White Collar Crime Watch

White Collar Crime Watch

Insights & Commentary on International White Collar Crime & Investigations

SCOTUS: No Quid Pro Quo Where Gov. Official Merely Arranged the Meeting, the Menu, the Venue, the Seating

The hit Broadway musical Hamilton depicts a backroom dinner meeting between then Congressman James Madison (Virginia) and the titular Secretary of Treasury, during which Madison proposes a “quid pro quo”: Hamilton will convince President George Washington to move the nation’s capital to the Potomac in exchange for Madison providing the congressional votes needed to pass Hamilton’s debt plan. The ostentatious Thomas Jefferson, Madison’s fellow Virginian, proudly claims to have orchestrated the dinner as a favor to Hamilton, and perhaps because he would like to “work a little closer to home.”

Hamilton’s contemporary retelling of an old story feels particularly at home as a reflection of today’s politics. Consider the case of yet another Virginian: former Governor Robert McDonnell, who was convicted of bribery charges in 2014 for allegedly accepting payments and gifts in exchange for a bit of “Jeffersonian” event planning on behalf of Virginia businessman Jonnie Williams.

Federal prosecutors alleged that McDonnell contacted Virginia officials on Williams’ behalf, arranged meetings with officials to discuss Williams’ products, and hosted events for Williams’ company at the Governor’s Mansion. According to the Government, these calls, meetings, and events were “official acts,” which McDonnell committed or agreed to commit in exchange for $175,000 in loans and other benefits from Williams in violation of the federal bribery statute, 18 U.S.C. §201. Section 201(a)(3) defines “official act” as “any decision or action on any question, matter, cause, suit, proceeding or controversy, which may at any time be pending, or which may by law be brought before any public official, in such official’s official capacity, or in such official’s place of trust or profit.” At trial, the District Court instructed the jury that the term “official acts” encompassed “acts that a public official customarily performs,” including acts “in furtherance of longer-term goals” or “in a series of steps to exercise influence or achieve an end.”

Recently, the United States Supreme Court unanimously held that the District Court’s instructions on “official act” were overly broad, and thus permitted the jury to convict McDonnell for potentially lawful conduct. In McDonnell v. United States, the Court reasoned that merely setting up a meeting, hosting an event, or contacting an official is not enough to qualify as an official act under 18 U.S.C. §201(a)(3). Rather, the official must make a decision or take some action on the matter, or agree to do so. Accordingly, the Court found that the District Court’s instructions were deficient on the grounds that they failed to:

  • adequately explain to the jury how to identify the “question, matter, cause, suit, proceeding or controversy”;
  • inform the jury that the “question, matter, cause, suit, proceeding or controversy” must be more specific and focused than a broad policy objective; and
  • instruct the jury that, to convict McDonnell, it was required to find that he made a decision or took an action—or agreed to do so—on the identified “question, matter, cause, suit, proceeding or controversy.”

The Court overturned McDonnell’s conviction, finding that the deficiencies in the District Court’s instructions made it possible for the jury to convict McDonnell even if he committed no crime.

The Court’s narrow interpretation of “official act” ensures that routine political interactions between “conscientious public officials” and their constituents remain outside the scope of conduct punishable under the federal bribery statute. To prove an “official act,” the Government must show that the parties got to “yes,” rather than just assume that it happened.

UK Confiscation in the Wake of Tom Hayes

In January 2016, the Home Affairs Select Committee launched an Inquiry into the effectiveness of the UK’s proceeds of crime regime. It is anticipated that the Inquiry will hone in on the legal concept of ‘criminal benefit’ and how the UK enforcement authorities broadly define this concept when assessing the benefit obtained by defendants as a result of their crimes. The practical effect of this broad approach has been that a significant number of defendants have been unable to discharge their confiscation orders, a reality attracting increasing media attention in the UK.

The High Court’s recent confiscation ruling in Serious Fraud Office v Tom Hayes[1] highlights the difficulties with the wider interpretation of criminal benefit, and also signifies a troubling expansion of the broad-brush approach, which is likely to adversely affect future defendants.

