On June 25, the American National Standards Institute (ANSI) issued a call for organizations with an interest in security to participate in an advisory committee to a new International Organization for Standardization (ISO) technical committee. The ISO is planning to restructure its security sector to consolidate the work of three existing technical committees—Societal security; Fraud countermeasures and controls; and Management system for quality of private security company operations. The new committee will begin work on January 1, 2015 and will cover standardization in the field of security including but not limited to general security management, business continuity management, resilience and emergency management, fraud countermeasures and controls, security services, and homeland security. Organizations interested in participating in the advisory committee must contact ANSI by July 4, 2014.
On July 4, the European Banking Authority (EBA) released an Opinion that outlines for the EU Council, the European Commission, and the European Parliament requirements that would be needed to regulate virtual currencies. The EBA identified more than 70 risks across several categories and numerous causal drivers for those risks, including that (i) a virtual currency scheme can be created, and then its function subsequently changed, by anyone, and in the case of decentralized schemes, by anyone with a sufficient share of computational power; (ii) payer and payee can remain anonymous; (iii) virtual currency schemes do not respect jurisdictional boundaries and may therefore undermine financial sanctions and seizure of assets; and (iv) market participants lack sound corporate governance arrangements. To address those drivers, the EBA believes a regulatory framework would need to comprise, among other elements: (i) governance requirements for certain market participants; (ii) segregation of client accounts; (iii) capital requirements; and (iv) the creation of “scheme governing authorities” accountable for the integrity of a virtual currency scheme and its key components, including its protocol and transaction ledger. Given that the creation of such a regulatory framework will take time, the EBA recommends that European national prudential regulators take action in the immediate term to discourage financial institutions from buying, holding or selling virtual currencies while no regulatory regime is in place. In addition, the EBA recommends that EU legislators consider declaring market participants at the direct interface between conventional and virtual currencies, such as virtual currency exchanges, to be “obliged entities” under the EU Anti-Money Laundering Directive and thus subject to its anti-money laundering and counter-terrorist financing requirements.
The EBA report follows a recent report by the inter-governmental Financial Action Task Force (FATF) that provides an overview of virtual currency terms, markets, risks, and law enforcement actions announced to date.
On May 13, the European Court of Justice held that an internet search operator is responsible for the processing of personal data that appear on web pages published by third parties, and that an individual has a right to ask a search engine operator to remove from search results specific links to materials that include the individual’s personal information. The court considered the issue in response to questions referred from a Spanish court about the scope of a 1995 E.U. directive designed to, among other things, protect individual privacy rights when personal data are processed. The court determined that “by searching automatically, constantly and systematically for information published on the internet, the operator of a search engine ‘collects’ data within the meaning of the directive,” and further determined that the operator “processes” and “controls” individual personal data within the meaning of the directive. The court held that a search engine operator “must ensure, within the framework of its responsibilities, powers and capabilities, that its activity complies with the directive’s requirements,” including by, in certain circumstances, removing “links to web pages that are published by third parties and contain information relating to a person from the list of results displayed following a search made on the basis of that person’s name,” even when publication of that person’s information on those pages is lawful. Further, the court held that although the search engine operator’s processing operations take place outside of the E.U., the operator is covered by the directive because the operator also has operations in an E.U. member state that were “intended to promote and sell, in the Member State in question, advertising space offered by the search engine in order to make the service offered by the engine profitable.”
On May 8, OFAC released enforcement information regarding “apparent violations” of the Cuban Assets Control Regulations by Canadian subsidiaries of a U.S. insurance company. The U.S. company self-reported 3,560 apparent violations that occurred between January 2006 and March 2009, and agreed to remit $279,038 to settle potential civil liability. OFAC stated that over a more than three-year period two Canadian subsidiaries issued or renewed property and casualty insurance policies that insured Cuban risks of a Canadian company, and that one of the subsidiaries maintained a D&O liability insurance policy that insured certain directors and officers of three Cuban joint venture partners of a Canadian corporation. Separately, another subsidiary sold, renewed, or maintained in force individual or annual multi-trip travel insurance policies in which the insured identified Cuba as the travel destination. The civil penalty reflects OFAC’s balancing of aggravating and mitigating factors, including the actual knowledge of the company and certain members of management of the violative conduct, and the company’s self-disclosure, cooperation, and advance remediation.
On May 8, OFAC issued regulations to implement recent Executive Orders establishing sanctions against Russian individuals and entities related to the situation in Ukraine. The Ukraine-Related Sanctions Regulations, 31 C.F.R. Part 589, implement Executive Order 13660 of March 6, 2014, Executive Order 13661 of March 17, 2014, and Executive Order 13662 of March 20, 2014. Consistent with its prior practice, OFAC published the regulations in abbreviated form and plans to provide a more comprehensive set of regulations, which may include additional interpretive and definitional guidance and additional general licenses and statements of licensing policy.
