Corporate Compliance

1. News

1.1. Data Privacy

1.1.1. Compliance Areas

1.1.1.1. International Data Transfer

1.1.1.1.1. "Schrems II"

1.1.1.1.2. Brexit and EU-UK Adequacy Decision

1.1.1.1.3. PRC Restrictions on Outward Transfers

1.1.1.2. Cookies

1.1.1.2.1. GDPR

1.1.1.2.2. CCPA

1.1.1.2.3. Main Challenge

1.1.1.3. Employee Monitoring

1.1.1.3.1. (October 13, 2020) EC/Amazon

1.1.1.4. HIPAA

1.1.1.4.1. Regulatory Developments

1.1.1.4.2. Enforcement/Litigation

1.1.1.4.3. Hot Topics

1.1.1.4.4. Trends

1.1.1.5. GDPR

1.1.1.5.1. Extraterritorial Application

1.1.2. Compliance Programs

1.1.2.1. General

1.1.2.1.1. Tips from AI Compliance

1.1.2.1.2. "Dynamic DSARs"

1.1.2.1.3. Compliance Toolkit from Belgian DPA

1.1.2.1.4. Tips on Identity Management Strategies

1.1.2.2. CCPA

1.1.2.2.1. Risks of "Service Provider" Approach

1.1.3. Legislation Tracker

1.1.3.1. U.S.

1.1.3.1.1. Federal

1.1.3.1.2. State

1.1.3.2. Global

1.1.3.2.1. China

1.1.4. Enforcement and Litigation

1.1.4.1. GDPR

1.1.4.1.1. (December 2020) Google RTBF Case (Swedish Court)

1.1.4.1.2. Top Five Fines from 2020

1.1.4.2. HIPAA

1.1.4.3. FTC

1.1.4.4. Privacy Shield

1.1.4.4.1. (October 2020) Amazon

1.1.5. Emerging Technology

1.1.5.1. AI

1.1.5.1.1. Can look for inspiration from privacy frameworks, principles, assessments and design principles to create something similar for the AI domain.

1.1.5.1.2. GAO Report on AI in Healthcare

1.1.6. Events and Opportunities

1.1.6.1. Helsinki Information Law Moot

1.1.6.2. Bitkom Privacy Conference 2020

1.1.7. Thought Pieces and Opinions

1.1.7.1. What U.S. companies can learn from GDPR enforcement

1.1.7.1.1. Even if not covered by GDPR, U.S. companies should learn from GDPR enforcement cases (might be a harbinger of future U.S. legislation and enforcement).

1.1.7.1.2. Three areas to watch: overretention of PI; biometric technology in workplace; unexpected collection of PI on mobile devices

1.1.7.2. Will the EU become an information island?

1.1.7.3. Why placing a price tag on personal data may harm consumer privacy

1.1.7.4. Why demonstrable accountability matters

1.1.7.5. "Structured" vs. "Unstructured" Data

1.1.7.5.1. "Structured"=represented inside a system in a strict, field-based format (e.g., a database)

1.1.7.5.2. "Unstructured"=stored in a disorderly or unregulated way (e.g., free form text found in workplace chat document or Word document)

1.1.7.5.3. Generally much easier for privacy teams to work with structured data

1.1.7.5.4. "For most privacy teams, unstructured data stands in the way of being automated and fully privacy compliant across their privacy program. Many companies find the task so daunting that they are pushing it to the background or working through inefficient manual searches. But that’s part of a false option that exists in the market today. If you are a large company that wants to get to more efficient and resource-light privacy compliance, you need the ability to handle unstructured data with automation — and the tools exist to do so."

1.1.7.5.5. Why some data subject request services create compliance concerns

1.2. Export Compliance

1.2.1. Sanctions and Trade Embargoes

1.2.1.1. Policy Updates

1.2.1.1.1. Cuba

1.2.1.1.2. Venezuela

1.2.1.1.3. Russia

1.2.1.1.4. Iran

1.2.1.1.5. Terrorism

1.2.1.1.6. China/HK

1.2.1.1.7. Secondary Sanctions

1.2.1.1.8. Other

1.2.1.2. Enforcement Actions

1.2.1.2.1. (September 24, 2020) Keysight

1.2.1.2.2. (April 2020) Industrial Bank of Korea (IBK)

1.2.1.2.3. (May 2019) State Street Bank and Trust Co. (SSBT)

