Sasha Leonhardt


Washington, D.C.

Sasha Leonhardt represents financial services industry clients in a wide range of enforcement, litigation and regulatory matters. He has assisted clients in resolving government investigations and enforcement actions before several federal and state agencies, including the United States Department of Justice (DOJ), the Consumer Financial Protection Bureau (CFPB), the Office of the Comptroller of the Currency (OCC) , the Federal Deposit Insurance Corporation (FDIC), and state financial regulators and attorneys general.

Sasha also has substantial experience advising clients on the Servicemembers Civil Relief Act (SCRA), Military Lending Act (MLA), Consumer Financial Protection Act (CFPA), Truth in Lending Act (TILA), Real Estate Settlement Procedures Act (RESPA), Equal Credit Opportunity Act (ECOA), Fair Housing Act (FHA), and Fair Debt Collection Practices Act (FDCPA). He advises companies, non-profits and industry associations with consumer privacy issues arising from the Gramm-Leach-Bliley Act (GLBA) and Regulation P, the Fair Credit Reporting Act (FCRA) and its Affiliate Marketing Rule and state and federal laws that address data privacy and information security.

In addition to representing clients, Sasha has published numerous articles on various aspects of consumer financial services law and practice, including data privacy, class action litigation, white collar litigation, whistleblower lawsuits and recent trends in regulation and enforcement. He also maintains an active pro bono practice and serves as a member of the Legal Counsel for the Elderly’s Young Lawyers Alliance. A frequent speaker on a variety of legal topics, Sasha has taught at Duke University School of Law and American University Washington College of Law, and was previously a Professorial Lecturer in Law at the George Washington University Law School.

Prior to joining Orrick, Sasha was a partner at Buckley LLP. He also previously served as Deputy Press Secretary to Maryland Governor Martin O’Malley. He is accredited as a Privacy Law Specialist, a Fellow of Information Privacy, a Certified Information Privacy Manager (CIPM/US), and a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals.

  • Representative financial services and fintech engagements include:

    • Representing a major marketplace lending platform in an FTC investigation alleging UDAP violations that was closed without further action.
    • Representing multiple clients—including mortgage servicers, captive and bank auto loan servicers, and student loan servicers—in various SCRA enforcement matters initiated by the Department of Justice, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Company.
    • Separately representing a mortgage loan servicer and a credit union in SCRA foreclosure investigations by the DOJ, with each investigation ending without public action.
    • Representing a captive auto lessor in the first-ever public enforcement action arising under the SCRA’s early lease termination provisions.
    • Representing a housing manufacturer and mortgage lender in a multi-year CFPB and state attorneys general investigation related to potential violations of ECOA, FHA, TILA, and UDAAP.
    • Representing financial institutions in multiple enforcement actions under RESPA/Regulation X.
    • Representing banks and credit unions in regulatory and enforcement matters related to rate exportation and preemption under the National Bank Act, the Federal Deposit Insurance Act, and the Federal Credit Union Act.
    • Assisting fintech startups in the development and operation of unsecured loan products, secured loan products, credit cards, and deposit accounts.
    • Advising multiple private student lenders regarding state and federal requirements related to student loan origination and servicing.
    • Guiding multiple national banks through detailed internal process and compliance reviews related to loan origination, loan servicing, debt collection/FDCPA, and UDAAP.
    • Preparing credit card agreements, federal and state disclosures, and reward program terms for bank and non-bank credit card issuers.
    • Preparing amicus briefs on behalf of trade industry groups before the Supreme Court and federal circuit courts.

    Representative privacy and data security engagements include:

    • Advising financial institutions on the data use and sharing limitations arising from the acquisition and integration of fintech platforms.
    • Evaluating and negotiating data protection agreements under the CCPA/CPRA, GDPR, and various state privacy laws.
    • Providing guidance to banks, non-banks, and fintechs regarding the scope of the FCRA.
    • Assisting a cryptocurrency service provider regarding the retention and reuse of data obtained under the GLBA.
    • Advising a security company in negotiating third-party agreements in compliance with state, federal, and international privacy laws.
    • Advising various financial institutions in preparing data protection agreements with service providers.
    • Representing clients in responding to data breach incidents.
    • Preparing consumer-facing privacy policies for fintech and non-fintech clients operating throughout the United States.
    • Performing privacy and data security due diligence for a variety of clients as part of mergers, acquisitions, asset purchases, and third party vendor engagements.