On September 17, 2020, SEC Commissioner Hester Peirce gave a speech that focused on potential issues raised by investment advisers that—while purporting to follow environmental, social and governance (“ESG”)-labeled investment strategies—did not, in Commissioner Peirce’s words, “walk the ESG walk.”[1]  Her comments are the latest reminder that, while the SEC has continued to struggle with whether to mandate specific ESG disclosures, there seems to be consensus behind the SEC’s focus on determining whether advisers’ disclosures concerning ESG are sufficiently accurate and understandable.  Thus, asset managers would be well served to review and, where warranted, enhance their ESG-related disclosures and compliance policies in an area where the SEC’s Enforcement Division may well be looking to bring cases. Continue Reading Despite Disagreements, SEC Commissioners Emphasize Need for Clear Disclosure by ESG Funds

On September 15, 2020, the Securities and Exchange Commission issued a cease‑and‑desist order against Unikrn, Inc. concerning its 2017 initial coin offering  of UnikoinGold .  The SEC found that the Unikrn ICO violated the prohibition in Section 5 of the Securities Act of 1933 against the unregistered public offer or sale of securities.  The SEC imposed several remedies, including requiring Unikrn to permanently disable the UnikoinGold token and a civil money penalty of $6.1 million. Continue Reading SEC Issues Enforcement Action Against Unikrn, Inc. for its ICO, Prompting Rare Public Dissent from Commissioner Hester Peirce

On September 10, 2020, the Division of Enforcement (“Division”) of the Commodity Futures Trading Commission (“CFTC”) released guidance (“CFTC Guidance”) outlining factors the Division will consider when evaluating compliance programs in connection with enforcement actions. The CFTC Guidance ties into guidance released by the Division in May directing staff to consider an entity’s compliance program when recommending a penalty or other resolution as part of an enforcement action.

Please click here to read the full alert memorandum.

On September 3, 2020, the Antitrust Division of the DOJ issued a revised Policy Guide to Merger Remedies, following shortly after it announced a reorganization of its civil enforcement to create an Office of Decree Enforcement and Compliance.

The Policy Guide to Merger Remedies largely codifies a trend towards strengthening of the Division’s preference for structural remedies—such as divestitures—over conduct remedies—such as firewalls. This revision now expressly states that “[s]tructural remedies are strongly preferred in horizontal and vertical merger cases because they are clean and certain, effective, and avoid ongoing government entanglement in the market” (emphasis added), responding to a perception within the bar that vertical mergers (involving firms at different levels of the distribution chain that do not compete directly) are more amenable to conduct-only remedies. The Policy Guide also lays out conditions when the Division may accept a conduct-only remedy: (1) a transaction generates significant efficiencies that cannot be achieved without the merger; (2) a structural remedy is not possible; (3) the conduct remedy will completely cure the anticompetitive harm, and (4) the remedy can be enforced effectively.

Please click here to read the full alert memorandum.

Background

On August 20, 2020, the Department of Justice (“DOJ”) announced that it had charged Joseph Sullivan, the former Chief Security Officer (“CSO”) of Uber Technologies Inc. (“Uber”), with obstruction of justice and misprision of a felony for allegedly attempting to cover up Uber’s 2016 data incident during the course of an investigation by the Federal Trade Commission (“FTC”).  While the DOJ and federal law enforcement have generally treated corporate hacking targets as victims in connection with data breaches, the charges against Sullivan reinforce that they will actively pursue any violations of federal law that are committed by entities or individuals during the course of responding to such incidents. Continue Reading DOJ Charges Former Uber Executive for Alleged Role in Attempted Cover-Up of 2016 Data Breach

On August 21, the Financial Crimes Enforcement Network, together with the federal banking agencies, released a statement to clarify banks’ customer due diligence obligations for politically exposed persons. The Statement affirms that (i) there is no regulatory requirement, and no supervisory expectation, for banks’ Bank Secrecy Act / anti-money laundering programs to include “unique, additional due diligence steps” for customers who are PEPs and (ii) there is no regulatory requirement for banks to screen customers and their beneficial owners for PEPs.  Instead, the Statement confirms that PEP customers should be subject to the same risk-based approach to CDD that applies to any other customer, but that PEP status (and screening for PEPs) may be a factor in developing a customer risk profile and assessing money laundering risk.  It also reminds banks of the continued U.S. national security and law enforcement interest in detecting and combatting public corruption and other criminality involving PEPs.

Please click here to read the full alert memorandum.

In a landmark enforcement action related to a bank data breach, the Office of the Comptroller of the Currency (“OCC”) assessed an $80 million civil monetary penalty and entered into a cease and desist order with the bank subsidiaries of Capital One on August 6, 2020.  The actions follow a 2019 cyber-attack against Capital One.  The Federal Reserve Board also entered into a cease and desist order with the banks’ parent holding company.  The OCC actions represent the first imposition of a significant penalty against a bank in connection with a data breach or an alleged failure to comply with the OCC’s guidelines relating to information security. Continue Reading OCC Imposes $80 Million Penalty in Connection with Bank Data Breach

On July 30, 2020, Italian Legislative Decree no. 75 went into effect, introducing amendments to the Italian Criminal Code and a new set of criminal offences in the context of corporate liability under Legislative Decree no. 231 of June 8, 2001, among which a number of tax crimes.

Please click here to read the full alert memorandum.

On June 25, 2020, a federal district court in the Eastern District of Virginia held that a bank must produce in discovery a report generated by its cybersecurity forensic investigator following a 2019 data breach involving unauthorized access to personal information of customers and individuals who had applied for accounts.[1]  Even though the report was produced at the direction of outside counsel, the court rejected arguments that the forensic report is protected from disclosure by the work product doctrine.  Instead, the court determined that the report was not produced primarily in anticipation of litigation based on several factors, including the similarity of the report to past business-related work product by the investigator and the bank’s subsequent use and dissemination of the report.  This decision raises questions about the scope of work product protection for forensic expert and other similar reports in the context of an internal investigation. Continue Reading Federal Court Compels Production of Data Breach Forensic Investigation Report

Cleary Gottlieb and Tiantong & Partners 天同律师事务所 continue their collaboration to produce joint analyses regarding some of the current U.S. regulatory challenges for Chinese companies.  This fourth analysis is based on a case study of U.S. sanctions imposed against China Ocean Shipping Company (COSCO), one of the world’s largest shipping companies, and considers sanctions risk mitigation for Chinese companies.

A copy of the case study is available here, with a Chinese translation available here.