On March 27, 2019, the Supreme Court held (in a 6-2 decision) in Francis V. Lorenzo v. Securities and Exchange Commission[2] that a person who (1) knowingly disseminates false and misleading statements to prospective investors and (2) acts with the intent to defraud can be held liable under subsections (a) and (c) of Securities and Exchange Commission Rule 10b-5 (Rule 10b-5), and other relevant statutory provisions, even if such person was not the “maker” of such statements.

Rule 10b-5 makes it unlawful for any person, directly or indirectly, to:

• employ any device, scheme, or artifice to defraud,
• make any untrue statement of a material fact or to omit to state a material fact necessary in order to make the statements made, in the light of the circumstances under which they were made, not misleading, or
• engage in any act, practice, or course of business which operates or would operate as a fraud or deceit upon any person in connection with the purchase or sale of any security.

In June 2009, Waste2Energy Holdings, Inc. stated in a public filing that its assets were worth approximately $14,000,000 (including intellectual property valued at more than $10,000,000). In the summer of 2009, Waste2Energy Holdings, Inc. hired Charles Vista, LLC to sell $15,000,000 of debentures to investors. In early October of 2009, Waste2Energy Holdings, Inc. publicly disclosed and informed Francis Lorenzo (Petitioner), Vice President of Investment Banking at Charles Vista, LLC, that Waste2Energy Holdings, Inc.’s total assets were worth $400,000, significantly less than previously disclosed to the public. After becoming aware of Waste2Energy Holdings, Inc.’s overvaluation of its assets, Petitioner, at the direction of his direct superior, sent e-mails, the contents of which were supplied by his direct superior, to prospective investors that included false and misleading information regarding the valuation of Waste2Energy Holdings, Inc.’s assets.

In 2013, the Securities and Exchange Commission (SEC) charged Petitioner with, and found Petitioner liable for, violating subsection (b) of Rule 10b-5. Petitioner appealed the SEC’s ruling to the U.S. Court of Appeals for the District of Columbia (Court of Appeals). Relying on Janus Capital Group, Inc. v. First Derivative Traders,[3] a Supreme Court decision holding that only the “maker” of false or misleading statements can be held liable under subsection (b) of Rule 10b-5, Petitioner argued that because his direct superior (1) directed Petitioner to send the e-mails and (2) supplied the content for the e-mails, he was not the “maker” of any false or misleading statements and therefore could not be liable under subsection (b) of Rule 10b-5. The Court of Appeals agreed that Petitioner could not be held liable under subsection (b) of Rule 10b-5; however, the Court of Appeals found Petitioner liable under subsections (a) and (c) of Rule 10b-5.  

Petitioner appealed the Court of Appeals decision to the Supreme Court. In Petitioner’s argument to the Supreme Court, Petitioner claimed that each subsection of Rule 10b-5 governs “different, mutually exclusive, spheres of conduct,” with subsection (b) governing the making of false or misleading statements. Petitioner went on to argue that because he did not have ultimate authority over the false or misleading statements, he could not be held liable under subsection (b) of Rule 10b-5 and that because he was not liable under subsection (b), the remaining subsections could not be applied to the acts in question.

The Supreme Court rejected Petitioner’s interpretation of Rule 10b-5, explaining that the Supreme Court and SEC have a history of recognizing significant overlap among the subsections of Rule 10b-5 and other securities statutes. As a result of this overlap, the Supreme Court reasoned that the making of false or misleading statements is not governed solely by subsection (b) of Rule 10b-5, but also falls within the scope of subsections (a) and (c). The Supreme Court, agreeing with the Court of Appeals, found that by sending the e-mails that Petitioner knew contained untrue and misleading statements, Petitioner violated subsections (a) and (c) of Rule 10b-5. The Supreme Court ultimately held that Petitioner “employ[ed] a “device,” “scheme,” or “artifice to defraud,”” violating Rule 10b-5(a), and “engage[d] in [an] act, practice, or course of business” that “operate[d] . . . as a fraud or deceit” in violation of Rule 10b-5(c).

In dissent, Justice Thomas, joined by Justice Gorsuch, argued that the majority’s interpretation of Rule 10b-5 renders the Supreme Court’s decision in Janus a “dead letter.” Justice Thomas asserts that the subsections of Rule 10b-5 are straightforward and clearly specify the conduct each governs—with subsection (b) governing the making of false or misleading statements. Concluding that the majority opinion broadens the scope of subsections (a) and (c) to cover conduct within the plain meaning of subsection (b), Justice Thomas argues that subsection (b) of Rule 10b-5 is now subsumed into subsections (a) and (c), rendering meaningless the Supreme Court’s decision in Janus (detailing conduct governed by subsection (b)). The majority disagreed with this contention, noting that Janus will still apply (and preclude liability) in instances where an individual neither made nor disseminated false information, as opposed to the case at hand where Petitioner knew of and disseminated false information.

Given the Supreme Court’s broad interpretation of Rule 10b-5, it is likely that future litigants will seek to expand the scope of activities subject to Rule 10b-5. However, as the Supreme Court noted, in cases where a person is only tangentially involved with disseminating false or misleading statements, applying subsections (a) and (c) of Rule 10b-5 may prove more difficult and could cause the Supreme Court to more clearly define the reach of these subsections in the future. For example, as the Supreme Court noted, liability would be inappropriate for a mailroom clerk who disseminated misleading or false statements without the intent to defraud. It is clear that future cases may present factual scenarios that would fall outside the reach of subsections (a) and (c); however, in the case at hand, it was clear Petitioner was directly involved with disseminating false and misleading statements because he sent such statements directly to investors and invited them to follow up with him directly.

[1] Chauncey Lane is a partner in the Dallas office of Husch Blackwell LLP. Cooper Overcash and Michael Caine are associates in the Dallas office of Husch Blackwell LLP. Chauncey, Cooper, and Michael are members of the firm’s Corporate and Securities practice group where they advise domestic and international clients on capital market transactions, Securities and Exchange Commission compliance, and complex commercial transactions.

[2] 587 U.S.___ (2019).

[3] 564 U.S. 135 (2011).

In 2019, we are surrounded by AI—from our personal assistants Siri, Alexa, and Google Home Hub; our retailers predicting what we want before we do (think Amazon/Netflix recommended sections); and our cars that sense when braking is required in an emergency—and AI just keeps getting smarter and more accurate over time as it incorporates more data sets, meaning that AI has become more integrated and trusted within our society.

Throughout the world, healthcare systems are some of the most used and relied upon sectors, but they are stretched in terms of resourcing, technology, and funding. For many years, researchers and technology giants have wondered how we can harness the large amount of data that exists in the world for good—to help our healthcare system cope, grow, and thrive in modern times where we are all living longer and expecting more from our healthcare systems.

In this article, we explore some of the issues with AI and health care—the positive aspects and the barriers to integration and use that exist now or will in the future, as well as some of the trials already conducted in both the United States and the European Union.

What Is AI and How Does It Work?

In its broadest sense, AI is a tool where technology and/or a system can perform tasks and analyze facts/situations independently of a human. There are many different applications of AI, including machine learning, deep learning, and robotics.

• Machine learning is when a system uses algorithms to review data in an iterative process until it “learns” how to make a determination or prediction on its own.
• Deep learning is when a complex system similar to human neural networks is fed large amounts of data until it “learns” by example, discovering patterns in the data.
• Robotics is where a machine performs a task instead of a human; for example, where a machine is programmed to perform a simple (or complex) operation with precision and accuracy based on experience.

AI in the healthcare sector works by analyzing and learning from hundreds of thousands (even millions) of records, images, and/or scenarios to spot patterns, common traits, etc. of certain medical conditions, and to analyze findings and/or cut down the options for consideration by the medical professional.

AI and the Healthcare Sector

The prospect of further integration of AI in the healthcare sector is an exciting and promising development with the potential to transform healthcare systems to be more proactive, use fewer resources, lessen time spent on administrative matters, and, most importantly, focus on patient care.

Many are wary of AI in the healthcare sector, however—a sector based on human decisions, skill, and compassion that many feel uncomfortable relinquishing to a machine. Doctors, nurses, and other medical professionals are all highly trained and trusted to deliver high-quality and personalized health care to those in need. Naturally, there is some hesitation about ceding control of some of these tasks to a machine.

AI advocates are clear to point out that AI in health care is designed to complement and not replace human decision-making, experience, and care. AI is said to present the opportunity to free up more of health professionals’ time to care for patients instead of being burdened with administrative tasks and/or spending hours developing a tailored diagnosis and treatment plan.

Some recent examples of AI within the healthcare sector include the following:

• Machine learning was used to identify chronic heart failure and diabetic patients who required closer observation, then analyzed the results of monitoring kits provided to these patients. The patient’s healthcare providers were then automatically alerted when the patient required medical intervention.
• The National Institutes of Health and Global Good developed an algorithm that analyzes digital images of a woman’s cervix and can more accurately identify precancerous changes that will require medical intervention. This easy-to-use technology (which can be used with a camera phone) is an exciting development for those low-resource areas and countries where such screening is not prevalent.
• The United Kingdom’s National Health Service (NHS) provided patients with complex respiratory needs a tablet and probe that measured heart rate and blood oxygen levels on a daily basis. These results were logged and analyzed by the AI technology, reporting back to the clinical team at a local hospital when there were drops in heart rate and/or blood oxygen levels requiring medical intervention. During the period of this study, admissions at the local hospital for this group dropped 17 percent.
• The NHS Eye Hospital Moorfields worked with Google’s DeepMind for nine months and conducted a trial based on an algorithm developed to spot and diagnose eye conditions from scans. This was aimed at cutting down unnecessary referrals to NHS hospitals, allowing clinicians to focus on more serious and urgent cases.
• For pathologists, instead of individually assessing each image/slide, AI technology can be used to review all images/slides and flag the problematic ones for closer review.

In each of the examples above, the healthcare system saved time and resources by ensuring that only those patients requiring more immediate medical intervention were seen to, and that those who were stable were seen at nonemergency appointments to follow-up. Healthcare professionals were able to prioritize those cases with the most urgency while continuing to monitor the other, less urgent cases.

Another AI advantage is that patients are given more control over their own healthcare. They can monitor their own statistics and outcomes and are comforted that medical professionals can intervene when they have spotted concerning results. This also helps patients understand their own health and how their own body reacts to certain conditions/factors.

The Challenges

There are some concerns that have been raised around the integration of AI technologies into the healthcare system, including data protection, patient trust, biased data, and contractual, regulatory, and ownership issues.

Data Protection

In the United States, personally identifiable health information (PHI) is protected from unauthorized use and disclosure by a variety of laws and regulations, most notably the Health Insurance Portability and Affordability Act and the Health Information Technology for Economic and Clinical Health Act (together, HIPAA). Any use of PHI for AI would likely require new or different consent from the patient. Where the AI is used for the benefit of a particular patient, presumably that consent would not be difficult to obtain, but robust AI technologies require a significant amount of data to be effective, and because the use of that data is not necessarily for the benefit of any particular patient contributing data, consent for use of PHI in AI may not be so readily provided. A revision of HIPAA or applicable state laws to permit the disclosure of PHI for the purpose of AI technologies may be required, as well as additional protections to ensure that once the PHI goes into the “soup pot” of AI datasets, it cannot be individually identified again.

