On November 4, the Federal Reserve and the New York DFS announced a combined $258 million penalty against a global bank for “violations in connection with transactions on behalf of countries and entities subject to U.S. sanctions.” According to the Fed’s cease and desist order, the bank failed to implement adequate risk management and compliance policies and procedures to “ensure that activities conducted at offices outside the United States complied with applicable OFAC Regulations and were timely reported in response to inquiries by the Federal Reserve Bank of New York.” Specifically, the Fed alleged that, from November 2001 to January 2006, foreign offices of the bank processed funds transfers with parties subject to OFAC Regulations through the bank’s New York-based subsidiary and other unaffiliated U.S. financial institutions without having the information necessary to determine that the transactions were consistent with U.S. law. The Fed’s order requires the bank to develop a compliance program that establishes (i) policies and procedures to ensure compliance with applicable OFAC regulations; (ii) an OFAC compliance reporting system; and (iii) requirements for employee training in OFAC-related issues. Under the terms of the DFS consent order, the bank agreed to hire an independent monitor to conduct a comprehensive review of its BSA/AML and OFAC sanctions compliance program, policies, and procedures.
Developments in Uzbekistan Telecommunications FCPA Investigations: Dutch Telecommunications Company Makes Provision in Connection with Investigation; DOJ Names Russian Telecommunications Company in Civil Forfeiture Action
On November 3, a Dutch telecommunications company announced that, based on its assessment of ongoing FCPA investigations, it would make a provision in the amount of $900 million in its third quarter financial statements. The company previously disclosed that the SEC, the DOJ, and the Dutch Public Prosecution Service were conducting investigations related to its business in Uzbekistan and prior dealings with a Gibralter-registered company that negotiates mobile phone licenses on behalf of the Uzbek government.
On November 5, another company under investigation for its conduct in Uzbekistan disclosed that the DOJ referenced it in a civil forfeiture complaint. The DOJ’s complaint was directed at an unnamed Uzbek government official, but the complaint alleged that the company and certain other parties made corrupt payments to the unnamed official to gain access to the Uzbek telecommunications market.
Recently, German data protection authorities issued a position paper to address potential consequences of the Court of Justice of the European Union’s (CJEU) Schrems ruling on the handling of personal data. The first section of the paper summarizes the ruling, noting that the court found the Safe Harbor decision overly restrictive of the “supervisory powers of the European data protection supervisory authorities and does not follow the requirements of the provisions that empower the Commission to decide on the level of protection of a third country.” The remaining four sections of the paper consider the following: (i) the European Commission’s options to either adopt a new decision which declares U.S. law provides an adequate level of protection, or to push for an international treaty to include a data protection agreement with the U.S.; (ii) the legal basis for the transfer of personal data; (iii) private bodies’ use of standard contractual clauses, concluding that private bodies must “consider terminating the underlying standard contract with the data importer in the U.S. or suspending data transfers”; and (iv) enforcement concerning private bodies, noting that authorities will examine “whether orders against private bodies must be issued and on which basis data transfers to the United States must be suspended or banned.”
On October 30, the FDIC announced that Vice Chairman Thomas Hoenig will serve as the President of the International Association of Deposit Insurers (IADI) and as Chairman of its Executive Council for a two-year term. The IADI sets global deposit insurance standards and promotes financial stability by facilitating international cooperation and developing best practices among deposit insurers and other parties responsible for financial safety net arrangements. Hoenig will continue to serve as Vice Chairman of the FDIC.
On October 29, OFAC granted a General License authorizing nine Belarusian entities to make transactions otherwise prohibited by Executive Order 13405, effective October 30. The General License also authorizes transactions with any entities that are owned 50 percent or more by the nine named entities. U.S. persons must report authorized transactions or series of transactions exceeding $10,000 to the U.S. Department of State no later than 15 days after execution. The General License expires on April 30, 2016, unless extended or revoked.
