Tag: banks

Community Banks and Overdrafts — Time for Reconsideration?

Bank consumer overdraft fees (together with nonsufficient funds (NSF) fees and returned check fees) have long been a target of attacks by consumer advocacy groups and progressive politicians who claim that such fees are disproportionately levied on the most vulnerable consumers. The Obama-era Consumer Financial Protection Bureau (CFPB) initiated efforts to regulate overdraft programs, which were shelved during the Trump administration, and legislation to restrict overdraft fees has regularly been proposed and considered by Congress, but not enacted.

2022, however, may be the year that the US financial regulatory agencies finally move to impose formal restrictions on banks’ overdraft fee programs. In particular, the CFPB, increasingly assertive in President Biden’s second year in office, has clearly signaled its intent to take action in this area:

  • Rohit Chopra, the director of the CFPB, has spoken out on numerous occasions — in public appearances, opinion pieces, and blog posts — regarding the imperative of reining in so-called junk fees charged by banks and other financial companies.
  • On January 26, 2022, the CFPB published a request for public comment targeting “exploitative junk fees,” including overdraft and NSF fees. The CFPB stated that the goal of its information request was to assist the agency’s plan to “craft rules, issue industry guidance, and focus supervision and enforcement resources,” with the goals of reducing excessive fees and eliminating illegal practices.

The attack on overdraft fee programs has been echoed by other administration officials as well as by allied politicians. Acting Comptroller of the Currency Michael Hsu has called traditional bank overdraft programs “a significant part” of a “regressive system” that penalizes the poor and has stated that “banks that hesitate to adopt pro-consumer overdraft programs will soon be negative outliers.” On March 31, 2022, the House Financial Services Subcommittee held a hearing on possible government intervention to restrict overdraft programs, clearly showing coordination by the committee majority with the Biden administration’s initiatives. In March 2022, a group of US Senate Democrats (including Banking Committee Chairman Sherrod Brown) sent letters to seven large banks urging them to abolish or significantly reduce overdraft and other fees, and in early April, New York Attorney General Letitia James, in recent letters signed by numerous other state attorneys general, asked the country’s four largest banks to eliminate consumer overdraft fees altogether by summer 2022.

Adding to the chorus of Biden administration and other political voices critical of overdraft fees has been a steady stream of announcements over the past year by many large banks regarding plans to eliminate or greatly restrict their overdraft and related fees. In January 2022 alone, five of the country’s largest banks announced the planned elimination of NSF fees and certain overdraft charges. These announcements add weight to the CFPB’s attacks on overdraft fee programs and will inevitably result in additional pressure on other large banks to follow suit.

The bottom line is that federal regulation of this area may finally be on the horizon, if not imminent, although it is anyone’s guess what form regulatory action will take. The initial targets of any action taken by the CFPB — whether formal rulemaking, statements of policy, or increased enforcement activity — are likely to be banking companies that have total assets in excess of $10 billion and that are thus subject to direct supervision by the CFPB. However, whatever new policy is implemented by the CFPB in this area will inevitably be applied by the three principal federal banking agencies to financial institutions of all sizes, and community banks should prepare themselves for increased examination scrutiny of their overdraft fee programs and the potential for enforcement actions.

Accordingly, community banks — especially those heavily reliant on overdraft fee income — should review their overdraft programs, ensure that they are compliant with existing regulations and best practices, and consider changes to respond to possible regulatory concerns. While it is impossible to react effectively to a regulatory regime that has not been proposed, much less implemented, reports and statements by the CFPB and other banking agencies provide some guidance. First, the CFPB has indicated that it will demand transparent and fully disclosed pricing of overdraft solutions that allow consumers to make an informed choice. In addition, Acting Comptroller Hsu stated in a December 2021 speech — in which he notably did not call for banks to eliminate overdraft fees — that the OCC had identified several features of bank overdraft programs that could be modified or recalibrated to help achieve the goal of improving the financial health of vulnerable consumers. He stated that these changes included:

  • Requiring consumer opt-in to the overdraft program.
  • Providing a grace period before charging an overdraft fee.
  • Allowing negative balances without triggering an overdraft fee.
  • Offering consumers balance-related alerts.
  • Providing consumers with access to real-time balance information.
  • Linking a consumer’s checking account to another account for overdraft protection.
  • Collecting overdraft or NSF fees from a consumer’s next deposit only after other items have been posted or cleared.
  • Not charging separate and multiple overdraft fees for multiple items in a single day and not charging additional fees when an item is re-presented.