In the European Union, the General Data Protection Regulation (GDPR) came into force in 2018 and brought about significant changes in data protection regulation across the EU and beyond due to its enhanced territorial scope. One of the themes of the GDPR is that data subjects are given more control over their personal data. There are a few separate issues relating to data protection and AI technology when considering AI and healthcare applications:

• Legal basis. There will be different legal bases applicable to different organizations; for example, healthcare providers generally rely on vital interests (as the processing condition) and therefore may rely on the research and statistics exemption to repurpose such data collected for use in AI technology. Other organizations, such as those who utilize wearable technologies like fitness trackers or heart-rate monitors used by individuals (as opposed to patients), will generally rely on consent to process such data and therefore may not as easily repurpose such data collected, such as for the development of AI technology.
• Data subject rights. Under the GDPR, data subjects have enhanced rights; therefore, organizations must carefully consider the legal basis on which they are relying for processing. For example, when relying on consent, a data subject can withdraw that consent at any time, and the organization must stop processing and notify any third party with which the data was shared to stop its processing. Although data subjects have the right to request deletion of their personal data, from a practical perspective, how can data be deleted if it has become part of the algorithm?
• Data Transfers. A scenario likely to occur with AI technology development is the transfer of data between the United States and European Union and indeed across the globe. In a data transfer scenario, both parties (i.e., the transferor and the transferee) have an obligation to ensure that such transfers are protected and that the data is transferred using adequate measures as stipulated in the GDPR.
• It has been noted that medical data is now three times more valuable than credit-card details in illegal markets; therefore, organizations handling and sharing health data for any purpose must ensure that this data is protected from unlawful loss, access, or disclosure to avoid causing substantial distress to data subjects. When such personal data has been anonymized, then security is less of a concern from a data protection/privacy perspective because the data protection legislation does not apply to data where an individual can no longer be identified; however, anonymized data may still pose a commercial risk due to its value.

Patient Trust

Many individuals may not initially feel comfortable knowing that technology has made a potentially life-or-death decision about their healthcare and/or treatment plan. The healthcare sector is grounded in trust and personal care and compassion for those in need, and some see AI as removing that personal element in favor of a machine-led, batch-process type system where the individual and his or her needs may not be at the core of the decisions and care provided.

It could be argued, however, that AI and increased technology use within healthcare systems could actually improve personalized health care and give individuals more control over their own health by involving them in the process and allowing them to monitor their health remotely.

Many patients may also be uncomfortable with the lack of formal qualification and/or testing of AI technologies and machines, in contrast with healthcare professionals such as doctors and surgeons who often study and train for many years acquiring knowledge and skills in a particular area, which instils trust in patients.

Additionally, some patients may be unwilling to accept such AI technology as part of the healthcare system, given that in recent years the growth of AI technologies has brought about some general mistrust around the rapid growth of AI technologies in our daily lives.

How can the healthcare sector alleviate such concerns? All new technology experiences some bumps on the path to acceptance; distrust or suspicion of new technologies and fear of error takes time and education to overcome. Focusing on the patient and individual care, along with reassuring patients that AI technology will not replace doctors, may alleviate the fears of concerned patients. In addition, education about how AI technology will allow doctors to create more personalized healthcare treatment plans for patients and focus more on patient interaction and care will go a long way toward acceptance of AI technology in the healthcare sector. Medical care at its core is about empathy and care for patients, which cannot be replaced by AI technology, but AI technology can free up time and resources from those that provide that empathy and care by doing some of the “heavy lifting” so that the healthcare system can focus on the patients.

In terms of trust of the AI technology itself, there may need to be more legislative governance and/or accepted standards of testing for such technologies to reassure patients that the AI technology produces accurate results and has been thoroughly vetted as suitable to make decisions about health, diagnosis, and treatment.

There may also be a generational gap in that older patients are generally more wary of AI technologies and their infiltration into our daily lives. However, younger individuals—those who have been brought up in the age of social media, wearable devices, and other technologies—are generally more willing to accept and embrace AI than their parents and grandparents.

Overall, in time the benefits of AI to the healthcare experience (i.e., personalized care, diagnosis, and treatment; saved time and resources; and a more effective and cost-efficient healthcare system) will overcome patient mistrust in the technology.

Bias/Accuracy of Data

One concern that has been voiced by medical professionals is that the data available (from healthcare providers) to train AI technology and machines is not always accurate and often contain biases that may feed through into the technology, which may result in AI technology that is not representative of the population and therefore may not always make the correct decisions for every individual.

For example, in the United Kingdom especially, clinical trials (where most medical data is generated for research purposes) are dominated by white, middle-aged males; therefore, much of the data associated with medical trials is dominated in such a way. Ethnic minority populations, older people, and females are traditionally under-represented in medical trials; therefore, there may be implicit (or sometimes even explicit) bias in the data provided to an AI technology machine from which to learn. In other words, will the results provided by an AI technology based primarily on middle-aged, white males apply to individuals who are not middle-aged, white males? How will patients and providers know? However, there is also an argument that deliberately skewing the data the opposite way (e.g., by ensuring trials are reflective of all ethnic groups) could impact the effectiveness of a study where a condition may predominantly affect one group (e.g., sickle cell anaemia, which is most commonly found in those of African, Caribbean, Middle Eastern, and Asian origin).

Put another way, the output from an AI technology skewed in favor of one or more characteristics (i.e., the middle-aged male) may lead to inaccurate outputs and/or inappropriate treatment plans. In addition, some medical conditions are associated with certain groups more than others; therefore, AI technology may not be reflective of the conditions and medical needs of one group where the data used to train it were reflective of another group.

If AI technology is to reach its full potential in the healthcare system, care must be taken with the data used to train AI technologies to ensure that it is reflective of and includes a cross-section of the population, and is therefore fair and unbiased, so that its output is as accurate as possible.

Another issue, particularly with the NHS, is that hospitals are still very much reliant on paper-based records, although there has been for many years a push toward greater digitalization of healthcare records (which not only aids healthcare data-sharing for medical care purposes, but also assists in “feeding” such data to AI technology from which to learn). Nevertheless, legacy systems and the general lack of investment in technology has meant that moving toward any substantive ability to facilitate data sharing has been a slow process. The format of such records will also differ per area, data may not always be correctly labelled, and records are sometimes not kept as up-to-date as they should be. This lack of standardization creates gaps in information and could mean that the data from which the AI technology is learning is not the full picture of any one individual’s health/symptoms.

This brings questions about bigger issues in health care, especially in the United Kingdom, concerning whether it is possible to move forward with AI technology when the healthcare system is still not modernized enough to have easily accessible digital records. Although the United States is farther along in its adoption of electronic health care records and the digital data they contain, the implicit bias concern is equally strong in both countries. In addition, the lack of standardization of electronic data—both in the United States and between the United States and the European Union—makes ensuring a robust data input especially difficult. Although appropriate governmental regulations may address this, the market itself must figure out how to make it technically and financially viable.

Contractual and Regulatory Issues

There are a variety of potential complex contractual issues that must be addressed among developers and various stakeholders in the healthcare system before AI technology is rolled out, particularly regarding the allocation of liability. Where a doctor fails to diagnose correctly, prescribes the wrong dose of medication, or otherwise acts negligently, the patient has a claim against the doctor/healthcare provider, and the hospital or healthcare system in which the doctor/provider worked, for malpractice, negligence, and/or personal injury. However, who is liable where an AI technology failed to spot a cancerous tumour on a scan it analyzed?

There may be a lot of finger-pointing in this case. The doctors would argue that they were not liable because they (presumably) utilized the AI technology correctly, and that the fault lies with the hospital/healthcare system that required its use and/or the vendor/developer of the technology itself. The hospital/healthcare system might argue that is not liable because the third-party technology vendor developed the technology and trained the doctors in its use. The developer might argue that they are not responsible because AI technology is constantly “learning,” and only from the data it is given. It is important that the contracts between the developer and healthcare system, and between the healthcare system and its physicians, are clear on the allocation of liability in the event that a patient is harmed in relation to the use of AI technology.

Another issue that must be addressed by contract is the warranties (if any) that are provided by the developer to the healthcare provider. How likely is a developer to warrant that the AI technology is accurate? If unlikely, how could the healthcare provider understand its limitations? Is the training provided on the AI technology warranted to provide that information?

Regulatory issues also abound. In the United States, AI-enabled technologies may or may not be regulated as medical devices. Current regulations are unclear on this issue, but generally in both the European Union and United States, devices/technology used in the context of medical advice/health care requires approval. The problem with current regulatory approval processes is that approval is granted only to one specific version of a product and/or device, but AI technology and/or devices are constantly learning; if each iteration is a new “version,” then any approved version would be out-of-date almost immediately (and that’s without getting into “custom-made devices” within the medical device sector). Requiring regulatory approval for each version/iteration of the AI technology would be nonsensical. A new regulatory scheme tailored to the reality of AI technology (and other new and emerging technologies) in both the United States and European Union is needed.

Intellectual Property Ownership

Intellectual property and ownership issues regarding AI technologies include the following questions:

Who owns the data? For purposes of developing robust AI technologies, provided the bias issues discussed above are positively addressed, the more data, the better. Therefore, although AI developers/manufacturers could solicit the data from each data subject (i.e., the patient) directly, the more practical route is to acquire vast amounts of data from the healthcare provider, but who owns the data, and can the healthcare provider disclose/use the data this way?

In the United States, the patient generally does not own his or her medical information. The health record is generally owned by the provider that keeps the record (as a normal business record); HIPAA protects the privacy of the information for the benefit of the individual, but ownership of that information is not addressed in any federal law or the laws of 49 states (New Hampshire is the only state where the individual owns his or her information as a matter of statute). This structure applies only to the data fed into the AI technology. Who owns the output? Most likely, the developer or manufacturer will assert ownership to the results because it owns the algorithms that create the AI. What about results that are personal to an individual, such as a diagnosis or treatment plan? Isn’t that part of the health record owned by the provider?

In the United Kingdom, the person who developed the diagnosis and/or treatment plan owns the copyright in that plan (as the author of such plan); however, the personal information would still be owned by the patient (data subject) because it is personal to him or her. If the AI developer “owns” an individual’s diagnosis or treatment plan, can the developer sell or disclose it, or incorporate that information into other products, or use it for some other purpose? Currently, developers and users of AI technology are contracting around these issues, but that means that ownership, use, and disclosure are different across contracts as a result of individual leverage and market forces and, of course, such contracts leave out the patients entirely (unless the patient is providing the data to the AI developer directly).

In the European Union, there is a distinction between “ownership” and “control” over personal data. Data subjects (i.e., an individual) always retain ownership of their personal data (i.e., a company cannot own such information), but do not always have control over their personal data (e.g., a healthcare provider does not need permission to use one’s personal data because it was collected for the provider’s own purposes and control). Under the GDPR, data subjects are given enhanced rights over their own personal data; however, there are circumstances where a party who controls such personal data does not need to comply with the data subject’s requests and can continue to process the personal information (e.g., for medical treatment).