Under section 76(4) of the Proceeds of Crime Act 2002 [LINK to], a person “benefits from [criminal] conduct if he obtains property as a result of or in connection with the conduct“. Therefore there must be a causal link between the offending behaviour and the benefit received. It is this link which was the subject of some reinterpretation in the Hayes ruling. By way of example, the Court determined that 35% of Hayes’s signing on bonus (termed the “golden hello”) paid to him by Citi Bank fell to be confiscated on the basis that it was the defendant’s prominent reputation as a successful trader (obtained as a result of his manipulation of LIBOR submissions at UBS) which directly resulted in him being hired by Citi Bank. In short, Mr Hayes would not have received this offer of employment ‘but for’ his previous criminal activity at UBS and therefore the causal link required by section 76(4) was established. This finding appears to be stretching the causal relationship to its limits in order to recoup sums which ordinarily would be out of the reach of the confiscation process.

Perhaps the Hayes ruling is in itself unique given that it is the first benchmark manipulation case to go through the confiscation process and there may be an argument that the complexity of the underlying offence warrants a higher level approach to the confiscation question. This is hinted at in the course of Mr Justice Cooke’s ruling[2] in Hayes where he comments that there is “no way” in which it is possible to determine the difference that Hayes’s attempts to manipulate LIBOR actually made to the published rate on any given day, and therefore the Serious Fraud Office had not sought to “quantify the unquantifiable” for the purposes of confiscation.

What does the Hayes ruling denote for the future? If the interpretation of section 76(4) continues to be applied broadly by the UK courts, defendants may well find themselves burdened with a heavy obligation to pay a higher sum than that which they actually obtained from their crimes. Lawyers should bear this in mind when advising clients, especially those facing allegations of serious and complex fraud.

In addition, those advising should be mindful that the desire to avoid a harsh confiscation process through co-operation with the state e.g. through a SOCPA agreement, may be a powerful incentive for some offenders. However, prosecuting agencies are likely to be conscious that public confidence in the criminal justice system may be damaged if criminals are routinely allowed to keep the profits of their criminal activities in return for co-operation.

Until the Home Affairs Committee reports on its findings, the lay of the land is uncertain, and lawyers should proceed with caution when advising in this arena.

[1] 23 March 2016

[2] Paragraph 51

Recent News and Comments Show U.S. and U.K. Authorities’ Efforts to Get the Information Behind the Panama Papers Scandal

The Panama Papers have captured the public’s and the legal community’s attention, with blockbuster disclosures of the offshore dealings of various prominent persons. The investigation so far has been controlled by a team of journalists from various organizations, who have access to a purpose-built database of an estimated 11 million computer files, and have been working with it for months to develop the stories now being published. They have not made public, however, the underlying data.  While regulators and enforcement bodies around the world doubtless would love to get their hands on the entire trove of documents, indications are that they have not. Indeed, the website of the Süddeutsche Zeitung, which is the news organization that was initially contacted by the source of the Panama Papers data, states that it will not “make all the data publicly available and neither will we hand the data over to law enforcement authorities.” http://panamapapers.sueddeutsche.de/articles/5703c8fba1bb8d3c3495b67f/.On the other hand, the International Consortium of Investigative Journalists (which is collaborating on the Panama Papers project) has indicated that it will make the data available in May. The ICIJ’s website does not state how it plans to handle law enforcement inquiries for the underlying Panama Papers data.

On both sides of the Atlantic, recent news stories have focused on some different ways the authorities are attempting to obtain access to the information. First, both in the U.S. and the U.K., some regulators are using an indirect approach to get access to some of the information—demanding that banks disclose to those regulators documents and information relating to the banks’ dealings with Mossack Fonseca, the Panamanian law firm from which the data was taken. Thus, Bloomberg reports that New York’s Department of Financial Services has ordered 13 foreign banks to provide documents and information, including communications with Mossack Fonseca, as well as records identifying any New York-based personnel who had a position with any Mossack Fonseca-established shell companies. http://www.bloomberg.com/news/articles/2016-04-20/ny-regulator-asks-banks-for-records-linked-to-panama-papers-firm.  Similarly, in the U.K., the Financial Conduct Authority has ordered approximately 20 banks to produce information relating to their dealings with Mossack Fonseca. https://next.ft.com/content/8c9d4944-fc23-11e5-b5f5-070dca6d0a0d. Second, recent news has revealed some information about what prosecutors are doing. In the U.S., the United States Attorney for the Southern District of New York wrote a letter to the ICIJ stating that his office had opened a criminal investigation and requesting that the ICIJ provide information (presumably voluntarily). The ICIJ quickly declined, stating that it did not intend to participate in the investigation, and noting that it is “shielded by the First Amendment and other legal protections from becoming an arm of law enforcement.” https://panamapapers.icij.org/20160421-us-investigation-hongkong-editor.html. In the U.K., the head of the Serious Fraud Office, David Green, noted during a conference co-sponsored by Brown Rudnick and Outer Temple Chambers that the files “are being and will be accessed” without clarifying whether the agency actually had them. http://uk.reuters.com/article/uk-panama-tax-britain-idUKKCN0XH1QA. At the same conference, the Financial Conduct Authority Head of Enforcement, Mark Steward, confirmed that he had not seen the files, noting most of us on the law enforcement side haven’t seen what the media has seen.”

