On March 4, 2020, the Securities and Exchange Commission (“SEC”) issued an order (the “Order”) providing conditional relief to reporting companies affected by the novel coronavirus disease, or COVID-19. In recognition of the potential disruptions to transportation and limitations on access to facilities, support staff and professional advisors caused by COVID-19, the Order provides reporting companies with an additional 45 days to file certain disclosure reports that would otherwise have been due between March 1 and April 30, 2020, subject to certain conditions.
Highlights of SEC Order
Relief Provided: Extension of Deadlines to File or Furnish Certain SEC Reports
The Order provides that any registrant (as defined in Rule 12b-2 of the Securities Exchange Act of 1934 (the “Exchange Act”)), and any person required to make any filings with respect to a registrant, may take an additional 45 days to file or furnish certain materials with the SEC that are otherwise due between March 1 and April 30, 2020.
Exchange Act reports due during this time period include: (i) Form 10-K filings for registrants with a calendar fiscal year, (ii) Form 20-F filings for foreign private issuers with a calendar fiscal year, (iii) Form 10-Q filings for registrants with a non-calendar fiscal year, (iv) definitive proxy statements if Part III of a registrant’s Form 10-K incorporates information from its proxy statement by reference, and (v) Current Reports on Form 8-K that become due during such time. The Order also applies to any Schedule 13G (or amendment thereto) that is due between March 1 and April 30, 2020, but notably excludes from relief requirements to file any Schedule 13D (or amendment thereto). Additionally, the Order does not apply to beneficial ownership reports required under Section 16 of the Exchange Act, such as Forms 3 and Forms 4.
The Order also provides relief relating to the obligations of a registrant or other person under Exchange Act Sections 14(a) and (c) and Regulations 14A and 14C to furnish soliciting materials to any security holder where the security holder has a mailing address located in an area where, as a result of COVID-19, the common carrier has suspended the delivery service customarily used and the registrant or other person has made a good faith effort to furnish the soliciting materials to the security holder as otherwise required by the applicable rules.
The press release announcing the Order adds that, for Form S-3 eligibility purposes, a registrant relying on the Order will be considered current and timely in its Exchange Act filing requirements if it was current and timely as of March 1, 2020 and files any report due during the relief period within 45 days of the filing deadline of such report. Similarly, for purposes of Form S-8 eligibility and the current public information requirements of Rule 144(c) of the Securities Act of 1933, a registrant relying on the Order will be considered compliant in its Exchange Act reporting requirements if it was compliant as of March 1, 2020 and files any report due during the relief period within 45 days of the filing deadline of such report. Additionally, registrants will be able to rely on Exchange Act Rule 12b-25 to obtain extensions for filing deadlines for reports that were previously delayed in reliance on the Order.
Conditions to Relief
Any registrant relying on the Order must furnish to the SEC a Form 8-K or Form 6-K, as applicable, by the original filing deadline of the subject report stating (i) that it is relying on the Order, (ii) a brief description of the reasons why it could not file such report on a timely basis, (iii) the estimated date by which the report is expected to be filed, and, (iv) if material, a risk factor explaining the impact of COVID-19 on its business. Additionally, if the reason that the subject report cannot be filed timely relates to the inability of any person, other than the registrant, to furnish any required opinion, report or certification (e.g., an auditor’s opinion on audited financial statements), the Form 8-K or Form 6-K must attach as an exhibit a statement signed by such person stating the specific reasons why such person is unable to furnish the required opinion, report, or certification in time. The registrant then must file the subject report no later than 45 days after the original filing deadline. The subject report, when filed, must disclose that the registrant is relying on the Order and state the reasons why the registrant could not file such report on a timely basis.
In the SEC’s press release announcing the Order, Chairman Clayton clarified that registrants providing forward-looking information in an effort to keep investors informed about trends or uncertainties regarding COVID-19 can avail themselves of the Exchange Act’s safe harbor for forward-looking statements.
Conclusion
The outbreak of COVID-19 is rapidly developing and has created much uncertainty in markets worldwide. The Order recognizes the fluidity of the situation by extending relief to registrants with operations in “affected areas” without adding any context as to where those areas are located. Just as the SEC has quickly acted to announce relief through the Order, it is possible that the Nasdaq Stock Market and New York Stock Market, as well as other self-regulatory agencies, may follow suit.
The SEC’s press release announcing the Order acknowledges the balancing act presented by the need to protect the health and safety of market participants while also serving investors’ need for timely information. Similarly, affected registrants should consider taking advantage of the Order’s relief to ensure accurate disclosure, even in the face of demanding investor expectations.
Everyone has biases. It’s true. Having a bias doesn’t make you a bad person, however, and not every bias is negative or hurtful. It’s not recognizing biases that can lead to bad decisions at work, in life, and in relationships.
My first reaction to this notion that we all have biases was, “Certainly not I!” After all, I grew up in a family where diversity and inclusion were part of our basic values. My father was head of the Anti-Defamation League (ADL), an organization whose mission is to secure justice and fair treatment for all people. I was an ADL board chair and helped train others to combat prejudice and discrimination. So how in the world could I have biases?
Although people have both explicit and implicit biases, the implicit ones are the most concerning because they are the ones we don’t recognize we have.
What Is Implicit Bias?
What exactly is an unconscious (or implicit) bias? The Kirwan Institute (for the study of race and ethnicity) at Ohio State University defines these biases as “the attitudes or stereotypes that affect our understanding, decisions and actions in an unconscious manner. These implicit biases we all hold do not necessarily align with our own declared beliefs.”
I began analyzing how biases affect so many aspects of our jobs and our lives when I began teaching advocacy skills as they pertain to jury selection a number of years ago. We identified many biases associated with stereotypes: teachers were too soft; engineers and scientists too rigid; older people too judgmental; younger people too immature. These were the conscious parts of our brains at work—i.e., explicit biases. I then began noticing that when I was teaching a law school class and referring to expert witnesses and judges, I would always use the pronoun “he”. This was in spite of being a judge and having testified as an expert witness myself. This is the implicit or unconscious bias at work.
As I was exploring biases in the legal profession, I began asking more questions of my colleagues and friends. I learned that gender bias was endemic in many professions, including:
female lawyers, including myself, mistaken for someone other than the lawyer in a case
female pilots mistaken for flight attendants
male nurses frequently mistaken for doctors, and female doctors mistaken for nurses
females in the construction industry generally not presumed to be contractors or general managers
The list goes on and on.
The issue of race and implicit bias has also been in the headlines recently, whether it is a group of African-American men asked to leave a Starbucks, or much worse, an African-American man shot under the assumption that he had a weapon. However, implicit bias isn’t just about race or gender. We see implicit bias in many places, about many characteristics—age, religion, weight, appearance, disabilities, accents, gender identity, sexuality, single parents, stay-at-home moms and dads, kids with pink hair, people with tattoos and piercings, people with certain bumper stickers on their cars—again, the list goes on and on.
