FinCEN Issues First AML/CFT Policy Priorities

by Jonathan J. Rusch

The Anti-Money Laundering Act of 2020 (AML Act) (enacted as Division F of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021) specifically stated Congress’s intention “to reinforce that the anti-money laundering and countering the financing of terrorism [(AML/CFT)] policies, procedures, and controls of financial institutions shall be risk-based.”[1] Among other significant changes in AML/CFT law, it revised the Bank Secrecy Act (BSA) to provide that one of the purposes of the BSA’s reporting requirements was to “prevent the laundering of money and the financing of terrorism through the establishment by financial institutions of reasonably designed risk-based programs to combat money laundering and the financing of terrorism.”[2]

The AML Act further stated that AML/CFT programs should be “(II) risk-based, including ensuring that more attention and resources of financial institutions should be directed toward higher-risk customers and activities, consistent with the risk profile of a financial institution, rather than toward lower-risk customers and activities.”[3] To those ends, the AML Act directed the Secretary of the Treasury, in consultation with other agencies, to “establish and make public priorities for [AML/CFT] policy” within 180 days of the AML Act’s enactment, and to update those priorities at least once every four years.[4]

On June 30, the Financial Crimes Enforcement Network (FinCEN), an agency of the Treasury Department, announced that it had issued the first national AML/CFT Priorities pursuant to the AML Act, along with two Priorities Statements to provide guidance to covered institutions on how to approach the Priorities.[5]  This post will discuss the Priorities document and the two additional statements, and recommend immediate steps for covered institutions in response to these documents.

A Deficiency Letter to (Not From) The SEC: Please Provide More Transparency When Charging a Chief Compliance Officer With Personal Liability

by Matthew L. Levine

In a prior blog post we discussed the important question of whether certain regulators – especially the SEC – have undercut effective compliance programs by sending mixed signals about when a Chief Compliance Officer should be held personally liable for the actionable compliance deficiencies of his or her firm.[1] Two important developments have occurred since then:  (a) the issuance of an industry-side framework identifying factors that should be evaluated by the SEC in deciding whether to bring charges against a CCO; and (b) a recent SEC enforcement action against the CCO of an investment advisory firm based only on a finding of negligence.  The SEC’s action in particular leaves open a number of consequential questions for industry participants.

Our prior post noted the report issued by the New York City Bar Association (“NYCBA”) Compliance Committee in February 2020 (“Report on Chief Compliance Officer Liability in the Financial Sector”), which recommended that regulators provide formal guidance about when it is appropriate to bring an enforcement action against a compliance officer.[2] Subsequently, in October 2020 SEC Commissioner Hester Peirce embraced this recommendation, going further to suggest that she might develop such a “draft framework” on her own to share with SEC colleagues. No meaningful word has yet emerged from Commissioner Peirce or the SEC on this topic since then.

Seven Tips for Reducing CCPA Litigation Risks – Lessons from the First 18 Months

by Jeremy Feigelson, Avi Gesser, Jim Pastore, Johanna Skrzypczyk, Christopher S. Ford, Alexandra P. Swain, and HJ Brehmer

Since the implementation of the California Consumer Privacy Act (“CCPA”) 18 months ago, more than 75 lawsuits have been filed seeking damages using the Act’s private cause of action. The CCPA provides a cause of action to “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures.” Consumers can seek damages for any harm actually incurred as well as statutory damages ranging from $100 to $750 per consumer per incident.

Not surprisingly, in these early days of CCPA private actions, plaintiffs are trying to push the boundaries of the law and testing who, when, and why a CCPA claim may be brought. In this post, we offer practical tips for reducing CCPA risk based on a review of the cases filed to date and the treatment of those cases in the courts. 

Colorado Consumer Privacy Bill Passes, Heads to Governor’s Desk

by Marian A. Waldmann Agarwal, Cynthia J. Rich, and Robert N. Famigletti

With the passage of SB21-190, Colorado is poised to become the third U.S. state—behind California and, most recently, Virginia—to enact a comprehensive consumer privacy law. On June 8, 2021, the Colorado Senate approved House amendments to the bill, which previously sailed through full Senate and House votes with overwhelming approval. The bill will soon be transmitted to Governor Jared Polis for his approval and, if enacted, the Colorado Privacy Act (CPA) will become operative on July 1, 2023.  

The CPA tracks closely with the recently-enacted Virginia Consumer Data Protection Act (VCDPA), including by distinguishing between data “controllers” (i.e., businesses that determine the purpose and means of processing personal data) and “processors” (i.e., businesses that process personal data on behalf of a controller), and by prescribing GDPR-like obligations. However, the CPA’s enforcement regime would mark a significant departure from the other state consumer privacy laws, empowering both the Colorado Attorney General (AG) and district attorneys to enforce violations of the Act and prescribing civil penalties of up to $20,000 per violation.

How Costly is Whistleblowing?

by Aiyesha Dey, Jonas Heese, and Gerardo Perez Cavazos

Regulators trying to curtail financial fraud, government procurement fraud, or tax fraud, among many other types of misconduct, increasingly rely on whistleblowers for tips. However, the concern is that whistleblowers face severe costs to help uncover corporate fraud. Yet, there is no large-sample evidence on the consequences for whistleblowers. We examine the costs for whistleblowers using information from lawsuits, a professional networking site, and background checks for up to 1,168 whistleblowers. In particular, we investigate the career, financial, and social consequences for whistleblowers that filed lawsuits under the False Claims Act (FCA) against firms accused of defrauding the government.

