As we prepare for a full schedule of events in 2024, the NYU School of Law Program on Corporate Compliance and Enforcement (PCCE) is taking a moment to reflect on our busy Fall 2023 program. In this post, we review our November 17, 2023 full day conference on Security, Privacy, and Consumer Protection.
(©Hollenshead: Courtesy of NYU Photo Bureau)
On November 17, 2023, the NYU Law Program on Corporate Compliance and Enforcement (PCCE) hosted a standing-room-only full-day conference on Security, Privacy, and Consumer Protection. The conference addressed issues such as managing effective cybersecurity and privacy compliance programs, the use of “dark patterns” to manipulate consumer choices, and whether privacy regulation and enforcement actions actually prompt firms to update their privacy policies. A full agenda of the conference, along with speaker bios, is available here. In this post, several participants from the panel titled The NYDFS Cybersecurity Rule Amendments and Their Implications for Firms Beyond the Financial Sector share further thoughts on the issue.
Left to right: Justin Herring, Matthew Levine, Cheryl James, Edward Stroz, and Alexander Southwell (Moderator)(©Hollenshead: Courtesy of NYU Photo Bureau)
by Alicyn Cooley and Matthew Levine
The approach of the Biden Justice Department to corporate and financial crime continues to emerge—or re-emerge. Corporations with federal criminal exposure must now, again (PDF: 463 KB), provide information on all individuals responsible for misconduct in order to receive cooperation credit from the Department of Justice. And corporations which resolve that exposure pursuant to Deferred Prosecution Agreements (DPAs) or Nonprosecution Agreements (NPAs) with DOJ will also now face the increased likelihood of independent monitorships—the use of which waned considerably in recent years, even before the Trump administration explicitly discouraged imposing them in 2018 (PDF: 4.9 MB).
In keynote remarks delivered yesterday at the American Bar Association’s National Institute on White Collar Crime, Deputy Attorney General Lisa Monaco announced these and other new DOJ policies and initiatives, all of which are reminiscent of the Obama Administration’s approach to corporate criminal enforcement. In particular, companies and practitioners should take note of DOJ’s stated commitments to: (1) equipping prosecutors with more information and tools—including monitors—to root out corporate crime and ensure corporations comply with the law and the requirements of their agreements with DOJ; (2) proactively using data accumulated about past corporate resolutions, including taking into account corporations’ full criminal and regulatory histories; and (3) standardizing approaches to corporate enforcement across DOJ and the U.S. Attorneys’ Offices.
In a prior blog post we discussed the important question of whether certain regulators – especially the SEC – have undercut effective compliance programs by sending mixed signals about when a Chief Compliance Officer should be held personally liable for the actionable compliance deficiencies of his or her firm.[1] Two important developments have occurred since then: (a) the issuance of an industry-side framework identifying factors that should be evaluated by the SEC in deciding whether to bring charges against a CCO; and (b) a recent SEC enforcement action against the CCO of an investment advisory firm based only on a finding of negligence. The SEC’s action in particular leaves open a number of consequential questions for industry participants.
Our prior post noted the report issued by the New York City Bar Association (“NYCBA”) Compliance Committee in February 2020 (“Report on Chief Compliance Officer Liability in the Financial Sector”), which recommended that regulators provide formal guidance about when it is appropriate to bring an enforcement action against a compliance officer.[2] Subsequently, in October 2020 SEC Commissioner Hester Peirce embraced this recommendation, going further to suggest that she might develop such a “draft framework” on her own to share with SEC colleagues. No meaningful word has yet emerged from Commissioner Pierce or the SEC on this topic since then.
Continuing its focus on consumer protection enforcement, the New York State Department of Financial Services (“DFS”) recently announced an investigation into alleged price spikes for six drugs connected to treatments of COVID-19 medical conditions.[1] According to DFS, its newly-formed Office of Pharmacy Benefits (“OPB”) commenced the investigations under Insurance Law § 111 into what it characterizes as “anomalously large spikes” in the prices of the six drugs, occurring since the onset of the COVID-19 pandemic. These medications are Ascor, Budesonide, Dexonto, Mytesi, Duramorph and Chloroquine phosphate, each of which has some actual or claimed therapeutic use for COVID-19 conditions.
Continuing its focus on consumer protection enforcement, the New York State Department of Financial Services (“DFS”) recently announced an investigation into alleged price spikes for six drugs connected to treatments of COVID-19 medical conditions.[1] According to DFS, its newly-formed Office of Pharmacy Benefits (“OPB”) commenced the investigations under Insurance Law § 111 into what it characterizes as “anomalously large spikes” in the prices of the six drugs, occurring since the onset of the COVID-19 pandemic. These medications are Ascor, Budesonide, Dexonto, Mytesi, Duramorph and Chloroquine phosphate, each of which has some actual or claimed therapeutic use for COVID-19 conditions.
Although regulators often seek to empower compliance officers within their institutions, a troubling question lingers as to whether regulators are undercutting this important message by simultaneously sending mixed or unrefined signals about when a Chief Compliance Officer should be held personally liable for the compliance failings of his or her firm. The director of the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations recently urged investment firms to empower Chief Compliance Officers (CCOs), saying, “The CCO is not there to fill out irrelevant paperwork or serve as a scapegoat for the firms’ failings. A firm’s compliance department should be fully integrated into the business of the [regulated entity] for it to be effective.” Continue reading
The New York Department of Financial Services (“NYDFS”) recently sanctioned Deutsche Bank (“DB”) $150 million for BSA/AML deficiencies. According to the regulator’s factual findings, the compliance failures arose in connection with the bank’s private wealth relationship with Jeffrey Epstein, and correspondent banking relationships with Danske Bank Estonia (“Danske Estonia”) and FBME Bank (“FBME”), both located in Eastern Europe.
This latest enforcement action (PDF: 1.62 MB) against DB follows several others issued against the bank by NYDFS since 2015, including for improper conduct arising from LIBOR manipulation, sanctions violations, improper foreign exchange trading practices, and BSA/AML deficiencies in connection with money laundering arising out of equity trades at its London and Moscow branches.
The New York State Department of Financial Services (“NYDFS”) recently issued an enforcement action against the Industrial Bank of Korea (“IBK”) for violations of New York’s anti-money laundering and recordkeeping obligations. It is the first of either of these types of BSA/AML enforcement actions issued by the Department in some time; this is not surprising, given that NYDFS, like other regulators, has been consumed with responding to the COVID-19 pandemic. Continue reading
The Fraud Division of the U.S. Justice Department unsealed an indictment recently that charged three traders associated with a global U.S.-based bank with a racketeering conspiracy that involved alleged manipulation of the precious metals markets through “spoofing.” The indictment alleges numerous specific instances of spoofing, over an approximately eight-year period, intended to improperly affect prices for precious metals and related options. The U.S. Commodity Futures Trading Commission filed a parallel civil action against the three traders as well, likewise charging violations of commodities law reflecting attempts at market manipulation.
In announcing these charges, the head of DOJ’s Criminal Division, Brian Benczkowski, said this prosecution demonstrated the results of DOJ’s and the FBI’s increasing use of data analytics to develop prosecutorial leads. Speaking to reporters, Benczkowski said that he “expect[ed]to use it more in looking at other financial products and other trading behavior at desks at major financial institutions.” He emphasized that “[t]his is the type of case and the use of data that we expect to become the norm in the Criminal Division in the future.” Continue reading