Finally, community banks should closely monitor CFPB and other bank regulators’ overdraft fee initiatives, through state and national bankers associations and otherwise, and continue to explore potential methods of managing their overdraft programs in line with stated and possible future regulatory concerns.

© 2022 Jones Walker LLP
For more about banking institutions, visit the NLR Financial, Securities & Banking section.

Russian Sanctions Create Patent Risks

While multi-national sanctions recently imposed on Russia were intended to punish Russia for its aggression in Ukraine, the effects of the sanctions have led to a need for tough decisions for U.S. entities with patent interests in Russia.  The prohibitions on financial exchanges with certain Russian banks will essentially prevent any payment of fees to Rospatent (the Russian patent office), and although a general license from the Department of the Treasury provides a short window for winding down certain administrative transactions, U.S. entities engaged in patent transactions with Rospatent only have a short time to make decisions about current and future patent activities in Russia.

Prohibited Activities

On February 28, 2022, the Department of the Treasury initiated prohibitions related to transactions involving certain financial institutions in Russia, including the Central Bank of the Russian Federation.1 The directive specifically prohibits a United States person (unless otherwise excepted or licensed) from engaging in any transaction involving the listed financial institutions, including any transfer of assets to such entities or any foreign exchange transaction for or on behalf of such entities.  Under the directive, the prohibitions are specifically worded to include: (1) any transaction that evades or avoids, has the purpose of evading or avoiding, causes a violation of, or attempts to violate any of the prohibitions of the directive; and (2) any conspiracy formed to violate any of the prohibitions of the directive.

Notably, the prohibited activities do not expressly prevent any transactions of a U.S. person with Rospatent.  And although the United States Patent and Trademark Office (USPTO) has cut off direct engagement with Rospatent for carrying out activities such as use of the Global Patent Prosecution Highway (GPPH) program2, Rospatent is not currently a sanctioned entity under the directive.  This, however, is essentially a distinction without a difference.  Moreover, since the USPTO (and also the European Patent Office) has already cut ties with Rospatent, there still remains the possibility that Rospatent itself will be added to the sanctions at a future date and thus completely eliminate any pursuits by U.S. persons with Rospatent.

The current sanctions directly affect entities seeking patent protection in Russia since payments of required fees related to patent applications and granted patents in Russia are processed through the Central Bank of the Russian Federation.  This includes a number of financial transactions, such as payment of government filings fees for directly filing a patent application in Russia or filing a national phase of an international PCT application in Russia, as well as incidental fees incurred during prosecution of pending Russian patent applications and payment of yearly maintenance fees for issued Russian patents.  This would also include payment of yearly maintenance fees for patents obtained through the Eurasian Patent Organization (EAPO) and maintained in Russia since such fees paid to the EAPO must be forwarded to Rospatent.  Because of the intertwining of Rospatent with the Central Bank of the Russian Federation, any fees paid to Rospatent must be considered equivalent to making a transaction through said bank.

Patent prosecution in Rospatent requires engagement with a Russian patent practitioner.  While U.S. entities pursuing patent interests in Russia are unlikely to directly engage Rospatent and pay fees that are ultimately processed through the prohibited bank, it is clear from the directive that strategies, such as routing payments through countries that are neutral in relation to sanctions, are prohibited.  As noted above, the directive prohibits any transaction that actually “evades or avoids” the other prohibitions of the directive, as wells as any transaction that “has the purpose of evading or avoiding” the other prohibitions.  This language appears to have the potential to ensnare purposeful non-adherence as well as actions that unwittingly end in non-adherence (e.g., forgetting to discontinue an automated payment of a patent maintenance fee to Rospatent).

