InfoBytes Blog

SEC Publishes Industry Alert on Cybersecurity

On February 3, the SEC released a set of publications – a Risk Alert and an Investor Bulletin – assessing the level of cybersecurity at broker-dealers and advisory firms and highlighting best practices that allow investors to help protect their online accounts. The Risk Alert contains observations based on examinations of more than 100 broker-dealers and investment advisers. The examinations focused on how the firms (i) identify cybersecurity risks; (ii) establish cybersecurity policies, procedures, and oversight processes; (iii) protect their networks and information; (iv) identify and address risks associated with remote access to client information, funds transfer requests, and third-party vendors; and (v) detect unauthorized activity.

SEC Privacy/Cyber Risk & Data Security

Senate Banking Committee Schedules Hearing on "Regulatory Relief"

On February 10, the U.S. Senate Committee on Banking, Housing, and Urban Affairs is scheduled to hold its first full committee hearing on financial regulation, “Regulatory Relief for Community Banks and Credit Unions.” Officials from both federal and state banking regulators will give prepared remarks.

Community Banks Bank Supervision Senate Banking Committee

New York DFS Urges CFPB to Adopt "Strong" Payday Loan Rules

On February 4, NY DFS Superintendent Benjamin Lawsky sent a letter to the CFPB urging the agency to adopt strong national rules for the payday loan industry. In his letter, Lawksy highlighted four steps the agency should consider in its drafting of rules including (i) making clear that state laws with stronger anti-payday-lending rules still apply to lenders; (ii) banning payday lenders from using “remotely created checks;” (iii) restricting the sharing of consumers’ personal information by payday lenders, lead generators and other third parties; and (iv) creating a rigorous “ability-to-repay” standard for payday loans.

CFPB Payday Lending NYDFS Agency Rule-Making & Guidance

New York DFS Revises BitLicense Framework for Virtual Currency Regulation

On February 4, New York DFS proposed revisions to its anticipated regulation of virtual currency companies. The DFS originally released a proposal on July 17, 2014, and on December 18, Superintendent Lawsky delivered remarks stating the DFS was revising its proposal to provide more flexibility to virtual currency startups. The revised proposal (i) gives DFS the option of renewing a conditional BitLicense if the virtual currency firm continues to meet operating criteria; and (ii) removes previous language stating that a firm operating a BitLicense is required to obtain addresses and transaction data for all parties to a virtual currency transaction. Regardless of the changes, virtual currency firms still must meet strict standards for consumer protection and anti-money laundering requirements.

Virtual Currency NYDFS

California Public Employees' Retirement System Settles with Credit Rating Agency

On February 3, the California Public Employees’ Retirement System (CalPERS) announced a $125 million settlement with a large credit rating agency and its parent company to resolve charges made in connection with the agency’s inflated ratings of three structured investment vehicle notes that collapsed during the financial crisis. The CalPERS settlement is separate from the DOJ’s settlement with the same credit rating agency. The state-operated retirement system will collect an additional $176 million from the State of California’s $210 million received from the DOJ settlement, for a total of $301 million.

Enforcement MBS Credit Rating Agencies

Fair Housing Organization Files Suit for Alleged Racial Bias

On February 3, the Fair Housing Justice Center (FHJC), a regional fair housing non-profit organization based in New York City, filed a complaint alleging that a large bank discriminated in its mortgage lending practices on the basis of race and national origin. According to the complaint, the organization hired nine “testers” of various racial backgrounds to inquire about obtaining a mortgage for first-time homebuyers. Specifically, the complaint claims that the bank’s loan officers (i) used neighborhood racial demographics to steer minority testers to racially segregated neighborhoods and (ii) offered different loan terms and conditions based on race or national origin. The plaintiff is seeking compensatory and punitive damages and injunctive relief to ensure compliance with fair housing and fair lending laws. FHJC et al v. M&T Bank Corp., No-15-cv-779 (S.D. NY. Feb. 3, 2014).

Mortgage Origination Fair Housing Fair Lending

Silk Road Operator Found Guilty

On February 4, a federal jury found Ross Ulbricht guilty on all seven federal charges brought against him in connection with his role in operating the Silk Road website, including narcotics and money laundering charges. According to the government, Mr. Ulbricht created, owned, and operated the website, which functioned as a criminal marketplace for illegal goods and services until the website was shut down in October 2013. This marketplace allowed individuals to sell controlled substances and illegal services, and included a Bitcoin-based payment system that allowed buyers and sellers to conceal their identities. According to Ulbricht’s attorneys, while Ulbricht did create the Silk Road, he turned over operation of the website to other individuals who eventually grew the site into the vast criminal marketplace.  Ulbricht faces a sentence of 20 years to life in prison and is scheduled to be sentenced by Judge Forrest on May 15.  Ulbricht’s attorney described the verdict as “very disappointing” and is planning to appeal. U.S. v. Ulbricht, No-14-cr-68 (S.D. NY. Feb. 3, 2014).