1.2.1.2.4. (April 2019) Standard Chartered Bank

1.2.1.2.5. (April 2019) UniCredit Group

1.2.1.2.6. (2018, 2019) Halkbank

1.2.2. EAR Updates

1.2.2.1. "Military end use/user rules (MEU)"

1.2.2.2. China/HK

1.2.2.2.1. (June 30, 2020) HK National Security Law

1.2.2.2.2. Huawei

1.2.2.2.3. SMIC

1.2.2.3. Emerging Technologies

1.2.2.3.1. (October 6, 2020) BIS finalized export controls on six recently developed or developing technologies that are essential to the national security of the United States

1.2.2.4. IT Export Controls

1.2.2.4.1. (October 2020) Changes re: Telecoms and InfoSec

1.2.2.5. Foreign Direct Product Rule

1.2.3. ITAR Updates

1.2.4. Compliance Tips

1.2.4.1. Five Steps to Implementing a SCP

1.2.4.1.1. 1. Senior management adoption of a trade compliance policy

1.2.4.1.2. 2. Risk assessment and supply chain audit

1.2.4.1.3. 3. Screening technology and internal controls

1.2.4.1.4. 4. Annual training

1.2.4.1.5. 5. Periodic audits and monitoring

1.3. AML

1.3.1. Enforcement Actions

1.3.1.1. (May 2021) GWFS Equities

1.3.1.1.1. SEC imposed a $1.5 million monetary penalty against broker-dealer for its alleged violations of the BSA due to its claimed failure to file SARs when it was required to do so, and because certain filed SARs were inadequate.

1.3.1.1.2. The suspicious activity at issue involved primarily so-called “account takeovers” by cyber criminals, which is of course a growing and pernicious threat.

1.3.1.1.3. Even though GWFS has a sophisticated, robust AML program, it still messed up (297 inadequate reports over 3 year period)

1.3.1.1.4. It is not enough to just have a compliance program in place. Broker-dealers should ensure that their compliance staff is well-trained and reports suspicious activity through the issuance of SARs that, at a minimum, contain the five essential elements.

1.3.1.1.5. In the end, and importantly, GWFS received a reduced monetary penalty imposed against it due to its significant remedial measures, including, but not limited to, implementing new SAR drafting procedures, increasing the size and experience of its AML compliance team, and restructuring its SAR process to ensure greater quality control.

1.3.1.2. (October 2020) BitMEX

1.3.1.2.1. The Bitcoin Mercantile Exchange, or BitMEX, is a large and well-known online trading platform dealing in futures contracts and other derivative products tied to the value of cryptocurrencies.

1.3.1.2.2. Recently, the Commodity Futures Trading Commission (“CFTC”) filed a civil complaint against the holding companies that own and operate BitMEX, incorporated in the Seychelles, and three individual co-founders and co-owners of BitMEX for allegedly failing to register with the CFTC and violating various laws and regulations under the Commodity Exchange Act (“CEA”).

1.3.1.2.3. The 40-page complaint alleges in part that the defendants operated BitMEX as an unregistered futures commission merchant and seeks monetary penalties and injunctive relief.

1.3.1.2.4. The indictment is unusual because it charges a rare criminal violation of Section 5318(h) – the general requirement to maintain an adequate AML program

1.3.1.3. (March 2021) Binance

1.3.1.3.1. CFTC has opened an inquiry into Binance Holdings Ltd. (“Binance”) to investigate allegations that the exchange allowed US citizens to trade in cryptocurrency derivatives, without properly registering with the CFTC.

1.3.1.4. (March 2020) U.S. Bank

1.3.1.4.1. FinCEN issued a $450,000 civil penalty against the former Chief Operational Risk Officer at a major U.S. bank for allegedly ignoring red flags of deficiencies in the bank’s BSA/AML program. The OCC also issued a $50,000 penalty.

1.3.1.4.2. U.S. Bank used automated transaction monitoring software to spot potentially suspicious activity, but it improperly capped the number of alerts generated, limiting the ability of law enforcement to target criminal activity. In addition, the bank failed to staff the BSA compliance function with enough people to review even the reduced number of alerts, enabling criminals to escape detection.

