On November 15, 2018, the Division of Enforcement (the “Division”) of the U.S. Commodity Futures Trading Commission (“CFTC”) released its Annual Report on the Division of Enforcement (the “Report”), highlighting the enforcement division’s recent initiatives and reinforcing its focus on cooperation and self-reporting. The Report provides a succinct overview of the Division’s enforcement priorities over the last year, discusses its overall enforcement philosophy, sets out key metrics about the cases brought in the last year, and highlights its key initiatives for the coming year. While the Division’s priorities—preserving market integrity, protecting customers, promoting individual accountability, and increasing coordination with other regulators and criminal authorities—do not mark a departure from prior guidance, the Report does highlight the Division’s particular focus on individual accountability and a few target areas of enforcement. Continue Reading Virtual Currencies, Manipulation, Cooperation, and More: CFTC Enforcement Division’s 2018 Annual Report
There have been plenty of press reports about the SEC’s settlement with Elon Musk arising from his tweeting about taking Tesla private. But the concurrent settlement with Tesla itself provides interesting lessons for disclosure and governance at public companies.
Tesla agreed to pay a $20 million penalty and agreed to several “undertakings” to strengthen its governance and controls including a requirement that it add two independent directors to its Board. And, under his own settlement, Musk agreed to step down for three years as chairman of the Board of Directors, although he is allowed to continue as CEO. Continue Reading The Tesla Settlement – What It Means for Other Companies
On October 15, 2018, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a $16 million settlement with Anthem, Inc. over alleged violations of federal privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA). The settlement resolves an investigation following a data breach that exposed protected health information of nearly 79 million people. According to OCR, the incident is the largest health data breach to date in the United States and Anthem’s payment similarly represents the largest HIPAA settlement to date. The settlement is consistent with OCR’s recent focus on enforcing regulatory requirements to conduct an accurate and thorough risk analysis and maintain appropriate mechanisms to monitor systems that contain protected health information and to control access to that information. It also highlights the agency’s distinct cybersecurity remediation approach. Continue Reading The U.S. Department of Health And Human Services Settles With Anthem for Record $16M Over Alleged HIPAA Violations
Last month, Guatemalan President Jimmy Morales effectively shut down the operation of the UN-operated International Commission against Impunity in Guatemala (called by its Spanish initials, “CICIG”) by declining to renew its mandate past its September 2019 expiration date and by barring the head of CICIG, Iván Velásquez, from re-entering the country. CICIG, a uniquely independent organ of the United Nations (“U.N.”), was created in 2007 to support and assist Guatemalan institutions in identifying, investigating, and prosecuting public corruption. Over the past decade, it has investigated nearly 200 public officials, and its efforts led to the prosecution and ultimate resignation of former Guatemalan President, Otto Pérez Molina. Continue Reading Anti-Corruption in Guatemala: A Critical Moment for CICIG
The £16.4 million fine imposed by the UK Financial Conduct Authority on Tesco Personal Finance plc provides a salutary lesson on the regulatory exposure associated with failing adequately to prepare for and respond to a cyber-attack – one of the FCA’s stated regulatory priorities.
The episode illustrates how cybersecurity failures can expose a business not only to increasingly draconian penalties under the EU’s General Data Protection Regulation where personal data is involved (effective from 25 May 2018), but also to regulatory enforcement penalties where systems are not in place or are not operated effectively in a crisis.
It highlights the critical importance for businesses of:
- Establishing cybersecurity and data protection compliance firmly on the management and risk agenda. More than just the costs of doing business in the digital economy, these can give rise to serious regulatory and franchise exposure;
- Taking effective action to prevent foreseeable cyber-attacks;
- Establishing appropriate crisis management procedures and providing training to staff on how to invoke them, including through desktop exercises that provide scenario planning training; and
- Engaging constructively and immediately with the relevant authorities and stakeholders to mitigate even greater damage to the business once an attack has occurred.
