Photo of Katherine Mooney Carroll

Katherine Mooney Carroll’s practice focuses on advising U.S. and international financial institutions on U.S. regulatory matters, including recent reforms pursuant to the Dodd-Frank Act, regulatory aspects of bank M&A, cybersecurity and privacy matters, and compliance with U.S. sanctions and anti-money laundering laws.

The final version of the California Consumer Privacy Act of 2018 is coming into view.

On October 10, California’s Attorney General released the long-anticipated draft regulations to implement the CCPA, and on October 12, the Governor signed into law five amendments to the CCPA passed during the 2019 legislative session.  (We previously discussed the CCPA 

On September 18, 2019, the Securities and Exchange Commission (“SEC”) filed its first civil suit alleging violations of broker-dealer registration requirements in U.S. digital asset markets.  In a case filed in the U.S. District Court for the Central District of California, the SEC alleged that Defendants ICOBox and its founder, Nikolay Evdokimov, illegally conducted an unregistered public securities offering for their 2017 initial coin offering (“ICO”), and have operated an unregistered brokerage service facilitating the launch of ICOs in digital asset securities since 2017.
Continue Reading

California’s 2019 legislative session has drawn to a close with passage of five amendments to the California Consumer Privacy Act (CCPA) during the final days of the session.  Assuming that the bills are timely signed by the Governor before the October 13 deadline, businesses will finally have the complete version of the statute that will

On January 24 2019, Canada’s Office of the Superintendent of Financial Institutions (“OSFI”) released an Advisory detailing new requirements for Canadian federally regulated financial institutions (“FRFIs”) to report cyber incidents within 72 hours.  FRFIs include banks, trust companies, loan companies, life insurance companies, property and casualty insurance companies, and fraternal benefit societies.

The new reporting requirements become effective on March 31, 2019.
Continue Reading

On January 22, the Financial Industry Regulatory Authority (“FINRA”)[1] released its 2019 Risk Monitoring and Examination Priorities Letter (the “Letter”).  The Letter highlights material new priorities for FINRA examinations in the coming year, as well as priorities in areas of ongoing concern.  The topics highlighted in this year’s Letter reflect FINRA’s increasing focus on its members’ interaction with, and adoption of, innovative financial technologies, as well as its implicit acknowledgement of the ability for such innovations to assist in regulatory compliance.  The new priorities highlighted in the Letter include several related to FinTech, including online distribution platforms, use of regulatory technology (or “RegTech”), and supervision of digital asset businesses.  In priority areas of ongoing concern, the Letter confirmed that FINRA will continue to focus on reviewing the adequacy of firms’ cybersecurity programs.  Below we detail FINRA’s discussion of these priorities and analyze them in the context of other recent guidance and enforcement actions.
Continue Reading

In 2018, data privacy and cyber breaches made headlines throughout the year.

Major companies continued to suffer data breaches, highlighting the risks and potential costs of cyber incidents across industries.  At the same time, a growing and overlapping thicket of data security and privacy regulations—within the U.S., European Union, Latin America, and elsewhere—continued to increase

On January 7, 2019 the National Futures Association (“NFA”) provided additional guidance on the required cybersecurity practices of certain NFA members by amending its Interpretive Notice entitled NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs (the “Interpretive Notice”).  The Interpretive Notice currently requires each NFA member futures commission merchant (“FCM”), commodity trading advisor, commodity pool operator, introducing broker (“IB”), retail foreign exchange dealer, swap dealer (“SD”) and major swap participant to implement a written information systems security program (“ISSP”) and enact other cybersecurity procedures sufficient to identify, address and respond to cybersecurity incidents.  The amendments to the Interpretive Notice are informed by NFA examinations of member ISSPs since the Interpretive Notice became effective in March 2016.  They are intended to clarify certain common questions posed by NFA members related to internal approvals of the ISSP and employee training.  The amendments additionally impose a new notification requirement for specified cybersecurity incidents.
Continue Reading

On December 20, 2018, the Financial Industry Regulatory Authority (“FINRA”) released a Report on Selected Cybersecurity Practices for broker-dealer firms.  This report reflects FINRA’s current perspective on the cybersecurity threat landscape based on observations from its examinations of securities firms.  Below we discuss the report’s key observations and contextualize these insights for members of the financial industry.
Continue Reading

On November 28, 2018, the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) identified for the first time digital currency addresses associated with sanctioned persons.  The newly sanctioned individuals, Iran-based Ali Khorashadizadeh and Mohammad Ghorbaniyan, were accused of converting digital currency payments into Iranian rial as part of a widespread ransomware scheme.  Since 2015, the ransomware scheme (known as “SamSam”) has infected the data networks of corporations, hospitals, universities, and government agencies.  According to OFAC’s announcement, the identified bitcoin addresses were used with over 40 digital currency exchangers to process more than 7,000 illicit transactions in bitcoins worth millions of U.S. dollars.
Continue Reading

On the heels of the European Union’s implementation of the General Data Protection Regulation (“GDPR”) and public outcry over the Cambridge Analytica scandal, on June 28, 2018, California enacted the most comprehensive data privacy law to date in the United States. The California Consumer Privacy Act of 2018 (the “CCPA”) was hastily passed by the