There is, of course, the more direct approach adopted by Panamanian and Swiss authorities, which raided offices of Mossack Fonseca quickly after the Panama Papers were first published. It remains to be seen whether U.S. and U.K. authorities will attempt to compel access to the underlying data, either from journalists or Mossack Fonseca, or will continue to rely on published information (and leads from it) as well as indirect sources of the same information, such as that sought from banks.

 

Utah Publishes Nation’s First Online White Collar Crime Offender Registry

Public shaming has reached new levels in Utah. In February 2016, the state became the first to publish an online registry of white collar crime offenders. The Utah White Collar Crime Offender Registry (“Registry”) has been a long-time goal of Utah Attorney General Sean D. Reyes, who stated that “[w]hite-collar crime is an epidemic in Utah.”

According to Attorney General Reyes, the Registry “will further equip citizens to protect themselves from financial fraud by making information much more accessible in this digital age.” The two primary motivating factors behind the creation of the Registry appear to be protecting investors and incentivizing the repayment of restitution. In addition, when legislation for the Registry was introduced, Attorney General Reyes alluded to what may be a third factor—“Utah’s unique personal interweavings and close relationships”—noting that Utah citizens trust those in their neighborhoods, churches, and professions. Attorney General Reyes went on further, stating, “[w]hile in many ways trust is a healthy community trait that fosters social strength and business success, it also leaves [Utah] citizens quite susceptible to those who would exploit that trust.” This rationale—which seems to imply that Utah citizens are overly trusting and therefore need protection from the state—is questionable at best and borders on paternalistic.

A recent press release from the Utah Office of the Attorney General touts the Registry as a tool that “protects future investors, deters fraudsters and incentivizes restitution by allowing removal from the [Registry] after full repayment.” However, it is unclear how effective the Registry will be. First, the information provided on the Registry may not always be correct. Online visitors must acknowledge a disclaimer before entering the Registry that states, “the attorney general does not guarantee the website’s accuracy or completeness.” Second, the information provided on the Registry is already public information, meaning anyone—including investors—can already access it. While publication to a searchable online platform may make the information more accessible, it isn’t necessary. Finally, it is uncertain whether removal or exclusion from the Registry will sufficiently incentivize repayment of restitution. In addition, tying removal and exclusion from the Registry to an individual’s ability to repay restitution may burden those individuals with limited financial means.

It appears that the only other similar registry maintained in Utah is an online sex offender and kidnap offender registry—meaning the state has chosen to single out individuals convicted of financial crimes for inclusion on a public registry over individuals convicted of other crimes, including violent offenses. The rationales offered for creating the Registry are not sufficient to justify equating white collar offenders to sex offenders and kidnappers. This, coupled with a Registry that is likely to be ineffective and unnecessary, leads one to conclude that the true justification for the Registry is shaming white collar offenders into paying restitution. Indeed, one of the sponsors of the bill creating the Registry, Representative Mike McKell, acknowledged that this may amount to a “scarlet letter” and stated, “I’m comfortable with that. If it’s a public shaming to the extent that it’s someone that’s stripped retirement accounts from seniors, I’m okay with that.”

Publication to an online forum also raises significant concerns related to privacy and the potential harassment of listed offenders. The Registry provides extensive information for each listed offender, including the offender’s full name, any aliases, date of birth, height, weight, eye and hair color, qualifying conviction(s), summary of offense(s), and recent photograph. Over 100 individuals are currently listed on the Registry, although this number is expected to rise to approximately 230 individuals over the next several months.

Individuals Required to Register

Per Sections 77-42-105 and 77-42-106(2) of the Utah Code, individuals convicted after December 31, 2005 of a second degree felony for any of the following offenses are required to register with the Utah Office of the Attorney General:

  • Securities fraud;
  • Theft by deception;
  • Unlawful dealing of property by fiduciary;
  • Fraudulent insurance;
  • Mortgage fraud;
  • Communications fraud; and
  • Money laundering.

