Tag Archives: Satish M. Kini

OFAC Extends Recordkeeping Requirements

by Satish M. Kini, Robert T. Dura, Aseel M. Rabie, Jonathan R. Wong, and Yair Strachman

Photos of authors

Left to right: Satish M. Kini, Robert T. Dura, Aseel M. Rabie, Jonathan R. Wong, and Yair Strachman (Photos courtesy of Debevoise & Plimpton LLP)

Earlier this month, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) issued an Interim Final Rule (“IFR”) to extend OFAC’s current recordkeeping requirements from five to 10 years. The IFR was published in the Federal Register on September 13, 2024, with public comments due by October 15, 2024. The new recordkeeping requirements are set to take effect on March 12, 2025.

The IFR follows amendments to the statute of limitations in the International Emergency Economic Powers Act (“IEEPA”) and the Trading with the Enemy Act (“TWEA”), two statutes that authorize many of OFAC’s sanctions programs. The new 10-year statute of limitations—codified at 50 U.S.C. §§ 1705(d) and 4315(d)—became effective on April 24, 2024, and was discussed in our Debevoise Client Update available here. In July 2024, OFAC issued guidance on how it interpreted the new statute of limitations and signaled that it also would extend its recordkeeping requirements, as we noted here.

Continue reading

DOJ National Security Division Issues First-Ever Declination Under Enforcement Policy

by Satish M. Kini, David A. O’Neil, Jane Shvets, Rick Sofield, Douglas S. Zolkind, Carter Burwell, Connor R. Crowley, and Hillary Hubley

Photos of the authors

Top left to right: Satish M. Kini, David A. O’Neil, Jane Shvets, and Rick Sofield. Bottom left to right: Douglas S. Zolkind, Carter Burwell, Connor R. Crowley, and Hillary Hubley. (Photos courtesy of Debevoise & Plimpton LLP)

Key Takeaways

  • Even in criminal national security matters, early self-reporting, remediation and cooperation can enable companies to avoid prosecution and penalties.
  • Federal enforcement agencies are continuing to collaborate in investigating and prosecuting criminal cases at the intersection of national security and corporate crime.
  • Multinational corporations and academic institutions should be aware of the risk of outsiders fraudulently affiliating themselves with legitimate institutions to skirt export control laws.

Continue reading

OFSI Publishes Updated Enforcement and Penalty Guidance

by Satish M. Kini, Jane Shvets, Karolos Seeger, and Konstantin Bureiko

Key takeaways:

  • On 8 June 2022, the United Kingdom’s Office of Financial Sanctions Implementation (OFSI) announced that its new strict liability enforcement standard and updated accompanying guidance would take effect on 15 June 2022.
  • The guidance reflects key measures in the Economic Crime (Transparency and Enforcement) Act 2022, including: the new strict liability test for imposing civil monetary penalties; changes to the review of monetary penalties; and a new ability for OFSI to publish details of breaches where it has not imposed a monetary penalty.

Continue reading

FinCEN Issues Advisory on Kleptocracy and Foreign Public Corruption

by Kara Brockmeyer, Andrew M. Levine, Satish Kini, Robert Dura, and Lily D. Vo

On April 14, 2022, the Financial Crimes Enforcement Network (“FinCEN”) released its “Advisory on Kleptocracy and Foreign Public Corruption” (the “Advisory”), directing covered financial institutions to focus their efforts on identifying the proceeds of foreign public corruption, which is a priority for the Biden administration.[1] The Advisory focuses on so-called “kleptocrats,” defined as individuals who use “their position and influence to enrich themselves and their networks of corrupt actors,” as well as other corrupt public officials who may launder the proceeds of their corruption through financial institutions.

Continue reading

Banking Regulators Finalize 36-Hour Data Breach Notification Rule

by Luke Dembosky, Avi Gesser, Satish Kini, Gregory Lyons, Johanna Skrzypczyk, Christopher Ford, Alex Mogul, and Erik Rubinstein

On November 18, 2021, federal banking regulators published a Final Rule that imposes new notification requirements on banking organizations for certain cybersecurity incidents.

Most significantly, the Final Rule requires that banking organizations notify their primary federal regulator within 36 hours after experiencing a material or potentially material cybersecurity event.

The Final Rule will go into effect on April 1, 2022, with a required compliance date of May 1, 2022.