On September 27, 2018, in remarks delivered at the 5th Annual Global Investigations Review New York Live Event, Deputy Assistant Attorney General Matthew S. Miner reported on the accomplishments of the Department of Justice (“DOJ”) over the course of the last twelve months. Importantly, he also discussed recent changes to the DOJ’s policies on prosecution of business organizations and how those changes have been implemented. Miner highlighted the DOJ’s efforts to incentivize and provide guidance to companies to self-report, cooperate and remediate corporate misconduct while underscoring the importance of robust compliance programs to detect and prevent wrongdoing and to obtain full credit in resolving investigations by the DOJ. Continue Reading DOJ Remarks Highlight Changes to White Collar Policy
On September 4, 2018, the Securities and Exchange Commission (“SEC”) announced a $25.2 million settlement with French pharmaceutical company Sanofi (“Sanofi” or the “Company”) for violating the books and records and internal controls provisions of the Foreign Corrupt Practices Act (“FCPA”) in connection with a scheme to bribe foreign officials to increase sales of Sanofi products. The Sanofi settlement encompasses conduct by three Sanofi subsidiaries organized in Kazakhstan, Lebanon and the United Arab Emirates (“UAE”). The Sanofi settlement follows a recent enforcement action by U.S. authorities against another French company—Société Générale—for FCPA violations. In announcing the Sanofi resolution, the SEC signaled its intention to focus further on bribery risk in the pharmaceutical industry. Continue Reading Sanofi Settles FCPA Charges With SEC for $25.2 Million
On August 27, 2018, the Securities and Exchange Commission (“SEC”) announced a $34.5 million settlement with investment management firm Legg Mason, Inc. (“Legg Mason” or the “Company”) for violating the internal controls provision of the Foreign Corrupt Practices Act (“FCPA”) in connection with a scheme to bribe Libyan government officials to secure investments from Libyan state-owned financial institutions. The SEC settlement follows a June 2018 non-prosecution agreement between Legg Mason and the U.S. Department of Justice (“DOJ”) regarding the same conduct. Under the non-prosecution agreement, Legg Mason agreed to pay $64.2 million. The Legg Mason settlements reflect the increased focus of U.S. authorities on coordinating with other authorities in imposing penalties on a company, including not “piling on,” and the continued enforcement of the FCPA, while highlighting the potential risks under the FCPA of not having proper controls in place for assessing use of third party intermediaries.
When the U.S. Department of Justice opened an investigation against Volkswagen AG (“VW”) and its subsidiaries Audi AG (“Audi”) and Volkswagen Group of America, VW instructed an international law firm to conduct an internal investigation and to represent it (i.e., only VW) before the U.S. Department of Justice. The lawyers, including German lawyers based in the firm’s Munich office, conducted the internal investigation throughout the Volkswagen group. Audi, though not a client of the law firm, allowed the internal investigation within its sphere and accessed the internal investigation’s findings via VW. In January 2017, VW and the U.S. Department of Justice concluded a plea agreement covering 2.0 liter diesel engines designed and produced by VW and installed in VW and Audi vehicles and 3.0 liter engines designed and produced by Audi and installed in VW vehicles. Continue Reading German Federal Constitutional Court: Seizure of Documents Relating to an Internal Investigation at German Office of International Law Firm Found Not to Violate Constitutional Rights
Yesterday the U.S. Department of Justice (“DOJ”) announced a non-prosecution agreement (“NPA”) with a Hong Kong-based subsidiary of Credit Suisse Group AG arising out of the so-called “princelings” scandals of recent years—the practice of hiring unqualified, but politically-connected, relatives of Chinese officials to garner business from state-owned firms. Per Credit Suisse’s admissions, “bankers discussed and approved the hiring of close friends and family of Chinese officials in order to secure business,” resulting in $46 million “in profits from business mandates with Chinese” state-owned enterprises. As part of the resolution, Credit Suisse agreed to a $47 million criminal penalty, to continue to cooperate with DOJ, and to enhance its compliance program, including adopting additional controls around hiring. In addition, Credit Suisse agreed to pay nearly $25 million in disgorgement and $4.8 million in prejudgment interest to the Securities and Exchange Commission (“SEC”). In its press release, DOJ stated that it was giving Credit Suisse a 15 percent discount from the bottom end of the U.S. Sentencing Guidelines for its cooperation in the investigation, while also (as discussed more below) noting steps the firm did not take that worked to limit the amount of such cooperation credit. While this is hardly the first of the “princelings” cases, it does demonstrate DOJ’s continued commitment to the cooperation framework it laid out in its FCPA Corporate Enforcement Policy (“Enforcement Policy”) late last year.