Where data is shared for the purposes of developing and/or testing AI technology, the key consideration should be transparency: Is the patient fully informed? Is there an appropriate legal basis? Without transparency, processing may be unlawful, and the patient could prevent it.

Who owns the algorithm? The algorithm is likely owned by the company who developed it for use in the device and/or AI technology; however, there are questions around whether someone can own something that is essentially a “self-learning” machine. Is the algorithm something tangible that can be explained? Or is the initial algorithm something tangible, but then the AI learns to improve this, and then the company no longer has control over the decision-making process?

Who owns the device/product/finished AI machine? This will depend on what the device or product is. Where the product is the technology, i.e., the algorithm, the healthcare provider may wish to own this to control more of the output. However, it is likely that the developer/manufacturer would want to claim ownership, especially where such use is novel in the sector.

UK/EU Thoughts

The United Kingdom has been investigating the role of AI in healthcare over the last few years, and in September 2018, the government published a code of conduct for data-driven healthcare technology. The code sets out 10 key principles (some relate to data protection and existing NHS codes of practice):

1. Define the user—who is the product for, and what problem are you solving?
2. Define the value proposition—why has it been developed?
3. Be fair, transparent, and accountable about what data are used—use privacy-by-design principles and data protection impact assessments.
4. Use data that are proportionate to the identified user need—use the minimum personal data required to achieve the purposes.
5. Make use of open standards—build in current standards.
6. Be transparent to the limitations of the data and understand the quality of the data.
7. Make security integral to the design—have appropriate levels of security to safeguard data.
8. Define the commercial strategy—commercial terms that benefit partnership between the commercial organization and healthcare provider.
9. Show evidence of effectiveness for the intended use.
10. Show the type of algorithm being developed or deployed, the evidence base for using that algorithm, how performance will be monitored on an ongoing basis, and how performance will be validated—show the learning method you are building.

It is clear from the United Kingdom’s willingness and prioritization of such a code of conduct that AI technology is seen as a method of advancing its healthcare system. It remains to be seen whether the code will be successful and ensure best practices among organizations working together to develop such technologies in the future. As of the date of this article, the government has more pressing priorities, and cooperation with the European Union in this area may be delayed.

The matter has also been discussed at an EU level, and in April 2018, the European Commission published its Communication on enabling the digital transformation of health and care in the Digital Single Market; empowering citizens and building a healthier society (the Communication). The Communication outlines the need for major reforms in the healthcare sector and how developing new and innovative ways of working (through the use of technology and digital platforms) could assist in transforming health care into a modern, innovative, and sustainable sector.

In December 2018, the European Economic and Social Committee (EESC) released its opinion on the Communication (the Opinion), which largely supports the Communication and the Commission’s roadmap for transformation of the healthcare sector, and outlined some observations of which to take note when implementing such a vision of transformation.

The Communication focuses on three key areas:

1. Citizens’ secure access to and sharing of health data. The Commission highlighted that many data subjects would like to have better access to their health data and have more control/choice over with whom it is shared; however, there is limited electronic access to health records. Often, records are in paper form and scattered among different healthcare providers, i.e., not available electronically in one central location.
2. Better data to promote research, disease, prevention, and personalized health care. Personalized health care is an emerging approach to health care that focuses on using data to better understand individual characteristics to enable care to be provided when necessary. The use of data have increased the healthcare sectors’ ability to monitor, identify, and predict healthcare conditions, which also means they are better equipped to diagnose and treat such conditions.
3. Digital tools for citizen empowerment and for person-centered care. The Commission recognizes that to cope with the ever-increasing demand on healthcare services, health care must move away from treatments and toward health promotion and prevention, which will involve a move away from disease and toward well-being, as well as a move away from fragmented service provisions toward a community-based care model.

Conclusion

There has been significant recognition at national and supranational government levels that AI technology has a role to play in the development of health care; however, many obstacles remain before AI technologies are fully accepted into those healthcare systems. Such issues will require thoughtful and careful consideration by technology developers, healthcare providers, and healthcare professionals to develop a consistent approach to the issues identified as barriers to the full integration of AI technologies into the healthcare systems.

As noted, in the United Kingdom, the government has seen these potential issues arising in discussions about health care and AI and recognize the potential benefits to the NHS of adopting such technologies. The government has therefore published a code of conduct to ensure that healthcare organizations and those developing AI technologies are working together and upholding best practices when dealing with patient data.

In the European Union, the Commission has been considering more effective ways to encourage AI technology in the healthcare sector and has identified some barriers to adoption of AI technology in the healthcare sector and set out some proposals to remedy this.

In the United States, AI technology is becoming more accepted by patients and providers, but regulations are lagging behind innovation and acceptance, which may be dangerous to patients. In addition, the uncertainty around liability, ownership, etc. may be dampening progress in the United States, not to mention the uncertainty around whether AI technologies (and automation in general) will create jobs or eliminate them.

We hope that, moving forward, AI technology companies and the healthcare sector find a way to partner successfully, utilizing patient data in a safe and secure manner while training AI technology/machines to provide healthcare assistance in the future, and ensuring that our healthcare systems move with the times and cope with mounting pressure on staff, time, and resources to the benefit of all.

The authors thank the Health IT Task Force of the Cyberspace Committee for support and assistance with the article.

Introduction

 The Bankruptcy Court for the District of Maryland recently ruled that a secured creditor retains its priority over other junior creditors even though its UCC financing statement lapsed during the bankruptcy case.  The case resolves a conflict between federal bankruptcy law and UCC state law. The freeze rule maintains the petition-date priority of the secured creditors throughout a bankruptcy case.

The Case: Firstrust Bank v. Indus. Bank (In re Essex Constr., LLC), 591 B.R. 630 (Bankr. D. Md. 2018)

Essex Construction, LLC filed for bankruptcy under chapter 11. On the petition date, two banks held perfected security interests in the debtor’s assets: Firstrust Bank and Industrial Bank. On the petition date, Industrial held the senior interest. Industrial recorded its UCC-1 financing statement in 2012; Firstrust in 2014. The debtor filed for bankruptcy in 2016. One year later, in 2017, and while the case was still in chapter 11, Industrial’s financing statement lapsed.

The issue centers on the post-petition lapse of Industrial’s financial statement. Neither bank disputed that Industrial held the senior interest on the petition date. They disagreed on the effect of the post-petition lapse. Firstrust argued that state law—Article 9 of the UCC—mandates that it should jump Industrial in priority and that a chapter 11 proceeding should not change this result under state law.  Industrial asserted that the freeze rule in bankruptcy rendered the post-petition lapse inapplicable for determining priority.

Priority Lost: Article 9 of the UCC

Under section 9-515 of Maryland’s UCC, a filed financing statement remains effective for five years. Industrial filed its statement in 2012, and it remained effective until 2017.  Absent the filing of a continuation statement, the financing statement lapses on the expiration date and rendered unperfected pursuant to section 9-322(a)(2), which states that a perfected security interest has priority over a conflicting unperfected security interest.  In short, a secured creditor will lose its place in line if it fails to file the continuation statement.  Under this rational, Firstrust argued that its security interest had priority over Industrial’s conflicting unperfected security interest because of the lapse in 2017.

Firstrust relied on legislative history. It noted that the UCC used to state the following: “[i]f a security interest perfected by filing exists at the time insolvency proceedings are commenced by or against the debtor, the security interest remains perfected until termination of the insolvency proceedings.”  That language was removed in the current version of the UCC.  Firstrust argued that the removal of this language evidenced the legislature’s intent to eliminate the freeze rule. That rational, however, was not supported by the comments to the section 9-515, which explain that the legislature did not intend to eliminate that rule.  Rather, the comments confirm that the effect of the lapse on priority is left to courts to decide based on federal bankruptcy law.

Priority Regained: Freeze Rule in Bankruptcy

In bankruptcy, the freeze rule freezes the priority of a security interest as of the petition date, which will remain the priority throughout the bankruptcy case. This principle has been recognized by the U.S. Supreme Court since at least 1931: “valid liens existing at the time of the commencement of a bankruptcy proceeding are preserved.” Isaacs v. Hobbs Tie & Timber Co., 282 U.S. 734, 738 (1931).

Two leading cases explain how the freeze rule works. In Halmar Distributors, a debtor moved its inventory to Massachusetts. The senior secured creditor filed proper financing statements in New York, but the junior filed in both New York and Massachusetts. Under the UCC, the senior had to file in Massachusetts within four months to maintain its position. It failed to do so. Yet the court found that the senior maintained its position because the lapse occurred after the debtor filed for bankruptcy. The senior secured creditor’s position was frozen in time on the day of the petition.

The second case is Chaseley’s Foods. It also involved the effect of a lapsed financing statement on a secured creditor’s priority. Again, the court found that the secured creditor maintained its status despite failing to file a continuation statement during a bankruptcy case. The court also addressed the effect of the UCC. It concluded that a bankruptcy case maintains the priority of a secured creditor regardless of whether a provision in the UCC reaffirms this principle. The lapse makes no change.

That is what happened here. Before bankruptcy, Industrial had priority over Firstrust. On the day of the bankruptcy filing, Industrial had priority over Firstrust. Throughout the bankruptcy case, Industrial had priority over Firstrust. Nothing changed when Industrial’s financial statement lapsed shortly after the bankruptcy filing. Under the UCC, Industrial would have lost priority. But the freeze rule maintained Industrial’s priority—a result that the drafters of the UCC affirmed in their comments to Article 9. A senior secured creditor in bankruptcy need not file a continuation statement to maintain its priority.

The American Bar Association’s Derivatives and Futures Law Committee published a first-of-its-kind comprehensive legal guide for practitioners and their clients involved with the fast-developing markets for “crypto” or “virtual” currencies, and the many other types of digital and digitized assets that exist or are recorded on blockchain platforms. The committee’s over 300-page White Paper, “Digital and Digitized Assets: Federal and State Jurisdictional Issues,” reviews the complex web of federal and state statutes and precedents that have been applied to transactions in such digital assets.

The paper was prepared by the Jurisdiction Working Group of the committee’s Innovative Digitized Products and Processes Subcommittee, with contributions from 34 lawyers with expertise in derivatives, securities, FinTech, and related areas of law. The paper summarizes the current interpretations and applications of the federal securities, commodities, and derivatives trading laws, the federal anti-money-laundering statutes, and the state statutes governing money services businesses. It also reviews some of the principal international statutory approaches to regulating crypto assets. Recognizing the complexity and uncertainty of the law in this area, the subcommittee prepared the paper as a service to and resource for practitioners and policy makers. The Commodity Futures Trading Commission (CFTC) included a presentation on the paper at the meeting of its Technology Advisory Committee on March 27th.

Regulators face interpretative obstacles in determining the scope and application of laws that do not envision financial products with the novel, varied, and unique characteristics of digital assets. Recognizing these challenges, the CFTC, the Securities and Exchange Commission (SEC), the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), the Internal Revenue Service (IRS), and state regulators such as New York’s Department of Financial Services (New York DFS) have issued guidance or interpretations concerning application of their rules to digital asset products and market participants. Foreign regulators have done the same. In applying its laws and rules to digital assets, each regulator and standard-setting body must consider the potentially overlapping jurisdiction of other regulators, including cross-border issues.