Individuals remain on the Registry for ten years for a first offense, and for an additional ten years for a second offense. If convicted of a third offense, an individual will remain on the list for a lifetime.

Individuals Excluded from the Registry

Individuals are not required to register if they have (1) fully complied with court orders at the time of sentencing; (2) paid all court ordered restitution in full; and (3) not been convicted of any other offense for which registration is required. See Utah Code § 77-42-106(3)(a)-(c).

Removal from the Registry

Removal from the Registry is possible, but requires full repayment of any court ordered restitution.  The Utah Code and the Utah Administrative Rules outline the procedures for removal.

Utah’s White Collar Crime Offender Registry is the first of its kind in the country, and will hopefully be the last. It is unlikely that this type of registry will serve as an effective or even necessary tool to protect investors, ensure repayment of restitution, or deter future criminal conduct. In addition, serious concerns related to privacy and public shaming should dissuade other state legislatures from enacting similar registries.

Microsoft Sues U.S. Government in Privacy Fight

On April 14, 2016, Microsoft sued the United States Department of Justice, challenging a law that provides the government with authority to prevent technology companies from informing customers when their data is given to the government. This lawsuit comes in the wake of the FBI’s recent requests for Apple to unlock certain iPhones, once again pitting the technology industry against the government over privacy, data, and national security.

The complaint, filed in the Federal District Court in Seattle, argues that the Electronic Communications Privacy Act of 1986 (“ECPA”), is unconstitutional under the First and Fourth Amendments. The ECPA allows the government to issue secrecy orders that block technology companies from informing their customers about a government data request when there is “reason to believe” the disclosure could have an “adverse result” that would endanger a life, or cause one to flee from prosecution, destroy or tamper with evidence, intimidate a potential witness, or otherwise jeopardize an investigation. See 18 U.S.C. § 2705(b). An exception under the Fourth Amendment warrant requirement allows the government in certain situations to seize evidence without a warrant, including when there is imminent danger of destruction of property or evidence.

Microsoft maintains that the ECPA is outdated and too broad. According to the complaint:

There may be exceptional circumstances when the government’s interest in investigating criminal conduct justifies an order temporarily barring a provider from notifying a customer that the government has obtained the customer’s private communications and data. But Section 2705(b) sweeps too broadly. That antiquated law (passed decades before cloud computing existed) allows courts to impose prior restraints on speech about government conduct—the very core of expressive activity the First Amendment is intended to protect—even if other approaches could achieve the government’s objectives without burdening the right to speak freely.

It argues that the government is “exploiting” the recent rise in cloud computing by directing its investigations at parties that store their data on clouds. “The transition to the cloud does not alter people’s expectations of privacy and should not alter the fundamental constitutional requirement that the government must — with few exceptions — give notice when it searches and seizes private information or communications,” stated Microsoft President Brad Smith in a company blog.

The complaint states that between September 2014 and March 2016, Microsoft received 5,624 requests under the ECPA of which nearly half were accompanied by secrecy orders. In addition, 1,752 of the orders contained no time limit or end date, essentially preventing Microsoft from ever disclosing to its customers about the data request.

The ECPA is currently under review by Congress, with proposed reforms before both the House and Senate. Regardless of whether the law is amended through Congress or the courts, it is clear that the privacy fight between technology companies and the government has only begun.

For White Collar Defendants, an Eight-Justice Court Could Mean Less Rights and More Liability

Despite the speculative ideological divide left in the wake of Justice Antonin Scalia’s untimely death, the Supreme Court’s five post-Scalia decisions, each decided 6-2 or better, have reflected appreciable consensus. But notwithstanding President Barack Obama’s nomination of D.C. Circuit Chief Judge Merrick Garland to fill Justice Scalia’s seat, uncertainty remains concerning the fate of cases that may realistically face a 4-4 tie. Here’s how the eight-Justice Court might decide two pending cases that carry sweeping implications for white collar litigation:

Constitutional Limitations on Pretrial Asset Restraint

In United States v. Gonzalez-Lopez, Justice Scalia—writing for an unlikely majority that included the four liberal-most Justices—called the right to retain counsel of choice “the root meaning” of the Sixth Amendment. That right is burdened when the government, before conviction, freezes a criminal defendant’s assets needed to retain counsel. Luis v. United States asks whether such a burden is unconstitutional when the frozen assets are not traceable to the charged crime. A tie or answer in the negative would curtail the rights of criminal defendants to use their legitimate assets to retain their counsel of choice.