DOJ Virtual Currency SDNY

Buckley Sandler Celebrates 2014 Pro Bono Work

On January 30, 2015, the firm held its annual Pro Bono Recognition Reception to recognize the dedication of our attorneys and paralegals to pro bono work throughout 2014. Joseph M. Kolar, chair of the firm’s pro bono committee and head of the Kolar Foundation of BuckleySandler, which focuses its giving to support and encourage members and employees of the firm who themselves are reaching out with their time and resources to help others in need, discussed the importance of pro bono work.

“The last line of the Pledge of Allegiance is ‘with liberty and justice for all.’ ‘Justice for all’ is hard to come by if you don’t have an attorney,” Kolar said.

Kolar was joined by Lise Adams, Assistant Director of the DC Bar Pro Bono Program, who emphasized the growing need for pro bono commitments from law firms and their attorneys. She also noted that pro bono benefits extend beyond simply helping the client and doing a good deed. It also provides opportunities for professional networking and to strengthen or expand your own practice.

“Pro bono is an annual commitment,” said Adams. “It is not one and done. It is a chance to change lives, develop professionally, and fulfill your ethical obligations under the bar.”

Kolar noted that the firm met its pro bono participation goals for 2014, thanking those who put in the hours and praising the work of pro bono coordinator, Stephanie Schlatter.  He also announced the pro bono committee’s higher goals for 2015, and encouraged everyone to recognize the need and find time to contribute.  In concluding remarks, co-managing partner John Kromer added his congratulations to the awardees and confirmed the importance of, and the firm’s commitment to, a sustained  involvement in pro bono work, both through the dedicated effort of members of the firm and the financial support of the Kolar Foundation of BuckleySandler for each pro bono organization with whom we  work.

The BuckleySandler attorneys and paralegals honored for their 2014 pro bono work include:

Partners:

• Valerie Hletko
• Caitlin Kasmar
• Joseph Kolar
• Fredrick Levin
• Clint Rockwell

Counsel:

• Ryan Pollard
• Jay Williams

Associates:

• Daniel Cheriyan
• Tim Coley
• Kate Contario
• Caroline Eisner
• Katherine Katz
• Sasha Leonhardt
• Matthew Newman
• Sherry-Maria Safchuk
• Brian Wegrzyn

Regulatory Attorneys:

• Brian Bartholomay
• Derrick Dyer
• Angela Parr
• David Rivera
• Sara Ruvic
• Eloise Stewart
• Darryl Toler

Pro Bono

FinCrimes Webinar Series Recap: Individual Liability - FinCrimes Professionals in the Spotlight

BuckleySandler hosted a webinar, Individual Liability: Financial Crimes Professionals in the Spotlight, on January 22, 2015 as part of its ongoing FinCrimes Webinar Series. Panelists included Polly Greenberg, Chief, Major Economic Crimes Bureau at the New York County District Attorney’s Office, and Richard Small, Senior Vice President for Enterprise-Wide AML, Anti-Corruption and International Regulatory Compliance at American Express. The following is a summary of the guided conversation moderated by Jamie Parkinson, Partner at BuckleySandler, and key take-aways you can implement in your company.

Best Practice Tips and Take-Aways:

• Be completely transparent with senior management and your board of directors when escalating issues and concerns. Document your requests for program enhancements and management responses.
• Assure yourself that your team is up to the task at hand, adequately resourced and knows that they can escalate anything that concerns them to compliance and/or senior management/the Board.
• When considering the quality of your compliance program, be sure that your program is tested internally by your compliance function, tested again by your organization’s internal audit team, and in addition is examined every few years by external counsel/consultant.
• If confronted with management unwillingness to commit adequate headcount and resources necessary to the compliance program, serious consideration has to be given to resigning and/or reporting these deficiencies.

