InfoBytes Blog

Financial Services Law Insights and Observations

  • DOJ will not charge researchers who report cybersecurity flaws in “good faith”

    Agency Rule-Making & Guidance

    On May 19, the DOJ revised its policy for charging cases under the Computer Fraud and Abuse Act (CFAA), directing prosecutors not to charge researchers who report cybersecurity flaws in “good faith.” The policy directive informs prosecutors that the DOJ will not prosecute security researchers who access computers “solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public.” Instead, the policy directive focuses the DOJ’s resources “on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer—such as one email account—and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails.” The new policy directive explains, however, that “claiming to be conducting security research is not a free pass for those acting in bad faith,” and provides that “discovering vulnerabilities in devices in order to extort their owners, even if claimed as ‘research,’ is not in good faith.”

    Agency Rule-Making & Guidance DOJ Computer Fraud and Abuse Act Privacy/Cyber Risk & Data Security

  • U.S. signs protocol to strengthen international efforts to combat cybercrime

    Privacy, Cyber Risk & Data Security

    On May 12, the U.S. signaled its commitment to fight cybercrime by signing the Second Additional Protocol to the Convention on Cybercrime to obtain access to needed electronic evidence. Deputy Assistant Attorney General Richard Downing of the DOJ’s Criminal Division signed the new protocol to strengthen and expand international law enforcement cooperation to combat cybercrime. Currently, 66 countries are party to the multilateral treaty (commonly known as the Budapest Convention), which presents a “technology-neutral approach to cybercrime” and “has created an enduring framework for cooperation that ensures law enforcement has the tools they need to respond to new criminal methods.”

    According to the DOJ’s announcement, the new “Protocol to the Budapest Convention will accelerate cooperation among parties to protect [] citizens from cybercrime and hold criminals accountable. As cybercrime proliferates, electronic evidence is increasingly stored in different jurisdictions. The Second Additional Protocol is specifically designed to help law enforcement authorities obtain access to such electronic evidence, with new tools including direct cooperation with service providers and registrars, expedited means to obtain subscriber information and traffic data associated with criminal activity, and expedited cooperation in obtaining stored computer data in emergencies. All these tools are subject to a system of human rights and rule of law safeguards.”

    Privacy/Cyber Risk & Data Security DOJ Of Interest to Non-US Persons

  • DOJ and EEOC address AI employment decision disability discrimination

    Federal Issues

    On May 12, the DOJ and the Equal Employment Opportunity Commission (EEOC) released a technical assistance document addressing disability discrimination when using artificial intelligence (AI) and other software tools to make employment decisions. According to the announcement, the DOJ’s guidance document, Algorithms, Artificial Intelligence, and Disability Discrimination in Hiring, provides a broad overview of rights and responsibilities in plain language, and, among other things, (i) provides examples of technological tools used by employers; (ii) clarifies that employers must consider the impact on different disabilities when designing or choosing technological tools; (iii) describes employers’ obligations under the ADA when using algorithmic decision-making tools; and (iv) provides information for employees on actions they may take if they believe they have experienced discrimination. The EEOC also released a technical assistance document, The Americans with Disabilities Act and the Use of Software, Algorithms, and Artificial Intelligence to Assess Job Applicants and Employees, which focuses on preventing discrimination against job seekers and employees with disabilities.

    Federal Issues DOJ EEOC Artificial Intelligence Americans with Disabilities Act Discrimination

  • DOJ seizes $300 million yacht as part of Task Force KleptoCapture; OFAC issues Russia-related general licenses and updated FAQs

    Financial Crimes

    On May 5, the DOJ executed a seizure warrant freezing a $300 million yacht owned by a sanctioned Russian oligarch, following a determination that the yacht is subject to forfeiture based on probable cause of violations of U.S. law, including the International Emergency Economic Powers Act, money laundering and conspiracy. The Russian oligarch was designated in 2018 by the U.S. Treasury Department’s Office of Foreign Assets Control pursuant to the Countering America’s Adversaries Through Sanctions Act and Executive Order (E.O.) 13582 (covered by InfoBytes here). According to the DOJ’s announcement, the sanctioned oligarch owned the yacht after his designation and “caused U.S. dollar transactions to be routed through U.S. financial institutions for the support and maintenance of the [yacht].” The seizure was coordinated through the DOJ’s Task Force KleptoCapture, which is “an interagency law enforcement task force dedicated to enforcing the sweeping sanctions, export controls, and economic countermeasures that the United States, along with its foreign allies and partners, have imposed in response to Russia’s unprovoked military invasion of Ukraine” (covered by InfoBytes here).

