An earlier article, Choice of Law/Forum and Waiving the Right to a Jury Trial: California Court Holds That the Former Cannot Do the Latter,[1] reviewed the William West v. Access Control Related Enterprises, LLC decision in which a California court held that a California citizen could not be required to litigate an action involving a Delaware LLC in the Delaware Chancery Court because that forum does not provide for jury trials. In a subsequent addition to the choice of law battle between California and Delaware, the Delaware Chancery Court in JUUL Labs, Inc. v. Grove held that the inspection of books and records of a Delaware corporation is governed by Delaware law notwithstanding a California statute to the contrary.[2]

Daniel Grove was a shareholder and employee of JUUL Labs, Inc. This corporation is organized in Delaware, but its principal place of business is in San Francisco. Grove demanded to inspect JUUL’s books and records under Section 1601 of the California Corporations Code, indicating that if he did not receive the requested books and records he would bring suit in California to compel inspection under California law. The California Corporations Code, at section 1601(a), purports to apply not only to corporations incorporated in California but also to “any foreign corporation keeping such records in this state or having its principal executive office in this state.” JUUL, in response, filed this action in the Delaware Chancery Court, seeking among other relief a declaration that it is Delaware, not California, law that governs Grove’s rights to inspect JUUL’s books and records. It sought further relief in the form of an injunction against Grove to prevent him from attempting to circumvent certain contractual limitations on his ability to inspect books and records. Thereafter, Grove filed an action in the Superior Court of California for the County of San Francisco seeking relief under California Corporations Code Section 1601. That action, Grove v. Adam Bowen,[3] was stayed by the California court.

The Chancery Court, after disposing of arguments that Grove had, by contract, waived his right to bring an action under California Section 1601, turned to the (frankly more interesting) question of the Internal Affairs Doctrine. That analysis began with a quotation from the decision of the United States Supreme Court, Edgar v. MITE Corp., namely:

The internal affairs doctrine is a conflict of laws principles which recognizes that only one State should have the authority to regulate a corporation’s internal affairs—matters particular to the relationships among or between the corporation and its current officers, directors, and shareholders—because otherwise a corporation could be faced with conflicting demands.[4]  

From there the court cited a number of Delaware decisions holding that the Internal Affairs Doctrine protects rights that arise under the Due Process Clause, the Full Faith and Credit Clause, and the Commerce Clause,[5] all of which may be well and good, but to this point still beg the question of exactly what actions and activities constitute “internal affairs.” It was to that question that the court next turned its attention. For the Delaware Chancery Court, it was not a close question. Rather, “Stockholder inspection rights are a core matter of internal corporate affairs.”[6] Turning its attention to the analysis previously set forth in Salzberg v. Sciavacucchi,[7] the court reviewed that decision and determined that inspection of books and records is a core internal affair.

The Chancery Court went on to compare section 1600 of the California Corporations Code, which affords access to the shareholder list, with section 220 of the Delaware General Corporation Law (DGCL), finding the California statute to be broader than that of Delaware. Likewise, the comparison of California Corporations Code section 1602, governing the inspection rights of directors, was made against DGCL section 220(d), with another determination being made that the rights under California law are broader than they are under Delaware law ultimately:

Generally speaking, the California inspection regime is not radically different from the Delaware regime, but it is not the same either. California’s precious balancing of the competing interests between stockholders and the Corporation differ from Delaware’s.[8]

Drawing a line in the sand, the JUUL court wrote:

Under constitutional principles outlined by the Supreme Court of the United States and under Delaware Supreme Court precedent, stockholder inspection rights are a matter of internal affairs. Grove’s rights as a stockholder are governed by Delaware law, not by California law. Grove therefore cannot seek an inspection under [California Corporate Code] section 1601.[9]

JUUL’s Amended and Restated Certificate of Incorporation contains an exclusive jurisdiction clause requiring that “the Court of Chancery in the state of Delaware shall be the sole and exclusive forum for any stockholder (including a beneficial owner) to bring . . . (iv) any action asserting a claim against the Corporation, its directors, officers, employees or stockholders governed by the Internal Affairs Doctrine.” On that basis, and citing Boilermakers Local 145 Ret. Fund v. Chevron Corp.,[10] it was held that the inspection of records could be brought only in the Delaware Chancery Court.[11]

So there you have it; unsurprisingly, the Delaware Chancery Court has held that the right of inspection of corporate books and records is soundly within the scope of the “internal affairs” of the Corporation, and therefore governed by the law of the jurisdiction of organization, and that a provision in the certificate of incorporation vesting exclusive jurisdiction to hear disputes with respect to internal affairs in the Delaware Chancery Court will likewise be enforced. The question the JUUL court did not resolve was whether contractual waivers of the right to inspect books and records will, when properly presented to the court, be enforced.[12] But again, that determination should be made under the Internal Affairs Doctrine.

Procedurally, Delaware courts will continue to apply its broad interpretation of “internal affairs,” and as long as exclusive jurisdiction provisions of certificates and by-laws are enforced by Delaware courts,[13] and there is no reason to think to the contrary, we could end up in a situation in which companies as a matter of ordinary course include (i) exclusive jurisdiction clauses that expressly encompass inspection of books and records and (ii) waivers of the right to inspect, whether under DGCL § 220, under the law of any other jurisdiction, or under common law. Ergo, “it would mean that 220 inspection rights could be left a functional dead letter.”[14] The question will then arise as to whether the courts of California or another state will disagree that (a) the Delaware courts have exclusive jurisdiction or (b) that inspection rights are subject to waiver, thereby setting up a true conflict as to choice of law.

Another interesting interface of a potential elimination of inspection rights will be upon the standards to bring a derivative action. Currently, Delaware imposes a high threshold for bringing a derivative action, cautioning that plaintiffs should avail themselves of DGCL § 220 inspection rights in order to plead the prospective case with the necessary degree of specificity. If by private ordering the shareholders’ right of inspection has been restricted or eliminated, will the enhanced standards for bringing a derivative action be necessarily reduced?[16] 

[1] Business Law Today (Sept. 2020).

[2] 238 A.3d 904 (Del. Ch. 2020).

[3] Superior Court of California, CGC20582059.

[4] 457 U.S. 624, 645 (1982) (citing Restatement (Second) of Conflict of Laws § 302 cmt. b. (1971)).

[5] 238 A.3d at 914.

[6] 238 A.3d at 915.

[7] 227 A.3d 102 (Del. 2020).

[8] 238 A.3d at 917.

[9] 238 A.3d at 918.

[10] 73 A.3d 934, 963 (Del. Ch. 2013).

[11] 238 A.3d at 919.

[12] 238 A.3d at 919-20.

[13] See Salzberg v. Sciabacucci, 227 A.3d 102 (2020); see also Gabriel K. Gillett, Michael F. Linden, and Howard S. Suskin, Delaware Supreme Court Declares Federal Forum Provisions in Corporate Charters Are “Facially Valid,” Business Law Today (April 2, 2020).

[14] See Professor Ann Lipton (Tulane Law) in a posting on the Business Law Prof Blog on August 15, 2020, titled The United States of Delaware.

[15] See AmerisourceBergen Corporation v. Lebanon County Employees’ Retirement Fund, 243 A.3d 417 (Del. 2020) (“For over a quarter-century, this Court has repeatedly encouraged stockholders suspicious of a corporation’s management or operations to exercise this right to obtain the information necessary to meet the particularization requirements that are applicable in derivative litigation.”); Id. collecting case at note 33.

[16] While this is not the place for a full exploration thereof, there exists a significant policy question with respect to whether, particularly in closely held ventures, limitations on inspection of books and records should be permitted. While it is necessary to balance the need of the corporation or other legal entity to operate in accordance with the directions of its management, eliminating access to books and records allows those fiduciaries the benefit of operating without oversight. See also Thomas E. Rutledge, Who Will Watch the Watchers?: Derivative Actions in Nonprofit Corporations, 103 Kentucky Law Journal Online 31 (2015). The hazard is obvious.

The economic impact of COVID-19 has been almost universal, yet some economies appear to be recovering more quickly than others. Comparing some of the major components of select stimulus programs in Germany, Singapore, and the United Kingdom in response to the economic downturn may help explain the different economic recovery rates. Yet, despite huge variations in legal systems, population, geography, and culture in the countries analyzed, we found significant uniformity in the programs implemented, with the contrasts akin to variations on a theme. 

Early Responses

Each country under review announced large stimulus packages between February and May 2020. Germany adopted a $844 billion[1] package comprised of a $175 billion stimulus program and $675 billion worth of loans and loan guarantees to struggling companies. The UK’s response, announced on March 17, 2020, also included large loan guarantee schemes, including two parallel programs: one for large companies (the “CLBILS”) and one targeting small and medium-sized enterprises (the “CBILS”). Singapore implemented five separate stimulus packages between February 18 and May 26, 2020, totaling approximately $71.8 billion. 

All three countries quickly instituted wage subsidy programs, with the German government providing a minimum of 60 percent of employee salaries, Singapore providing 50 percent (later increased to 75 percent), and the UK providing 80 percent of furloughed employees’ salaries. As of early July 2020, the UK’s furlough program had supplemented 9 million employees’ wages while another program supported an additional 2.7 million self-employed persons. Singapore also instituted a Wage Credit Scheme to provide government funding for employee wage increases given in 2019 or early 2020. These programs assuaged some of the economic pain caused by huge spikes in unemployment as lockdowns took effect in the second quarter of 2020. (See the representative graphs here for Germany, here  for Singapore, and here for the UK.)

In addition, Germany announced a three-month payment moratorium on consumer loans issued prior to March 15, 2020 for households financially impacted by the pandemic. Singapore provided individuals and businesses with assistance to make insurance premium payments, and the UK Financial Conduct Authority requested that firms freeze payments on loans and credit cards for up to three months in April 2020. 

Summer 2020 Packages

Generalized worker and company support programs

On June 29, 2020, the German Parliament passed a $146 billion package establishing and funding a number of programs designed to support workers and prop up struggling companies. The package provided families with an approximate $350 per child payment, doubled the single-parent income tax allowance to $4,500, and extended access to basic income support through the balance of 2020. On July 8, 2020, Germany provided $28 billion in bridging grants to companies to cover fixed operating costs. Companies with more than 10 employees could obtain grants capped at $169,000 depending on how steeply the company’s sales revenue had declined.

On July 8, 2020, the UK announced a “Plan for Jobs” estimated to cost up to $37.5 billion. Similar to Germany’s June 2020 stimulus package, the UK Plan included a number of programs designed to support workers and companies. The Plan extended some programs and established others, including the “Kickstart Scheme,” which provided $2.5 billion to create hundreds of thousands of six-month work placements for those aged 16 to 24 and deemed to be at risk of long-term unemployment, and the Job Retention Bonus, which provided a one-off payment of approximately $1,250 to UK employers for every furloughed employee who remained continuously employed through January 2021. 

Singapore’s Summer 2020 efforts largely extended and supplemented already established programs. Eligibility for the Workfare Special Payment, a grant to low-wage workers, was widened, and the Job Support Scheme was extended to cover employee wages until March 2021. The COVID-19 Support Grant, introduced in May 2020 to provide grants to unemployed applicants that demonstrate job search or training efforts, was also extended. In August 2020, Singapore announced the Jobs Growth Incentive (JGI), a $718 million program to encourage firms to increase their headcount of local workers, reallocating funding chiefly from development expenditures delayed due to the pandemic.   

Targeted programs

Each country targeted specific portions of their Summer 2020 stimulus programs to assisting particularly hard-hit sectors of the economy, as well as investing significant chunks to upgrade infrastructure and support industries of the future.

