Episode Transcript
[00:00:00] Speaker A: Hi, everyone. Today we'll discuss some of the risks and realities of the swiftly changing environment around emerging tech and federal versus state regulatory enforcement. I'm your host, Bill Coffin, and this is the Ethicast.
The ethics and compliance landscape looks quite a bit different now than it did just a year ago. Between the rapid implementation of AI, dramatic administrative change in Washington, regulatory uncertainty, and more, the result has been no small amount of consternation and commentary over what the future might hold. And perhaps more importantly, there are trends and risks, especially around emerging technologies that aren't AI and regulatory enforcement realities that are no less important now than they were a few months ago.
For ethics and compliance leaders looking to strategically future proof their program, understanding these nuances might make the difference between program maturity and program stagnation.
Joining us today to offer her insights is Jaime Marlier, a partner in Morrison Forster's investigations and White Collar defense group. Jaime also chairs MoFo's fintech practice. Drawing on her experience as a former securities and Exchange Commission Senior Trial Counsel, Jaime represents public and private companies, financial services providers and executives, directors and other individuals, including in matters involving the sec, the Commodity Futures Trading Commission, the Financial Industry Regulatory Authority, state securities regulators, internal investigations, as well as in related litigation. Jaime, thank you so much for joining us today.
[00:01:36] Speaker B: Great to be here.
[00:01:37] Speaker A: Bill, with so much attention being paid to the impact of AI on the ethics and compliance space, could you talk about some of the big issues that you see impacting compliance that deal with other emerging technologies that, that aren't AI?
[00:01:52] Speaker B: Yeah, it's a great question. I think that your intro made a really important point, which is what does this compliance landscape look like in light of two things, in light of these technologies that are developing and being deployed very rapidly and also in light of a changed political climate in Washington, I would say from a compliance perspective, and I'm coming at this from a securities enforcement background, I believe that very little has changed. I believe the same compliance frameworks need to be in place for a number of reasons, which I'm sure we'll get to today.
Much has been made of AI. There are other emerging technologies and I would say emerging technology issues that we need to be mindful of.
An emerging technology issue that is omnipresent that we have been looking at for a long time are cybersecurity threats.
For example, the SEC has finalized rules on public company as well as SEC registered firms. So these are your broker, dealers and registered investment advisors and others. They have finalized rules on what disclosures must be made regarding cybersecurity threats. Threats. So that's an interesting technology area because these are not necessary necessarily technologies that are deployed by an organization. These are external technical threats that victimize organizations. Yet nevertheless they need strong compliance frameworks in place to deal to deal with that. Other technologies that can be deployed outside the AI space are. A lot of organizations, for example, use third party vendors to deploy technology to enable them to provide services efficiently to their customers, clients, whatever their frameworks are.
So part of the compliance infrastructure also needs to be understanding, hey, what kind of emerging technologies are our third party service providers using?
How do they affect how we store our customers data, our employees data, and what information do we need, do we need from them? Finally, a lot of companies are, especially for digital asset companies, often their work in some way touches blockchains, Web three or other parts of the digital asset space. And despite what feels like a change in Washington towards the crypto industry, I believe that the compliance frameworks that are necessary are still the same as they would have been a year ago.
[00:04:37] Speaker A: We've seen a great deal of interest around changes in federal regulatory enforcement, especially on things like the Foreign Corrupt Practices Act. But as we all know, the Feds are not the only regulators to be concerned about. So can you talk about what you're seeing around individual states stepping up to fill the perceived enforcement gaps left by federal agencies?
[00:04:56] Speaker B: Yeah, it's a great question. So, so just for anyone who may not know, Bill, what Bill's referring to is an executive order that came out in February and President Trump said that there would be an 180 day pause in FCPA enforcement.
What's unclear to us is what that I will note before I get to your question on states. What's unclear to us, I think as of yesterday, hopefully things have not changed in the past few hours. Today, before we recorded this, is that the SEC's FCPA website remains active and it still states it's a high priority area for the agency. So there's a little bit, there are questions over the scope of the order and what it means.
That's a good segue to states.
So all states, if from a securities perspective, have these things called blue sky laws. And many people listening to this may remember something about that from law school. What the blue sky laws are the state security laws. They are laws that, that are designed to protect investors on a state, on investors and consumers on a state level. All 50 states have them. So what we have seen since the inauguration in January is a noticeable uptick in securities enforcement and securities inquiries by very active and well, resourced sort of so called blue states.
So these would be states like New York, New Jersey, California, Massachusetts, Illinois.
These states have, from a securities perspective, two parts that many listeners need to be aware of.
Their AG's offices can enforce the state securities clause. Often they also have a separate securities and or financial regulator. In Massachusetts, the Massachusetts securities Division is a very active regulator. In the state of New York, the New York DFS is a very active financial regulator.
Many of these state securities laws will look like very familiar. They'll look like you're looking at the securities act, for example. Many states require securities to be registered or to qualify for an exemption from registration. Many state securities laws have anti fraud provisions, et cetera.
Some of these states, under some of these states, for example, in New York's Martin act is a good example.
New York does not need to prove intent or even negligence for a Martin act violation.