The paper addresses these themes in eight sections: (1) a factual background describing the various types of digital or crypto assets and blockchain systems; (2) CFTC jurisdiction over digital assets, with an emphasis on virtual currencies; (3) SEC regulation of digital assets under the Securities Act of 1933 and Securities Exchange Act of 1934; (4) regulatory implications under other federal securities laws, specifically the Investment Company Act and the Investment Advisers Act; (5) issues created by jurisdictional uncertainty between the CFTC and SEC, an analytic framework for considering those issues, and potential tools for resolving jurisdictional issues; (6) FinCEN’s regulation of digital assets; (7) international regulation of digital assets and blockchain technology; and (8) state regulation of digital assets. These sections lay out the varying and diverse approaches taken by federal, international, and state regulators with respect to digital asset uses and markets as well as interpretative issues associated with each approach, given that digital asset markets are still in the early stages of development.

Section 1 is a high-level primer on blockchain technology and the different categories of digital and digitized assets and how they function within a blockchain or other electronic ledger. It explains that the absence of uniform definitions for digital assets creates obstacles for regulators in establishing what obligations should apply to these products.

Section 2 provides an overview of the Commodity Exchange Act (CEA) and how the CFTC has applied it to digital assets—with a focus on virtual currencies—and derivatives based on them. It analyzes the potentially broad reach of the CEA’s definition of “commodity” (which covers items one would not expect under a common understanding of the term, such as securities) and the interpretative questions it raises since the CFTC first formally asserted in 2015 that virtual currencies are commodities within its oversight. It analyzes the CFTC’s authority to regulate derivatives on digital assets listed on registered exchanges, swaps on digital assets, and off-exchange leveraged or financed transactions involving digital assets with retail persons, as well as the agency’s anti-fraud and anti-manipulation enforcement authority over digital asset markets. This section also summarizes the current jurisdictional boundaries between the CFTC and the SEC over the various types of financial derivative instruments.

Section 3 explains the application of the Securities Act, the Exchange Act, and SEC regulations to digital assets. It explains the SEC’s treatment of digital assets as securities if they are deemed to be “investment contracts” pursuant to the Supreme Court’s four-part test set out in SEC v. Howey, and the regulatory obligations that apply to issuers and market intermediaries with respect to digital assets that are securities, such as securities registration, reporting requirements and disclosures for issuers, and broker-dealer registration and capital requirements for intermediaries.

Section 4 covers the application of the Investment Company Act and the Investment Advisers Act to investment management activities involving digital assets. Among other things, it summarizes registration requirements for investment companies and for their shares, and explains how the definition of “security” for purposes of determining whether investments trigger investment company status can be broader than the definition in the Securities Act and Securities Exchange Act. With respect to the Investment Advisers Act, the paper explains what constitutes investment advice and summarizes registration requirements and exemptions from registration, and how they can arise in connection with digital assets.

Section 5 analyzes the overlapping and potentially conflicting jurisdiction of the CFTC and SEC and the need for agency guidance to provide a clear and commercially compatible regulatory regime. Recognizing that digital assets can diverge greatly in their characteristics and uses, defying easy “one size fits all” classification, section 5 suggests a framework for applying a jurisdictional analysis to such assets. The discussion includes an explanation of how CFTC and SEC jurisdiction has intersected in the past, and a set of questions for evaluating whether a particular digital asset is within the purview of one agency alone, both agencies together, or neither agency. Section 5 also discusses past instances of jurisdictional debates between the two agencies and how they were resolved. It describes the formal inter-agency process for cooperation mandated as part of the Dodd-Frank Act for clarification of each agency’s jurisdiction over novel products. The paper examines other potential methods to resolve jurisdictional issues without new legislation, including utilizing each agency’s exemptive authority.

Section 5 is particularly timely. SEC FinHub recently issued a “Framework for ‘Investment Contract’ Analysis of Digital Assets” that provides color on how to apply the Howey investment contract analysis to digital assets, and identifies additional considerations for reevaluating whether a digital asset initially sold as a security remains a security in the future. The framework does not address the jurisdictional issues raised in section 5, but may help further illuminate how the SEC and CFTC can jointly address them.

Section 6 explains FinCEN’s regulation of virtual currency issuers and sellers through its authority to regulate “financial institutions” under the Bank Secrecy Act (BSA). These regulations focus on combating money laundering and terrorism financing. This section discusses the scope of FinCEN’s regulatory authority under the BSA and how FinCEN has interpreted the BSA’s term “financial institution” to extend its authority to certain virtual currency businesses deemed to be money services businesses. Those businesses are required to register with FinCEN, submit to examinations by the IRS, and establish an anti-money-laundering program. This section also describes FinCEN’s enforcement actions against virtual currency market participants.

Section 7 provides an overview of international regulations, directives, and guidance regarding virtual currency and other digital asset markets. It discusses European efforts initiated at both the EU level, through EU legislation and European Securities and Markets Authority guidance and statements, and the individual country level. These efforts include compliance obligations under the Markets in Financial Instruments Directive II, the European Market Infrastructure Regulation mitigation requirements, and European Parliament and EU Council amendments to anti-money-laundering legislation to specifically cover cryptocurrency exchanges and custodial wallet providers. Section 7 also summarizes approaches to virtual currency taken by regulators in the United Kingdom, Switzerland, France, Germany, Austria, Slovenia, Malta, Japan, South Korea, Singapore, China, and Australia, and addresses guidance by international bodies such as the International Organization of Securities Commissions, the Financial Services Board, the Financial Action Task Force, and the Bank for International Settlements.

Section 8 discusses key state regulators that also have asserted authority over virtual currency businesses. It focuses on the New York DFS regulations of virtual currency businesses and the requirement that those businesses register for a “BitLicense.” It explains the exemption from BitLicense regulations for virtual currency businesses that are chartered under New York banking law. Section 8 also summarizes the efforts of other states in regulating the issuance of virtual currencies or tokens through initial coin offerings, and an appendix provides a 50-state survey of the state laws and regulations that govern money transmitters and virtual currency regulations (as of January 23, 2019).

The subcommittee is undertaking other projects through its working groups. In addition to the efforts of the Jurisdiction Working Group, the Blockchain Modality Working Group is considering commercial and regulatory issues relating to application of blockchain technology in the financial markets and financial services industry, and the Self-Regulatory Organization Working Group is considering issues for potential implementation of self-regulation with respect to markets for digital assets.

On March 29, 2019, Section members and guests enjoyed a most interesting presentation by guest speaker Chris Gear, the vice-president of team operations and general counsel for Canucks Sports and Entertainment, which owns the Vancouver Canucks Hockey Club and Vancouver Warriors Lacrosse Club.

Chris reminded the audience of the fact that sport has become big business, and referring to the applicable laws as “sports law” is something of a misnomer; more accurately it involves the application of business law discipline to the sport context. Sport franchises are valued in the billions of dollars, and players are paid millions, sometimes hundreds of millions. Sport activities and the collateral aspects of those activities are often focal points in building cities and communities. Their activities are complex businesses that operate within the existing social and legal orders.

Sport, like all of society, continually evolves, as does its footprint. Chris gave the example of the rise of e-sport, which like it or not is now a factor. His company has already invested in the sector, particularly the competitive gaming aspects. In respect of the phenomenon, like any responsible business investment in something new, he sought “expert” advice. Although he could understand why individuals might have an interest in playing e-sports, why would people would pay to watch (often in specially constructed facilities) other people play e-sports, from which the players earn considerable income? The 12-year old expert’s perspective on this was simply, “Dad, you watch other people playing hockey for a living.” There will be much more of this to come.

The seminal events that brought Chris to sports occurred in 1984, when the Edmonton Oilers won the first of five Stanley Cup championships, led by the Great One, Wayne Gretzky, and when Los Angeles hosted the Olympic Games. This led to business school, followed by law school and subsequent professional experience in M&A, corporate finance, and related fields. His insertion in the sports field came from volunteer involvement in an annual PGA golf tournament sponsored by Air Canada, which helped him to understand the needs of sponsors and broadcasters. When Vancouver decided to bid for the 2010 Winter Olympic and Paralympic Games, Chris volunteered to work on the bid as an investment in the community at large.

After Vancouver won the bid, the chief legal officer of the organizing committee offered him a job on the legal team for the ensuing five to six years. It was a whirlwind experience, with long, difficult, but inspiring, work and some 5,000 contracts, for which there were precious few useful precedents (given that the preceding Olympic Games were held nin China, Italy, and Greece). They encountered the usual range of problems, from a lack of snow, interference with the torch relay, and initial bad weather that, fortunately, cleared up by the fourth day of the games.

During his time with the Canucks, there have been several legal issues to face, which have included legal proceedings arising from the career-ending injury of an NHL hockey player that took forever to resolve, including jurisdictional issues (whether the case should be resolved in civil court or within the NHL structure, and whether the injury was a personal or club responsibility) and a quantum of applicable damages. Other legal proceedings arose in the context of a trademark of the Vancouver Millionaires, a hockey club that had won the Stanley Cup in 1915, before the NHL was formed. The trademark had been acquired by a squatter, who sold t-shirts with a registered mark. The owner, a hard-rock performer named Thor (but off-stage a reasonable, mild-mannered Clark Kent), agreed to sell it, and the Vancouver team wore the jerseys in an NHL game commemorating the 1915 Stanley Cup winners.

The matter of trademarks is one of the most valuable assets for any professional team, which must be able to protect the rights it has granted to marketing partners and sponsors. A local Honda dealership jumped on the Canucks playoff bandwagon and portrayed itself as (in effect) a Canucks partner, painting the dealership in Canucks colours and generally occupying a great deal of Canucks “space.” This, of course, was not appreciated by the official Canucks sponsor in the automotive category, General Motors. The team sent a cease-and-desist letter to the dealership, which then took it to a local radio station and had it read over the air, painting the Canucks in a bad light. The learning experience for the team was that it had not explained in advance to the public how important it was to the Canucks that the rights granted be respected by the community at large.

An emerging set of rights relates to players. To what extent does a player retain the rights to her or his image, and to what extent does the club or organization own those rights? One solution to the dilemma was to create a group licence, under which the clubs could use four or more players in a club promotion, whereas in promotions involving three players or less, the individual players retained their personal rights, and their consent would be required. A local professional hockey team had a promotion for Canucks Water, using the portraits of four players on water bottles, under the group licence agreement. The agent for one of the four complained that the players union had no right to use his client’s image. The club immediately removed his image and found another player, who then trumpeted around town that they had had to change the complaining player’s bottles because those bottles tasted like piss. What comes around, goes around!

In his current role with the Canucks Management Team, Chris deals on a daily basis with risk management, governance, venue, and other agreements; player compensation; dealerships; sponsorships; the evolving e-sports; and concessions. He considers that sports are good for society and the local community. As he says, “We are all Canucks.”