Significant Actions and Regulatory Statements

The discussion began by giving an overview of trends in enforcement actions in the last few decades, commenting that this topic has been simmering for a long time. In the Bank context, in the late 1980s a series of prosecutions against the Bank of New England, Shearson Lehman, and Bank Boston involved efforts to hold the institution as well as individuals liable. Largely, the government had success against the institutions on theories of collective knowledge and willful blindness but was less successful when prosecuting individuals.

In the brokerage context, the SEC has brought recent actions as part of the Compliance Program Initiative, including charges against compliance personnel when they were clearly responsible for the failure to adopt or implement adequate compliance programs. The SEC has signaled that it will take action against compliance officers if:

• They actively participated in misconduct;
• They helped mislead regulators; or
• They have clear responsibility to implement compliance programs or policies and wholly failed to carry out that responsibility.

Then identified recent enforcement actions taken against board members, including Pacific National Bank involving a failure to remedy deficiencies in that institution’s BSA program. In the Pacific National Bank case, the OCC levied individual fines against the bank’s chairman and three board members who served on its BSA compliance committee for failing to act in their official capacities to correct the failures.

Finally, identified remarks made by three key regulators at the November 2013 ABA/ABA and the March 2014 ACAMS conferences. These speeches reflect clear statements with respect to the government’s intention to hold individuals personally liable when the facts warrant. The remarks were made by:

• Jim Cole (Deputy Attorney General, retired Jan. 8, 2015)
• Thomas Curry (Comptroller of the Currency)
• Jennifer Shasky Calvery (Director, FINCEN)

Mr. Small then gave an overview of two significant enforcement actions that involved individual liability. The first case, Brown Brothers Harriman, was brought by FINRA in early 2014 and arose from penny stock transactions executed by the firm through an omnibus brokerage account structure. While the case resulted in an $8 million fine for Brown Brothers, the firm’s Global AML Compliance Officer, Harold Crawford, was also the subject of the enforcement action and was fined $25,000 and barred from working in a compliance function for one month. Crawford’s personal liability was premised on his alleged failure to effectively monitor suspicious activity and to report it as required. Mr. Small pointed out that there were references in the case to an internal Brown Brothers’ memorandum that was developed by their compliance group that cited the increase in potentially suspicious activity and recommended stopping the trades and discontinuing the omnibus brokerage structure that had been used to carry out the transactions. This memo was written in November 2011, and was not acted upon prior to FINRA’s action. Mr. Small observed that the Brown Brothers case was the first time that action was taken against an AML compliance officer for failures in the AML compliance program at their company. He further observed that the case raises the question of what a compliance officer should do if they are raising issues, but not receiving resources from management to address those issues.

The second action Mr. Small discussed, MoneyGram, also involved individual liability for a compliance officer. There, FINCEN and DOJ took joint action against MoneyGram related to a significant number of transactions initiated by MoneyGram that were connected to various fraud schemes. FINCEN and DOJ alleged that MoneyGram received a significant number of complaints from consumers but took no action to address them. FINCEN issued a $1 million civil money penalty against Thomas Haider, who served as ManeyGram’s Chief Compliance Officer from 2003-2008. DOJ filed a complaint to enforce the penalty and also seeking to bar Haider from employment in the financial services industry.

When asked how this case might bear on the design of a Financial Crimes compliance program, Mr. Small commented that it was his personal opinion that this case could be read as counseling against integrating an institution’s BSA compliance function with other functions, such as fraud monitoring if the compliance officer lacks the expertise or full authority over the integrated areas. For example, Mr. Haider had responsibility for performing due diligence on agents, terminating agents, and identifying fraud, in addition to suspicious activity monitoring and SAR filing. The first two of these tasks were ones over which he may not have had full authority and as to the fraud area one in which he lacked the expertise to properly oversee. The panelists agreed that while an institution’s compliance function must have unfettered access to the institution’s data, it is important that the compliance function does not take on responsibilities outside of its area of expertise.

Theories of Individual Liability

Ms. Greenberg then discussed the different theories that can be used to find individual liability. She emphasized that the underlying basis of criminal liability is criminal knowledge and intent to do a particular act. Ms. Greenberg explained that it can be easier to find liability for a corporation due to the theory of collective knowledge. Under this theory, the knowledge of the corporation’s employees is imputed to the corporation, and the corporation is bound by this collective knowledge. So, while no single employee might possess sufficient knowledge to support individual liability, numerous individuals’ knowledge may be combined and imputed to the corporation and this collective knowledge may be sufficient to hold the corporation liable.

