Limited-Risk AI—A Deep Dive Into Article 50 of the European Union’s AI Act

by Martin Braun, Anne Vallery, and Itsiq Benizri

Left to right: Martin Braun, Anne Vallery and Itsiq Benizri (photos courtesy of the authors)

This blog post focuses on the transparency requirements associated with certain limited-risk artificial intelligence (AI) systems under Article 50 of the European Union’s AI Act.

As explained in our previous blog post, the AI Act’s overall risk-based approach means that, depending on the level of risk, different requirements apply. In total, there are four levels of risk: (1) unacceptable risk, in which case AI systems are prohibited (see our blog post on prohibited AI practices for more details); (2) high risk, in which case AI systems are subject to extensive requirements, including regarding transparency; (3) limited risk, which triggers only transparency requirements; and (4) minimal risk, which does not trigger any obligations.

SEC Adopts Amendments to Regulation S-P That Require Reporting Breaches of “Sensitive Customer Information”

by Mike Borgia and Andrew Lewis

From left to right: Mike Borgia and Andrew Lewis (Photos courtesy of authors)

Broker-dealers, registered investment advisors, and funds are now required to report breaches of “sensitive” nonpublic personal information (NPI) to affected individuals.

On May 15, the Securities and Exchange Commission adopted amendments to Regulation S-P, which covers broker-dealers, registered investment advisors (RIAs), and investment companies (funds). These entities are now required to report data breaches affecting “sensitive customer information,” which is “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”

The amendments were originally proposed on March 15, 2023 (covered in a previous post). The amendments will go into effect 60 days after they are published in the Federal Register.

Second Circuit: Crypto Exchange Binance Subject to U.S. Securities Laws to Avoid a Regulatory Vacuum

Left to right: David Livshiz, Timothy Howard, Andrew Gladstein, Peter Linken, and Seve Kale (photos courtesy of authors)

A recent Second Circuit decision underscores that decentralized crypto exchanges with no claimed “home” jurisdiction face a substantial likelihood of exposure to U.S. securities laws.  In Williams v. Binance, 96 F.4th 129 (2d Cir. 2024), the Second Circuit held plaintiffs adequately alleged crypto token purchases made on Binance’s trading platform by U.S. persons were domestic transactions and subject to U.S. securities laws on two independent grounds.  First, it was plausible that plaintiffs’ purchase orders were matched with sellers on servers located in the U.S.  Second, Binance’s Terms of Use stated orders became irrevocable once they were sent to Binance, which the plaintiffs alleged occurred from their homes in the United States.  The Court’s extraterritoriality analysis focused on Binance’s express disclaimer of a physical presence or geographical headquarters and the inapplicability of any other country’s securities regime.  These factors created the possibility of a regulatory vacuum absent imposition of U.S. securities laws.  Underscoring this point, the Court reasoned that “[e]ven if the Binance exchange lacks a physical location, the answer to where [it matches transactions] cannot be ‘nowhere.’”  Williams, 96 F.4th at 138. 

It will take years before the full implications of Williams become clear; but what is already clear is that U.S. courts are likely to be skeptical of corporate structures that appear to leave a company immune from litigation anywhere. This skepticism is particularly relevant to crypto exchanges and other decentralized actors, which may not have or maintain a traditional “home” jurisdiction or base. Such decentralized actors may wish to consider taking steps to reduce the risk of exposure to U.S. securities laws, including affirmatively establishing a domicile outside the U.S. by opening a non-U.S. office or otherwise formally submitting to regulation by another nation, using servers, data centers, and other computer network infrastructure outside of the United States, and drafting terms of service or other contractual agreements to provide that transactions become irrevocable in a location outside the U.S.

Strategic Communications Considerations When a Government Investigation Becomes Public Through Voluntary Self-Reporting or Other Means

by Cari Robinson

Photo courtesy of the author

The SEC, DOJ, and nationwide USAOs are increasingly encouraging organizations to self-report misconduct, fully cooperate with authorities, and meaningfully remediate. In return, companies may receive reduced penalties, up to and including a government agreement not to criminally prosecute and a declination to bring a civil enforcement action.

However, in addition to being costly and time-consuming, self-reporting presents reputational risks. There also is always a possibility that a sensitive matter will leak. In any event, having complementary legal and crisis communications strategies in place can help companies avoid costly missteps and mitigate reputational damage.

SEC Staff Provides Guidance on Cyber Form 8-K Reporting

by Scott Kimpel 

Photo courtesy of Hunton Andrews Kurth LLP

On May 21, 2024, staff of the U.S. Securities and Exchange Commission (“SEC”) published additional interpretive guidance on reporting material cybersecurity incidents under Form 8-K.

Since December 18, 2023, when the SEC’s rules for reporting material cybersecurity incidents under Item 1.05 on Form 8-K took effect, we have identified 17 separate companies that have made disclosures under the new rules. Since that date, several other companies also have made disclosures regarding cybersecurity incidents under other Form 8-K items. A large majority of those companies reporting under Item 1.05 have either not yet determined that the triggering incident was material, or determined that the event was in fact immaterial.