To shore up restaurants and pubs, the UK created the “Eat Out to Help Out” program, which provided diners with a 50% discount on meals and non-alcoholic drinks purchased at eateries during August 2020. The government also reduced the VAT rate from 20% to 5% at restaurants, hotels, and tourist attractions. Singapore provided its highest level of wage subsidies to employees working in the hardest-hit sectors, namely aerospace, aviation, and tourism. Singapore also provided a standalone relief package for airlines and their employees, and $230 million in vouchers to Singaporeans for use at local attractions, to offset the loss of dollars from now-nonexistent foreign tourists.

The stimulus programs also focused on technology, digitalization and sustainability. Germany’s June 2020 stimulus featured a $56 billion “future investment package” that included a doubling of the electric car buyer rebate to $6,750, $2.8 billion in e-charging facility upgrades, electric-powered bus and truck purchases, and battery cell production, $5.6 billion to the railway company Deutsche Bahn to support modernization, expansion, and electrification of the railway system, and $10 billion to research and develop hydrogen fuel technology with the hope of becoming a world leader in the space. Billions more were invested to retrofit buildings, build out 5G infrastructure, research artificial intelligence, and build “at least two” quantum computers.

The UK introduced a $2.5 billion Green Homes Grant, providing $2 for every $1 spent on home energy efficiency upgrades. The Plan for Jobs established and funded more environmental programs to promote decarbonization of public buildings, to support environmental charities, to promote direct air capture of CO2, and to develop the next generation of clean automotive technology.  The UK also announced $6.25 billion put toward the acceleration of certain infrastructure projects to support both the economy and the transformation of the nation’s infrastructure.

Fall 2020 Stimulus

In October 2020, Singapore announced a six-month extension of its Enhanced Training Support Program for the hardest-hit sectors and expanded it to provide benefits to companies and workers in the marine and offshore sector. Eligibility for Singapore’s JGI was widened to provide 50% wage support for all new hires with disabilities. The Temporary Bridging Loan Program, providing companies access to low interest, government-guaranteed loans of up to $718,000, was extended six months. The government also provided grocery vouchers to individuals, extended COVID-19 Support Grants for the unemployed, and established a new “baby bonus” to encourage families to have children. 

Similarly, the UK abandoned plans to end several stimulus programs in late Fall 2020, extending wage subsidies and grants to the self-employed and reducing VAT rates. The Bank of England continued its quantitative easing program, agreeing on November 5, 2020 to purchase $187 billion of government bonds to promote lowered borrowing costs for consumers and businesses. The Bank also maintained the benchmark interest rate at 0.1%. In November 2020, Germany extended the enhanced electric vehicle subsidy to 2025. It also provided an additional $16 billion to cover fixed costs of companies and solo entrepreneurs affected by the lockdown re-imposed in November, capped at $225,000 and $5,625 respectively.

The Fall 2020 stimulus packages again emphasized investments in infrastructure and the future.  Singapore funded upgrades at the Changi Air Hub, a major driver of the nation’s economy.  Singapore also dedicated funds to the development of the Tuas Port, with the first berths scheduled to be operational in 2021. When fully completed in 2040, the Tuas Port will be the world’s largest fully automated terminal. 

On November 15, 2020, UK Prime Minister Johnson announced his $15 billion “Ten Point Plan for a Green Industrial Revolution.” The plan called for funding of hydrogen fuel technology, a quadrupling of offshore wind power by 2030, and investments in small, advanced nuclear reactors. Its proposal to ban sales of new gasoline and diesel cars by 2030 grabbed the media’s attention. On November 25, 2020, a $125 billion National Infrastructure Plan was announced as part of the annual Spending Review. The plan seeks to upgrade the nation’s roadways, railways, and develop a network of fiber broadband cables. A billion pounds were set aside for building retrofits, and another billion to “future-proof” the electricity grid along motorways and to support the installation of high-powered charging hubs at motorway service areas by 2023.

Recent Stimulus

Stimulus efforts continued in December 2020 and into 2021. Germany announced a $12.3 billion package to support companies impacted by the shutdown over the 2020 Christmas season, and Chancellor Merkel stated additional “large sums” could be deployed in 2021. Singapore moved into Phase 3 of its reopening plan on December 28, 2020, and has not reported more than one new case of locally transmitted COVID-19 in a single day since February 13, 2021. The country continues to seek ways to reopen to international travel, including constructing the Connect@Changi bubble to permit international business travelers to meet in Singapore. It also implemented new support measures for the finance industry and the local construction industry. The UK extended the furlough and business loan schemes, announced new grant programs, including a $1,250 Christmas grant for pubs, and announced new rounds of funding for Scotland, Wales, and Northern Ireland, which can be spent on business support and COVID-19 medical response efforts, among other things. 

Conclusion

Each country is projected to bounce back to positive growth in 2021, with the IMF projecting annual GDP growth rates of 3.5%, 4.5%, and 5% for Germany, the UK, and Singapore respectively. There is, of course, a good deal of uncertainty regarding those projections with so much still unknown regarding the efficacy, manufacture, and distribution of vaccines, whether the emergence of new virus variants will slow down containment, and whether governments will continue to spend to support their respective economies. One thing that looks increasingly clear, however, is that the multitude of programs discussed above cushioned the economic blow dealt by the virus, and provided some much-needed breathing space (literally and figuratively) as well as a platform for a hoped-for economic resurgence in 2021 and beyond. 

[1] For ease of comparison, all currencies have been converted to US dollars.  The exchange rates were taken as of July 1, 2020, and are as follows: $1 = €0.889 = £0.801 = S$1.394. 

While some forms of payments fraud have existed for centuries (like forged checks), others have emerged more recently. And as banking technology and payment methods evolve, fraudsters are doing their part to keep pace, including by updating classic payment fraud schemes to take advantage of the COVID-19 pandemic. Payments fraud generally falls into two categories:

• unauthorized payments – such as unauthorized ACH debits, altered or forged checks, or transactions initiated after an account takeover; and
• scams – such as fraudulently induced payments, “bad check” scams, and revocable payment fraud.

Some of these traditional fraud schemes have been tailored to take advantage of the pandemic situation by targeting vulnerable consumers (e.g., through imposter or work-from-home scams) and state unemployment agencies, which are defrauded when criminals use consumers’ stolen personally identifiable information (PII) to fraudulently apply for unemployment insurance in the victim’s name, then transfer funds through a “money mule” account.

 A variety of different laws, regulations, and payment system rules are relevant to payments fraud, and different rules apply based on the type of transaction and nature of the fraud.

Core laws applicable to payments fraud include:

• For check transactions: UCC Article 3 – Negotiable Instruments[1], and Article 4 – Bank Deposits and Collections[2];
• For consumer electronic fund transfers: the Electronic Fund Transfer Act[3] and its implementing regulation, Regulation E[4]; and
• For commercial funds transfers: UCC Article 4A – Funds Transfers.

Other laws may also have relevance, such as the various prohibitions on unfair, deceptive and abusive acts or practices (UDAAP), anti-money laundering requirements under the Bank Secrecy Act[5] (BSA), and the privacy and data security requirements for financial institutions under the Gramm-Leach-Bliley Act[6] (GLBA). Further, private sector payment system rules, such as the NACHA Operating Rules for ACH[7], may also apply, particularly with respect to the allocation of loss between financial institutions. Which laws apply, and how, may depend on characteristics of the transaction, including the payment channel, whether the payment was unauthorized or resulted from a scam, and whether it is a consumer or commercial transaction.

Check Fraud

Traditional types of check fraud include check alteration (e.g. changes to the payee or amount of a check), check forgery (a forged drawer’s signature), counterfeit checks, and bad check scams (where a consumer receives a bad check, deposits it, and is asked to send some or all of the provisionally credited funds to a third party).

The UCC generally requires a paying bank to recredit its customer’s account when it pays an unauthorized check, which provides customers protection against checks that are not properly payable. In addition, transfer and presentment warranties determine the allocation of loss between the depositary bank and the paying bank.[8] Whereas, in a bad check scam, the loss is likely to fall on the consumer who deposited the bad check when the check is returned unpaid by the paying bank. In these bad check schemes, fraudsters take advantage of a victim’s lack of understanding of payment system functionality and applicable legal framework by instructing the victim to transfer funds through an irrevocable payment channel (wire transfer) or a method that is difficult to trace and recover (purchasing and mailing a prepaid card) once the depositary bank provisionally credits the funds.

Wire Transfer Scams

Business email compromise (BEC) is a sophisticated form of payments fraud that has emerged in recent years. BEC targets businesses in which employees are tricked into sending funds to a fraudster (typically by wire transfer, but sometimes an ACH credit transfer). BEC is carried out through the compromise of legitimate email accounts and social engineering. Many large banks have taken action to try and prevent their customers from falling victim to BEC, including extensive education campaigns.

For commercial transactions, the allocation of loss that results from a BEC scam between the commercial customer and the bank is determined by Article 4A’s security procedure framework. In particular, the commercial customer (Sender) is not liable to the Sending Bank for a funds transfer that was not authorized. However, the transfer can be deemed “authorized” if the Sending Bank verified the authenticity of the instruction using a mutually agreed upon “security procedure,” the security procedure is commercially reasonable, and the bank accepted the payment order in “good faith” and in compliance with the security procedure.

COVID-19 Scams

Fraudsters have taken advantage of the COVID-19 pandemic to target vulnerable consumers, such as the elderly and unemployed. These scams provide a new twist on classic payment fraud schemes, and have taken various forms, including:

• those involving government impersonators;
• fraudulent cures, medical equipment or charities;
• work-from-home fraud;
• contact tracing scams; and
• scams relating to the CARES Act Economic Impact Payments.

These criminal acts may involve an “imposter scam” scenario, or utilize the “bad check” or fraudulently induced wire transfer schemes, with legal responsibility for the loss determined by existing payment laws and regulations as applicable.

Fraudsters have also targeted state unemployment agencies with scams in which a criminal submits fraudulent unemployment insurance claims using consumers’ stolen personally identifiable information (PII), and instructs payments to accounts controlled by money mules (generally by ACH), who themselves may be either witting or unwitting participants and may be lured to participate through good-Samaritan, romance, and work-from-home schemes. This type of fraud has been facilitated by recent large scale data breaches that led to widespread access to consumer PII that can be used to perpetrate payments fraud and for other illicit purposes, such as identity theft.

Notably, FinCEN has released advisories providing financial institutions guidance on potential red flags of such schemes for purposes of Suspicious Activity Reporting obligations under the Bank Secrecy Act, including where a customer receives multiple state unemployment insurance payments to their account within the same disbursement timeframe from one or multiple states, or receives an unemployment insurance payment from a different state from where the customer lives or works.[9]

Policy Considerations

As banks undertake more measures to help customers avoid becoming victims of payments fraud schemes, it is important to consider whether by doing so they are altering the “delicate balance” of interests contemplated under existing loss allocation rules for fraudulent payments and, if so, how that may impact the availability and pricing of certain types of payments in the future.

[1] UCC §§ 3-101 et seq.

[2] UCC §§ 4-101 et seq.

[3] 15 USC §§ 1693 et seq.

[4] 12 CFR Part 1005

[5] 31 USC §§ 5311 et seq.

[6] 15 USC §§ 6801 et seq.

[7] See https://www.nacha.org/rules/operating-rules.

[8] For example, under the UCC, the depositary bank generally bears the loss for improper endorsements and alterations, while the paying bank generally bears the loss for a forged drawer’s signature or a counterfeit check. These UCC provisions reflect the long-standing rule from Price v. Neal, 3 Burr. 1354, 97 Eng. Rep. 872 (KB. 1763).

[9] FIN-2020-A003, 2020 Advisory on Imposter Scams and Money Mule Schemes Related to Coronavirus Disease 2019 (COVID-19) (July 7, 2020), available at: https://www.fincen.gov/sites/default/files/advisory/2020-07-07/Advisory_%20Imposter_and_Money_Mule_COVID_19_508_FINAL.pdf.