Ms. Greenberg also discussed the theory of willful blindness, which is primarily used under federal law. Under this theory, an individual has a subjective belief that there is a high probability that a fact exists but avoids learning whether the fact actually exists. Ms. Greenberg also pointed out that there is a similar concept under New York law called conscious avoidance.

Finally, Ms. Greenberg discussed the considerations taken into account in assessing whether it is appropriate to charge an individual in the corporate crimes context. Initially, authorities must consider whether there was criminal intent and whether that intent can be proven. They must also consider whether they can prove the level of knowledge required by the relevant statute, such as, knowingly, intentionally, or willfully. After deciding that there is probable cause to believe an individual had the required intent, Ms. Greenberg explained that the authority will then consider various factors in exercising prosecutorial discretion. In deciding whether to charge an individual in the corporate crime context, fairness is given much consideration. Ms. Greenberg observed that charging higher-level employees in this context may be more common than charging lower-level employees because higher-level employees bear more responsibility for the corporation and play a much larger role in influencing the corporate culture.

Considerations for Compliance Professionals

The panelists noted that it is very important for compliance professionals to have their areas of responsibility clearly defined, and to ensure that they have the control and expertise to manage these areas appropriately, as well as sufficient resources to carry out the compliance program effectively. It was pointed out that the areas most often associated with institutional and individual liability include:

• Failures in the culture of compliance within the organizations;
• Inadequate resources committed to BSA compliance;
• Weaknesses in the organization’s technology and transaction monitoring processes; and
• Inadequacies in the quality of risk management.

Mr. Small stressed the importance of being transparent with senior management and the board of directors when faced with a lack of resources, commenting that it is important to discuss the issue, listen to any proposed alternatives, and take a stance on what the best solution is. The panelists stressed the importance of documenting your requests and the responses and agreed that such documentation can be important to enforcement authorities in deciding whether to charge individuals. The panelists agreed that the trend towards increased individual liability could result in increased SAR filings. IT was suggested that it may be safer to file a SAR when in doubt but defensive SAR filing should be avoided if possible. He noted too that it is very important to thoroughly document decisions not to file.

Anti-Money Laundering SEC Bank Secrecy Act Financial Crimes

Digital Insights & Trends: What Keeps You Up At Night - Data INsecurity

We’re still wide awake, focusing on what keeps us (and our financial institution clients) up at night. Let’s pick up where we left off following our December webinar, but this time address data INsecurity from the perspective of its “other” victims, i.e., consumers. Last months’ webinar reviewed the benefits of risk-based approaches to organizational cybersecurity frameworks and identified potential obstacles to their achievement. Today, we’re thinking about another risk of cybersecurity breakdowns – the loss of consumer confidence. This risk threatens companies as surely as the regulatory, media and legal fallout.

Despite the proliferation of data breach notification and consumer financial privacy laws, data-breach-fueled identity theft is increasing. A recent report of the National Consumers League & Javelin Strategy reveals that consumer fraud victims don’t discriminate between business organizations and financial institutions when assigning blame for data breaches. Rather, they avoid doing business with all organizations involved. Ironically, nearly one-third of fraud victims take no action to prevent further fraud, even when they’ve been notified that their data has been compromised. The majority of consumer victims, according to the NCL/Javelin report, say both businesses and FIs should be held accountable, and want to be able to sue the breached companies. An even greater majority think the federal government should protect them -- and lawmakers are listening. Senator Amy Klobuchar (D-MN), for example, favors a national security breach notification law.

Financial institutions are between a rock and the proverbial hard place. Compromised financial information results in greatly increased fraud against affected consumers. However, many consumers don’t take action to prevent a breach from escalating into further incidents of fraud. (Partly, this results from lack of faith in the effectiveness of solutions like credit monitoring, and partly, consumers don’t know where to go for help.) Some consumers contact law enforcement or government agencies, but many simply avoid patronizing the companies involved as a result of diminished trust. An overwhelming number of victims believe the right course is action against companies where their information was breached.

Trust lost is hard to regain. Data breach responses are key to effective enterprise risk management, not only because of legal and enforcement risk, but because consumer loyalty, and its loss, have real, tangible, operational and financial consequences. In an effort to bolster consumer trust, companies should: be transparent in communicating their practices and controls with respect to the management and use of data; and provide guidance to their customers on actions that can be taken to protect their own data.

Note: Information in this article is based in part on the “Consumer Data Insecurity Report” produced by Javelin Strategy & Research (2014).

Risk Management Digital Insights and Trends Privacy/Cyber Risk & Data Security