Why Should We Care About Our Biases?
If we are litigators, these biases can impact how we pick juries, how we assemble our legal team, how we prepare our cases, how we deal with our clients and witnesses, and how we interact with our colleagues. As a judge, I work to ensure that the decisions I make, including credibility decisions, and the sentences I give out are based on appropriate facts, and not implicit biases of which I may not even be aware.
In a workplace environment, unconscious biases can affect hiring and promotion decisions, work assignments, and career tracks, and unfortunately can end up a part of harassment, hostile work environments, and discrimination lawsuits. These biases can also cause problems and damage relationships, as well as affect the reputations of businesses. In addition, these implicit biases have deadly consequences when they affect such individuals as police officers, who must assess situations quickly and make life-and-death decisions—decisions that may be the result of an implicit bias.
These biases can be incredibly painful for the victims of the biases. One of my dear friends who is a district court judge, formerly a public defender, shared a story with a group of lawyers. He told them how, as an African-American public defender in the courtroom, there were a number of occasions where judges and other lawyers and staff would ask him where his lawyer was, assuming that because he is an African-American, he must be the defendant in the case. The people who made those assumptions weren’t necessarily racist or prejudiced, but there was clearly an implicit bias at work. As he shared this story, tears streamed down his face. Another friend of mine who is Hispanic shared his experience in court 15 years ago and being asked by a judge whether he spoke English (simply because of his last name). Regardless of the intent behind these questions, the pain was palpable for both of these individuals.
Is It Possible to Overcome Our Implicit Biases?
How do we recognize and interrupt our own biases? First, we must be willing to admit we have biases. The more we convince ourselves how unbiased we are, the more of a blind spot we may have when it comes to recognizing our own implicit biases. A great place to start is by taking the Harvard Implicit Association tests (Project Implicit). These are on-line tests that are designed to measure implicit biases in about 28 different categories. Although the results may be shocking at first, the science suggests that the test is absolutely valid.
We must also recognize that the old adage, “trust your gut,” may not prevent us from recognizing implicit bias. We must focus on how we form opinions about people. Sometimes it means asking ourselves whether our opinions would be the same if the person were a different race, gender, or religion or dressed in a different manner. In other words, would our opinion be the same if the individual were part of a different group? Studies suggest that we are most at risk of making a decision that is the result of an implicit bias when we are tired, under stress, and pressured to make quick decisions. How many lawyers do we know who fit that description? We may not be able to control how much sleep we get, or how much stress we feel, but we can control how quickly we make decisions that could be the result of an implicit bias.
Although we must be willing to identify and interrupt our own biases, we must also recognize and be willing to interrupt bias in others. This is probably the most difficult and the most uncomfortable part of overcoming bias.
The challenge with others is determining when to say something, how to say it, and to whom. I make every effort not to address another’s bias in front of other people. I try to find a place to talk in private, and perhaps begin the conversation with something like, “I know you didn’t mean to make me (or another person) feel bad, but I need to share with you the effect that those words or actions had.” I know it is easier said than done, but if someone isn’t made aware that he or she has a particular bias, it will only continue to cause pain to another individual or group of individuals and could lead to significant problems for the employer or organization.
Finally, in terms of specific steps we can take when interrupting bias, it is important to remember that biases develop at a young age and are often the result of our tendencies to surround ourselves with people who are the most like us. In fact, research indicates that we tend to perceive anyone different from us as a threat because our brain tells us to do so. “The capacity to discern ‘us from them’ is fundamental in the human brain,” wrote David Amodio, associate professor of psychology and neural science at New York University, in his 2014 paper, “The Neuroscience of Prejudice and Stereotyping.” However, that doesn’t mean that we can’t begin to recognize and overcome our implicit biases. Here are some suggestions:
Be aware of your initial thoughts about people and upon what those thoughts are truly based
Stay attuned to people around you and notice how often you engage in conversations with people who are different than you
Surround yourself with a diverse mix of cultural and social situations and individuals
Share your own experiences of bias with others
Educate others about the elements of an inclusive work, school, and community environment
Look for commonalities that exist regardless of race, religion, gender, culture, etc.
If you see something, say something, hopefully in a manner that is sensitive to the feelings of everyone involved
Don’t assume bad intent
Slow down your decision-making process
The reality is that we all say things or do things that we wish we could take back. Unfortunately, the tendency is to pretend that it wasn’t said, or that it didn’t happen, or hope that perhaps the person didn’t hear it. But it did happen, we did say it, and the person did hear it, so acknowledge it, apologize, MOVE on AND CHANGE. My experience has been that most people truly appreciate it and can move on when someone acknowledges a misstep and apologizes for it.
Finally, by challenging ourselves to identify and overcome our own implicit biases, and to help others recognize their biases, we can begin to lay the foundation for harmonious and productive work and personal environments.
Karen Steinhauser is a practicing attorney, judge, and adjunct law professor at the University of Denver Sturm College of Law in Denver, Colorado. She presents workshops and seminars to lawyers and nonlawyers, government offices, and private businesses in the area of implicit/unconscious bias.
New from the ABA, “Automating Legal Services” will help lawyers understand how to use automation to reduce costs, cut fees, and remain profitable, all while making justice more accessible. Author Hugh Logue reveals how rather than posing a threat to the legal profession, automation will allow lawyers to do more of what they enjoy and access a latent market. Automating Legal Services: Justice through Technology can be purchased at shopABA.org.
A February 2016 Deloitte report, “Developing Legal Talent: Stepping into the Future Law Firm,” predicted that 114,000 jobs in the UK legal sector are likely to be lost to automation by around the year 2020.[1] In my view, while the report correctly states the need for change in the legal services sector, I disagree that automation will lead to overall net job losses. Deloitte’s hypothesis, echoed by many others, assumes that all the legal needs in society are currently met by the legal services industry, and that as artificial intelligence and other technologies continue to grow they will take this work away from legal professionals.
Like the other industries that went, or are going, through automation, there is a latent demand for legal services that is not currently being met. The largest-ever survey of legal needs of people in England and Wales, published in May 2016, revealed the scale of the latent market for legal services, with only 30 percent of people with legal problems obtaining formal legal advice.[2]
Other commentators cite job losses and decline in revenue in the solo and small law firm market in recent years and attribute this to the rise of low-cost legal self-service websites such as LegalZoom and believe further automation will only lead to more job losses. However, in my view, those job losses have more to do with the toxic mix of the oversupply of lawyers in the U.S. market, coupled with the fact that current law firm business models do not allow them to increase demand by using automation to reduce costs and cut client fees without damaging profit margins.