Most-Favored Nations (MFN) clauses (also known as antidiscrimination clauses or most-favored customer clauses) are common in business today. These provisions require that the supplier will treat a particular customer no worse than all other customers (and sometimes even better).  They are often coupled with some sort of monitoring mechanism, such as the power to audit the supplier.  For example, imagine a flour mill signs a requirements contract with Bakery A that contains an MFN clause.  The mill cannot then turn to Bakery B and offer the flour at a lower price without either a) offering the same to Bakery A or b) breaching the requirements contract.  These clauses can extend beyond price to other contractual terms and conditions (e.g., product release dates, promotional prices, or product offerings).

Common as they may be, a series of lawsuits out of New York and California will subject those very clauses to scrutiny under U.S. antitrust law.  First, a class action suit against Amazon and the five largest book publishers in the United States—Hachette Book Group, HarperCollins Publishers, Macmillan Publishing Group, Penguin Random House, and Simon & Schuster (the “Big Five”)—alleges that MFN clauses in ebooks agency contracts amount to an illegal price-fixing agreement.[1]  The suit echoes a 2012 suit against Apple and the Big Five that culminated in a consent decree restricting the use of MFN clauses that prevented ebook retailers from adding their own discounts. 

The second class action accuses Valve, Inc. of using MFN clauses in its contracts with game developers—both big (Ubisoft) and small (Rust)—to maintain its monopoly in personal computer video game sales through its online marketplace Steam as well as stifle competition more generally.  The complaint alleges that the MFN clauses cause game prices across online marketplaces to be the same even though stores like the Epic Games Store take a smaller commission than Valve.  Rather than pass those savings on to the consumer, the developers must maintain higher prices to remain profitable on Steam. 

While the suits target different markets, they boil down to the same issue: when do MFN clauses become anticompetitive?  As the panels to a day-long public workshop on these types of clauses by the 2012 Department of Justice and Federal Trade Commission indicate, it depends on the market at issue, the contracting parties, and the effect on that market.  On the one hand, MFN clauses are practical and advantageous in that they eliminate the purchaser’s risk in negotiating a bad deal under unstable pricing conditions, reduce transaction costs in re-negotiating agreements upon discovery of lower prices, and are generally benign when market power is absent.  On the other hand, MFN clauses as a price-monitoring mechanism can be used to facilitate collusion amongst competitors; discounts to the purchaser’s competitors and new market entrants, regardless of their size, are effectively foreclosed, resulting in increased prices overall.  For these reasons and more, MFN clauses alone are subject to the rule of reason—a lenient standard that requires a rigorous market analysis.

So, what made Amazon and Valve targets for these suits? Market power.  Amazon was public enemy number two (second only to Google) in the House Judiciary Committee’s antitrust report on competition in digital markets, which denounced Amazon’s impact on small- and medium-sized enterprises dependent on the monopolist’s platform.  A humble bookseller no more, the class action alleges that Amazon now enjoys a stunning 90% of the ebook market.  As for Valve, European antitrust regulators recently fined them 1.6 million euros (approx. $2 million) for the practice of restricting access to games based on physical location, which the European Commission deemed an illegal partition of the Digital Single Market. And U.S. regulators may turn towards Valve if the class action is correct in asserting that 75% of all PC games sold in the United States are through Steam.  Both companies have inordinate market share for online sales at a time when antitrust enforcement is experiencing a renaissance and the digital economy is subject to exacting scrutiny. 

The suits should not be a cause for alarm for most companies using MFN clauses.  After all, when small purchasers in unconcentrated markets use MFN clauses to reduce price fluctuations or to commit to a long-term business relationship, courts should recognize that the economic efficiencies outweigh the anticompetitive effects.  But when big tech closes off competition by maverick firms, keeps a watchful eye on its supplier through auditing rights or algorithmic pricing, and guarantees dominance over an extended period of time, it is no surprise that consumers, competitors, and Congress cry foul.  MFN clauses have a time and a place, but it is not at the top.

The United Kingdom Government introduced a National Security and Investment Bill (the “Bill”) to Parliament in November 2020. It passed the House of Commons on 20 January 2021 and will now make its way through the House of Lords. When enacted, the Bill will give the Government unprecedented new powers to investigate and block corporate deals that it suspects might threaten the security of the UK, with potentially thousands of deals having to be pre-notified and cleared by the Government each year. While it is not limited to foreign investment, non-UK investors may attract additional scrutiny. Deal-makers will therefore now need to navigate a new regulatory regime that is much more onerous than the current limited national security intervention powers, and in addition to the usual UK merger control rules.

This piece looks at the background to the Bill, the mandatory notification procedure it will introduce,  the Government’s powers to ‘call-in’ other deals for review, how it will assess national security risks and the potential implications of the Bill for investors.

The Bill a Government white paper, a Parliamentary Select Committee inquiry, and various interim measures stemming from concern over foreign investment in UK assets, including Chinese investment in the Hinkley Point nuclear power plant and Huawei’s involvement in the UK 5G network. There have also been allegations of ‘aggressive acquisitions’ during the COVID-19 pandemic, with the Government giving itself new intervention powers to protect the UK’s capability to combat public health emergencies. There was therefore little surprise when the Government announced a new framework to allow further scrutiny of transactions and investments. At present, the UK Government can only intervene in a transaction on national security grounds where the deal meets the thresholds for UK merger control. The bar for that has recently been lowered for targets with potential national security implications in order to facilitate more Government intervention, but the Bill will replace that regime with a greatly expanded role for the State.

First, the Bill will introduce a pre-closing notification obligation for certain deals, which the Government estimates will catch over 1,000 transactions per year. Second, it will empower the Government to ‘call-in’ acquisitions it considers may give rise to a national security risk, up to five years after the deal has completed. As an anti-avoidance measure, the latter power will apply to any deal completed on or after 12 November 2020 (the day after the Bill was introduced to Parliament).

Mandatory Notification

Scope

The obligation to notify the of a deal will arise where an investor acquires a right or interest in a “qualifying entity” that participates in particular activities within certain key sectors. A qualifying entity can be any form of legal entity (e.g. a company, partnership or trust) and includes non-UK entities that carry on activities in the UK or supply goods or services to persons in the UK. The Bill gives the Government wide powers to make regulations specifying the sectors of the economy and the types of transaction and activity that will engage the notification obligation.

The Government launched a public consultation on the sectors and deals it proposes should be covered, which closed in early January. The results have not yet been announced so it remains to be seen whether the responses will affect the Government’s plans, but the consultation identified 17 sectors as raising potential concerns. These include not only the most obvious candidates but also broad categories that may not have immediately obvious national security implications. The proposed sectors are:

• Advanced Materials
• Advanced Robotics
• Artificial Intelligence
• Civil Nuclear
• Communications
• Computing Hardware
• Critical Suppliers to Government
• Critical Suppliers to the Emergency Services
• Cryptographic Authentication
• Data Infrastructure
• Defence
• Energy
• Engineering Biology
• Military and Dual-Use Technologies
• Quantum Technologies
• Satellite and Space Technologies
• Transport

There is no minimum target turnover or deal value threshold for the notification obligation to apply, and it will catch deals involving non-UK entities that are active in the UK.

Level of Control

A “notifiable acquisition” will arise where the transaction results in the acquiring person either acquiring a right or interest equivalent to at least 15% of the shares or voting rights in the target, or gaining control over the target. Gaining control of an entity means acquiring either:

• more than 25% of the shares or voting rights, with a new notifiable acquisition if an existing shareholder passes thresholds of 50% or 75%; or
• voting rights that enable the acquirer to ensure or prevent the passage of any class of resolution.

Consequences

The Bill provides that a notifiable acquisition will be void if it completes without Government approval. It is not clear what that will mean in practice. Most obviously, it would mean that the terms of the deal would be legally unenforceable. If the parties were content to implement the deal regardless, the Government would have the same powers to unwind a non-notified deal as it has under the voluntary regime (see below).

There will also be very significant corporate and personal consequences for failing to clear a notifiable acquisition. A person who completes such a deal (including any director, manager etc. of a body corporate) risks a criminal conviction with up to five years imprisonment, an unlimited fine, or both. Alternatively, the Government will be able to impose civil penalties of up to the greater of 5% of turnover or £10 million.

Unlike the voluntary regime, the mandatory notification obligation will not have effect so will not affect deals closed prior to the Bill becoming law. However, investors in UK businesses (and businesses with UK interests) should follow the Bill with keen interest, in anticipation of being faced with a significant new regulatory hurdle in 2021.

The ‘Call-in’ Regime and Voluntary Notification

The Bill does not just create risk for deals that qualify as notifiable acquisitions; it also empowers the Government to ‘call-in’ non-notifiable deals for review where it perceives national security concerns.

Scope

This power will exist where a “trigger event” takes place in relation to a “qualifying entity” (see above) or a “qualifying asset”, and the Government thinks the deal could create a national security risk.

The term “qualifying asset” covers a very broad range of assets, including land and corporeal moveable property as well as “ideas, information or techniques which have industrial, commercial or other economic value” (the Bill gives the examples of trade secrets, databases, source code, algorithms, formulae, designs, software, and plans, drawings and specifications). In each case, the asset must be either within the UK or its territorial sea (in the case of land or corporeal property), or otherwise used in connection with activities carried on in the UK or the supply of goods and services to persons in the UK.

A “trigger event” will occur where a person gains control of a qualifying entity or asset. Control of an entity is defined as explained above (and so the 15% threshold does not apply to the call-in power), or where the acquirer gains material influence over the target’s policy (reminiscent of the ‘control’ test in UK merger control). For an asset, gaining control means a person acquiring a right or interest in, or in relation to, the asset that makes them able to use the asset or direct or control how it is used (or able to use it / direct its use to a greater extent). There is, again, no minimum turnover or deal value threshold.

These very broad definitions will give the Government a call-in power over essentially any type of deal where a national security risk might be identified.

Timings

The call-in power can be invoked within six months of the Government becoming aware of the trigger event, up to a maximum of five years after the trigger event. This extremely long window is intended to ensure no transactions slip through the net, either by accident or by design.

This lengthy risk period can be avoided by voluntarily sending notification of the relevant transaction (either before or after completion) to a new Investment Security Unit under the remit of the Business Secretary. As with merger control, it will be for the Government to decide whether the notification contains sufficient information, which means it will control the clock. Once the Government accepts the notification it will have 30 working days to decide whether to call-in the deal for further investigation over an additional 30 working day period (extendible to 75 working days).

A key point to note is that all deals completed after 12 November 2020 will come within the scope of the call-in regime, with the six month / five year periods only commencing when the relevant provisions of the Bill take effect. This anti-avoidance measure means the Bill must already be factored into deals that might raise UK national security considerations, particularly because the process to have a deal cleared via voluntary notification will not even become available until the Bill is fully enacted and in force. In the interim period, parties will have no option but to decide whether to proceed at risk.

Consequences

Where the Government identifies a risk to national security it can impose remedies to prevent, remedy or mitigate that risk. The Bill gives a wide discretion on the remedies that can be imposed, but options are likely to include:

• unwinding a completed deal (e.g. by divestment of the relevant entity or asset);
• prohibiting a deal that has not yet been completed;
• requiring the business to appoint someone to supervise and potentially control any activities that would cause a national security concern; and
• operational restrictions, such as making UK security clearance a condition of a person accessing particular information, working at a particular site, taking part in certain operations, or even holding a management role in the organisation.

If a completed deal is called-in or notified, the Government will be able to impose interim orders to prevent the review process being frustrated, most obviously by prohibiting the acquirer from integrating the acquired business or asset into its own operations. Such orders are routinely made in merger control cases, but may well be even stricter in the national security context.

