants and financial advisers found that 75 percent of them use ESG factors in their investment strategies, up from 70 percent in 2019. Nearly 13 percent of respondents were pension plan sponsors. Corporate executives and board members are scrambling to catch up.


Cryptoassets at an Inflection Point

by David M. Adlerstein

Cryptoassets and the underlying blockchain technologies are becoming increasingly mainstream, with stablecoins, decentralized finance (DeFi), and digital representation of ownership (NFTs) rapidly gaining footing.  While these technologies have attractive features, and may yet prove revolutionary for our economy, this rapid growth also poses significant risks, implicating longstanding principles of prudential regulation, market integrity, and investor protection.  The challenge facing U.S. regulators and lawmakers is one of balance:  to protect investors and market integrity, and curb excesses that could significantly harm the economy, while preserving the technology’s benefits for market participants and the U.S.’s position at the industry’s vanguard.  Following are some considerations which could help strike an appropriate balance on some of the most salient issues posed by cryptoassets’ rapid growth.


OFAC’s Ransomware Advisory – How Banks Can Reduce Their Sanctions Risk for Client Cyber Ransom Payments (Part II of II)

by Luke Dembosky, Avi Gesser, Satish Kini, HJ Brehmer, and Scott Caravello

This is Part II of a two-part post. For Part I, which provides a general overview of OFAC’s updated ransomware advisory and the ways that victim companies can reduce their sanctions risks, click here.

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) released an updated advisory (PDF: 252 KB) (the “Advisory”) on the sanctions risks associated with facilitating ransomware payments. The Advisory applies to victims of ransomware attacks, as well as companies that facilitate payments to threat actors, including financial institutions. In Part 1, we discussed the Advisory generally, and ways that victim companies can reduce their sanctions risks. In this Part 2, we discuss the measures that financial institutions can adopt to mitigate their ransomware sanctions risks, and why those compliance controls differ from the steps being taken by victims.