A report in 2016 by the American Bar Association (ABA) found that 80 percent of the civil legal needs of lower-to-middle income individuals in the United States went unmet.[3] This broadly fits with studies by the World Justice Project, which estimated in 2018 that 77 percent of people in the United States and 93 percent of people in the United Kingdom did not seek support of an authority or third party to help them to resolve a legal problem.[4] A separate ABA report published in 2014 found that two-thirds of a random sample of adults in a midsize American city reported experiencing at least one of twelve different categories of civil justice situations in the previous 18 months.[5] When respondents were asked how they handled their civil justice situations, 16 percent did nothing, 46 percent took action on their own without any assistance from a third party, and 16 percent had help from family or friends. Of the 22 percent of people that did seek help from an adviser or representative, these seldom included a lawyer and were more likely to be a social worker, police officer, city agency, religious leader, or elected official.[6] Studies in Australia, Canada, and Germany all paint a similar picture—around 70 percent of people with legal problems are unable or unwilling to engage lawyers.
The latent market is driven by the fact that for many transactions, the cost of engaging a lawyer is prohibitive in relation to the value of the transaction. Although cost was a factor reported by many respondents, another factor was the practical barriers to hiring a lawyer, such as unclear pricing and confusing processes. Growing demand for unbundled legal services is also increasing the need for law firms to assemble their knowledge in an automated self-service platform for their clients to pick à la carte where they need manual legal advice and where they just need to be pointed in the right direction by an authoritative source.
Law practices try to do too much. They are reluctant to accept that they need to realign their services to focus on their strengths and allow the delivery of some services via automated methods. Technology can make the delivery of some legal services a lot simpler. Clients do not always need personal one-on-one delivery; indeed, manual delivery can actually slow things down. If lawyers currently only meet less than a third of society’s legal needs, there is plenty of scope to leverage AI and other innovative technology to serve the other two-thirds. While there will be realignment between the tasks that are completed by technology, manually, and a combination of both, ultimately the new jobs will more than offset those lost to technology.
Instead, law firms can split legal work into two piles. Offer high-quality manual legal services for fees that keep the firm sustainable and secure and offer work that is automatable as a completely new proposition for a fraction of the cost of manual work, while still retaining a decent profit margin. Once law firms bring clients into their firm with automated services, there will be legal tasks where the client can self-serve while there will be other areas where a lawyer is still needed. The key to upselling more complex legal work is to make the self-service platform really high quality to bring in as many prospective clients as possible and to provide a good impression of the law firms’ expertise. Law firms need to be experts on different ways their clients can pay for more complex legal work that comes to the surface through automated legal services. For example, contingency fee arrangements, public funding, or legal expense insurance.
About the Author: Logue is the Lead Analyst for Legal & Regulatory technology at Outsell, a Silicon Valley-headquartered research and advisory firm that tracks market performance and trends in the data, information and analytics economy. His clients include the world’s leading legal publishers and legal tech companies. He has delivered talks and written extensively on legal tech, the business of law and the automation of legal services. Hugh was called to the Bar of England and Wales in 2007.
[1] Deloitte, Developing Legal Talent: Stepping into the Future Law Firm, Feb. 2016, https://www2.deloitte.com/uk/en/pages/audit/articles/developing-legal-talent.html.
[2] Legal Servs. Bd. & Law Soc’y of England & Wales, Online Survey of Individuals’ Handling of Legal Issues in England and Wales 2015, May 2016 (survey carried out by Ipsos-MORI polled 8,192 adults, followed up with in-depth interviews with a smaller panel of respondents).
[3] ABA Comm’n on the Future of Legal Servs., Report on the Future of Legal Services in the United States (ABA, Aug. 2016).
[4] World Justice Project, Global Insights on Access to Justice: Findings from the World Justice Project General Population Poll in 45 Countries (2018).
[5] Rebecca L. Sandefur, Accessing Justice in the Contemporary USA: Findings from the Community Needs and Services Study (Am. Bar Found./Univ. of Ill. at Urbana-Champaign, Aug. 8, 2014).
The wave of marijuana legalization that has washed over North America in recent years, with Canada and most U.S. states legalizing the substance for medical and/or recreational uses (although it remains illegal under U.S. federal law), has spurred an increasing number of mergers and acquisitions involving marijuana-related businesses (MRBs). Despite the surge in deal-making, cannabis remains an emerging industry that presents unique challenges, even for experienced M&A practitioners who have advised on deals in a wide range of industries. This article will discuss a few of the unique challenges for deal lawyers in marijuana M&A, including industry-specific due diligence issues and risks that may be hard to quantify and (through appropriate representations, warranties, and indemnities) limit for buy-side clients.
Broadly speaking, marijuana deals entail advising companies engaged in the cultivation, processing, sale, or distribution of marijuana and products derived from marijuana, as well as some ancillary businesses that, while they do not “touch the plant,” primarily or exclusively serve businesses that do. It is important to note that, while both marijuana and hemp are forms of cannabis, the laws and regulations applicable to the two substances vary dramatically, as hemp was legalized under U.S. federal law in 2018.
Because of the unique legal status of marijuana as a federally prohibited controlled substance but a legal and highly sought-after commodity under the laws of most U.S. states, due diligence in marijuana M&A must encompass both the extent to which a target’s business is likely to become the subject of federal enforcement actions and its compliance with state and local laws. The risk of federal enforcement itself is in part dependent upon the target’s compliance with applicable state laws, but it behooves buyers and their counsel to go beyond a pure state-law analysis to include an assessment of the target’s compliance with the factors enumerated by the U.S. Department of Justice in 2013 in the guidance that is commonly referred to as the Cole Memorandum. That document (the effectiveness of which is currently unclear, as it was rescinded by former Attorney General Jeff Sessions in 2018 but subsequently unofficially endorsed by current Attorney General William Barr) established enforcement priorities for federal prosecutors when choosing whether to bring criminal charges for marijuana-related violations of federal law.
Those priorities focused on such issues as preventing the distribution of marijuana to minors and ensuring that revenues from the sale of marijuana would not flow to criminal enterprises and that state-legal marijuana activity would not be used as a cover for trafficking other illegal drugs. In order to get some degree of comfort that federal prosecution is at least a limited risk (although there is no legal protection from federal prosecution as long as marijuana remains illegal under federal law), buyers and their counsel should review the extent to which the target presents identifiable risks of implicating one of the enumerated federal enforcement priorities. In addition, since a typical “compliance with law” representation and warranty is not feasible in the marijuana industry with respect to U.S. federal law, this provision of the purchase agreement should be tailored to address not only the target’s compliance with applicable state and local law but ideally also the non-implication of the federal enforcement priorities set forth in the Cole Memorandum (although the specific wording of such a provision will likely be heavily negotiated).
