On February 28, 2024, the Biden administration announced the creation of a new national security regulatory regime that will prohibit or restrict certain transactions involving bulk sensitive US personal data or government-related data and specified “countries of concern.” The Biden administration announced the regime in a new executive order, Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (EO 14117), which was accompanied by an advance notice of proposed rulemaking (ANPRM) issued by the National Security Division (NSD) of the Department of Justice (DOJ), the component and agency with primary responsibility for implementing and enforcing the forthcoming regulations. The White House and DOJ also published fact sheets regarding the new regime.

Executive branch officials and members of Congress have long been concerned about the lack of a national security regulatory regime covering the transfer of sensitive US personal data to countries of concern, particularly China. As explained in EO 14117, such data has the potential to be used for a variety of nefarious purposes, including surveillance, extortion, and influence campaigns targeting US government employees and members of the US military, among others. The order highlights that such risks have become more acute due to the rapid advancement of artificial intelligence (AI) and its ability to analyze and manipulate data sets. Bulk sensitive personal data can also be used in the creation and refinement of AI models and other advanced technologies.

According to the White House, the EO is “the most significant executive action any President has ever taken to protect Americans’ data security.”

The public may submit comments on the ANPRM through April 19, 2024 and will likely have an additional opportunity to comment on the language contained in a proposed rule, once issued.

Although intended to be tailored in its scope, our initial assessment is that the new regulatory scheme, once fully implemented, will likely have a profound impact on a number of industries and entities around the world. At a minimum, it seems certain that regulatory compliance costs could be substantial, particularly on entities that have not previously focused on building out a risk-based compliance program in this or other related areas.

On October 4, 2023, Deputy Attorney General Lisa O. Monaco, the second-ranking official in the US Department of Justice (“DOJ” or the “Department”), announced a new Safe Harbor Policy for Voluntary Self-Disclosures (“VSDs”) made in connection with mergers and acquisitions (“M&A”) (together, “M&A Safe Harbor Policy”).  The new policy encourages acquiring companies to timely disclose misconduct uncovered during M&A due diligence and harmonizes the DOJ-wide approach to VSDs for M&A transactions.  The implementation of the M&A Safe Harbor Policy is the most recent initiative in the Biden Administration’s efforts to combat corporate crime and has broad implications across DOJ’s Divisions.

After months of anticipation, a federal judge has finally ruled in the closely watched case of Joseph Van Loon, et al. v. Department of Treasury, et al.  This important case addressed challenges to the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) decision to impose sanctions on Tornado Cash as a Specially Designated National and Blocked Person (SDN).  The judge granted summary judgment in favor of OFAC, finding it had sufficient legal authority to designate Tornado Cash, and denied summary judgment on the plaintiffs’ claims.  Shortly after that ruling, OFAC announced the SDN designation of Roman Semenov, one of three alleged co-founders of Tornado Cash, and the Department of Justice (DOJ) charged Semenov and Roman Storm, another Tornado Cash founder, with multiple alleged criminal violations related to anti-money laundering (AML) and economic sanctions laws.

All three actions are critical developments that contain key insights on how the US government views the AML and sanctions obligations of decentralized protocols and individuals associated with those protocols.  The developments make clear that, at least in certain scenarios, individuals involved in the creation of a DeFi platform can be held responsible for the activities conducted on that platform where such conduct violates US economic sanctions or AML laws, or constitutes sanctionable activity under applicable executive orders.

On July 26, 2023, the US Department of Commerce’s Bureau of Industry and Security (BIS), the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), and the US Department of Justice (DOJ) issued a joint compliance note (the Note) focusing on the voluntary self-disclosure (VSD) policies that apply to US sanctions, export controls, and other national security laws. The Note is the second collective effort by the three agencies to inform the private sector about civil and criminal enforcement trends, as well as to provide guidance to the business community and all persons regarding compliance with US sanctions and export laws. The first joint note, which focused on combatting third-party intermediaries used to evade Russia-related US sanctions and divert export-controlled items that are contributing to Russia’s foreign harmful activities, was issued on March 2, 2023.

The Note does not change the existing VSD policies of the three agencies, but highlights the benefits of their existing VSD policies to incentivize companies to promptly disclose and remediate.  Likewise, the Note highlights the risks companies face, in at least some instances, should they choose not to disclose.