In a further parallel with UK merger control (also, in principle, a voluntary regime), the potential consequences of completing a deal only for it to be called-in for review – including the administrative and financial burden of complying with an interim order, as well as the substantive risk of a forced sale of the entity or asset purchased – mean that buyers and investors are likely to err on the side of caution and try to make any deal that might have national security implications conditional on Government clearance.

Interestingly (and very much unlike merger control), the Bill confers a power on the Government to give financial assistance to an entity in consequence of an order. That perhaps reflects a principle that the State should meet at least part of any additional cost incurred by a private entity as a result of measures imposed on national security grounds.

How Will National Security Risks Be Assessed?

The Bill does not define potential risks to national security in any meaningful sense. However, the Government has published a draft ‘Statement of Policy Intent’ describing how it expects to use the call-in power.

The Government expects to consider three risk factors:

1. Target risk: the entity or asset subject to the trigger event could be used to undermine UK national security (e.g. the entity or asset plays a key role in national security matters or could, simply because of its nature, put national security at risk if it fell into the ‘wrong’ hands – there is likely to be significant overlap here with the sectors identified for mandatory notification);
2. Trigger event risk: the acquisition itself could undermine national security (e.g. because it could facilitate unauthorised access to sensitive information, or give a hostile actor leverage over the UK in other matters); and
3. Acquirer risk: the identity of the acquirer would give rise to national security concerns.

On the latter risk, a range of factors would need to be considered on a case-by-case basis, but the nationality of the acquirer – while not formally part of any test under the Bill – will surely be a key issue. However, concerns will not necessarily be limited to nationals of hostile states: in 2019 the UK Government intervened in the acquisition of the British satellite telecommunications company Inmarsat plc by Connect Bidco, a US-UK-Canadian joint venture, obtaining undertakings to ensure the maintenance of strategic services and prevent unauthorised access to sensitive information.

The various risks will be considered in combination – for example, the draft Statement of Policy Intent notes that a pension fund investing in UK infrastructure would involve a target risk but no acquirer risk.

Use and Application

At this point, it is only possible to speculate as to how strictly the Government will apply the powers in the Bill and, in particular, how many deals will need to be notified pursuant to the Bill. By the Government’s own estimate, however, mandatory filings alone will result in between 1,000 and 1,830 notifications per year.

For the voluntary regime, and notwithstanding that the draft Statement and other guidance documents give some indication of how risks will be assessed, it will take time to build up a body of precedent that will allow buyers to consider when to notify. Even that may be complicated by the need for confidential decisions in light of the obvious sensitivities. Buyers are therefore likely to err on the side of caution for some time, in which case the Government should also expect to receive a large number of voluntary notifications.

There will therefore be an enormous increase in the number of cases dealt with compared to the current public interest intervention regime, under which only 12 transactions have been reviewed on national security grounds since 2003 (albeit with a recent uptick following reductions to the applicable turnover thresholds, including the frustration of Chinese-backed Gardner Aerospace Holdings’ proposed acquisition of Impcross, a UK manufacturer of aerospace components).

The Bill will impose a strict and wide-ranging new regime that has the potential to cause significant disruption to deals and investments. It is essential that investors, sellers and advisers are aware of the risks involved, including for any deal completed after 12 November 2020, and plan their transactions accordingly.

On January 19, 2021, the American Bar Association (ABA) Derivatives and Futures Law Committee’s Innovative Digital Products and Processes Subcommittee (IDPPS) Jurisdiction Working Group released an update to its comprehensive white paper addressing jurisdictional issues associated with digital products, including cryptocurrencies and other digital assets, and digital processes, such as blockchain.[1]

The updated white paper gives an in depth analysis of several current issues in the cryptocurrency and digital asset space that have developed since the March 2019 publication of the first white paper, including:

• rapid development of Stablecoins;
• growth of the decentralized finance movement and the increasing number of state central banks exploring the creation of virtual currencies;
• 2020 guidance from the CFTC concerning “actual delivery” of digital assets and related litigation;
• The SEC’s Digital Asset Framework, its first issuance of digital asset-related no-action letters, and further developments in its key enforcement actions targeting significant digital asset projects;
• SEC staff guidance on the custody of digital asset securities under the rules applicable to broker-dealers;
• Recent case law developments in certain CFTC enforcement actions involving digital assets;
• New developments regarding the Travel Rule’s application to virtual asset service providers;
• FinCEN’s first assessment of civil money penalties against a peer-to-peer virtual currency exchanger; and
• International developments, including the EU’s recent approval of the Sixth Anti-Money-Laundering Directive.

The need for this update reflects the rapid evolution of the digital asset and cryptocurrency space.  As regulators worldwide endeavor to keep pace with this ever-developing industry, it is imperative that market participants continue to keep themselves informed of the applicable legal and regulatory landscape, as detailed in this update.  Several key developments merit further discussion below, as we expect that regulators will focus on these areas in the coming years.

A. Stablecoins

Stablecoins were developed in response to the price volatility of bitcoin and other cryptocurrencies.[2]  As their name suggests, Stablecoins aim to “increase price stability,” given that their value is tied to fiat currencies, which typically are “stable and liquid.”[3]  The stability of Stablecoins should increase their market acceptance, particularly for payment purposes.[4]   

In 2019, the Swiss Financial Market Supervisory Authority (FINMA) released Stablecoin guidelines.[5]  This guidance noted that while Swiss law lacks specific provisions to regulate Stablecoins, they would be treated the same as any other blockchain-based tokens.  The specific characteristics of Stablecoins can influence which financial laws apply.  For example, if a token is linked to a particular fiat currency, it likely would be categorized as a deposit under the banking laws.  The updated white paper explores FINMA’s and other regulators’ evolving approaches to Stablecoins in more depth.

B. Actual Delivery

The Commodity Exchange Act (CEA) provides that agreements, contracts, or transactions in commodities—other than foreign currencies or securities—entered into by or offered to retail customers on a leveraged, margined, or financed basis must be regulated as or “as if” they were futures, unless covered by an exemption.[6]  This effectively means that a non-exempt transaction may be executed only on or subject to the rules of a CFTC-regulated exchange, and persons providing services in connection with nonexempt transactions may be covered by one of the CEA’s registration categories for professionals.

One oft-discussed exception to this requirement is for contracts for commodity sales that result in actual delivery of the commodity within 28 days.  The CFTC has been grappling for years with its interpretation of the term “actual delivery.”[7]  The need to clarify the meaning of actual delivery in virtual currency transactions became more pronounced in 2016, when the CFTC brought its first enforcement action against a trading platform that offered retail commodity transactions in virtual currency without registering with the CFTC.[8]  In its settlement order against that platform, Bitfinex, the CFTC took the position that delivery of bitcoin purchased with borrowed funds to a private, omnibus settlement wallet where the coins were held for the benefit of the buyer but also as collateral for the loan did not constitute actual delivery, because the buyer did not have any rights to access or use the purchased bitcoin until released by Bitfinex following satisfaction of the loan.  In March 2020, the CFTC addressed the uncertainty surrounding the concept of “actual delivery” in the context of digital asset transactions by issuing an interpretation that aligns with the approach it employed in Bitfinex.  This guidance provides, in part, that the actual delivery exception applies only when a customer secures possession and control of, and has the ability to use freely in commerce, the entire quantity of the digital asset no later than 28 days from the date of the transaction, rendering any lien on the digital asset as a means to secure repayment incompatible with actual delivery.[9]  The updated white paper examines the CFTC’s actions in this area in greater depth.

C. SEC Digital Asset Framework and Other Enforcement Issues

In April 2019, the SEC’s Strategic Hub for Innovation and Financial Technology (FinHub) published the Digital Asset Framework,[10] which provides guidance regarding FinHub’s view as to whether a given digital asset would be considered a security—and thus subject to SEC regulation—under the test set forth in SEC v. W.J. Howey Co.[11]  The SEC staff also recently issued its first digital-asset-related no-action letters, confirming that two digital assets that essentially function as stored-value cards would not be deemed securities.  The Framework and other developments concerning the SEC’s regulation of digital assets are discussed in detail in the updated white paper. 

The white paper also addresses the regulatory uncertainty attending digital assets, which could potentially frustrate law enforcement and innovation.  The CFTC and the SEC appear to be coordinating in combatting perceived fraudulent activity involving cash market transactions in digital assets, but their coordination does not necessarily mean that where only one agency initiates an action, only that agency has jurisdiction.  One legislative attempt to address this regulatory uncertainty is the Digital Commodity Exchange Act of 2020 (DCEA), which was introduced to fill regulatory gaps that exist between the CFTC and the SEC and to provide a clear means by which market participants could ensure that their transactions in digital assets comply with the law.  The updated white paper includes more detailed discussion of the DCEA.

D. Travel Rule

FinCEN’s Travel Rule has been a recent focus of international attention, with the Financial Action Task Force (FATF) adopting an interpretive note in June 2019 confirming that countries should apply provisions similar to the Travel Rule to virtual asset services providers.[12]  In the United States, FinCEN has confirmed that the Travel Rule is the most commonly cited violation by the IRS against money services businesses engaged in virtual currency money transmission.[13]  The updated white paper expands on this topic in detail. 

[1] By Michael Spafford and Katherine Berris of Paul Hastings, Jonathan Marcus of Skadden, and Daren Stanaway of Interactive Brokers.

[2] Tim Swanson, Why Bitcoin Needs Fiat (And This Won’t Change in 2018), Coindesk (Jan. 4, 2018), https://www.coindesk.com/bitcoin-still-needs-fiat-currency-wont-change-2018/.

[3] Id.

[4] FINMA, Supplement to the Guidelines for Enquiries Regarding the Regulatory Framework for Initial Coin Offerings (ICOS) (2019), https://www.finma.ch/en/news/2019/09/20190911-mm-stable-coins/.

[5] Id.

[6]  7 U.S.C. § 2(c)(2)(D)(iii).

[7] American Bar Association Derivatives and Futures Law Committee Innovative Digital Products and Processes Subcommittee Jurisdiction Working Group, Digital and Digitized Assets: Federal and State Jurisdiction Issues 61 (2020), https://www.americanbar.org/content/dam/aba/administrative/business_law/buslaw/committees/CL620000pub/digital_assets.pdf.

[8] See In re BFXNA Inc., CFTC No. 16-19 [2016-2017 Transfer Binder] Comm. Fut. L. Rep. (CCH) ¶ 33,766 (June 2, 2016).

[9] Retail Commodity Transactions involving Certain Digital Assets, 85 Fed. Reg. 37,734, 37,742–43 (June 24, 2020).

[10] SEC, Strategic Hub for Innovation and Financial Technology, Framework for “Investment Contract” Analysis of Digital Assets (Apr. 3, 2019), https://www.sec.gov/corpfin/framework-investment-contract-analysis-digital-assets.

[11] SEC v. W.J. Howey Co., 328 U.S. 293 (1946).

[12] See FATF, Outcomes FATF Plenary, 16-21 June 2019 (June 21, 2019), https://www.fatfgafi.org/publications/fatfgeneral/documents/outcomes-plenary-june-2019.html. FinCEN subsequently “applauded” FATF’s interpretation. See FinCEN, Prepared Remarks of FinCEN Director Kenneth A. Blanco at Chainalysis Blockchain Symposium (May 13, 2020), https://www.fincen.gov/news/speeches/prepared-remarks-fincen-directorkenneth-blanco-delivered-consensus-blockchainsymposium.

[13] See FinCEN, Prepared Remarks of FinCEN Director Kenneth A. Blanco at Chainalysis Blockchain Symposium (Nov. 15, 2019), https://www.fincen.gov/news/speeches/prepared-remarks-fincen-director-kenneth-blancochainalysis-blockchain-symposium.

Buried in the $740.5 billion National Defense Authorization Act for 2021[1] (“NDAA”) are numerous provisions that affect financial services law.  Although the news media directed most of their coverage to Congress’s override of President Trump’s veto of the massive bill[2], this article discusses a few of the provisions that should be of interest to the financial services bar. 