While due diligence relating to a marijuana-industry target’s compliance with federal law is by nature a limited and highly bespoke exercise, diligence relating to state and local law compliance should be tailored to address the specific legal and regulatory requirements of the state(s) and localities in which the target operates. The marijuana laws that have been adopted in recent years vary widely from state to state and are by nature complex, as they seek to create comprehensive regulatory schemes for the creation of an entirely new (legal) industry in their respective states. As an example, the law adopted by the most recent state to legalize adult-use marijuana, Illinois (where adult-use marijuana became legal as of January 1, 2020), comprises over 600 pages of detailed provisions addressing licensing, ownership, and operational and marketing requirements, as well as change of control provisions if a licensee changes hands. The parts of the relevant state laws that are applicable to a target will depend on where along the value chain the target operates (i.e., different rules may apply to a grower as opposed to a dispensary operator).
Since state marijuana laws generally seek to closely control the issuance and ownership of licenses for cultivation, processing, transport, sale, and distribution of marijuana, a critical issue to be analyzed early in a transaction is whether applicable state laws limit the seller’s ability to assign its license(s), and, if a share deal is contemplated, what impact statutory change of control provisions will have. Additionally, state law may include ownership limitations that prohibit a single person or entity from owning an interest in more than a fixed number of licenses, and some forms of cross-ownership of licenses may be restricted. The Illinois law, for example, forbids the ownership by any person or entity of any legal, equitable, or beneficial interest in more than three cultivation centers, more than ten dispensing organizations, or more than three craft grower licenses (and cross-ownership of certain types of licenses is also restricted). In deals in which a simultaneous signing and closing is not possible, it is also important to analyze whether a provision that grants the buyer extensive pre-closing control rights is consistent with legal prohibitions on license transfers without prior state approval.
In addition, the Illinois marijuana law contains social equity provisions that offer preferential treatment in the issuance of licenses to applicants that are controlled by or employ a majority of people who have disproportionately suffered the consequences of enforcement of marijuana laws. These include people who have been arrested or incarcerated for marijuana-related offenses that are eligible for expungement under the law, as well as their family members, and people who reside in high-poverty areas and other areas that have been disproportionately affected by the enforcement of drug laws. If a target’s license was granted in part based on the participation of such a “social equity applicant,” transfer of that license is subject to additional conditions that the buyer must comply with. As a result, it is critical that a buyer understand the basis on which the target’s license was issued and how that might impact the buyer’s operation of the business following the acquisition.
Beyond licensing issues, while marijuana deals present many of the same due diligence topics as targets in other industries, some of these topics have special significance in marijuana M&A. Two issues that are of particular importance are the target’s access to banking services and insurance, as both areas have proven very challenging for many MRBs. In connection with the target’s banking relationships (to the extent that it has been able to obtain banking services), the buyer should ascertain whether the target’s bank is fully aware of the nature of the target’s business, as some banks have reportedly terminated banking relationships with customers because of their involvement in the marijuana industry. Due diligence should also encompass payment processing and money-handling, as many MRBs operate largely on a cash basis due to the lack of available service providers. MRBs that operate largely or fully on a cash basis present particular safety and security challenges, and due diligence on such targets is complicated by the fact that cash transactions may not generate electronic records that can be used for fraud control and to verify a target’s financial records.
On the insurance front, due diligence should include an examination of the sufficiency of the target’s coverage, including director and officer insurance, as many MRBs have struggled to obtain adequate coverage. In this regard, the target’s policies should be reviewed to ensure that there are no exclusions that would effectively prevent it from making a claim in the event of a product liability, recall, or other loss event.
Finally, federal tax compliance is a critical issue for a buyer’s due diligence, as the Internal Revenue Code prohibits MRBs from deducting many expenses that other businesses can deduct as a matter of course. As a result, buyers should carefully review the target’s past tax filings to assess the risk that the target has claimed impermissible expense deductions and, therefore, underpaid its federal taxes. It is also essential to review the target’s bookkeeping practices to ensure that expenses of different types (e.g., costs of goods sold vs. other types of business expenses) are appropriately recorded, as some expenses are deductible while others are not.
These are only a few of the unique aspects of advising clients on marijuana M&A. The industry continues to develop at a dizzying pace, and law and regulation are struggling to keep up with the market. This creates an exciting environment for deal lawyers who are prepared to help their clients navigate an emerging industry with many challenges and even more opportunities.
DISCLAIMER: Morrison & Foerster LLP makes available the information in this article for informational purposes only, and it does not constitute legal advice and should not be relied on as such. Morrison & Foerster LLP renders legal advice only after compliance with certain procedures for accepting clients and when it is legally permissible to do so. Readers seeking to act upon any of the information contained in this article are urged to seek their own legal advice.
Access to capital is critical for start-ups and emerging growth companies to fund operations, finance working capital, and develop and scale products and technology. These companies typically rely on invested capital to raise funds; however, equity financing may not be available and can be dilutive to founders’ equity. Venture debt can complement equity financing and offers a source of capital to bridge the gap until the company’s next equity round, to cover expenses, or to support growth.
What Is Venture Debt?
Venture debt is nondilutive financing in the form of term loans or lines of credit available to venture-backed growth companies. These organizations typically have limited assets and are not cash-flow positive. Thus, traditional loans are typically unavailable. There are three primary kinds of venture debt:
Equipment financing. This kind of financing is meant to fund the purchase of equipment, such as network infrastructure, hardware, or research and development.
Accounts receivable. A start-up borrows against its accounts receivable, thereby smoothing out its spikes in revenue.
Growth capital. A catch-all category meant for loans that can be used to fund growth, such as M&A, a new round of hiring, or working capital.
Benefits of Venture Debt
Venture debt offers benefits over other forms of financing. Unlike equity financing, venture debt is nondilutive. It allows shareholders to create greater value by providing the necessary capital for the organization to achieve critical milestones and support growth prior to its next round of funding. Venture debt also allows founders and shareholders of the company to maintain control of the business, given that lenders do not generally require board seats or observation rights as a condition.
Venture debt can usually also be arranged much more quickly than raising capital through equity financing. Thus, growth companies can gain access to funds faster and with fewer requirements. In addition, organizations can structure their debt, including venture debt, to lower their overall cost of debt capital.
Is Venture Debt Appropriate for the Business?
Although venture debt does offer certain benefits, it is not ideal for every organization.
Venture debt is typically ideal for start-ups that lack sufficient tangible assets to be eligible for more traditional financing. As such, many venture lenders prefer start-ups with monthly recurring revenue. Venture debt is typically for fast-growing companies with low operating expenses for which revenue growth can ultimately exceed the cost of capital. These kinds of start-ups are frequently found in the technology space, where very little initial capital is needed before a steady stream of revenue is generated.
Venture debt is not suitable as a last resort for companies that already have a low cash balance and high operating expenses. If the debt payment ends up being more than 20 percent of the company’s operating expenses, it is probably too costly for the company. It is also not suggested for companies that have a variable revenue stream or any company that does not have a clear use for the funds.
What Are Typical Terms for Venture Debt Loans?
The terms of a venture debt facility will vary depending on a number of factors, including: (1) the company’s current stage of growth; (2) its current cash position; and (3) the industry and market in which the company operates. Some key terms of which emerging companies should be aware include the following:
Interest rate: Interest rates tend to be higher than a normal commercial loan. Organizations can expect venture debt interest rates to be upwards of 10 percent.