The Note also encourages whistleblowers to report suspected violations of sanctions and anti-money laundering laws to the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), for which persons that submit whistleblower tips may be awarded up to 10% to 30% of the monetary penalty collected for successful US government enforcement actions.

On February 16, 2023, the Department of Justice (DOJ) and Commerce Department announced the creation of the Disruptive Technology Strike Force with a mission to prevent nation-state “adversaries” from acquiring “disruptive” technologies.  The strike force will be co-led by Assistant Attorney General Matthew Olsen of the DOJ’s National Security Division (NSD) and Assistant Secretary for Export Enforcement at the Commerce Department’s Bureau of Industry and Security (BIS) Matthew Axelrod, and will bring together the DOJ’s NSD, BIS, the Federal Bureau of Investigation, Homeland Security Investigations, and 14 US Attorneys’ Offices in 12 metropolitan regions. 

The strike force’s mandate, and remarks by Deputy Attorney General Lisa Monaco announcing the new initiative, illustrate the US government’s continuing focus on protecting sensitive data and “disruptive” technologies, as well as the regulatory and enforcement tools that the US government has used and will continue to use to prevent the acquisition, use, and “abuse” of “disruptive” technologies by autocratic governments to commit human rights abuses and seek strategic advantage vis-à-vis the United States.

In this blog post, we provide an overview of the updates to the Criminal Division’s Corporate Enforcement Policy (CEP) and discuss the impact of these changes on the corporate enforcement policies for criminal violations of sanctions and export controls, criminal violations of antitrust laws, and civil violations of the False Claims Act.

On January 17, 2023, Assistant Attorney General Kenneth A. Polite, Jr. announced changes to the Department of Justice’s (“DOJ”) Corporate Enforcement Policy (“CEP”), including applying the most recent FCPA Corporate Enforcement Policy to all corporate criminal cases handled by the DOJ’s Criminal Division. The FCPA Corporate Enforcement Policy, codified in § 9-47.120 of the Justice Manual, provides that if a company voluntarily self-discloses, fully cooperates, and timely and appropriately remediates, there is a presumption of declination absent certain “aggravating circumstances involving the seriousness of the offense or the nature of the offender.” The clear goal of this and other recent pronouncements from senior DOJ leadership is to tip the scales in favor of early disclosure by setting forth concrete incentives for corporations that discover potential criminal violations. 

Importantly, the CEP now explicitly states that a company presenting “aggravating circumstances,” while not eligible for a presumption of declination, may still obtain a declination if (1) the company had an effective compliance program and system of internal accounting controls at the time of the alleged misconduct, (2) the voluntary self-disclosure was made “immediately” upon the company becoming aware of the allegation of misconduct, and (3) the company provided “extraordinary cooperation” to DOJ investigators. For companies that do not receive a declination but do receive credit, the CEP also increases the available discounts from fines under the U.S. Sentencing Guidelines (“USSG”), both for companies that voluntarily self-disclose and those that do not.

Although the updated CEP heavily emphasizes the benefits of voluntary self-disclosure and cooperation, its implications for companies will largely depend upon the Criminal Division’s application of the policy, including through DOJ prosecutors’ interpretation of important, undefined terms such as “immediate” disclosure and “extraordinary” cooperation.

Moreover, although the CEP applies to the entire Criminal Division, it could potentially have ripple effects on the corporate enforcement policies in place in other DOJ components. For example, the CEP does not revoke or alter the DOJ National Security Division’s (“NSD”) Export Control and Sanctions Enforcement Policy for Business Organizations (the “Export Control and Sanctions Enforcement Policy”). That NSD policy is generally consistent with the CEP, but it does not spell out affirmatively, as the new Criminal Division policy does, the circumstances that a company must demonstrate to be considered for a non-prosecution agreement (“NPA”) rather than a criminal resolution in the face of aggravating factors. Similarly, the Antitrust Division and Civil Division have their own corporate enforcement policies in place, each of which has aspects uniquely tailored to those respective regimes. It therefore remains to be seen whether these other Divisions within DOJ will adjust their corporate enforcement policies to align more precisely with the CEP.