Deadline for Administrative Transactions

U.S. entities still have time to complete administrative transactions with Rospatent despite the February implementation of the directive.  On March 2, 2022, the Department of the Treasury issued a general license authorizing certain transactions that are otherwise prohibited by the directive.3  The license authorizes U.S. persons to pay taxes, fees, or import duties, and purchase or receive permits, licenses, registrations or certifications to the extent such transactions are prohibited under the directive, provided such transactions are ordinarily incident and necessary to such persons’ day-to-day operations in the Russian Federation.  For at least U.S. entities whose day-to-day operations include securing and maintaining intellectual property, including in Russia, this license provides a window to complete activities and avoid violation of the directive.  Currently, the transaction window provided under the license runs through 12:01 a.m. eastern daylight time on June 24, 2022.

Forming a Russian Patent Strategy

The incursion of Russia into Ukraine has been underway for shortly more than one month, but there is no way to know when hostilities may cease.  Moreover, even when peace is achieved, it is impossible to know how long the current sanctions against Russia may continue.  Those familiar with patent law know that the business of obtaining patents is a deadline-driven venture, and uncertainty of time quickly breaks apart the paradigm.  A “wait and see” approach thus has the potential to result in a loss of patent rights as well as possible liability for knowingly or unknowingly engaging in activities that are prohibited under the directive.  Anyone engaged in patent activities in Russia thus would be advised to undertake a portfolio review and utilize the time remaining under the General License to form a plan that ensures compliance with the current sanctions.  This can include at least the following items.

Anyone engaged in patent activities in Russia thus would be advised to undertake a portfolio review and utilize the time remaining under the General License to form a plan that ensures compliance with the current sanctions.

  • Proceeding with Grant of Presently Allowed Applications – For Applicants that have received a Notice of Allowance with a due date after expiration of the General License, one may consider early payment of the fees.  This should only be done, however, to the extent that it is possible to confirm that payment will be processed through Rospatent and the Central Bank of the Russian Federation prior to the expiration of the General License on June 24, 2022.
  • Annuities on Granted Patents – Any patent annuity paid to Rospatent after the General License expires should be assumed to be in violation of the current sanctions.  Patent holders that engage a patent annuity service should contact their provider to confirm that they have a plan in place for compliance with the sanctions.  Some annuity services have, in fact, already announced that they will no longer make payments to the Rospatent until further notice.  Presumably, for Russian patents with annuities due in 2022, early payment could be made in the hope that normalcy will ensure prior to the deadline in 2023, but such action should only be taken to the extent one can ensure that payment is processed through Rospatent and the Central Bank of the Russian Federation before the deadline.  Even then, it may be advisable to consider whether “early” payment of patent annuities would be considered to be “ordinarily incident” to day-to-day operations of a person’s patent pursuits.  In the alternative, a patent owner should confirm that any Russian patents are under a “do not pay” order with their annuity provider to avoid an unintentional, automated payment in violation of the sanctions.
  • Filing a Direct or National Phase Patent Application – If a new patent application in Russia is planned, or if the deadline for national phase entry of a PCT application is approaching, one may consider early filing prior to the expiration of the General License.  This could be done in the hope that a deadline for payment of future fees to Rospatent do not arise before the time that sanctions are lifted.  This is seen to be a risky proposition since it is unknown how quickly Rospatent processes paid fees through the Central Bank of the Russian Federation, and it is likewise unknown to what extent a fee paid to Rospatent before expiration of the General License but only processed through the Central Bank of the Russian Federation after expiration would be viewed as being in violation of the sanctions.  Moreover, if Rospatent itself is later added to the sanctions, any early filings would be at significant risk for abandonment due to an inability to continue transactions with Rospatent.
  • Filing Through EAPO as an Alternative to Russia – Russia is one of several countries where patent protection can be secured based on a granted patent from the EAPO.  As of this writing, the banks utilized for processing financial transactions for the EAPO (AO UniCredit Bank and AO Raiffeisenbank) are not included in the U.S. sanctions.  As such, direct filing or national stage entry with the EAPO can provide an alternate pathway for patent protection in Russia.  The cessation of interaction between the USPTO and the EAPO would not have a bearing on this option, but care would need to be taken to ensure that all documents otherwise transferrable directly between the offices are handled by other routes.  Once a patent is granted by the EAPO and Russia is elected as a country for maintenance of the patent, annuities paid to the EAPO are forwarded to Rospatent.  As such, this alternative pathway is only effective for patents where annuities in Russia would not become due until after lifting of sanctions.  As the average length of time for completion of patent prosecution with the EAPO is generally two or more years, one would hope that the current situation in Russia would be resolved within that timeframe.  Again, however, uncertainty remains.
  • Using Russia as an International Search Authority – Rospatent is one of the limited number of patent offices available for use as the ISA in a PCT application, and Rospatent may be preferred because of the relatively low cost relative to other ISA options.  Search fees paid to the World Intellectual Proper Organization (WIPO) are forwarded to Rospatent when chosen as the ISA, and it is not possible to ensure that such fees paid to WIPO will be forwarded to Rospatent, and then to the Central Bank of the Russian Federation before the expiration of the General License deadline.  As such, it is recommended to not use Rospatent as the ISA in any PCT application from now until sanctions are lifted.
  • Enforcement of Granted Russian Patents – A comprehensive patent strategy in Russia must now also consider the relative value of any Russian patents in light of the recent decree on patent enforceability in Russia.4   Therein, any holder of a Russian Patent from a so-called “unfriendly” foreign state is required to give a mandatory license with no compensation to anyone in Russia wishing to exercise the right of use without consent of the patent owner.  As with the entire situation, uncertainty reigns with this decree, and it is impossible to know when (if ever) rights of Russian patent holders from “unfriendly” states will be returned.  Accordingly, a Russian patent strategy must consider not only options for proceeding in the near term to secure rights to the extent possible but must also consider the reality that any “rights” that are secured with a Russian patent are of no effect and will be for the foreseeable future.