During the Q & A following his initial remarks, Chris was asked what innovations were being adopted to make the game of hockey more interesting for spectators. Chief among these were the use of chips in the pucks and players’ uniforms to enable better tracking of the movements of both the players and the puck and better replays to demonstrate how plays developed, all as supplementary information for the fan base. There is also the possible use of biometric data and statistics (such as heartbeat, speeds, etc.) if such data is not used improperly, such as a club refusing to pay a large (or long-term) salary to a player who was shown by the biometric data to have an irregular heartbeat.

As we enter the 2019 proxy season, we want to bring your attention to a few topics that are likely to play a prominent role in the coming months.[1] In this article, we discuss some of the significant policy changes adopted by ISS and Glass Lewis applicable to the 2019 proxy season and the SEC’s continued focus on non-GAAP measures.

1. ISS PROXY VOTING POLICY UPDATES

ISS has updated its proxy voting policies for shareholder meetings held after February 1, 2019. The following is a summary of the significant policy changes:

A. Board Composition—Gender Diversity

For the 2019 proxy season, ISS will not issue an adverse vote recommendation due to lack of gender diversity. It will, however, highlight the lack of gender diversity in its report. For companies in the Russell 3000 or S&P 1500 indices, effective for meetings on or after February 1, 2020, ISS intends to recommend a vote against or withhold from the chair of the nominating committee (or other directors on a case-by-case basis) at companies with no women on the company’s board.

B. Board Accountability—Management Proposals (New)

ISS took note of the use of board-sponsored proposals to ratify existing charter or bylaw provisions during the 2018 proxy season. In particular, ISS noted that several companies “obtained no-action relief to exclude shareholder proposals to adopt or amend the right of shareholders to call a special meeting by seeking ratification of their current provision. Notably, none of these ratification proposals made material changes to the provisions that enhanced shareholders’ rights to call special meetings.”

In response, ISS has adopted a new policy to recommend a vote against/withhold from individual directors, members of the governance committee, or the full board where boards ask shareholders to ratify existing charter or bylaw provisions considering certain enumerated factors.

C. Shareholder Rights—Management Proposals to Ratify Existing Charter or Bylaw Provisions (New)

Under this new policy, ISS will generally recommend a vote against management proposals to ratify provisions of the company’s existing charter or bylaws, unless these governance provisions align with best practice. In addition, in certain instances, ISS could also recommend a vote against/withhold from individual directors, members of the governance committee, or the full board, in certain instances.

Action Items:

• In light of the new gender diversity emphasis, companies without any female board members may wish to include a firm commitment, as stated in the proxy statement, to appoint at least one female to the board in the near term.
• For a company that has included a shareholder proposal or management proposal in its proxy statement, consider expanding disclosure in its next proxy statement regarding the outreach efforts by the board to shareholders in the wake of the vote and the level of implementation of that proposal.

2. GLASS LEWIS

In late October 2018, Glass Lewis published its updated U.S. policy guidelines and 2019 shareholder initiatives policy guidelines. The following is a summary of some significant changes to the guidelines that are in effect for annual meetings held after February 1, 2019, except as noted below.

A. Board Gender Diversity

For meetings held after January 1, 2019, Glass Lewis will generally recommend voting against the nominating committee chair of a board that has no female members. Glass Lewis may extend this recommendation to vote against other nominating committee members depending upon several factors, including the size of the company, the industry in which the company operates, and the governance profile of the company. This policy does not necessarily apply to companies outside the Russell 3000 index or those that have provided a robust explanation for not having any female board members.

B. Conflicting and Excluded Proposals

Glass Lewis has updated its policy related to “conflicting” management proposals, and in those instances where a special meeting shareholder proposal is excluded as a result of “conflicting” management proposals, it will take a case-by-case approach, taking into account the following issues: (1) the threshold proposed by the shareholder resolution; (2) the threshold proposed or established by management and the attendant rationale for the threshold; (3) whether management’s proposal is seeking to ratify an existing special meeting right or adopt a bylaw that would establish a special meeting right; and (4) the company’s overall governance profile, including its overall responsiveness to and engagement with shareholders. Glass Lewis noted that it generally favors a 10–15 percent special meeting right and will generally recommend voting for management or shareholder proposals that fall within this range.

With respect to conflicting proposals, Glass Lewis will generally recommend in favor of the lower special meeting right and will recommend voting against the proposal with the higher threshold. In addition, where there are conflicting management and shareholder proposals, and a company has not established a special meeting right, Glass Lewis may recommend that shareholders vote in favor of the shareholder proposal and that they abstain from a management-proposed bylaw amendment seeking to establish a special meeting right.

Glass Lewis also noted that, in certain, very limited circumstances where the exclusion of a shareholder proposal is “detrimental to shareholders,” it may recommend against members of the governance committee.

C. Environmental and Social Risk Oversight

Glass Lewis states that “an inattention to material environmental and social issues can present direct legal, financial, regulatory and reputational risks that could serve to harm shareholder interests,” and that these issues should be carefully monitored and managed by companies, including ensuring that there is an “appropriate oversight structure in place to ensure that they are mitigating attendant risks and capitalizing on related opportunities to the best extent possible.” The key is to have appropriate board-level oversight of material risks to a company’s operations.

In certain instances where “a company has not properly managed or mitigated environmental or social risks to the detriment of shareholder value, or when such mismanagement has threatened shareholder value, Glass Lewis may consider recommending that shareholders vote against members of the board who are responsible for oversight of environmental and social risks.” In instances where there is no explicit board oversight on these issues, Glass Lewis states that it may recommend that shareholders vote against member of the audit committee.

Action Items:

• A company that finds itself without any female board members should provide a sufficient rationale for not having any female board members. Issues addressed in explaining the rationale could include a disclosed timetable for addressing the lack of diversity on the board and any notable restrictions in place regarding the board’s composition, such as director nomination agreements with significant investors.
• A company that qualifies as a Smaller Reporting Companies (SRC) under the new SEC guidelines should consider retaining the full CD&A disclosure, rather than taking advantage of the reduced disclosure requirements available to a SRC.

3. NON-GAAP MEASURES—EQUAL OR GREATER PROMINENCE

On December 26, 2018, the SEC settled charges with a public company that its disclosure gave undue prominence to non-GAAP financial measures included in two earnings releases in violation of section 13(a) of the Exchange Act and Rule 13a-11 thereunder. Although not admitting the factual basis of the charges, the public company agreed to cease and desist from future violations and agreed to pay a civil penalty of $100,000.

Action Items:

• Issuers should review their use of non-GAAP financial measures in SEC filings and earnings releases in light of the May 2016 CD&Is and the SEC’s recent action. Issuers should pay particular attention to ensuring that they present GAAP measures with “equal or greater prominence” whenever they present non-GAAP measures.
• The SEC will measure for “equal or greater prominence” within each particular section of the relevant filing or release. If a headline mentions a non-GAAP measure, then that headline should also mention the comparable GAAP measure. If a group of bullet-pointed highlights mentions a non-GAAP measure, then the bullets should also mention the comparable GAAP measure. Providing the comparable GAAP measure later in a filing or release (or in a footnote) is not sufficient.
• Practically, even though “equal or greater prominence” is the standard used in Regulation S-K, issuers should aim for GAAP measures to have greater prominence than any non-GAAP measures. This means using the comparable GAAP measure first, and before any comparable non-GAAP measure, and highlighting the GAAP measure to a greater degree than the non-GAAP measure. Issuers should also carefully review the use of any non-GAAP measures that indicate an improving picture of the issuer’s finances, where the comparable GAAP measure would indicate the opposite.
• Although the SEC has been willing to allow issuers to correct their disclosures in future filings, this action indicates that the SEC believes that it has provided issuers with enough advance notice of its position on undue prominence of non-GAAP measures, and that the grace period it provided for compliance may be coming to an end.

The 2019 proxy season is well underway, and the topics noted above are a few items that are expected to generate some interesting headlines.

[1] This article is based on a series of Proxy Season client alerts we published in early 2019. The full series is available here <https://www.dlapiper.com/en/us/insights/publicationseries/2019-proxy-season-hot-topics/>.

Indictments are often viewed as a death knell for a publicly traded company. As a result, whenever a government investigation involves a potential criminal penalty, obtaining a civil or administrative resolution in lieu of a criminal resolution is typically viewed as a favorable outcome for the company. Fares v. Smith[1] highlights that civil administrative actions by components of the U.S. Department of the Treasury (Treasury) can be as devastating for a company as a criminal indictment. Moreover, although an indictment at least requires a grand jury to find that probable cause exists to support criminal charges, Treasury can immediately act without an independent review, and any after-the-fact judicial review of Treasury’s determinations is severely limited.

The Fares matter stemmed from an administrative action taken by Treasury’s Office of Foreign Assets Control (OFAC) that essentially killed a global business: OFAC issued a blocking order that immediately caused the shutdown of a duty-free enterprise that earned over $600 million in revenue in 2015 and employed more than 5,000 individuals throughout Latin America.[2] Although OFAC provides a nominal path for administrative reconsideration,[3] this type of proceeding effectively shifts the burden of proof, requiring the company seeking reconsideration to provide evidence as to why it does not satisfy the criteria for the blocking that OFAC has already imposed. Such a burden requires a business entity to do the nearly impossible work of proving a negative—that it is not engaged in unlawful transactions. The challenging party in Fares did not fare well when it sought judicial review: the court not only granted substantial deference to agency determinations, but citing national security, law enforcement sensitivities, and confidentiality restrictions, also allowed OFAC to withhold substantial portions of the evidence upon which the government relied in making its determination.

The decision in Fares illustrates the challenges with successfully obtaining judicial review of an adverse finding by Treasury. Therefore, the best approach is to take all reasonable steps to avoid being in a situation where judicial review is even necessary through a robust compliance program that identifies and reviews potentially problematic transactions before they become so great that Treasury decides to take administrative action.