    The same day, OFAC also issued several Russia-related general licenses (GL), including GL 7A, which authorizes “transactions ordinarily incident and necessary to the receipt of, and payment of charges for, services rendered in connection with overflights of the Russian Federation or emergency landings in the Russian Federation by aircraft registered in the United States or owned or controlled by, or chartered to, U.S. persons that are prohibited by the Russian Harmful Foreign Activities Sanctions Regulations”; GL 26A, which authorizes all transactions ordinarily incident and necessary to the wind down of transactions involving Joint Stock Company SB Sberbank Kazakhstan or Sberbank Europe AG, or any entity that Sberbank subsidiaries own, through July 12, provided certain criteria are met; GL 31, which authorizes certain transactions related to patents, trademarks, copyrights, or other forms of intellectual property protections in the U.S. or Russia that would otherwise be prohibited; and GL 32, which authorizes the wind down of transactions involving Amsterdam Trade Bank NV that would ordinarily be prohibited by E.O. 14024 through July 12. Additionally, OFAC issued one new and one amended Russia-related frequently asked questions.

    Financial Crimes OFAC Department of Treasury DOJ Of Interest to Non-US Persons Ukraine Russia Ukraine Invasion OFAC Sanctions OFAC Designations

  • Hsu: Bank merger framework needs updating

    On May 9, acting Comptroller of the Currency Michael J. Hsu delivered remarks before the Brookings Institution focusing on updating the framework used to analyze bank merger applications. In his remarks, Hsu said that bank mergers have “received significant attention this past year” and that “[c]oncerns about the negative effects of bank mergers on competition, communities and financial stability have prompted some to call for a moratorium on merger activity.” Hsu also observed that “others have defended the benefits of mergers,” noting that “the U.S. financial services market is highly competitive, and mergers allow institutions to achieve needed economies of scale and to diversify risk through geographic or product expansion.” The OCC adopted the DOJ’s bank merger review guidelines, which were last revised in 1995, but public comments on whether it should update the guidelines to reflect trends in the banking and financial services sector and modernize its approach to bank merger review are currently pending. Stating that the frameworks for analyzing bank mergers need updating, Hsu noted that imposing a moratorium on mergers would “lock in the status quo,” thus “prevent[ing] mergers that could increase competition, serve communities better, and enhance industry resiliency.” While stating that it is time to “rethink the frameworks” for analyzing bank merger applications, Hsu said that he does not believe that “the statutory prongs of competitiveness, safety and soundness, meeting community needs, and financial stability need to be revisited.” Instead, he said that “the modes of analysis used by regulators to apply these factors need to be improved.” According to Hsu, there is a “resolvability gap” among large regional banks, which is creating a whole new set of “too-big-to-fail” entities as these banks grow in size.

    Bank Regulatory Federal Issues OCC Bank Mergers DOJ

  • National retailers must pay $5.5 million to resolve deceptive product representation

    Federal Issues

    On May 10, the DOJ announced that two national retailers agreed to pay a $2.5 million and a $3 million civil penalty (see here and here) to resolve allegations that they engaged in false labeling and marketing tactics by presenting rayon textile products as bamboo. As previously covered by InfoBytes, the DOJ, on behalf of the FTC, filed complaints (see here and here) against the defendants, which alleged that since at least 2015, the companies made false or unsubstantiated representations in violation of the FTC Act by improperly labeling and marketing textile fiber products as “made of bamboo” in both product titles and descriptions. In addition to paying the civil money penalties, the defendants are prohibited from making deceptive claims, including false and/or unsubstantiated claims, relating to bamboo fiber products, and are prohibited from engaging in future violations of the FTC Act, Textile Act and Textile Rules.

    Federal Issues DOJ FTC Enforcement UDAP Deceptive FTC Act Penalty Offense Authority

  • DOJ to strengthen kleptocracy asset recovery

    Financial Crimes

    On April 28, the DOJ issued a fact sheet outlining legislative proposals to strengthen kleptocracy asset recovery as part of the Biden administration’s efforts “to isolate and target the crimes of Russian officials, government-aligned elites, and those who aid or conceal their unlawful conduct.” The proposed measures would “streamline asset forfeiture proceedings in certain circumstances” and also:

    • Enable the DOJ and Treasury and State Departments to work together to return forfeited kleptocrat funds to remediate harms caused to Ukraine;
    • Expand forfeiture authorities under the International Emergency Economic Powers Act (IEEPA) to include property used to facilitate the violations of sanctions and “amend IEEPA’s penalty provision to extend the existing forfeiture authorities to facilitating property, not just to proceeds of the offenses”;
    • Expand the definition of “racketeering activity” in the Racketeer Influenced and Corrupt Organizations Act to include criminal violations of IEEPA and the Export Control Reform Act to improve the U.S.’s ability to investigate and prosecute sanctions evasion and export control violations;
    • Extend the statute of limitations for prosecuting sanctions violations and the statute of limitations for seeking forfeitures based on foreign offenses from five years to 10 years; and
    • Improve the U.S.’s ability to work with international partners to facilitate enforcement of foreign restraint and forfeiture orders for criminal property and improve the ability to take these actions in the U.S.