Under 18 U.S.C. § 1345, a civil court may enjoin a defendant’s disposal of fraudulently-obtained proceeds (“tainted assets”), or restrain an equivalent value of the defendant’s untainted assets as substitute property. Petitioner Sila Luis’ was indicted for Medicare fraud in 2012. A civil court, pursuant to § 1345, contemporaneously enjoined $45 million of her property, including untainted assets needed to retain counsel. Luis objected that the pretrial restraint of legitimate defense funds categorically violated the Sixth Amendment. The court disagreed, finding “no Sixth Amendment right to use untainted, substitute assets to hire counsel.” The Eleventh Circuit affirmed.

In Caplin & Drysdale Chartered v. United States, the Supreme Court found no constitutional right to pay one’s attorney with assets proved forfeitable under 21 U.S.C. § 853, the criminal forfeiture statute. Section 853’s “relation-back” provision vests title to illicit proceeds in the government at the moment the violation occurs. Just as a robbery suspect is not entitled to fund his defense with the victim’s money, the Court reasoned that a defendant has no constitutional right to pay his counsel of choice with the government’s property.

Relying on Caplin, the Court in United States v. Monsanto, held that the pretrial restraint of a defendant’s assets under § 853 is permissible where probable cause supports forfeiture. In Kaley v. United States, the Court restated Monsanto’s rule to reflect § 853 forfeiture requirements: there must be probable cause demonstrating that (1) the defendant has committed a crime, and (2) the subject assets are traceable to that crime. The Court held that a grand jury’s determination on the first requirement is conclusive.

Luis argued that § 853 cases are inapplicable because the government had no preconviction interest in her untainted assets. She also advanced—though not in her petition—a narrow reading of § 1345: a temporary restrain order against all assets is authorized until a hearing, after which only assets proved tainted may be enjoined.

During arguments last November, the three Kaley dissenters seemed ready to limit Monsanto.  Justice Sonia Sotomayor appeared loath to further restrict the Sixth Amendment. Chief Justice John Roberts and Justice Stephen Breyer (who approved of Luis’ interpretation of § 1345) disliked the notion that the government could restrain all of a defendant’s legitimate money, including defense funds, without a full pretrial hearing. Even Justice Elena Kagan, who penned the Kaley decision, suggested that the Court may be “uncomfortable with the path [it] started down” in Monsanto.

Conversely, Justices Ruth Bader Ginsburg and Samuel Alito took a dim view of Luis’ tainted/untainted distinction. Justice Ginsburg suggested that Congress intended to “come down very hard” on healthcare and banking fraud. Justice Alito viewed Luis’ distinction as problematic given the fungible nature of money. Although he was “troubled by [the] statute,” he noted Luis’ failure to raise the issue in her petition.

Justice Anthony Kennedy voted against the defendants in Caplin, Monsanto, Gonzalez-Lopez, and Kaley, but here criticized the government’s inability to limit its principle, which “would, in effect, prevent the private bar from practicing law unless it did so on a contingent basis.” Justice Clarence Thomas said naught, but twice voted pro-government in Kaley and Gonzalez-Lopez.

Unless Luis gets scheduled for reargument when a new Justice is appointed, the Court may split four-four, with Chief Justice Roberts and Justices Breyer, Sotomayor, and possibly Kagan siding with Luis.  A tie would affirm the decision below. That outcome could be avoided if enough Justices accept Luis’ statutory argument. Alternatively, Justice Kennedy, the last sitting majority-voter from Caplin and Monsanto, could decide that untainted assets—at least those needed to retain counsel of choice—are categorically outside the government’s pretrial reach.

Expansive False Claims Act Liability

The Court’s ruling in another pending case will impact the scope of liability under the federal False Claims Act (“FCA”). The FCA penalizes the submission of false claims for payment to the United States. The “implied certification” theory expands FCA liability by treating a claim as an implicit representation of legal eligibility to be paid. Accordingly, a claim is “false” if submitted while knowingly violating the program’s requirements.

The Seventh Circuit has flatly rejected implied certification. Other courts differ as to whether it applies only to non-compliance with express preconditions of payment. In an opinion now on review, the First Circuit said no: “Preconditions of payment, which may be found in sources such as statutes, regulations, and contracts, need not be expressly designated.” Universal Health Services v. United States ex rel. Escobar asks (1) whether implied certification is a valid theory of FCA liability, and (2) if valid, whether it requires non-compliance with an expressly stated condition of payment.