On April 18, OFAC announced that a privately held travel services provider based in the Netherlands but majority-owned by U.S. persons agreed to pay nearly $6 million to resolve allegations that over a roughly six-year period the company’s business units mostly outside the U.S. provided services related to travel to or from Cuba, which assisted 44,430 persons. OFAC states that such business activities constitute alleged violations of the Cuban Assets Control Regulations. The company voluntarily self-disclosed the alleged violations to OFAC, the vast majority of which occurred prior to such disclosure. OFAC claims that the company (i) failed to exercise a minimal degree of caution or care regarding its obligations to comply with OFAC sanctions against Cuba by processing unauthorized travel related transactions for more than four years before recognizing that it was subject to U.S. jurisdiction; (ii) processed a high volume of transactions and assisted a large number of travelers, which caused significant harm to the objectives of the Cuban Assets Control Regulations; and (iii) failed to implement an adequate compliance program. OFAC’s Cuba Penalty Schedule sets a base penalty for the alleged violations at $11,093,500, which was reduced given that (i) the conduct at issue was the company’s “first violation”; (ii) the company provided substantial cooperation during OFAC’s investigation of the alleged violations, including by agreeing to toll the statute of limitations and by providing OFAC with detailed and well-organized documents and information; and (iii) the company already has taken significant remedial action in response to the alleged violations.
On April 15, BAFT, an international financial services association for organizations engaged in international transaction banking, announced the creation of a new Anti-Money Laundering and Know Your Customer Trade Finance Sound Practices working group. The group will address the transaction banking industry’s need to maintain compliance with increasing regulatory expectations involving AML, combating the financing of terrorism, and KYC practices. The group will review “red flags” identified in different jurisdictions, identify common challenges, and develop best practices, which it will consolidate and publish for use by other trade practitioners.
On April 3, Martin Wheatley, Chief Executive of the UK Financial Conduct Authority (FCA), which took over responsibility for overseeing consumer credit markets in the UK on April 1, 2014, identified the FCA’s most “immediate priority” as ensuring “providers of credit, as well as satellite services like credit broking, debt management and debt advice, have sustainable and well-controlled business models, supported by a culture that is based on ‘doing the right thing’ for customers.” He explained that the FCA wants to expand financial service providers’ focus on compliance with specific rules to include “wider FCA expectations of good conduct.” Referencing a paper the FCA published on April 1, the day it began overseeing consumer credit markets, Mr. Wheatley stated that consumer credit providers need to consider how they engage with consumers in vulnerable circumstances. On this issue, the FCA also announced a “competition review” of the UK credit card market to determine, among other things, “how the industry worked with those people who were in difficult financial situations already.”
On March 6, the FTC released a memorandum of understanding (MOU) it signed with the UK’s Information Commissioner’s Office (ICO), which is designed to strengthen the agencies’ privacy enforcement partnership. The FTC stated that over the last several years it has worked with the ICO on numerous investigations and international initiatives to increase global privacy cooperation. The MOU establishes a formal framework for the agencies to provide mutual assistance and exchange of information for the purpose of investigating, enforcing, and/or securing compliance with certain privacy violations. The FTC also announced a joint project with the European Union (EU) and Asia-Pacific Economic Cooperation (APEC) economies to map together the requirements for APEC Cross Border Privacy Rules and EU Binding Corporate Rules, which is designed to provide a practical reference tool for companies that seek “double certification” under the APEC and EU systems, and shows the substantial overlap between the two.
On March 4, the UK FCA released the results of its most recent review of sales incentives at retail financial firms. The FCA’s review revealed that retail banks have made progress in changing their financial incentive structures in response to the FCA’s supervisory focus on the issue starting in September 2012, which led to new guidance issued in January 2013. The FCA’s initial focus on the issue derived from its concerns about incentive structures that, among other things, allegedly fueled the sale of payment protection plans and other add-on products. Despite the broad progress, the FCA reports that roughly one in 10 firms with sales teams had higher-risk incentive scheme features where it appeared they were not managing the risk properly at the time of the FCA’s assessment. The FCA believes firms should concentrate on, among other things, (i) checking for spikes or trends in the sales patterns of individuals to identify areas of increased risk; (ii) better monitoring behavior in face-to-face sales conversations; and (iii) managing risks in discretionary incentive schemes and balanced scorecards, including the risk that discretion could be misused. The FCA states that given the progress made, it is not proposing any rule changes at this time, but it intends to keep financial incentives on its agenda for 2014.
