Katherine Mooney Carroll’s practice focuses on advising U.S. and international financial institutions on U.S. regulatory matters, including recent reforms pursuant to the Dodd-Frank Act, regulatory aspects of bank M&A, cybersecurity and privacy matters, and compliance with U.S. sanctions and anti-money laundering laws.

On January 4, 2020, the Office of the Comptroller of the Currency (“OCC”) published an interpretive letter (the “Letter”) clarifying that national banks and federal savings associations (“banks”) may engage in and facilitate payment activities through new technological means, including serving as a node in a distributed ledger system such as those utilized by some stablecoins, facilitating customer conversion of fiat currency to or from digital currencies, and issuing stablecoins.

The Letter reasons that payment services are a core banking function, and that independent node verification networks (“INVNs”) and stablecoins are merely new means of effecting pre-existing permissible bank activities.

The Letter follows other recent actions by former Acting Comptroller of the Currency Brian Brooks to clarify the authority of national banks to engage in certain digital asset activities, including the issuance of two other interpretive letters last year clarifying permissible cryptocurrency-related activities for banks (custodying digital assets and holding certain stablecoin reserves).  The Acting Comptroller, whose resignation became effective today, also spearheaded an initiative to grant national bank and national trust bank charters to fintech companies.

The Letter notes that banks “should consult with OCC supervisors, as appropriate, prior to engaging in these activities.”  This guidance, OCC precedents in expanding permissible bank activities, and the controversy surrounding recent crypto-related charter applications may lead to a deliberative approach by the OCC to banks expanding into these activities.

On August 21, the Financial Crimes Enforcement Network, together with the federal banking agencies, released a statement to clarify banks’ customer due diligence obligations for politically exposed persons. The Statement affirms that (i) there is no regulatory requirement, and no supervisory expectation, for banks’ Bank Secrecy Act / anti-money laundering programs to include “unique, additional

In a landmark enforcement action related to a bank data breach, the Office of the Comptroller of the Currency (“OCC”) assessed an $80 million civil monetary penalty and entered into a cease and desist order with the bank subsidiaries of Capital One on August 6, 2020.  The actions follow a 2019 cyber-attack against Capital One.  The Federal Reserve Board also entered into a cease and desist order with the banks’ parent holding company.  The OCC actions represent the first imposition of a significant penalty against a bank in connection with a data breach or an alleged failure to comply with the OCC’s guidelines relating to information security.

On July 22, 2020, the Office of the Comptroller of the Currency (“OCC”) published an interpretive letter clarifying that providing cryptocurrency custody services to customers is a permissible activity for national banks and federal savings associations.  This letter marks an important milestone in the expansion of permissible banking activities related to digital assets.

On June 25, 2020, a federal district court in the Eastern District of Virginia held that a bank must produce in discovery a report generated by its cybersecurity forensic investigator following a 2019 data breach involving unauthorized access to personal information of customers and individuals who had applied for accounts.[1]  Even though the report was produced at the direction of outside counsel, the court rejected arguments that the forensic report is protected from disclosure by the work product doctrine.  Instead, the court determined that the report was not produced primarily in anticipation of litigation based on several factors, including the similarity of the report to past business-related work product by the investigator and the bank’s subsequent use and dissemination of the report.  This decision raises questions about the scope of work product protection for forensic expert and other similar reports in the context of an internal investigation.

On September 18, 2019, the Securities and Exchange Commission (“SEC”) filed its first civil suit alleging violations of broker-dealer registration requirements in U.S. digital asset markets.  In a case filed in the U.S. District Court for the Central District of California, the SEC alleged that Defendants ICOBox and its founder, Nikolay Evdokimov, illegally conducted an unregistered public securities offering for their 2017 initial coin offering (“ICO”), and have operated an unregistered brokerage service facilitating the launch of ICOs in digital asset securities since 2017.

On January 22, the Financial Industry Regulatory Authority (“FINRA”)[1] released its 2019 Risk Monitoring and Examination Priorities Letter (the “Letter”).  The Letter highlights material new priorities for FINRA examinations in the coming year, as well as priorities in areas of ongoing concern.  The topics highlighted in this year’s Letter reflect FINRA’s increasing focus on its members’ interaction with, and adoption of, innovative financial technologies, as well as its implicit acknowledgement of the ability of such innovations to assist in regulatory compliance.  The new priorities highlighted in the Letter include several related to FinTech, including online distribution platforms, use of regulatory technology (or “RegTech”), and supervision of digital asset businesses.  In priority areas of ongoing concern, the Letter confirmed that FINRA will continue to focus on reviewing the adequacy of firms’ cybersecurity programs.  Below we detail FINRA’s discussion of these priorities and analyze them in the context of other recent guidance and enforcement actions.