On October 20, the DOJ, OFAC, the NYDFS, the Manhattan District Attorney’s Office, and the Federal Reserve simultaneously announced that a Paris-based investment bank would pay a total of more than $787 million to settle multiple alleged violations of U.S. sanctions regulations. The OFAC settlement resolves allegations that the investment bank and certain predecessor banks, between August 6, 2003 and September 16, 2008, processed 4,055 transactions – for a total of approximately $337,043,846 – to or through U.S. financial institutions that involved countries and/or persons subject to the sanctions regulations administered by OFAC. The investment bank settled with OFAC for more than $329,500,000, an amount that reflects the agency’s consideration of the following aggravating factors: (i) the investment bank had indications that its actions had the potential to constitute violations of the U.S. law before the earliest date of the apparent violations; (ii) several managers of the investment bank were aware of the conduct that led to the violations; (iii) the investment bank’s conduct resulted in significant harm to various sanctions programs OFAC oversees and their associated policy objectives; (iv) the investment bank’s size and sophistication, along with its global presence; and (v) the investment bank’s failure to maintain proper controls to prevent the violations from occurring and otherwise maintain an adequate compliance program. Read more…
On October 21, following the October 7 designation of a Honduras-based bank as a Specially Designated Narcotics Trafficker, OFAC announced that it granted a General License authorizing certain transactions and activities to help with the liquidation and wind down of the same bank. Pursuant the General License, transactions and activities that are otherwise prohibited by OFAC during a bank’s liquidation process will be permitted through 12:01 a.m. ET on December 12, 2015, with the following exceptions: (i) the unblocking of any party pursuant to the Foreign Narcotics Kingpin Sanctions Regulations; and (ii) transactions or dealings that are limited by Executive Order, or are with an individual or entity, other than the Honduras-based bank, that is on OFAC’s List of Specially Designated Nationals or Blocked Persons. Any U.S. persons involved in the bank’s liquidation process must file a report with OFAC’s Licensing Division to include the parties involved, and the type, scope, and dates of the activities conducted.
OFAC Issues Finding of Violation to a Bank for Violations of Iranian Transactions and Sanctions Regulations
On October 21, OFAC issued a Finding of Violation to a Chicago-based bank as the successor of a bank that processed six funds transfers totaling approximately $67,000. According to OFAC, the predecessor bank, between February 3, 2011 and March 10, 2011, processed six funds transfers on behalf of its customer “for the purpose of paying an outstanding balance owed to an Iranian entity located in Iran for the purchase of Iranian-origin carpets,” allegedly resulting in a violation of the Iranian Transactions and Sanctions Regulations (ITSR). The bank allegedly failed to remove its customer “from [its] False Hit List or implement any additional measures to prevent or identify possible violations involving the [customer]” after OFAC removed a general license for the importation of Iranian-origin carpets, which became effective September 29, 2010. Read more…
On October 16, the Article 29 Working Party (Working Party) released a statement regarding the October 6 Court of Justice of the European Union’s decision to invalidate the adequacy of the U.S.-EU data protection Safe Harbor framework. The EU Court recently declared that the Safe Harbor Framework fails to “ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union.” In response to the EU Court’s decision, the Working Party provided the following guidance on the implementation of the judgment: (i) a broad analysis of third country domestic laws and international commitments must be applied when determining if data transfers meet adequacy standards; and (ii) Member States and European institutions should hold open discussions with U.S. authorities to “find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights.” The Working Party noted that it will continue to monitor the Irish High Court for developments concerning the Schrems opinion, but that “[i]f by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”
On October 18, the Department of the Treasury released a statement on reaching the formal “Adoption Day” of the Joint Comprehensive Plan of Action (JCPOA), the plan reached between the P5+1, the European Union, and Iran regarding Iran’s nuclear program. Adoption Day is the day JCPOA participants will begin taking steps necessary to implement their JCPOA commitments. According to Treasury Secretary Lew, October 18 marks an “important milestone” as “Iran begins taking its nuclear-related measures and the United States and [its] partners prepare to lift nuclear-related sanctions in response.” Although this action means that the JCPOA’s effective date is October 18, 2015, no sanctions will be lifted until Implementation Day, which will occur after international inspectors confirm that Iran has met its commitments under the JCPOA. As decided in July and outlined in an OFAC press release, licenses with certain credentials will remain in effect in accordance with their terms until Implementation Day. OFAC also issued FAQs concerning Adoption Day. Commenting on the implications of Adoption Day, the White House likewise issued a Statement that it had directed the heads of all relevant executive departments and agencies of the United States to begin preparations to implement U.S. commitments under the JCPOA.
On October 13, the FTC, as part of the International Consumer Protection and Enforcement Network (ICPEN), announced an updated version of ICPEN’s econsumer.gov, a website containing cross border consumer complaints and designed to assist law enforcement authorities investigate and take action against international scams. Originally launched in 2001, the website’s update includes (i) additional language availability; (ii) an improved complaint form, providing consumers with complaint trend data and guidance on how to resolve complaints; and (iii) an interface that is reader-friendly on tablets and smart phones. The FTC enters complaints received via the website into its complaint database, Consumer Sentinel, which is available to enforcers and regulators participating in ICPEN.