Recently, the Court has limited the FCA’s reach, deciding six of the seven cases since 2005 for the defendant. That consistency may be lost without Justice Scalia’s traditionally pro-defendant vote on FCA issues. Less than a third of the collective votes of Justices Ginsburg, Breyer, Kagan, and Sotomayor since 2005 have favored FCA defendants. Justice Breyer has routinely sided with qui tam plaintiffs except in unanimous pro-defendant decisions. Justice Sotomayor, who has consistently voted pro-plaintiff, has cautioned against “restrictive” FCA interpretations, considering Congress’ intent “to broaden the availability of qui tam relief.” Justice Ginsburg has similarly rejected decisions that “weaken[] the force of the FCA as a weapon against fraud on the part of Government contractors.” Justice Kagan has only participated in a single FCA decision, where a unanimous Court rejected the defendant’s narrow reading of the “first to file” rule, marking the only instance since 2005 where Chief Justice Roberts, and Justices Kennedy, Thomas, and Alito favored the plaintiff.

Universal Health Services is set for argument this April and will almost certainly be decided by eight Justices. The chance of enough votes to wholly invalidate or affirm the First Circuit’s broad ruling is minimal. If the Court finds middle ground, it will likely reverse the First Circuit on the narrower second question, holding that implied certification applies only where the government expressly states that compliance is a precondition of payment.

A previous version of this article was published by Law360

Assistant Attorney General Highlights Increased Worldwide Collaboration in the Fight Against Cybercrime, and Emphasizes the Need to Access Encrypted Data

On January 25, 2016, Leslie Caldwell, the Assistant Attorney General for the U.S. Department of Justice’s (DOJ) Criminal Division, spoke at the Internet Education Foundation’s 12th Annual State of the Net Conference in Washington, D.C. At this conference, she revealed that the DOJ has stationed investigators and prosecutors in five countries on four different continents in the past fiscal year, focused solely on information sharing to prosecute cyber criminals.

Ms. Caldwell remarked that the Federal Bureau of Investigation’s (FBI) Cyber Division embedded three permanent Cyber Assistant Legal Attachés in the United Kingdom, Canada, and Australia, and that the DOJ recently placed a Criminal Division prosecutor with Eurojust in The Hague, and one in Southeast Asia. These assignments were said to help “facilitate information-sharing, improve cooperation on investigations, and build even stronger relationships with our law enforcement partners in other countries.”

Further, Ms. Caldwell renewed the DOJ’s call for technology companies to provide law enforcement with a way to access encrypted communications during investigations. She said “digital security is a vital tool, but it is not a cure-all – especially when it impedes our ability to protect ourselves and each other in the physical world.” Ms. Caldwell added that the DOJ is committed to obtaining authorization for electronic evidence collection, but that encrypted data impedes law enforcement’s ability to access critical information when necessary.

These revelations and remarks highlight the DOJ’s emphasis on prosecuting crimes committed over the internet, regardless of whether or not the alleged violations occurred within the United States, or by U.S. citizens. Though the DOJ has put an emphasis on the above mentioned information sharing arrangements with strategic countries around the world, standard jurisdictional issues still apply. However, the inescapable connection between the Internet and U.S. interstate commerce may sometimes be sufficient to satisfy the jurisdictional element required in relevant criminal statutes, such as those related to fraud and associated activities in connection with computers and devices under 18 U.S.C. §§ 1028-30.

Further, the DOJ’s call to technology companies, and indirectly to Congress, to provide U.S. law enforcement agencies with the ability to access encrypted data in their investigations has raised a number of privacy issues, including the government’s right to access personal information stored online, and could further complicate the role of technology companies as custodians of customer information when law enforcement comes knocking. However, in October, 2015 the White House decided that it is not possible to give law enforcement access to encrypted communications without also creating an opening that China, Russia, cybercriminals, and terrorists could exploit, because it would increase system complexity, create concentrated targets that could attract bad actors, and would provide foreign countries the political means to compel technology companies to provide the same access to personal encrypted data provided to U.S. law enforcement. Therefore, the DOJ’s call for access to encrypted data is unlikely to be answered anytime soon.

To learn more about Brown Rudnick’s Cybersecurity & Data Privacy practice, click here.