China Constricts Sharing of In-Country Corporate and Personal Data Through New Legislation

by Patrick F. Stokes, Oliver Welch, Nicole Lee, Ning Ning, Kelly S. Austin, Judith Alison Lee, Adam M. Smith, John D.W. Partridge, F. Joseph Warin, Joel M. Cohen, Ryan T. Bergsieker, Stephanie Brooker, John W.F. Chesley, Connell O’Neill, Richard Roeder, Michael Scanlon, Benno Schwarz, Alexander H. Southwell, and Michael Walther

The People’s Republic of China is clamping down on the extraction of litigation- and investigation-related corporate and personal data from China—and this may squeeze litigants and investigation subjects in the future.  Under a new data security law enacted late last week and an impending personal information protection law, China is set to constrict sharing broad swaths of personal and corporate data outside its borders.  Both statutes would require companies to obtain the approval of a yet-to-be-identified branch of the Chinese government before providing data to non-Chinese judicial or law enforcement entities.  As detailed below, these laws could have far-reaching implications for companies and individuals seeking to provide data to foreign courts or enforcement agencies in the context of government investigations or litigation, and appear to expand the data transfer restrictions set forth in other recent Chinese laws.[1]

SEC Charges Issuer for Inadequate Cybersecurity Disclosure Controls: Action Suggests a More Active SEC Enforcement Role Concerning Disclosure Controls and Procedures for Cybersecurity

by Cathy Clarkin, Bob Downes, John Evangelakos, Nicole Friedlander, Tony Lewis, Sarah Payne, Steve Peikin, Kamil Shields and Rebecca Sobel

On June 15, 2021, the Securities and Exchange Commission (“SEC”) announced charges against First American Financial Corporation (“First American”) for failure to maintain adequate disclosure controls and procedures in violation of Exchange Act Rule 13a-15(a).[1]  The charges, which were simultaneously settled pursuant to a cease-and-desist order (the “Order”) imposing a $487,616 civil money penalty, related to a vulnerability in First American’s proprietary software application that caused tens of millions of document images—many containing consumers’ personal information—to be publicly accessible.  After being notified by a journalist about the vulnerability on May 24, 2019, First American issued a press release and subsequently filed a Form 8-K with the SEC.  According to the Order, however, the senior executives responsible for these disclosures were not informed prior to the time the disclosures were made that certain First American personnel had longstanding prior knowledge of the vulnerability, and that the vulnerability had not been remediated in accordance with the company’s policies.  In light of the action—and increased scrutiny by U.S. authorities concerning cybersecurity in the wake of nationally significant ransomware attacks and cyberattacks involving SolarWinds and Microsoft software—issuers should review and confirm the efficacy of their disclosure controls and procedures for analyzing and escalating key information about cybersecurity incidents and vulnerabilities.

The Forecast for the EU Whistleblowing Directive in Member States: Cloudy with a Chance of Implementation

by Alja Poler De Zwart and Mercedes Samavi

Do you work for an organization that does not know what to do with its whistleblowing hotline in Europe? Are you patiently waiting for any news on what is happening with the implementation throughout the European Economic Area (“EEA”) of the EU’s new Directive on the protection of persons who report breaches of European Union law (the “Whistleblowing Directive”), while getting more and more concerned about the lack of information? Well, if it helps at all, you are not alone. Although the implementation deadline of December 17 appears quite far away for now, this is deceptive, especially for multinational organizations that have to start preparing to comply with likely varying local implementation requirements in multiple countries.

We have been monitoring the implementation progress in 30 EEA countries, and the outlook does not look that great. As far as we can tell, not a single country has managed to adopt its implementing law to date, and some countries appear to have not even started yet. The good news is that the majority of countries are in the middle of their implementation process, but whether local legislators will manage to agree on the bills soon enough to have them ready before December 17 is anyone’s guess. As eternal optimists, we hope for the best. But while we wait, we put together a short summary of our findings and thoughts to help provide some context.

Biden: The Fight Against Foreign and Transnational Corruption Is a National Security Interest

by Kimberly A. Parker, Jay Holtmeier, Christopher Cestaro, John F. Walsh, Edward C. O’Callaghan, Ronald C. Machen, Lillian Howard Potter, Chavi Kenney Nana, Zachary Goldman, Mandy Fatemi, and Gemma Bateman

On June 3, 2021, President Biden issued a National Security Memorandum establishing the fight against corruption both at home and abroad as a core United States national security interest and directing the development of a 200-day interagency review designed to culminate in a report and recommendations on how the United States government and its partners can better combat corruption, enhance transparency in the global financial system and promote good governance. When combined with the anti-money laundering (AML) legislation that entered into force with the January 2021 bipartisan passage of the National Defense Authorization Act for Fiscal Year 2021 (NDAA)[1]—the most significant reforms to US AML laws since the 2001 adoption of the USA PATRIOT Act—and a review of sanctions policy conducted by the Treasury Department, the Memorandum may lead to a heightened focus on illicit financial activity and corruption and may ultimately result in additional resources being allocated to anti-corruption and AML enforcement.

Consequences of Wirecard Scandal: New Requirements for Corporate Governance and Audit of German Listed Companies

by Silke Beiter, Ferdinand Fromholzer, Johanna Hauser, and Finn Zeidler

As a reaction to the spectacular collapse of Wirecard, a then-DAX-listed financial service provider, in June 2020, an Act on Strengthening the Financial Market Integrity (Finanzmarktintegritätsstärkungsgesetz – FISG) has now been adopted following several months of intense discussions. It enters into effect on 1 July 2021 with a transitional period for certain provisions. The Act establishes new requirements for the corporate governance and the audit of listed companies as well as other public-interest entities.