The regulators – the Federal Deposit Insurance Corporation (“FDIC”), the Office of the Comptroller of the Currency (“OCC”) and the Federal Reserve Board (“FRB”) (together the “Agencies”) – first published a proposed rule about ten months ago, which we covered on the Data Blog. Much of the proposed rule was carried over into the Final Rule, but there are a few key differences, which we identify below.

Continue reading

The FTC’s Strengthened Safeguards Rule and the Evolving Landscape of Reasonable Data Security

by Jeremy Feigelson, Avi Gesser, Satish Kini, Johanna Skrzypczyk, Lily D. Vo, Corey Goldstein, and Scott M. Caravello

On October 27, 2021, the Federal Trade Commission (the “FTC”) announced significant updates to the Standards for Safeguarding Customer Information (PDF: 835 KB) (the “Safeguards Rule” or “Amended Rule”).  This rule, promulgated pursuant to the Gramm-Leach-Bliley Act, is designed to protect the consumer data collected by non-bank financial institutions, such as mortgage lenders and brokers, “pay day” lenders, and automobile dealerships, among many others (“subject financial institutions”).  The Amended Rule is likely to have a far-reaching ripple effect and inform the meaning of reasonable data security requirements industry-wide.  In this blog post, we highlight the Amended Rule’s more novel requirements and provide an overview of the potential impacts. 

Continue reading

OFAC and FinCEN Update Ransomware Guidance to Include New Red-Flag Indicators and Additional Sanctions Designations

by Luke Dembosky, Avi Gesser, Satish Kini, Aseel Rabie, and HJ Brehmer

On November 8, 2021, the U.S. Department of the Treasury (“Treasury”) announced a new set of sanctions against criminal ransomware actors, the virtual currency exchange Chatex and three companies providing material support and assistance to Chatex. By designating these entities, which have direct ties with the previously sanctioned SUEX OTC, S.R.O. (“SUEX”), Treasury is suggesting that it will continue to use all tools available to identify and take action against those involved in facilitating ransomware payments. 

Continue reading

OFAC’s Ransomware Advisory – How Banks Can Reduce Their Sanctions Risk for Client Cyber Ransom Payments (Part II of II)

by Luke Dembosky, Avi Gesser, Satish Kini, HJ Brehmer, and Scott Caravello

This is Part II of a two-part post. For Part I, which provides a general overview of OFAC’s updated ransomware advisory and the ways that victim companies can reduce their sanctions risks, click here.

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Asset Control (“OFAC”) released an updated advisory (PDF: 252 KB) (the “Advisory”) on the sanctions risks associated with facilitating ransomware payments. The Advisory applies to victims of ransomware attacks, as well as companies that facilitate payments to threat actors, including financial institutions. In Part 1, we discussed the Advisory generally, and ways that victim companies can reduce their sanctions risks. In this Part 2, we discuss the measures that financial institutions can adopt to mitigate their ransomware sanctions risks, and why those compliance controls differ from the steps being taken by victims.

Continue reading

OFAC’s Ransomware Advisory – Improved Cybersecurity Can Mitigate Sanctions Risk, and Other Takeaways (Part I of II)

by Luke Dembosky, Avi Gesser, Satish Kini, HJ Brehmer, and Sarah Q. Smith

This is Part I of a two-part post. For Part II, click here.

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an updated advisory (PDF: 252 KB) (the “Advisory”) on sanctions risks associated with payments to threat actors in connection with cyber ransoms. The Advisory reminds companies that all parties associated with the payment of a cyber ransom—including victims, financial institutions, insurance firms and other companies facilitating payment—are responsible for ensuring that they do not violate U.S. law and can be subject to an OFAC enforcement action if they do.

Continue reading

FinCEN Updates Guidance for Financial Institutions Regarding Hemp-Related Business Customers

by Satish M. Kini, David G. Sewell, and Justin G. Maffett

On Monday, June 29, the Financial Crimes Enforcement Network (“FinCEN”) issued guidance (PDF: 289 KB) to financial institutions, addressing Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) obligations and expectations that apply when providing services to hemp-related businesses. Although last Monday’s guidance generally supplements and amplifies the December 3, 2019 interagency statement (PDF: 75.9 PDF) (which we described in a Client Update published late last year), we wanted to share the following notes and highlights:

Continue reading