1.3.2. Legislative Initiatives

1.3.2.1. BSA/AML Reform Legislation

1.3.2.1.1. (December 2020) Released by committees in House and Senate, but subject to potential veto

1.3.2.1.2. Although the change that has (appropriately) received the most attention is the CTA’s requirement for the reporting of beneficial ownership to a national database by entities at the time of their creation, the NDAA includes a huge array of other changes, including expanding the stated purpose of the BSA (which will have ripple effects on future regulation and examination priorities); requiring numerous process-related studies tied to the effectiveness and costs of certain BSA requirements, including SAR and CTR reporting (many of these studies may lead to additional, future substantive regulation or legislation); enhancing penalties under the BSA for repeat offenders; provisions designed to enhance information sharing; adding a whistleblower provision to the BSA; including dealers in antiquities to the definition of “financial institutions” covered under the BSA (and requiring an assessment of also including art dealers within that definition); and including digital currency in the BSA’s definition of “coins and currency.”

1.3.3. Topics

1.3.3.1. Ransomware

1.3.4. Practical Compliance

1.3.4.1. The 2020 Basel AML Index

1.3.4.1.1. Established in 2003, the Basel Institute is a not-for-profit Swiss foundation dedicated to working with public and private partners around the world to prevent and combat corruption, and is an Associated Institute of the University of Basel.

1.3.4.1.2. One of several online tools developed by the Basel Institute to help both public- and private-sector practitioners tackle financial crime. The Index is a research-based ranking that assesses countries’ risk exposure to money laundering and terrorist financing.

1.4. Anti-Bribery and Corruption

1.4.1. Enforcement Actions

1.4.1.1. (January 2021) Deutsche Bank

1.4.1.1.1. Deutsche Bank settled FCPA and fraud cases with the Justice Department and the SEC, and agreed to pay a total of $130 million. The settlement included resolution of fraud charges against Deutsche Bank relating to a commodities fraud scheme, commonly referred to as “spoofing.”

1.4.1.1.2. (FCPA Case) Between 2009 and 2016, Deutsche Bank conspired to violate the FCPA books and records provisions to conceal payments to Business Development Consultants (BDCs), misrepresented the purpose of payments to BDCs, and falsely characterized payments to others as payments to BDCs. In addition, Deutsche Bank employees conspired to fail to implement internal accounting controls by not conducting due diligence regarding BDCs, making payments to BDCs who were not under contract, and making payments to BDCs without invoices or adequate documentation of services actually performed.

1.4.1.2. (December 2020) Vitol Inc.

1.4.1.2.1. DOJ announced that Vitol Inc., the U.S. affiliate of the Vitol group of companies, which together form one of the largest energy trading companies in the world, agreed to resolve a net $90 million FCPA enforcement action for conduct in Brazil, Ecuador and Mexico.

1.4.1.3. (August 2020) Herbalife

1.4.1.3.1. Corrupt payments to obtain licenses in China

1.4.1.3.2. Covered up by falsifying books and records, which misled investors

1.4.1.4. (June 2020) Novartis

1.4.1.4.1. Limited resolution

1.4.1.4.2. Schemes to make improper payments or to provide benefits to public and private healthcare providers in South Korea, Vietnam, and Greece in exchange for prescribing or using Novartis or Alcon products

1.4.1.5. (January 2020) Airbus

1.4.1.5.1. Largest combined cross-border settlement in history (FCPA and ITAR)

1.4.1.5.2. Shows ability of DOJ to coordinate resolutions (domestic and foreign)

1.4.1.5.3. Shows willingness and ability to respect the equities of foreign authorities

1.4.1.5.4. The FCPA charge arose out of Airbus’s scheme to offer and pay bribes to foreign officials, including Chinese officials, in order to obtain and retain business, including contracts to sell aircraft. The AECA charge stems from Airbus’s willful failure to disclose political contributions, commissions or fees to the U.S. government, as required under the ITAR, in connection with the sale or export of defense articles and defense services to the Armed Forces of a foreign country or international organization.