    As previously covered by InfoBytes, the DOJ in March launched “Task Force KleptoCapture,” an “interagency law enforcement task force dedicated to enforcing the sweeping sanctions, export restrictions, and economic countermeasures that the United States has imposed, along with allies and partners,” in order to “isolate Russia from global markets.” The task force has since engaged in numerous transatlantic efforts to sanction numerous Russian elites, Russia’s largest privately-owned aircraft, and one of the world’s largest superyachts (covered by InfoBytes here), and has “seized approximately $625,000 associated with sanctioned parties held at nine U.S. financial institutions.”

    Find continuing InfoBytes coverage on the U.S. sanctions response to Russia’s invasion of Ukraine here.

    Financial Crimes DOJ Digital Assets Russia Ukraine Ukraine Invasion Of Interest to Non-US Persons Biden RICO OFAC Sanctions Department of Treasury Department of State

  • UK's FCA secures £2,000,000 account forfeiture order against fintech startup

    Federal Issues

    On April 21, the UK’s Financial Conduct Authority (FCA) secured a £2,000,000 account forfeiture consent order against a fintech startup that purportedly offers due diligence and underwriting services. The FCA noted that the funds were supposedly an investment received from a software firm, but observed that the fintech company moved the money repeatedly to different bank accounts in several countries in transactions with no legitimate business purpose. The funds, which the FCA had already frozen in October and December 2020, were allegedly “the proceeds of illegal activity connected to criminal proceedings in the United States of America concerning an alleged conspiracy to commit wire fraud against banks, credit card companies and other financial service providers in the USA.” While the FCA is not alleging that the fintech company was involved in the conspiracy, it flagged concerns in response to the company’s application to become a regulated firm. The company has since withdrawn its application to be regulated by the FCA.

    Federal Issues Of Interest to Non-US Persons UK FCA DOJ UK Payment Processors Fintech Forfeiture Order

  • FTC charges funeral company with deceptive marketing practices

    Federal Issues

    On April 22, the DOJ filed a complaint on behalf of the FTC against certain defendants providing funeral goods and services to consumers throughout the U.S. for alleged violations of Section 5 of the FTC Act and the FTC’s Funeral Rule. (See also FTC press release here.) According to the complaint, the defendants, who arrange third-party cremation services, allegedly (i) misrepresented that they perform local funeral services, which were instead outsourced to unaffiliated third parties; (ii) charged consumers additional undisclosed costs; and (iii) illegally threatened to withhold remains or information about the remains from consumers who refused to pay previously undisclosed fees or the new, higher prices. The complaint seeks injunctive relief, monetary relief, and civil penalties.

    Federal Issues Courts FTC DOJ Enforcement FTC Act UDAP Deceptive

  • International medical waste provider agrees to $84 million FCPA settlement

    Financial Crimes

    On April 20, the DOJ entered into a deferred prosecution agreement (DPA) with an Illinois-based international medical waste management company, in which the company agreed to pay a fine of approximately $52.5 million related to a conspiracy to violate the FCPA’s anti-bribery provision and books and records provisions. Together with a related resolution with the SEC, and with various foreign authorities, the total resolution will reach over $84 million.

    According to the DOJ, between 2011 and 2016, the company participated in a scheme to bribe officials at government agencies and instrumentalities in Brazil, Mexico, and Argentina to obtain and retain business and to secure improper advantages in connection with providing waste management services. An executive at the company’s Latin America division directed employees in the company’s offices in Brazil, Mexico, and Argentina to pay bribes, typically in cash, that were calculated as a percentage of the underlying contract payments owed to the company from government customers.

    As part of the DPA, the company agreed to cooperate with the DOJ’s ongoing or future investigations, to improve its compliance program, and to retain an independent compliance monitor for two years, followed by self-reporting for the remainder of the term.

    The DOJ noted that, in addition to cooperation and remediation, the resolution reflects a number of factors, including (i) the company’s “failure to voluntarily and timely disclose the conduct that triggered the investigation”; and (ii) “the nature, seriousness, and pervasiveness of the offense.”

    The SEC simultaneously announced a resolution of a related matter, in which the company consented to a cease-and-desist order finding violations of the FCPA’s anti-bribery, books and records, and internal accounting controls provisions. According to the SEC, the scheme also included sham third-party vendors who used false invoices to conceal cash payments to government clients. In addition, the company failed to have sufficient internal accounting controls in place to prevent or detect the misconduct and failed to implement its FCPA policies or procedures prior to 2016. Under the terms of the order, the company agreed to pay $28.2 million in disgorgement and prejudgment interest, of which up to $4.2 million will be offset by disgorgement paid to foreign authorities.

    Financial Crimes SEC DOJ FCPA Bribery Enforcement Of Interest to Non-US Persons Brazil Argentina Mexico
