yannellap@ballardspahr.com | 215.864.8180 | view full bio

As Practice Leader of Ballard Spahr's Privacy and Data Security Group, and Practice Leader of the firm's E-Discovery and Data Management Group, Philip N. Yannella provides clients with 360-degree advice on the transfer, storage, and use of digital information.

Phil regularly advises clients on the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), EU-US Privacy Shield, General Data Protection Regulation (GDPR), Defense of Trade Secrets Act, PCI-DSS, Telephone Consumer Protection Act (TCPA), New York Department of Financial Services Cybersecurity Regulations, ISO 27001 compliance, HIPAA Security Rules, and FTC enforcement activity, as well as eDiscovery issues—leveraging his experience serving as National Discovery Counsel for more than two dozen companies in nationwide litigation. He harnesses his deep knowledge of privacy, data security, and information governance laws to help multinational companies develop global information governance programs to comply with overlapping, and sometimes conflicting, laws. Phil serves on the advisory board for the ACC Foundation's Cybersecurity Survey, the largest survey of in-house counsel on cybersecurity issues.

Farewell to 2022, and welcome 2023.  As we do every year, let’s look back.

We highlight 12 of our most-read blog posts from 2022, which address many of the key issues we’ve examined during the past year: the Corporate Transparency Act (“CTA”) and beneficial ownership reporting; sanctions — particularly sanctions involving Russia; cryptocurrency and digital

A Deep Dive Into FinCEN’s Latest Proposals Under the CTA

On December 16, the Financial Crimes Enforcement Network (“FinCEN”) issued a 54-page notice of proposed rulemaking (“NPRM”) regarding access by authorized recipients to beneficial ownership information (“BOI”) that will be reported to FinCEN under the Corporate Transparency Act (“CTA”).  The CTA requires covered entities – including most domestic corporations and foreign entities registered to do business in the U.S. – to report BOI and company applicant information to a database created and run by FinCEN upon the entities’ creation or registration within the U.S.  This database will be accessible by U.S. and foreign law enforcement and regulators, and to U.S. financial institutions (“FIs”) seeking to comply with their own Customer Due Diligence (“CDD”) compliance obligations, which requires covered FIs to obtain BOI from many entity customers when they open up new accounts.

In regards to this NPRM, FinCEN’s declared goal is to ensure that

(1) only authorized recipients have access to BOI; (2) authorized recipients use that access only for purposes permitted by the CTA; and (3) authorized recipients only redisclose BOI in ways that balance protection of the security and confidentiality of the BOI with furtherance of the CTA’s objective of making BOI available to a range of users for purposes specified in the CTA.

Further, FinCEN has indicated that, “[c]oincident with the protocols described in this NPRM, FinCEN is working to develop a secure, non-public database in which to store BOI, using rigorous information security methods and controls typically used in the Federal government to protect non-classified yet sensitive information systems at the highest security levels.”

The comment period for the NPRM is 60 days.  The NPRM proposes an effective date of January 1, 2024, consistent with when the final BOI reporting rule at 31 C.F.R. § 1010.380 becomes effective.  The proposed BOI access regulations will be set forth separately at 31 C.F.R. § 1010.955, rather than existing 31 C.F.R. § 1010.950, which governs the disclosure of other Bank Secrecy Act (“BSA”) information.

This NPRM relates to the second of three sets of regulations which FinCEN ultimately will issue under the CTA.  As we have blogged (here and here), FinCEN already has issued regulations regarding the BOI reporting obligation itself.  FinCEN still must issue proposed regulations on “reconciling” the new BOI reporting regulations and the existing CDD regulations applicable to covered FIs for obtaining BOI from their own entity customers.

As we discuss, the lengthy NPRM suggests answers to some questions, but it of course also raises other questions.  Although domestic and even foreign government agencies will have generally broad access to the BOI database, assuming that they satisfy various requirements, the NPRM’s proposed access for FIs to the BOI database is relatively limited.

Continue Reading  Privacy, Cybersecurity and Access to Beneficial Ownership Information:  FinCEN Issues Notice of Proposed Regulations Under the Corporate Transparency Act

As anticipated, the Office of the Comptroller of the Currency, the Federal Reserve Board, and the FDIC recently approved and released the Final Rule Requiring Computer-Security Incident Notification (“Final Rule”).  The Final Rule is designed to promote early awareness and stop computer security incidents before they become systemic.  It places new reporting requirements on both

On December 18, 2020, the Office of the Comptroller of the Current (OCC), Federal Reserve Board (FRB), and Federal Deposit Insurance Corporation (FDIC) announced an interagency notice of proposed rulemaking that would require supervised banking organizations to provide notification of significant computer security incidents to their primary federal regulator.  Under the proposed rule, for incidents

October is National Cybersecurity Awareness Month, and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and Office of Foreign Assets Control (“OFAC”) kicked off the month by issuing two advisories that aim to increase cybersecurity awareness, assist financial institutions in detecting and reporting ransomware activity, and highlight potential sanctions risks for facilitating ransomware payments.

The FinCEN and OFAC advisories signal the seriousness with which the Department of Treasury treats the threat of cybercriminals and ransomware attacks. Both FinCEN and OFAC have now squarely placed an obligation on financial institutions and other payment intermediaries to put procedures in place to detect ransomware payments and to restrict payments to blocked individuals. It appears FinCEN and OFAC want to make sure cybercrime does not pay by cutting off cybercriminals’ access into the financial system.

While both FinCEN and OFAC have offered guidance to financial institutions formulating policies and procedures for deciding whether to process or report payment requests that may be connected to ransomware attacks, OFAC has also offered a warning: facilitating ransomware payments may lead to an enforcement action and civil penalties. Given the growing national security concerns associated with ransomware attacks, the advisories rightly encourage financial institutions and other payment intermediaries that facilitate ransomware payments to share information via Suspicious Activity Reports (“SARs”) and to fully cooperate with law enforcement during and after ransomware attacks.
Continue Reading  FinCEN and OFAC Advisories Aim to Increase Cybersecurity Awareness and Thwart Ransomware Attacks in the Financial Sector