On October 25, 2016, the United States Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”) issued an advisory entitled Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime (the “Advisory”), to help financial institutions understand how to fulfill their Bank Secrecy Act obligations with regard to cyber events and cyber-enabled crime. The Advisory indicates that SAR reporting is mandatory for cyber events where the financial institution “knows, suspects or has reason to suspect a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions….” Implementing this new guidance will require increased collaboration between AML and cybersecurity or IT departments in large institutions, and may create challenges for smaller banks that are more likely to outsource their cybersecurity functions.
On May 5, 2015, the Financial Crimes Enforcement Network of the U.S. Treasury Department (“FinCEN”), in coordination with the U.S. Attorney’s Office for the Northern District of California (“USAO”), announced a civil monetary penalty of $700,000 against Ripple Labs, Inc. (“Ripple Labs”) and its subsidiary XRP II, LLC (“XRP II”) for violations of the Bank Secrecy Act (“BSA”). This assessment represents the first BSA enforcement action against a virtual currency exchanger by FinCEN. The fine coincides with a settlement agreement between Ripple Labs, XRP II and the USAO to resolve any criminal and civil liability arising out of these activities, the terms of which include a $450,000 forfeiture and full cooperation by Ripple Labs in the ongoing investigation.
As reported in Bloomberg BNA, on April 1, 2015, the White House announced that President Obama has signed a new executive order providing the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, the ability to impose sanctions on individuals and entities that engage in certain cyber-enabled activities. The signed executive order, entitled Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities (the “Executive Order”), focuses on blocking the property or interests in property located in the United States of persons engaging in cyber-enabled activities that cause a significant threat to the national security, foreign policy, economic health or financial stability of the U.S. (collectively, the “Significant Threat”).
On August 6, 2013, the Obama Administration posted links on The White House Blog to reports from the Departments of Commerce, Homeland Security and Treasury containing recommendations on incentivizing companies to align their cybersecurity practices with the Cybersecurity Framework. These reports respond to the Administration’s February 2013 executive order entitled Improving Critical Infrastructure Cybersecurity (the “Executive Order”).
On November 2-3, 2011, Mexico’s Federal Institute for Access to Information and Data Protection (“IFAI”) will host the 33rd International Conference of Data Protection and Privacy Commissioners in Mexico City. Marty Abrams, President of the Centre for Information Policy Leadership at Hunton & Williams LLP, is the chairman of the Conference’s advisory panel and principal advisor to Conference organizers on program content. Hunton & Williams is a proud sponsor of the event, which will feature Hunton representatives as speakers or moderators on multiple panels and plenary sessions, including the following:
On November 30, the Council of the European Union agreed to allow U.S. anti-terrorism authorities access to financial data of individuals located in the EU under certain circumstances. Under the agreement, U.S. authorities will continue to have access to data collected by Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) after a SWIFT database located in Switzerland becomes active later this year (the data had previously been processed in a database located in the U.S.). The agreement contains restrictions on access to the data that have been negotiated between the EU and the U.S. (e.g., access will be limited to data that relate to individuals with links to terrorist activities; U.S. authorities will not have access to data concerning intra-European transactions; and U.S. authorities seeking access to personal data will have to tailor their requests narrowly and justify their requests to the U.S. Department of the Treasury). The agreement will run until October 31, 2010, after which time a further agreement between the U.S. and the EU would have to be negotiated for the U.S. authorities to continue to have access to the data. The agreement was reached despite the abstention from voting of the governments of Austria, Germany, Greece and Hungary because of data protection concerns. Under the EU’s new Lisbon Treaty (which went into effect on December 1, 2009), any further agreement will require participation by the European Parliament, which has been highly critical of the agreement.
Today, eight federal financial regulatory agencies issued a final Gramm-Leach-Bliley Act (“GLBA”) model privacy notice. The final model notice incorporates financial institutions’ required disclosures pursuant to Section 503 of the GLBA. The GLBA requires, in relevant part, that financial institutions provide consumers with information regarding their collection and sharing of nonpublic personal information. Financial institutions that adopt the final model notice will be deemed in compliance with the GLBA notice requirements. The final model notice is the result of the agencies’ consumer research and testing. It is touted as succinct, easy to use and consumer friendly. The final model notice will take effect 30 days after publication in the Federal Register. Publication is anticipated shortly.
The federal financial services agencies are expected to announce shortly a proposed-final Gramm-Leach-Bliley Act (“GLBA”) model form privacy notice. The model notice incorporates financial institutions’ required disclosures pursuant to Section 503 of the GLBA. Financial institutions that use the form to provide notice to consumers will be deemed in compliance with the privacy notice provisions of the GLBA. Once adopted and published in the Federal Register, the financial services agencies’ final model notice will take effect in 30 days.
The GLBA requires, in relevant part, that financial institutions provide consumers with notice of their privacy policies and practices. The privacy notice must describe a financial institution’s disclosure of nonpublic personal information to affiliated and nonaffiliated third parties. In addition, the notice must also give consumers a reasonable opportunity to opt out of certain sharing with nonaffiliated third parties.