Term: Given that the purpose of venture debt is to assist the start-up in reaching the next round of equity financing, the terms of the loans are typically short. Thus, the terms of these loans are typically 12 to 48 months.
Security: The loan will typically be secured by the company’s assets, such that the lenders have priority over the assets in case of insolvency.
Warrants: The lender will typically receive warrants allowing the lender to purchase shares in the emerging company at a future date.
Covenants: A loan will normally include both positive covenants and negative covenants. Common covenants include limits on raising additional debt and restrictions on the use of the loaned amount.
Conclusion
Emerging companies exploring venture debt should ensure that it is right for their organization. For mature organizations with assets that a loan can be secured against and a healthy stream of revenue, traditional commercial loans may be more attractive because the interest rates for loans will likely be much lower. However, venture debt offers an attractive source of financing for venture-backed organizations that are in a certain stage of growth.
Due to the significant variability between the terms of venture debt facilities made available, it is advisable that emerging companies seek expert advice for guidance on this form of financing.
The year 2019 was active in the legal space. Legal operations continued to be adopted by major enterprises and mid-market businesses alike. Facebook, British Airways, and Marriott Hotel faced millions in GDPR penalties, and litigation over clickwrap and other online contracts continued to skyrocket. In 2020, we can expect a continuation of these trends and more. Here are three predictions for what you can expect in the legal/litigation space in 2020.
(1) Data privacy legislation will increase, as will the need for third-party solutions like consent tracking. Data privacy regulations are becoming more of a pain point to legal teams. With the California Consumer Privacy Act (CCPA) now in effect, and the GDPR continuing to be fleshed out, we may see more of a push for easy third-party solutions to things like consent tracking. We will also see a surge of privacy policy-related litigation as the courts are called in to resolve ambiguity surrounding CCPA requirements. Depending on what happens in the aftermath, we may see (and in fact have already seen) a push for federal regulation over privacy. With all of these privacy regulations giving the express mandate to produce a privacy policy that outlines to consumers how their data will be used, companies will need third-party solutions to track consent. Especially as scrutiny of back-end records increases and becomes more sophisticated, third-party solutions will be needed to effectively convince the court of compliance with the new privacy regulations.
(2) eSignature and contract lifecycle management tools won’t be enough. Businesses should want to leverage any technology that gives them more control over legal and/or compliance-driven aspects of the business, especially business models that operate at a massive scale online. Given that businesses must move at breakneck speed to keep up with consumer demand, legacy technologies like eSignature and contract lifecycle management tend to break, particularly with these newer business models. Technology and tools like these cannot scale with fast-paced business while remaining compliant with the increase in data privacy regulations. As compliance grows in focus in the new year, so will the necessity for technology that governs that aspect of the business.
(3) Tech adoption will increase because of the drive for efficiency. The constant drive toward efficiency will manifest itself in two ways. First, legal teams will take a more data-driven approach to managing outside counsel and the related spend. Technology within legal has proliferated to such an extent that there are now multiple tools that can be used to provide the data necessary to complete this function. As this technology improves and its adoption increases, it will become one of the most important drivers of change, not just for in-house legal, but for private law firms as well. Second, legal’s adoption of a more holistic approach to enabling their departments using tech will drive not only major increases in efficiency, but in the type of tech solutions offered by vendors. This holistic approach will begin from a fundamentally different foundation—one that focuses on business velocity versus plodding risk management—and for the first time ever, technology will allow for increases in business velocity to occur simultaneously with a decreased risk profile.
Be Prepared to Defend Your Agreements in 2020
With the CCPA in effect as of January 1, there will be even more compliance-related litigation, which will inevitably change the way companies function. Courts will become even more sophisticated in their evaluation of online agreements, and consumers will become more concerned about their data privacy. Businesses must be more prepared than ever to defend the enforceability of their agreements and prove compliance with the new (and old) privacy laws.
If you are a lawyer who does not specialize in privacy, you may be familiar with the feeling of dread that creeps into your heart when a client requests your counsel on how to comply with data privacy laws. The feeling is well-founded. There is no single statute you can consult to provide the needed advice. In the United States, the law of privacy is commonly referred to as “sectoral,” meaning that there is no overarching legal regime covering privacy generally, but rather a series of federal laws (and often accompanying regulations) that each govern a particular subject matter. Nor is privacy protection exclusively on the federal level; federal law does not generally preempt state privacy laws, and state legislatures have not been shy about enacting their own privacy regulations. If your client operates an internet-based business or otherwise serves customers beyond the borders of the United States, the client may also be subject to the privacy regulations prevailing in other countries and trading blocs, which are in many cases intentionally written to have extraterritorial effect.
For those of you who may be experiencing this sort of dread, the ABA’s Cyberspace Law Committee now offers a helping hand. The committee’s Consumer Privacy and Data Analytics Subcommittee has assembled an international group of privacy experts and tasked them with compiling a guide to privacy laws from multiple jurisdictions around the world—the Global Privacy Checklist. The Checklist is a valuable starting point for any lawyer who counsels clients on complying with privacy laws. It serves as a pointer to the most salient of those laws in multiple jurisdictions: U.S. federal, U.S. states, Australia, Canada, the European Union’s General Data Protection Regulation, and the member states of the European Union.
The Checklist is an Excel spreadsheet, with each of the covered jurisdictions occupying its own tab. It is organized around a user-friendly “if-then” framework. For example, the U.S. federal tab includes the “if” statement: If “You collect and use email addresses for commercial purposes.” The “then” statement points the user to the relevant legal rules: “Then consider the applicability of” the “Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM): 15 U.S.C. §§ 7701–7713.” What follows is a summary of the rules that must be followed to comply with the CAN-SPAM Act.
Defining the scope of laws to include within the privacy rubric is more difficult than it may seem. Laws addressing data privacy are related to, and sometimes overlap with, those addressing data security; therefore, the Checklist’s coverage sometimes includes security laws. Coverage of all U.S. state laws relating in some way to data privacy would exceed the scope of the project and the resources available to it. To make the project manageable, the Checklist’s U.S. states tab is limited to the five most commonly encountered areas of privacy regulation: general privacy, data of children, biometric data, health data, and financial data. Coverage of the EU member states is also limited to a few key subject areas.
As valuable as the Checklist is, it has a few important limitations. It does not cover case law or determinations by regulatory agencies. Nor does it include proposed legislation, which is voluminous in light of the number of jurisdictions included among the U.S. states and the EU member states. The authors of the Checklist have sought to represent the state of the legal landscape as of the date of its publication. Inevitably, however, there will have been recent legal developments in some of the many covered jurisdictions that will not have come to their attention in time to include them. Given the dynamic nature of regulation touching upon privacy and the limited resources available, it is not feasible to keep the list continuously updated. We hope to update the Checklist annually, however, as resources allow.