Background on Fares v. Smith

In Fares, the plaintiffs asserted due process violations against OFAC for freezing their assets under the Foreign Narcotics Kingpin Designation Act (Kingpin Act).[4] The Kingpin Act authorizes the president to block the U.S. assets of “foreign person[s] that play a significant role in international narcotics trafficking,” referred to as “significant foreign narcotics traffickers.”[5] The secretary of Treasury can derivatively designate foreign persons who “materially assist” or provide “financial or technological support” or “goods or services in support of the international narcotics trafficking activities of” a significant foreign narcotics trafficker.[6] The secretary can also derivatively designate foreign persons deemed to be “owned, controlled, or directed by, or acting for or on behalf of, a significant foreign narcotics trafficker,” or foreign persons who “play[] a significant role in international narcotics trafficking.”[7] Foreign persons designated under the Kingpin Act are referred to as “specially designated narcotics traffickers” (SDNTs).[8]

A designation under the Kingpin Act immediately freezes “all . . . property and interests in property within the United States, or within the possession or control of any United States person, which are owned or controlled by” the designated person.[9] There is no prior notice. A foreign person is permitted to see the unclassified, nonprivileged basis for the designation and seek administrative reconsideration only after getting designated and having all of his or her assets blocked.[10] OFAC will typically disclose a heavily redacted, unclassified administrative record, primarily consisting of news articles and other publicly available information.[11] OFAC can provide an unclassified summary of the classified information upon which it relied for the designation, or even allow counsel with security clearances to view the classified record, but it is often not required to do so.[12] To seek reconsideration, a designated party usually must complete a detailed questionnaire from OFAC and ultimately make a written submission.[13] There are essentially two grounds for delisting: an insufficient basis for the designation or a subsequent change in circumstances.[14]

In Fares, OFAC designated two Panamanian men and the companies they controlled as SDNTs for allegedly laundering money on behalf of multiple international drug traffickers.[15] The companies they controlled, including a company that sold duty-free goods internationally, had hundreds of millions of dollars in revenue and thousands of employees.[16] A few weeks after the designation, the plaintiffs requested OFAC to reconsider its decision, arguing that the designation would cause permanent adverse consequences and that they should be allowed to put their assets into trusts managed by independent persons approved by the U.S. government.[17] OFAC denied the initial request for reconsideration, but agreed to begin production of the administrative record.[18] One month later, OFAC produced the administrative record in two batches, and it was “very heavily redacted” because OFAC maintained that “law enforcement sensitiv[e]” or other forms of “privilege” required the almost complete redaction of the evidence underlying the designation.[19]

About a month after that, the plaintiffs filed suit against OFAC, arguing that OFAC failed to adequately disclose the basis for their designations and therefore did not provide sufficient notice under the Due Process Clause of the Fifth Amendment.[20] Only one day after the plaintiffs filed suit, OFAC provided a “terse[,] . . . two[-]paragraph,” unclassified summary of the evidence underlying the redacted portions of the administrative record.[21] Two months later, OFAC produced “a more substantial summary spanning several pages.”[22] After reviewing the entire record disclosed by OFAC, including the summaries disclosed months after the plaintiffs filed suit, the district court held that “the total body of information” gave the designated parties adequate notice and, therefore, satisfied due process.[23] In particular, unlike other challengers to OFAC’s blocking actions, “who were left in the dark as to the reasons for their designations,” the plaintiffs in Fares were “apprised, primarily via the [more substantial summary provided two months after they filed suit], of the government’s view regarding the basis for their designations, and as such, [could] meaningfully” rebut OFAC’s evidence and arguments.[24]

The D.C. Circuit affirmed the district court’s ruling, but it viewed the issue before it to be very narrow, holding that it essentially had no choice but to rule in OFAC’s favor because the plaintiffs in Fares declined to challenge the unclassified summaries, their involvement in money laundering, the nonspecific nature of the summaries, or the scope or legitimacy of the government’s “sweeping redactions to the administrative record.”[25] Rather, the court found that the plaintiffs in Fares chose to “present a single claim on a single theory[,] . . . insist[ing] that the court . . . order the agency to turn over the actual underlying evidence (or details regarding that evidence that would aid them in identifying its sources), or else require the agency to delist plaintiffs.”[26] The court held that this “all-or-nothing argument” was unavailing and decided the matter based on the narrow issue the plaintiffs in Fares chose to present.[27] To be sure, the D.C. circuit court, in dicta, signaled an openness to consider the broader due process concerns presented by the government’s ability to rely on heavily redacted administrative records,[28] particularly when the government cites law enforcement interests as opposed to national security concerns.[29] Although the dicta might provide cause for hope, it does not provide binding authority with which a designated entity can challenge the current practice of extensively redacting the administrative record.

The Importance of Compliance

Once a company is in the crosshairs of a Treasury component like OFAC and receives notice of an administrative action, the odds are already heavily stacked against the company. For large companies, such as the duty-free company in Fares, which process thousands of transactions each day, rebutting allegations from publicly available news articles and short summaries of confidential or classified information will essentially require a company to prove a negative—that it is not involved in unlawful activity—an endeavor that will require a costly and time-intensive review of tens, if not hundreds, of thousands of transactions that occurred during whatever multiyear period is under investigation. Even after such a review is completed, there is no guarantee that the review will directly address, or address to OFAC’s satisfaction, all of the specific transactions reflected in the classified, or otherwise confidential, portions of the evidence upon which OFAC relied but has withheld.

These substantial procedural and evidentiary obstacles highlight the need to take the necessary steps to maximize the likelihood that OFAC will not even consider initiating one of these administrative actions. Companies should work with outside counsel to ensure that they have a robust, state-of-the-art compliance program in place that minimizes the likelihood that sustained, violative transactions might occur and that can be lauded if some violative transactions do nevertheless occur. The immediate and substantial penalties associated with administrative action, coupled with minimal opportunity for agency or judicial review, make it incumbent on companies to do everything within their power to be proactive and to avoid an SDNT designation or any other comparable designation. As Fares demonstrates, obtaining post-designation relief can be challenging. For many businesses, designation in and of itself may be a fatal blow, and even if the business survives that blow, the prospects for relief through reconsideration can be dim.

[1] Fares v. Smith, 249 F. Supp. 3d 115 (D.D.C. 2017), aff’d, 901 F.3d 315 (D.C. Cir. 2018).

[2] Fares v. Smith, No. 16-1730 (CKK), at Dkt. No. 1 (Compl.) ¶ 7 (D.D.C. filed Aug. 25, 2016).

[3] 31 C.F.R. § 501.807 (setting forth administrative reconsideration process that, inter alia, requires Treasury to “provide a written decision to the blocked person”).

[4] Fares, 249 F. Supp. 3d at 118.

[5] 21 U.S.C. §§ 1903(b), 1907(7).

[6] Id. § 1904(b)(2).

[7] Id. § 1904(b)(3)–(b)(4).

[8] See 31 C.F.R. §§ 598.803, 598.314.

[9] 21 U.S.C. § 1904(b).

[10] See 31 C.F.R. § 501.807.

[11] Fares, 249 F. Supp. 3d at 125. See also Sulemane v. Mnuchin, No. 16-1822 (TJK), 2019 WL 77428, at *5–*7 (D.D.C. Jan. 2, 2019) (rejecting arguments that OFAC’s reliance on “open-sourced” news articles violated the Administrative Procedures Act).

[12] See, e.g., Al Haramain Islamic Found., Inc. v. U.S. Dep’t of Treasury, 686 F.3d 965, 983 (9th Cir. 2012).

[13] See, e.g., Kadi v. Geithner, 42 F. Supp. 3d 1, 29 (D.D.C. 2012).

[14] 31 C.F.R. § 501.807(a).

[15] Fares, 249 F. Supp. 3d at 119.

[16] U.S. Treasury Office of Foreign Assets Control, “Treasury Sanctions the Waked Money Laundering Organization” (May 5, 2016); 81 Fed. Reg. 28,937 (May 10, 2016); Fares v. Smith, No. 16-1730 (CKK), at Dkt. No. 1 (Compl.) ¶ 7 (D.D.C. filed Aug. 25, 2016).

[17] Fares, 901 F.3d at 319.

[18] Id. at 319–20.

[19] Id. at 320.

[20] Id.

[21] Id.

[22] Id.

[23] Fares, 249 F. Supp. 3d at 127.

[24] Id.

[25] Fares, 901 F.3d at 322–23.

[26] Id. at 323.

[27] Id. at 323–26.

[28] Id. at 324–25.

[29] Id.

The requirements of the Bank Secrecy Act (BSA) and anti-money-laundering laws (AML) are pervasive and longstanding, yet they continue to vex companies trying to comply with them. Regulators have hit virtually all large banks, and many nonbanks, with BSA/AML-related enforcement actions, resulting in large fines, deferred prosecution agreements, criminal consequences, and reputational damage.

New BSA/AML requirements are making compliance more, not less, challenging. The Financial Crimes Enforcement Network’s Customer Due Diligence Rule,[1] for example, will add to compliance costs and could contribute to further de-risking of bank accounts for money services businesses and other customers. This has made it more difficult for customers to maintain accounts and added to the demanding nature and already high cost of BSA/AML compliance.

The nexus between BSA/AML requirements and law enforcement and national security concerns will ensure that compliance remains a top priority for regulators and the Department of Justice. Understanding exactly what is required of an institution from a BSA/AML perspective is therefore more critical than ever.

Background

Enacted in 1970, the BSA is primarily a recordkeeping and reporting statute. Its purpose is to require certain reports or records where they have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.[2]

Tax evasion was the BSA’s initial purpose, but it subsequently became a primary weapon in the fight against narcotics, money laundering, terrorist financing, human trafficking, elder abuse, and other illicit activity. The Patriot Act,[3] enacted shortly after 9/11, expanded the BSA beyond banking, and now most nonbank financial institutions have BSA-related obligations, including compliance programs and suspicious-activity reporting. Even entities not subject to the BSA often assume compliance responsibilities because they contract with an entity subject to the BSA.

Chief among this expanded scope of institutions subject to the BSA are money services businesses (MSBs)—money transmitters, check cashers, providers of prepaid access, and dealers in foreign exchange, among others—and residential mortgage loan originators (RMLOs). The specific requirements for these categories of institutions are discussed in detail below.[4]

Requirements for MSBs

Compliance program. The fundamental requirement for MSBs under the BSA is the development and implementation of a BSA/AML compliance program that is reasonably designed to prevent the MSB from being used to facilitate money laundering and the financing of terrorist activities. The written compliance program must be commensurate with the risks posed by the location and size of, and the nature and volume of the financial services provided by, the MSB and made available for inspection by the Department of the Treasury.

These programs must incorporate what are referred to as the four pillars:

1. policies, procedures, and internal controls that are reasonably designed to assure compliance with the BSA, including procedures to verify customer identification (applicable only to providers or sellers of prepaid access), file reports, maintain records, and respond to law enforcement requests;
2. a designated person to assure day-to-day compliance with the program;
3. education and training of appropriate personnel; and
4. independent review to monitor and maintain an adequate program.

Registration. MSBs (other than providers of prepaid access) are required to register with FinCEN and renew that registration every two years; states in which the MSB does business often require registration as well. Agents generally do not have to register.

Reporting. MSBs have specific reporting requirements, the most important of which are currency transaction reports (CTRs) on cash transactions exceeding $10,000 and suspicious-activity reports (SARs) on suspicious transactions exceeding $2,000. MSBs must retain CTRs and SARs for five years from the date of filing.

An MSB may disclose SARs to only a limited group: FinCEN; a federal authority (such as the IRS) or state authority with power to examine the MSB for compliance with the BSA; and federal, state, and local law enforcement. Strict confidentiality requirements apply, with criminal penalties for unauthorized disclosure. The business may share facts, transactions, and documents underlying a SAR with other institutions and, in limited circumstances (permitted by regulation or regulatory guidance), may share the actual report within the organization. MSBs are protected from civil liability extending from SAR filings. FinCEN and its delegates are responsible for examining MSBs for compliance with these requirements.

Requirements for RMLOs

RMLOs are subject to program requirements that are similar to those applicable to MSBs. Although RMLOs are not required to submit CTRs, they are required to file similar reports (Form 8300) when receiving cash payments over $10,000. They are also subject to SAR requirements, although the filing threshold is $5,000. The SAR recordkeeping and confidentiality requirements also apply, as well as the safe harbor from civil liability. As with MSBs, FinCEN and its delegates conduct compliance examinations.