Next Steps

For anyone with significant patent interests in Russia, time is of the essence for cementing a strategy for moving forward.  For some, the most expeditious approach could be to simply close your file on any Russian patents and patent applications.  If such approach is taken, careful attention must be made, as noted above, to ensure that any possibility of a fee being paid to Rospatent after June 24, 2022, is eliminated.  For others, investments in Russia may not allow for a complete abandonment of possible future patent enforcement rights in Russia.  If actions as noted above are taken to “batten down the hatches” of the Russian patent portfolio prior to the deadline in order to weather this storm, timing is again crucial in order to avoid unintentional engagement in sanctioned activities.  Also, moving to patent filings through the EAPO as a starting point for Russia can be an effective workaround so long as Russian sanctions get lifted before any patent annuities through an EAPO patent would become due in Russia.  Finally, in forming a strategy, one also must consider that even before its recent decree on patent enforceability, Russia was already one of nine countries on the United States Trade Representative (USTR) “Special 301 Report”  of trading partners presenting the most significant concerns regarding insufficient IP protection or enforcement or actions that otherwise limited market access for persons relying on intellectual property protection.

1  Directive 4 Under Executive Order 14024, “Prohibitions Related to Transactions Involving the Central Bank of the Russian Federation, the National Wealth Fund of the Russian Federation, and the Ministry of Finance of the Russian Federation,” February 28, 2022, Office of Foreign Assets Control, Department of the Treasury.  See, https://home.treasury.gov/system/files/126/eo14024_directive_4_02282022….
2  USPTO Statement on Engagement with Russia, the Eurasian Patent Organization, and Belarus, March 22, 2022.  See, https://www.uspto.gov/about-us/news-updates/uspto-statement-engagement-r….
3  General License No. 13, “Authorizing Certain Administrative Transactions Prohibited by Directive 4 Under Executive Order 14024, Office of Foreign Assets Control, Department of the Treasury, March 2, 2022.  See, https://home.treasury.gov/system/files/126/russia_gl13.pdf. 
 Decree of the Government of the Russian Federation of 06.03.2022 No. 299 “On Amendments to Clause 2 of the Methodology for Determining the Amount of Compensation Paid to a Patent Owner When Deciding to Use an Invention, Utility Model or Industrial Design without His Consent, and the Procedure for its Payment.” See, http://publication.pravo.gov.ru/Document/View/0001202203070005?index=0&r…

Article By Ryan Cagle of Womble Bond Dickinson (US) LLP

For more intellectual property legal news, click here to visit the National Law Review.

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.