Disgorgement Authority

Of major significance is a provision that enhances the Securities and Exchange Commission’s (“SEC”) authority to seek disgorgement remedies in conjunction with an enforcement action.[3]  The provision addresses a limitation on the SEC’s authority to seek equitable remedies against bad actors.  In Kokesh v. SEC, the U.S. Supreme Court held that the five-year statute of limitations in 28 USC § 2462 applies when the SEC seeks disgorgement from those who have wrongfully enriched themselves. The court held that “disgorgement, as it is applied in SEC enforcement proceedings, operates as a penalty under § 2462.  Accordingly, any claim for disgorgement in an SEC enforcement action must be commenced within five years of the date the claim accrued.”[4]  In testimony before the U.S. Senate Committee on Banking, Housing, and Urban Affairs, SEC Chairman Jay Clayton asserted that the Kokesh decision has had the

anomalous effect of allowing the most “successful” perpetrators of fraud—those whose frauds are well-concealed and stretch beyond the five-year limitations period—to keep their ill-gotten gains.  Since Kokesh was decided, an estimated $1.1 billion in ill-gotten gains has been unavailable for possible distribution to harmed investors, much of which is tied to losses by investors.[5]

Chairman Clayton further noted:

I greatly appreciate the bipartisan, bicameral work underway to address this issue, and I welcome the opportunity to continue to work with Congress to ensure the Commission is able to seek recoveries in cases of well-concealed, long-running frauds so that defrauded retail investors can get their investment dollars back while remaining true to the principles embedded in statutes of limitations.[6]

Apparently, those efforts bore fruit in the NDAA.  The legislation amends Section 21(d) of the Securities Exchange Act of 1934 (“Exchange Act”), granting the SEC the authority to seek disgorgement against the person who received “unjust enrichment.”  Congress included a statute of limitations of ten years for equitable remedies in most instances.  The statute of limitations “clock” does continue to run during any time that the bad actor is outside of the United States.

I have prepared a mark-up showing how Congress amended Section 21 of the Exchange Act (in “Hill-speak” a “Ramseyer”).  I have struck through deletions and marked the legislative changes in italics.  It appears below:

H.R. 6395

The “William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021”

******

Amendments of Title LXV – Miscellaneous

******

SEC. 6501. INVESTIGATIONS AND PROSECUTION OF OFFENSES FOR VIOLATIONS OF THE SECURITIES LAWS

[Page 1238]

(a) IN GENERAL. —Section 21(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78u(d)) is amended —

(3) CIVIL MONEY PENALTIES IN CIVIL ACTIONS.— AND AUTHORITY TO SEEK DISGORGEMENT

(A) AUTHORITY OF COMMISSION.—Whenever it shall appear to the Commission that any person has violated any provision of this title, the rules or regulations thereunder, or a cease and-desist order entered by the Commission pursuant to section 21C of this title, other than by committing a violation subject to a penalty pursuant to section 21A, the Commission may bring an action in a United States district court to seek, and the court shall have jurisdiction to impose, upon a proper showing, a civil penalty to be paid by the person who committed such violation. “jurisdiction to—

“(i) impose, upon a proper showing, a civil penalty to be paid by the person who committed such violation; and

“(ii) require disgorgement under paragraph (7) of any unjust enrichment by the person who received such unjust enrichment as a result of such violation.”

(B) AMOUNT OF PENALTY. — 

(i) FIRST TIER. — The amount of the penalty a civil penalty imposed under subparagraph (A)(i) shall be determined by the court in light of the facts and circumstances. For each violation, the amount of the penalty shall not exceed the greater of (I) $5,000 for a natural person or $50,000 for any other person, or (II) the gross amount of pecuniary gain to such defendant as a result of the violation.

(ii) SECOND TIER. — Notwithstanding clause (i), the amount of penalty amount of a civil penalty imposed under subparagraph (A)(i) for each such violation shall not exceed the greater of (I) $50,000 for a natural person or $250,000 for any other person, or (II) the gross amount of pecuniary gain to such defendant as a result of the violation, if the violation described in subparagraph (A) involved fraud, deceit, manipulation, or deliberate or reckless disregard of a regulatory requirement.

(iii) THIRD TIER.—Notwithstanding clauses (i) and (ii), the amount of penalty for each such violation amount of a civil penalty imposed under subparagraph (A)(i) for each violation described in that subparagraph shall not exceed the greater of (I) $100,000 for a natural person or $500,000 for any other person, or (II) the gross amount of pecuniary gain to such defendant as a result of the violation, if— (aa) the violation described in subparagraph (A) involved fraud, deceit, manipulation, or deliberate or reckless disregard of a regulatory requirement; and (bb) such violation directly or indirectly resulted in substantial losses or created a significant risk of substantial losses to other persons.

(C) PROCEDURES FOR COLLECTION. — [No change.]

* * * * *

(D) SPECIAL PROVISIONS RELATING TO A VIOLATION OF A

CEASE-AND-DESIST ORDER.  [No change.]

* * * * *

(4)  PROHIBITION OF ATTORNEYS’ FEES PAID FROM COMMISSION DISGORGEMENT FUNDS.—Except as otherwise ordered by the court upon motion by the Commission, or, in the case of an administrative action, as otherwise ordered by the Commission, funds disgorged under paragraph (7) as the result of an action brought by the Commission in Federal court, or as a result of any Commission administrative action, shall not be distributed as payment for attorneys’ fees or expenses incurred by private parties seeking distribution of the disgorged funds.

(5) EQUITABLE RELIEF [No change.]

* * * * *

(6) AUTHORITY OF A COURT TO PROHIBIT PERSONS FROM PARTICIPATING IN AN OFFERING OF PENNY STOCK [No change.]

* * * * *

(7) DISGORGEMENT. — In any action or proceeding brought by the Commission under any provision of the securities laws, the Commission may seek, and any Federal court may order, disgorgement.

(8) LIMITATIONS PERIODS.  —

(A) DISGORGEMENT. — The Commission may bring a claim for disgorgement under paragraph (7)—

(i) not later than 5 years after the latest date of the violation that gives rise to the action or proceeding in which the Commission seeks the claim occurs; or

(ii) not later than 10 years after the latest date of the violation that gives rise to the action or proceeding in which the Commission seeks the claim if the violation involves conduct that violates —  

(I) section 10(b);

(II) section 17(a)(1) of the Securities Act of 1933 (15 U.S.C. 77q(a)(1));

(III) section 206(1) of the Investment Advisers Act of 1940 (15 U.S.C. 80b–6(1)); or

(IV) any other provision of the securities laws for which scienter must be established.

(B) EQUITABLE REMEDIES. —The Commission may seek a claim for any equitable remedy, including for an injunction or for a bar, suspension, or cease and desist order, not later than 10 years after the latest date on which a violation that gives rise to the claim occurs.

(C) CALCULATION. — For the purposes of calculating any limitations period under this paragraph with respect to an action or claim, any time in which the person against which the action or claim, as applicable, is brought is outside of the United States shall not count towards the accrual of that period.

(9) RULE OF CONSTRUCTION. — Nothing in paragraph (7) may be construed as altering any right that any private party may have to maintain a suit for a violation of this Act.” 

***** 

(b) APPLICABILITY— The amendments made by subsection (a) [i.e., of this amendment] shall apply with respect to any action or proceeding that is pending on, or commenced on or after, the date of enactment of this Act.[7]

Anti-Money Laundering Provisions

Protection of Algorithms

The NDAA includes a remarkable provision to protect the privacy of algorithms that financial institutions use for their anti-money laundering (“AML”) compliance programs.  Division F of the NDAA includes many amendments to the Bank Secrecy Act (“BSA”), including provisions that expand the scope of the BSA to “value that substitutes for currency,”[8] presumably referring to cryptocurrency.  Other provisions strengthen the Financial Crimes Enforcement Network (“FinCEN”) by establishing a FinCEN exchange to facilitate voluntary public-private sharing of information[9] and increase technical assistance for international cooperation.[10]  This article does not attempt to discuss all of those provisions on a comprehensive basis. However, I will focus on one provision that may have implications beyond AML compliance, and will make a recommendation with respect to AML rules.  

The NDAA amends the Bank Secrecy Act to protect the confidentiality of algorithms that financial institutions use for their AML efforts.  Section 6209 amends 31 USC § 5318(o)(3) to provide that if a financial institution discloses to its regulator information about an algorithm that the institution uses in conjunction with its AML program, the regulator must not disclose that information to the public. 

Hedge fund managers have had legitimate concerns about revealing the details of their trading algorithms to regulators for fear of public disclosure.  Managers appreciate the need for regulatory oversight, but preferred that regulators look at actual trading patterns, rather than the algorithms, during examinations.  Managers only wished to release information about the algorithms themselves after regulators have examined other, less proprietary data, but still have regulatory concerns.

This amendment to the Bank Secrecy Act protects the confidentiality of the algorithms that financial institutions use for AML purposes, i.e., a public purpose, rather than trading algorithms.  Nonetheless, the provision demonstrates the sensitivity of algorithms and the need for confidentiality, at least in some settings.

Perhaps this amendment to the Bank Secrecy Act will validate hedge fund managers’ concerns about keeping their trading algorithms confidential unless regulators cannot reasonably discharge their oversight responsibility in any other way.

Recommendation to FinCEN

The author suggests that the Treasury Department and FinCEN should re-propose and adopt final AML rules for investment advisers.  Remarkably, FinCEN has never adopted final rules subjecting investment advisers to AML requirements.  Prior administrations have proposed rules, but never adopted them.  

The FinCEN 2015 Proposal[11] reviewed the history of the proposal and I have summarized it below:

• On September 26, 2002, FinCEN proposed rules requiring that unregistered investment companies establish AML programs (“Proposed Unregistered Investment Companies Rule”).[12] 
• On May 5, 2003, FinCEN proposed requiring that certain investment advisers establish AML programs (“First Proposed Investment Adviser Rule”).[13]
• In June 2007, FinCEN announced that it was reconsidering both the Proposed Unregistered Investment Companies Rule and the First Proposed Investment Adviser Rule, and subsequently withdrew them.[14]
• After Congress passed the Dodd Frank Act,[15] FinCEN decided to propose new AML rules for investment advisers. The proposal notes that the Dodd Frank Act required most investment advisers to be registered with the SEC.  “Accordingly, FinCEN believes the two-pronged approach of the prior proposals is no longer necessary to address the money laundering and terrorist financing risks presented by SEC registered investment adviser clients and the unregistered investment companies that are managed by such advisers.”

  Briefly, the proposal would have amended 31 CFR § 1010 to add a new subsection 100(nnn), defining an investment adviser as “[a]ny person who is registered or required to register with the SEC under section 203 of the Investment Advisers Act of 1940….”  As a result, the proposal would have made such investment advisers subject to the AML requirements.  Of course, the proposal included numerous other requirements.[16]  For whatever reason, the Obama Administration never adopted a final rule requiring that investment advisers have AML rules. 

On September 14, 2020, FinCEN published an advanced notice of rulemaking (“ANPRM”), seeking comments on ways to improve the current AML requirements.  The proposal notes that “any such amendments would be expected to further clarify that such a program assesses and manages risk as informed by a financial institution’s risk assessment, including consideration of anti-money laundering priorities to be issued by FinCEN.”[17]  The ANPRM does not include any reference to the 2015 Proposal.  The Trump Administration did not otherwise pursue the issue of applying AML requirements to investment advisers. 