A Happy New Year for the SFO?

The Serious Fraud Office (“SFO”) will wave goodbye to 2015 with a few triumphs under its belt, but what will 2016 bring for David Green?

2015 was a year of “firsts” for the SFO:

Tom Hayes was the first person to be tried for the manipulation of Libor. He was sentenced in August to 14 years in prison. This was slightly reduced to 11 years by the Court of Appeal on 21 December 2015.

On 30 November 2015, the President of the Queen’s Bench Division, Lord Justice Leveson, approved the UK’s first ever Deferred Prosecution Agreement1 after the SFO had conducted a 3 year investigation into CBC Standard Bank who admitted failure to prevent bribery under Section 7 of the Bribery Act 2010 (the “Bribery Act”).

This year also saw the first convictions under the Bribery Act in the Sustainable AgroEnergy trial with the first sentences for bribery offences to be passed in accordance with the new sentencing guidelines, effective from 1 October 2014, and the first conviction of a corporate for foreign bribery in Smith and Ouzman, which concerned that company’s security printing business in Africa.

The latest “first” happened on 2 December 2015 when the first admission of the failure to prevent bribery offence, under Section 7 of the Bribery Act, outside of a DPA was made by Sweett Group PLC.

It is probably safe to assume, at least for now, that the UK’s Home Secretary will shelve her plans for the NCA to swallow the SFO. The NCA has had a rocky 2015, in particular after the warrant scandal. In Chatwani2, the court described the conduct of the NCA in relation to search warrants, which were ruled unlawful, as indifferent to the constitutional safeguards and described the mistakes made by the NCA as grave errors that “went to the very root of the statutory scheme”.

It was not, however, plain sailing for the SFO in 2015:

The SFO will pick up a multi million pound legal bill after the judge dismissed the Welsh mining case3 in which six people were accused of a fraud conspiracy. The judge said that the attempt to prosecute was “improper and unreasonable” because no law was broken. Mr Justice Hickinbottom stated that “this was not simply an error of judgment: once the dismissal application had been formally notified and its essential basis set out, no reasonable prosecutor in the shoes of the SFO would have contested that application in the manner that the SFO in fact did.”

The SFO also faced strong criticism when Ben Morgan, the joint head of bribery and corruption, stated that the new foreign bribery fining policy will see the UK’s SFO consulting with the US on financial penalties even in circumstances where the US is not involved in the case.

Morgan stated that this was “to make sure the sanction would have been appropriate in the US”. The justification for choosing to consult with the US over any other country is because “it’s the US that is really the most active enforcer. It’s really the best frame of reference. There are only so many jurisdictions that have anything approaching a track record”.

The UK introduced new sentencing guidelines for fraud, bribery and money-laundering offences in 2014 and many have suggested that to use the US as a starting point would contradict the spirit of the ‘stepping back’ process set out in the guidelines or, worse, would amount to an abdication of jurisdiction. In addition, US sentencing guidelines provide for ‘prosecutorial discretion’ which would prove difficult to factor in circumstances where a US prosecutor finds himself advising on a matter without having any involvement.

A mixed story, then, for 2015. The SFO will no doubt be aware that it will be obliged to shine in 2016 or face the terror of rebranding or the humiliation of assimilation.

 

______________________

1 http://www.whitecollarcrimewatch.com/2015/12/first-dpa-in-the-uk/
2 The Queen (on the Application of Chatwani & Ors) v The National Crime Agency & Anor [2015] EWHC 1283 (Admin).
3 Evans & Others v SFO

New York’s Focus on Cybersecurity Likely to Increase Compliance Requirements

On November 9, 2015, New York’s top financial regulator, Anthony J. Albanese, Acting Superintendent of Financial Services for the New York State Department of Financial Services (“NYDFS”), issued a letter that outlined increased “cyber security defenses within the financial sector.”  The letter seeks proposals, collaboration and “ultimately, regulatory convergence” on “new, strong cyber security standards for financial institutions.”  The letter follows numerous steps taken by NYDFS in recent years to better understand cybersecurity risks and develop policies to combat future breaches.

The proposed regulations are based on the results of extensive cybersecurity surveys conducted in May 2014 and February 2015 of nearly 200 of NYDFS’ regulated banking organizations and insurance companies.  These surveys led the NYDFS to conclude in its letter that there was a “demonstrated need for robust regulatory action in the cyber security space.”

