In August 2017, the Office of Compliance Inspections and Examinations (“OCIE”) of the Securities and Exchange Commission released the results of its second Cybersecurity Initiative, which examined cybersecurity-related preparedness and implementation efforts by 75 regulated financial entities. The resulting OCIE Risk Alert depicts an industry demonstrating heightened sensitivity to cyber risks, but also experiencing gaps between policy ambition and day-to-day execution, and confronting growing pains associated with accelerated change, including the introduction of significant new policies and procedures that may lack focus or consistent implementation. While the Risk Alert directly addresses the cybersecurity procedures of broker-dealers, investment advisers, and other SEC-regulated entities, companies in all industries should consider assessing their practices with respect to the issues highlighted by the SEC. Continue reading
In an anticipated and important decision, the Second Circuit Court of Appeals overturned a district court’s order requiring the unsealing of an independent monitor’s report detailing HSBC’s compliance with a deferred prosecution agreement. United States v. HSBC Bank USA, N.A. (Nos. 16-308, 16- 353, 16-1068, 16-1094, July 12, 2017). In so doing, the Second Circuit substantially limited a district court’s power to scrutinize DPAs, thereby following a course similarly embraced by the D.C. Circuit (as discussed in our prior memo).
In the district court, Judge Gleeson granted the joint request by DOJ and HSBC to approve the DPA, subject to the Court’s ongoing oversight of the DPA’s implementation pursuant to the Court’s asserted “supervisory authority”—a decision we discussed in our earlier memo. As part of its oversight, the Court ordered the government to file under seal an independent monitor’s report, which eventually led to a member of the public requesting access to the report. Construing that request as a motion to unseal, the Court granted the motion, finding that the monitor’s report was a “judicial document” subject to the public’s qualified First Amendment right of access. The government and HSBC appealed. Continue reading
As we have observed, in its early days, the Trump Administration has stressed its intention to maintain continuity in white-collar enforcement, including through its recent extension of the FCPA Pilot Program. Consistent with that approach, the first FCPA action under the new administration was a Pilot Program declination, closing an investigation without enforcement action other than disgorgement. Continue reading
Earlier this year, we noted that it was difficult, if not impossible, at that point to predict with confidence how the new administration might change white-collar criminal law enforcement priorities and practices. Three months later, however, some clearer signals are beginning to appear. In a pair of speeches delivered last week, on April 18 and April 20, Acting Principal Deputy Assistant Attorney General Trevor McFadden, a Trump Administration appointee, gave strong indications that the Department of Justice will continue to engage in active white-collar criminal enforcement, without substantial changes in direction from the previous administration. And in a speech yesterday, Attorney General Jeff Sessions promised continued prosecution of corporate fraud and misconduct and strong enforcement of the Foreign Corrupt Practices Act and other anti-corruption laws.
In his more detailed speeches, McFadden rejected what he called the “myth” that DOJ under AG Sessions was not interested in prosecuting white-collar crime. Continue reading
Last fall, with some fanfare, the New York State Department of Financial Services (DFS) announced proposed cybersecurity regulations. As we previously reported, in a break from prior, high-level standards, the proposed regulations shifted toward a more prescriptive approach, mandating specific policies, onerous government notification requirements, and hands-on oversight from corporate leaders. Commentators and financial industry groups pushed back during the comment period. In response, on December 28, 2016, DFS released revised regulations, which, subject to further comment, will now become effective on March 1, 2017. Continue reading
As ever-increasing cyber attacks target companies in the financial sector and beyond, financial regulators in New York and Washington, D.C. have focused their attention on cybersecurity risk. On October 19, federal banking regulators sought comments, due January 17, 2017, on enhanced cyber risk-management standards for major financial institutions. Meanwhile, the New York State Department of Financial Services (DFS) recently announced detailed regulations, requiring covered institutions — entities authorized under New York State banking, insurance, or financial services laws —to meet strict minimum cybersecurity standards. And yesterday, the Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an advisory on the reporting of cyber events under the Bank Secrecy Act. Continue reading