Readers are encouraged to communicate with the Checklist’s editors and let us know of any new or additional laws or regulations that should be considered when the Checklist is updated. Our contact information: John Isaza, [email protected], and John Rothchild, [email protected]. The editors extend a hearty thanks to the team of volunteers whose efforts made this Checklist possible. They are listed in the contributors tab.
Recently enacted state laws targeting arbitration provisions in employment agreements specifically related to sexual harassment have come into conflict with the Federal Arbitration Act (FAA), as illustrated by recent court decisions in New York and California.
In the shadow of the #MeToo movement, many states sought to strengthen their human rights laws to combat the prevalence of sexual harassment in the workplace. One of the tools put forth in state statutes was to prohibit the use of the arbitral forum for claims of sexual harassment. This has resulted in a predictable clash with the mandates of the FAA, which provide that arbitration provisions in contractual agreements shall be upheld and binding on the parties with limited exceptions.
For instance, in New York, the state passed legislation in 2018, N.Y. C.P.L.R. § 7515, prohibiting the use of arbitration agreements for claims of sexual harassment regardless of the FAA. As a result, in Latif v. Morgan Stanley & Co. LLC, 2019 WL 2610985 (S.D.N.Y., June 26, 2019), the opposing positions of the FAA and the state legislation resulted in District Court Judge Denise Cote holding that the state law ban on mandatory arbitration in sexual harassment cases was preempted by the FAA.
As a general proposition, Judge Cote noted that the FAA preempts any state law that discriminates on its face against the FAA. The New York statute specifically provided that any mandatory arbitration provision in an employment contract which provides that arbitration is the only and final remedy for such a claim is “null and void.” Latif went to the Second Circuit Court of Appeals, where an application for an en banc hearing was submitted. The Second Circuit dismissed the appeal on January 15, 2020, for lack of jurisdiction because the district court had stayed the federal action pending arbitration, citing Katz v. Cellco P’ship, 794 F.3d 341 (2d Cir. 2015), which provides for a stay of the federal action where an arbitration is compelled; as such, there is no final determination to appeal. It is this author’s sense that, but for this stay, deference still would have been given to the FAA.
California recently passed legislation, Assembly Bill No. 51 (AB 51), banning employers from requiring the execution of an arbitration agreement as a condition of employment and prohibiting any discrimination or retaliation against employees who refuse to sign such an agreement. The legislation was scheduled to take effect on January 1, 2020, and it covered under its rubric not just sexual harassment claims, even though it was inspired by the #MeToo movement, but any employment-related disputes. On December 30, 2019, the federal district court in the Eastern District of California in the case of Chamber of Commerce of the United States of America, et al. v. Becerra, et al., 2:19-cv-2456 (KJM) (DB), issued a TRO until a hearing could be held on a temporary injunction, and the court noted that this was due to the conflict between the state law and the FAA and the upheaval the law going into effect would have on employment agreements, even in the short term, where there is a serious question as to whether the law is preempted by the FAA. After hearing oral argument, the court temporarily enjoined the enforcement of the California statute on January 31, 2020.
Congressional action to amend the FAA would resolve this dispute. For instance, the Arbitration Fairness Act of 2017 was introduced in the 115th Congress to prohibit forced arbitration agreements for employment claims as well as civil rights and commercial claims. This legislation expired at the end of the 115th session without further action; however, similar legislation was introduced in the 116th Congress as the Forced Arbitration Injustice Repeal Act of 2019. It was approved by the House on September 20, 2019, by a vote of 225-186, but has not been acted upon by the Senate. In addition, there has been bi-partisan legislation specifically targeting sexual harassment arbitration. The legislation, Ending Forced Arbitration of Sexual Harassment Act of 2017, which expired with the 115th Congress before being acted upon, has been reintroduced as Ending Forced Arbitration of Sexual Harassment Act of 2019 in the 116th Congress and is still going through the legislative process. This bill would provide a carve-out in the FAA for sexual harassment claims and may be a compromise versus banning all employment-related arbitrations.
As of today, the inherent conflict between the FAA and the states’ attempts to take steps to combat sexual harassment by targeting arbitration clauses will continue to be fought in cases such as the ones discussed above until the question reaches the Supreme Court or Congress takes action.
By now, most businesses accept ongoing cyber threats as a fact of life. How could they not with the onslaught of daily news reporting about malware, phishing, ransomware, viruses, and various other hacking attacks? Some firms, accepting the reality of the threats, are deciding whether to ignore their cyber risks, fix them, or transfer them by way of insurance. This article considers this last option, specifically how you can obtain full insurance coverage for your actual cyber exposures at a fair premium.
Although not impossible, the process is a good deal more complex than, say, purchasing adequate fire insurance. What follows is a step-by-step primer on how to get the job done. In a nutshell, you must first thoroughly assess your IT and non-IT risks and then retain a broker knowledgeable in cyber-risk insurance coverage so you can come to the bargaining table with an accurate understanding of the coverage you actually need.
Essential Steps
Step One. It is absolutely critical that you have a thorough, comprehensive assessment of your cyber exposures in hand to enable your critical decision-making. This assessment should cover your IT risks, including systems security, policies, procedures, and training, and your non-IT risks, including social media usage and policies, bring-your-own-device policies, Cloud-computing contracts, Internet of Things exposures, and compliance issues. Without such a thorough and comprehensive assessment, you simply cannot make informed, cyber risk-management decisions to protect your business.
Step Two. Retain a sophisticated broker who is savvy in the various cyber insurance coverages offered. There are a great number of underwriters offering cyber risk coverage, with the various coverages differing in the risks covered, the assessment of a policyholder’s risks, and the premiums charged. Only a truly qualified broker, experienced in the marketplace, can guide a business through the maze to the right coverage.
Step Three. This is the promised nit and grit. Any business needs two major classes of coverage: first-party liability coverage for risks that it cannot remediate but that are too pressing to ignore, and third-party liability coverage for damages it might cause, directly or indirectly, to third parties. An example of the former would be the intrusion of a virus that causes a disruption in a firm’s business, and of the latter a hacking attack that causes a breach or loss of a client’s data. The coverages set out below are those you should discuss with your broker and insist upon when you have the data to indicate the real risks.
Primary Liability Coverages
First-party liability coverage is for your firm to cover the costs incurred from a break-in to your systems. The essential elements of the coverage are:
Theft and fraud coverage for some of the costs of a theft or destruction of your data, or theft of your company’s funds. How much coverage you may be able to obtain may depend on how well-versed you are in the actual costs your business will incur.
Forensic investigation coverage for determining the cause of the intrusion.
Network and business interruption coverage can be the most important part of your cyber coverage. The carrier may impose limitations to this coverage, but one of them you should not permit is specifying that the intrusion must be caused by an intentional cyber attack. Not only may “intentional” be hard to prove, but for your business the result is the same: you are losing money because of the attack. Reasonable conditions on the coverage may include a time limit on when the coverage begins and the total length of outage the insurance will cover. You can negotiate these limitations if you are fully prepared to discuss the business exposures giving rise to the coverage you are seeking, including contingent business expenses which you probably will not be able to quantify in advance.
