Late in 2024, the UK’s Office of Financial Sanctions Implementation (“OFSI”), the agency within His Majesty’s Treasury that is charged with the implementation of financial sanctions in the UK, introduced new sanction measures aimed generally at augmenting the operation and enforcement of UK financial sanctions and targeted specifically at High Value Dealers (“HVDs”) and Art Market Participants (“AMPs”).
These new measures come into force in May 2025—just two months from now—making time very much of the essence.
The decision-making process involved in disclosing a cyber incident is a nuanced and delicate dance. Companies need to consider a myriad of factors, including when to disclose and how much detail to disclose to employees, customers, or regulators, such as the Securities and Exchange Commission (“SEC”).
A New York bank was recently forced to pay over $3.5 million to settle allegations that it minimized the extent of a cybersecurity incident in its SEC filings and public notices to customers. According to the SEC, the bank was negligent in making “materially misleading statements” regarding a cybersecurity incident involving the bank’s network between November 22, 2021 and December 25, 2021.
In the flurry of developments last week in the run-up to the inauguration, it was easy to overlook one that could have a significant and positive impact by making government more effective, efficient, and economical.
On January 17, 2025, Senators Joni Ernst (R-IA) and Chuck Grassley (R-IA) announced the launch of a bipartisan Inspector General Caucus. The other members of the caucus are Senators Maggie Hassan (D-NH), Richard Blumenthal (D-CT), Gary Peters (D-MI), and James Lankford (R-OK). Quoting Senator Ernst, “Inspectors General serve a vital role in uncovering waste in Washington and must be empowered to continue looking out for taxpayers.” Quoting Senator Hassan, “Inspectors General play a critical role in rooting out waste, fraud, and abuse within the federal government and the bipartisan Congressional Inspectors General Caucus will help build support for the important work that Inspectors General do.” Quoting a representative of the Inspector General community, Mike Ware, the Chairman of the Council of the Inspectors General on Integrity and Efficiency, “The Federal IG community looks forward to working with the bipartisan IG Caucus and Congressional leaders to enhance efforts to detect and prevent waste, fraud, abuse, improve government efficiency, and deliver for the American public.” Ware, who also serves as the Inspector General of the Small Business Administration and as the Acting Inspector General of the Social Security Administration, noted in a press release that the IG community’s work last year alone identified savings in federal programs of more than $93 billion, suggesting that there are even more savings to be found if IGs are given additional authority and resources to find them.
In 2024, the Abu Dhabi Global Market (“ADGM”) further enhanced transparency, accountability, and market integrity within the financial freezone by introducing the Whistleblower Protection Regulations 2024 (the “Regulations”). In brief, those Regulations require certain entities registered or licensed to operate or conduct any activity within the ADGM to implement arrangements for handling whistleblowing, including having appropriate written policies and procedures, and to maintain related records for at least six years. The Regulations also afforded the Registrar of the ADGM the power to issue censures, impose financial penalties, or suspend or withdraw licenses for contraventions.
Importantly, ADGM entities have until May 31, 2025—approximately just four more months—to implement those arrangements. The clock is ticking.
In 2024, the National Crime Agency (the “NCA”), which is the UK’s lead agency against organized crime; human, weapon and drug trafficking; cybercrime; and economic crime, announced its “groundbreaking” data sharing partnership with seven UK banks, namely Barclays, Lloyds, Metro Bank, NatWest, Santander, Starling Bank, and TSB.[1]
This new public-private partnership (“PPP”) was the largest of its kind anywhere in the world and the initial results of the project suggest it is revolutionizing the fight against financial crime.
On December 16, 2024, the European Union (EU) adopted its 15th package of sanctions against Russia in response to its ongoing aggression toward Ukraine. The new measures target key sectors of Russia’s military-industrial complex, including the “shadow fleet” and companies that support this complex. Our colleagues at The Trade Practitioner cover this significant development in detail; read the full post, “The EU Strengthens Sanctions Against Russia with 15th Package of Restrictive Measures,” at The Trade Practitioner.
Failure to comply with the complex web of US sanctions laws and regulations carries significant risks both in terms of exposure to civil fines and penalties and reputational harm. To help maritime sector stakeholders navigate these regulations, the US Department of Treasury’s Office of Foreign Assets Control (OFAC) published scenario-based sanctions compliance guidance on October 31, 2024, to help commodities brokers, insurers, ship management service providers, shipbroking companies, port authorities and other industry participants identify attempts at sanctions evasion, address due diligence issues and implement best practices. This guidance supplements OFAC’s previously published guidance related to the maritime sector, including the May 14, 2020 “Sanctions Advisory for the Maritime Industry, Energy and Metal Sectors, and Related Communities.”
Our colleagues Marion Seranne and Saeid Abedi recently covered the French Anti-Corruption Agency’s (“AFA”) newly published guidance addressing Corporate Reporting Sustainability Directive (“CSRD”) reporting for companies that do not meet the French Sapin II law thresholds. In short, the agency stated that CSRD reporting standards trigger an obligation to implement an antibribery and corruption compliance program – a noteworthy point for companies looking to understand how (and if) the CSRD applies to their operations.
On September 27, 2024, the Financial Conduct Authority (“FCA”), which is a financial regulatory body in the UK that regulates firms providing financial services to consumers, fined a UK Challenger Bank (the “Bank”) £29 million due to significant failings in its financial sanctions compliance and anti-money laundering systems and controls.
The FCA’s Summary of Reasons found that, while the Bank had undergone “exponential growth” between 2016 and 2023, growing its customer base more than 8,000 percent from approximately 43,000 customers to approximately 3.6 million customers and its revenue more than 3 million percent from approximately £13,000 to approximately £453 million, “its financial crime controls [had] failed to keep pace”. Of note, the penalty would have been £41 million, 30% more, but for the Bank’s agreement to reach an early resolution with the FCA.
Our client alert covers the FCA’s findings in more detail and discusses the steps that all regulated firms, not least disruptive companies that are leveraging pioneering financial technology to grow as fast as possible, should be taking to help ensure compliance. It is key that firms reconsider their financial crime risk assessments and controls on a regular basis, to confirm that they remain appropriate for the nature and size of their business and the risks identified. Businesses that are fast-growing, introducing innovative products, entering new markets, or otherwise susceptible to abuse by sanctioned persons, money launderers, or other malicious actors, should undertake this reconsideration urgently.
Please do not hesitate to reach out if you would like to discuss how we can help you to assess the adequacy of your existing sanctions and anti-money laundering compliance programs, which in turn will help to mitigate exposure to government investigations, prosecutions and penalties, derivative litigation, and reputational loss and brand devaluation.
In a post published earlier this year, we highlighted the importance of proactively managing artificial intelligence (“AI”) risks as part of an effective compliance program. Specifically, we explored the key considerations for organizations to effectively navigate AI-related risks and enhance their compliance efforts. We also referenced Deputy Attorney General Lisa O. Monaco’s announcement incorporating an assessment of AI-related risks into its policy on Evaluation of Corporate Compliance Programs (“ECCP”).[1] On September 23, 2024, Principal Deputy Assistant Attorney General Nicole M. Argentieri announced that the U.S. Department of Justice (“DOJ”) updated the ECCP (“ECCP Update”) to guide federal prosecutors in analyzing how companies utilize new technologies, including AI, in their operations, and whether this use is accompanied by an appropriate assessment of the risks these technologies may present.[2] The revisions in the ECCP Update aim to “account for changing circumstances and new risks” posed by AI and other emerging technologies in compliance programs, reinforcing the DOJ’s commitment to corporate compliance in an evolving technological landscape.[3]