New Year to Bring Increased Regulatory Focus on Cybersecurity for Financial Institutions

Having weathered the cybersecurity turbulence of 2014, the financial services sector can look forward to increased regulatory attention from federal, state and non-governmental regulators in 2015. First, in the wake of data breaches at major banks and financial institutions, and drawing upon its mid-2014 “Report on Cyber Security in the Banking Sector,”1 the New York Department of Financial Services (the “NYDFS” or the “Department”) has announced a New Cybersecurity Examination Process for the banks under its regulatory jurisdiction (the “Examination Letter”). Additionally, the Chairman of the federal Commodity Futures Trading Commission (“CFTC”) has testified before a Senate committee that the CFTC will increase its attention to cybersecurity during its upcoming examinations of clearinghouses and exchanges. Also, the Conference of State Bank Supervisors (“CSBS”) has issued a resource guide for bank executives on cybersecurity that community bank CEOs, senior executives and board members are being strongly encouraged to use to address cybersecurity threats at their banks.

These latest regulatory developments impacting financial institutions will likely affect the cybersecurity policies of other regulators, including enforcement actions against regulated entities that fail to implement adequate cybersecurity programs. Thus, even if your organization is not a financial institution regulated by the NYDFS, CFTC or a state banking regulator, the key takeaways discussed below will provide insight into the types of questions regulators will pose, and offer practical guidance for developing a compliant privacy and data security program to mitigate cybersecurity risks. The December 2014 ruling that retailer Target had an affirmative duty to protect its customers’ personal and financial information illustrates that these pronouncements provide important guidance not just to regulated entities, but to companies generally.

NYDFS’s Examination Letter

On December 10, 2014, the NYDFS issued the Examination Letter to all New York chartered and licensed banking institutions announcing the Department’s new, targeted cybersecurity preparedness assessment. In an effort to promote greater cybersecurity across the financial services industry, the NYDFS warned that it will expand its routine information technology examinations to include cybersecurity. However, as noted in an article in American Banker2, the Examination Letter provides no indication that the examinations will differentiate among banks by size, meaning a smaller community bank may be subject to the same cybersecurity requirements as multinational banks with significantly more resources.

The new examination procedures are designed to encourage “all financial institutions to view cybersecurity as an integral aspect of their overall risk management strategy, rather than as a subset of information technology.” According to Benjamin M. Lawsky, Superintendent of the NYDFS, new procedures are also intended to promote a “laser-like focus on this issue by both banks and regulators” given that regulatory examination rankings can have a significant impact on the operations of financial institutions, including their ability to enter into new business lines or make acquisitions.

The Examination Letter notes that the NYDFS will be incorporating the following new security-oriented topics into its pre-examination “First Day Letters” to assist in expediting the Department’s review of financial institutions’ cybersecurity preparedness:3

  • Corporate governance, including written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;

  • Cybersecurity incident detection, monitoring and reporting processes;

  • Resources devoted to information security and overall risk management;

  • The risks posed by shared infrastructure;

  • Protections against intrusion, including multifactor or adaptive authentication, and server and database configurations;

  • Information security testing and monitoring, including penetration testing;

  • Training of information security professionals as well as all other personnel;

  • Vetting and management of third-party service providers; and

  • Cybersecurity insurance coverage and other third-party protections.

In addition to the information requested in the First Day Letter, the NYDFS stated that it will schedule IT/cybersecurity examinations following the risk assessments of each financial institution. The new IT/cybersecurity examinations will take a deeper look into the financial institution’s ability to prevent, detect and respond to data breaches and other cyber attacks by requesting:

  • The qualifications of the institution’s Chief Information Security Officer, or the individual otherwise responsible for information security;

  • Copies of the institution’s information security policies and procedures;

  • The institution’s data classification approaches and data access management controls;

  • The institution’s vulnerability management programs, including its consideration of applications, servers, endpoints, mobile, network and other devices;

  • The institution’s patch management program, including how updates, patches and fixes are obtained and disseminated;

  • The institution’s due diligence process regarding information security practices used to vet, select and monitor third-party service providers;

  • Application development standards used by the institution, including the extent to which security and privacy requirements are incorporated into application development processes;

  • The institution’s incident response program, including how incidents are reported, escalated and remediated; and

  • The relationship between information security and the organization’s business continuity program.