Sanctions

Sanctions are not formally part of the BSA, but are related and important. Compliance with the sanctions regime is required for all U.S. persons, not just financial institutions. The Office of Foreign Assets Control (OFAC) is responsible for administering U.S. sanctions. There is no formal program requirement, but regulators expect banks and most nonbank financial institutions to have an effective filtering process in place to screen accounts and transactions for the involvement of individuals and entities that are on the Specially Designated Nationals and other lists or are OFAC-sanctioned jurisdictions, such as Iran and North Korea. Companies are expected to block or reject (depending on the exact sanctions) attempted transactions that result in hits and report them to OFAC. Sanctions compliance has been under intense scrutiny in recent years, and violations have resulted in large fines.

Conclusion

Although nonbanking institutions are not regulated for BSA/AML and sanctions compliance to the same degree that banks are, they are widely perceived as vulnerable to illicit activity and therefore subject to significant scrutiny. Enforcement agencies include FinCEN, DOJ, and OFAC as well as federal, state, and local regulators. As fines over many years have made clear, the costs of getting it wrong in this area can be severe. Institutions subject to the BSA/AML requirements should therefore take care to develop, implement, and maintain procedures covering the following areas:

• risk assessment
• customer identification
• customer due diligence/enhanced due diligence (CDD/EDD)
• customer risk rating
• monitoring
• investigation
• SARs
• CTRs

The primary purpose of these procedures is to help companies develop a deep enough understanding of their customers to be aware of which ones present AML risks, and then help companies successfully manage those risks while identifying and reporting suspicious transactions.

Given the expanding role of nonbanking institutions in the payment system and the overall economy—and the persistent focus on money flows implicating national security or law enforcement concerns—BSA/AML compliance is poised to be an area of increasing importance for the foreseeable future.

[1]  See Customer Due Diligence Rule, 31 C.F.R. § 1010.230.

[2] See Bank Secrecy Act, 31 U.S.C. § 5311 et seq.

[3] See Pub. L. No. 107-56, 115 Stat. 272 (2001).

[4] Much of the subsequent discussion of the requirements of BSA/AML laws and related compliance obligations are descriptions drawn from 31 C.F.R. §§ 1010, 1020, and 1029. For more information, see https://www.law.cornell.edu/cfr/text/31/subtitle-B/chapter-X.

INTRODUCTION

For much of 2018, Canada was the focal point of the global cannabis industry due mainly to Canada’s federal legalization of cannabis for recreational purposes, which occurred on October 17, 2018. Fueled by optimism surrounding both Canadian and global prospects, we saw a significant uptick in capital raising in the cannabis industry, with nearly US$13.8 billion raised in 2018, up from US$3.5 billion in 2017. Much of this capital raising activity was a result of U.S. cannabis companies that looked north of the border for access to capital markets.

Despite being only 6 months removed from legalization, Canadian licensed producers (LPs) appear to have shifted their focus to (i) developing “next generation” products, such as edibles and “vapes,” which are set to become legalized in Canada in October 2019, but which have been legal for some time in certain U.S. states, such as Colorado, California and Washington, and (ii) implementing a rest-of-world strategy that includes exposure to the U.S. cannabis market—both resulting in an increasing number of transactions reaching across the border. As U.S. clients are requiring more and more guidance from counsel, U.S. law firms are grappling with how to advise with respect to both the Canadian and U.S. cannabis industries.

With respect to the development of next generation products, significant investments from major U.S. alcohol and tobacco companies have given credibility to the Canadian cannabis industry and provided certain players with an experienced partner for the next phase of legalization (both domestically and abroad). Constellation Brands (Constellation), a leading international producer of wine, beer and spirits, made a US$4 billion investment in Canopy Growth Corporation (Canopy). The investment closed in November 2018 and brought Constellation’s ownership stake in Canopy to approximately 37%. In December 2018, Altria Group Inc. (Altria), parent company of Philip Morris USA, announced a US$1.8 billion investment in Cronos Group Inc. (Cronos), representing a 45% ownership interest in Cronos.

With respect to exposure to the U.S. market, the enactment of the 2018 Farm Bill in the U.S., which created a federally legal environment for the cultivation, distribution and sale of industrial hemp, has provided an opportunity for Canadian LPs to establish a toe-hold in the U.S. market after having previously been denied access due to the restrictions of the major Canadian and U.S. stock exchanges against operations which are offside U.S. federal law. The significance of the Farm Bill stems from the presence of the non-psychoactive cannabinoid, cannabidiol (CBD), which is found in industrial hemp and for which the Brightfield Group has estimated a potential market of US$22 billion by 2022 in the U.S. alone.

Canadian LPs, including Canopy and Tilray Inc. (Tilray), have already taken advantage of the liberalized U.S. hemp laws to establish a presence south of the border. On October 15, 2018 Canopy announced that it had entered into an agreement to acquire the assets of Ebbu, Inc., a  Colorado-based hemp research leader. Canopy has also taken a step toward establishing a cultivation presence in the U.S. by announcing on January 14, 2019 that it had been granted a licence by New York State to process and produce hemp. Canopy stated that it intends to invest between US$100 million and US$150 million toward the establishment of large-scale production capabilities focused on hemp extraction and product manufacturing within the U.S. Tilray, meanwhile, announced the acquisition of Manitoba Harvest, a Canadian hemp-based food processor with products currently sold in grocery store chains throughout Canada and the U.S. The company has been developing products containing hemp-derived CBD and plans to enter the U.S. CBD market once approved by the FDA.

CONSIDERATIONS FOR US LAW FIRMS

Cannabis continues to be a Schedule I narcotic under the federal Controlled Substances Act in the US. We have found little evidence of enforcement of federal law against cannabis companies operating within states that have established a legal framework, but, despite this, U.S. law firms have understandably been hesitant to provide legal services to companies that operate in the cannabis space. However, as was the case in Canada, the volume of activity in the space and the involvement of well-established, “traditional” clients have necessitated that major U.S. law firms become familiar with both the U.S. and Canadian cannabis industries.

The primary consideration from a U.S. legal perspective is that providing advice to a company that operates in violation of U.S. federal law, regardless of compliance with state cannabis laws, could be seen as aiding and abetting in the commission of a federal crime. Furthermore, a firm that accepts payment for such services could be in receipt of proceeds of crime under applicable anti-money laundering statutes. However, to advise a cannabis company that operates exclusively in Canada, or any other jurisdiction which has a legal framework regulating cannabis, does not appear to be a violation of U.S. law. As a result, many U.S. law firms have gotten comfortable advising cannabis companies that do not have U.S. cannabis operations, such as Canopy and Tilray. Similarly, U.S. law firms have gotten comfortable advising U.S. companies who do business with cannabis companies that operate solely outside of the U.S., such as Constellation, Altria and other U.S. investors.

U.S. law firms should take comfort from the policies of major stock exchanges (the TSX and TSX-V in Canada, and the NYSE and NASDAQ in the U.S.), which prohibit the listing of cannabis companies that operate in violation of U.S. federal law. Although such issuers are subject to continuous monitoring by the exchanges, law firms are best advised to conduct their own diligence prior to agreeing to act on behalf of any cannabis company.

Another consideration that has provided some comfort for U.S. law firms with respect to aiding and abetting in the commission of a federal crime is the degree to which a prospective client “touches the plant.” Any company that cultivates, processes, or sells cannabis would be said to “touch the plant”—these are the clients that U.S. law firms have been most hesitant to advise. However, as the degree of contact with the plant decreases, the comfort with providing legal services increases. For example, a client that is providing security systems or hydroponic lights to in the cannabis industry is generally viewed as a much less risky client than one that directly touches the plant.

Even still, some U.S. law firms have gotten comfortable advising clients that touch the plant with the reasoning that general corporate, securities and transactional advice is not aiding and abetting the commission of a crime, as they are not advising on any matter that is a violation of federal law.

One final concern expressed by some U.S. law firms is that of reputational risk. There remains a degree of stigma associated with cannabis use, and that is considered by the general counsel and ethics committees of law firms when deciding whether to accept a cannabis-related mandate. Furthermore, as a relatively nascent sector, the cannabis industry has experienced some growing pains in both Canada and the U.S. in the form of questionable dealings by executives and directors. Many firms fear the prospect of seeing their name alongside their client’s in a news story regarding unscrupulous behaviour.

Ultimately, the level of comfort a law firm has with working in the cannabis space exists on a spectrum. Many large firms simply won’t advise on cannabis-related matters. Others have taken a cautious approach, working exclusively on deals that do not involve U.S. cannabis operations or with companies that are several steps removed from touching the plant. At the opposite end, there are those that have leapt headfirst into the industry, advising U.S.-focused clients that do in fact touch the plant, with an eye toward establishing a first-mover advantage in the industry and “being on the right side of history.”

LOOKING FORWARD

Even for firms that have avoided the cannabis industry to date, the reality in the U.S., as it was in Canada, is that traditional firm clients, whether it be investment banks, retailers, pharmaceutical or consumer packaged goods companies, will get involved in the cannabis space and firms will need to get smart in a hurry.

Federal legalization of cannabis in the U.S. appears to be on the horizon, whether it be as part of a 2020 election campaign or sometime prior. We expect that there will continue to be interest in U.S. hemp and cannabis assets from Canadian LPs in the interim and expect that there will be an explosion of activity in the form of capital raising and domestic M&A upon federal legalization in the U.S. At that time, firms that have developed experience, expertise and relationships in the cannabis industry will be well positioned to capitalize on the opportunity.

Recent months have been busy for banking lawyers focused on the cannabis industry and the legal and regulatory risks of providing financial services to marijuana-related businesses. Of principal note, in mid-December, President Trump signed the Agriculture Improvement Act of 2018 (the 2018 Farm Bill) into law, which lifted the federal prohibition on hemp production. This law also has significant implications regarding the legality of cannabidiol (CBD), a popular hemp derivative. This article will first explain the significance and implications of the 2018 Farm Bill, describe possible divergences in state and federal law regarding cannabis generally, and briefly touch on international developments.

For decades, the United States has been the only industrialized nation where hemp was not a legally authorized crop. Schedule I of the federal Controlled Substances Act of 1970 (CSA), 21 U.S.C. § 801 et seq., has long prohibited the growing, production, and sale of marijuana, which has been defined under the CSA as including all parts of the Cannabis sativa L. plant, with the exception of “the mature stalks of such plant, fiber produced from such stalks, oil or cake made from the seeds of such plant, any other compound . . . of such mature stalks (except the resin extracted therefrom), fiber, oil, or cake, or the sterilized seed of such plant which is incapable of germination.”[1] Hemp has been subject to the marijuana definition because it is also a variety of the Cannabis sativa L. plant. Hemp is characterized by low levels of tetrahydrocannabinol (THC), the primary psychoactive chemical in marijuana, and high levels of CBD, believed to have numerous therapeutic benefits. It is also capable of use in a diverse array of products, including construction materials, clothing, paper, cosmetics, pharmaceuticals, food, and dietary supplements.