1.4.1.6. (January 2019) ICBL

1.4.1.6.1. EDNY

1.4.1.6.2. Minister of Industry in Barbados, convicted for laundering 36K in bribes received from ICBL (ins. co.)

1.4.1.6.3. ICBL CEO and VP charged

1.4.1.6.4. Shows willingness to take tough cases to trial

1.4.1.7. "Smaller" Cases

1.4.1.7.1. Provide important lessons

1.4.1.7.2. Focus on Book and Records and Internal Controls Cases

1.4.1.7.3. Corporate Hospitality

1.4.2. Case Law

1.4.2.1. "Hoskins" and "McDonald"

1.4.3. Biden Memo

1.5. Compliance Tips and Discussions (General)

1.5.1. Applying privacy law in 3 dimensions: How to focus on solutions and maximize value

1.5.2. Dynamic Risk Governance: Linking Strategy and Risk Management | Corporate Compliance Insights

1.5.3. Susan Roberts on Creating a Compliance Book

1.5.3.1. Written, comprehensive description/demonstration of compliance program

1.5.3.2. Document what you do and why

1.5.3.3. Helpful to management and employees

1.5.3.4. "Living and Evolving"

1.5.3.5. Something to show gov't

1.5.3.6. "Prove" how program works (credible, effective)

1.5.3.7. Book based on government guidance (essential elements of disparate programs)

1.5.3.8. Screenshots help

1.5.3.9. Digital links to policies help

1.5.3.10. Internal roadmap that identifies areas to improve ("self-assessment")

1.5.4. Insights on Compliance Training

1.5.5. Role of "Gatekeepers"

1.5.6. Incorporating "Smart Tech" into Compliance Programs

1.5.6.1. Key takeaway: DOJ emphasizes importance of compliance team having access to data-->can use tech. to generate insights on how people are using the program

1.5.7. "Connected Compliance Dialogs"

1.5.8. Strategies for Achieving Compliance while Controlling Costs

1.5.9. When to Appoint Corporate Monitors

1.5.9.1. AAG Brian Benczkowski’s 2018 memo on selecting corporate monitors states that one should only be imposed when there’s a “clear benefit” of doing so. And yet there was none imposed on the Goldman Sachs case.