In my view, the Biden Administration should re-propose rules subjecting investment advisers to AML rules.  I cannot point to a specific regulatory failure to justify my suggestion.  Nonetheless, I believe that it is time for FinCEN to adopt such requirements for the following reasons:

• Investment advisers, particularly hedge funds, have AML programs. It would be foolish indeed for any investment manager not to have a program and wittingly or unwittingly to take “dirty” money.  Any manager that accepted tainted money would face extreme reputational risk and probably would violate other statutes, depending on the circumstances. 
• In some circumstances, it may be wise to adopt rules in the absence of a crisis. As President Kennedy said, “the time to repair the roof is when the sun is shining.”[18]  I suggest that FinCEN should propose and adopt new rules in an environment that would permit thoughtful consideration of a proposal and comments rather than hastily adopting ill-conceived rules in a crisis environment.  The NRPRM noted above might inform such a proposal.
• FinCEN’s rules should reflect the existing course of business that investment managers have with other, regulated financial institutions. AML rules for investment managers should integrate with the existing regulatory framework.
• If FinCEN adopted AML rules that differ from existing practice, managers would have an opportunity to comply.

Thoughtful rules would help investment advisers do a better job of supporting the existing AML infrastructure.  Establishing clear rules for investment advisers that complement existing rules and practices would benefit everyone.

© Stuart J. Kaswell 2021, who has granted permission to the ABA to publish this article in accordance with the ABA’s release, a copy of which is incorporated by reference. Stuart Kaswell is an experienced financial services lawyer. He has worked at the Securities and Exchange Commission, as securities counsel to the Committee on Energy and Commerce of the U.S. House of Representatives (when it had securities jurisdiction), and has been a partner at two law firms and general counsel of two financial trade associations.

[1]  The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, H.R. 6395, 116^th Cong., 2d. Sess. (2021).  The bill is 1,480 pages long.

[2] The House voted to override the veto on Dec. 28, 2020; the Senate voted to override on Jan. 1, 2021. See also WSJ, Jan. 1. 2021

[3] Section 6501 of the NDAA.  See also A. Frankel, Congress hid a big gift to the SEC in defense spending bill awaiting Trump’s signature, Reuters, Dec. 23, 2020.

[4] 581 US ___ slip op. at 11 (2017).

[5] Testimony of the Honorable Jay Clayton, Dec. 10, 2019 at text accompanying footnote 76.  The Supreme Court subsequently upheld the SEC’s authority to seek disgorgement “an antecedent question” that Kokesh left unanswered. Liu v. SEC, 591 US ____ (2020), at slip op. 1.

[6] Id at text accompanying note 81.

[7] Compared to Exchange Act version dated October 2, 2019 available on the SEC’s website at https://www.govinfo.gov/content/pkg/COMPS-1885/pdf/COMPS-1885.pdf,As amended Through P.L. 115-141, Enacted March 23, 2018.

[8] Section 6102(c) of the NDAA.

[9] Section 6103 of the NDAA.

[10] Section 6111 of the NDAA.

[11] Department of the Treasury, FinCEN, RIN 1506-AB10, August 24, 2015, 80 FR 52680 (Sept. 1, 2015).

[12] Anti-Money Laundering Programs for Unregistered Investment Companies, 67 FR 60617 (Sept. 26, 2002).

[13] Anti-Money Laundering Programs for Investment Advisers, 68 FR 23646 (May 5, 2003).

[14] Withdrawal of the Notice of Proposed Rulemaking; Anti-Money Laundering Programs for Unregistered Investment Companies, 73 FR 65569 (Nov. 4, 2008); and Withdrawal of the Notice of Proposed Rulemaking; Anti-Money Laundering Programs for Investment Advisers, 73 FR 65568 (Nov. 4, 2008).

[15]  The Wall Street Reform and Consumer Protection Act (“Dodd Frank Act”), Public Law 111–203, 124, Stat. 1376 (2010).

[16] FinCEN, Department of the Treasury, RIN 1506-AB10, (Aug. 15, 2015); 80 FR 52680 (Sept. 1, 2015)

[17] Docket No. FinCEN-2020-0011, 85 FR 58023 (Sept. 17, 2020).

[18] President John F. Kennedy, Jan. 11 1962, State of the Union Address.

Owners of closely held corporations or LLCs often find themselves litigating for control of their “Company.” When that happens, on which side of the caption does the Company line up? What role should it play? And should either warring faction enjoy access to the Company’s assets to fund that side’s litigation costs?

When derivative claims are asserted, the Company must be a party,[1] but when nothing is sought on behalf of or from the Company and all the owners are before the court, should the Company be a plaintiff or a defendant, or should it be left off the caption altogether? If it is not named as a party, the court may require the Company to become one so that it will be subject to the court’s orders.

When the Company is named a nominal defendant in the Complaint, the plaintiff runs the risk that the defendant owners will retain one lawyer to represent both them and the Company and pay that lawyer’s retainer (and eventually a lot more) from the Company’s treasury, even though as a practical matter that lawyer will be advancing one side’s position in the litigation against the other. In addition to whether that is fair, joint representation raises ethical issues.[2] The result is that the choice of counsel, the authority to choose counsel, and the use of Company funds to pay counsel become issues in a soon-to-follow pretrial application for relief by the plaintiff.[3]

These issues were addressed, but not conclusively resolved, in a case that came before the Texas Supreme Court on pretrial applications to disqualify defendants’ counsel.[4] The underlying dispute, which had not yet been decided by the lower court, was between twelve LLC owners and six “Governing Persons” collectively divided into two factions. The disagreement arose from the majority’s firing of the previously unanimously elected president and managing member who, with his supporters, claimed that a unanimous vote was required for dismissal. The minority’s Complaint, asserting derivative as well as direct claims, included the LLC as a named plaintiff. The defendant majority engaged a law firm that had previously represented the LLC, funded its litigation costs from the Company treasury, and asserted counterclaims.

Late in the litigation, the minority moved to disqualify defendants’ counsel charging (1) that the law firm, having previously been counsel to the plaintiff LLC, could not appear against its former client, and (2) that the defendant faction had no authority to hire a law firm to act for the LLC.

The court noted that the core issue underlying the litigation was who had the right to control the LLC’s management, and as to this issue, each faction’s position was that the other side’s position was incorrect and harmful to the LLC. The court observed that when stripped of the baggage of the derivative label, the Company’s alignment in the caption was immaterial to this issue, noting that “[C]ompanies in derivative litigation are simultaneously ‘plaintiffs’ and ‘defendants’ depending on how you look at it.”[5]

The court reviewed decisions from other jurisdictions questioning joint representation and found no categorical rule.[6] Based on Texas law and the Texas Rule serving as the basis for one of the applications made below, and in light of the timing of the motions to disqualify, the Texas Supreme Court upheld the lower court’s discretion not to grant disqualification. The core merits question of control was capable of being fairly litigated by the factions and lawyers for both sides presently before the court.

Whether defendants had the authority to hire counsel at Company expense was not determined at this stage of the proceeding. The authority to hire counsel for an LLC often turns on whether it is a “major” or “material” or “extraordinary” or “not in the usual course of business” decision that requires unanimity or high vote under either statute or operating agreement. 

As to the inequity of one side’s use of Company money to pay its litigation costs, the court said that “adequate remedies exist” for subsequent recovery of any legal fees that may turn out to have been improperly paid from the other group’s interests in the LLC.

“Adequate remedies” after the fact may be viable if the personal resources of both sides fighting for control are such that each is able to fund its litigation costs without hardship. This may have been true in the Texas case. If one or both litigants have limited resources, the rights of one side to postlitigation remedies are of little avail when the other side is enjoying the real-time advantage of financing its position in the litigation with the Company’s funds. Courts do afford relief in those situations when timely application is made.[7]

[1]  Meyer v. Fleming, 327 U.S. 161 (1946); Liddy v. Urbanek, 707 F.2d 1222 (11th Cir. 1983). In Cotter on behalf of Reading International, Inc. v. Kane, 473 P.3d 451 (Nev. 2020), the plaintiff, asserting that his termination as corporate president was void, filed a derivative action against the directors naming the corporation as a nominal defendant.  Although the corporation had to remain neutral on the merits of the claim, the court allowed it to challenge the plaintiff’s standing because the corporation might later be called upon to indemnify the defendant directors.

[2]  See, for example, In re Conduct of Kinsey, 680 P.2d 660 (Or.1983).

[3]  When the court orders the Company to be represented by separate counsel, additional indirect costs are incurred by both parties. The Company’s lawyer, however, when acting as a neutral, may assist the court as would a guardian and perhaps facilitate amicable resolution.

[4]  In re Murrin Brothers 1885, Ltd., 603 S.W.3d 53 (Tex. 2019).

[5]  Id. at 58. Because the nominal defendant corporation stands to be the beneficiary of any derivative action recovery, its interests are not necessarily adverse to the plaintiff. Cotter on behalf of Reading International, Inc. v. Kane, note 1 supra.

[6]  In addition to the cases cited, Rosenfeld v. Metals Selling Corp., 643 A.2d 1253, 1264 (Conn. 1994), and Messing v. FDI, Inc., 439 F.Supp. 776 (D. N.J. 1977) are also instructive.

[7]  In Ehlinger v. Hauser, 785 N.W.2d 328 (Wis. 2010), the court, recognizing that the dispute was really between the two shareholders, and citing Matter of Clemente Bros., Inc., 239 N.Y.S.2d 703 (App. Div. 1963), aff’d o.b. 13 N.Y.2d 963 (1963), observing that “the corporation may not assume a ‘militant alignment on the side of one of the two equal, discordant stockholders,’ ” prohibited the corporation from paying the expenses incurred by one of the shareholders. Similarly, Matter of Penetent Corp., 605 N.Y.S.2d 691 (App. Div. 1993), affirmed the trial court’s grant of petitioner’s motion to restrain respondent from using corporate funds to pay for professional services incurred in the proceeding.

At the ABA Business Law Section’s annual meeting in Spring 2020, which went virtual for the first time due to the pandemic, the Section’s Gaming Law Committee took up the issue of sports betting and data security as a key emerging area that intersects with numerous other areas of law practice, including contracts, commercial transactions, securities regulation, business entity issues, tribal-state compacting, and intellectual property. Along with the authors of this article, Dennis Ehling (Partner with Blank Rome in Los Angeles), Raymond Luk, Jr. (Corporate Counsel for BorgWarner Inc., in Auburn Hills, Michigan), and Peter McLaughlin (Partner with Culhane Meadows in Boston) comprised the panel, which was co-sponsored by the Business Law Section’s Intellectual Property and Sports Law Committees. ABA Business Law Section members can watch the program for CLE credit on-demand here.

Introduction

A rapidly evolving subfield in gaming law concerns cybersecurity, data protection, and privacy rights. The swift expansion of legalized sports betting, as well as igaming, mobile gaming, daily fantasy sports (DFS), and competitive videogaming (esports), have created both opportunities and challenges for the business lawyer. Online and mobile platforms for sports betting and DFS, as well as team trademarks and design of esports games, raise issues related to intellectual property, data collection and reporting, data ownership, protection, and privacy, and ensuring data security. A business lawyer advising clients in these areas, or working directly in these industries, needs to know how data protection compliance and intellectual property interests operate in these rapidly developing contexts. Such matters also increasingly intersect with the dynamic area of digital currencies and cryptocurrencies, blockchain technologies and transactions, and compliance within and across jurisdictions, whether domestic or international.

Data security has always been a key issue for the gaming industry. Traditionally a “cash business,” the current $260 billion U.S. gaming industry runs primarily on transactions, often large ones. Like finance and banking institutions, casinos must be diligent in guarding against cybersecurity threats, especially as mobile and online transactions become the norm. The gaming industry also relies on computer systems for operating gaming devices, gaming floor security, and gathering and storing player data, among other functions, all of which can be targets for hackers and cheats. With the recent spread of legalized sports betting, data security is more important than ever.