Extortion is coverage for the cost of the “ransom” you may be required to pay to get your systems back online. Although there is no way to quantify the demand in advance, ransomware tracking shows these demands are on the rise.
Data loss and retention is coverage for the cost of restoring any data that may have been lost and possibly the cost of diagnosing the cause of the loss. It may be expensive because it is typically subject to substantial retentions. You should ensure, to the extent possible, that this coverage is not limited in terms of the cause of the loss. In this regard, it will be important for you to be able to demonstrate that you have taken the necessary measures to remediate, within your firm’s capability, any potential IT or non-IT exposures revealed by your assessment so that the insurer is comfortable with not including a cause-of-loss limitation.
Third-party liability coverage is to cover claims by third parties whose data within your possession has been hacked into or otherwise compromised. The essential elements follow:
Privacy coverage is to address claims by your firm’s customers, clients, and employees for breaches of their confidential information. This coverage should include any failure to protect the data, rather than specifying that the breach be intentional. You should also seek coverage for any failure to report the breach under applicable state reporting requirements, or failure to disclose a breach under applicable privacy laws.
Regulatory actions coverage should include defense costs for any governmental or civil investigations or requests for information, beginning with the onset of the investigation, whether or not the investigation is instigated by a formal complaint or “suit.” You also will need coverage for civil fines and penalties.
Notification costs include notifying third parties who may have been affected by your data breach. You should be prepared to inform the insurer of the number of people to be notified and the method and cost of notification. Ensure this data is included in the policy along with a provision allowing you to update this data on a regular basis. Given the constantly changing landscape of individual state notification laws, it behooves your counsel to keep track of the state requirements that may apply to your clients.
Crisis management is an important element of this coverage to defray the public relations costs of defending or repairing your reputation. These costs may be difficult to quantify in advance, but you would be advised to consider coverage to support a substantial budget. Reputational restoration can be one of the most important aspects of your post-breach efforts.
Call-center costs may be one of the most significant of your post-breach expenses. It is important to have coverage for these costs included, along with the number of people eligible to receive call-center services, the specific call-center services to be provided, and the call center’s hours.
Credit/identity monitoring coverage is included in most policies but may be limited by the individuals who can receive the services and the list of approved vendors.
Transmission of viruses and malicious code protects against liability claims for damages for the transmission of viruses or other malicious code or data from your system to another system. Although important if your system is capable of this kind of transmission, you do not want to pay for unneeded coverage.
Other Important Considerations
Types of policies. Policies are generally divided into two major categories: “claims made” and “occurrence.” A claims made policy is triggered when a claim is made against the insured during the current policy period, regardless of when the act that gave rise to the claim took place. Occurrence policies cover claims that arise out of damage or injury that took place during a policy period, regardless of when claims are made. Most commercial general liability insurance is written on an occurrence form.
By way of example, a claim made by a customer in the current policy year that it suffered damage 10 years ago would be covered by a current claims made policy. On the other hand, a claim made that the damage occurred in a 10-year-old policy period, but not made until five years later, would be covered by an occurrence policy.
Trigger. Cyber policies, whether claims made or occurrence, typically are triggered by an event that results in the loss of data during the policy period. The claims-made policies typically are more restrictive in terms of the events that can trigger coverage, and the timing of resulting claims in relation to the loss may limit or preclude available coverage. Thus, you may find the occurrence policies preferable, their higher premiums notwithstanding.
Defense obligations. In some cyber policies, the defense obligation can be triggered only by a “suit,” which requires a lawsuit or written demand against the insured. This definition may preclude defense of a claim that has yet to ripen into a lawsuit or written demand, where much of the defense costs on a particular matter may be spent. You should argue for less restrictive defense language so that there are no limitations as to coverage for governmental actions including investigations.
Choice of defense counsel. In some cyber policies, defense costs are covered only to the extent that the insured chooses from the insurer’s list of “panel” law firms. If the insured chooses a different firm, its defense costs probably will not be covered.
Given the substantial costs likely to be associated with a significant data breach—costs that could exceed the limits of the primary and applicable excess policies—you should have substantive input in the choice of counsel. Accordingly, you should argue for a policy with a balanced choice of counsel language, e.g., the insured and the insurer should mutually agree on defense counsel, and if they cannot agree, the insured will choose counsel for which the insurer shall pay up to a set hourly rate.
Retroactive coverage. Cyber policies often contain a “retroactive date” in which losses arising from events prior to the retroactive date will not be covered. Insurers often would like to fix the retroactive date at the initial date of coverage. Given that exposures unknown to you may have occurred some time ago, you should negotiate a retroactive date as far back as you can reasonably determine your exposures may have arisen.
Vendor liability. Acts and omissions of third parties may not be covered expressly, or may even be excluded, under some cyber policies. By way of example, if a company uses the services of a third-party vendor to maintain its confidential customer or employee information in the Cloud, and the vendor experiences a data breach, your firm could be sued by its customers or employees. Whether you have coverage will depend on the policy language. Some cyber policies provide coverage for breaches of data maintained by third parties so long as there is a written agreement between the insured and the vendor to provide such services.
If you rely on a third party to maintain any of your confidential information, you should consider seeking a policy that expressly covers breaches of data maintained by the third party.
In the alternative, your contract with your cloud provider should include indemnification language backed up by a provision that the provider will maintain verifiable cyber-risk insurance. Self-insured retention language applicable to your coverage should be clear that any payments made by the third party indemnifying the company for loss sustained by the breach count toward satisfaction of the retention.
Loss of unencrypted data. Coverage for data lost from unencrypted devices is often excluded in cyber policies. If you must live with this limitation, ensure you have an enforceable policy that all personal information or sensitive firm information, in any format, is encrypted on individual devices. The better firm policy would prohibit personal information and sensitive firm information from personal devices, period.
Identity of covered entity. Many cyber policies define covered persons, for liability purposes, to include only natural persons. Your policy should accurately define the entity or entities who may be affected. This would also be the place to include any other entities who should be listed as additional insureds.
Policy territory outside the United States. Even if your firm does not operate outside the United States, your employees may lose their laptops, PDAs, and other electronic devices containing confidential information, or have them stolen, while traveling abroad. Many cyber policies attempt to restrict the applicable coverage territory to the United States and its territories. You should ensure that your cyber policy provides coverage for losses or thefts of confidential information that occur outside the United States.
Breaches unrelated to electronic records. Some cyber liability policies restrict coverage to loss or theft of electronic data. Given that many breaches occur as a result of loss or theft of paper or other nonelectronic records, your policy should cover both electronic and other forms of records.