1.5.10. Record Retention Strategies

1.5.11. Why Leading Organizations Adopt IRM Over GRC

1.5.12. Change, Compliance Bots, and Why a Career in Risk Is Indefinitely Rewarding

1.5.13. How do you 'market' your compliance program?

1.6. Career Advice, Networking, etc.

1.6.1. Jim Passey on Setting Career Goals [Podcast] - The Compliance and Ethics Blog

2. Compliance Programs

2.1. General

2.1.1. Structure and Management

2.1.1.1. Fostering a "Culture of Compliance"

2.1.1.1.1. Definition of CoC:

2.1.1.1.2. Key Points:

2.1.1.1.3. Organizational Culture and Governance

2.1.1.1.4. Communication and Awareness, Education and Training

2.1.1.1.5. Incentives and Reporting and Escalation

2.1.1.1.6. Technology and Resources

2.1.1.2. Independence/Authority

2.1.1.2.1. Effective Positioning of the Chief Compliance Officer ("CCO")

2.1.1.2.2. To whom does the E&C officer report? (Board, GC, Head of Audit, CEO)?

2.1.1.2.3. What function does the E&C Officer sit in? Is the E&C Officer a lawyer or nonlawyer?

2.1.1.2.4. Can the E&C officer be hired or fired without Board approval? Who makes those decisions?

2.1.1.2.5. What is the E&C Officer’s title? Seniority? Is it a C Suite level position?

2.1.1.2.6. What resources does the E&C Officer have? Personnel? Budget?

2.1.1.3. Leveraging Relationships

2.1.1.3.1. Collaboration/partnership with other functions to minimize organizational risk

2.1.1.3.2. Relationship b/t compliance and other functions

2.1.1.4. Leaders, Comms, Liaisons

2.1.1.5. Helping the Board Support a Robust Program

2.1.1.5.1. Best practices in Board Oversight and Support

2.1.1.6. Reporting to the Board

2.1.1.7. Escalation Protocols

2.1.2. DOJ Guidelines

2.1.2.1. History

2.1.2.1.1. Thirty year dialogue between government and industry

2.1.2.1.2. "Holder Memo" (1999) + Series of Subsequent Memos

2.1.2.2. General Approach

2.1.2.2.1. Compliance program as "living, breathing organism" that continues to evolve

2.1.2.2.2. Beyond a "checkbox approach"

2.1.2.3. Key changes in updated guidelines

2.1.2.3.1. Access to big data

2.1.2.3.2. Third party risk

2.1.2.4. Best Practices

2.1.2.4.1. Prioritize: Start by focusing on 2-3 projects to attack 2-3 biggest risks

2.1.2.4.2. Start with "controls"

2.1.2.4.3. Use guidelines for "internal messaging"

2.2. Area-Specific

2.2.1. Sanctions

2.2.2. Trade Control across Industries

2.2.2.1. Examples of Program Structures:

2.2.2.1.1. Shell:

2.2.2.1.2. Microsoft:

2.2.2.1.3. Medtronic:

2.2.2.2. Role of Technology/People:

2.2.2.2.1. Microsoft:

2.2.2.2.2. Medtronic:

2.2.2.3. Interaction of Legal and Compliance:

2.2.2.3.1. Lawyers as interpreters of legislation

2.2.2.3.2. Compliance professionals operationalize that advice and guidance

2.2.3. Health Data

2.2.4. U.S. Privacy Program Development

2.2.5. Global Privacy Program Development

2.2.5.1. General Advice:

2.2.5.1.1. Take global approach

2.2.5.1.2. Role of privacy officer:

3. Overview

3.1. What is "Corporate Compliance"?

3.1.1. A system both for detecting wrongdoing by employees and giving content and effect to ethical norms that aim to reduce risks identified by the company.

3.1.2. Addresses many subject areas:

3.1.2.1. Financial Management and Reporting

3.1.2.2. AML

3.1.2.3. Data Privacy

3.1.2.4. Exports

3.1.2.5. Cybersecurity

3.1.2.6. Employment Discrimination

3.1.2.7. Corruption Risks

3.1.2.8. Health, Safety, and Environmental

3.1.2.9. Tax

3.1.2.10. Antitrust

3.2. Historical Context

3.2.1. Thirty year dialogue between government and industry

3.3. Examples of Compliance Guidelines

3.3.1. U.S.

3.3.1.1. U.S. Department of Justice (DOJ) Criminal Division

3.3.1.1.1. Principles of Federal Prosecution of Business Organizations

3.3.1.1.2. United States Sentencing Guidelines

3.3.1.1.3. DOJ and U.S. Securities and Exchange Commission (SEC) Foreign Corrupt Practices Act (FCPA) Resource Guide

3.3.1.1.4. 2020 Evaluation of Corporate Compliance Programs

3.3.1.2. U.S. DOJ Antitrust Division

3.3.1.2.1. 2019 Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations

3.3.1.3. U.S. SEC

3.3.1.3.1. 2001 Seaboard Report of Investigation

3.3.1.4. U.S. Departments of State and Commerce

3.3.2. Global

3.3.2.1. 2010 U.K. Bribery Act Guidance

3.3.2.2. 2015 Brazilian Office of the Comptroller General Guidance

3.3.2.3. Organisation for Economic Co-operation and Development (OECD)

3.3.2.3.1. 2010 “Good Practice Guidance on Internal Controls, Ethics, and Compliance”

3.3.2.4. As a general matter, U.S. and global corruption focused guidelines can be a starting place for any compliance program.

3.3.2.4.1. 2020 SFO Handbook – “Evaluating a Compliance Programme”

3.4. Helping Your Program Resonate Globally

3.4.1. Here, "globally" means geographically as well as across functions, business areas

3.4.2. General frameworks for all programs are similar enough that you can design global programs, supplemented by local "soft law" (non-governmental guidance)

3.4.3. Start with general framework, then build out to match local conditions

3.4.4. Principles we are familiar with in U.S. apply globally

3.4.4.1. Individualized risk assessments

3.4.4.2. Appropriate training

3.4.4.3. Discipline (limited by local law)

3.4.4.4. Data capture and analysis

3.4.5. Combine concepts from U.S. regulatory guidance with local soft law to expand reach of existing compliance program

3.4.5.1. Signals to foreign regulators that risk is being appropriately localized.

3.4.5.2. Signals to foreign regulators that compliance programs are dynamic and well thought out

3.4.6. Soft Law Guidelines

3.4.6.1. “Soft law” can help fill out compliance programs to make them risk appropriate.