Passage of the 2018 Farm Bill marks the first change in the federal classification of marijuana since Congress designated it a Schedule I controlled substance in 1970. Specifically, the 2018 Farm Bill’s hemp-specific provisions amend the CSA so that hemp, so long as it contains 0.3 percent THC or less, no longer comes within the federal definition of marijuana.[2] Certain cannabinoid derivatives of hemp would therefore also be removed from the purview of the CSA, including hemp-derived CBD. The 2018 Farm Bill’s hemp provisions build on the framework set forth in the 2014 farm bill, which allowed for some legal cultivation of hemp by states. The previous iteration of the farm bill allowed cultivation of hemp for research purposes under state-approved pilot programs connected to universities or state agricultural departments.[3] Some states declined to participate, however, and the Drug Enforcement Agency often took the position that the 2014 farm bill allowed only for the cultivation, not sale, of hemp and hemp-derived products.[4]

Section 10113 of the 2018 Farm Bill allows states to regulate hemp production if they so choose. Otherwise, federal requirements to be promulgated by the U.S. Department of Agriculture (USDA) will constitute the default regulatory regime in all 50 states. States must submit their plans to the USDA for approval prior to becoming effective. USDA review is meant to ensure that state laws comply with at least the minimum level of federal statutory requirements, and the USDA must act within 60 days of receipt. However, the USDA has indicated that it will not begin acting on state plans it receives until it promulgates its own regulations regarding hemp production, which it expects to do in fall 2019.

Under section 10113, state plans must include information concerning locations of hemp production, testing for THC concentration, disposal of noncompliant plants, compliance with the bill’s enforcement provisions, participation in law enforcement information sharing, and a certification that the state has sufficient resources to carry out its plan. These requirements indicate Congress’s desire to maintain a strict legal separation between marijuana and hemp.[5] As an additional step to ensure that marijuana is not grown under the auspices of hemp legalization, the 2018 Farm Bill bars individuals with felonies related to a controlled substance from entering into hemp production for 10 years following conviction.[6]

Notwithstanding hemp’s removal from Schedule I of the CSA, the legality of certain FDA-regulated categories of hemp products—including products containing hemp-derived CBD—remains uncertain at the federal level. Specifically, the 2018 Farm Bill provides that it does not “affect or modify the Federal Food, Drug, and Cosmetic Act [‘FFDCA’] . . . [or] the authority of the Commissioner of Food and Drugs and the Secretary of Health and Human Services.”[7] The U.S. Food and Drug Administration (FDA) has taken the position that cannabinoids, including CBD, are impermissible for use in food and dietary supplements.[8] Despite the existence of counterarguments, at the present time certain CBD products currently on the market, particularly those intended for ingestion, may therefore remain unlawful. The FDA has intermittently sent warning letters to entities that sell CBD products, including dietary supplements and topical cosmetic products, for making unproven drug claims about CBD’s health-related properties.[9] Moreover, FDA Commissioner Scott Gottlieb indicated in a statement released with the passage of the 2018 Farm Bill that the agency will “continue to closely scrutinize products that could pose risks to consumers . . . warn [them] and take enforcement actions.”[10] That said, the FDA is under significant political pressure to take a more relaxed attitude toward these issues. For instance, Oregon Senators Ron Wyden and Jeff Merkley recently sent a letter to the FDA Commissioner arguing that “it was Congress’ intent to ensure that both U.S producers and consumers have access to a full range of hemp-derived products, including hemp-derived cannabinoids.”[11] As a result, the FDA has indicated it will hold a public meeting in the near future to evaluate ways in which the current regulatory framework should be changed.[12]

Another difficulty for stakeholders in the industry will be accounting for the various treatments of hemp and CBD under state law. The 2018 Farm Bill does not preempt state law, and states could choose to regulate hemp and hemp-derived CBD in a more restrictive manner. In fact, it provides: “No Preemption—Nothing in this subsection preempts or limits any law of a State or Indian tribe that (i) regulates the production of hemp; and (ii) is more stringent than this subtitle.”[13] States have their own controlled substances laws that often mimic the provisions of the CSA as it existed prior to the 2018 Farm Bill’s amendments. This means that hemp and certain hemp products may still come within the marijuana definition under state law. Many state attorneys general have even publicly declared—prior to passage of the 2018 Farm Bill—that products containing CBD come within state marijuana prohibitions and are therefore subject to state enforcement.

States have chosen to react to the passage of the 2018 Farm Bill in several different ways. Some have chosen the path of Alabama. Alabama’s attorney general recently announced that because of the 2018 Farm Bill, the state is altering its prior position that the sale of CBD products violates state law.[14] Iowa has chosen to move more cautiously. The state attorney general and state agriculture officials met in January to determine whether CBD processed from industrial hemp should be legalized, and resulting legislation is currently pending.[15] On the other hand, not all states have reacted in tandem with the federal government. The South Dakota attorney general, for instance, confirmed that CBD products would remain illegal in the state and that the law would be enforced.[16] Although state legislators passed a bill legalizing hemp, the South Dakota governor vetoed it, and so the state’s prohibition remains in effect.[17] Participants in the industry, and financial services firms that deal with them, must be cognizant of the laws of states in which CBD products may be distributed.

Looking forward, there is ample evidence that the rules of the road regarding cannabis regulation will continue to evolve. FDA Commissioner Scott Gottlieb has stated that federal legislation addressing the divergence between state and federal law regarding marijuana is “inevitable” and will happen “soon.”[18] Several bills to this effect have already been introduced into Congress this year.[19] Further, it seems that President Trump is amenable to these changes. In June 2018, he said that he supported the STATES Act, which would protect states with legal marijuana regimes from federal interference.[20] He also nominated William Barr for attorney general, who has said that he would not go after companies that have relied on the “Cole Memorandum,” the U.S. Department of Justice guidance issued during the Obama administration directing prosecutors generally not to enforce the federal marijuana prohibition in states that have legalized marijuana (so long as those marijuana activities do not target minors or present other risks).[21] This represents a decidedly less aggressive approach than former Attorney General Jeff Sessions, who rescinded that guidance early last year.

With these federal developments looming in the background, states have continued to legalize marijuana use in different contexts. As of this writing, medical marijuana is legal in 33 states and the District of Columbia, with 10 of these and the District of Columbia also having legalized recreational marijuana. The pace of this change appears to be accelerating: 21 states considered adult-use marijuana legalization bills in 2018.[22] Voter initiatives ushered in legalization in Michigan,[23] Missouri,[24] Oklahoma,[25] and Utah.[26] For financial services companies, whether and how to engage with cannabis companies operating legally under state law will thus present a growing challenge.

Change also is evident both north and south of U.S. borders. Canada’s Cannabis Act was fully implemented as of October 18, 2018; as a result, U.S. financial institutions (and others) have been faced with how to engage with companies conducting legal cannabis business there.[27] Additionally, Mexico’s Supreme Court held in October that an absolute ban on recreational marijuana use is unconstitutional. A bill introduced by the ruling party (the National Regeneration Movement, or MORENA) in November would allow companies to grow and sell marijuana for commercial, medicinal, and recreational use.[28] However, Mexican legislators are still considering how marijuana legalization should be implemented.[29]

These shifting developments continue to pose compliance and legal challenges for financial services firms. Until a final U.S. federal resolution is reached, those challenges will remain present.

[1] 21 U.S.C. § 802(16) (2018).

[2] Agriculture Improvement Act of 2018, Pub. L. No. 115-334, sec. 12619 (2018).

[3] 7 U.S.C. § 5940 (2018).

[4] Statement of Principles on Industrial Hemp, 81 Fed. Reg. 53395 (Aug. 12, 2016).

[5] See 7 U.S.C. § 5940(a)(2); Agriculture Improvement Act of 2018, Pub. L. No. 115-334, sec. 10113, § 297A(1) (2018).

[6] Agriculture Improvement Act of 2018, Pub. L. No. 115-334, sec. 10113, § 297B(e)(3)(B) (2018).

[7] Agriculture Improvement Act of 2018, Pub. L. No. 115-334, sec. 10113, § 297D(c)(1) (2018).

[8] U.S. Food and Drug Admin., FDA and Marijuana: Questions and Answers (June 25, 2018).

[9] See, e.g., U.S. Food and Drug Admin., Warning Letter to Hemp Oil Care (Feb. 26, 2015); U.S. Food and Drug Admin., Warning Letter to Natural Organic Solutions (Feb. 26, 2015).

[10] Statement from FDA Commissioner Scott Gottlieb, M.D., on signing of the Agriculture Improvement Act and the agency’s regulation of products containing cannabis and cannabis-derived compounds (Dec. 20, 2018).

[11] Letter from Ron Wyden & Jeffrey A. Merkley, U.S. Senators, to Scott Gottlieb, FDA Commissioner (Jan. 15, 2019).

[12] See supra note 11.

[13] Agriculture Improvement Act of 2018, Pub. L. No. 115-334, sec. 10113, § 297B(a)(3) (2018).

[14] Office of the Alabama Attorney General, Guidance on Alabama Law Regarding the Possession, Use, Sale, or Distribution of CBD (Dec. 12, 2018).

[15] Associated Press, Iowa Lawmakers To Weigh Hemp Regulations, Keloland Media Group, Jan. 3, 2019.

[16] Christopher Vondracek, South Dakota unlikely to allow CBD oil even though it’s in farm bill, Rapid City J., Dec. 16, 2018.

[17] Lisa Kaczke, What’s South Dakota missing without legal industrial hemp?, Argus Leader, March 22, 2019.

[18] Kyle Jaeger, Federal Marijuana Action Is An ‘Inevitability,’ Trump FDA Chief Says, Marijuana Moment, Nov. 19, 2018.

[19] See, e.g., Regulate Marijuana Like Alcohol Act, H.R. 420, 116th Cong. (2019); Strengthening the Tenth Amendment Through Entrusting States Act, S. 3032, 115th Cong. (2018).

[20] Eileen Sullivan, Trump Says He’s Likely to Back Marijuana Bill, in Apparent Break With Sessions, N.Y. Times, June 8, 2018.

[21] Sarah N. Lynch, U.S. attorney general nominee will not target law-abiding marijuana businesses, Reuters, Jan. 15, 2019.

[22] National Conference of State Legislators, Marijuana Overview (Dec. 14, 2018).

[23] Michigan Proposal 1, Marijuana Legalization Initiative (2018) (recreational).

[24] Missouri Amendment 2, Medical Marijuana and Veteran Healthcare Services Initiative (2018) (medical).

[25] Oklahoma State Question 788, Medical Marijuana Legalization Initiative (2018) (medical).

[26] Utah Proposition 2, Medical Marijuana Initiative (2018) (medical).

[27] Cannabis Act, S.C. 2018, c. 16 (2018) (Can.).

[28] Carrie Kahn, Mexico Looks To Be Next To Legalize Marijuana, NPR, Nov. 14, 2018.

[29] Chris Roberts, Mexican Lawmakers Reach Across Party Lines to Launch Marijuana Reform Process, Marijuana Moment, March 15, 2019.