So you may even be facing a lower burden of proof than if the federal government, certainly the doj, which has to prove in criminal cases, criminal securities cases, beyond a reasonable doubt, this is a much lower burden of proof for these state regulators.
So that brings me back to, you know, your opening question. In my remarks. I think that a strong culture of compliance and strong compliance frameworks that are tailored to, to an organization's risks and that are revisited periodically to ensure that they, they still fit that risk profile are really, really important.
[00:08:39] Speaker A: There is this notion that given what we're seeing in Washington these days, that the DOJ and the SEC will simply cease to matter when it comes to certain enforcement matters. Now, can you speak to the reality of that notion and perhaps lend some insight on how the risk of private litigation might be getting overlooked?
[00:08:57] Speaker B: Sure. So I think that what the SEC will, starting with the sec, I think what the SEC will focus on will look different. But I think the SEC remains there. If you go and look at the SEC's litigation releases, since the inauguration, they have brought a number of cases involving fraud on retail investors. These are offering frauds, Ponzi schemes. Also these are alleged frauds by SEC registered firms like especially in the investment advisor space. So these are failures to disclose conflicts of interest, failures to disclose fees.
We've long known that we need compliance frameworks around those areas when we are, you know, talking about a registered investment, registered investment advisor.
Similarly, the SEC created a new enforcement unit in, in February. It's called the Cyber and Emerging Technologies Unit. If you just Google that, the first hit is the SEC's press release. It's very short and I would encourage everyone to Read it. If you're interested in this space, you can see there that they. I'm looking at it now. They've outlined seven areas of fraud that this 30 member unit will be focused on investigating in the emerging technology space to protect retail investors. So these include things like artificial intelligence and machine learning, the use of social media to perpetrate fraud, hacking to obtain material, non public information takeovers of retail brokerage accounts, fraud involving blockchain and digital assets. And then as I mentioned, the last two areas are cybersecurity related.
One is these registered entities compliance with cybersecurity rules and regulations, including customer notification requirements and policy and procedure requirements. And finally public companies. If you're working for a public company, as you well know, there are final rules related to public company disclosure of cybersecurity.
What I think will look different from the SEC is the SEC under the previous administration pursued a great number of what we think of as controls cases.
The underlying conduct that the SEC was concerned about is not something we would normally associate with a security.
Perhaps it was a not material cybersecurity incident, perhaps it was a human resources issue. It got a little bit, a little bit far afield from the securities laws. But what the SEC was looking at, they were bringing these controls violation and the allegation was you have inadequate disclosure controls and procedures. Put in plain English, your policies and procedures internally are insufficient to permit information flow from people that have it about the HR issue or about the cybersecurity issue to permit that information to flow up to leadership, the legal department and others that make materiality determinations.
It's hard to get be in the prediction business, but I don't think we're going to see those types of cases in the future. The other type of case that I think that the SEC has already pulled back from is in the digital asset space. It looks like they are going to remain focused on fraud with respect to blockchain technology, but they're working on coming up with a regulatory framework. So some of these registration cases I think will go away.
DOJ is an interesting one.
I can fully expect the DOJ to continue to prosecute fraud. I'd also remind everyone that the DOJ has the wire fraud statute which really loops in a very broad chunk of conduct and it's broader than the tool the SEC has. Right. The SEC needs something to be a security or the organization to be an SEC registrant at the end of the day. Or there's in limited cases there can be some private company violation of SEC rules like whistleblower protections. The DOJ can look at any transmission of money or any other assets under the wire fraud statute.
Finally, I think that if nothing else I've said has convinced you that compliance remains really important.
Think about private litigation.
So if the SEC is pulling back and they want, you know, let's, let's hypothetically that, hypothetically they want a less regulated environment and we're going to see less SEC enforcement.
All the same statutes and cases all the way from the Supreme Court cases to many of our notable courts of appeal cases remain on the books. And plaintiffs attorneys, those who represent shareholders as well as, you know, consumers, customers, users, clients, can leverage that existing law and bring claims against organizations. So again, those strong compliance frameworks are very important because that can serve as anything from a defense to a claim that's brought in a litigation. It can enable you to say, well, this was a bad actor. This is not an organization wide problem. Because look at our compliance program all the way to like simple things like I've litigated a lot of cases. Clients with really strong cultures of compliance have a much easier time in litigation. They know where their people are, they know where their documents and communications are.
And their compliance professionals are well respected and have a safe seat at the table in these discussions. And often they have warned about these risks before and prepared for them.
[00:14:53] Speaker A: Well, Jaime, we appreciate your insights and expertise on these matters. Thank you so much for joining us today.
[00:14:58] Speaker B: Thank you. It's been great to be here.
[00:15:01] Speaker A: For more thought leadership from Jaime, please visit her profile on mofo.com where you'll find her in a wide range of insightful client alerts, news items, articles, podcasts and more.
To appear as a guest on the Ethicast, drop us a line at ethisphere.com ethicast to share a best practice, ENC success story or proof point around how business integrity builds value. Thanks for joining us. We hope you've enjoyed the show. For new episodes each week, be sure to subscribe on YouTube, Apple, podcasts and Spotify. And until next time, remember, strong ethics is good business.
[00:15:40] Speaker B: It.