3.4.6.2. Soft law includes quasi-legal instruments like voluntary frameworks and industry guidance.

3.4.6.2.1. Particularly useful for rapidly developing technologies

3.4.6.3. Examples:

3.4.6.3.1. National Institute of Standards and Technology (NIST)

3.4.6.3.2. International Organization for Standardization (ISO)

3.4.6.3.3. Japan’s “General Framework for Secure IoT Systems"

3.5. General Compliance Tips

3.5.1. Promote a culture of compliance that starts at the top.

3.5.1.1. Remember middle management

3.5.2. Appoint an independent compliance officer.

3.5.3. Create a written anti-bribery policy and provide regular anti-bribery training.

3.5.4. Understand bribery risks in every country where you operate.

3.5.5. Require accurate recordkeeping.

3.5.6. Conduct periodic audits and compliance reviews.

3.5.7. Provide anonymous reporting mechanisms and implement a non-retaliation policy.

3.5.8. Conduct and document internal investigations following any credible tip.

3.5.9. Conduct thorough due diligence on all targets and third-parties.

3.5.10. Take extra care during mergers and acquisitions

3.5.11. Document compliance efforts.

4. Regulatory Areas

4.1. Data Privacy and Information Security

4.1.1. Foundations of Information Privacy and Data Security

4.1.1.1. Common Principles

4.1.1.1.1. The Concept of "Privacy"

4.1.1.1.2. Sources of PI

4.1.1.1.3. "Processing" PI

4.1.1.1.4. Major Categories of PI

4.1.1.1.5. "Privacy Policy" and "Privacy Notice"

4.1.1.1.6. Information Risk Management

4.1.1.1.7. Fair Information Practices (FIPs)

4.1.1.1.8. Data Protection Organization

4.1.1.2. Geography

4.1.1.2.1. World Models of Data Protection

4.1.1.2.2. Conceptions of Privacy (U.S. vs. EU)

4.1.1.2.3. Canada

4.1.1.2.4. Latin America

4.1.1.2.5. Asia

4.1.1.2.6. Middle East

4.1.1.2.7. Africa

4.1.1.3. Sectors

4.1.1.3.1. Healthcare

4.1.1.3.2. Financial

4.1.1.3.3. Telecommunications

4.1.1.3.4. Online

4.1.1.3.5. Government

4.1.1.3.6. Human Resources

4.1.1.3.7. Energy

4.1.1.3.8. Marketing

4.1.1.4. Information Security

4.1.1.4.1. Overview

4.1.1.4.2. Cybersecurity for Lawyers

4.1.1.5. Online Privacy

4.1.2. Jurisdictions

4.1.2.1. U.S.

4.1.2.1.1. U.S. Privacy Environment

4.1.2.1.2. Sectors

4.1.2.1.3. Government and Court Access to Private Sector Information

4.1.2.1.4. State Laws

4.1.2.1.5. Ethical Issues for Lawyers

4.1.3. Information Governance

4.1.3.1. Definition:

4.1.3.1.1. The specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving, and deletion of information.

4.1.3.1.2. The processes, roles and policies, standards, and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.

4.1.3.1.3. The overall management of the availability, usability, integrity, and security of the data employed in an organization or enterprise.

4.1.3.2. General Principles:

4.1.3.2.1. Not just record retention

4.1.3.2.2. Cross-functional

4.1.3.2.3. Covers all information in any form

4.1.3.2.4. Take care of information through entire lifecycle

4.1.3.2.5. Should be a core function of organizations, not just project-based

4.1.3.3. Mitigation:

4.1.3.3.1. Rule of thumb-->minimize "attack surface" (dispose when not needed and not required to retain)

4.1.3.3.2. Main risk areas:

4.1.3.4. Relationship b/t Privacy and IG

4.1.3.4.1. Data mapping helps see connections, clear picture

4.1.3.4.2. Defensible disposition enables DSARs

4.1.3.4.3. Take an integrated approach (no silos)

4.1.4. Technology Overview

4.1.4.1. Cloud Computing

4.1.4.1.1. Introduction

4.1.4.1.2. Data Centers

4.1.4.2. Enterprise Software

4.1.4.3. Technology Agreements

4.2. Export Compliance

4.2.1. ECR

4.2.2. BIS Contacts

4.3. Anti-Money Laundering (AML)

4.3.1. Legal Framework

4.3.1.1. Bank Secrecy Act (BSA)

4.3.1.1.1. Set of statutes

4.3.1.1.2. Only applies to "financial institutions" (broadly defined)

4.3.1.1.3. Record-keeping and reporting obligations:

4.3.1.2. Financial Crimes Enforcement Network (FinCEN)

4.3.1.2.1. Main enforcer of BSA

4.3.1.3. Money laundering statutes (U.S.C. Secs. 1956, 1957)

4.3.1.3.1. Apply to all entities, not just financial institutions

4.3.1.3.2. Civil and criminal forfeiture

4.3.1.3.3. Doctrine of willful blindness

4.3.1.3.4. Sec. 1956 generally prohibits a financial transaction:

4.3.1.3.5. Sec. 1957 can capture mundane and transparent transactions

4.3.2. "Hot Topics":