On February 28, the UK Financial Conduct Authority (FCA) announced final rules for consumer credit providers, including new protections for consumers in credit transactions. The FCA states that the most drastic changes relate to payday lending and debt management. For example, with regard to “high-cost short-term credit,” the new rules will (i) limit to two the number of loan roll-overs; (ii) restrict to two the number of times a firm can seek repayment using a continuous payment authority; and (iii) require creditors to provide a risk warning. Among other things, the new rules also establish prudential standards and conduct protocols for debt management companies, peer-to-peer lending platforms, and debt advice companies. The policy statement also describes the FCA’s risk-based and proactive supervisory approach, which the FCA states will subject firms engaged in “higher risk business” that “pose a potentially greater risk to consumers” to an “intense and hands on supervisory experience” and will allow the FCA to levy “swift penalties” on violators. The new rules take effect April 1, 2014. The FCA plans next to propose a cap on the cost of high-cost, short-term credit.
On January 17, the Russian Federation became the fourth party to the United Nations Convention on the Use of Electronic Communications in International Contracts, joining The Dominican Republic, Honduras, and Singapore. The Convention will take effect for Russia on August 1, 2014. It is intended to enhance legal certainty and commercial predictability where electronic communications are used in relation to international contracts, including by addressing, among other things, (i) the determination of a party’s location in an electronic environment; (ii) the time and place of dispatch and receipt of electronic communications; and (iii) the use of automated message systems for contract formation. The Convention builds on the fundamental legal principles and provisions contained in the UNCITRAL Model Law on Electronic Commerce by providing criteria for establishing functional equivalence between electronic communications and paper documents, as well as between electronic authentication methods and hand-written signatures. Fifteen other states have signed the Convention but have not yet ratified it.
On January 15, the Basel Committee on Banking Supervision issued final guidance regarding anti-money laundering/counter-terrorism financing (AML/CTF) risk management. The Committee states that the guidelines are consistent with and supplement the 2012 International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation issued by the Financial Action Task Force. The guidelines supersede two previously issued Basel Committee publications: Customer due diligence for banks (October 2001) and Consolidated KYC management (October 2004). The final guidelines detail the “essential elements” of sound AML/CTF risk management, including those related to (i) assessing and understanding risks; (ii) customer acceptance policies; (iii) customer and beneficial owner identification; (iv) ongoing monitoring; (v) information management and record keeping; and (vi) reporting suspicious transactions and asset freezing. The guidelines also address AML/CTF in the group-wide and cross-border context, and outline expectations for banking supervisors.
On October 18, the U.S. Court of Appeals for the Second Circuit vacated and remanded a district court’s judgment and held that subjecting a foreign bank to personal jurisdiction in New York was within the reach of New York’s long-arm statute and comported with due process protections provided under the U.S. Constitution. Licci v. Lebanese Canadian Bank SAL, No. 10-1306, 2013 WL 5700963 (2d Cir. Oct. 18, 2013). The complaint, brought by individuals who were harmed by rocket attacks in Israel carried out by the terrorist group Hezbollah, alleges that the foreign bank used its correspondent bank account in New York to wire millions of dollars to Hezbollah, knowing that the money would enable the group to carry out terrorist attacks. The New York Court of Appeals had accepted the Second Circuit’s certification question concerning the scope of New York’s long-arm statute and explained that a foreign bank’s use of a New York correspondent account to execute dozens of wire transfers is sufficiently purposeful conduct to constitute a “transaction of business” under the state’s long-arm statute. After resolving the question of personal jurisdiction under state law, the Second Circuit also held that subjecting the defendant bank to personal jurisdiction did not violate due process under the Constitution, finding that the alleged conduct—the deliberate and “repeated use of New York’s banking system” for the purpose of “repeated, intentional execution of U.S.-dollar-denominated wire transfers”—satisfied the minimum contacts test established by the Supreme Court in International Shoe. The court further noted that the bank should have foreseen that “it might be subject to the burden of a lawsuit” in that same forum for wrongs related to, and arising from, that use. The Second Circuit specifically noted that a foreign defendant’s “mere maintenance” of a correspondent account in the U.S. is not by itself sufficient to support the constitutional exercise of personal jurisdiction over the account-holder.
On October 21, the EU Parliament civil liberties committee voted overwhelmingly to adopt amendments to EU data protection rules and to require stiffer fines for non-compliance. The rules are designed to increase individual control over personal data while at the same time making it easier for companies to move across Europe, the committee explained. Under the adopted amendments, if a third country requests a company (e.g., a search engine, social network, or cloud provider) to disclose personal information processed in the EU, the firm would have to seek authorization from the national data protection authority before transferring any data and would have to inform the individual of the request. The amendments would grant any person the right to have their personal data erased if he/she requests it. They also would require that, where processing of personal information is based on consent, an organization or company could process the information only after obtaining clear permission from the data subject, who could withdraw his/her consent at any time. Finally, the amendments would increase the cap for penalties for violations to $136.7 million or up to 5 percent of the violating company’s annual worldwide turnover, whichever is greater. The committee directed the EU Parliament to start negotiations with national governments in the European Council, which would be followed by inter-institutional talks. According to the committee release, Parliament aims to reach an agreement on this major legislative reform before the May 2014 European elections. The 91 amendments are available in two parts.