On September 15, 2020, the U.S. Department of the Treasury published a final rule modifying the types of foreign investments that would trigger a mandatory filing before the Committee on Foreign Investment in the United States (CFIUS). The final rule largely tracks a proposed rule published by CFIUS on May 21, 2020. The final rule will come into effect on October 15, 2020, and will apply only to transactions that take place on or after that date. It is not retroactive.
Posting revised August 13, 2020
On July 2, 2020, Sidley partner Alan Raul, founder and co-head of Sidley’s Privacy and Cybersecurity practice, hosted Adam Klein, Chairman of the Privacy and Civil Liberties Oversight Board (“PCLOB” or “the Board”), for a Monitor-Side Chat.
The discussion focused largely on the Commission’s work since Mr. Klein became Chairman in October, 2018. Key topics of the chat included:
- Mission, Operation and Access of PCLOB
- Balancing Counter-Terrorism and Privacy
- Comparison of U.S. and Foreign Checks and Balances
- FISA Reform
- Emerging Technologies
In a decision with significant implications for international trade and cross-border data flows, the EU’s highest court – the Court of Justice of the European Union (“CJEU”) ruled on 16 July 2020 that a key legal mechanism (called the EU-US Privacy Shield program) used to enable transfers of personal data from the European Union (“EU”) was invalid, while also potentially requiring additional protections to be implemented when another key transfer mechanism (called Standard Contractual Clauses) is used. The case – Data Protection Commissioner v. Facebook Ireland, Max Schrems (“Schrems II”) – considered the validity of the EU-US Privacy Shield (“Privacy Shield”) program (a privacy certification made available for US organizations through an agreement between the European Commission and the US government) and Standard Contractual Clauses (“SCC”) (a form of international data transfer agreement made available for use by the European Commission).
On May 18, 2020, the Financial Crimes Enforcement Network (FinCEN), as part of its COVID-19-related response, issued a Notice Related to the Coronavirus Disease 2019 (COVID-19) reminding financial institutions of certain Bank Secrecy Act (BSA) obligations and pertinent information regarding reporting COVID-19-related criminal and suspicious activity (the Notice). Contemporaneously, FinCEN issued an Advisory on Medical Scams Related to the Coronavirus Disease 2019 (COVID-19) (the Advisory).
In light of the Notice and Advisory, firms should (a) continue to comply with their BSA obligations; (b) include COVID-19 detail only when that detail relates to the reported suspicious activity; (c) review policies and procedures to notify and to provide COVID-19 information to government agencies, including verification of the requesting agency; (d) review the Advisory red flags related to medical scams; and (e) consider revising policies and procedures as appropriate.
COVID-19-related frauds are a special emphasis for law enforcement and regulatory agencies, so failing to detect and report those issues could be viewed as a significant flaw in a firm’s anti-money laundering (AML) program.
The U.S. Departments of State, the Treasury and Homeland Security and the Federal Bureau of Investigation issued a joint advisory (the Advisory) on April 15, 2020, discussing the threat to the international community posed by cyberattacks linked to the Democratic People’s Republic of Korea (North Korea), in particular highlighting concerns for the financial services sector. North Korea has been subjected to comprehensive international sanctions implemented to pressure its government to denuclearize. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has implemented additional unilateral sanctions in response to other North Korean activities, including cyberattacks, human rights violations and money laundering. In addition to broad prohibitions on trade with North Korea, U.S. sanctions bar domestic financial institutions from conducting or facilitating any significant transaction in connection with trade with North Korea or on behalf of any person whose property has been blocked under executive orders imposing sanctions on North Korea. Foreign financial institutions risk secondary sanctions for engaging in the same. (more…)
On January 31, 2020, the Department of Defense released its latest version of the Cybersecurity Maturity Model Certification (“CMMC”) for defense contractors. Under the CMMC plan, DOD contractors will be required to obtain a cybersecurity rating from Level 1 through Level 5. Self-certification will not be permitted. Given the significant investment of industry resources the CMMC may require, the DOD eased some concerns by announcing that it would roll out the CMMC program out in stages. A new Defense federal Acquisition Regulation Supplement (“DFARS”) clause is expected in the spring of 2020, and CMMC requirements are anticipated to be included in certain limited Requests for Information released starting June 2020. Ultimately, all DOD contracts will include a minimum cybersecurity requirement by 2026. (more…)
On January 13, 2020, the U.S. Department of the Treasury (Treasury) issued final and interim regulations implementing the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), which expands the jurisdiction of the Committee on Foreign Investment in the United States (CFIUS) to review foreign investments and mitigate any potential national security concerns. While the final regulations largely track the proposed regulations issued on September 17, 2019, Treasury has made refinements and added several clarifying examples. See Sidley’s previous Update on the proposed regulations.
Following the structure of the proposed regulations, the final regulations were issued in two parts: one part covers investments in real estate, available here, while the other covers certain other investments in U.S. businesses, available here. Treasury simultaneously released a number of frequently asked questions on the proposed regulations, available here, and a fact sheet, available here.
The final CFIUS regulations will go into effect on February 13, 2020.
On June 20, 2019, the Federal Energy Regulatory Commission (“FERC”) approved a North American Electric Reliability Corp. (“NERC”) petition to adopt Reliability Standard CIP-008-6 to strengthen the reporting requirements for attempts to compromise the operation of the United States’ bulk electric system. The prior Critical Infrastructure Protection (“CIP”) Reliability Standards only required reporting where an incident compromised or disrupted one or more reliability tasks. The new standard applies to all registered entities subject to the CIP Reliability Standards.
On May 15, 2019, President Donald Trump signed an executive order (EO) declaring a “national emergency” related to certain threats against information and communications technology and services (ICTS) in the United States and authorizing the Department of Commerce to block transactions that involve ICTS with a “foreign adversary.” The EO provides for the possibility of a licensing regime that could allow transactions that would otherwise be blocked. The EO is available here.
The EO itself does not mention any particular countries or companies that would be subject to its prohibitions. However, the EO is widely reported to be aimed at China. Indeed, tensions between the United States and China have intensified over the past week, after negotiations between the two governments to resolve their trade dispute stalled.
On January 25, 2019, the North American Electric Reliability Corporation (“NERC”) asked the Federal Energy Regulatory Commission (“FERC”) to approve a settlement issuing a record $10 million fine against an unidentified utility resulting from violations of critical infrastructure protection standards (“CIP”) occurring mostly between 2015 and 2018 (referred to hereafter as the “Settlement Agreement”). Although none of the violations resulted in any reported outages, NERC concluded that the cumulative effect of the violations posed a serious risk to the reliability of the bulk U.S. power grid because “many of the violations involved long durations, multiple instances of noncompliance, and repeated failures to implement physical and cyber security protections.” Settlement Agreement at 12.