On October 7, OFAC announced the designation of a Honduras-Based bank (the Bank) as a Specially Designated Narcotics Trafficker. According to the Department of the Treasury, this announcement “marks the first time that OFAC has designated a bank pursuant to the [Foreign Narcotics Kingpin Designation Act].” OFAC alleged that the Bank was an integral part of a money laundering operation that “facilitated the laundering of narcotics proceeds for multiple Central American drug trafficking organizations.” In addition to the Bank’s designation, OFAC announced the designation of three Honduran businessmen for supporting, via money laundering and other services, the international trafficking of narcotics for the same Central American criminal organizations. The Government of Honduras informed OFAC on October 10 that the liquidation process for the Bank was in effect. Non-U.S. persons involved in the Bank’s liquidation process will not be subject to OFAC designations or enforcement actions, with the understanding that “they do not undertake such transactions with knowledge that such transactions involve or benefit, directly or indirectly, any individual or entity other than [the Bank] that is listed on OFAC’s List of Specially Designated Nationals or Blocked Persons or that otherwise constitutes a person whose property and interests in property are blocked.” Liquidation transactions involving U.S. persons or financial institutions are prohibited, unless the individual or entity applied for and received OFAC authorization.
Special Alert: Cross-Border Data Transfers Significantly Impacted by EU Court Decision Invalidating Adequacy of U.S.-EU Data Protection Safe Harbor Framework
On October 6, the Court of Justice of the European Union (CJEU) in Schrems v. Data Protection Commissioner (“Schrems”) declared “invalid” a decision of the European Commission that the United States-European Union Safe Harbor framework (Safe Harbor) provides adequate protection for personal data transferred from the European Union (EU) to the United States (U.S.). Thousands of U.S. companies have registered with the U.S. Department of Commerce in order to permit the transfer of personal data from the EU to the U.S.
The EU’s 1995 Data Protection Directive (Directive) requires that the transfer of personal data from an EU country to another country take place only if the other country ensures an adequate level of data protection. For the past 15 years, per a 2000 decision by the Commission of the European Communities, U.S. companies participating in Safe Harbor have been deemed to meet adequacy standards. Advocate General (AG) Yves Bot of the CJEU issued an opinion in September (“AG Opinion”) calling that 2000 decision invalid. AG Bot’s opinion declared that the existing framework governing that exchange of data fails to “ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union” because that framework, in AG Bot’s view, contains holes that can allow access to European’s personal data by the NSA and other U.S. security agencies. “[T]he law and practice of the United States allow the large-scale collection of the personal data of citizens of the [EU] which is transferred under the [framework] without those citizens benefiting from effective judicial protection.” And while the FTC and private dispute resolution providers have the power to monitor possible breaches of the framework by private companies, neither has the power to monitor possible breaches by U.S. security agencies. AG Bot stated his belief that, even with an adequacy decision, national Data Protection Authorities retain the power to assess the sufficiency of national data protection regimes outside the EU to which personal data will be transferred. Read more…
On October 5, the SEC announced a settlement with Bristol-Myers Squibb to resolve allegations that the pharmaceutical company’s Chinese joint venture, BMS China, gave cash, jewelry, and other benefits to health care providers in order to boost prescription sales at state-owned or controlled hospitals. The SEC proceeded via an administrative cease and desist order. The SEC’s order found that the company violated the internal controls and books and records provisions of the FCPA. Bristol-Myers consented to the SEC’s order without admitting or denying the findings, and agreed to disgorge profits of $11.4 million plus $500,000 in pre-judgment interest and pay a civil penalty of $2.75 million. Bristol-Myers also agreed to report to the SEC for two years regarding the status of its efforts to implement anti-corruption compliance controls.
The SEC’s order states that Bristol-Myers failed to investigate red flags and claims by terminated BMS China employees that raised the possibility that sales personnel were making improper payments. The order also states that Bristol-Myers was too slow to fill gaps in its internal controls regarding interactions with health care providers.
On October 2, Canadian mining company Kinross Gold Corp. announced that the SEC and DOJ are investigating potentially improper payments to government officials in West Africa. The company’s announcement states that it received subpoenas from the SEC in 2014 and 2015, and a request for information from the DOJ in December 2014. The subpoenas came after the company launched an internal investigation in August 2013 to investigate a whistleblower complaint alleging improper payments to government officials and internal control deficiencies in the company’s West African mining operations.