Casinos and Cybersecurity

Like other industries that retain extensive customer data, the gaming industry is particularly vulnerable to cyber threats. The 2014 hacking of the Las Vegas Sands Corporation (LVS), which owns the Venetian and Palazzo casino resorts in Las Vegas as well as several casino resorts in Asia, provides a cautionary tale. As confirmed by the U.S. Director of National Intelligence, the cyber-attack was carried out by Iranian “hacktivists” in retaliation for LVS CEO Sheldon Adelson’s support of a U.S. military strike against Iran. Malware shut down company email and phone lines, and wiped out employee hard drives. Hackers stole customer credit card data, Social Security numbers, and driver’s license information. The company’s casino websites were taken over and defaced, prompting a one-week shutdown before the sites were restored. The cyber-attack impacted the majority of the company’s Las Vegas servers; the cost of recovering data and building new systems reportedly was in excess of $40 million.

The gaming industry has its own particular vulnerabilities as well. Several years ago, a Russian hacker devised a system to decipher the random number generator programs in slot machines. He then organized teams to visit casinos and identify vulnerable slot machines, before using a smartphone app to trigger a jackpot on the machine. Reportedly, the teams took in $250,000 a week from casinos around the world. In 2014, four team members pled guilty to federal fraud charges stemming from using the slot machine cheat in casinos in California, Illinois, and Missouri. The hacker also leveraged the success of the teams to attempt to extort the slot machine manufacturer. Though the extortion attempt was unsuccessful, the hacker bragged to magazine that he continues to earn millions through the scheme.

Sports Betting

Since the U.S. Supreme Court’s 2018 decision striking down the federal Professional and Amateur Sports Protection Act in Murphy v. NCAA, 584 U.S. ___, some 24 states plus the District of Columbia have legalized sports betting, with as many as a dozen more expected to take up sports wagering legislation in 2021. Commentators predict that as many as 45 states may have legal sports betting within five years. A growing number of states, including Indiana, Iowa, Nevada, New Jersey, Pennsylvania, Rhode Island, and West Virginia, have also legalized online and mobile sports betting.

Legal wagers on Super Bowl LIV in 2020 exceeded $270 million (though legal wagers continue to be eclipsed by the illegal market; the estimated total wagers for the Super Bowl were over $6 billion, placed by some 26 million bettors). Industry experts estimated that five million people placed their bets—both legal and illegal—via online or mobile platforms.

Next on the calendar, of course, was March Madness—the NCAA men’s basketball tournament. The American Gaming Association had predicted over $10 billion in wagers ($295 million made legally) by over 50 million Americans and some 100 million people around the world. The tournament was cancelled due to the pandemic—as were all collegiate and major-league professional sports throughout the U.S., as well as globally, throughout the summer and into the fall. This only raised the stakes. Industry commentators predict that latent and pent-up demand for sports and sports gambling opportunities will generate wagers of similar or even larger amounts for Super Bowl LV in Tampa Bay, as well for as the recently announced “bubble edition” of March Madness taking place in Indiana in spring 2021.

As more states enter the legalized sports betting market, many of them have minimal regulatory experience as compared to Nevada, where sports betting has been legal and highly regulated for decades. Even fewer states have experience with regard to online and mobile betting, as federal law has permitted states to legalize online gaming only for the last decade or so.

Sports Betting and Data Security

Cybersecurity experts warn about the risks posed by the lure of the anticipated handle, both legal and illegal, around sports betting. While money laundering and theft are concerns, so are data breaches of customer information, which in the long run may be even more valuable—and more damaging—to patron and operator alike. The customer data collected by casinos often is extensive. Bettors may be required to provide date of birth, Social Security number, physical and email addresses, and other personal identifying information. They may also be required to create accounts with financial and banking information, along with passwords and security questions. Customer habits and preferences may be tracked through players club cards and apps. For online and mobile betting, age (sometimes via date of birth) and location data is also collected.

But sports betting also has other valuable data: sports data.

Sports books offer wagers not just on the outcome of the game (win or moneyline), but on the score (over/under, point spread) and special events (proposition bets, such as whether the game will go into overtime or whether a particular player will score a touchdown). In-play or live betting allows bettors to place wagers after an event has started and up to the time of its conclusion. The odds on all of these bets are driven by sports data on all features of the players, teams, contests, and leagues. The security of sports data is critical to the integrity of legalized sports betting. As sports betting has one of the slimmest margins of any casino games, the security of sports data also is critical to the financial risk inherent in a casino’s sports book.

Sports data also is an intellectual property asset. Leagues and teams have claimed ownership of sports data, with the business plan of selling their official data to data analytics companies and oddsmakers, or charging integrity or data rights fees to the gaming industry. For example, in 2018, MGM Resorts entered into a 3-year deal with the NBA to receive league-verified data for some $25 million, followed by similar deals between MGM and the NHL and MLB. But there are unsettled questions regarding ownership, copyright, and fair use. Broadcasts of sporting events may be copyrightable, but the live game likely is not. Prior cases, including NBA v. Motorola, Inc., 105 F.3d 841 (2d Cir. 1997) (broadcasts, not games, are copyrighted; facts derived from broadcasts are not copyrighted; a sports broadcast is not “hot news”), Morris Communications Co. v. PGA Tour, 364 F.3d 1288 (11th Cir. 2004) (a sports league may charge a fee for access to proprietary data without violating antitrust laws), C.B.C Distribution & Marketing, Inc. v. MLB Advanced Media, 505 F.3d 818 (8th Cir. 2007) (a fantasy sports operator’s use of baseball statistics in the public domain is protected by the First Amendment), and Daniels v. FanDuel, Inc., 909 F.3d 876 (7th Cir. 2018) (college athletes’ names, likenesses, and statistical data are “newsworthy” and may be used without an athlete’s permission), provide clear answers to issues that are increasingly significant, or even novel, in the post-Murphy legal environment as the legal sports betting industry—and its demands for data—expand.

Similar considerations and questions with regard to data security and intellectual property apply to DFS and esports.

Applicable Data Security Laws

While data protection, data privacy, and data-breach notification are recognized as critical dimensions of cybersecurity law, regulation, and policy, these issues have yet to be addressed in any comprehensive legislation in the U.S Not so elsewhere. The European Union’s comprehensive General Data Protection Regulation (GDPR) took effect in 2018. The GDPR regulates the processing of personal data within its territoriality requirements. Processing of personal data includes collection, use, storage, organization, disclosure, or any other operation performed on personal data. Personal data is defined as any information relating to an identified or identifiable person, including names, identification numbers, location data, IP addresses, etc. The GDPR’s territoriality requirements bring within its scope any organization with an “establishment” in the EU that processes personal data as part of that establishments’ activities.

As for the U.S., there is not yet a single, comprehensive federal data protection law. There are several federal laws that address data security in specific areas, including:

• Children’s Online Privacy Protection Act (COPPA)
• Computer Fraud and Abuse Act (CFAA)
• Consumer Financial Protection Act (CFPA)
• Electronic Communications Privacy Act (ECPA)
• Family Educational Rights and Privacy Act (FERPA)
• Federal Trade Commission Act (FTC Act)
• Health Insurance Portability and Accountability Act (HIPAA)
• Fair Credit Reporting Act (FCRA)

These laws, however, speak to highly diverse forms of data and expectations of privacy, with divergent requirements for relevant industry actors.

States, however, have moved more rapidly to address privacy, cybersecurity, and data breaches, passing or at least considering hundreds of bills across all 50 states, territories, and the District of Columbia, many of which focus heavily on consumer protection. At least 25 states have laws addressing data security practices in the private sector, more than half of them passed in the last five years. Most states also now have data disposal laws, governing how companies destroy or render indecipherable the personal information obtained from customers and employees. The California Consumer Privacy Act (CCPA) is notable for its comprehensive approach, as it applies to most for-profit companies that do business in the state, and regulates all “personal information,” encompassing nearly any and all information that a business might collect from a customer.

Conclusion

The rapid expansion of legalized sports betting, as well as the emergent areas of DFS and esports, have created both opportunities and challenges for the business lawyer. In particular, online and mobile platforms for sports betting and DFS, as well as team trademarks and design of esports games, raise rapidly mounting issues and dynamic questions related to intellectual property and data protection, privacy, and security.

A business lawyer advising clients in these areas, or working directly in the gaming industry or with public officials who either have or claim a stake in the success of gaming regulation, needs to know how data protection compliance and intellectual property interests operate in these rapidly developing contexts as they merge with gaming law in retail casino operations and online or mobile wagering alike.

Fortunately, the ABA’s Business Law Section, including its Gaming Law, Intellectual Property, and Sports Law Committees, will continue to spotlight these issues as they arise and evolve.

The year 2020 was an unprecedented year, but one thing remained constant: the number of Fair Credit Reporting Act (FCRA) case filings continued to increase dramatically.[1] In addition to new filings, the year saw several key decisions handed down by federal courts, shedding light on diverse issues such as the matching procedures of credit reporting agencies (CRAs), Article III standing, the meaning of “maximum possible accuracy,” and preemption of state credit reporting laws. As FCRA cases continue to be filed with increasing frequency, CRAs, employers seeking to screen new hires, and other FCRA-regulated entities should examine these decisions and their consequences carefully. To that end, we’ve compiled the following list of ten key FCRA decisions of 2020.

Williams v. First Advantage LNS Screening Solutions

In January 2020, the Eleventh Circuit affirmed a $250,000 compensatory damages award and reduced a $3.3 million punitive damages award to $1 million in an individual mixed-file claim brought pursuant to section 1681e(b) of the FCRA.[2] In Williams, the plaintiff sued defendant First Advantage for alleged violations of the FCRA in connection with twice attributing the criminal background information of another individual to the plaintiff.

The court recognized that although First Advantage had a policy requiring use of a third identifier before attributing criminal information to a subject with a common name, evidence indicated that this policy was not followed in practice. Based on this evidence, the Eleventh Circuit affirmed the district court’s denial of First Advantage’s motion for judgment as a matter of law with respect to willfulness under the FCRA.

The court also affirmed the jury’s compensatory damages award but found that the $3.3 million punitive damages—at a ratio of 13:1 to the compensatory damages—was unconstitutionally excessive. The court noted that the Supreme Court had previously found that a 4:1 ratio was “close to the line” of unconstitutionality and that an award that exceeded a single-digit ratio was likely a violation of the Due Process Clause. Ruling that a 4:1 ratio was appropriate here based on the state court’s assessment of First Advantage’s conduct, the court reduced the award to $1 million.

As evidenced by Williams, challenges to matching procedures utilized by the background screening industry continue to be an area of focus in FCRA litigation. This decision is also significant regarding the availability (and constitutional limits) of punitive damages.

Ramirez v. TransUnion LLC

In February, the Ninth Circuit issued its decision in a class action case watched closely by consumer reporting agencies.[3] Ramirez involved a product offered by TransUnion to identify consumers with names designated by the Department of the Treasury’s Office of Assets Control (OFAC) as posing a national security threat. A jury ultimately awarded $8 million in statutory damages and $52 million in punitive damages to the class members, finding that TransUnion failed to comply with certain disclosure requirements under the FCRA. TransUnion appealed on various grounds, including that many of the class members lacked Article III standing.

On appeal, the Ninth Circuit held for the first time that “every member of a class certified under Federal Rule of Civil Procedure 23 must satisfy the basic requirements of Article III standing.” However, the court went on to rule that a “material risk of harm” was sufficient to confer standing to each class member. The Ninth Circuit held that “a real risk of harm arose when TransUnion prepared the inaccurate reports and made them readily available to third parties,” even though most class members’ reports were never actually disclosed to a third party.

The Supreme Court granted certiorari in December 2020, to consider “whether either Article III or Rule 23 permits a damages class action where the vast majority of the class suffered no actual injury, let alone an injury anything like what the class representative suffered.”

Walker v. Fred Meyer, Inc.

