On April 3, 2019, staff of the Securities and Exchange Commission released (1) a framework providing principles for analyzing whether a digital asset constitutes an investment contract, and thus a security, as defined in SEC v. W.J. Howey Co. and (2) a no-action letter permitting TurnKey Jet, Inc., without satisfying registration requirements under the Securities

On 12 February 2019, the European Data Protection Board (“EDPB”)[1] adopted its first opinion on an “administrative arrangement,” which provides a new mechanism for the transfer of personal data between European Union (“EU”) financial supervisory authorities and securities agencies and their non-EU counterparts.

Under the EU’s General Data Protection Regulation 2016/679 (“GDPR”), personal data cannot be transferred from the European Economic Area (“EEA”) to a third country unless the European Commission has decided that such third country is “adequate” from a data protection laws perspective, or “appropriate safeguards” are in place to ensure that the treatment of personal data in the hands of the recipient reflects the GDPR’s high standards. Article 46 of the GDPR provides for various safeguarding options, including the possibility of “provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.[2] No such “administrative arrangements” have been approved by the EDPB until now.
Continue Reading

On January 10, 2019, a Magistrate Judge in the Northern District of California issued an order denying an application for a search warrant that would have compelled any individual present at the premises to be searched to unlock their digital devices using biometric features, such as thumb prints and facial scans.  The order is notable in that the search warrant was not rejected on Fourth Amendment grounds, but rather on the grounds that requiring a person to unlock his or her digital device ran afoul of the Fifth Amendment’s privilege against self-incrimination.[1]  Providing a thumb or facial scan, the court reasoned, constituted testimony protected by the Fifth Amendment, analogizing biometrics to passwords that similarly protect information stored on devices.  This decision highlights the current tension in the courts on the accessibility of information stored on digital devices, and the courts’ continuing efforts to develop rules governing this rapidly-evolving area of law.
Continue Reading

Nearly a decade ago, WikiLeaks ushered in the age of mass leaks.  Since then, corporations, governments, public figures and private entities have increasingly had to reckon with a new reality: that vigilantes, activists, extortionists and even state actors can silently steal and rapidly disseminate proprietary information, including customer data and other sensitive information.  Last month, the Department of Justice (“DOJ”) indicted four individuals based on information first revealed in the “Panama Papers” leak.  This marks a significant milestone in law enforcement’s reliance on evidence based on an unauthorized mass leak of information.  While leaks and hacks are not a novel phenomenon—in 1971, the New York Times published top secret documents on the Vietnam War and, in 1994, a paralegal leaked tobacco industry documents that ultimately cost the industry billions of dollars in litigation and settlement costs—the frequency, scale and ease of dissemination of leaked information today presents a difference not only of degree, but of kind.  The new Panama Papers-based criminal case will likely raise a host of novel legal issues based on legal challenges to the DOJ’s reliance on information illegally obtained by a third party, as well as information that would ordinarily be protected by the attorney-client privilege.  In this memorandum, we discuss the potential issues raised by the prosecution and their implications.
Continue Reading

On December 20, 2018, the Financial Industry Regulatory Authority (“FINRA”) released a Report on Selected Cybersecurity Practices for broker-dealer firms.  This report reflects FINRA’s current perspective on the cybersecurity threat landscape based on observations from its examinations of securities firms.  Below we discuss the report’s key observations and contextualize these insights for members of the financial industry.
Continue Reading

On December 20, 2018, the U.S. Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released its 2019 Examination Priorities.  The six themes for this year’s priorities are:  retail investors (including seniors and those saving for retirement), compliance and risk in registrants responsible for critical market infrastructure (clearing agencies, transfer agents, national securities exchanges and Regulation SCI entities), oversight of the Financial Industry Regulatory Authority and Municipal Securities Rulemaking Board, digital assets, cybersecurity and anti-money laundering.  The only new theme for 2019 compared to 2018 is digital assets, which we take to imply a plan to more closely—and substantively—regulate investment advisers and broker-dealers involved with this asset class.  The 2019 priorities also more explicitly than the 2018 priorities describe specific practices that OCIE found concerning in examinations of those entities, many of which involved failure to adequately safeguard client assets and the adequacy of disclosures of conflicts of interest.  We expect to see a corresponding focus in Enforcement Division investigations and cases on these issues as a result.
Continue Reading

Continuing its efforts to engage with FinTech innovators and market participants in the adoption of new technologies, the Commodity Futures Trading Commission (“CFTC”) and its LabCFTC[1] released a Primer on Smart Contracts (the “Primer”) on November 27. The Commission focused its Primer on (1) detailing the technical aspects of smart contract technology; (2) examining potential benefits and risks connected to their widespread adoption; and (3) the CFTC’s role in regulating the adoption of the technology within those markets under its jurisdiction.

Continue Reading

On November 16, 2018, the U.S. Securities and Exchange Commission (“SEC”) Division of Corporation Finance (“Corp. Fin.”), Division of Investment Management, and Division of Trading and Markets issued a joint public statement on “Digital Asset Securities Issuance and Trading.”  The public statement is the latest in the Divisions’—and the Commission’s—steady efforts to publicly outline and develop its analysis on the application of the federal securities laws to initial coin offerings (“ICOs”) and certain digital tokens.  These efforts have combined a series of enforcement proceedings with public statements by Chairman Jay Clayton and staff, including a more detailed statement of the SEC’s analytical approach in Corp. Fin. Director William Hinman’s speech on digital assets in June 2018.
Continue Reading

On November 2, the SEC’s Enforcement Division released its annual report detailing the facts and figures of its enforcement efforts in fiscal year 2018.  At first blush, this year’s report looks strikingly similar to those from recent years, as the headline numbers in most categories are nearly indistinguishable from 2015, 2016, and 2017.  This consistency may be surprising given that 2018 is the first such report reflecting exclusively the enforcement priorities of the Commission since it was reconstituted under Chair Jay Clayton.

But a closer examination of the report, including the components feeding into the top-line facts and figures and commentary by Division co-directors Stephanie Avakian and Steven Peikin, reveals a clear shift in priorities by the Division.  These range from a philosophical shift in its mission to the reallocation of resources during a hiring freeze.  We address here the most notable of these subtle but important changes. 
Continue Reading

On October 16, 2018, the Securities and Exchange Commission released a Report of Investigation that cautioned public companies to consider cyber threats when designing and implementing internal accounting controls.  The report was based on an investigation of nine victims of email cyber-fraud schemes for potentially failing to have adequate internal accounting controls, in violation of the Securities Exchange Act of 1934.  The report highlights the need for companies to reassess their controls in light of the current cybersecurity risk environment.  By describing the remedial steps taken by the investigated companies, it further provides guidance about the key areas that companies should consider when assessing their own policies and procedures.
Continue Reading