The NYDFS’s Examination Letter is essentially a “take-home test” for any New York chartered or licensed banking institution or regulated firm preparing for an NYDFS examination or conducting its own internal audit to strengthen its cybersecurity practices and incident response preparedness. Additionally, although the new examination procedures do not impose cybersecurity requirements on regulated entities per se, the NYDFS is essentially announcing the standards and practices it expects to be adopted in any compliant cybersecurity program. For now, the new cybersecurity examination procedures are limited to banks, but it is likely that the NYDFS will extend these same types of procedures to the other financial services firms it regulates, such as insurance companies and investment companies.

CFTC’s Increased Focus on Cybersecurity

On December 10, 2014, CFTC Chairman Timothy Massad testified before a Senate Agriculture Committee hearing that cybersecurity is “perhaps the single most important new risk to financial stability.” As a result, cybersecurity will become an increasingly important aspect of the CFTC’s oversight for futures and swaps markets.

Chairman Massad testified that the CFTC requires clearinghouses, swap execution facilities, designated contract markets and other market infrastructures to implement system safeguards, which must include four elements: (1) a program of risk analysis and oversight to identify and minimize sources of cyber and operational risks; (2) automated systems that are reliable, secure and scalable; (3) emergency procedures, backup facilities and a business continuity/disaster recovery plan; and (4) regular, objective, independent testing to verify that the system safeguards are sufficient. Each CFTC-regulated entity must also have a risk management program that addresses seven key elements, including information security, systems development, quality assurance and governance. Furthermore, these entities must notify the CFTC promptly of cybersecurity incidents.

Although the CFTC does not conduct independent testing of its cybersecurity requirements, it reviews evidence provided for satisfaction of the requirements. Chairman Massad testified that the CFTC’s upcoming examinations will focus on the following areas:

  • Governance—Are the board of directors and top management devoting sufficient attention to cybersecurity?

  • Resources—Are sufficient resources and capabilities being devoted to monitor and control cyber-related risks across all levels of the organization?

  • Policies and Procedures—Are adequate plans and policies in place to address information security, physical security, system operations and other critical areas? Is the regulated entity actually following its plans and policies, and considering how plans and policies may need to be amended from time to time in light of technological, market or other security developments?

  • Vigilance and Responsiveness to Identified Weaknesses and Problems—If a weakness or deficiency is identified, does the regulated entity take prompt and thorough action to address it? Does it not only fix the immediate problem, but also examine the root causes of the deficiency?4

CSBS Guidance for Financial Services Officers and Directors

On December 17, 2014, the CSBS issued “Cybersecurity 101: A Resource Guide for Bank Executives” (the “CSBS Resource Guide”), which is designed to aid chief executive officers, senior executives and board members in their understanding, oversight and implementation of effective cybersecurity programs. The CSBS Resource Guide is organized according to the five core cybersecurity functions of the Commerce Department’s National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity: (1) identify internal and external cybersecurity risks; (2) protect organizational systems, assets and data; (3) detect systems intrusions, data breaches and unauthorized access; (4) respond to a potential cybersecurity event; and (5) recover from a cybersecurity event by restoring normal operations and services. For each of these core functions, the CSBS Resource Guide provides questions that chief executive officers should ask, as well as training guidance and a model checklist to follow in the event of a data breach.

Takeaways

In light of these developments, banks and other financial institutions should consider undertaking the following steps and customizing them to their specific circumstances and risks:

1. Conducting Periodic Cybersecurity Risk Assessments

  • Identify potential cybersecurity threats (including physical security threats) to security, confidentiality and integrity of personal and other sensitive information (both customer and internal) and related systems;

  • Evaluate effectiveness of current controls in light of identified risks;

  • Prioritize resources, assets and systems corresponding to the nature and level of threats and vulnerabilities, and revise procedures and controls, as necessary and appropriate, to address and mitigate areas of risk; and

  • Determine whether existing insurance policies will cover the threats identified in the risk assessment, and determine whether separate cyber coverage is needed.

2. Evaluating Potential Third-Party Vendor Risks

  • Review due diligence procedures for selecting vendors and procedures for approval/monitoring of vendor access to networks, customer data or other sensitive information;

  • Obtain copies of vendors’ written information security plans or certifications of compliance with applicable standards; and

  • Determine whether contracts with vendors include appropriate security measures, including incident response notification procedures and cyber insurance coverage.

