Compliance, Securities and Commodities March 4, 2021

SEC 2021 National Exam Program Examination Priorities

By Aline McCullough, Cheryl Haas, Emily P. Gordy and Molly White

On March 3, 2021, the Securities and Exchange Commission’s Division of Examinations (EXAMS) (formerly the Office of Compliance Inspections and Examinations (OCIE) released its 2021 examination priorities.

Notably, while the majority of the examination priorities echo OCIE priorities from prior years, this year’s EXAMS priorities include a greater focus on climate-related risk and environmental, social, and governance (ESG) matters. This is consistent with the Commission’s increased emphasis on ESG matters in other contexts, as well as that of other regulators. This year’s priorities also include examinations relating to Regulation Best Interest (Reg BI) compliance, considerations relating to the impacts of the COVID-19 pandemic and a continued focus on complex products.

EXAMS’s leadership also calls out its newly operational Event and Emerging Risks Examination Team (EERT), which is tasked with enhancing the Division’s ability to identify and tackle emerging and exigent risks as they arise.

The examination priorities are organized around largely perennial themes, and we discuss each such theme below.

Financial Institution Regulation March 3, 2021

Budget Launches Taskforce to Uncover Exploitation of the UK Government’s COVID-19 Financial Rescue Schemes

By Francesca Titus, Chloe S. Steele, Alice O'Donovan and Rend Alani

In today’s budget, UK Chancellor Rishi Sunak announced a £100 million Taskforce to scrutinise claims made under business support schemes designed to help companies and workers navigate their way through the economic impact of the COVID-19 pandemic. The Taxpayer Protection Taskforce will be examining claims made honestly but in error as well as those made fraudulently.

The UK Government’s package of COVID-19 support schemes are credited with saving millions of jobs and keeping many businesses viable. However, auditors and Members of Parliament have been quick to point out that weak safeguards left the schemes vulnerable to exploitation.

Fraud, Deception and False Claims, Securities and Commodities March 2, 2021

Responses Matter: Securities Fraud Sentence Shows the Value of a Sound Response to a Government Investigation

By Simon Davidson

It’s an old lesson in government investigations, but one worth repeating. Conduct during an investigation can matter as much as the conduct under investigation – sometimes even more.

High-profile prosecutions of the past have shown the severe consequences of mistakes in responding to government investigations. Martha Stewart went to prison not for insider trading but for how she responded to an insider trading investigation. Barry Bonds was convicted not for steroid use, but for how he responded to a steroids investigation.

Compliance, Enforcement and Prosecution Policy and Trends, Securities and Commodities February 26, 2021

CFPB’s “Change of Direction” After One Month: New Goals, More Attorneys

By Joseph J. Reilly and Susan C. Rodriguez

In the month since he became Acting Director of the Consumer Financial Protection Bureau, David Uejio has implemented a “change of direction” at the agency, making sweeping announcements on a weekly basis.

Read our complete commentary on McGuireWoods’ Consumer FinSights blog, which assesses where the CFPB stands after the Biden administration’s first month and the likely changes to come.

Enforcement and Prosecution Policy and Trends, Fraud, Deception and False Claims February 25, 2021

DOJ Indictment Highlights Methods Utilized by State Sponsored Cybercriminal Organization to Attack Major Industry and Government Entities

By Kevin M. Lally, Rodger A. Heaton, Erin L. Wilson and Clare E. Reardon

For the third time in less than a month, the United States Department of Justice (DOJ) announced a major enforcement action against an international cybercriminal organization that infiltrated public and private computer networks, fundamentally compromised these systems, and sought to obtain over a billion dollars from this illicit access. This past week’s indictment, which was obtained by the United States Attorney’s Office for the Central District of California, is particularly notable in that it: (1) shines a spotlight on the operations of a decade-long effort by a North Korean state sponsored cybercriminal organization to inflict monetary and reputational harm on targeted government agencies and contractors, financial institutions, cryptocurrency platforms, online casinos and entertainment industry companies; and (2) and highlights the broad array of methods utilized by this organization to evade network cybersecurity protections, exploit computer networks, and steal intellectual property and corporate secrets, while also conducting cyber-extortions, ransomware attacks, and cyber-enabled heists of bank-held funds, ATMs, and cryptocurrency. The threat posed by this organization is sufficiently acute that the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) simultaneously released a joint advisory addressing one of the organization’s most invasive tools, the Applejeus malware, that has been used to conduct large-scale cyber-intrusions, including in this case.