BIS Primes the Corporate Enforcement Engine: A Fresh Look at What Recent BIS Actions & Statements Mean and a Proposed Framework for How U.S. Companies Can Best Prepare

by Brent Carlson and Michael Huneke 

From left to right: Brent Carlson and Michael Huneke (Photos courtesy of authors)

The risk of corporate criminal enforcement actions for export controls evasion or diversion is significantly increasing. Recent actions and statements by the Department of Commerce’s Bureau of Industry & Security (“BIS”) suggest that, beyond saber-rattling, BIS is deliberately priming the corporate enforcement engine with the fuel for an enforcement wave that will follow the Foreign Corrupt Practices Act (“FCPA”) “playbook” that the U.S. Department of Justice (“DOJ”) has successfully deployed for the last two decades.

The fuel comes in the form of official, multiagency guidance documents and other actions that describe circumstances indicating a “high probability” of misconduct, which as we have previously written is a freestanding basis for enforcement actions under both the FCPA and the Export Administration Regulations (“EAR”).[1] Such agency actions by BIS notably include the issuance to U.S. companies of lists of counterparties under cover of what BIS officials describe as “red flag” letters. Since our prior analysis,[2] BIS has reemphasized the significance of such letters and underscored the importance of how U.S. companies respond.

FinCEN and SEC Move Closer to New AML Requirements for Investment Advisers & ERAs

by Joel M. Cohen, Claudette Druehl, Marietou Diouf, Tami Stark, Prat Vallabhaneni, and Robert DeNault

Top: Joel M. Cohen, Claudette Druehl, and Marietou Diouf
Bottom: Tami Stark, Prat Vallabhaneni, and Robert DeNault
(Photos courtesy of White & Case LLP)

On May 13, 2024, FinCEN and the SEC jointly proposed a new rule that would require SEC-registered investment advisers and exempt reporting advisers to maintain written customer identification programs (CIPs).  The new rule supplements a proposal in February to impose requirements on investment advisers similar to those that have existed for broker-dealers since 2001, as a means to address illicit finance and national security threats in the asset management industry.

For investment advisers who do not currently have an AML/CFT program, this compliance obligation will create a large shift in the way they operate.  This will require significant legal time and attention, but it will be time well spent considering potential regulatory exposure and likely indemnification obligations which flow through commercial agreements in favor of counterparties.

Biden National Security Memorandum Bolsters CISA Role for Cybersecurity Oversight in Critical Infrastructure

by Beth Burgin Waller and Patrick J. Austin

Beth Burgin Waller and Patrick J. Austin (photos courtesy of Woods Rogers Vandeventer Black PLC)

The Biden Administration recently rolled out a new critical infrastructure memorandum, titled National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22), which is intended to set forth the role of the federal government, including responsibilities for specific federal agencies, in protecting U.S. critical infrastructure.

NSM-22 serves to supplant PPD-21, formally known as the Presidential Policy Directive — Critical Infrastructure Security and Resilience (pdf). PPD-21, a memorandum issued during the Obama Administration, designated 16 critical infrastructure sectors that will be subject to additional oversight through the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Pursuant to CIRCIA, entities operating in critical infrastructure sectors will be obligated to report “covered cyber incidents” within 72 hours of the entity developing a reasonable belief that a cyber incident occurred. In addition, critical infrastructure entities must report ransom payments within 24 hours after a payment is made. CIRCIA delegated rulemaking authority to the Cybersecurity and Infrastructure Security Agency (CISA). We wrote about CISA’s proposed rule containing cyber incident reporting requirements in a recent article.

Keeping Deferred Corporate Charges Deferred: Some Dos and Don’ts

by John Savarese, Randall Jackson, and Michael Holt

Left to right: John Savarese, Randall Jackson, and Michael Holt (Photos courtesy of Wachtell, Lipton, Rosen & Katz)

At the heart of every white-collar deferred prosecution agreement (DPA) is the deferral of filed criminal charges and a promise by DOJ to dismiss those charges at the end of a fixed term if the company has lived up to its remedial and other commitments. Breaches of these agreements are rare. But DOJ’s recent letter advising the U.S. District Court for the Northern District of Texas that Boeing breached its obligations under a January 2021 DPA (entered into with DOJ to resolve criminal charges relating to Boeing’s mishandling of FAA reporting concerning its 737 MAX aircraft following fatal crashes of two of those planes) provides a telling reminder of the critical need for companies to design and carry out an effective and comprehensive plan to abide by all terms established under a DPA.

Crypto Experts React to Recent SDNY Ethereum Fraud Indictment

The NYU Law Program on Corporate Compliance and Enforcement (PCCE) is following the U.S. Attorney’s Office for the Southern District of New York’s recent indictment of two individuals for allegedly attacking and stealing $25 million from the Ethereum blockchain. The indictment in the case, United States v. Peraire-Bueno, 24 Cr. 293 (SDNY), is available here.  Below, several crypto experts and former prosecutors provide their reactions to the case.

Left to right: Maria Vullo, Daniel Payne, Elizabeth Roper, Usman Sheikh, Justin Herring, and Robertson Park (photos courtesy of the authors)