In March, the Ninth Circuit issued important guidance for employers obtaining background checks on potential or current employees.[4] The plaintiff in Walker claimed that his employer violated the FCRA by not disclosing its background check process in a “clear and conspicuous” disclosure contained “in a document that consists solely of the disclosure.” Although the district court held the disclosure form signed by the plaintiff was a standalone document, the Ninth Circuit reversed, finding that certain provisions in the disclosure form referenced other rights under federal and state law and, in so doing, violated the FCRA’s requirement that the document consist “solely of the disclosure.”

The Ninth Circuit held that in addition to a “plain statement” that a report may be obtained for employment purposes, a standalone disclosure may include a “concise explanation” of that statement. The court cautioned, however, that the explanation must not be so long or confusing that it detracts from the disclosure or in any way makes the disclosure unclear and conspicuous.

Separately, the Ninth Circuit also affirmed that employers, in a pre-adverse action letter sent before taking action against an applicant or employee, are not required to provide employees or applicants with an opportunity to directly discuss a consumer report with the employer. Rather, it is sufficient for the employer to provide notice in a pre-adverse action letter that describes the consumer’s ability to dispute the completeness or accuracy of the information with the CRA.

Luna v. Hansen & Adkins Auto Transport, Inc.

In April, shortly after the Walker decision, the Ninth Circuit issued another decision interpreting the FCRA’s disclosure requirements for employers conducting background checks on potential hires.[5] Whereas Walker looked at the language of the disclosure, Luna focused on the format of the disclosure and its accompanying authorization.

The disclosure form in Luna was a separate page included within a larger group of application materials. The plaintiff argued that including the disclosure page alongside other materials violated the FCRA’s “standalone” requirement. The court rejected this argument, stating that while the disclosure itself cannot contain other unrelated information, “no authority suggests that a disclosure must be distinct in time, as well.”

The court in Luna also weighed in on the “clear and conspicuous” prong of the FCRA’s disclosure requirement—one of the issues left open in Walker. The court reiterated that a disclosure must be “readily noticeable” and in a “reasonably understandable form.” The court found the employer’s disclosure (featuring a bold, all-caps heading and simple explanatory statement) to meet the clear and conspicuous requirement, saying “applicants, such as big-rig truckers, can be expected to notice a standalone document featuring a bolded, underlined, capital-lettered heading.”

Finally, the Ninth Circuit also dispensed with the employee’s claim that the authorization for an employer to obtain a consumer report on an applicant also needed to be in a clear and conspicuous standalone document. The court found no statutory support for this position.

Davis v. C&D Security Management, Inc. et al.

In July, the Eastern District of Pennsylvania confirmed that a plaintiff lacks Article III standing to state a claim for violation of the FCRA premised solely on a failure to receive a copy of the background report and a summary of rights.[6] In Davis, the plaintiff applied for employment as a security guard with C&D Security and was ultimately denied the position twice. She brought suit on behalf of a putative class claiming that C&D Security failed to provide her with notice of the background check, a copy of her report, and a summary of her rights, as required under the FCRA.

Following Third Circuit precedent, the court held that Davis lacked an injury-in-fact since she ultimately became aware of her rights and timely brought suit against the employer. It cited the U.S. Supreme Court’s maxim in its landmark Spokeo decision that a bare procedural violation, divorced from any concrete harm, cannot satisfy the injury-in-fact requirement of Article III. Further, the court found that because Davis failed to establish her own standing, she could not seek relief on behalf of the putative class.

This decision highlights the critical role of Article III standing in FCRA cases, in both individual and class contexts. Companies defending FCRA class actions should consider standing issues at the forefront of the matter, rather than reserving them for the certification stage.

Moran v. The Screening Pros, LLC, et al.

Also in July, a California district court granted summary judgment in favor of a background screening agency, holding there was no willful or negligent violation of the FCRA despite the agency’s incorrect interpretation of the FCRA provision at issue.[7]

Plaintiff Moran filed suit after he was allegedly denied housing based on a screening report issued by The Screening Pros, LLC. The report included misdemeanor charges that had been filed ten years earlier but dismissed after six years, prior to the report. Moran argued that this violated the FCRA’s prohibition on reporting nonconviction adverse information older than seven years, pursuant to 15 U.S.C. § 1681c(a)(5). The district court dismissed the claim, holding that because the charges had only been dismissed six years prior, the dismissal fell within the seven-year period prior to issuance of the report. The Ninth Circuit reversed, holding that the seven-year reporting window for a criminal charge begins on the date of entry rather than on the date of disposition.

Despite this reversal, the district court granted summary judgment to The Screening Pros on remand because the violation of § 1681c(a)(5) was neither willful nor negligent. The district court’s holding was supported by the fact that this was an issue of first impression in the Ninth Circuit. FTC guidance available at the time the report was issued (but rescinded afterward) indicated that the seven-year reporting period ran from the date of the disposition.

While the decision in Moran was certainly favorable to the background screener defendant, courts are not likely to be as lenient moving forward, given that the holding in Moran was largely predicated on the fact that the FTC’s guidance was rescinded only after the report was issued.

Domante v. Dish Networks, LLC

In September, the Eleventh Circuit weighed in on the meaning of a “legitimate business need,” one of the permitted purposes for obtaining a screening report under § 1681b of the FCRA.[8] In Domante, the court held that requesting and obtaining a consumer report for verification and eligibility purposes is a legitimate business need under the FCRA.

Plaintiff Domante had previously filed and settled an FCRA suit against Defendant Dish Networks, LLC (Dish), after Domante’s personal information was stolen and used to open two accounts with Dish. To implement the terms of that settlement, Dish entered Domante’s personal information, including her Social Security number, into an internal system designed to prevent unauthorized accounts from being opened in the future.

When an attempt was made to open a new account using the last four digits of Domante’s Social Security number but a different name, Dish submitted the applicant’s information to a CRA to verify the applicant’s identity. The CRA matched the information with Domante and returned her credit report to Dish, which included Domante’s full Social Security number. Dish then blocked the application and requested that the CRA delete the inquiry from Domante’s credit record. Domante sued, arguing that Dish did not have a legitimate business need to pull her credit report because Dish knew or should have known that Domante was not the account applicant based on their prior settlement agreement.

The Eleventh Circuit noted that the false applicant provided only the last four digits of Domante’s Social Security number. Dish depended on the CRA’s credit report to obtain the full Social Security number for cross-checking with its internal records. Using the report for this verification and eligibility purpose was a legitimate business need.

A key takeaway for requesters of consumer credit reports is the importance of developing and maintaining internal verification and eligibility procedures that are consistent with the information contained in the requested report.

Consumer Data Industry Association v. Frey

In October, the district court of Maine held that the federal FCRA preempted burdensome credit reporting restrictions imposed by the Maine Fair Credit Reporting Act.[9] The Maine legislature passed two amendments to the Maine Fair Credit Reporting Act in 2019 prohibiting CRAs from including certain kinds of information in a consumer’s credit report. The amendments restricted reporting certain medical debts and debts that were the result of “economic abuse.” Both laws required CRAs to engage in extensive investigations of the underlying circumstances, conditions, and status of a consumer’s debts to determine whether those debts were reportable. The Consumer Data Industry Association (CDIA) filed suit, seeking declaratory judgment that both laws were preempted by the FCRA.

The court ruled in favor of the CDIA and held that the amendments were preempted by the FCRA. Engaging in a detailed analysis of the language and history of the FCRA’s preemption provisions, the court held that the FCRA preempted any state regulation of information contained in consumer reports. In doing so, the court rejected the narrower construction advocated by the state of Maine that would limit preemption to the specific types of information already regulated by the FCRA.

The court’s analysis in Frey will have important ramifications for other states seeking to impose their own restrictions on consumer credit reports and for any other present or future preemption claims against states by CRAs, furnishers and users. The state of Maine has filed an appeal of the district court’s decision, which will give the First Circuit an opportunity to rule definitively on this issue.

Settles v. Trans Union, LLC

The year 2020 saw an influx of complaints alleging that the “current pay status” reported by a furnisher is inaccurate when an account that was delinquent when closed is reported with a historical delinquency status. Settles was one such case where the theory was soundly rejected.[10]

In Settles, the plaintiff was overdue on his account by 120 days when his account was closed. His credit report showed that his account was closed, and the account balance was $0. However, the pay status reflected 120 days past due. The plaintiff brought suit claiming that this was materially misleading because the account could not be past due while also having a $0 balance. The court held that the reporting was not inaccurate or misleading. The court noted that it must look at the accuracy of the report as a whole, taking into account relevant context. It listed several cases holding that reporting historical data is not inaccurate.

This decision and others like it underscore that the inclusion of accurate historical account information on credit reports is allowable and not misleading, even when the current account information is different from the historical information and may even appear contradictory on its face.

Erickson v. First Advantage Background Services Corp.

Addressing a recurring issue bedeviling the background screening industry, the Eleventh Circuit confirmed in December that it is not inaccurate for a CRA to report a criminal or sex-offender record without matching the record to a subject consumer, as long as the CRA notifies the user of the report that the record needs further investigation before being attributed to the consumer.[11]

Plaintiff Erickson applied to be a Little League coach and was subjected to a background check. Unfortunately, his report identified a sex offender record of his estranged father, with whom he shared his name. In releasing the report, First Advantage explained to Little League that it was a name-only match and that further review was necessary to determine if the record belonged to Erickson. Erickson nevertheless filed suit, arguing that First Advantage violated the FCRA’s requirement that a CRA “follow reasonable procedures to assure maximum possible accuracy” of reported information. The district court ruled against him.

On appeal, the Eleventh Circuit weighed in on a debate that has reached several circuit courts: whether the FCRA’s “maximum possible accuracy” requirement demands more than technical accuracy. The court held that it does, following a plurality of circuit courts by holding that the FCRA requires reported information to be both factually true and “unlikely to lead to a misunderstanding.”

Despite rejecting a lenient test in favor of a more stringent one, the court affirmed that First Advantage’s report was neither inaccurate nor objectively misleading because no reasonable user in the shoes of the report’s intended user would be misled. The court focused on First Advantage’s cautionary disclaimer that further review was required. CRAs seeking compliance tips should note carefully the notifications First Advantage gave to the users of its reports, which the court found to be clear.

Conclusion

FCRA litigation continues to increase. With increased caseloads comes increased precedent, and going forward, we continue to expect to see more and more published FCRA decisions.

[1] WebRecon LLC, WebRecon Stats for Oct 2020 & Year-End Projections, https://webrecon.com/webrecon-stats-for-oct-2020-year-end-projections.

[2] Williams v. First Advantage LNS Screening Solutions, Inc., 947 F.3d 735 (11th Cir. 2020).

[3] Ramirez v. TransUnion LLC, 951 F.3d 1008 (9th Cir. 2020).

[4] Walker v. Fred Meyer, Inc., 953 F.3d 1082 (9th Cir. 2020).

[5] Luna v. Hansen and Adkins Auto Transport, Inc., 956 F.3d 1151 (9th Cir. 2020).

[6] Davis v. C&D Security Management, Inc., 2020 U.S. Dist. LEXIS 132291 (E.D. Penn. July 27, 2020).

[7] Moran v. Screening Pros, 2020 U.S. Dist. LEXIS 148171 (C.D. Cal. July 30, 2020).

[8] Domante v. Dish Networks, LLC, 974 F.3d 1342 (11th Cir. 2020).

[9] Consumer Data Industry Association v. Frey, 2020 U.S. Dist. LEXIS 187061 (D. Me. Oct. 8, 2020).

[10] Settles v. Trans Union, LLC, 2020 U.S. Dist. LEXIS 220341 (Nov. 24, 2020).

[11] Erickson v. First Advantage Background Servs. Corp., 981 F.3d 1246 (11th Cir. 2020).