Enforcement and Prosecution Policy and Trends, Financial Institution Regulation February 25, 2021

CISA, FBI, and Treasury Issue Guidance on State Sponsored Cryptocurrency Malware Targeting Financial Institutions and Cryptocurrency Exchanges

By Kevin M. Lally, Rodger A. Heaton, Erin L. Wilson and Clare E. Reardon

This past week the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) released a joint advisory report on HIDDEN COBRA—the cyber threat to cryptocurrency posed by North Korea—and provided mitigation recommendations for addressing this ongoing threat. This report was issued in conjunction with the unsealing of a wide-ranging indictment by the United States Attorney’s Office for the Central District of California that charged three North Korean hackers for their participation in a broad criminal conspiracy to conduct destructive cyberattacks that targeted the financial and entertainment industries, government contractors, and government agencies, including the U.S. Departments of State and Defense.

Enforcement and Prosecution Policy and Trends, Fraud, Deception and False Claims February 11, 2021

Analysis of the DOJ’s 2020 FCA Statistics and the Trends Therein

By Michael J. Podberesky, David Pivnick, Christina Egan and Jeremy Byrum

The U.S. Department of Justice (DOJ) recently issued its annual press release summarizing fraud-related recoveries from False Claims Act (FCA) matters in the prior fiscal year. While the headline number for FY 2020 of $2.2 billion in settlements and judgments involving fraud and false claims against the government is down about $900 million from the average annual recoveries over the prior three years, a deeper look at the underlying statistics and macro trends suggests an upswing in False Claims Act matters, particularly non qui tam (whistleblower) cases, and suggests that an increase in government fraud-related recoveries are likely in future years.

Enforcement and Prosecution Policy and Trends, Fraud, Deception and False Claims February 5, 2021

DOJ Accelerates Enforcement Efforts Against Cybercriminals Who Engage in Ransomware Attacks

By Rodger A. Heaton, Kevin M. Lally, Jason H. Cowley, Brandi G. Howard and Patrick A. Wallace

On successive days last week, the Department of Justice (DOJ) unveiled enforcement actions against international cybercriminal organizations that utilized ransomware to infect computer systems and then extort payment, often in the form of cryptocurrency, from victims worldwide. First, the Criminal Division’s Computer Crime and Intellectual Property Section and the U.S. Attorney’s Office for the Middle District of Florida announced the unsealing of charges against a Canadian national for his alleged involvement in the ransomware scheme known as NetWalker that generated tens of millions of dollars from businesses, public entities, and individuals whose computer databases were encrypted and rendered useless, pending satisfaction of a ransom demand. The following day, the U.S. Attorney’s Office for the Middle District of North Carolina and the Criminal Division’s Computer Crime and Intellectual Property Section revealed their participation in a multinational enforcement operation that disrupted and dismantled Emotet, a botnet that utilized malware, including ransomware, to target critical infrastructure in the United States and abroad. These actions highlight U.S. law enforcement’s increased focus on preventing ransomware attacks, which in the future will rely on both traditional collaboration among international law enforcement agencies and reporting from private entities over which the government exercises regulatory control.

Fraud, Deception and False Claims, Uncategorized February 5, 2021

With Fraud Against UK Businesses at Epidemic Levels, Businesses Need to Know How to Protect Themselves

By Francesca Titus, Chloe S. Steele and Alice O'Donovan

Fraud has reached epidemic levels in the UK and should be seen as a national security issue, says think tank the Royal United Services Institute (RUSI) in a paper published last week[1]. It is the crime to which UK citizens are most likely to fall victim[2]. Its impact on the private sector has consequences for both the stability of individual companies and the broader reputation of the UK as a place to do business.

85% of reported fraud in 2019/2020 was cyber enabled[3] fraud[4]. With limited in person interaction due to the pandemic, and increasing levels of remote working, this figure is expected to increase in the coming year. Cyber fraud is a constantly evolving area with perpetrators adapting their methods as new technologies become available. Common examples of cybercrime are denial of service (DoS), botnet, phishing, and ransomware attacks. Continue Reading

Compliance, Enforcement and Prosecution Policy and Trends, Securities and Commodities February 2, 2021

Consolidated Financial Account Reports and Use of Vendors: FINRA Continues Regulatory Scrutiny – What’s Old is New

By Emily P. Gordy, Cheryl Haas and Piper Waldron

Overview

Consolidated financial account reports can offer a broad – all-encompassing — view of customers’ investments regardless of where the assets are held and may even include non-securities assets. Customers often demand them and firms and financial advisers provide them. FINRA has had these types of communications to customers on its radar screen for years.

Equally, on FINRA’s radar screen for years has been the need to supervise regulatory functions outsourced to third party vendors. FINRA has frequently reminded firms that outsourcing regulatory functions does not relieve the firm of its compliance obligations and that firms must supervise the outsourced activity.

Subject to Inquiry

THE LATEST ON GOVERNMENT INQUIRIES AND ENFORCEMENT ACTIONS