Albanese wrote in the letter, “[f]irst, although financial institutions have taken significant steps to bolster cyber security efforts in recent years, companies will continue to be challenged by the speed of technological change and the increasingly sophisticated nature of threats . . . . Second, third-party service providers often have access to sensitive data and to a financial institution’s information technology systems, providing a potential point of entry for hackers.”

If implemented, these regulations would be the first set of formal cybersecurity rules established by any state financial regulator.  The New York Superintendent, by including the Federal Reserve, the Consumer Financial Protection Bureau, the US Securities and Exchange Commission, and 15 other federal and state regulators in its letter, is clearly aware of the potential for federal and state regulators to follow suit.

The letter came a day before New York federal prosecutors unsealed indictments against three individuals alleging a cybercriminal enterprise involving a hack of J.P. Morgan Chase & Co. and subsequent data breach of 83 million customers’ personal information.

The proposal provides for both internal controls and requirements for managing third-party providers:

Proposed Regulations for Companies to Implement Internally 

  • Implement and maintain written cybersecurity policies and procedures
  • Implement and maintain written procedures and standards designed to ensure the security of all applications utilized
  • Designate a Chief Information Security Officer
  • Employ personnel to manage cybersecurity risks
  • Conduct annual penetration testing and quarterly vulnerability assessments

Proposed Regulations for Managing Third-Party Service Providers

  • Implement and maintain policies and procedures to ensure the security of data accessible to, or held by, third party service providers, including:
    • Multi-factor authentication
    • Encryption
    • Mandatory notice in the event of a cybersecurity incident
    • Cybersecurity audits of third party vendor
    • Representations and warranties by the third party concerning information security

It is important for financial institutions and insurers, and vendors who serve those entities, whether inside or outside of the state of New York, to monitor these proposed regulations.  Given the NYDFS’s leading position in the financial industry, it is very likely that NYDFS will be just the first of many regulators to implement strict cybersecurity rules in the near future.

First DPA in the UK

On Monday, 30 November 2015, the High Court Judge, Lord Justice Leveson handed down the first ever approval of a Deferred Prosecution Agreement (“DPA“) following a three-year investigation conducted by the Serious Fraud Office (“SFO“) after London ICBC Standard Bank admitted failure to prevent bribery under Section 7 of the Bribery Act.

The case relates to a US$6 million bribe paid by a former sister company of Standard Bank, Stanbic Bank Tanzania, in March 2013 to a local partner in Tanzania, Enterprise Growth Market Advisors, as a “consultancy” fee. Within days, the money was withdrawn in large cash amounts. The SFO alleged that the payment was made to encourage the government officials of Tanzania to support the bank in its $600 million sovereign note private placement.

A DPA is a court-approved deal under which a corporate entity, facing prosecution for economic or financial offences, consents to various measures that could include, amongst others, payment of penalties, repayment of related profits and cooperation with the investigation. In return the prosecution of the company will be suspended for an agreed period of time and will then be withdrawn subject to the corporate’s compliance with all requirements. DPAs were officially introduced in the UK in February 2014, but have been commonly used in the US for years.

In this case the DPA terms include payment of financial orders of US$25.2 million, compensation of US$7 million to the Government of Tanzania and £330,000 for the SFO’s reasonable costs incurred as a result of the investigation and the resolution of the DPA.

The SFO was cooperating with the US Department of Justice (“DoJ“) and the Securities and Exchange Commission during the investigation process on a separate related matter.

Lord Justice Leveson confirmed in his decision that the terms of this DPA are “fair, reasonable and proportionate“. He also stated that “a useful check is to be obtained by considering the approach that would have been adopted by the US authorities had the Department of Justice taken the lead in the investigation and pursuit of this wrongdoing“. In this case the financial penalty is equivalent to the penalty that would have been enforced by the DoJ, had it been the lead investigator and prosecutor of the case in the US.

The Director of the SFO, David Green CB QC, said in his statement in relation to the DPA: “This landmark DPA will serve as a template for future agreements” and indicated that the judgment from Lord Justice Leveson will provide useful guidance to lawyers advising the corporate entities.

UK lawyers view DPAs as a useful means for corporate entities to deal with wrongdoing, specifically in light of the complexity and high costs related to prosecution of companies in the UK.

The first of many DPAs to be entered into, this case is important in demonstrating the SFO’s progressive approach in modernising the prosecution procedure for corporate entities as well as being the very first SFO attempt to prosecute a corporate under Section 7 of the Bribery Act.