3. Developing and Periodically Testing a Comprehensive Incident Response Plan

  • Implement a comprehensive, written incident response plan to respond proactively to actual or suspected cybersecurity events; and

  • Conduct periodic “table top” exercises of mock cybersecurity events with IT, legal, compliance, human resources and other business stakeholders.

ARTICLE BY

John C. Cleary
Bruce A. Radke
OF
Vedder Price

1 See http://www.dfs.ny.gov/about/press2014/pr1405061.htm
2 See http://www.americanbanker.com/news/bank-technology/new-york-cybersecurity-exams-will-be-tougher-than-ffiecs-1071603-1.html
3 The NYDFS’s new cybersecurity questions and topics are similar to the comprehensive cybersecurity questionnaire attached to the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations’ (“OCIE”) Risk Alert, issued on April 15, 2014, as part of the OCIE’s cybersecurity examinations of registered investment advisors and broker-dealers. Click here.
4 The NYDFS and the CFTC are certainly not the only banking and financial services regulators that have intensified their focus on cybersecurity. Indeed, during her December 10, 2014 testimony before the U.S. Senate Committee on Banking, Housing and Urban Affairs, Valerie Abend, chair of the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity and Critical Infrastructure Working Group, said the FFIEC’s interagency cybersecurity guidelines “require banks to develop and implement formal information security programs that are tailored to a bank’s assessment of the risks it faces, including internal and external threats to customer information and any method used to access, collect, store, use, transmit, protect, or dispose of the information.”

New G-7 Sanctions Against Russia

McDermottLogo_2c_rgb

The United States, in coordination with other G-7 nations, announced on Monday, April 28new sanctions on individuals and entities with ties to the Russian government and President Putin.  The newly announced sanctions build on earlier rounds of U.S. sanctions imposed on March 6, March 17, March 20 and April 11.  The United States also tightened license restrictions for high technology exports to Russia.  In addition to the new U.S. sanctions, the European Union, Canada and Japan also announced new sanctions against Russian individuals and entities.

Reasons cited for the new sanctions were Russia’s failure to abide by commitments it made to de-escalate the crisis during an April 17 meeting in Geneva among Russia, Ukraine, the United States and the European Union (also known as the Geneva accord) and continued Russian-supported efforts to destabilize Eastern Ukraine.  According to an April 25 statement by the G-7 leaders, Russia has failed to take actions required by the Geneva accord and has continued to escalate tensions through its “increasingly concerning rhetoric” and “ongoing threatening military maneuvers on Ukraine’s border.”

New U.S. Sanctions and Export Restrictions

The new U.S. sanctions issued by the Office of Foreign Assets Control of the U.S. Department of the Treasury, target seven individuals and 17 entities, including banks, construction companies and transportation companies, with connections to the Russian government.  These sanctions, like those previously announced, freeze the assets subject to U.S. jurisdiction of all sanctioned individuals and bar those individuals from obtaining visas to enter the United States.  The sanctions also prohibit U.S. persons, including U.S. companies and their overseas branches and divisions, from transacting business with any sanctioned individuals or entities.

In addition, the Bureau of Industry and Security of the U.S. Department of Commerce announced that it added 13 of the newly sanctioned entities to its Entity List (comprised of parties that are prohibited from receiving some or all items subject to the U.S. Export Administration Regulations without a license), and that it will immediately begin denying pending applications for licenses to export or re-export “high technology” items to Russia or Crimea that may enhance Russia’s military capabilities.  Concurrently, the Directorate of Defense Trade Controls of the U.S. Department of State announced that it is placing a hold on all licenses for exports of defense articles and defense services to Russia.

New EU Sanctions

In coordination with the new U.S. sanctions, the new EU sanctions add 15 individuals with ties to the Russian government to the European Union’s existing list of sanctioned individuals.

Other New G-7 Sanctions

The two remaining G-7 member states also imposed new sanctions on Russian individuals this week:  Canada announced sanctions against two Russian banks and nine individuals, and Japan announced visa bans on 23 as-yet-unnamed individuals.

Companies with interests in Russia or Ukraine or doing business with Russian enterprises are advised to ensure appropriate measures are in place to comply with the sanctions, including careful screening of all parties to transactions.

Article By:

Jay L. Eizenstat
Andrea L. Hamilton
David J. Levine
Raymond Paretzky
David Henry
Of:
McDermott Will & Emery