4.3.2.1. Cannabis

4.3.2.1.1. Overarching Issue=Reconciling federal and state laws

4.3.2.1.2. DOJ Memos:

4.3.2.1.3. 2014 FinCEN Guidance

4.3.2.2. Digital Currencies

4.3.2.2.1. Terminology

4.3.2.2.2. Digital Currency Exchanges

4.3.2.2.3. State Laws

4.3.2.2.4. The "Travel Rule"

4.3.2.3. Real Estate

4.3.2.3.1. Why is real estate a common target of money laundering?

4.3.2.3.2. Geographic Targeting Orders (GTO) Program

4.3.2.3.3. Current Regulatory Scheme

4.3.3. Sanctions and Trade Embargoes

4.3.3.1. Sanctions Overview

4.3.3.1.1. OFAC currently administers 25 U.S. economic sanctions programs

4.3.3.1.2. OFAC Jurisdiction

4.3.3.1.3. 50% Rule

4.3.3.1.4. Strict Liability

4.3.3.1.5. Exemptions and Licenses

4.3.3.1.6. "Facilitation"

4.3.3.2. Effective Sanctions Compliance Programs (OFAC Guidelines)

4.3.3.2.1. There are five essential components of a Sanctions Compliance Program (“SCP”)

4.3.3.3. Key Enforcement Trends

4.3.3.3.1. Types of Enforcement Actions

4.3.3.3.2. OFAC Responses to Apparent Violations

4.3.3.3.3. Recent Enforcement Actions

4.3.3.3.4. Voluntary Self-Disclosure Guidance

4.3.3.4. Impact of Sanctions Law on BSA/AML Programs

4.3.3.4.1. FinCEN Global Investigations Divisions

4.3.3.4.2. Section 311 "Special Measures"

4.3.3.4.3. Best Practices

4.3.3.5. 2020 AML/BSA Government Priorities

4.3.3.5.1. 1) Risks from traditional money laundering schemes.

4.3.3.5.2. 2) Risk assessment processes, policies and procedures.

4.3.3.5.3. 3) Risk-appropriate controls, sufficient customer due diligence and suspicious activity identification and monitoring.

4.3.3.5.4. 4) Evolving vulnerabilities resulting from the rapid pace of technological change.

4.3.3.5.5. 5) Emerging payment solutions and terrorist financing.

4.3.3.5.6. 6) Overlapping issues of money laundering, fraud, consumer protection, and cyber vulnerabilities.

4.3.3.5.7. 7) Cryptocurrencies and other alternative currencies.

4.3.3.5.8. 8) Trade-based money laundering.

4.4. Anti-Bribery and Corruption

4.4.1. FCPA

4.4.1.1. Overview

4.4.2. Enforcement Trends

4.4.2.1. Covid-19 Impact

4.4.2.1.1. May change how compliance professionals do their jobs, but law enforcement agencies have in no way retreated from focus on FCPA and anticorruption enforcement

4.4.2.1.2. DOJ Perspective

4.4.2.1.3. SEC Perspective

4.4.2.1.4. Defense Perspective

4.4.2.2. Voluntary Disclosure

4.4.2.2.1. Most recent cases did not involve voluntary disclosure despite efforts by agencies to encourage it

4.4.2.2.2. Incentive: can get a presumption of a declination

4.4.2.2.3. Clients seem less likely to seek (more sophisticated cost-benefit analysis; worried about uncertainty)

4.4.2.3. Recent Enforcement Actions

4.4.2.4. Impact of Cases on Private Practice

4.4.2.4.1. Good to have case law

4.4.2.4.2. Two big cases (2nd Circ.)

4.4.2.5. Compliance Programs

4.4.2.5.1. DOJ Guidelines

4.4.2.5.2. Clients tend to struggle with day-to-day monitoring

4.4.2.5.3. Role of data analytics

4.4.2.6. "Compliance Monitors"

4.4.2.6.1. Companies want to avoid having one appointed

4.4.2.6.2. Best way to avoid is by developing a robust CP and self-reporting

4.4.2.6.3. Show track record of ongoing program with regular improvements

4.4.2.7. Data Privacy

4.4.2.7.1. Can companies provide DOJ with data located outside U.S.?

4.5. Government Contracts