Tag Archives: John P. Carlin

CFPB Issues Final “Open Banking” Rule Requiring Covered Entities to Provide Consumers Access and Transferability of Financial Data

by Jarryd Anderson, Jessica S. Carey, John P. Carlin, Roberto J. Gonzalez, Brad S. Karp, and Kannon Shanmugam

Top Left to Right: Jarryd Anderson, Jessica Carey, and John Carlin. Bottom Left to Right: Roberto Gonzalez, Brad Karp, and Kannon Shanmugam. (photos courtesy of Paul Weiss)

On October 22, 2024, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) published a 594-page Notice of Final Rulemaking for its “Personal Financial Data Rights” rule, commonly known as the “Open Banking” rule, which will require covered entities—generally, providers of checking and prepaid accounts, credit cards, digital wallets, and other payment facilitators—to provide consumers and consumer-authorized third parties with access to consumers’ financial data free of charge.[1] Covered entities are required to comply with uniform standards to provide access to this financial data through consumer and developer interfaces.[2] The rule imposes requirements on authorized third parties (such as fintechs), as well as data aggregators that facilitate access to consumers’ data, including required disclosures to consumers regarding the third parties’ use and retention of the requested data and a requirement that the data only be used in a manner reasonably necessary to provide the requested product or service (thus foreclosing selling the data or using it for targeted advertising or cross selling purposes).[3]

The Year That Was: Key Cybersecurity and Privacy Developments in 2023 and Issues for 2024

by John P. Carlin, Jeh Charles Johnson, Jeannie S. Rhee, Peter Carey, and Steven C. Herzog

From left to right: John P. Carlin, Jeh Charles Johnson, Jeannie S. Rhee, Peter Carey, and Steven C. Herzog. Photos courtesy of Paul, Weiss, Rifkind, Wharton & Garrison LLP.

At the beginning of the year, we predicted that the use of personal information and the protection of data in an evolving threat environment would be the focus of increased legislation, regulation, and regulatory enforcement. And 2023 delivered, with both threat actors and regulators presenting new challenges for technology and legal teams. At the same time, these teams are navigating how to harness the burgeoning potential of rapidly evolving artificial intelligence applications while mitigating associated security, legal, and related risks. Amidst all of the noise, we break down below ten key developments of 2023 that contributed to an increasingly complex legal and data security landscape and prompted business leaders to increase resources and attention to bolster their defenses and ensure compliance with their growing list of legal obligations. We predict a continued flurry of activity in 2024.

FinCEN and BIS Issue Joint Notice Emphasizing That Financial Institutions Should Monitor for Possible Export Control Violations

by Jessica S. Carey, John P. Carlin, Roberto J. Gonzalez, Brad S. Karp, Richard S. Elliott, David Fein, David Kessler, Nathan Mitchell, and Jacobus J. Schutte

Top left to right: Jessica S. Carey, John P. Carlin, Roberto J. Gonzalez, Brad S. Karp, and Richard S. Elliott. Bottom left to right: David Fein, David Kessler, Nathan Mitchell, and Jacobus J. Schutte. (Photos courtesy of Paul, Weiss, Rifkind, Wharton & Garrison LLP)

On November 6, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) jointly issued a notice (the “Notice”) announcing a new Suspicious Activity Report (“SAR”) key term, “FIN-2023-GLOBALEXPORT,” that financial institutions should reference when reporting potential efforts by individuals or entities seeking to evade U.S. export controls.[1]

DOJ and FinCEN Take Coordinated Action Against Bitzlato Cryptocurrency Exchange and Its Owner

by Jessica S. Carey, John P. Carlin, Roberto J. Gonzalez, David Kessler, and Simona Xu

From left to right: Jessica S. Carey, John P. Carlin, Roberto J. Gonzalez, David Kessler, and Simona Xu.

On January 18, 2023, federal authorities in Miami arrested Anatoly Legkodymov, founder and majority owner of Bitzlato Ltd, a peer-to-peer, global cryptocurrency exchange registered in Hong Kong. Bitzlato had processed approximately $4.58 billion worth of cryptocurrency transactions since May 3, 2018.[1] Legkodymov was charged by a complaint in the Eastern District of New York (“EDNY”) with knowingly conducting a money transmitting business that transmitted illicit funds for ransomware actors in Russia and failing to implement an effective anti-money-laundering (“AML”) program. On the same day, the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) issued an order pursuant to Section 9714(a) of the Combating Russian Money Laundering Act[2] — the first one of its kind — identifying Bitzlato as a “primary money laundering concern” and prohibiting U.S. financial institutions from transacting with Bitzlato, effective on February 1, 2023 (the “Bitzlato Order”).[3] Concurrently, law enforcement authorities in Europe shut down Bitzlato’s digital platform, hosted on servers in France, seized $19.5 million of its cryptocurrency assets and arrested four more Bitzlato executives in Cyprus and Spain.[4]

Theft of Federal Funds Highlights Expanding Cyber Threat from Foreign Actors

by John P. Carlin, Jeh Charles Johnson, Jeannie S. Rhee, Steven C. Herzog, and David Kessler

From Left to Right: John P. Carlin, Jeh Charles Johnson, Jeannie S. Rhee, Steven C. Herzog, and David Kessler

The Secret Service has reported that APT41, a hacking organization, stole roughly $20 million in federal COVID-19 relief funds by obtaining access to the computer systems of a number of U.S. states beginning in mid-2020.[1]  According to the Secret Service, APT41 is a “Chinese state-sponsored, cyberthreat group that is highly adept at conducting espionage missions and financial crimes for personal gain.”[2]  While experts are uncertain regarding whether the breach by APT41 was ordered by the PRC government or merely tolerated, the Secret Service announcement marks the first public confirmation by a federal agency of a state-affiliated hacking group breaching U.S. cyber defenses to steal federal funds. According to the government, the hackers obtained unemployment insurance funds and Small Business Administration loans from more than a dozen states.[3]  The true scope of the breach remains unclear, with officials speculating that government networks in all 50 states were likely targeted.[4]  The Secret Service has further linked the APT41 intrusion to the organization’s broader efforts to access and interrogate state networks.[5]