Location of security failure. Some cyber insurers attempt to limit coverage to physical theft of data from company premises. This limitation would deny coverage from claims arising from laptop, PDA, or thumb drive thefts. Other policies limit coverage for data breaches resulting from password theft to situations where the theft occurs by nonelectronic means. You would be well advised not to permit these kinds of limitations, which could be costly in the long run.
Exclusions for generalized acts or omissions. Some cyber insurers will attempt to exclude coverage for losses arising from: (1) shortcomings in security of which the insured was aware prior to the inception of coverage; (2) the insured’s failure to take reasonable steps to design, maintain, and upgrade its security; and (3) certain failures of security software. If your firm performs a thorough cyber-risk assessment and acts on the remediation recommendations in the assessment, you should be able to demonstrate that, in your case, these kinds of exclusions should not be included.
Exclusions for acts of terrorism or war. Many cyber policies include this common exclusion, which would seem to apply to an attack by a foreign nation. If you cannot get the insurer to leave this exclusion out, then consider purchasing alternative coverage that would address your concerns.
Conclusion
You absolutely can achieve your goal of obtaining cyber-risk coverage for your full range of cyber exposures, but only if you have a thorough assessment of your IT and non-IT risks in hand, retain a broker knowledgeable in cyber-risk insurance coverage, and come to the bargaining table fully prepared with the essential facts as outlined above.
Please feel free to contact the author: Edward (“Ned”) M. Dunham, Jr., Spector Gadon Rosen Vinci P.C., 1635 Market Street, 7th floor, Philadelphia, PA 19103, [email protected], (215) 241-8802
For over a decade, financial firms have been collaborating with financial technology (fintech) companies on an array of products and services. The explosive growth of these collaborations has resulted in massive investments. As of Q3’19, these collaborations raised $24.6B. The growing use of fintech may be attributable to: (1) ongoing innovation, (2) more options and benefits for consumers, and (3) enhanced operational capabilities and efficiencies for financial institutions. Financial firms can use fintechs in place of outdated legacy models to deliver financial services to consumers. Tech-savvy consumers have access to services (often on their smartphones) that enable them to conduct trades, pay bills, and manage their funds. Start-up fintechs can leverage the name, resources, and access to well-established financial firms to deliver their technology products and services to a growing consumer pool.
Although these collaborations appear to be a win-win situation for all parties, growing risks have prompted greater regulatory focus, not to mention the need for better-defined compliance frameworks to manage risks.
Limited Oversight
For years, there was little to no oversight of fintech collaborations. The evolving and innovative nature of fintechs created the perfect environment for unknown or undetected compliance risks. Financial regulators were unfamiliar with these products and, as a result, unsure about how to regulate them. Requirements were murky at best, leaving the financial industry vulnerable to fraud, money laundering, terrorist financing, cybercrime, and other illegal activity.
More Focus, More Regulation
The “limited oversight” approach proved to be unsustainable as the growth and complexity of fintech partnerships triggered unique legal, regulatory, reputational, and other risks. In response, financial services regulators are stepping up their efforts to ensure better and more specific oversight of fintechs.
In the United States, regulators are incorporating fintechs into enforcement and rulemaking actions involving: (1) consumer protection laws; (2) licensing requirements; (3) anti-money laundering and know-your-customer rules and regulations; (4) privacy and data security regulations; (5) cybersecurity regulations; and (6) special considerations involving Blockchain and cryptocurrency.
As this is happening, regulators are trying to strike the right balance between promoting innovation and regulating these efforts properly. At the federal level, the Consumer Financial Protection Bureau (CFPB) has launched its Innovation Office that houses various resources, including a Compliance Assistance Sandbox, to help companies test innovative products and services for a limited period while sharing data with the CFPB. The CFPB has also launched the American Consumer Financial Innovation Network (ACFIN), a partnership with multiple state regulators to serve as a network that will help enhance coordination among federal and state regulators to facilitate financial innovation.
States are also getting into the act. Arizona’s fintech sandbox was the first state sandbox that allows participants to test-drive their products temporarily under regulatory supervision. Other states such as Wyoming, Utah, and Nevada are following Arizona’s lead with similar models.
Growing regulatory focus at both the federal and state level is creating the potential for a patchwork of state and federal requirements. This potential outcome is further complicated by global regulations in that fintech arrangements often facilitate access to a global consumer base. With access comes the application of complex and often restrictive laws, such as the European Union’s General Data Protection Regulation (GDPR). Additionally, various countries around the world are assessing current requirements to ensure they adequately manage the risks posed by fintechs. The Global Financial Innovation Network (GFIN) has emerged as an international effort for collaboration by regulators and numerous U.S. federal and state regulatory agencies, including the CFPB and the New York Department of Financial Services.
Embrace Compliance
So, what should fintech collaborations do? These collaborations should have a practical and documented plan to establish and maintain a strong compliance program to manage risks and to prepare for expanded regulatory scrutiny. Begin with the following preliminary steps: (1) know the current regulatory environment and applicable requirements at the state, federal, and international levels; (2) document current controls (no one needs to begin with a blank slate); and (3) identify risks (by priority) for engaging in these collaborations.
The next step should be to launch efforts to establish and maintain effective compliance controls. A sample framework for a fintech compliance program can include: (1) a dedicated compliance program administrator; (2) risk assessments to identify and address risks; (3) policies and procedures; (4) oversight measures to periodically assess the effectiveness of program controls; (5) maintenance of program controls through ongoing monitoring of regulatory and internal developments; (6) third-party management; (7) delivery of training; (8) recordkeeping requirements; (9) an escalation process for reporting violations; and (10) periodic reporting on the program. Feel free to make adjustments based on your needs and requirements, but do not postpone critical measures, and plan for what cannot be done immediately.
Make sure to factor in special considerations for a fintech compliance program, such as: (1) controls around how personal information is collected, managed, stored, and handled in any other way; (2) AML/CFT and KYC controls to help flag, address, and manage money laundering and suspicious activities as well as maintain customer due diligence protocols; and (3) information security controls to manage breaches of company information and ensure a timely and effective response.
Some final considerations revolve around who must be involved. It is critical to engage legal, compliance, and risk personnel early and throughout the planning and implementation of fintech collaborations and compliance programs. Separately, regular presentations should be made to educate and inform boards and management on the fintech compliance program, as well as existing and emerging fintech-related issues and challenges. Management and the governing authority of the company must be knowledgeable about risks to make well-informed decisions.
Conclusion
Fintechs are no longer market disrupters and are here to stay as integral players in the financial services sector. However, their success cannot be sustained without the responsible delivery of products and services, which is why fintech compliance must be an integral part of any collaboration. Effective compliance requires, at a minimum, knowledge of fintech regulatory requirements and issues. It also requires a documented and effective compliance program to help identify, manage, and possibly prevent regulatory, reputational, and unforeseen risks. Anything less could have an immediate or long-term impact on the fintech’s credibility, bottom line, and ultimately its business viability.