Growth Private Equity Investment in the Fintech Sector

Often referred to as the intersection between venture capital and leveraged buyouts,[i] growth private equity investment (“growth equity”) has skyrocketed in recent years and continues to draw the attention of limited partners seeking exposure to emerging technology companies with potentially lower risk profiles than those financed at earlier stages of development.[ii] In 2018, growth equity investment reached record levels, with $66.1B invested across 1,057 deals in the United States (“U.S.”) alone.[iii] 2018 also saw the largest-ever growth equity fundraise with the close of New York-based Insight Venture Partners’ $6.3B technology-focused growth equity fund.[iv] This article will provide an overview of growth equity as an alternative investment asset class, and will also discuss its increasingly important presence in the financial technology (“Fintech”) sector.[v]

I. Defining Growth Equity

To date, there is no universally accepted definition of growth equity (also commonly referred to as growth capital or expansion capital) due, in part, to its similarity to other forms of alternative investment. The U.S. National Venture Capital Association (“NVCA”) and its Growth Equity Group have described growth equity as a “critical component” of the venture capital industry, and have defined growth equity investments as those that exhibit some, if not all, of the following characteristics: investors typically acquire a non-controlling minority interest in the company; investments are often unlevered or use only light leverage; the company is founder-owned and/or founder-managed with a proven business model, positive cash flows and rapidly growing revenues; and, invested capital is geared toward company expansion and/or shareholder liquidity, with additional financing rounds typically not expected until the growth equity investor’s exit.[vi] The European Bank for Reconstruction and Development has defined growth equity in a similar way, but has included mezzanine financing within its definition as a result of private equity investment patterns in the emerging Europe and Central Asia regions, which typically consist of combinations of venture, growth and buyout strategies.[vii] 

From the company perspective, growth equity investment, in its varying shapes and sizes, fundamentally serves as a financing mechanism that fuels later-stage expansion into new product and/or geographic markets, often in preparation for a future merger, acquisition or initial public offering. In contrast to multi-investor early-stage venture financing rounds, growth equity investment may provide the company with the benefit of a higher-stake single investor who can provide strategic business and operational guidance that can translate into greater market share and profitability. This benefit, however, can become a double-edged sword for founders as a result of the growth equity investor’s potentially more significant influence over management decisions.

II. Growth Equity Investors

Growth equity investors include, but are not limited to, traditional private equity and venture capital firms that offer growth equity as one of several investment strategies, specialist growth equity firms, strategic corporate investors, and non-traditional institutional investors, such as pension funds and single family offices, which historically have not invested in emerging companies. According to Pitchbook data, the ten most active growth equity investors in 2018 were Business Growth Fund, Bpifrance, Foresight Group, Warburg Pincus, Kohlberg Kravis Roberts, The Blackstone Group, CM-CIC Investissement, Caisse de dépôt et placement du Québec, TPG Capital and General Atlantic. Of the 24 most active growth equity investors in 2018, the majority were based in the U.S., France and the United Kingdom (“UK”), in that order.[viii]

III. Growth Equity Investment in Fintech

From an industry perspective, technology startups are considered attractive growth equity investment targets as a result of their perceived revenue stability and high growth potential.[ix] Software startups in the Fintech sector, in particular, received an aggregate of $11.9B in funding in 2018,[x] and are projected to attract continued interest from growth equity investors in 2019.[xi]

In the UK alone, growth equity investment in the Fintech sector rose by 57% to $1.6B in 2018,[xii] including General Atlantic’s $250M investment in lending startup Greensill Capital and Banco Bilbao Vizcaya Argentaria’s £85.4M investment in mobile-banking platform Atom Bank. In the U.S., recent examples of growth equity investment in Fintech include DST Global’s lead investment into Chime Bank, Goldman Sachs Principal Strategic Investments’ lead investment into Nav Technologies, and Edison Partners’ lead investment into YieldStreet.

With injections of growth equity financing, Fintech startups are able to deepen their domestic market share, as well as their international reach. Growth equity investment in UK Fintech startups, in particular, has contributed to their expansion into the U.S. market. One such example is UK-based small and medium-sized enterprise lending platform OakNorth, which plans to launch in the U.S. in 2019 following a $440M growth equity investment from SoftBank Vision Fund and the Clermont Group.[xiii]

IV. Conclusion

Growth equity is projected to continue its upward trend as an investment strategy of choice for later-stage investors in the Fintech sector. With higher levels of growth equity invested in promising Fintech startups, Fintech M&A and IPO activity is likely on the way. Private equity and venture capital attorneys should therefore pay close attention to developments in this space.

Disclaimer

The views and opinions expressed in this chapter are those of the author alone, and do not necessarily reflect the views of the American Bar Association, Crowell & Moring LLP, Stanford University or the University of Vienna.  The material in this chapter has been prepared for informational purposes only and is not intended to serve as legal or investment advice.


[i] PitchBook, 3Q 2018 US PE Breakdown (2018). Available at: https://pitchbook.com/news/reports/3q-2018-us-pe-breakdown.

[ii] Preqin, Growth Equity: Return Expectations and Prospects in Growth PE Investing (November 15, 2017).

[iii] PitchBook, 4Q 2018 Pitchbook–NVCA Venture Monitor (2019). Available at: https://pitchbook.com/news/reports/4q-2018-pitchbook-nvca-venture-monitor.

[iv] PitchBook, 3Q 2018 US PE Breakdown (2018).  See also Insight Venture Partners, Software Investor Insight Venture Partners Closes $6.3 Billion Fund X (July 19, 2018).  Available at: https://www.insightpartners.com/about-us/news-press/software-investor-insight-venture-partners-closes-6-3-billion-fund-x/.   

[v] A further detailed report will be featured in the International Comparative Legal Guide to Fintech 2019, to be published in May 2019.

[vi] National Venture Capital Association Growth Equity Group, Defining Growth Equity Investments.  Available at: https://nvca.org/growth-equity-group/.

[vii] European Bank for Reconstruction and Development, EBRD Transition Report 2015-16 (2015). Available at: https://www.ebrd.com/news/publications/transition-report/ebrd-transition-report-201516.html.

[viii] PitchBook, 2018 Annual Global League Tables (January 31, 2019). Available at: https://pitchbook.com/news/reports/2018-annual-global-league-tables.

[ix] PitchBook, 1Q 2018 Pitchbook–NVCA Venture Monitor (April 9, 2018).  Available at: https://pitchbook.com/news/reports/1q-2018-pitchbook-nvca-venture-monitor.

[x] American Banker, Money Keeps Flowing to Fintechs (March 14, 2019).  Available at: https://www.americanbanker.com/list/money-keeps-flowing-to-Fintechs.

[xi] CB Insights, Fintech Trends to Watch in 2019 (February 2019).  Available at: https://www.cbinsights.com/research/report/Fintech-trends-2019/.

[xii] Innovate Finance, 2018 Fintech VC Investment Landscape (February 2019).  Available at: https://cdn2.hubspot.net/hubfs/5169784/Innovate-Finance-2018-FinTech-VC-Investment-Landscape.pdf.

[xiii] Finextra, OakNorth raises $440 million for US expansion (February 8, 2019). Available at: https://www.finextra.com/newsarticle/33346/oaknorth-raises-440-million-for-us-expansion.

Must the Government Register Obscene Trademarks?

In a case that could indicate the U.S. Supreme Court’s take on contemporary public attitudes toward the use of profane language and lewd images as trademarks, and have wider implications on the authority of the government to regulate and restrict profanity in other contexts, the court is set to decide whether a century-old provision of the U.S. trademark law, which authorizes the U.S. Patent and Trademark Office (USPTO) to reject registration of a trademark it considers to be “immoral” and “scandalous,” passes constitutional muster under the First Amendment.

The “scandalous clause” contained in section 2(a) of the U.S. Trademark Act instructs the USPTO to reject applications for registration of any mark that “consists of or comprises immoral, deceptive, or scandalous matter; or matter which may disparage or falsely suggest a connection with persons, living or dead, institutions, beliefs, or national symbols, or bring them into contempt, or disrepute.”[1] Invoking this clause, the USPTO rejected an application by Erik Brunetti for the mark FUCT for use in connection with a clothing line. The Trademark Trial and Appeal Board (TTAB) affirmed the examiner’s rejection.[2]

Brunetti appealed the TTAB rejection to the Federal Circuit Court of Appeals. While the appeal was pending, the U.S. Supreme Court issued a landmark ruling in Matal v. Tam,[3] which invalidated the disparagement provision of section 2(a) for being in conflict with the First Amendment’s right of free speech. Relying on Tam and expanding its holding, the Federal Circuit struck down the scandalous clause of section 2(a) as similarly failing the constitutional test of the First Amendment.

The USPTO filed a petition for a writ of certiorari to the U.S. Supreme Court requesting review of the Federal Circuit’s Brunetti decision, which the Supreme Court granted.[4] Now the issue for the Supreme Court in Brunetti is whether the analysis and reasoning it applied in Tam to reject the disparagement clause of section 2(a) will result in invalidation of the section’s scandalous clause as well.

Eight of the Supreme Court’s regular nine justices participated in the Tam decision. The justices were unanimous in concluding that the disparagement clause of section 2(a) was unconstitutional, but split on their analysis and approach to the issue, resulting in two plurality opinions penned by justices Alito and Kennedy, each of which was signed by four justices. Both plurality opinions rejected the USPTO’s argument that registering a trademark is a form of government speech and that, under the long-standing Supreme Court precedent, the government is permitted to communicate its own viewpoints without violating the First Amendment. The two plurality opinions also agreed that applying the disparagement clause requires the USPTO to engage in impermissible viewpoint discrimination. The opinions split, however, as to the other arguments put forth by the USPTO urging the court to uphold the disparagement clause. The Alito plurality rejected the government’s argument that allowing a trademark to register is analogous to providing a government subsidy and that the government need not subsidize programs it prefers not to encourage. Finally, Justice Alito’s plurality opinion analyzed the disparagement clause as a form of commercial speech and concluded it could not even pass muster under the more relaxed review standard applied to such speech.

On the other hand, the plurality Tam opinion issued by Justice Kennedy focused its analysis and reached its conclusion based on its application of a viewpoint discrimination test, which it articulated as inquiring into “whether—within the relevant subject category—the government has singled out a subset of messages for disfavor based on the view.”[5] The Kennedy plurality found that in exercising its authority under the disparagement clause, the USPTO necessarily engaged in impermissible viewpoint discrimination sufficient to make it constitutionally untenable. Having reached its conclusion based on viewpoint discrimination, the Kennedy plurality found it unnecessary to address the other government arguments, which the Alito plurality opinion had considered and rejected.

Because Justice Kennedy’s and Justice Alito’s plurality opinions converged in rejecting the disparagement clause on the ground of its viewpoint-discriminatory effect, the Supreme Court is expected to apply that ground and its accompanying reasoning and analysis to the scandalous clause at issue in Brunetti. Thus, the key inquiry in Brunetti may well be whether the USPTO’s exercise of its authority under the scandalous clause amounts to discrimination based on viewpoint. If so, then the clause will follow the fate of its disparaging counterpart and fall. If not, then the scandalous clause is likely to survive constitutional First Amendment scrutiny.

The USPTO regularly applies the scandalous clause provision of section 2(a) to reject marks that contain profane language or graphic sexual images—features that were not at issue in Tam. The application of the scandalous clause thus involves evaluation and judgment by the USPTO as to content of the trademark and not any viewpoint it may convey. It has long been settled that the First Amendment permits governments at the federal, state, and local levels to regulate graphic sexual images and profane language on government-run public forums, such as city buses. Relevant to First Amendment analysis of the USPTO’s trademark registration authority is that although a section 2(a) rejection denies registration of the mark with the USPTO, it does not preclude use of the mark in trade and commerce, given that under U.S. trademark laws the underlying rights in a trademark are obtained not by registration of the mark but by use of the mark to identify goods and services in trade and commerce. An owner of an unregistered mark would still have legal “common law” rights in the mark, which rights can be enforced in courts.[6] Therefore, trademark registration is not a requirement for possession of a legally valid and enforceable trademark.

The Supreme Court may well reverse the Federal Circuit’s Brunetti decision and restore the USPTO’s authority to reject trademarks under the scandalous clause of section 2(a), albeit perhaps on a narrower scale. Under either of Tam’s plurality opinions addressing viewpoint discrimination, the scandalous marks provision survives First Amendment scrutiny because the USPTO practice in this regard is content-based and viewpoint-neutral. A fair reading of Tam makes clear that the Supreme Court did not aim to grant First Amendment protection to words, phrases, and imagery that the general public accepts as profane and lewd, and that government restrictions on such material are permitted so long as the restriction policy and practice is based on content and does not advocate or discriminate on the basis of a particular viewpoint. In fact, even Justice Alito’s plurality opinion specifically recognizes that trademark registration is “more analogous” to “cases in which a unit of government creates a limited public forum for private speech,” wherein “some content-based restrictions are permitted.”[7]

Those “more analogous” cases have repeatedly upheld content-based restrictions on speech in limited public forums created by the government. For example, the Second Circuit Court of Appeals has upheld a Department of Motor Vehicles policy banning use of profane and lewd language on license plates, finding no First Amendment right to use the SHTHPNS license plate.[8] Governmental bans on the use of nude or sexually explicit imagery in clubs have similarly been held to be viewpoint-neutral. In that regard, the Supreme Court has held that “being in a state of nudity is not an inherently expressive condition.”[9] In another case, the Supreme Court held that the First Amendment did not prevent a school district from restricting the use of an offensive form of expression in a public school debate forum.[10] The decision went on to explain that “nothing in the Constitution prohibits the states from insisting that certain modes of expression are inappropriate and subject to sanctions.”

A compromise approach, suggested by Judge Dyk in his concurring opinion in the Federal Circuit’s Brunetti decision invalidating the scandalous provision of section 2(a), is to adopt a narrower reading of the scandalous provision to limit its application to obscene marks. In that regard, Judge Dyk noted that under the Supreme Court’s time-tested “saving construction” precedents, where possible, courts must construe federal statutes to “avoid serious doubt of their constitutionality.”[11] Moreover, certainty in curing an identified defect is not required for a court to engage in a saving construction. Rather, curing the constitutional defect need only be “fairly possible,” and “every reasonable construction must be resorted to.”[12] Judge Dyk’s concurring opinion suggested limiting the reach of the scandalous clause to “obscene marks, which are not protected by the First Amendment.”[13]


[1] 15 U.S.C. § 1052(a).

[2] In re Brunetti, No. 85310960, 2014 WL 3976439 (Aug. 1, 2014).

[3] Matal v. Tam, 137 S. Ct. 1744 (2017).

[4] Iancu v. Brunetti, No. 18-302, 2019 WL 98541 (U.S. Jan. 4, 2019).

[5] Tam, 137 S. Ct. at 1750.

[6] Id. at 1753.

[7] Id. at 1744.

[8] Perry v. McDonald, 280 F.3d 159, 170 (2d Cir. 2001).

[9] City of Erie v. Pap’s A.M., 529 U.S. 277, 289 (2000).

[10] Bethel Sch. Dist. No. 403 v. Fraser, 478 U.S. 675, 685 (1986).

[11] In re Brunetti, 877 F.3d at 1358.

[12] Id.

[13] Id.

Creditor’s “Unreasonable” but “Good Faith” Belief as a Defense to an Alleged Discharge Violation

More than 740,000 bankruptcy petitions were filed in 2017 by individuals with debts that are predominantly consumer in nature. Through November last year, there were over 700,000 new filings. Given these numbers, it is not surprising that lawsuits over alleged violations of bankruptcy discharges are frequently in the news, particularly because some of those lawsuits have resulted in large sanctions. See, e.g., First State Bank of Roscoe v. Stabler, 247 F. Supp. 3d 1034, 1046 (D.S.D. 2017) (bank and its principal were jointly and severally liable to pay $159,605 in attorney’s fees plus individually liable to pay $25,000 in punitive damages). Attorneys have also borne the brunt of those sanctions. See In re Jon-Dogar Marinesco, Case No. 09-35544 (CGM) (Bankr. S.D.N.Y. Dec. 1, 2016) (compensatory and punitive damages awarded against two law firms).

For consumer debtors, the “principal purpose” of the Bankruptcy Code is a “fresh start.” This means a “new opportunity in life and a clear field of future effort, unhampered by the pressure and discouragement of preexisting debt.” Grogan v. Garner, 498 U.S. 279, 286 (1991). To achieve that purpose, debtors “discharge” most prepetition debts under section 727(b) of the Bankruptcy Code. An injunction under section 524(a)(2) of the Bankruptcy Code prohibits activity to collect discharged debts. See Bessette v. Avco Fin. Servs., Inc., 230 F.3d 439, 444 (1st Cir. 2000).

Congress has not designated a specific sanction for a violation of a discharge injunction. However, bankruptcy courts are vested with powers to protect their jurisdiction. Under section 105(a) of the Bankruptcy Code, a bankruptcy court may “issue any order, process or judgment that is necessary or appropriate to carry out the provisions of this title” and may “tak[e] any action or mak[e] any determination necessary or appropriate” to “enforce or implement court orders or rules.” 11 U.S.C. § 105(a). Hence, a bankruptcy court may use the contempt power to protect its jurisdiction and address violations of the discharge injunction under section 105(a). See Walls v. Wells Fargo Bank, N.A., 276 F.3d 502, 508 (9th Cir. 2002) (contempt is the “traditional remedy” and perhaps the sole remedy for discharge violations).

Discharge violations often arise when a creditor takes action that may be considered an effort to collect on a discharged debt. To prove a violation, the debtor as “the moving party has the burden of showing by clear and convincing evidence that the [creditor] violated a specific and definite order of the court.” Lorenzen v. Taggart (In re Taggart), 888 F.3d 438, 443 (9th Cir. 2018). Clear and convincing evidence is evidence that “instantly tilt[s] the evidentiary scales in the affirmative when weighed against the evidence [the nonmoving party] offered in opposition.” In re Taggart, 548 B.R. at 288 n.11 (citation omitted). Some arguments turn on a creditor’s intentions and awareness of the debtor’s discharge, which can be an important consideration if the underlying conduct was done innocently. However, not all courts agree that these issues should be considered at all. The United States Supreme Court will now decide.

The Emergence of the Good-Faith Defense

There is an argument that a creditor should be shielded from a discharge violation by its good-faith belief that the discharge injunction does not apply to its action relating to a discharged debt. The argument may apply even if the belief was “unreasonable.” Now, the Supreme Court will decide whether to permit this defense, following its grant of certiorari in Taggart. Taggart involves a dispute over interests in a limited liability company. On the eve of a state court trial, Mr. Taggart filed for Chapter 7 bankruptcy. The trial was therefore stayed, and Mr. Taggart ultimately received a discharge of the claim. However, the state court refused to dismiss Mr. Taggart from the litigation, although the parties agreed not to pursue a money judgment against him. Nonetheless, the plaintiffs sought attorney’s fees from Mr. Taggart, alleging his post-bankruptcy participation in the case fell outside the discharge injunction. In defense, Mr. Taggart moved to reopen his bankruptcy to hold his creditors in contempt for violating his discharge injunction.

The bankruptcy court agreed with Mr. Taggart and found the plaintiffs in contempt because they were aware of the discharge and intended their actions. The Bankruptcy Appellate Panel reversed because the bankruptcy court had treated subjective or good-faith beliefs as irrelevant. The Ninth Circuit Court of Appeals affirmed that ruling, deciding that creditors could not be in contempt if they believed in good faith that the discharge injunction did not apply. The court of appeals reasoned that a creditor’s good-faith belief precludes a finding of contempt for violating the discharge injunction “even if the creditor’s belief is unreasonable.” Taggart, 888 F.3d at 444.

The Rejection of the Good-Faith Defense

Other courts disagree with this reasoning and refuse to allow consideration of the creditor’s intent and awareness. In In re Hardy, 97 F.3d 1384, 1390 (11th Cir. 1996), the Eleventh Circuit held that “the focus of the court’s inquiry in civil contempt proceedings is not on the subjective beliefs or intent of the alleged contemnors in complying with the order, but whether in fact their conduct complied with the order at issue.” Likewise, in In re Pratt, 462 F.3d 14, 19–21 (1st Cir. 2006), the First Circuit held that the creditor’s violation was actionable despite the lack of “bad faith.” The Fourth Circuit reached a similar conclusion in In re Fina, 550 F. App’x 150, 154 (4th Cir. 2014), holding a “good faith mistake is generally not a valid defense.”

Now the Supreme Court will step into the breach. The Court’s rejection of a “good-faith mistake” defense would certainly solidify the debtor’s “fresh start.” However, voiding this defense would subject creditors to strict liability for otherwise innocent activity. In addition, although a creditor’s good-faith intent may remain a factor for determining sanctions, see In re Szenes, 515 B.R. 1, 7–8 (Bankr. E.D.N.Y. 2014) (mere showing that the actions were deliberate is not sufficient for punitive damages; rather, the actions must have been taken with “either malevolent intent or a clear disregard and disrespect of the bankruptcy laws”), damages awards, including shifting attorney’s fees, would remain available where there is liability. As noted, these risks extend to creditors’ counsel personally.    

Fortunately, there should soon be a more uniform standard of accountability. As of this writing, opening briefs have been filed, amici are weighing in with their policy arguments, and the Supreme Court will hear argument on April 24, 2019. The Solicitor General has also expressed interest, requesting argument due to ambiguity over the application of the discharge order to debts owed to the government.  Under the circumstances, the outcome is uncertain, but we can predict that this will be an important benchmark for consumer creditors and debtors as well as the bankruptcy judges who decide these issues. This is equally so for the lawyers who represent those parties.


What Should a Nonprofit Board Member Know About Form 990?

Introduction

Business lawyers bring a valuable breadth of knowledge and experience to nonprofit boards, but as any business lawyer knows, a director of a nonprofit corporation owes a fiduciary duty of care to the corporation. This duty generally requires the nonprofit director to act with the care an ordinarily prudent person would in a like position under similar circumstances. At a minimum, the duty of care requires a nonprofit director to keep apprised of and understand financial and executive reports, strategic initiatives, budgets and fundraising developments, and other operational matters that materially impact the organization.

One area implicating the duty of care that is often minimized or even neglected by many boards of directors of tax exempt charities (hereinafter Board(s)) is the review and approval of the organization’s annual information return filed with the Internal Revenue Service (IRS), the Form 990. Form 990 is easily accessible by the public and therefore invites scrutiny on a broad range of the organization’s internal operations, including financial performance, compensation of executives and other insiders, results of key programs, and interested transactions. It is thus imperative for the Board and senior staff to understand and help frame the information presented in Form 990 well in advance of the due date for its filing.

Form 990 in All Its Shapes and Sizes

The IRS requires most organizations exempt from federal income tax under section 501(c)(3) of the Internal Revenue Code of 1986, as amended (the Code), and classified by the IRS as public charities (hereinafter organizations or exempt organizations) to file Form 990 by the 15th day of the fifth month after the end of the organization’s fiscal year. Organizations may obtain one, automatic six-month extension of the filing due date by timely filing Form 8868 with the IRS. The type of Form 990 that is filed depends on the annual “gross receipts” and total assets of the filing organization. “Gross receipts” are the total amounts the organization received from all sources (e.g., grants, donations, and earned income) during its annual accounting period, without subtracting any costs or expenses.

Small organizations with annual gross receipts that are normally $50,000 or less may file the Form 990-N “e-postcard” online. Form 990-N is the smallest form in the 990 series and includes only basic information about the organization, including its name, principal officer, website address (if any), business address, and employer-identification number.

Organizations with gross receipts of less than $200,000 and total assets of less than $500,000 may file a Form 990-EZ, which is more robust than Form 990-N, but less than half the size of Form 990 and includes a basic balance sheet and statement of revenue and expenses. It also reflects changes in net assets or fund balances from the previous fiscal year. In addition, Form 990-EZ requires the organization to provide a statement of program service accomplishments and related expenses, as well as the level of compensation paid to directors, officers, and key employees, among other information.

Form 990 is the most comprehensive of the information returns filed by public charities, and it is the focus of this article. Form 990 is 12 pages without schedules, and requires the organization to report a vast amount of data about the organization which is made publicly available. Most organizations with gross receipts equal to or more than $200,000 or total assets equal to or more than $500,000 must file Form 990.

As a preliminary note, this article will discuss only the Form 990 that is filed by exempt organizations classified by the IRS as “public charities.” Code Section 501(c)(3) organizations classified as “private foundations” file a different annual information return, Form 990-PF, which will not be discussed in this article. However, many of the observations contained in this article with respect to the review of Form 990 may apply to a foundation Board’s review of its Form 990-PF, or to a small public charity’s review of a Form 990-EZ.

Must the Board Review the Form 990?

Form 990 Part VI, Line 11a, asks whether the organization “provided a complete copy of this Form 990 to all members of its governing body before filing.” There is no requirement that the organization actually have the Board review the Form 990. Rather, this question represents an example of the IRS’s “regulation by disclosure” method of promoting what the IRS perceives as good governance practices for exempt organizations. It may therefore reflect poorly on an organization were this question answered in the negative.

Although this is not the practice in many organizations, the Board should receive a copy of the draft Form 990 well in advance of the due date for its filing. Enough time should be given to the Board to decide whether to assign the review of the form to specific Board committees, directors, and/or senior staff. Although audit committees are often assigned the task of reviewing the Form 990, it may make sense for other committees, senior staff, or Board members with relevant expertise to review the form’s more qualitative and governance-focused parts.

Does the Organization Have a Process for Review of Form 990?

This is another question asked by the IRS on Form 990, Part VI, Line 11b. The IRS asks the organization to describe any such process on Schedule O. The Form 990 review process typically involves one or more Board committees, Board members, and/or senior staff that review and make recommendations to the full Board with respect to approval of Form 990 based on their respective expertise or Board-assigned tasks. However, there is no “one-size-fits-all” approach to a Form 990 review process, and policies and procedures differ widely from organization to organization. What is important is that the organization undertakes the effort to craft and follow policies and procedures that are effective based on the organization’s unique characteristics, including Board size, budget, internal competencies, and particular operations.

Special Areas of Review on Form 990

Although not intended as an exhaustive list, what follows is a general discussion of selected areas of Form 990 that commonly require special Board attention.

Reporting changes in purpose or mission. Form 990, Part I, Line 1 and Part III, Line 1 ask the organization to briefly describe the organization’s mission. Form 990, Part VI, Line 4 asks the organization to indicate whether it has made any “significant changes to its governing documents” since its last Form 990 filing. The organization must describe these changes on Schedule O. Thus, if an organization amended its bylaws or articles of incorporation to change its mission or purpose, the organization’s next Form 990 filing should reflect that change.

Many changes to an organization’s mission or purpose will not jeopardize its tax-exempt status. However, if there have been substantial changes to an organization’s purpose—changes that call into question whether it is still organized and operating in furtherance of tax-exempt purposes—those changes should be discussed with qualified legal counsel before they are implemented or adopted by the organization, and certainly before they are reported on Form 990. Occasionally, a request for a private letter ruling from the IRS may be necessary to support that any such changes are consistent with recognized tax-exempt purposes.

It is also important to socialize an organization’s change in purpose or mission with the organization’s constituents and stakeholders before implementing the change. A key donor or community partner should not find out about the change indirectly from a Form 990 filing. Senior staff should determine how best to convey changes in mission or purpose to the organization’s stakeholders. They should also consider involving key Board members and outside communications professionals in the implementation process if resources allow. In some cases, the organization might need to consider the advisability of seeking an automatic extension of the Form 990 filing deadline to properly roll out a change that has already been adopted.

Review of financial information. Form 990 reports a bevy of financial information. Organizations are required to complete a detailed statement of revenue and expenses, a balance sheet, and detailed compensation statements for directors, officers, key employees, and contractors. Obviously not every Board or committee member will also be a certified public accountant, but fiduciary duties dictate that each Board or committee member assigned the task of reviewing the financial information in the Form 990 at least know enough about the organization’s general financial condition to spot any material misstatements or omissions.

For instance, does the Form 990 omit a large grant that was recently received or a large capital project undertaken? Has the organization paid compensation to a new executive that is not accurately reflected on the expense and compensation statements? Those assigned the task of reviewing Form 990’s financial information should also consider reviewing that information against the organization’s internal financial statements. They should also follow up with the preparer of Form 990, outside professionals, and any accounting staff, as needed, to answer any questions or help correct any inconsistencies. Nonprofit corporation statutes have long permitted directors to reasonably rely on officers and outside experts in exercising their fiduciary duties.

Review of compensation arrangements with personnel and insiders. It is crucial to the Board’s review of the Form 990 that each director understand and appreciate the substantial impact that Code Section 501(c)(3) status has on an exempt organization’s compensation arrangements with its service providers and insiders. In general, an exempt organization must not confer a “private benefit” on an individual or entity, and must not allow any of its revenue or assets to “inure” to the benefit of insiders, such as its executives, officers, directors, or their respective family members or affiliates. These are general restatements of the “private benefit” and “private inurement” prohibitions that apply to all Code Section 501(c)(3) organizations. The private benefit and private inurement prohibitions are generally implicated any time an unreasonable sum of the organization’s money or property is provided to such persons in exchange for services or property. Violating the prohibitions may jeopardize the organization’s federal income tax exemption.

When news media publish stories about “excessive” compensation paid to nonprofit executives, the origin of those stories is typically the Form 990, which requires detailed reporting on the name and title of a service provider, how much the service provider worked, and the service provider’s total compensation from the organization. Red flags should immediately go up for a director if, to take an extreme example, he or she reviews the Form 990 of a small organization and notices an employee who worked only 15 hours per week but was paid $100,000. This is because, to help avoid application of the private benefit or private inurement prohibitions, or their less punitive cousin, the “intermediate sanctions” rules, compensation paid to a service provider must be reasonable. Approving and documenting a compensation payment in accordance with the “rebuttable presumption” safe harbor of the intermediate sanctions rules, in addition to following any applicable conflict-of-interest policy or state interested transactions laws, will help support that the payment does not violate such rules or prohibitions. See 26 U.S.C. § 4958 and 26 C.F.R. § 53.4958-1, et seq.

If a director identifies a compensation issue on the Form 990, the Board should work collaboratively to better understand the issue and have a plan in place to address it once it is reported. It should also consider whether to further report the issue as an interested transaction or, if appropriate, an “excess benefit transaction” under the intermediate sanctions rules on Form 990, Schedule L. Depending on the circumstances, it may be prudent for the Board to consider consulting competent legal counsel to aid in reviewing the Form 990 disclosures, and public relations specialists to advise it on any related public statements or media inquiries.

Reporting on programs, fundraising events, and related expenses. Similar to compensation paid by exempt organizations, there has been renewed focus among donors, the media, and nonprofit regulators on high-expense programs or events sponsored by exempt organizations. No law specifically prohibits an exempt organization from spending freely on a program or fundraising event with the object of attracting even greater financial support or creating even greater mission impact. However, it is still not uncommon for funders and pundits in the nonprofit space to set expense expectations around an organization’s activities, advising that “overhead” not exceed a stated percentage in relation to the overall budget for an organization or for its particular programs or events.

Part III of Form 990 asks organizations to report revenue and expenses for its “program service accomplishments for each of its three largest program services, as measured by expenses.” It also requires the organization to include “gross income from fundraising events” in Part VIII, Line 8, less “direct expenses,” to calculate the total “net income or (loss) from fundraising events.” The applicable instructions to Form 990 make it clear that common fundraising events like “dinners/dances” and “auctions” are covered by this disclosure. Accordingly, any programs or events that show substantial losses on Form 990 have the potential to draw scrutiny from the media and stakeholders. For this reason, if the Form 990 review process uncovers any such losses, the organization may wish to consider contacting internal or external accounting professionals to confirm that expenses related to such activities are properly allocated and reported.

Conclusion

Serving on the Board of an exempt organization is both a privilege and a responsibility. To help fulfill their duties of care, nonprofit directors should diligently participate in the Form 990 review process. Exempt organizations are well advised to implement and follow a Form 990 review policy and related procedures. This will help ensure that the organization is doing all it can to accurately report information to the IRS and get ahead of any disclosures that may present particular challenges for the organization.


This article is intended for informational purposes only and should not be relied upon as legal advice, as being current or accurate, or as creating an attorney-client relationship between the author and any person or entity.

Tote That Search, Lift That Mail: A “Green” New Deal for Data?

By the sweat of your browsers you shall eat your bread.

Profits from technological revolutions mostly inure to the benefit of those who first discover the means to produce valuable output from their discoveries. Manufacturers found ways to harness power, machines, and labor to produce saleable goods in the industrial revolution. Radio, television, and telephone companies restricted consumer choices for their own economic benefit. Internet companies have matched both raw and processed data with consumers and businesses willing to pay for such information, in some cases reselling to them the very data they themselves produced.

However, just because a small cadre of capitalists has managed to grab most of the early income from these changes does not mean that society cannot question the fairness of the money distribution or the value to our economy of the rising new order. From Smith to Marx, from Teddy Roosevelt to the telephone trustbusters to U.S. v. Microsoft, important economic thinkers have analyzed how value is created with new technologies and whether certain economic actors are hoarding more than their fair share of rewards. Such analysis of the new information economy is beginning to be spoken aloud and may soon seep into government policy. Senator Elizabeth Warren, on the campaign trail for 2020, just endorsed a regulatory plan aimed at breaking up some of America’s largest tech companies, including Amazon, Google, Apple, and Facebook. Tim Wu, writing in The New York Times, suggests that for democratic hopefuls in the upcoming presidential election, the problem of monopoly power may be the issue. The Economist recently opined that “if governments don’t want a data economy dominated by a few giants, they will need to act soon.”

We know that data about your behavior has value. An entire information economy enabled by the internet and digitization of transactions, led by Google, Facebook, and Amazon and built on the activities of everyday people, generates billions of dollars each year. Currently, these digital giants are by far the primary beneficiaries of this value, but that is changing and fast. The individuals generating the data and the governments regulating it are mobilizing to stake their economic claims in the value of data.

The question of valuing data will be crucial in the face of two of the defining political issues of our day: rising income inequality and the oncoming (autonomous) train of artificial intelligence. In fact, to some academics, the very way we find purpose in our lives may well depend on the manner in which we as a society choose to give value to data.

In his recent State of the State address, California Governor Gavin Newsom endorsed an idea that has been circulating in the academic and editorial press: should we treat consumer data as the fruits of “labor” or as a public resource worthy of taxation? Governor Newsom suggested that California would look beyond data privacy regulation toward the creation of a “data dividend,” funded by taxes, to compensate the producers of the data upon which our Internet-of-Things economy is increasingly based. Common Sense Media, which helped pass the California Consumer Privacy Act (CCPA) last year, plans to propose legislation in California to create such a dividend. The proposal has already proven popular with the public; one recent poll showed 45 percent of California voters support the idea, whereas only 28 percent are opposed.

Government entities both here and abroad are looking at ways to tap into data as a source of revenue, as Quebec has done by subjecting digital content, cloud-computing services, and digital content platforms to sales taxes.

However, what are “data”? To pose the question in economic terms, are data “capital” or “labor”? The “data as capital” (DaC) school considers data “the natural exhaust from consumption,” free for any capitalist with the means to exploit and profit from it. Contrariwise, the “data as labor” (DaL) crowd sees data as the possessions of their creators, who should properly be compensated for producing them. Of course, just lumping data into these two historically convenient buckets only begins the inquiry.

Data as Labor

The idea that work gives purpose and dignity to our lives is central to our being. As Nelson Mandela said, “Let there be work, bread, water, and salt for all,” notably putting “work” before “bread.” In the age of machine learning (ML), can we find “digital dignity” as data miners for Google? Are the owners of digital platforms, the factories of our day, ready to pay miners for better data to feed ML and AI?

The blueprints behind this kind of social engineering were written long ago. They are based on the idea that the creation of data is “work” by those laboring in the vineyards of social media and e-commerce, and those workers should be compensated for their labor. As Eric Posner and E. Glen Weyl have proposed, “by treating Data as Labor (DaL) not only can we build a fairer and more equal society, but we can also spur the development of technology and economic growth.”

This kind of reasoning harkens back to Karl Marx’s theory of alienation. Even in 1844, Marx observed a modern, technologically developed world apparently beyond the full control of the masses. (If Marx were alive today, as Randy Newman trenchantly observed, Ol’ Karl might well have been glad he was dead!)

Assessing Marx’s concept of “estranged labor” in his Economic and Philosophical Manuscripts of 1844, David L. Prychitko wrote:

People are required to work for capitalists who have full control over the means of production and maintain power in the workplace. Work, [Marx] said, becomes degrading, monotonous, and suitable for machines rather than for free, creative people. In the end, people themselves become objects—robotlike mechanisms that have lost touch with human nature, that make decisions based on cold profit-and-loss considerations, with little concern for human worth and need.

Marx could hardly have been more prescient in his assessment of the effect of technology on the nature of work. After all, we now live in a world where your car drives itself, your opinion is shaped by malign Russian chatbots, and your boss is an AI. Little wonder then that we see efforts to put “free creative people” back in the driver’s seat.

In Europe, the impactful General Data Protection Regulation is based on 30 years of treatment of privacy as a basic human right, with the core assumption that data created by a person “belongs” to that person and can only be exploited for profit if the data subject consents. Canadian law bases its privacy interpretation on a similar reading of rights to data. This includes a human “right to be forgotten” in which economically valuable data must be deleted by a business at the behest of the original data subject. California already enforces a law based on this core set of rights: the California Eraser Law, effective January 1, 2015. This core assignment of value to the role of the data subject is the same rights-based thinking that animates the DaL debate.

Data as Capital

DaC theorists see data more as a natural resource or as raw materials and look toward programs like the Alaska Permanent Fund, which channels a percentage of all oil royalties into a general fund to be distributed to all Alaskan citizens. Alternatively, to use the internal combustion simile, data are “exhaust” we all create from running our search engines. Using that analogy is, in fact, a good way to think about the issue. Exhaust contains myriad elements, some valuable, some noxious. Some drivers produce exhaust solely as a result of being consumers; some produce exhaust in the course of productive activities for someone else. If you drive for Uber or Lyft, you arguably are doing a little of both.

Let’s suppose (and someone may already have perfected this) that someone creates a “smart scrubber” that not only removes pollutants from vehicle exhaust, but also recaptures commercially valuable elements or compounds that could then be sold. The analogy is almost exact. Is that exhaust “free” for the exploiting? Should drivers be compensated for creating the raw material, even if the consumption of fossil fuels is essentially mindless? Should the companies that maintain fleets of vehicles get the spoils? Should the government, which built the highways, get a slice? How about the energy companies that drilled and refined the fuels? The pipeline companies that transported it to the convenience stores where you filled your tank? The auto makers that allowed for the creation of the exhaust in the first place? The reach could be extended almost indefinitely.

Now apply those thoughts to a financial transaction. You use your search engine to buy something on Amazon, creating your little puff of data “exhaust.” Amazon runs that exhaust through its “smart scrubber” and picks out the valuable data elements, which it then sells. You think it’s just a bilateral barter transaction—free data for free, two-day shipping—if you think about it at all. However, you have now created something that a huge number of people think they now own. In a simple mobile purchase transaction, that throng could include you, your merchant, your credit-card company, an ISO, one or more processors, your wireless provider, your phone handset provider, your loyalty program provider, banks and delivery drivers, and even state and federal agencies. Now what if you are buying that item for work and getting reimbursed? Should that data now belong to your employer, like frequent flier miles earned on flights for work?

Each of these digital “sooners” protects its stake from other “claim-jumpers.” In decades past, when you walked into a store and bought a pair of socks, the store likely kept the data about you and shielded it from competitors. (Retailers have known for many years how valuable transaction data can be for them. Merchants today fear disintermediation from their own customers more than almost all other competitive challenges. SKU-level data are the crown jewels.) You would soon appear on the store’s marketing lists and be offered perks for your loyalty in the form of BOGOs and cents off your gasoline fill-ups in loyalty programs. Thus, even if they are not actively selling those data, or derivatives like advertising, to third parties, companies treat transactional data as an asset—an asset that belongs to them.

Those who conceived and built the “scrubbers” believe there are problems with treating data as a renewable natural resource. Antonio García Martínez, a former product manager for Facebook, the CEO-founder of AdGrok, and a former quantitative analyst for Goldman Sachs, has opined that, “[t]he real value of data to a company like Facebook or Google is how it helps lure you to one of their services and keep you coming back.”

García Martínez posits that, unlike a natural resource such as an oil reserve, the value of a dataset is found in its combination with other data elements, not in the dataset itself. He observes that the data used in creating targeted advertising isn’t even data that a collector (like Facebook) actually has; value lies in the combination of those data with other data that live offline. To García Martínez, the proper metaphor isn’t oil, it’s TNT. If it’s the combination of data that has the real value, and that value is being created by the “work” of data collectors, not the data producers, why should the consumer necessarily profit beyond the basic barter transaction: “free” content and services the data collector provides in exchange for personal data?

This distinction seems both specious and self-serving in that it ignores the fact that, although refiners indubitably add value in the production of fuels and other petroleum-based products, that does not mean that the raw materials do not themselves have their own significant intrinsic value. The real distinction, if there is one to be drawn, between an oil reserve and a database is that no one living today can plausibly claim a hand in having produced that oil, whereas we can all say we contributed to any number of databases.

Some scholars have argued, pace García Martínez, that internet users are both consumers and producers: “prosumers.” Christian Fuchs, chair professor in Media and Communication Studies at Uppsala University’s Department of Informatics and Media, in a paper on “Google Capitalism,” observed that these prosumers produce a commodity through their user activity and “engage in permanent creative activity, communication, community building and content production.” In “Means of Communication as Means of Production” Revisited, William Henning James Hebblewhite discussed the relationship between these prosumers and the platforms with which they interact:

As a means of production, the Internet, or in particular, web-based companies such as Google, Facebook and YouTube are able to take the raw material of information that is provided to them by the user and use that information to create new products, whether that be new online games designed to have the user invest time and money or simply a new addition to their integral system which gets such companies more users.

This new definition seems both unnecessary and not particularly helpful in determining how data should be valued. It does not matter so much what hat one is wearing when one creates data; what matters is whether one should receive the wherewithal to help keep one’s head warm as a result of that activity and if so, how much and from whom?

In short, the data underlying this new economy comprise the timely description of the activities, priorities, and preferences of real people, and the economic value from these data is derived by using this prosumer information to drive a particular prosumer, or like-minded groups, to make future economic decisions. To retailers, those decisions are potential sales. To subscription services, those decisions demonstrate the value of the service to the prosumers.

The old marriage adage goes, “Why buy the cow if you can get the milk for free?” Online services have spent enormous sums of capital based on what is essentially free milk: rustling up the docile free-range cows, building the #pens and #milkingsheds, milking them for transactions and preferences, turning the milk into Greek yogurt, artisanal cheeses, and whey protein, and selling these products to willing buyers. (In Amazon’s case, it has thrived by selling the milk back to the original producers, as well as others.) Few would argue that these companies do not deserve to be compensated for all that cost and effort (and for providing something of value to keep the cows coming back to the trough), but do they deserve all of the compensation?

Taxation or Compensation?

As income inequality grows, and more workers become redundant, or as at least one social scientist has put it, irrelevant, as a result of AI and ML, and socialism is no longer the economic theory that dare not speak its name, politicians and regulators are looking toward the value of data as a way out. If the Bezosians and Zucker-burghers of the world control the means of production of social media and e-commerce, should we help address income inequality by taxing them and redistributing their corporate profits to the alienated “prosumers,” or should we simply treat data as if it were a natural resource or raw material exploited by a few large corporations that must pay for the privilege?

Those who have proposed these schemes are long on ideas and short on methodologies or practical solutions. Is there a technical method of accounting for the depth of a user’s internet activity and allocating funds accordingly? Should every consumer get the same dividend irrespective of his or her contribution to the digital economy? Is every entity that uses data subject to taxation? Are we ready for labor unions representing data subjects bargaining collectively with the beloved/despised forces of Facebook, Google, and Amazon? Would data subjects be willing to forgo their Prime orders, Google Maps directions, and Facebook “likes” until they got what they wanted? The calls to “Delete Uber” did not reflect an elevated societal consciousness.

The recently amended CCPA is a good example of a state legislature trying out a DaL plan. Instead of a generally available data dividend, as Governor Newsom wants studied, the CCPA instead contains what appears to be a vigorous nod toward bilateral compensation arrangements between consumers and data collectors. Businesses are encouraged to offer a “data royalty” or “information incentive” to their customers under the CCPA in that it explicitly sanctions such “pay to play” arrangements. Section 1798.125(b) of the CCPA provides:

(1) A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.
(2) A business that offers any financial incentives pursuant to subdivision (a), shall notify consumers of the financial incentives pursuant to Section 1798.135.
(3) A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to Section 1798.135 which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.
(4) A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

Although the CCPA explicitly declares consumer waivers to be against the public policy of the state and hence unenforceable, it looks with approval on voluntary, informed “pay-to-play” incentive plans. Accordingly, progressive companies with broad exposure to the CCPA could follow the state’s lead and include a consumer incentive in their terms of use in exchange for greater freedom to use consumers’ personal information. The cost of a data dividend could be viewed as “cheap insurance” to companies that have broad exposure to CCPA strictures. It would be easy to envision tying an information incentive to existing or new loyalty programs, offering consumers willing to part with meaningful data more “points” than those opting out of providing data “related to the value provided to the consumer.”

Skepticism about DaL schemes like the California data dividend already is in the air. Throwing shade on the governor’s plan to study data dividend schemes, Owen Thomas recently wrote in The San Francisco Chronicle:

It will take months to report back what should be obvious to anyone who has an inkling of how online data juggernauts operate: If you want Facebook and Google to pay more to ameliorate the social ills they cause, just raise their taxes.

Thomas’ view is illustrative of the way we tend to think about carbon taxes and “cap-and-trade” plans: as retribution or compensation for damage caused by commercial activity. Those who profit from commercial activities that create pollution as a by-product of their use of natural resources should compensate society for the harm to the environment they cause in the process. This thinking seems to animate the latest French swipe at large, U.S.-based data companies: an enormous data tax bill. The bill would apply to digital companies like Google, Amazon, Facebook, and Apple, with worldwide revenues over 750 million euros ($848 million), including French revenue over 25 million euros. Justifying the new tax, French Finance Minister Bruno Le Maire clearly drew the battle lines: “This is about justice . . . . These digital giants use our personal data, make huge profits out of these data . . . then transfer the money somewhere else without paying their fair share of taxes.”

Viewed differently, however, we could easily think of such taxes as payment for the use of raw materials (that theoretically belong to us all) to create something that benefits society. Reframed in this way and applied to data, a new way of thinking about the value of data emerges.

If data taxes are anathema to some, it may help to recast such imposts as rents or license fees for the use of a renewable resource we all have a hand (or a mouse) in creating. The aggregate rents on the use of data, or digital exhaust, could be funneled into any number of programs to help citizens continue to find dignity in their lives as the nature of work changes, such as:

  • a “superfund” to help compensate those harmed by cyber crimes or to strengthen our nation’s defenses against cyber warfare;
  • retraining programs for those workers displaced by ML and AI;
  • a new WPA or CCC to fix our broken infrastructure;
  • expanding rural internet connectivity; or
  • securing the 5G network.

All of these programs are of a piece with the zeitgeist of the Green New Deal. As the digital divide grows, in some manner or another valuing and taxing data could help build the necessary bridges for more of us to cross over to lives of dignity and purpose in the age of data.

Proceed with Caution: Expanded Role for the FTC on the Road Ahead

Recent changes in agendas and leadership at the federal level are prompting companies offering financial products and services to question what consumer protection enforcement will look like on the road ahead. There has been significant discussion about the increasing role of state regulators, including state attorneys general, in filling the perceived void that may be left by agencies like the Consumer Financial Protection Bureau (CFPB). Many state regulators have indicated that they are ready to step up enforcement, and a number already are doing so; however, this does not mean that the industry should shift its focus exclusively to the states.

The Federal Trade Commission (FTC), which once dominated the playing field on many consumer protection issues, is reclaiming a prominent role. By way of example, prior to the CFPB’s inception, the FTC took a series of enforcement actions that significantly reshaped mortgage servicing[1] well before the CFPB codified its rules.[2] However, passage of the Dodd–Frank Act, Pub. L. No. 111-203, § 929-Z, 124 Stat. 1376, 1871 (2010) (codified at 15 U.S.C. § 78o), and creation of the CFPB made the FTC’s role in the federal consumer protection landscape seem uncertain at times for companies offering financial products and services. Under Dodd-Frank, the FTC retained its authority to enforce numerous consumer protection laws and to enforce CFPB rules applicable to entities within the FTC’s jurisdiction (see 15 U.S.C. § 1607(c)), including most providers of financial services that are not banks, thrifts, or federal credit unions. Yet, on certain issues, the FTC seemed to cede enforcement authority to the CFPB, which also acquired many of the commission’s most seasoned consumer protection lawyers.

With a five-member bipartisan commission that includes Rohit Chopra, who previously was student loan ombudsman at the CFPB, the FTC’s consumer protection efforts are picking up steam. Financial services companies subject to FTC jurisdiction and their service providers should be aware of potential consumer protection enforcement priorities for 2019 and beyond.

Although banks are not subject to the FTC’s consumer protection jurisdiction, an uptick in the FTC’s consumer protection enforcement efforts could have significant implications for their ability to establish and maintain relationships with nonaffiliated third parties subject to the FTC’s consumer protection jurisdiction. More specifically, an increase in FTC enforcement efforts could (1) alter how banks use third-party service providers to support key operations, (2) increase the level of oversight of participants in bank partnerships, and (3) increase the risk of enforcement actions by the prudential banking regulators or the Department of Justice for failing to adequately manage third-party relationships. In addition, more broadly, actions taken by the FTC may serve as guideposts for federal and state regulators that do have jurisdiction over banks.

Consumer Protection Agenda under Chairman Simons

The FTC has escalated enforcement over the past year in a number of areas that are relevant to financial services companies and their service providers. While continuing to bring enforcement actions under its general Unfair or Deceptive Acts or Practices (UDAP) authority, the FTC’s consumer protection agenda appears to include significant focus on: (1) financial technology (fintech) companies, especially those involved in lending and payment-related services; (2) privacy and data security; (3) debt collection; and (4) the treatment of military personnel and families. The FTC also has brought cases utilizing a third-party liability theory of sorts, including holding companies liable for not properly guarding against or preventing the conduct of alleged bad actors.

These areas of focus may be driven in part by the type of consumer complaints the FTC receives most frequently. In 2018, imposter scams, debt collection, and identity theft were the top categories of consumer complaints filed with the FTC.[3] Recently, the FTC announced that it will be making its consumer complaint data more accessible by releasing its aggregated data on a quarterly instead of annual basis. It also will publish “Consumer Protection Data Spotlight[s],” which will “take a deep dive into the data to illuminate important stories [the FTC] is hearing from consumers.” This increased transparency into complaint data could lead to more investigatory and enforcement activity.

The FTC also has made clear that it intends to collaborate with other regulators, including the CFPB and the state attorneys general.  Indeed, in February 2019, the FTC and the CFPB reauthorized their memorandum of understanding regarding sharing information and coordinating certain law enforcement activities.[4]  And in March 2019, Chairman Simons advocated for increased collaboration with state attorneys general, noting that such collaboration is critical to the FTC’s mission.[5] 

UDAP. UDAP has been a centerpiece of the FTC’s enforcement agenda for years. The FTC has stepped up its UDAP enforcement generally, including actions brought by the FTC in the last year that involve cryptocurrencies and data breaches discussed below.

The FTC has emphasized that ensuring advertising is truthful and not misleading is one of its core missions. In April 2018, the FTC filed a UDAP-related complaint alleging that an online lender’s claim that its loans had “no hidden fees” was deceptive because consumers were charged origination fees.[6] In October, the FTC brought an enforcement action against an online student loan refinancer for alleged misrepresentations regarding how much borrowers have saved through refinancing student loans, as well as alleged misrepresentations of when customers would pay more under various refinancing options. These lawsuits may be precursors to other similar actions that the FTC may take in reviewing advertising and marketing materials.

The FTC also used its UDAP authority to file a lawsuit against an online payday lending company and its owner who allegedly marketed payday loans using false loan disclosures that did not accurately describe the true cost of the loans. According to the FTC, despite informing customers that they would be charged only a one-time finance fee, the payday company made multiple withdrawals from customers’ bank accounts, assessing a new finance fee each time. This resulted in the customers paying more for the loans than they agreed to pay. In addition to the FTC’s civil case, the United States Attorney’s Office for the Southern District of New York obtained a criminal conviction against the owner of the payday company and its attorney, and a penalty of $528 million against a bank, for violations of the Bank Secrecy Act, including failing to timely report suspicious banking activities. This lawsuit demonstrates how the FTC is working with other enforcement agencies, but also how entities (such as banks) that are not under the FTC’s jurisdiction still can be brought into related proceedings.

The FTC also recently has taken UDAP actions in connection with credit cards and student loans. In December 2017, it filed a suit alleging that the defendants violated the FTC Act and the Telemarketing Sales Rule by misrepresenting that they could reduce credit-card interest rates and save consumers money, but failing to disclose that consumers could also be required to pay a range of additional bank fees totaling one percent to three percent of their credit-card debt. In October 2017, it announced “Operation Game of Loans,” the first coordinated federal-state law-enforcement initiative targeting deceptive student loan debt-relief scams.

Fintech companies. The FTC remains focused on protecting consumers that use various forms of financial technology and ensuring that “market participants offering these exciting new products [] keep in mind important consumer protection principles as they continue to innovate for consumers’ benefit.” Indeed, Chairman Simons recently stated that one of the FTC’s priorities is “policing the financial marketplace.”[7]  Of interest to the FTC are mobile payments, with a focus on the Electronic Funds Transfer Act, marketplace lending, cryptocurrencies, and money transmitters.

The FTC’s recent enforcement action against the recently acquired subsidiary of a worldwide payment systems company indicates that fintechs, especially those in the payments and lending space, may be in the crosshairs of the FTC’s broader agenda. The commission alleged that the subsidiary failed to disclose to users of its peer-to-peer payment service that transfers of funds to external bank accounts were subject to review and could be frozen or removed, and that it misrepresented the extent to which accounts were protected by “bank-grade security systems.” The FTC’s emphasis in this case is consistent with its more general focus on data privacy and security and sends a strong signal that it is willing to rely on its UDAP authority to protect fintech customers.

The commission also has stated that money transmitters have a responsibility to implement controls and procedures to ensure that criminals are not using their services to defraud consumers. In one example, the FTC alleged that a money transmitter was aware that its system was being used for fraud-induced money transfers, but failed to undertake measures to detect and prevent such transfers, such as terminating agents and locations involved in high levels of fraudulent transactions or imposing more robust ID requirements to receive transfers. In another example, the FTC brought an enforcement action in November 2018 against another money transmitter for failing to comply with a prior order to implement a comprehensive fraud prevention program that requires it to “promptly investigate, restrict, suspend, and terminate high-fraud agents.” Here again, the FTC’s enforcement activity is focused on the role of third parties in failing to prevent the illegal conduct of others.

In addition, the proliferation of cryptocurrency is driving the FTC to take action on consumer protection as it relates to this relatively new medium of exchange. Although the FTC’s efforts to date have focused primarily on consumer education, a recent UDAP enforcement action against a cryptocurrency promoter may be a sign of what is to come. The case involved four individuals who allegedly promoted deceptive money-making schemes involving cryptocurrencies through websites, YouTube videos, social media, and conference calls. Exchanges, brokers, wallet providers, and other participants in cryptocurrency markets should keep abreast of the FTC’s activity in this space because enforcement action may move faster than regulation.

Privacy and data security. FTC Chairman Joseph Simons told Congress in July that “privacy and data security top the list of [its] consumer protection priorities . . . .” The FTC has brought more than 500 such cases, and over the course of the past year has taken actions related to data breaches, privacy violations under the Gramm-Leach-Bliley Act, and international privacy frameworks.

The FTC has brought privacy and data security cases against or is currently investigating:

The FTC has brought several recent enforcement actions related to the GLBA’s privacy provisions, which it had regularly enforced prior to the creation of the CFPB. Recent cases against TaxSlayer (Nov. 2017) and a global online payment systems company (May 2018) may signal a recommitment to challenging such conduct.

The FTC also has been actively enforcing the EU-US Privacy Shield Framework, which was designed to facilitate transatlantic transfers of personal data. Although the Privacy Shield Framework is a voluntary mechanism, the FTC is responsible for enforcing its provisions for any organizations that commit to comply. The FTC brought three separate cases enforcing the Privacy Shield in November 2018 alone.

Last year, the FTC established a privacy and data security task force to “better understand the markets for consumer information, incentives for the various parties in that marketplace, and how to quantify costs and benefits of different actions that the FTC or others could take.” The commission said it wanted to deepen its understanding of the “economics of privacy,” which includes studying consumer preferences and the relationship between access to consumer information and innovation. It also held an Information Injury Workshop in December 2017 during which it developed a taxonomy for information injury: loss of opportunity, economic loss, social detriment, and loss of liberty. Although the FTC has yet to provide further guidance regarding the types of injury, its mere acknowledgment that injury goes beyond economic loss suggests that it could broaden its assessment of injury.

Most recently, Chairman Simons expressed the need for privacy and data security legislation that would give the FTC expanded authority.  While the FTC has broad authority under Section 5 of the FTC Act to address consumer harms related to privacy and data security, Chairman Simons has described Section 5 as “an imperfect tool” to address those concerns.[8]  Instead, the FTC supports data security legislation that would provide the agency with (1) the ability to seek civil penalties to effectively deter unlawful conduct; (2) jurisdiction over non-profits and common carriers; and (3) the authority to issue implementing rules under the Administrative Procedure Act as appropriate.[9] 

Moreover, on March 5, 2019, the FTC requested comments on proposed amendments to the GLBA Safeguards Rule[10] and the Privacy Rule.[11] Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, said the aim of the proposal is to “provide more certainty to businesses.”  He also said that it “shows that, where we have rulemaking authority, we will exercise it as necessary to keep up with the marketplace trends and respond to technological developments.”[12]  The Safeguards Rule proposal is modeled in part on the New York State Department of Financial Services Cybersecurity Rule and includes proposed changes such as (1) designation of a Chief Information Security Officer; (2) elaborating on the existing risk assessment requirement, including requiring a written report; (3) requiring encryption of customer data, both at rest and in transit; (4) implementing access control protocols aimed at preventing unauthorized users from accessing customer information; (5) mandating the use of multi-factor authentication to access customer data; (6) requiring the establishment of incident response plans or data security response plans in the event of an incident; and (7) elevating cyber governance to a board-level issue and requiring periodic reports to an organization’s board of directors or other governing bodies.[13] These proposed rulemakings and the FTC’s advocacy for enhanced data security legislation highlight the agency’s focus on privacy and cybersecurity issues.

Debt collection. Debt collection matters are at the core of the FTC’s enforcement priorities.  In 2018 alone, the FTC filed or resolved 7 cases against 52 defendants and obtained more than $58.9 million in judgments.[14]  For example, on September 7, 2018, it settled with the operators of a company that allegedly used false claims and threats to get consumers to pay debts, including debts that the company did not have authority to collect or that the consumers did not owe.  And on February 4, 2019, the FTC filed a complaint against 10 companies and six individuals who allegedly used deceptive and threatening tactics to collect phantom debt that the consumers did not owe.[15] 

Although the conduct in question in this case appears extreme, the FTC could expand its enforcement efforts to include entities under its jurisdiction that employ service providers engaging in illegal conduct. That could entail reviewing vendor-management policies, procedures, and practices related to debt collection, and pursuing enforcement actions based on a company’s failure to monitor a vendor.

More relevant to those not under FTC jurisdiction, if a financial service company’s debt collectors are engaging in acts that draw the focus of the FTC, this could lead prudential regulators or others that do have jurisdiction over banks to focus on the bank’s vendor management policies, procedures, and practices. Indeed, the FTC already has taken steps to work together with other regulators on debt collection enforcement matters. The FTC and CFPB announced in March 2018 joint efforts to police debt collectors and in February 2019 reauthorized their memorandum of understanding that continues collaboration between the two agencies on this issue. They also issued an annual report to Congress in March 2019[16] on their collective actions to combat illegal debt collection practices under their shared responsibilities under the FDCPA. The two agencies are likely to pursue greater collaboration on debt collection going forward.

In addition, collaboration efforts are extending to the states as well. In November 2018, for example, the FTC and the New York Attorney General’s Office sued a New York-based debt collection company for allegedly deceiving people in a manner that led to them paying more money than they purportedly owed.

Military and veterans. The FTC also has identified fraud targeting military personnel as a priority. Although the FTC does not have enforcement authority under the Servicemembers Civil Relief Act, it can bring actions under its general UDAP authority as well as under the authority granted in other statutes, including TILA, EFTA, FCRA, and FDCPA. In 2017 alone, the FTC received more than 114,000 consumer complaints from service members, their dependents, military retirees, and veterans, with the top complaints related to imposter scams, identity theft, and debt collection.

The FTC last year established a military-specific task force and already has brought a number of cases related to debt collection and mortgage debt relief targeting service members and veterans. See FTC v. BAM Fin., LLC, No. 8:15-cv-01672-JVS-DFM (C.D. Cal.) (unlawful collection practices); FTC v. Mortg. Inv’rs Corp. of Ohio, Inc., No. 8:13-cv-1647 (M.D. Fla.) (unlawful telemarketing and advertising of veterans home loan refinance services). It also has brought cases alleging deceptive practices in the sale of automobile add-on products.

Another area of increased focus will be the implementation of rules related to credit monitoring for active military personnel. As part of the Economic Growth, Regulatory Relief, and Consumer Protection Act, the FTC is required to implement rules requiring credit-reporting agencies to provide free, online credit-monitoring services to active duty military personnel. In November, the FTC issued a notice of proposed rulemaking, 83 Fed. Reg. 57693 (Nov. 16, 2018), soliciting comments on the proposed rule.

Conclusion

Although consumer protection priorities under the Trump administration are different from those under the Obama administration, this does not mean that all federal enforcement agencies are standing down.

  • The FTC has reiterated its commitment to taking enforcement action in the privacy and data security space, and has brought a number of actions that allege UDAP violations and violations of specific privacy statutes. Companies would be well-served to review their policies, procedures, and practices related to data breaches as well as general compliance with privacy laws to ensure that there are no gaps.
  • The FTC and the CFPB have identified debt collection as a top enforcement priority. Debt collectors and those who hire third parties to collect debt on their behalf should examine their practices and ask themselves whether they have adequate policies, procedures, and practices in place to monitor and rapidly correct infractions, even those that occur by their third-party collectors.
  • The FTC appears focused on legal issues related to mobile payments, marketplace lending, cryptocurrencies, and money transmitters, and will scrutinize fintechs if compliance with the spirit and letter of consumer protection is called into question.
  • Issues facing service members are a priority for the FTC. Companies serving military consumers should assess their policies, practices, and procedures in connection with service members, with a particular eye toward conduct that could be alleged to violate UDAP, among other laws that may provide protections for members of the military.
  • With respect to UDAP, more broadly, there is little doubt that it will remain a central legal vehicle for FTC claims. Matters of interest to the FTC include alleged misrepresentations or deception in advertising as well as fraud. Companies should review their advertising and other consumer-facing materials, as well as origination and servicing practices, for UDAP risk.

The FTC has been rather active over the last year, obtaining hundreds of millions of dollars in settlements. Financial services companies and their service providers should keep a watchful eye on the FTC’s enforcement agenda.


[1] Order Preliminarily Approving Stipulated Final Judgment, U.S. v. Fairbanks Cap. Corp. Fairbanks Cap. Holding, & Basmajian, No. 03-12219 (D. Mass. Nov. 21, 2003), modified by, U.S. v. Select Portfolio Serv., No. 03-12219-DWP (D. Mass. Sept. 4, 2007); Consent Decree, FTC v. EMC Mortgage Corp., No. 4:08-cv-338 (E.D. Tex. Sept. 9, 2008).

[2] See generally 12 C.F.R. §§ 1024 and 1026.

[3] https://www.ftc.gov/news-events/press-releases/2019/02/imposter-scams-top-complaints-made-ftc-2018

[4] https://www.ftc.gov/system/files/documents/cooperation_agreements/ftc-cfpb_mou_225_0.pdf

[5] https://www.ftc.gov/system/files/documents/public_statements/1466558/naag_remarks_chmn_simons_0.pdf

[6] FTC v. LendingClub Corp., No. 3:18-cv-02454 (N.D. Cal. Apr. 25, 2018).

[7] https://www.ftc.gov/system/files/documents/public_statements/1451379/simons-_nashville-aba-remarks.pdf

[8] https://www.ftc.gov/system/files/documents/public_statements/1451379/simons-_nashville-aba-remarks.pdf

[9] https://www.ftc.gov/system/files/documents/public_statements/1466607/commission_testimony_re_data_security_senate_03072019.pdf

[10] The GLBA Safeguards Rule requires a financial institution to develop, implement, and maintain a comprehensive information security program. The Privacy Rule requires a financial institution to inform customers about its information-sharing practices and allow customers to opt out of having their information shared with certain third parties.   

[11] While the vote to submit the Privacy Rule for publication was 5-0, the vote to submit the Safeguards Rule was 3-2 with Commissioners Phillips and Wilson dissenting.

[12] Id.

[13] https://www.ftc.gov/news-events/press-releases/2019/03/ftc-seeks-comment-proposed-amendments-safeguards-privacy-rules

[14] https://www.ftc.gov/news-events/press-releases/2019/03/ftc-cfpb-report-2018-activities-combat-illegal-debt-collection

[15] https://www.ftc.gov/news-events/press-releases/2019/02/ftc-stops-phantom-debt-collection-scheme

[16] https://www.ftc.gov/news-events/press-releases/2019/03/ftc-cfpb-report-2018-activities-combat-illegal-debt-collection

The Rise of Risk Management in Financial Institutions and a Potential Unintended Consequence – The Diminution of the Legal Function

I. Introduction[1] 

After the global financial crisis, a highly respected group of financial supervisors from the industrialized world convened to consider what might have caused the worst financial crisis experienced since the Great Depression.  This group – aptly named the “Senior Supervisors Group” – concluded that a material contributing cause was what they characterized as a “colossal failure of risk management.”[2]  The Senior Supervisors Group was not alone.  Many other bodies have taken up the same topic and reached a similar conclusion.[3]

In the 10 years since the global financial crisis ended, the financial community has responded to the identified causes of the financial crisis, adopting lessons learned and significantly reforming the financial system.  This work has resulted in a financial system with individual institutions that are demonstrably more safe and more sound than before, and a much more resilient banking system overall.  In contrast to what existed on the eve of the crisis – early 2007 – today’s financial system has considerably higher capital and liquidity, as government officials and other commentators have observed.  In addition, and perhaps even more importantly if we accept the conclusion of the Senior Supervisors Group, there has been a revolution in the discipline of risk management and in the “build-out” of processes and procedures for identifying, measuring, monitoring, and controlling risk.  In the United States, for example, one may witness the Dodd-Frank Wall Street Reform and Consumer Protection Act, which President Obama signed into law on July 21, 2010 (the “Dodd-Frank Act”).  The Dodd-Frank Act introduced varied and different requirements for risk management, including a series of “enhanced prudential standards,” as well as governance directed at risk management requirements, like the requirement for a risk committee of the board of directors.

In implementing these and other measures, financial institutions in the United States have overhauled their risk management functions from top to bottom.  Now, after implementation of the Dodd-Frank Act, a financial institution will commonly have a risk committee at the board of directors’ level, a chief risk officer who is a powerful member of senior management, and a risk function populated by experienced risk professionals with expertise in credit, operational, interest-rate, market, compliance, and other types of risk.  The risk professionals will carry out their risk activities in a “three lines of defense” framework, where they will inhabit the so-called “second line.”  This is the line of defense that is empowered to challenge the decisions of the front-line business units, namely those units engaged in generating revenue or those who support the revenue generators.[4]  Perhaps most importantly, the risk professionals now have status and power, so their challenges can no longer be ignored by the front-line units.

In my view, all of this change is very positive.  Like higher capital and more liquidity, the changes in risk management have transformed the post-Dodd-Frank financial institution, and the financial industry.  But in reflecting on any change, particularly one of such scale and size, it is also important to contemplate whether the change has brought with it other, unintended consequences.  This article will discuss whether the rise of the risk management function has had one very specific unintended consequence – the diminution of the legal function.  To place such an important question in a proper context, this article will focus on the potential inverse relationship – it is not only that the legal function has declined in importance, but it is also that the decline has come as the direct result of the rise in risk.

II. The Importance of the Legal Function

Before turning to analyze whether the rise of risk has resulted in a fall of legal, it is useful to take up two preliminary matters.  The first preliminary matter relates to whether any decline in the importance of the legal function might be attributable to something other than the ascendancy of risk – say a decline in the importance of what lawyers do for financial institutions.  If the importance of the work itself has diminished, then the rise of risk might be correlated to the decline of legal but not causative of legal’s decline.  Second, the ascendancy of risk needs to be viewed in a historical perspective.  Risk may be getting so much attention nowadays simply because it is new and not because it is noteworthy.

We begin with the question of whether any potential decline in the legal function is attributable to a decline in the importance of what banking lawyers do.  I do not find any evidence supporting the proposition that the work itself has become less consequential.  Now, as before, legal issues touch every facet of the activities of a financial institution.  While it is true that some legal subjects are less important than before, other legal subjects have taken their place.  For example, when I started my banking law career nearly 40 years ago, the law relating to the collection of checks was a significant subject for banking lawyers.  It is not any longer.  But other areas of substantive law have taken its place, like the law related to privacy and cybersecurity.  These substantive areas are at least as complex as check law, and perhaps much more so. 

The output of the legal function is also just as impactful as it was in earlier times.  A persuasive case can be made that the work of lawyers in a financial institution is even more impactful than before, given the measurable enforcement consequences of a violation of law.  The stakes, at least with respect to penalties, are higher now than they have ever been.[5]  In addition, a material violation will also ordinarily be accompanied by significant reputational damage.

Another topic deserving a brief preliminary discussion relates not to the importance of legal but to the “newness” of risk.  There is a significant difference in longevity between risk, on the one hand, and the legal function, on the other.  The legal function has enjoyed a much longer life in financial institutions than has the risk management function.  Consequently, what is perceived as ascendancy may simply be the attention that something “new” can attract.  If you are in a family that has two cars, you can see this effect in the attention that the new car gets over the old car.  The new car looks different, probably has better technology, and will stimulate olfactory senses with that magical “new car smell.”  The risk function may be like that new car;  it is not overtaking the legal function in importance, it is only the latest and the shiniest new object. 

If you were to examine the financial institution of 20 years ago, you might not find any risk management function whatsoever.  And, if you did find a risk management function, it would likely be much smaller in size, and with rudimentary capabilities.  Most such functions had little in the way of power and even less in terms of sophistication.  If someone from that period were to be magically transported from then to now, he or she would not recognize today’s risk management function.  The financial institution risk management function of today, unlike 20 years ago, is both new and “cutting edge.”

How did such consequential change occur in such a short period of time?  From my vantage point, the financial crisis changed the playing field for risk management.  It highlighted in vivid detail a clear and present need for financial institutions to manage risk better.  And the law reform that turned into the Dodd-Frank Act also transformed risk management into a legal requirement.  That said, this author has the sense that financial institutions were ready, independently of the Dodd-Frank Act, to make real change in the way risk would be managed.  In bank board rooms across the country, there seemed to be a generalized agreement with what the Senior Supervisors Group concluded – we experienced a colossal failure in managing risk and everyone was resolved not to permit it to happen again.

In comparison to the risk management function, which is now in its youth, the legal function is in a very mature state.  Legal functions in financial institutions have been present since they were first chartered.  For example, the Federal Reserve Bank of New York obtained a charter from the Comptroller of the Currency in 1913, and had internal counsel when it opened for business.  The risk function at the Federal Reserve Bank of New York did not arrive until 2008, ninety-five years later.  I use this example to underscore the point that the risk function has become very important in a very short time.  The legal function, in contrast, established itself early and has experienced a lasting legacy.  When we compare one function to the other, we should keep these characteristics in mind. 

Of course, the fact that legal has been a long-time player does not, in itself, make the legal function important.  What is the role of the legal function?  While we will discuss that question throughout this article, the continuous role of the legal function has been to exercise legal judgment, and in the most effective legal functions, the people providing such judgment are made up of experienced and mature lawyers who have the trust of senior management.  In many financial institutions, the chief legal officer is in the “C” suite and in regular contact with the chief executive officer and the board of directors.  

But it is not the position and longevity of the legal function that makes the work of lawyers so important.  It is the nature of the subject matter – legal judgment – that has so much consequence for the way financial institutions carry out their activities.[6]  Shortly before the global financial crisis started, I had the occasion to make the following observation about the work done by banking lawyers:  “Generally, lawyers acquitted themselves with distinction in assisting their financial institution clients in the management of legal, compliance, and reputational risk.”[7]  Nothing since 2007 has altered my view on the role of banking lawyers or the capability of the class as a whole.

The risks whose mismanagement resulted in the global financial crisis were largely not legal, compliance, and reputational risks, the risks typically associated with the legal function.  The problems that caused difficulties at Bear Stearns, AIG, Lehman Brothers, WAMU, Citigroup, and Bank of America arose out of other types of risk.  No federal judge during the global financial crisis felt the need, as Judge Sporkin did almost 30 years ago with respect to the failed Lincoln Savings and Loan, to inquire, “[w]here were the lawyers?”[8]  In the vast literature about the global financial crisis, there is plenty of blame with respect to how risk was managed, but very little is cast on financial institution lawyers.

Take, as one useful example, the change in the business model for bank lending.  The industry transformed from an industry that originated and held the loans that banks made, to an industry that originated and distributed these loans to other industry participants.  This change in business model resulted in less discipline among banks, and across the financial industry, with respect to credit risk.  Because there was no longer the same incentive for the bank originating the loan to identify, measure, monitor, and control credit risk (because the risk would soon thereafter be transferred to someone else), there was a significant increase in bad loans.  This contributed to the financial crisis.  Note that this was credit risk and not legal risk.  The blame rightly rests with the business people in the front lines who ignored (or did not understand) the implications of a change in business model and what it might mean for managing credit risk across the financial industry. 

While some lawyers could have done a better job cautioning their clients about the implications of the change in business model, and how it had affected credit risk, there is no case to single out lawyers, and even less of a case for blaming the legal professionals for mistaken legal judgments that resulted in the global financial crisis.  While there may have been a colossal failure of risk management, the mismanaged risks were not the responsibility of the legal function.

With all of that said, let me make an observation about shared responsibility.  Financial institutions exist in a highly regulated ecosystem, and lawyers are an indispensable part of the functioning of a modern financial institution.  Virtually every decision – from the smallest to the largest – has a legal component.  In view of this, there is a shared accountability on the part of the lawyers, and on the part of other people who perform within the ecosystem (regulators, business people, academics, members of Congress, etc.), because they all play a part in shaping the ecosystem.

III. Factors that Might Be Prompting a Diminution in the Legal Function

In this section, I will discuss the factors that might be working in concert with the rise of risk to diminish the legal function.  I begin with the terminology used to speak about risk today.  One major development is that we now categorize risk by type.

Risk Typology

A lesson learned during the financial crisis is that there are different types of risk.  AIG, for example, learned a powerful lesson with respect to liquidity risk in September and October of 2008.  At that time, AIG was the world’s largest insurance company,[9] and did not anticipate that a downgrade by the rating agencies would result in a situation where it could not repay its debts as they came due.  It then learned a very hard lesson about liquidity risk, a risk that is distinguishable from insolvency risk[10] – where the liability side of the balance sheet exceeds the asset side.  In September of 2008, AIG was not balance sheet insolvent but it was illiquid, and the governmental rescue of AIG succeeded because AIG and the United States Government acted together to solve AIG’s liquidity problems.

To return for the moment to the observations that I made in early 2007, I spoke about the role of lawyers with respect to legal, compliance, and reputational risk.  Let’s consider how the OCC currently treats these forms of risk in its Part 30,[11] a set of regulatory measures designed in the post-crisis period to foster better risk management in OCC-regulated financial institutions.  In Part 30, the OCC covers a range of risk types, including compliance and reputational risk.  It does not address legal risk,[12] because the OCC wisely did not want to be challenged as trying to regulate the practice of law.  Instead, the OCC can, and does, monitor how well institutions are handling compliance and reputational risk by reviewing the adequacy of their compliance function.

Another problem relates to how the regulatory community defines legal risk, on the one hand, and compliance risk, on the other.  The definitions are not mutually exclusive.  In fact, the definitions substantially cover the same subject matter.  Let’s consider the Federal Reserve’s SR 16-11, which defines “legal risk” as follows: “the potential that actions against the institution result in unenforceable contracts, lawsuits, legal sanctions, or adverse judgments can disrupt or otherwise negatively affect the operation or condition of a financial institution.”[13]  This risk, as it is cast by the Federal Reserve supervisory staff, is the risk that arises from a contract that is unenforceable or from the institution being subject to a legal sanction.  Now consider how the Federal Reserve defines “compliance risk” in SR 16-11, as “the risk of regulatory sanctions, fines, penalties or losses resulting from failure to comply with laws, rules, regulations, or other supervisory requirements applicable to a financial institution.”[14]  The definitions of legal risk, on the one hand, and compliance risk, on the other, are not mutually exclusive; to the contrary there is considerable overlap between them.

Defining different concepts to mean much of the same thing might not be harmful, depending on how the definitions are used.  However, if the definitions are used to define roles and responsibilities, this can cause considerable mischief.  One might also say that using the definitions to define roles and responsibilities is using the definitions inappropriately.  In my view, an inappropriate use of the defined risk types would be to say, as many do, that the compliance function is responsible for compliance risk and the legal function is responsible for legal risk.  If there is substantial overlap between the two risk types, and there is, this could lead to compliance encroaching onto the functioning of legal.

Encroachment by the compliance function onto the legal function is worrisome because of the core competency of lawyers.  Lawyers are special because of the nature of the judgment entrusted to them.  Lawyers make legal judgments. Under the current definitions of these risk types used by the regulators, compliance risk and legal risk are both, directly and materially, affected by legal judgments. 

Why are legal judgments entrusted to lawyers?  In most financial institutions, legal judgments are entrusted to the lawyers who inhabit the legal function (or, in the case of outside counsel, participate in the work of the legal function)[15] because of their special competency.  In the United States, our respective state laws require that the people exercising such judgment be licensed members of the bar because “it protects the public against rendition of services by unqualified persons.”[16]  Consequently, to assign compliance risk to the compliance function without consideration of the types of judgment that are needed to identify, measure, monitor, and control compliance risk is a mistake.  When compliance risk depends, as it often does, on a legal judgment, you need assistance from a qualified professional and that is a lawyer.  The manner in which the regulators have defined legal and compliance risks has ignored this core concept – that a qualified licensed lawyer needs to provide the necessary legal judgment.

Let me use my own past experience as General Counsel of the Federal Reserve Bank of New York to demonstrate the overlap in the definitions.[17]  In the rescue of AIG, a question arose as to whether a so-called “equity participation or kicker” could be offered as partial consideration for the revolving credit facility that rescued AIG from bankruptcy.  This question called for a legal judgment, and I made the judgment that the governing law permitted the Federal Reserve (my client) to receive such consideration.  This legal judgment was challenged in headline-grabbing litigation brought by AIG’s largest private shareholder, who was diluted by the equity participation (hereafter referenced as the “AIG Shareholder Litigation”).[18]  This AIG shareholder claimed that the governing law did not permit such consideration, and that the contractual provisions in the rescue deal relating to the equity participation were not enforceable.  In the Court of Federal Claims, Judge Wheeler ruled for the plaintiff-shareholder on the legal question (contrary to my legal opinion), a ruling that was not sustained on appeal. 

Note that, as the AIG example reveals, a legal judgment can create both legal and compliance risk.  In the AIG Shareholder Litigation, the plaintiff claimed that the Federal Reserve Act did not permit the Federal Reserve to receive an equity participation, which meant that (under plaintiff’s theory) the Federal Reserve had violated its authorizing statute.  This created the risk that an important component of the revolving credit agreement could not be enforced as written, the provision that AIG had to contribute nearly 80% of its equity to a trust for the benefit of the United States Treasury.  A judgment in favor of the plaintiff clearly represented a legal risk but it also created a compliance risk.  At least in theory, an enforcement action could be brought against the Federal Reserve to hold it accountable for the claimed statutory violation.  In simple terms, when there is an error in a legal judgment, or as in the AIG Shareholder Litigation, an alleged error in a legal judgment, it typically creates both legal and compliance risk.  The example also illustrates why the definitions are not fit for the purpose of assigning roles and responsibilities as between legal and compliance.  The question whether the Federal Reserve Act permitted an equity kicker called for a legal judgment.

Another problem with the overlapping definitions of legal and compliance risk is that they obscure what, in many situations, is the key determinant of the risk in a financial transaction or activity.  This key determinant – legal judgment – is a central thesis of this article.  These legal judgments must be made with respect to fuzzy and ambiguous concepts or texts, and take into account interpretations by judges and regulators that morph over time and with changing facts.  The simplistic notion that compliance risk is for compliance and legal risk is for legal does not withstand analysis.  The province and responsibility of the legal function is making legal judgments on behalf of the financial institution.  This is what makes the legal function important.  To the extent that legal judgments are made by another group of professionals, let’s say the compliance professionals, then the importance of the legal function is diminished and a specific type of decision-making gets done by those who are not properly qualified.

With respect to legal risk, there is another development that has occurred among the supervisory community which is relevant to this analysis.  The Basel Committee on Banking Supervision (BCBS) has determined legal risk to be a subcategory of operational risk.  In its seminal manuscript titled Principles for the Sound Management of Operational Risk, the Committee said this plainly:  “Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.  This definition includes legal risk, but excludes strategic and reputational risk.”[19]  Of course, the problem with this bold statement is that operational risk describes almost everything.  Every calamity will be caused either by an externality or by a failure on the part of a process, person, or system.  The inherent credit risk in the sale of a portfolio of bad loans fits the definition, and so does the liquidity risk that AIG experienced in September of 2008.

Of course, if operational risk covers nearly all risks, and the risk management function has responsibility for operational risk, then the risk management function owns nearly all risks.  This would include legal and compliance risks.  Consequently, the BCBS declaration that legal risk is a component of operational risk is a problem.

Returning to the AIG Shareholder Litigation, let us assume for purposes of argument that the court concluded the Federal Reserve Act prohibited receipt of an equity kicker, and the United States had to pay a judgment of more than $20 billion.  An application of the quoted conclusory statement by the BCBS would result in a conclusion that an operational risk had produced this result, attributable most directly and immediately to a bad selection decision with respect to the General Counsel.  Alternatively, one might say the risk arose from the externality of litigation by AIG’s largest shareholder.  In either variant, we have a risk that would qualify as an operational risk fitting the Basel definition. 

If you categorize risk in this fashion, it might lead you to conclude that managing all these risks is within the role and responsibility of the chief risk officer, because the chief risk officer is charged with identifying, measuring, monitoring, and controlling operational risks (and legal risk, according to the BCBS, is operational risk).[20]  But, in my view, that puts this kind of risk into the hands of an unqualified professional because the key determinant is a legal judgment.  Consequently, the BCBS framework turns us in the wrong direction. 

Legal judgments should be made by those who are qualified, namely the lawyers in the legal function.  Legal risk is not operational risk.  Neither is compliance risk when it depends on legal judgment (it can be operational risk when it is determined by technology, such as when compliance is designing a suspicious activity monitoring system).  The BCBS just got this one wrong.

With respect to the AIG Shareholder Litigation, had I concluded that the Federal Reserve Act did not permit the Federal Reserve Bank to receive an equity participation, this legal judgment would have been binding on the policy makers because they are bound by the common internal-affairs constraint that all corporate officers must follow the law.  No Federal Reserve official has the authority, on behalf of the organization, to violate the law.  This is true in nearly all financial institutions (many would say that a deliberate decision by a corporate officer to violate the law constitutes a breach of the officer’s fiduciary duty). 

The General Counsel is, under the rules governing the organization’s internal affairs, the person who gets to say what the law is.  Senior Federal Reserve officials could resort to other external counsel in an effort to obtain a different legal judgment, but they would nonetheless need a competent opinion from a qualified lawyer.  As a result, this theoretical possibility for the “front line” policy makers – to go to outside counsel for a different legal judgment – is not usually practicable.  The important point is that a properly licensed lawyer – either the General Counsel or outside counsel – gets to say what the law is.  This is not subject matter for a layperson.  In the end, when it comes to legal judgment, the legal function holds the decisional responsibility.  At issue in the AIG Shareholder Litigation was the legal judgment that the Federal Reserve Act permitted the equity kicker.  If the legal judgment were that the Federal Reserve Act prohibited the equity kicker, then no equity kicker would have been a part of the rescue, and there would have been no AIG Shareholder Litigation.

For purposes of this particular discussion, the imprecision in the definitions of legal and compliance risk is a highly consequential factor that may be empowering the risk and compliance functions to the detriment of the legal function.  I look at this as a kind of “original sin” by the regulatory community, which has caused many successive problems.  The problems with the definitions of risk types are compounded further by the mistaken belief of supervisors that legal risk is a form of operational risk.

Three Lines of Defense

Another potentially contributing factor to the diminution of legal is the three lines of defense framework, which has become the accepted framework for managing risk in a financial institution.[21]  Under this framework, the front-line business owns the risk and is the first line of defense.  In the second line of defense are the risk professionals who are empowered to identify risks for the front line and help them to manage and control their risks.  The third line is audit, which will ascertain how well the framework is working.[22]

With respect to the second line, the risk function is intended to operate on an enterprise-wide basis across all risk types.  The risk types would include operational and compliance risks.  While legal risk is not usually referenced, the discussion of the overlapping definitions in the preceding section means legal risk can be reached indirectly, as compliance risk or operational risk.  Being outside the framework could have caused the regulators a problem, if some critical risk management function were to fall outside of regulatory purview.  But the regulators found a way to avoid that result, using the loose definitions of compliance and operational risk.

The OCC has adopted the three-lines-of-defense framework in Appendix D to Part 30.  During the notice-and-comment phase that preceded the adoption of Part 30, there was a significant clamor over the OCC’s preliminary attempt to force legal into the three-lines-of-defense framework.  In the final guidance, the OCC withdrew from covering legal, and this was the right regulatory response in the view of the author.  Regrettably, however, there has been too little attention to a view expressed by this author that legal stands in its own right.[23]  Instead, legal is too often forgotten when it comes to the risk management framework.  Alternatively, the legal function is subsumed in the risk taxonomy, and placed under the broader category of operational risk.  In a certain respect, it is “as if” the legal function disappeared.[24]

Again, if this factor were alone, it would not likely result in a diminution in the role of the legal function.  But it is not alone, and the absence of legal is amplified considerably by a trend in the way compliance reports within today’s financial institutions.

The Modern Trend for Compliance Reporting – From Legal to Risk

The modern trend for financial institutions is for compliance to report up to the chief risk officer rather than to the chief legal officer.  This is not a trend that has been fostered by regulatory requirements, although there are many bank examiners who mistakenly believe it is.  A financial institution can, if it wishes, have compliance report up to the chief legal officer.[25] 

There is a rich literature articulating the benefits and challenges with respect to either form of structural reporting, and there are also some other options, like having the chief compliance officer report to the chief operating officer or even the chief executive officer.[26]  The considerations that lead financial institutions to select one reporting relationship over another are beyond the scope of this article.  Here, I will address two considerations that may explain some of the modern trend, and state why I think both are mistaken.  Then, with respect to the modern trend, I will explain what I perceive to be an organizational dynamic inherent in any structure where compliance reports to risk.  The organizational dynamic could result in the diminution of the legal function.

One widely offered explanation for the movement of compliance to risk relates to independence.  The Basel Committee on Banking Supervision has declared as a core principle that “[t]he bank’s compliance function should be independent.”[27] Many disciples of independence believe that this means the chief compliance officer must be independent of management, although the BCBS never actually said this.  In fact, the BCBS said that “[t]he concept of independence does not mean that the compliance function cannot work closely with management and staff in the various business units.”[28] 

Further, it is simply erroneous to conclude that the risk function is independent of management while the legal function is not.  In my opinion, the erroneous view rests upon a mistaken notion as to what a financial institution’s legal counsel does.  The mistaken notion is that counsel is the advocate for management, most often the so-called “C” suite or even the chief executive officer.  But bank counsel do not act as the advocate for any particular business person or organizational constituent.  A financial institution’s lawyer represents the organization.[29]  Her obligation is to exercise “independent professional judgment and render candid advice”[30] on behalf of the organization, and this necessarily means that counsel can be “independent” of management.  If compliance reports to counsel who are themselves independent, there is no independence problem.  Of course, this is not a structural independence as we often see with respect to audit (many independent auditors report to the Chair of the Audit Committee of the board of directors, rather than to a member of management).  It is judgment independence, and judgment independence is precisely what is needed for compliance.  In sum, there is no independence problem when compliance reports to the chief legal officer.

Another often unspoken reason why some chief legal officers have not objected to the reassignment of compliance to risk relates to a different kind of risk calculus.  Some chief legal officers look at the roles and responsibilities of compliance as roles and responsibilities likely to lead to problems and to the assignment of blame.  Consequently, when a discussion arises with respect to the appropriate reporting relationship, some chief legal officers see this in terms of a way to limit their own personal responsibility.  In my view, this is the wrong reason to move compliance.  It is not a reason grounded in organizational interest; it is a reason grounded in the chief legal officer’s personal interest.[31]

Putting to the side the reasons underlying the modern trend to have compliance report to risk, it is clearly the trend for banking organizations in the post-crisis period.  And when that organizational move is made, there is a very clear organizational dynamic that follows at the time when compliance moves from legal to risk.  Once compliance moves, the chief compliance officer will naturally realign with the chief risk officer, the officer to whom the chief compliance officer now reports.  If a particular risk issue occupies the sometimes mercurial border between legal, compliance, and operational risk, then the lawyers should anticipate that risk and compliance will form a new coalition.  Remember that a reporting relationship usually entails some other components in the typical financial institution – the chief risk officer will now probably be appraising the chief compliance officer’s performance and determining the chief compliance officer’s compensation.

If there is to be a “turf fight” between risk and legal, once the chief compliance officer starts reporting to the chief risk officer, there will be little daylight between compliance and risk. 

Attorney-Client Privilege

Many of those who are familiar with the examinations process would say that there is a generalized antipathy on the part of examinations staff toward lawyers and the legal function.  I wish that this were not true, and I know that it is not universal.  Yet it is my generalized view that this bias exists.  Why?

One factor is the attorney-client privilege.  Financial institution lawyers will raise privilege with examination staff and examination staff will often see it as an obstructionist tactic.  With respect to compliance staff, who are not functioning in the same capacity as legal counsel, and who typically do not interpose privilege objections (and when they do, they assign, appropriately, responsibility to legal), the examination staff have much more agreeable dealings.  As a result, examiners routinely see compliance staff as more cooperative than the legal function.  Further, there is a symbiotic relationship that often occurs between examination staff and compliance staff. 

For example, when compliance needs more resources, often compliance will receive external support from the examiners.  When a compliance professional is having difficulty with a particular business executive, a hushed hallway conversation with the examiner-in-charge can sometimes work a miracle.  Finally, on an interpersonal level, there will typically be a close working relationship between the examiners and the compliance staff; they will see each other as colleagues.  In contrast, the relationship between examiners and lawyers is generally at arm’s length.

With respect to the attorney-client privilege and the work product doctrine, there is a special provision of federal law that is intended to facilitate the communication of privileged information between the financial institution and its prudential supervisor.[32]  Some look at this provision as evidence of an attempt by government to erode privilege.  As one of the proponents of the provision, which was added by the Regulatory Relief Act of 2006, I can state that this provision was supported by the Federal Reserve and the OCC, but that support was not designed to erode privilege.  The provision was drafted and enacted to reinforce, and not disable, the attorney-client privilege and the work product doctrine.

Of course, the operative hypothesis underlying Section 1828 (x) is that sharing with a supervisory authority would be considered as fostering the interests of the financial institution.  If, on the other hand, the financial institution wishes to block the supervisor from seeing the legal advice, an assertion of privilege affords a way to accomplish this objective.[33]  When the privilege is asserted, it is asserted on behalf of the bank by bank counsel.  The examination staff will commonly experience the privilege assertion as a hostile act by bank counsel.  Over time, if the examination staff is regularly confronted with privilege assertions from the legal function, the examiners may come to regard the legal function as obstructionist and obdurate, and contrast that perception with what they experience from compliance and risk.

Examiner antipathy toward the legal function is never a good thing.  But it can be especially destructive when there is a conflict between risk/compliance and legal.  The examiners will likely side with risk/compliance and the conflict may be resolved with a legal loss.  Again, this can contribute to a diminution of the legal function. 

Legal “Meremanship” as an Advocacy Tool

One of the most surprising factors contributing to the diminution of the legal function may relate to the arguments that financial institution lawyers make about their own roles.  There are many examples, but perhaps the clearest and the most obvious occurred recently in the United Kingdom with respect to the Senior Managers Regime.

The Senior Managers Regime is designed by regulatory authorities in the United Kingdom to encourage senior managers in covered financial institutions to manage the risks that they are responsible for.  Consequently, the regime is designed to elucidate for senior managers what they are responsible for, that there is a proper focus on skills, capability and conduct within the firm, that a set of conduct rules provide a foundation for behavior, that practices and policies within covered firms provide for a necessary sense of accountability, and that the Financial Conduct Authority can hold the senior officials accountable if they should fail. 

A question arose under the Senior Managers Regime as to how to treat the senior staff of the legal function.  Were the lawyers to be considered within the scope of the Senior Managers Regime and held accountable as officials who had significant responsibility for risk management?  In the comments that were received, “[m]ost respondents argued that the [legal] function was purely advisory” and that a determination otherwise might be compromising to privilege.[34]  Accordingly, the Financial Conduct Authority has now proposed “to exclude the Head of Legal from the requirement to be approved as a Senior Manager.”[35]  Of course, the chief risk officer and the chief compliance officer are included.  What does this contrasting position say about the relative importance of risk/compliance vis-à-vis the legal function?  I believe the answer is obvious.

The argument made in the United Kingdom is an argument that is often heard from counsel in the United States.  It is the “meremanship” argument – to the effect that all lawyers do is give legal advice.  The purpose of this result-oriented argument is to deemphasize lawyer importance.  It is a variation on the argument that “don’t worry about us, we do not really matter.”  One problem with the argument is that it is not really true.  For the reasons stated above, the lawyers within a financial institution do matter, because they are the group that renders legal judgments that have a material effect on how the financial institution carries out its activities.  Returning to the AIG Shareholder Litigation example, when I opined that the Federal Reserve Bank could receive an equity participation as consideration for a rescue loan, that legal judgment enabled the deal to go forward with that particular component which turned out to be worth more than $20 billion.  A decision otherwise would have resulted in a different deal, with considerably less upside for the taxpayer.  As the AIG Shareholder Litigation example demonstrates, legal judgment matters.  Legal judgment can determine the consideration for a material transaction, or the contours of a permitted activity.  The legal function does much more than just whisper advice.

Another problem is that such advocacy becomes a self-fulfilling prophecy.  The essence of the argument is that “lawyers don’t matter.”  More problematic is that the argument is occurring in a context where the role of lawyers is juxtaposed against the role of risk and compliance professionals, who are covered by the Senior Managers Regime.  And, with respect to the risk and compliance professionals, the conclusion reached about them amounts to the opposite message: “these people really do matter.”  This returns us to the overall purpose of the Senior Managers Regime – to hold those who have material decision making authority responsible for their decisions.  Risk and compliance professionals need to be responsible.  Why not senior personnel exercising legal judgments?

Risk Governance

In the new, post-financial-crisis world, financial institutions are expected to identify, measure, monitor, and control all of the risks they face.  The supervisors of such institutions expect that there will be processes and procedures for governing these risk functions across all of the risk types, and that these governance procedures will encompass risk-appetite statements and a risk-governance framework.

The processes and procedures will be developed under the supervision and control of the risk committee of the board of directors.  The risk committee will be the body that typically approves the risk appetite and the risk-governance framework.  Ordinarily, the senior management will create an internal management committee to perform these tasks, before these kinds of determinations reach the risk committee of the board (or to the full board).

Note that risk governance will typically encompass the following risk types: credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk, and reputational risk.[36]  Once again, the absence of legal risk and the legal function may be problematic, if this absence gives rise to an inference that legal risk and the legal function are not important (or are subsumed under the umbrella of other risk professionals).  The concern is a variant on the concern that I have expressed about meremanship advocacy, except here it is that an inference might be drawn – legal risk and lawyers do not need a framework because they are not important.

This does not mean that we should invite regulators to make legal judgment a part of the risk governance that they are reviewing as a component of enterprise risk management.  An alternative possibility is for the legal function to create its own risk governance framework for matters requiring legal judgment.  This framework would require that lawyers be the core professional staff, and not the risk function.  But, for anyone who has engaged in this exercise, it is not facile and will often be met with a healthy skepticism as to why legal is different from all other risk types. 

If a risk-appetite statement is prepared for legal risk, it will look decidedly different from the appetite statements for other risk types.  Let us hypothesize that we are creating a risk appetite statement for violations of the Volcker Rule.[37]  Anyone who has gone through such an exercise will know that it is likely to result in the only practicable conclusion – that there is a zero appetite for such a violation.  Would the answer be different for sexual harassment, a Truth-in-Lending Act violation, and so on?  No.  Every financial institution will seek to conduct its activities within the bounds of the law, meaning that it has zero risk appetite for violations of law.  Having no appetite for legal violations will be consistent with what most banking organizations practice; it is a permutation on the internal affairs policy referenced earlier that no corporate officer has the authority to violate the law.  When a bank official intentionally violates a legal prohibition, nearly all banks will take disciplinary action against the official.[38]  The goal of such disciplinary action will, of course, be aspirational and designed to send a message that the bank conforms its activities to the bounds of the law.  With that said, in nearly every financial institution, including the most carefully controlled and the best governed, the goal will not be attained and there will be episodic violations.

Those with experience in these matters will know that legal and compliance risks are different in nature from risks like credit risk and liquidity risk.  Governance practices that work for the latter risk types are not easily adapted to the former.  Perhaps what is needed is for the legal profession to intervene with regulators and make sure there is awareness that the legal function is sui generis in its risk management endeavors.

The alternative course – remaining silent with respect to the legal function – has its own potentially destructive consequence.[39]  In a world where risk governance is seen as exceptionally important to the health of the financial institution and the stability of the economic ecosystem, being marginalized is a form of diminishment.

Risk Reporting

The final factor leading to a potential diminution in the role of the legal function concerns risk reporting.  In today’s financial institution, it is typical for a bank’s highest legal authority, the board of directors, to also have a risk committee either because it is legally required or because it is considered to be a better governance practice.  The risk committee’s principal task will be risk oversight.  To perform its risk-oversight function in a competent manner, the risk committee will need information from the management about risk in the organization.  This ordinarily leads the board’s risk committee to turn to the chief risk officer and request a risk report, or a risk “dashboard,” that will enable the risk committee to perform its risk-oversight functions.  In its IRM Guidance, the Federal Reserve proposes the principle that independent risk management “should provide the board and senior management with risk reports that accurately and concisely convey relevant, material risk data and assessments in a timely manner.”[40]

An effective risk-reporting mechanism will typically show the risk committee the different types of risk that the organization faces, and will try to gauge trend lines.  The trend lines will show whether risk of a particular type is increasing, decreasing, or remaining constant.  Often, when presented in dashboard form, the risk report will highlight risk trends in colors, where green is good, red is bad, and yellow is a warning sign.  A good risk report will identify “emerging risks” and provide “forward-looking perspectives.”[41]

In most organizations, the risk committee will look to the chief risk officer to provide this kind of information.  The risk committee typically will not want to receive information from many different people.  It will want to hold accountable for risk reporting a key senior officer, and usually that officer is the chief risk officer.  This can place the chief legal officer in an uncomfortable position, particularly with respect to legal and compliance risks.  Often, compliance risk reports will reference legal judgments, and, again, legal judgments are the province of the legal function.  For example, compliance may believe that there has been a violation of the Truth in Lending Act, which involves a legal determination and a legal judgment.  If this view should be written into a risk report, this encroaches on the legal function because it is the province and duty of the legal function to say what the law is and whether the law has been violated.

If there is a legal memorandum from the legal function stating this judgment, it could be appended to the risk report and the problem is solved.  But often these reports do not follow this practice, and that has consequence.  For example, if a legal conclusion is stated in a report from the chief risk officer or the chief compliance officer, it will not be privileged.[42]  There will likely be significant pressure to get the board books done timely, and not to distinguish this “legal” matter from all the other risk issues that warrant the attention of the risk committee.  In addition, if the legal function should demand special treatment, there may be a perception that legal is “too defensive” or that legal is “causing trouble.”  All of these considerations may create pressure on the legal function to acquiesce, and permit the chief risk officer to follow the path of least resistance and treat a legal risk issue just as it would treat, say, an information technology risk.  If this should occur, it is another encroachment by risk on what should be legal’s territory.

IV. Diagnostic: Is the Legal Function Being Diminished?

In the preceding section, I summarized seven risk management conditions that might be causing a diminution in the role performed by the legal function.  Is it actually happening?  I try to answer that question in this section. 

Turning to one of the tools used in the discipline of risk management, we need to confront a measurement problem.  How can we measure an amorphous concept like diminution?  Without spending much time on the question, the short answer is we have no quantitative measure of the power and effect within financial institutions of the legal function.[43]  We have identified the risk of diminution, but we have no good quantitative measure of whether it is actually occurring.

Is there qualitative or anecdotal evidence that the power and effect of the legal function is in decline?  I believe that there is evidence this is happening, but it is very early in the process to be drawing firm conclusions.  This is a current topic of conversation among senior internal lawyers within financial institutions.  The degree of concern varies from person to person and from institution to institution, but the topic is often front of mind.  There is also considerable interest among legal and compliance professionals in defining roles and responsibilities, largely driven by concerns about who does what, but especially influenced by structure wherever compliance reports to risk. 

For purposes of this article, my personal perspective is that the legal function has, in fact, been diminished by the ascendancy of the risk management function.  I have a sense that this has started to occur, and I hope this article will foster vigorous discussion of that question by the banking bar.

One can also ask, if the legal function has started to decline, how far has it declined?   

Assuming that my perspective of decline is accurate, and further assuming that some impairment has already occurred, can we reverse the trend and repair the damage?  I think the answer is yes.  

V. Taking Affirmative Actions to Reverse the Decline and Repair the Damage

If a conclusion is reached that the legal function in financial institutions is being diminished and that this is a negative trend that needs correction, what remedial actions are needed?  If I have correctly identified the conditions that are causing the diminution, then the future remedial action becomes clear.  We need to focus on the seven conditions that are working in concert to diminish legal.

The first condition concerns risk typology.  The legal function is certainly focused on legal risk.  But this does not mean that this is the exclusive interest of the legal function.  The legal function should be interested in any risk type that is affected by the exercise of legal judgment.  At a minimum, that would include compliance and reputational risk, but we should not stop there.  Legal judgment affects other types of risk, including credit risk.  In fact, when you consider various risk types, legal judgment likely impacts the majority of them (misconduct risk, for example, is heavily influenced by legal factors whereas model risk is probably not).  Lawyers need to be much more assertive about their expertise and their expertise is legal judgment.  But lawyers also should not be shy when rendering judgment and advice.  As the Model Rules frame it, lawyers should feel free to “refer not only to law but to other considerations such as moral, economic, social, psychological, and political factors that may be relevant” to the financial institution’s situation.[44]  In this regard, the legal function brings to the table not only depth of knowledge with respect to legal judgment, but a breadth of knowledge that can be meaningful with respect to managing other risk types.  As legal professionals, we do more than merely give legal advice.  In the best-in-class legal functions, the senior members of the function are typically considered as business partners who are valued for their legal judgment and business acumen.

The next condition is the three-lines-of-defense framework.  This framework is fine for creating a conceptual model for the work of risk professionals, but it should not be either a model or a constraint on lawyers.  We have to continue functioning as we always have, and, as I said in the article in Business Law Today, the legal function within banking organizations has worked well for more than a century.  With respect to the three lines of defense, the lawyers may move from line to line, depending on the function performed.  If a lawyer is drafting transactional documents at the direction of a front-line business person, the lawyer (as an agent) will be in the first line (assuming that the lawyer is not exercising legal judgment but simply codifying the intention of the business personnel).  If the lawyer is assisting in identifying the risks in a potential new product, to inform a senior management committee that is deciding whether to greenlight or redlight the new product, and authorize it to be offered by the financial institution, the lawyer will be in the second line.  The lawyer is performing a second-line function by informing the decision-makers about risk.  There may also be times when lawyers are assisting internal audit – let’s say they are auditing some kind of human resource practice or procedure.  When acting in this capacity, the lawyers may be in the third line.  The important point is that the three-lines-of-defense model does not neatly fit the work of a legal function; it does not matter where the lawyers are found, so long as they are performing their historical role and making the necessary legal judgments.  And, perhaps most importantly, the lawyers often perform a hugely consequential function that does not fit into any one of the three lines of defense.  Consider the role performed by a senior lawyer who is handling “bet the company” litigation.  Such a lawyer is not in any line of defense but is performing a classic function in managing and controlling the legal risk presented in the litigation.  To avoid a diminution of legal, we must become more assertive about the role of lawyers in risk management, and how they stand apart from the three lines of defense.

Moving to reporting relationships, we need to develop a more realistic understanding that organizational dynamics will change when (and if) compliance moves from legal to risk.  In a certain respect, this is like stating rain is wet.  When the reporting line of the chief compliance officer changes from the chief legal officer to the chief risk officer, who but a fool would ignore the change in organizational dynamics?  Yet this point is hardly mentioned in the literature.  Further, because the distinction between legal, compliance, and operational risks is often obscure, there will be inevitable conflict as to roles and responsibilities.  Having sensitivity to the organizational dynamics is important, because it permits those who are on the playing field to discuss the subject matter and do what is required – namely, work it out.  Alternatively, if they cannot work it out, then they can escalate the dispute to a higher authority who must likewise be sensitive to organizational dynamics.  These dynamics should also be considered when senior officials resolve the inevitable conflicts that come with an escalated matter.

The next condition is privilege.  Financial institution lawyers should closely examine privilege assertions that withhold information that would otherwise be seen by their regulators.  This action has real consequence, and it can and does breed examiner resentment directed toward lawyers.  When privileged matter is solicited by a regulator who is performing prudential oversight (and not acting in an enforcement capacity),[45] sharing privileged information with an appropriate legend will not result in a waiver and likely will not have any negative consequence.  In fact, it might reveal to the examiners just how well the legal function has helped the organization to function in a safe and sound manner.  Providing such material to a prudential supervisor, certainly in a context where there is no likelihood of enforcement action, might be one small, additional step.  While inevitably there will be certain occasions that warrant a privilege assertion, the assertion of privilege in response to a regulator’s request should not be reflexive; if privilege is not asserted, the hidden benefit could be the avoidance of examiner enmity. 

As for legal “meremanship,” I am reminded of what President Obama said: “[T]he first thing we do is stop doing stupid things.”  We should stop arguing that the legal function is not important.  We are important – we make legal judgments and, almost every day, those judgments directly and materially affect the way in which banks conduct their activities.  Arguing we merely give legal advice now threatens to turn us into advisors about nothingness.  If it were true that we are unimportant, then I would have no objection.  But it is not true and we know it.  This could, of course, mean that we will be held accountable for our legal judgments, perhaps even to regulators.  Is that necessarily a “bad” outcome?

With respect to a risk governance framework, lawyers should work to fashion our own unique framework with respect to the exercise of legal judgment.  We should not remain in a kind of twilight zone, because this is not in the interest of the financial community and diminishes the rule of law in society.  And when we finally start to analyze our framework, we will likely discover that we actually have one.  We just have never codified it or conformed our practice to a written policy and procedure. 

With respect to risk reporting, I am reminded of the situation in 2006 that needed to be remedied with Section 1828(x).  Having the chief risk officer recite a legal judgment in a risk report creates a non-privileged record that could be subject to discovery in third-party litigation against the financial institution.  This is a problem that needs attention.  It is also a problem that perhaps needs some creativity and initiative.  What about a risk report from both the chief risk officer and chief legal officer?  What about a risk report that contains an addendum with legal memoranda?  The problem can be addressed if it receives proper attention.

Finally, the whole of these seven conditions is more than the sum of its parts.  Yet, if we address each one individually, we can reverse the potential diminution and start to repair the damage.  The legal, compliance and risk functions can work together seamlessly, with each being cognizant of their unique roles and responsibilities, and each regarding the other with mutual respect.

VI. Conclusion

The ascendancy of risk management and the chief risk officer is one of the truly noteworthy changes in financial institutions since the end of the global financial crisis.  In the view of the author, the change has materially contributed to the safety and soundness of banks and banking.  There is anecdotal evidence that this change has produced an unintended consequence, and the unintended consequence is a relative diminution in the role of the legal function.  This unintended consequence is dangerous, particularly if the diminution becomes material.  The legal function performs a hugely consequential role in the functioning of financial institutions.  The role needs to be better understood and appreciated.  The rise of the risk function should not mean there will be a decline in the legal function. 


[1] I gratefully acknowledge the invaluable assistance of my Sullivan & Cromwell colleagues, Camille Orme and Cristina Liebolt.  The views, thoughts, and opinions expressed in this article belong solely to the author, and do not necessarily reflect the views of Sullivan & Cromwell, or anyone affiliated with the firm.

[2] Senior Supervisors Group, Risk Management Lessons from the Global Banking Crisis of 2008 (October 21, 2009).

[3] See, e.g., David Moss, “An Ounce of Prevention: The Power of Public Risk Management in Stabilizing the Financial System,” Harvard Business School (working paper) (Jan. 5, 2009); Tobias Adrian, Risk Management and Regulation, International Monetary Fund: Monetary and Capital Markets Development (2018); Risk and Insurance Management Society, Inc., “The 2008 Financial Crisis:  A Wake-Up Call for Enterprise Risk Management,” (2008); Federal Reserve Bank of New York, “Economic Policy Review: Special Issue: Behavioral Risk Management in the Financial Services Industry: The Role of Culture, Governance, and Financial Reporting,” August 2016, Vol. 22:1; Society of Actuaries, the Casualty Actuarial Society and the Canadian Institute of Actuaries, “Risk Management: The Current Financial Crisis, Lessons Learned and Future Implications” (2008); Financial Crisis Inquiry Commission, Final Report of the National Commission on the Causes of the Financial and Economic Crisis in the United States, submitted pursuant to Public Law 111-21, January 2011; Anil K Kashyap, Lessons from the Financial Crisis for Risk Management, University of Chicago, Booth School of Business and NBER (paper prepared for the Financial Crisis Inquiry Commission) (February 27, 2010); Daniel Zéghal and Meriem El Aoun, Enterprise Risk Management in the US Banking Sector Following the Financial Crisis, Modern Economy, 7, 494-513 (April 29, 2016); OECD, Corporate Governance and the Financial Crisis: Key Findings And Main Messages, June 2009; Permanent Subcommittee on Investigations, United States Senate, Wall Street And The Financial Crisis: Anatomy of a Financial Collapse (April 13, 2011); Philippe Jorion, Risk Management Lessons from the Credit Crisis, European Financial Management (2009).

[4] See, e.g., the definition used by the OCC for a “front-line unit.”  12 C.F.R. Part 30, App. D, at I(E)(6).  The Federal Reserve has recently used the expression “business line management” to refer to “the core group of individuals responsible for the prudent day-to-day management of the business line and who report directly to senior management.”  Board of Governors of the Federal Reserve System, Proposed Supervisory Guidance – Independent Risk Management and Effective Senior Management, 83 Fed. Reg. 1351 (Jan. 11, 2018) (hereafter “IRM Guidance”).

[5] A recent report by the Group of Thirty notes that, since the financial crisis, the “banking industry has paid an estimated US$350 billion to US$470 billion in penalties (including fines and litigation/settlement charges) for conduct-related matters . . . .”  Banking Conduct and Culture – A Permanent Mindset Change at 3 (November 2018).

[6] See E. Norman Veasey & C. DiGuglielmo, Indispensable Counsel:  The Chief Legal Officer in the New Reality (2012).

[7] Thomas C. Baxter, Jr. and Brian Baxter, The Financial Institution Lawyer:  Four Flavors of Failure, Bus. Law Today vol. 16, no. 4 (March/April 2007).

[8] Lincoln Sav. & Loan Ass’n v. Wall, 743 F. Supp. 901 (D.D.C. 1990).

[9] See, e.g., Emilios Avgouleas, A New Framework for the Global Regulation of Short Sales:  Why Prohibition is Inefficient and Disclosure is Insufficient, 15 Stan. J.L. Bus. & Fin. 376, 380; Lila Zuil, “AIG’s Title as World’s Largest Insurer Gone Forever,” April 29, 2009, available at https://www.insurancejournal.com/news/national/2009/04/29/100066.htm.

[10] Today, AIG is a publicly traded company which has no continuing dependence on the United States Government.

[11] See 12 C.F.R. § 30.

[12] In Appendix D to Part 30, the regulation expressly provides that a “[f]ront line unit does not ordinarily include an organizational unit or function thereof within a covered bank that provides legal services to the covered bank.”

[13] Board of Governors of the Federal Reserve System, Supervisory Guidance for Assessing Risk Management at Supervised Institutions With Total Consolidated Assets Less Than $50 Billion, SR 16-11 (June 8, 2016).

[14] Id.  In the more recent IRM Guidance, the Federal Reserve uses the terms compliance risk and legal risk, but does not define those terms.  IRM Guidance, supra n. 4.

[15] I am mindful that there are some financial institutions that are very small in asset size, and do not have lawyers.  For these institutions, whose official staff are charged with knowledge of the law’s restrictions and requirements, the official staff must do the best that they can.  But in the vast majority of financial institutions, the chief legal officer or General Counsel is the official charged with making legal judgments.  Other officials are authorized to take action within the scope of their authority; ordinarily, no official has authority to violate the law, which empowers the chief legal officer because she is the person who gets to say what the law is.

[16] See New York Rules of Professional Conduct Rule 5.5, Comment 1 (January 1, 2017).

[17] This example is not protected by the attorney-client privilege because the Court of Federal Claims determined that privilege was waived.  Starr Int’l Co. v. United States, Order of Jan. 6, 2015 (Court of Federal Claims, Doc. No. 417) (filed Jan. 6, 2015).  All of the legal judgments are from the public record in the litigation.

[18] Starr Int’l Co., Inc. v. United States, 121 Fed. Cl. 428, 430 (2015), aff’d in part, vacated in part, 856 F.3d 953 (Fed. Cir. 2017).

[19] Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk at 3n.5 (2011).

[20] In the Federal Reserve IRM Guidance proposal, the text provides that “Business line management should incorporate appropriate feedback from [independent risk management] on business line risk positions, implementation of the risk tolerance, and risk management practices, including risk mitigation.”  IRM Guidance, supra n. 4 at 1358.  The IRM Guidance says nothing about the legal function.

[21] The Institute of Internal Auditors (IIA) announced that it will seek public comment from May 28 to July 30, 2019 on an updated model of the Three Lines of Defense.  See IIA, “IIA Sets Exposure Period for ‘Three Lines of Defense’ Update,” (Jan. 29, 2019), available at https://na.theiia.org/news/press-releases/Pages/IIA-Sets-Exposure-Period-for-Three-Lines-of-Defense-Update.aspx; see also IIA, “IIA Launches Global Review of ‘Three Lines of Defense’”, (Dec. 5, 2018), available at https://na.theiia.org/news/press-releases/Pages/IIA-Launches-Global-Review-of-Three-Lines-of-Defense.aspx.  The IIA originally released a position paper on the model in 2013.  See IIA, IIA Position Paper:  The Three Lines of Defense in Effective Risk Management and Control, (Jan. 2013), available at https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf.

[22] Internal auditors would be quick to say that they have other responsibilities, and their role in the three lines of defense describes only one part of a multi-faceted audit function.

[23] Thomas C. Baxter, Jr. and Won B. Chai, Enterprise Risk Management:  Where is Legal and Compliance?, The Banking Law Journal, Volume 133, Number 1 (2016).

[24] In the Federal Reserve’s IRM Guidance, this is literally true.  There is no reference whatsoever to a General Counsel, a Chief Legal Officer, or any lawyer whatsoever.  The legal function is never mentioned, notwithstanding a repeated refrain that senior management should be attentive to “compliance with internal policies and procedures, laws, and regulations, including those related to consumer protection.”  IRM Guidance, supra n.4 at 1356.

[25] While every organization is different, I note that, at the Federal Reserve Bank of New York, the chief compliance officer reported to me when I was General Counsel.  This organizational fact should aid in rebutting the mistaken notion on the part of some supervisors that this structure is not permitted because of independence concerns.

[26] See M. DeStefano, Creating a Culture of Compliance: Why Departmentalization May Not Be The Answer,  10 Hastings Bus. L.J. 71 (Winter 2014); C. Bagley, M. Roellig, and G. Massameno, Who Let the Lawyers Out?:  Reconstructing the Role of the Chief Legal Officer and the Corporate Client in a Globalizing World, 18 Univ. of Penn. J. Bus. L. 419 (Winter 2016).

[27] Basel Committee on Banking Supervision, Compliance and the Compliance Function in Banks at 10 (April 2005).

[28] Id. at 10.

[29] E.g., New York Rules of Professional Conduct, Rule 1.13 (Jan. 2017) (“[T]he lawyer is the lawyer for the organization and not for any of the constituents.”).

[30] New York Rules of Professional Conduct Rule 2.1 (Jan. 2017).

[31] In a prior position when the author served as General Counsel and Executive Vice President of the Federal Reserve Bank of New York, the Chief Compliance Officer reported to me and not to the Chief Risk Officer.

[32] 12 U.S.C. §1828 (x).

[33] Last year, seven major law firms, including Sullivan & Cromwell, released a white paper relating to whether or not the federal financial regulators could compel the production of privileged information.  Bank Regulators’ Legal Authority to Compel the Production of Material that is Protected by Attorney-Client Privilege (May 16, 2018).  A potential collateral consequence of the assertion of that legal right is the effect that it might have on bank examiners.  In some respects, it is analogous to how a jury might consider a criminal defendant’s exercise of the right not to testify in her own defense. 

[34] Financial Conduct Authority, Optimizing the Senior Managers & Certification Regime at 9-12 (January 2019).

[35] Id. at 13.

[36] 12 C.F.R. Part 30, App. D, at II(B).  See also IRM Guidance, where the Federal Reserve identifies “credit, market, operational, liquidity, interest rate, legal and compliance” as risk types.  IRM Guidance, supra n.4 at 1361.

[37] See 12 U.S.C. § 1851.

[38] Where there is controversy, the controversy typically relates to the degree of discipline, contrasting the “slap on the wrist” to the so-called “capital offense.”

[39] It is noteworthy that in the Federal Reserve’s proposed IRM Guidance, the legal function is nowhere mentioned.  Further, there are extensive discussions of the Chief Risk Officer and the Chief Audit Executive, but no reference whatsoever to the Chief Legal Officer or General Counsel.

[40] IRM Guidance, supra n.4 at 1311.

[41] Id. at 1361.

[42] The privilege protects communications between an attorney and her client, not between a risk or compliance professional and its Risk Committee.

[43] Some might look at the number of people working in the risk function at various times over the last 10 years, and compare it to the number of people working in the legal function.

[44] New York Rules of Professional Conduct Rule 2.1 (Jan. 2017).

[45] This is not always clear.  Regulators should be candid about the function they are performing, and if the information is going to be shared with enforcement or if enforcement staff are accompanying an examination team, this should be transparent to the financial institution.

The Power of Place: Geolocation Tracking and Privacy

Abstract[1]

Location data tracking is ubiquitous. The tension between privacy and innovation in this space is exacerbated by rapid developments in tracking technologies and data analytics methodologies, as well as the sheer volume of available consumer data. This article focuses on the privacy risks associated with these developments. To the extent that current and proposed privacy law protects location data, such protection is limited to location data that is identified (or in some cases identifiable) to an individual. Requirements generally apply only to the initial data collector; however, recent media accounts and enforcement actions describe a robust secondary market in which (1) identified location data is regularly acquired and used by third parties with whom the individual has no direct relationship, and (2) de-identified or anonymized location data is regularly combined with identified personal data and used by third parties with whom the individual has no direct relationship to compile comprehensive profiles of the individual. These secondary-market practices are not currently addressed by U.S. law. This article proposes that the risks posed by location tracking and profiling are sufficient to warrant consideration of regulatory intervention at the following points: collection from the individual; use by the original data collector; transfer to and among secondary-market participants; identification of anonymized data to a specific individual; profiling of the individual; and decision-making based on profiling.[2]

I. Location Data Tracking Generally

Consumer location is tracked regularly by multiple systems and devices.[3] Many mobile applications (apps) continuously track user location; Facebook, Google, Apple, Amazon, Microsoft, and Twitter all track and use location data.[4]

Individuals often opt into location tracking through personal devices and their apps, such as fitness monitors, smartphones, and GPS trackers, for the purposes of allowing the app to provide them with the underlying service, such as determining distance ran, providing the local weather forecast, and locating and obtaining directions to nearby restaurants.

Business use cases for identified individual location data include providing consumer goods or services (such as roadside assistance) and marketing and targeted advertising.[5] Aggregated location data (i.e., data that is identifiable by distinct data location points but not by individual) can help urban planners alleviate traffic problems, health officials identify patterns of epidemics, and governmental agencies monitor air quality. Commercial uses of aggregated location data include inventory and fleet control, retail location planning, and geofencing. Specified data points may be aggregated over a defined time period and then presented as an overlay to a geographic map. For example, a trucking company can view in real time the locations of its trucks and the demand for trucking services to more efficiently assign routes. Alternatively, the trucking company can geofence its trucks, which means that if a truck goes out of a designated geographical zone, the company will be alerted in real time. Location data is critical to certain types of commercial and public data analytics.
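The geofencing alert described above, as an added example that is not part of this article: a fleet operator keeps a polygon for the permitted zone, tests each incoming GPS fix against it, and raises one alert per boundary crossing rather than one per fix. The zone, truck identifiers and track points below are constructed for illustration.

```python
# Geofence alerting over a constructed stream of GPS fixes (added example).
# Points and the zone are (lat, lon) in WGS84 degrees; on the scale of a city
# block treating them as planar coordinates is accurate enough for a fence test.

def point_in_polygon(lat, lon, polygon):
    """Ray-casting test: True when (lat, lon) lies inside the polygon given as a
    list of (lat, lon) vertices in order. A horizontal ray is cast eastward from
    the point; an odd number of edge crossings means the point is inside."""
    inside = False
    j = len(polygon) - 1
    for i in range(len(polygon)):
        yi, xi = polygon[i]
        yj, xj = polygon[j]
        # Only edges that straddle the point's latitude can be crossed.
        if (yi > lat) != (yj > lat):
            x_cross = xj + (lat - yj) * (xi - xj) / (yi - yj)
            if lon < x_cross:
                inside = not inside
        j = i
    return inside


# Constructed rectangular zone around a hypothetical Manhattan depot.
DEPOT_ZONE = [(40.70, -74.02), (40.70, -73.95), (40.76, -73.95), (40.76, -74.02)]

# Constructed fixes: (truck_id, seconds since start, lat, lon).
TRACK = [
    ("T1", 0, 40.72, -74.00),
    ("T1", 60, 40.74, -73.98),
    ("T1", 120, 40.77, -73.97),   # crosses the northern edge
    ("T1", 180, 40.78, -73.96),   # still outside: no second alert
    ("T1", 240, 40.75, -73.97),   # returns to the zone
    ("T2", 0, 40.71, -74.00),
    ("T2", 60, 40.71, -74.00),
]


def geofence_alerts(track, zone):
    """Return one ('exit'|'enter', truck_id, timestamp) tuple per boundary
    crossing. State is tracked per truck; the first fix only sets the baseline,
    so a truck that starts outside does not alert until it actually moves across."""
    state = {}
    alerts = []
    for truck, ts, lat, lon in sorted(track, key=lambda r: (r[0], r[1])):
        inside = point_in_polygon(lat, lon, zone)
        prev = state.get(truck)
        if prev is not None and prev != inside:
            alerts.append(("enter" if inside else "exit", truck, ts))
        state[truck] = inside
    return alerts


if __name__ == "__main__":
    for kind, truck, ts in geofence_alerts(TRACK, DEPOT_ZONE):
        print(f"{kind:5s} {truck} at t={ts}s")
```

Edge-triggered alerting is the practical choice here: a truck parked just outside the fence would otherwise generate an alert on every fix, and a fleet of them would bury the real excursions.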

Recent journalistic investigations have revealed that location data is tracked by a wider variety of parties for a greater number of purposes in ways that exceed our understanding or control. The sheer volume of location data tracked, disclosed, and repurposed is tremendous. The widespread availability of location tracking technologies compounds this issue.[6] Furthermore, the use of multiple systems to track location, and the use of data analytics to combine location data with other personal data, enables both the identification of anonymous data and the compilation of comprehensive and precise profiles of tracked individuals.

Are we at a point yet where place itself acts as a consumer identifier? Unique location tracking patterns can be used both to identify an individual and to develop a profile of that individual. A person’s lifestyle, priorities, professional and personal endeavors, and crimes and peccadilloes can all be inferred from continuous location tracking.

The power of place: A person cannot be in more than one place at the same time.

     A. Justification for the Initial Collection of Location Data

Location data is regularly collected by devices, apps, and other online services.

Generally, the basic app model is as follows. An individual downloads a map app in order to get directions. As part of the map app download, the individual agrees that his or her location will be tracked in order to provide personalized directions via the app. The app must know where the individual’s starting point is in order to give accurate directions to the individual’s destination. The individual’s smartphone hardware and the app software use GPS and other tracking technologies to determine the individual’s geographical location: the more accurate and recent the location data, the more accurate the app service.[7]

The wireless carrier transmits this real-time location data to a third-party company (the aggregator), subject to a nondisclosure agreement. The aggregator transmits the location data to the app so that the app can generate the directions to provide to the individual. The location data is tracked and disclosed in order to provide the requested transaction (i.e., directions) to the individual. The sharing of information with third parties is limited to these purposes, and the parties are bound by written nondisclosure agreements not to otherwise use or disclose the individual’s location.

This can be referred to as the initial transaction between the individual and the data collector. The justification for this sharing is that (1) it is necessary to (a) honor the customer’s request for app services and (b) ensure consistency of app usage quality across carriers and devices, and (2) the customer has consented to location tracking as part of his or her enrollment in the app service.

II. The Pandora’s Box of Location Data: The Secondary Location-Data Market

     A. Monetization of Location Data in Secondary Market

The purpose of the initial collection of location data is to enable the data collector to provide a service to the individual; the secondary market purpose is to use that same location data to make conclusions and predictions about the tracked individual. The secondary location data market is used to monetize location data for unrelated purposes, such as enabling a subsequent buyer to compile a profile of the individual and sell access to the individual (whether the individual is identified by name or as part of a data category, like “engaged female retail shopper”). Location data analytics drive a variety of business strategies:

Business data usually contains geographical or location data which mostly goes unused. This data can be as broad as city and country or as specific as GPS location. When this data is placed within the context of big data dashboards and data science models, it allows companies to discover new trends and insights.[8]

The secondary consumer-data market is huge. IBM claims that 90 percent of all consumer data currently in circulation was created in the last two years. This industry is expected to generate $350 million annually by 2020.[9] Location data is a big part of that business. The New York Times reported that:

At least 75 companies receive anonymous, precise location data from apps whose users enable location services to get local news and weather or other information, The Times found. Several of those businesses claim to track up to 200 million mobile devices in the United States—about half those in use last year. The database reviewed by The Times—a sample of information gathered in 2017 and held by one company—reveals people’s travels in startling detail, accurate to within a few yards and in some cases updated more than 14,000 times a day.

These companies sell, use or analyze the data to cater to advertisers, retail outlets and even hedge funds seeking insights into consumer behavior. It’s a hot market, with sales of location-targeted advertising reaching an estimated $21 billion this year.[10]

Location tracking data analytics support targeted advertising and marketing for retail and other business purposes. This profiling is intended to individualize the customer experience as much as possible to encourage purchases and loyalty:

[T]he scale of data collected by early adopters of [location tracking] technology is staggering. Location analytics firm RetailNext currently tracks more than 500 million shoppers per year by collecting data from more than 65,000 sensors installed in thousands of retail stores. A single customer visit alone can result [in] over 10,000 unique data points, not including the data gathered at the point of sale.[11]

In addition, the potential combinations and re-use of location data is tremendous:

[B]y combining location data with existing customer data such as preferences, past purchases, and online behavioral data, companies gain a more complete understanding of customer needs, wants and behaviors than is achievable with online data only.[12]

In 2014, Shoshana Zuboff coined the term “surveillance capitalism” to describe how consumer data has become a business unto itself.[13] More recently, Zuboff explained how location data fits in this model:

[There] has been a learning curve for surveillance capitalists, driven by competition over prediction products. First they learned that the more surplus the better the prediction, which led to economies of scale in supply efforts. Then they learned that the more varied the surplus the higher its predictive value. This new drive toward economies of scope sent them from the desktop to mobile, out into the world: your drive, run, shopping, search for a parking space, your blood and face, and always … location, location, location.[14]

Data is generally sold on the secondary market as identified data (which is directly associated with a distinct individual) or as de-identified or anonymous data (which is aggregated and not associated with a distinct individual).

     B. Disclosure of Identified Location Data

          1. Disclosures by Aggregators 

Under the app model, the aggregators receive the individual’s location in order to send it to the app owner for purposes of furnishing the app service. Distribution of this data is much more widespread. Journalistic investigations reveal that aggregators routinely sell location data to a series of parties that are not intermediaries to the initial data transaction, leading to dissemination of location data beyond its intended purpose, and resulting in unrelated third-party access to the individual’s location data.[15]

One such aggregator, LocationSmart, regularly sold continuous cell tower location tracking to Securus Technologies, a prison contractor that provides and monitors calls to inmates. As an ancillary service, Securus “offers [a] location-finding service as an additional feature for law enforcement and corrections officials, [as] part of an effort to entice customers in a lucrative but competitive industry.” This service was used by a variety of law enforcement officials for a wide variety of purposes, including search-and-rescue operations, thwarting prison escapes and smuggling rings, and closing cases.[16]

The relationship between Securus and LocationSmart impacted almost all U.S. cell phone users, was unknown to them, and could not be opted out of:

So how was Securus getting all that data on the locations of mobile-phone users across the country? We learned more last week, when ZDNet confirmed that one key intermediary was a firm called LocationSmart. The big U.S. wireless carriers—AT&T, Verizon, Sprint, and T-Mobile—were all working with LocationSmart, sending their users’ location data to the firm so that it could triangulate their whereabouts more precisely using multiple providers’ cell towers. It seems no one can opt out of this form of tracking, because the carriers rely on it to provide their service.[17]

Another Motherboard investigation showed that wireless carriers also routinely sold assisted global positioning system (aGPS) location data. aGPS data is more precise location data that is collected for use with enhanced 9-1-1 services to allow first responders to pinpoint an individual’s location with greater accuracy. For example, a cellular call made to the 9-1-1 emergency service that relies solely on GPS satellites might indicate the caller’s location only within a given area, such as a building, and it might take several minutes to determine that location. aGPS relies on assistance data from other external systems, such as the carrier’s network, to provide a faster, more precise location, like a floor within a building.

Federal law expressly prohibits the sale of aGPS data.[18] The Federal Communications Commission issued an order in 2017 providing that data included in the National Emergency Address Database, which is collected using Wi-Fi and Bluetooth to locate 9-1-1 callers within a building, may not be used for any other purpose.[19] In addition, the Federal Trade Commission could enforce section 5 of the Federal Trade Commission Act prohibiting deceptive and unfair trade practices against carriers whose privacy policies were inconsistent with this practice.[20]

          2. Privacy Leaks and Security Breaches

In addition to intentional disclosures, LocationSmart exposed this real-time location data through a bug in its website, which enabled users to track anyone without credentials or authorization using a free demo and a single cell phone number:

Anyone with a modicum of knowledge about how Web sites work could abuse the LocationSmart demo site to figure out how to conduct mobile number location lookups at will, all without ever having to supply a password or other credentials.

“I stumbled upon this almost by accident, and it wasn’t terribly hard to do,” Xiao [a security researcher] said. “This is something anyone could discover with minimal effort. And the gist of it is I can track most people’s cell phone without their consent.”

Xiao said his tests showed he could reliably query LocationSmart’s service to ping the cell phone tower closest to a subscriber’s mobile device. Xiao said he checked the mobile number of a friend several times over a few minutes while that friend was moving and found he was then able to plug the coordinates into Google Maps and track the friend’s directional movement.[21]

Further, the Securus database was the subject of a data hack that separately exposed personal data. A Motherboard reporter obtained data that had been hacked from Securus’s database:

“Location aggregators are—from the point of view of adversarial intelligence agencies—one of the juiciest hacking targets imaginable,” Thomas Rid, a professor of strategic studies at Johns Hopkins University, told Motherboard in an online chat.

The data hack, which was attributed to a weak password reset feature, revealed personal data of thousands of law enforcement users and inmates.[22]

This means that Securus, acting as an unregulated entity and outside of the scope of its nondisclosure agreements with the wireless carriers, was responsible for innumerable disclosures of identified location data.

Other privacy failures involving identified location data can expose individuals to physical danger. A recent privacy failure by a family tracking app (React Apps’ “Family Locator”) exposed children’s identified location data for weeks; the very app that parents obtained to protect their children arguably put them at great risk:

Family tracking apps can be very helpful if you’re worried about your kids or spouse, but they can be nightmarish if that data falls into the wrong hands. Security researcher Sanyam Jain has revealed to TechCrunch that React Apps’ Family Locator left real-time location data (plus other sensitive personal info) for over 238,000 people exposed for weeks in an insecure database. It showed positions within a few feet, and even showed the names for the geofenced areas used to provide alerts. You could tell if parents left home or a child arrived at school, for instance.[23]

          3. Access by Unauthorized Third Parties

The same Motherboard reporter was able to identify the exact location of a smartphone using only the phone number and a $300 payment to a bounty hunter in an attenuated process that apparently happens regularly and in violation of the apps’ posted privacy policies and the parties’ written nondisclosure agreements.[24] In the Motherboard scenario, a wireless carrier sold an individual’s location data to an aggregator, that sold it to a skip-tracing firm, that sold it to a bail-bond company, that sold it to an independent bounty hunter. The bounty hunter had no written agreement with anyone and no relationship with the wireless carrier or the individual customer, and neither did its source.[25]

The article’s aftermath included revelations that all of the major wireless carriers sold location data to aggregators that ultimately sold the data to hundreds of bounty hunters.[26] Multiple lawmakers sent the major carriers and aggregators letters requesting an explanation of these location data sharing practices.[27]

The ensuing furor prompted the wireless carriers to commit to stop selling location data to aggregators.[28] The Wall Street Journal reported that Verizon, Sprint, T-Mobile, and AT&T all committed to end agreements with downstream location aggregators, and Zumigo (the initial aggregator in the bounty hunter scandal) cut off access by the intermediary aggregator to whom it sold the location data.[29]

          4. Privacy and Security Risks

These investigations indicate that real-time location data that is identified to a particular individual is regularly monetized and sold to third parties in a manner that is arguably inconsistent with the individual’s consent, the apps’ stated privacy policies, the data collector’s third-party nondisclosure agreements, and applicable law.

In other words, location data identified to a specified individual is routinely collected and sold by a variety of parties for a variety of purposes unrelated to the original transaction that justified the initial location data collection. This results in a myriad of privacy and security risks to the individual. Consider a stalker who tracks his or her victim’s location either by signing up for a free Securus or similar trial or by paying a bounty hunter. The victim may be taking strict precautions to elude location tracking and would not even be aware of this risk. In addition, the more entities that possess the victim’s location data, the greater the likelihood of a privacy exposure or data breach.

     C. Sales of De-identified or Anonymous Location Data

          1. Sales by App Owners

Separately, apps that receive individual user location data from aggregators frequently sell location data to third-party buyers for their own commercial purposes. The data is provided in large sets that do not identify the specific individuals who are tracked.[30] The purpose of the data set is to enable the buyer to identify patterns in location data. Such business use cases may involve allowing buyers to spot trends for investment[31] or marketing purposes.[32]

In this context, the justification for the sale and reuse is that the individual’s personally identifiable information (like phone number or name) is deleted from the data and replaced instead with a unique identifier.

The model is basically as follows. A map app organizes location data for a specified commercial neighborhood over a defined time period to show the number of people who walk through the neighborhood during the time period. This foot traffic may show times of day when foot traffic is greatest and areas in the neighborhood that may attract more or less foot traffic. This data may be sold to a retailer for purposes of deciding whether the neighborhood, or any particular part of it, would be suitable for establishing a brick-and-mortar location. The retailer purchases the data for research and investment purposes. Its interest is in the number and patterns of individuals who walk through the neighborhood.

For these purposes, the identity of the individual is not relevant to the data buyer and is not included in the data set. It is the traffic patterns or trends and not the individual’s identity that gives this data set value.

          2. Re-identification by Unknown Third Parties

Data sets may be used to identify the individual through other means, however.

In order to verify the authenticity of the data points that comprise the data set, and to let the app/seller follow the location trail of a single individual over time, each individual is assigned a unique identifier, and that identifier can remain the same across records and across data sets. Buyers could therefore use the persistent identifier to follow one device over time and combine its trail with other data to identify the individual behind it.

Separately, using data analytics, location data can be combined with nonlocation data to ascertain an individual’s identity. For example, the retailer that buys the anonymous data set could note that a single data point or individual goes back and forth from a nearby residential address throughout the day. Matching the individual to his address enables identification of the individual.

A more sensational example of this is the use by law enforcement of DNA information combined with location data to identify suspects in cold cases.[33]

The New York Times, with permission from a school teacher, was able to accurately associate anonymous location data with the individual teacher solely by reviewing four months’ and more than a million phones’ worth of location data and combining that with their knowledge of where she worked and lived.[34] The report posits that:

[t]hose with access to the raw [anonymized] data—including employees or clients—could still identify a person without consent. They could follow someone they knew, by pinpointing a phone that regularly spent time at that person’s home address. Or, working in reverse, they could attach a name to an anonymous dot, by seeing where the device spent nights and using public records to figure out who lived there.[35]

In fact, location data alone may be used to identify consumers in large anonymized data sets.

In 2013, MIT and Belgian researchers: “analyzed data on 1.5 million cellphone users in a small European country over a span of 15 months and found that just four points of reference, with fairly low spatial and temporal resolution, was enough to uniquely identify 95 percent of them.”[36]
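The two re-identification routes described above, the persistent pseudonym and the home/work anchor, and the four-point uniqueness result just quoted can be reproduced qualitatively on constructed data. The following Python script is an added example written for this article; it is not code or data from the New York Times, the MIT researchers, or any data broker. The grid of antenna cells, the hourly sampling, the daily routine of each synthetic phone and the `residents` directory are all constructed assumptions, and the percentages it prints will not match the published 95% figure:

```python
import random
from collections import Counter, defaultdict

random.seed(7)
GRID = 40                 # 40 x 40 antenna cells, addressed as (x, y); assumption
HOURS = 24 * 7 * 4        # four weeks of hourly records per phone; assumption

def random_cell():
    return (random.randrange(GRID), random.randrange(GRID))

def make_population(n_users, hours=HOURS):
    """Constructed hourly traces for n_users phones, keyed by a persistent
    pseudonym (the 'unique identifier' a seller substitutes for name and
    number). Nights and weekends are spent in a home cell, weekday 09-17 in a
    work cell, the remaining hours in a random cell. Returns (traces, truth)
    with truth[pid] = (home, work) so results can be checked."""
    traces, truth = {}, {}
    for _ in range(n_users):
        home, work = random_cell(), random_cell()
        pid = f"dev-{random.getrandbits(32):08x}"   # stable, meaningless pseudonym
        trace = []
        for h in range(hours):
            hod = h % 24
            weekday = (h // 24) % 7 < 5
            if not weekday or hod < 7 or hod >= 21:
                cell = home
            elif 9 <= hod < 17:
                cell = work
            else:
                cell = random_cell()
            trace.append((h, cell))
        traces[pid], truth[pid] = trace, (home, work)
    return traces, truth

def uniqueness(traces, k, trials=300):
    """Fraction of trials in which k points sampled from one phone's trace are
    consistent with exactly one phone in the whole dataset: the 'k points of
    reference' experiment, on hour-and-cell (coarse) data."""
    index = defaultdict(set)                  # (hour, cell) -> pseudonyms seen there
    for pid, trace in traces.items():
        for point in trace:
            index[point].add(pid)
    pids = list(traces)
    unique = 0
    for _ in range(trials):
        points = random.sample(traces[random.choice(pids)], k)
        candidates = set.intersection(*(index[p] for p in points))
        unique += (len(candidates) == 1)
    return unique / trials

def infer_anchors(trace):
    """Home = most frequent cell between 00:00 and 06:00; work = most frequent
    cell on weekdays between 10:00 and 16:00. Needs no identity at all."""
    nights = Counter(c for h, c in trace if h % 24 < 6)
    days = Counter(c for h, c in trace
                   if (h // 24) % 7 < 5 and 10 <= h % 24 < 16)
    return nights.most_common(1)[0][0], days.most_common(1)[0][0]

def locate_person(traces, home, work):
    """Forward direction: someone who knows where a person lives and works
    recovers that person's pseudonym(s), and with it the full trail."""
    return [pid for pid, t in traces.items() if infer_anchors(t) == (home, work)]

def attach_names(traces, residents):
    """Reverse direction: residents maps a home cell to the names recorded
    there (a constructed stand-in for property or voter records). Every
    pseudonym whose inferred home is in the directory gets the candidate
    names; several names for one cell means the home anchor alone is
    ambiguous and the work cell or other data has to break the tie."""
    out = {}
    for pid, trace in traces.items():
        home, _ = infer_anchors(trace)
        if home in residents:
            out[pid] = residents[home]
    return out

if __name__ == "__main__":
    traces, truth = make_population(500)
    for k in (1, 2, 4):
        print(f"{k} point(s): {uniqueness(traces, k):.0%} of sampled traces unique")
    target = next(iter(truth))
    home, work = truth[target]
    print("pseudonym(s) for a known home/work pair:", locate_person(traces, home, work))
    print(attach_names(traces, {home: ["resident of record (constructed)"]}))
```

Uniqueness rises with k even though every record is only hour-and-cell precise; `locate_person` is the "follow someone they knew" direction and `attach_names` the "attach a name to an anonymous dot" direction from the quoted passage. The caveat for practitioners is that deleting names and phone numbers did nothing here: the pseudonym is stable and the anchors are derivable from the trail alone. The controls that actually help are coarsening time and space, rotating pseudonyms, and not releasing individual-level trails at all.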

As technology has evolved and the use and dissemination of location data has proliferated, reidentification of individuals included in anonymized data sets has been greatly facilitated:

With an increasing number of service providers nowadays routinely collecting location traces of their users on unprecedented scales, there is a pronounced interest in the possibility of matching records and datasets based on spatial trajectories. Extending previous work on reidentifiability of spatial data and trajectory matching, we present the first large-scale analysis of user matchability in real mobility datasets on realistic scales, i.e. among two datasets that consist of several million people’s mobility traces, coming from a mobile network operator and transportation smart card usage. . . .We show that for individuals with typical activity in the transportation system (those making 3-4 trips per day on average), a matching algorithm based on the co-occurrence of their activities is expected to achieve a 16.8% success only after a one-week long observation of their mobility traces, and over 55% after four weeks. We show that the main determinant of matchability is the expected number of co-occurring records in the two datasets. Finally, we discuss different scenarios in terms of data collection frequency and give estimates of matchability over time. We show that with higher frequency data collection becoming more common, we can expect much higher success rates in even shorter intervals.[37]
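The matching study quoted above links two independently pseudonymized datasets by counting records that co-occur in the same place at the same time, and reports that success grows with the observation window. The following Python script is an added illustration of that co-occurrence approach on constructed data; it is not the authors' code or data, and the grid size, sampling rates, error rate and population sizes are assumptions chosen so that the script runs in a second:

```python
import random
from collections import defaultdict

random.seed(11)
CELLS = 12 * 12                          # station / antenna grid, cell ids 0..143; assumption
HOURS = 24 * 7                           # one week of hourly slots; assumption
SHARED, A_ONLY, B_ONLY = 200, 100, 100   # people in both datasets / only A / only B

def routine_walk(hours):
    """True hourly positions of one person: three habitual cells visited 70%
    of the time, a random cell otherwise (constructed mobility model)."""
    habits = random.sample(range(CELLS), 3)
    return [random.choice(habits) if random.random() < 0.7
            else random.randrange(CELLS) for _ in range(hours)]

def observe_a(path):
    """Dataset A, operator-style: a record for 30% of hours, exact cell."""
    return {h: c for h, c in enumerate(path) if random.random() < 0.3}

def observe_b(path):
    """Dataset B, smart-card-style: a record for 15% of hours, and the tap is
    recorded in the neighbouring cell 20% of the time."""
    return {h: (c if random.random() < 0.8 else (c + 1) % CELLS)
            for h, c in enumerate(path) if random.random() < 0.15}

def new_id(prefix):
    return f"{prefix}{random.getrandbits(32):08x}"   # pseudonym with no meaning

def build_datasets(hours=HOURS):
    """Returns (A, B, truth). A and B map pseudonym -> {hour: cell} and use
    unrelated pseudonyms; truth maps each shared person's B id to the A id so
    the matcher can be scored."""
    A, B, truth = {}, {}, {}
    for _ in range(SHARED):
        path = routine_walk(hours)
        a_id, b_id = new_id("a"), new_id("b")
        A[a_id], B[b_id], truth[b_id] = observe_a(path), observe_b(path), a_id
    for _ in range(A_ONLY):
        A[new_id("a")] = observe_a(routine_walk(hours))
    for _ in range(B_ONLY):
        B[new_id("b")] = observe_b(routine_walk(hours))
    return A, B, truth

def match(A, B, window, min_hits=3):
    """For each B pseudonym, the A pseudonym with the most co-occurring
    (hour, cell) records inside the first `window` hours, provided that
    maximum is unique and reaches `min_hits`. Returns {b_id: a_id}."""
    index = defaultdict(set)                 # (hour, cell) -> A ids recorded there
    for a_id, recs in A.items():
        for h, c in recs.items():
            if h < window:
                index[(h, c)].add(a_id)
    linked = {}
    for b_id, recs in B.items():
        hits = defaultdict(int)
        for h, c in recs.items():
            if h < window:
                for a_id in index[(h, c)]:
                    hits[a_id] += 1
        if not hits:
            continue
        best = max(hits.values())
        top = [a for a, n in hits.items() if n == best]
        if best >= min_hits and len(top) == 1:
            linked[b_id] = top[0]
    return linked

def success_rate(A, B, truth, window):
    """Share of shared-population B pseudonyms correctly linked to their A
    pseudonym after `window` hours of observation."""
    linked = match(A, B, window)
    return sum(linked.get(b) == a for b, a in truth.items()) / len(truth)

if __name__ == "__main__":
    A, B, truth = build_datasets()
    for days in (1, 3, 7):
        print(f"{days} day(s) observed: {success_rate(A, B, truth, 24 * days):.0%} matched")
```

The success rate climbs with the observation window, which is the qualitative point of the quoted abstract. The `min_hits` threshold is what keeps chance co-occurrences from producing false links; a production matcher would also weight rare cells more heavily than busy ones, since two records at a quiet suburban antenna say far more than two at a downtown station.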

          3. Privacy and Security Risks

As tracking technologies become further developed and more widely accessible and data analytics become more sophisticated, anonymous data points (particularly when tracked over time) can be used to facilitate identification of the individual.

Consider the private investigation of various retail robberies.[38] If the retailer did not have a suspect’s name, its private investigator could identify possible suspects by:

  1. purchasing from an aggregator anonymized cell phone location data for all individuals near each robbed location during the time of each robbery;
  2. pinpointing unique IDs or data points for all phones present at some or all of the robberies;
  3. requesting extended cell phone location data for the unique IDs or data points from the wireless carriers;
  4. purchasing larger pools of anonymized data from an aggregator and reidentifying data points within a given area and timeframe; or
  5. hiring a bounty hunter to track the numbers and locations of the phones tied to the unique IDs or data points.[39]

The City of Los Angeles passed rules requiring scooter companies to provide the per-trip location data of each scooter to city officials within 24 hours of the end of the trip. Although the rider’s identity is not disclosed to the city and the location data will be treated as confidential by the city, it will be accessible in aggregated form to various city agencies and, in per-trip form, to law enforcement subject to a warrant and to third parties in response to a subpoena. Given the sensitivity of location data and the ability to use location data itself to identify individuals, consumer advocates have framed this not as a matter between the scooter companies and the city but as a matter of governmental surveillance and a debate between individual citizens and the city:

“This data is incredibly, incredibly sensitive,” said Jeremy Gillula, the technology projects director for the Electronic Frontier Foundation, a San Francisco-based digital rights group.

The vast trove of information could reveal many personal details of regular riders — such as whom they’re dating and where they worship — and could be misused if it fell into the wrong hands, the nonprofit Center for Democracy and Technology told the city in a letter.[i]

De-identified, real-time location data is regularly monetized and sold to third parties for a variety of purposes unrelated to the original transaction that justified the initial location data collection. Location tracking use cases include the following scenarios:

  1. location data point identified to a specific individual;[40]
  2. location data point identifiable to a specific individual;
  3. location data point not identified to the individual;
  4. continuous location tracking identified to a specific individual;
  5. continuous location tracking identifiable to a specific individual;
  6. continuous location tracking not identified to the individual;
  7. development of a profile based on location tracking identified to a specific individual;
  8. development of a profile based on location tracking that is identifiable to a specific individual; and
  9. location data used to compile a profile of an unidentified individual.

As described above, the distinctions among these categories become less relevant in practice, and the risks posed by transfers of anonymized location data may be as great as those posed by sales of identified location data.

III. Location Tracking: Profiling the Individual

Precise tracking of an individual’s location over time can be used to discover information about the individual that may not be otherwise available (consider repeat trips to a bar, the home of a person not the individual’s spouse, or to an oncologist), which when combined with other data, can be used to develop a fairly comprehensive profile of the individual. Even anonymized data profiles can pose these risks to the individual due to the relative ease of reidentifying an individual, as described above.

     A. Data Profiling and Decision-Making

Profiling is done for a variety of purposes; targeted advertising and marketing is the most well-known effort. For example, if an Apple customer is in geographical proximity to an Apple Store, his or her phone could provide ads for Apple TV. These ads may be more successful if the individual were located in a TV store near an Apple Store, or better yet, if the individual were located for several minutes in an Apple Store near the Apple TV demo.

Individual data profiling has become sophisticated and comprehensive, and location data is an integral part of profiling:

A profile is a combination of metrics, key performance indicators, scores, business rules, and analytic insights that combine to make up the tendencies, behaviors, and propensities of an individual entity (customer, device, partner, machine). The profile could include:

  • Key demographic data such as age, gender, education level, home location, marital status, income level, wealth level, make and model of car, age of car, age of children, gender of children, and other data. For a machine, it might include model type, physical location, manufacturer, manufacturer location, purchase date, last maintenance date, technician who performed the last maintenance, etc.
  • Key transactional metrics such as number of purchases, purchase amounts, returns, frequency of visits, recency of visits, payments, claims, calls, social posts, etc. For a machine, that might include miles and/or hours of usage, most recent usage time and date, type of usage, usage load, who operated the product, route of product usage (for something like a truck, car, airplane, or train)
  • Scores (combinations of multiple metrics) that measure customer satisfaction level, financial risk tolerance, retirement readiness, FICO, advocacy grade, likelihood to recommend (LTR), and other data. For a machine, that might include performance scores, reliability scores, availability scores, capacity utilization scores, and optimal performance ranges, among other things
  • Business rules inferred using association analysis; for example, if CUST_101 visits a certain Starbucks and a certain Walgreens, we can predict (with 90% confidence level) that there is an 85% likelihood that this customer will visit a certain Chipotle within 60 minutes
  • Group or network relationships (number, strength, direction, sequencing, and clustering of relationships) that capture interests, passions, associations and affiliations gained from using graphic analysis
  • Coefficients that predict certain outcomes or responses based upon certain independent variables found through regression analysis; for example, a machine’s likelihood to break down given a number of interrelated variables such as usage loads since last maintenance, the technician who performed the maintenance, the machine manufacturer, temperatures, humidity, elevation, traffic, idle time, etc.)
  • Behavioral groupings of like or similar machines or people based upon usage transactions (purchases, returns, payments, web clicks, call detail records, credit card payments, claims, etc.) using clustering, K-nearest neighbor (KNN), and segmentation analysis[41]

Location data analytics are used to make a variety of decisions that may impact the individual. One use case for data profiling is credit-risk analysis. Such data profiles may arguably be considered “consumer reports” governed by the federal Fair Credit Reporting Act (FCRA). As the lines have blurred between online decision-making and targeted advertising, and between prescreening and marketing (the former in each pair is governed by FCRA, the latter is not), it certainly appears as if credit availability depends, in part, on secondary-market data that the consumer reporting agencies do not treat as “consumer reports” under FCRA.[42]

Payment-card fraud management can also be enhanced by developing profiles of each cardholder. By combining device location data with transaction histories, fraud detection is more precise:

New technologies . . . merg[e] a broader range of financial data, mobile-phone data, and even social-networking data to better establish the likelihood it’s actually you behind the transactions racking up on your cards or mobile device. Nguyen says that Feedzai’s system can improve fraud detection rates from 47 percent to almost 80 percent. Chirag Bakshi, founder and CEO of Zumigo, a company in San Jose, California, that provides location-based mobile services, says his company’s data algorithms reduce fraud losses by at least 50 percent.

“When fraudsters steal your identity, what they can’t do is steal your behavior,” Nguyen says. That, in fact, has long been the principle behind credit card fraud alerts. But a conventional credit card company is relying on information from your past to guess whether each attempted transaction is genuine. Today’s new technologies tap into your mobile phone and its more up-to-date information to see if your current behavior matches your purchase.

“[We can use] a SIM card as a proxy for a person,” says Rodger Desai, CEO of Payfone, which works with banks, mobile operators, and fraud detection companies to assess the legitimacy of a given payment. Payfone builds a profile of a user and tracks more than 400 types of data to create what it calls a persistent identity. Change phone company? Noted. Someone steal your phone or clone it? The company will catch that, too. Even if you’ve canceled your cellular data plan, it has ways of flagging the activity of someone who then tries to use the phone’s Wi-Fi connection.[43]

Data analytics for decreasing fraud are likely welcome to the individual. Once a “persistent identity” is created by profiling the individual’s location and related data, however, there are few limits on how that profile may be used or sold:

Mobile location data firms interviewed for this story stressed their dedication to encrypting data to prevent direct connections to individuals, yet there are no industry-wide accepted practices or U.S. government regulations preventing the use of such data in ways that weren’t originally intended. For instance, data reflecting drinking or drug use arguably could find its way into data models for targeting ads for health insurance plans, or even find its way into formulas used to calculate health or auto insurance rates or job eligibility.[44]

     B. Behavioral Influencing

Use of predictive modelling has been extended to influence behavior:

It works like this: Ads press teenagers on Friday nights to buy pimple cream, triggered by predictive analyses that show their social anxieties peaking as the weekend approaches. “Pokémon Go” players are herded to nearby bars, fast-food joints and shops that pay to play in its prediction markets, where “footfall” is the real-life equivalent of online clicks.[45]

The intrusiveness of such profiles cannot be overstated. Facebook has shown advertisers:

how it has the capacity to identify when teenagers feel “insecure”, “worthless” and “need a confidence boost”, according to leaked documents based on research quietly conducted by the social network[, which] states that the company can monitor posts and photos in real time to determine when young people feel “stressed”, “defeated”, “overwhelmed”, “anxious”, “nervous”, “stupid”, “silly”, “useless” and a “failure.”[46]

Location data is key to this type of influencing:[47]

The next step—“from flat, to fast, to deep, is psychic,” Friedman believes. “I now know your whole psychographic from your phone. I will just push you your groceries, push you the supplies you need, push you the information you need.”

The use of profiles for behavioral targeting is likely as limitless as the use of profiles for predictive behavior:

Imagine a not-so-distant future where you’re just driving on the highway. Your car is sending real-time data about your performance behind the wheel to your insurance company. And in return, the insurance company is sending real-time driver behavior modification punishments back—real-time rate hikes, curfews, even engine lockdowns. Or, if you behave in the way they like, you get an instant rate discount.

In other words, the insurance company is shaping your behavior right then and there. Would you like that? What does it mean for our entire understanding of free will?[48]

Once the individual’s “persistent identity” is created, however, its uses are not limited. Consider another Facebook scandal: Cambridge Analytica. Cambridge Analytica combined personal user data obtained from a Facebook app developer (in violation of its nondisclosure agreement) with data obtained from other sources, including location data, to compile profiles of voters around the world for the purpose of influencing elections using propaganda and direct marketing.[49] Up to 87 million Facebook users worldwide were profiled with the intent of waging “psychological warfare” against and targeting “influence operations” to these users.[50] Cambridge Analytica’s parent company’s reach exceeded “100 election campaigns in over 30 countries spanning five continents.”[51] Cambridge Analytica was a secondary market user of the location data collected from Facebook profiles and from external sources. The Facebook users had no idea that the voter profiles were being compiled or that their location data was being used to identify them for specific political campaigns for the purposes of influencing their votes.

     C. Privacy and Security Risks

Use of location tracking data to create individual profiles is not addressed under current law and poses unique risks. The eventual data buyer that compiles the data profile or identifies an individual in relation to a profile may not be in privity with either the individual or the original data collector. Further, once a profile is created for a specific purpose, there are few limits on using the profile for other purposes:

The fact is that location data is flowing around the digital ecosystem with little control. Many of the firms that have built businesses on using mobile location data for ad targeting gather the data from ad calls made by programmatic ad systems. And audience segments like “frequent quick serve restaurant visitors” could be accessed for ad targeting as easily as they could be excluded from targeting parameters for health insurance ads, for instance. “Even though data is used just for marketing, there’s no reason to think it will only be used just for that purpose,” said Dixon. “Those formulas—they are data hungry,” she said of data models used by insurance firms or other corporations.[52]

At this point, the uses and distribution of individual profiles based on location data appear limitless, even though the individual has no control over or knowledge of them and may not opt out of data profiling or access or correct data profiles. Moreover, use of such profiles has become increasingly intrusive as secondary market participants seek to monetize their value.

IV. United States Law and Location Tracking

Federal law does not directly regulate location tracking or the collection, sale, or use of personal location data.[53] Location tracking has, however, been the focus of recent significant actions.

     A. FTC Enforcement Actions and Issuances

The Federal Trade Commission (the FTC) has focused on location tracking for several years through reports and a series of enforcement actions under section 5 of the Federal Trade Commission Act regarding unfair and deceptive trade practices (UDAP)[54] and the Children’s Online Privacy Protection Act (COPPA).[55]

          1. Sensitivity of Location Data

In its 2013 FTC Staff Report, Mobile Privacy Disclosures: Building Trust Through Transparency, the FTC stated that location tracking should be preceded by just-in-time disclosures made to the individual and subject to the individual’s affirmative express consent. The disclosures should clearly explain how the location tracking is conducted (i.e., one-time versus persistent collection practices) and for which purposes.[56] In its 2012 Privacy Report, the FTC asserted that the precise location data of an individual should be considered “sensitive” information (similar to children’s data, health, and financial information) and should not be stored beyond the time period necessary for providing the service to the individual that justified the location tracking in the first place. The FTC clarified that affirmative express consent is generally required for location data collection, except when appropriate in context (e.g., when the individual searches for nearby weather or locations).[57]

          2. Misuse by Data Collectors

Uber uses real-time location tracking for the purpose of locating drivers and riders to schedule and administer rides. In 2017, the FTC pursued a UDAP enforcement action against Uber for its collection of location data even when the app was not in use and its use of such data for purposes other than administering rides:

The FTC entered into a consent order with Uber Technologies, Inc. regarding its use of the so-called “God View” feature of the Uber application software (“Uber App”), which implemented continuous geolocation tracking of all users (drivers and riders) at all times and allowed employee access to such tracking information, regardless of whether or not the users were actively using the Uber App or the Uber ride service.[58] The FTC complaint alleged the following unfair and deceptive trade acts and practices: Uber employees improperly accessed the user geolocation information for purposes other than picking up riders, including allegations that employees accessed the geolocation information of certain riders who were journalists critical of Uber’s business practices for the purposes of conducting “opposition research” on such journalists.[59] Uber subsequently publicized action taken to limit and monitor employee access to such geolocation information but such limits and monitoring were ultimately abandoned by Uber.[60][61]

The name “God View” is apt; real-time location tracking compiles a precise and continuous location record of the individual’s whereabouts indefinitely. (Facebook’s BOLO list (“be on lookout”) recently came under scrutiny. Like God View, BOLO uses Facebook app and website activity to monitor the real-time location of users Facebook has determined pose a credible threat to the company or its officers.[62])

          3. Access to and Use of Location Data by Third Parties

The FTC entered into similar consent orders with other companies that collected personal location data:

  1. A cell phone provider whose Chinese security vendor uploaded firmware on the phones to collect user personal data, including cell phone tower location data (UDAP).[63]
  2. A marketing enterprise platform service provider whose targeted advertising software tracked app user location data (including that of children) and combined such data with aggregated wireless network data to identify an individual user’s precise location for purposes of ad targeting (UDAP and COPPA).[64]

The FTC described the variety of systems and methodologies used to develop the marketing platform at issue in the second action above. The InMobi SDK platform allowed app developers to integrate their apps with the platform for purposes of monetizing their users’ location data by allowing third-party advertisers to target ads to the app users:[65]

So how did InMobi circumvent these protections to track the consumer’s location without consent? By creating its own geocoder database. As explained in more detail in the complaint, InMobi collected information through consumers’ devices that allowed it to map out the real-world latitude and longitude coordinates of Wi-Fi networks. InMobi then monitored the Wi-Fi networks that a consumer’s device connected to (on both Android and iOS), and in many instances, the Wi-Fi networks that a consumer’s device was in-range of (on Android). By collecting the BSSID (i.e., a unique identifier) of the Wi-Fi networks that a consumer’s device connected to or was in-range of, and feeding this information into its geocoder database, InMobi could then infer the consumer’s location. Until December 2015, InMobi used this method to track the consumer’s location even if the application that had integrated the InMobi SDK had never asked the consumer for permission to access location, and even if the consumer had turned off all location services on the device.

          4. Notice-and-Choice Model

In all of these enforcement actions, the UDAP claims against the data collector were based on:

  1. the failure to give clear disclosures to the individual;
  2. the failure to obtain valid consent or failure to honor opt-out; and
  3. collection of location data in conflict with stated privacy policies.

Notice and choice are also key to COPPA compliance. The FTC sent COPPA warning letters in 2018 to two parental tracker manufacturers for failure to give direct notice of the real-time collection of precise location information and obtain verifiable parental consent in connection with the marketing and sale of children’s smart watches.[66] (Recent media scrutiny has focused on privacy vulnerabilities associated with children’s GPS tracking.)[67] The failure to give notice and obtain verifiable parental consent was also the crux of the COPPA claim in InMobi.[68]

This notice-and-choice model focuses on whether the individual understood the extent of the real-time location monitoring and consented to, or did not opt out of, it. Based on the foregoing, location tracking that is clearly disclosed and subject to effective consent may be permissible under both UDAP and COPPA.

All of these actions were against the data collector and involved location data that was (1) identified to a particular individual and (2) collected over time. The FTC consistently expressed concern about the pervasiveness and intrusiveness of the continuous location tracking of the individuals.

Although the enforcement action in InMobi was against the initial data collector, the FTC’s concerns about combining location data with other data for purposes of monetizing the data in ways unrelated to the initial transaction between the individual and the app would also apply to secondary market use of the data. As currently enacted, however, neither UDAP nor COPPA grants the FTC enforcement authority over secondary market participants that are not in privity with the individual.

     B. United States Supreme Court: Carpenter v. United States[69]

Last year, the U.S. Supreme Court decided that law enforcement must have a Fourth Amendment probable cause warrant to obtain an individual’s long-term, real-time location data from the individual’s wireless carrier.[70]

Like the FTC, albeit in a much different context, the Court was struck by (1) the intrusiveness and pervasiveness of continuous location tracking; and (2) the use of location data for purposes unrelated to the justification for the original collection.

The facts and background of Carpenter v. United States are as follows:[71]

This case involved a series of armed robberies and an order under the Stored Communications Act (“SCA”).[72] In 2011, a group of men robbed a series of Radio Shack and T-Mobile stores.[73] A suspect gave Federal Bureau of Investigation (“FBI”) agents the names and cellular phone numbers of several accomplices, including Carpenter. Based on that information, the FBI was able to obtain an SCA court order for Carpenter’s cellular phone records, including geolocation information, during the four-month period in which the robberies occurred. (The type of geolocation information at issue here is specifically cell-site location information, which is tied to the proximity of an individual phone to each of the wireless carrier’s radio antennae.[74])

The SCA prescribes limited circumstances under which the government can compel an electronic communications service provider (“SP”) to disclose user content or data.[75] The government must obtain a warrant, subpoena, or court order under the SCA (“SCA order”) requiring such disclosure without notice to the user.[76] The effect of these SCA requirements is to give the user an expectation of privacy in his SP records.[77]

In response to the SCA order, the FBI “obtained 12,898 location points cataloging Carpenter’s movements—an average of 101 data points per day.”[78] As a result, he was arrested for multiple counts of armed robbery and the federal crime of carrying a firearm. He argued that the FBI’s seizure of the geolocation records “violated the Fourth Amendment because they had been obtained without a warrant supported by probable cause.”[79]

At issue was whether Carpenter had a “reasonable expectation of privacy” in his personal location information, which was entitled to protection under the Fourth Amendment prohibition against “unreasonable search and seizure.” If the answer to the preceding question is “yes,” then access to such records would have required a “warrant supported by probable cause,” rather than the SCA order’s less stringent showing requiring the proffer of “specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.”[80]

In a precursor to Carpenter, United States v. Jones, the Court considered the applicability of the Fourth Amendment to the use of a GPS tracking device on a suspect’s vehicle.[81] In that case, FBI agents tracked the vehicle movements continuously over a 28-day period. The majority opinion held that this tracking was subject to the Fourth Amendment and relied on a property-right theory in doing so; the suspect had a reasonable expectation of privacy in his vehicle, and the FBI’s intrusion into the undercarriage of the vehicle to place the GPS violated that right.

In his concurring opinion in Jones, Justice Alito focused more on the invasion of privacy resulting from the GPS tracking itself (rather than the placement of the tracker on the vehicle) and explained persistent GPS tracking surveillance as follows:

Prolonged surveillance reveals types of information not revealed by short-term surveillance, such as what a person does repeatedly, what he does not do, and what he does ensemble. These types of information can each reveal more about a person than does any individual trip viewed in isolation. Repeated visits to a church, a gym, a bar, or a bookie tell a story not told by any single visit, as does one’s not visiting any of these places over the course of a month. The sequence of a person’s movements can reveal still more; a single trip to a gynecologist’s office tells little about a woman, but that trip followed a few weeks later by a visit to a baby supply store tells a different story. A person who knows all of another’s travels can deduce whether he is a weekly church goer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups – and not just one such fact about a person, but all such facts.[82]

The Court recognized its unique challenge in Carpenter:

The issue we confront today is how to apply the Fourth Amendment to a new phenomenon: the ability to chronicle a person’s past movements through the record of his cell phone signals. . . . [L]ike GPS tracking of a vehicle, cell phone location information is detailed, encyclopedic, and effortlessly compiled.[83]

The Court focused on the pervasiveness of the information collected, the completeness of the individual profile that may be compiled using such information, and the retrospective use of data collected on an individual who had not been a suspect during the time period of collection.[84] The Court held that the “tireless surveillance” of location data collection and the collection of such data by using the individual’s smart phone, which is such a personal and intimate device as to be considered an extension of the self, “invaded Carpenter’s reasonable expectation of privacy in the whole of his physical movements.”[85]

     C. Proposed Federal Law

There are competing views as to what federal data privacy legislation should look like.

Senator Rubio proposed a Senate bill requiring the FTC to promulgate regulations to impose privacy requirements on internet service providers that would allow individuals access to and the ability to dispute inaccuracies in records relating to the individual. This law would preempt state privacy laws and exempt certain entities covered by other federal privacy laws.[86]

Senator Markey proposed a Senate bill, the CONSENT Act, that would require the FTC to issue regulations requiring: consumer consent for the sale of “precise geolocation information”; disclosures regarding the collection, use, and sharing of such data; and preservation of the anonymity of such data that has been de-identified.[87] This act would protect such data upon collection and from sale in the secondary market.

Senator Wyden has introduced, for discussion purposes, a draft of a much more comprehensive Senate data privacy bill based on the European Union’s General Data Protection Regulation.[88] This act would protect “any information, regardless of how the information is collected, inferred, or obtained that is reasonably linkable to a specific consumer or consumer device.” This definition appears to protect location data that is identified or identifiable. The act applies to “automated decision making” and disclosures to third parties, which may make it applicable to the secondary location data market.

In addition, big data companies and their industry associations have issued guidance on federal privacy legislation; Apple’s proposal is one of the few that recommends regulating data brokers and allowing individuals to access and delete data sold on the secondary market.[89]

Intel has proposed a draft “Innovative and Ethical Data Use Act of 2018,” which would be enforced by the FTC and focuses on “privacy risk” to individuals; this bill would require privacy notices to specify the intended uses of the data and limit the further use and dissemination of data. The collection and use of geolocation data (which the bill states creates “significant privacy risk” to the individual) would necessitate more explicit notice and heightened privacy protections.

This month the U.S. Senate Committee on the Judiciary held a hearing, “GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation,” which squarely addressed location tracking, with Senator Josh Hawley questioning Google’s senior privacy counsel, Will DeVries, about Google’s location tracking practices:[90]

He wanted to know whether DeVries thought a user would expect that Google tracks “where she goes to work, where her boyfriend lives, where she goes to church” or to the doctor. “Do you think the user expects that? Do you think you’re communicating clearly when a user cannot turn off their location tracking?”

DeVries said Google’s use of location tracking is to make its services more effective, not to make money.

It’s “necessary to make services work,” DeVries said. “If we turned those off, your phone wouldn’t work like you’d expect,” adding that the operational aspects of it are complicated.

But Hawley wasn’t satisfied with that.

“It’s not complicated,” he said. “What’s complicated is you don’t allow consumers to stop your tracking of them.”

He continued, “Here is my basic concern: Americans have not signed up for this, they think the products you’re offering are free; they’re not free. They think they can opt out; they can’t opt out. It’s kind of like that old Eagles’ song, ‘You can check out any time you like, but you can never leave.’ And that’s a problem for the American consumer; it’s a real problem. And for somebody who has two small kids at home, the idea that your company and others like it will sweep up information to build a user profile on them that will track every step, every movement and monetize that, and they can’t do anything about it, and I can’t do anything about it, that’s a big problem this Congress needs to address.”

V. State Law

State laws vary regarding whether a warrant must be obtained by law enforcement to obtain cell phone location information.[91] All 50 states have unfair and deceptive trade practices laws like the federal UDAP statute (state UDAP).[92] Recently, some state legislatures have begun to focus more specifically on the privacy of individual location data.

     A. Location Data Collection

California’s Consumer Privacy Act (CCPA) (effective July 1, 2020) provides that protected “personal information” includes “geolocation data” that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[93] The effect of this protection would be to enable consumers to (1) find out what types of location data are being collected and how it is used, and (2) direct companies to (a) delete location data under certain circumstances, and (b) refrain from selling location data to third parties.[94]

     B. Secondary Location-Data Market

Only one state has acted to regulate the secondary data market generally. Vermont enacted the first U.S. law governing data brokers, which was effective January 1, 2019.[95] This statute applies to companies that collect or sell “brokered personal information” regarding an individual that is not a customer of the company (the data brokers). “Brokered personal information” includes: “other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable security.”[96] Arguably, previously anonymous location information that is identified or identifiable to a specific individual would be protected by the statute. Data brokers are, among other requirements, required to maintain information security programs and to register annually with the state; annual registrations should describe the manner of opt-out for individuals if opt-outs of its database are offered.[97] There is no mandatory requirement for data brokers to make disclosures to individuals or provide database opt-outs.

Effective January 18, 2019, New York has regulated the use of secondary market data by life insurers in underwriting, particularly the use of data profiling as a “proxy for traditional medical underwriting.”[98] The Department of Financial Services explained the risk to the individual of external data analytics, including profiling:

First, the use of external data sources, algorithms, and predictive models has a significant potential negative impact on the availability and affordability of life insurance for protected classes of consumers. An insurer should not use an external data source, algorithm or predictive model for underwriting or rating purposes unless the insurer can establish that the data source does not use and is not based in any way on race, color, creed, national origin, status as a victim of domestic violence, past lawful travel, or sexual orientation in any manner, or any other protected class. . . . Second, the use of external data sources is often accompanied by a lack of transparency for consumers. Where an insurer is using external data sources or predictive models, the reason or reasons for any declination, limitation, rate differential or other adverse underwriting decision provided to the insured or potential insured should include details about all information upon which the insurer based such decision, including the specific source of the information upon which the insurer based its adverse underwriting decision.

     C. Proposed State Law

Several states are in the process of considering various types of privacy legislation.

The proposed Washington Privacy Act expressly provides that specific location data is a personal identifier.[99] Like the California Act, the Washington Act would give consumers more access to and control over how their identifiable location data is used.

Other states are in the process of considering privacy legislation based on the CCPA, including Hawaii, Maryland, Massachusetts, New Mexico, and Rhode Island.[100] These statutes would also protect location data that is identified or identifiable to an individual. Illinois, New Jersey, and New York are all considering statutes that apply to online services, which may cover location data tracked via app.[101]

New Jersey is considering legislation that would require operators of mobile device apps that collect GPS data to clearly disclose to the user what GPS data is collected, all third parties to whom GPS data is disclosed, and how long the GPS data is retained, and allow the user a meaningful opt-in to certain types of GPS data-sharing.[102]

Oregon is considering new legislation amending its UDAP (the Data Transparency and Privacy Protection Act, “DATPA”) to require “express written consent” from an individual prior to collecting or selling geolocation data.[103] A quick summary provides that:

Additional DATPA provisions require a business entity collecting, analyzing, deriving, selling, leasing, or otherwise transferring an Oregonian’s geolocation or audiovisual information to first disclose intent and methodology, and receive express consent from that individual. Geolocation refers to data displaying the location of a digital electronic device (cellular phone, tablet, etc.) on a map or similar depiction.[104]

The proposed DATPA would require an individual’s consent prior to “the collection, use, storage, analysis, derivation, sale, lease or other transfer” of geolocation information.[105] This would require both the initial data collector and each secondary market participant to obtain consent from an individual prior to using location data to profile the individual or transferring the location data to another party.

VI. Alternatives for Regulation of Location Data

Given the rapid evolution and seeming limitlessness of location data tracking and usage, regulating specific technologies or types of use may not be practical.

Another regulatory model would require the default for location-based apps to limit collection, use, and disclosure to that which is necessary for the provision of app services. Individual consent could be obtained for marketing by the collector. Recipients of the location data could be directly regulated to limit use to facilitation of app services and to prohibit other use or disclosure. This would prevent sale of the individual’s location to unknown third parties for unknown purposes.

The following proposals are incomplete suggestions; one or more may act as a launchpad for regulatory discussion. A combination of approaches commensurate with the sensitivity of location data and the complexity of its uses may be appropriate.

     A. At the Point of Initial Collection or Use

          1. Ensuring That an Identified Individual Has Notice and Choice

Current laws and enforcement regulate the data collector and focus on location data that is identified to a particular individual. Pending and proposed laws may also protect location data that is personally identifiable.[106]

The current regulatory approach focuses on whether the individual has the right to know how his or her location data is collected, used, and shared, and whether he or she should have the right to opt out of or decline to consent to certain types of sharing. Heightened scrutiny is generally given to disclosures of location data by the data collector for commercial purposes unrelated to (1) the purposes of the initial collection, or (2) the relationship between the collector and the individual (i.e., secondary market usage). Several proposed laws follow this approach.

Enforcement and liability in this context may depend on the following issues: whether the privacy policy of the data collector and related settings are clear; whether the user consent is effective; whether the purpose of subsequent sharing by the data collector aligns with the disclosures or consents; and whether adequate nondisclosure agreements and security measures are in place to protect the location data from both disclosure and uses exceeding the data collector’s original notice.

Similarly, the digital marketing industry group “Data Marketing & Analytics” (DMA) has guidelines for direct, mobile location-based marketing that advise marketers to comply with the Telephone Consumer Protection Act[107] and “inform Individuals how location information will be used, disclosed and protected so that the Individual may make an informed decision about whether or not to use the service or consent to the receipt of such communications. Location-Based information must not be shared with third-party marketers unless the individual has given Prior Express Consent for the disclosure.”[108]

The consent model can be problematic in this context. Google’s consent practices for location tracking have come under recent scrutiny:

  1. If a user turns off “Location History” for Google services, this action does not stop location tracking, but only halts the user’s ability to view his or her location data going forward.[109]
  2. In order to stop location tracking by Google, the user must go to a separate setting, “Web & App Activity,” and opt out of tracking.[110]

The two settings are not in proximity to one another and do not cross-reference each other.

At issue is whether the following are deceptive: (1) the text of the first setting (“Location History”); (2) the text and location of the second setting (“Web & App Activity”) (which is not in proximity to or cross-referenced with the first); and (3) the default setting for both, which is real-time location tracking. Google argues that its disclosures are clear and that user consents to location tracking are valid.[111]

France recently fined Google $57 million on the basis of this practice for violation of the General Data Protection Regulation’s requirements regarding clear disclosures and user consent.[112] In the United States, the FTC is under pressure to investigate Google for these practices under UDAP and an existing consent order with Google.[113] States attorneys general are beginning to consider pursuing state UDAP enforcement actions against Google.[114]

The City of Los Angeles recently sued The Weather Channel (TWC) over its app on the basis of “fraudulent and deceptive” trade practices. TWC app user location information was sold to advertisers and marketers for purposes of serving app users advertising targeted to their location.[115]

The TWC app location consent prompt states that location access will be used to provide personalized local weather. The consent does not mention marketing, nor does it disclose that location tracking would continue even when the app was not in use:

For years, TWC has deceptively used its Weather Channel app to amass its users’ private, personal geolocation data—tracking minute details about its users’ locations throughout the day and night.[116]

The notice-and-choice model may not be workable:[117]

The free and informed consent that today’s privacy regime imagines simply cannot be achieved. Collection and processing practices are too complicated. No company can reasonably tell a consumer what is really happening to his or her data. No consumer can reasonably understand it. And if companies can continue to have their way with user data as long as they tell users first, consumers will continue to accept the unacceptable: If they want to reap the benefits of these products, this is the price they will have to pay.

There are also deficiencies in the app development models espoused by several Big Tech companies in which app developers are required to provide notice and choice, but without actual oversight by the platforms making the apps available to individuals. An exhaustive study of pre-installed Android apps showed a lack of supervision by Google over the location data and other collection activities of apps that come automatically loaded on each Android device (which are often not susceptible to deletion by the individual).[118] Instead, Google apparently relied on privacy and security requirements and tools provided to the app developers, much like Facebook apparently relied on disclosure limitations imposed on its app developers, all without actually overseeing the privacy practices of the app developers.

          2. Substantive Limits on Collection

One difficulty with consent in this context is that the data collector does not know what all possible uses of the location data might be. Indeed, collection of location data often seems excessive in comparison to the purpose of collection. The effect of over-collection of continuous location data has been to motivate alternate data usage and monetization.

As an alternative or complement to the notice-and-choice model, substantive limits could be placed on how much and what types of location data may be collected at the outset. This model would look toward the collector as a gatekeeper. For example, a collector could be limited to the collection of location data only as necessary to provide the service for which the location data is collected. That would limit the initial exhaustive volume of location data.

     B. At the Point of Transfer

          1. Ensuring That Individual Location Data Is Anonymous

If location data is identified or identifiable to a specific individual when collected, it may be entitled to protection under current and proposed privacy law. In order to transfer such data, the individual’s consent or failure to opt out may be required. Location data that is properly anonymized would generally be excludable from the definition of personal information under applicable law and not subject to the notice-and-choice model.

If rapidly evolving tracking technologies and data analytic methodologies enable an actual location to be used to identify a unique individual, however, then arguably unique location data is personal information. The key in this context would be identifiability, which would depend on the privacy and security measures taken to ensure the anonymity of the data and on the likelihood or risk of reidentification of the location data to an individual.

Location tracking use cases include the following scenarios:

  1. location data point identified to a specific individual;
  2. location data point identifiable to a specific individual;
  3. location data point not identified to the individual;
  4. continuous location tracking identified to a specific individual;
  5. continuous location tracking identifiable to a specific individual;
  6. continuous location tracking not identified to the individual;
  7. development of a profile based on location tracking identified to a specific individual;
  8. development of a profile based on location tracking that is identifiable to a specific individual;
  9. location data used to compile a profile of an unidentified individual.

As described above, the distinctions between these categories become less relevant in practice.

Is regulation of data collectors sufficient to address these privacy risks? Can de-identified location data be rendered truly anonymous?

If the pervasiveness and intrusiveness of continuous location tracking indicates that location data should be subject to heightened privacy rights (as in the Jones concurring opinion, Carpenter, and the relevant FTC actions and guidance), should location tracking data be regulated regardless of whether the data is identified to a particular individual?

The analysis is even more complicated when reidentification is accomplished by a secondary market participant. In that event, who would be liable for privacy violations? Would liability rest with the data collector that did not ensure true anonymity, or with the secondary market user that was not in privity with the individual? Would it matter if data collection predated the specific technology or methodology that facilitated later identification, whether by the data collector or another party?
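The identifiability question above turns on whether stripped-down location data can be matched back to one person. The following is an added illustration, not from the article, of the “uniqueness” check reported in the MIT study cited at footnote 36: it measures how many pseudonymous users in a dataset are pinned down by a handful of their own observations, and how coarsening the data (a substantive limit on collection or release) lowers that figure. The dataset, grid size, pseudonyms and all parameters are constructed for the example.

```python
"""Uniqueness of 'de-identified' location traces (constructed example).

A pseudonymous trace is a list of (hour, x, y) observations with the name
removed. If k observations from a trace occur in no other trace, anyone who
knows those k facts about a person (a home cell at night, an office by day)
can single that person out of the dataset: the data is identifiable even
though it is not identified.
"""
import random

GRID = 40        # constructed world: a 40 x 40 grid of location cells
HOURS = 24 * 7   # one week of hourly observations


def make_traces(n_users=60, n_points=30, seed=1):
    """Build constructed 'de-identified' traces keyed by pseudonym.

    Each user gets a home and a work cell; 40% of observations fall at home,
    40% at work and 20% elsewhere. The home/work regularity is what makes real
    traces so distinctive, so the constructed data mimics it.
    """
    rng = random.Random(seed)
    traces = {}
    for uid in range(n_users):
        home = (rng.randrange(GRID), rng.randrange(GRID))
        work = (rng.randrange(GRID), rng.randrange(GRID))
        points = []
        for _ in range(n_points):
            draw = rng.random()
            if draw < 0.4:
                cell = home
            elif draw < 0.8:
                cell = work
            else:
                cell = (rng.randrange(GRID), rng.randrange(GRID))
            points.append((rng.randrange(HOURS), cell[0], cell[1]))
        traces[f"user-{uid:03d}"] = points
    return traces


def coarsen(traces, space_factor=1, time_factor=1):
    """Reduce spatial and temporal resolution before release.

    Cells are merged into space_factor x space_factor blocks and hours into
    time_factor-hour buckets. Observation order is preserved so the same
    observation indices can be compared across resolutions.
    """
    return {
        uid: [(h // time_factor, x // space_factor, y // space_factor)
              for (h, x, y) in points]
        for uid, points in traces.items()
    }


def sample_points(uid, points, k):
    """Choose k observations of one trace, deterministically per pseudonym.

    The choice depends only on the pseudonym, so it selects the same
    observations at every resolution, and the first k of the order are a
    subset of the first k+1 (more known facts can only narrow the match set).
    """
    rng = random.Random(f"{uid}-sample")
    order = rng.sample(range(len(points)), len(points))
    return [points[i] for i in order[:k]]


def matching_users(traces, known_points):
    """Pseudonyms whose trace contains every one of the known observations."""
    needed = set(known_points)
    return [uid for uid, points in traces.items() if needed <= set(points)]


def uniqueness(traces, k):
    """Fraction of users singled out by k of their own observations."""
    unique = 0
    for uid, points in traces.items():
        if matching_users(traces, sample_points(uid, points, k)) == [uid]:
            unique += 1
    return unique / len(traces)


if __name__ == "__main__":
    fine = make_traces()
    variants = [
        ("hourly, single cell", fine),
        ("daily, 10-cell blocks", coarsen(fine, 10, 24)),
        ("weekly, 20-cell blocks", coarsen(fine, 20, HOURS)),
    ]
    for label, data in variants:
        scores = "  ".join(f"k={k}: {uniqueness(data, k):.2f}" for k in (1, 2, 4))
        print(f"{label:24s} {scores}")
```

At full resolution nearly every constructed user is unique with four observations, while the same observations identify far fewer users once cells and times are bucketed; the check is a release-time risk measure, not a proof of anonymity, since an adversary with outside knowledge of a person's routine is exactly what the measure assumes.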

           2. Restricting and Prohibiting Transfer

The transfer of location data could be prohibited other than as necessary to provide the underlying service to the individual and/or for any secondary market purpose. The transferee’s use could be similarly limited. The goal would be to limit the monetization of location data in the secondary data market. As demonstrated in the wireless carrier aggregated data scenarios described above, this approach is susceptible to abuse by the parties.

     C. Upon Individual Profiling Based on Location Data

Creating individual profiles using location data poses unique risks to the individual. Precise tracking of an individual’s location over time can be used to discover information about the individual that may not be otherwise available (consider repeat visits to a casino, the home of a person not the individual’s spouse, a visit to Planned Parenthood, repeat visits to an oncologist), which when combined with other data, can be used to develop a fairly comprehensive profile of the individual.

Arguably, if a comprehensive profile is generated by the original data collector and is identified or identifiable to a specific individual, the combined data may be protected under applicable privacy law, but in the secondary market, the eventual data buyer is neither subject to current privacy regulation nor in privity with the individual or the original data collector. This includes:

  1. compilation of a data profile or adding data to the profile;
  2. identifying an individual in relation to a previously anonymous profile;
  3. resale of the profile;
  4. use of the profile to make decisions impacting the individual; and
  5. use of the profile to influence the individual’s behavior.

Very few of these activities are impacted by current U.S. privacy regulation, and none of them fit the current notice-and-choice model.

Consider again the Facebook/Cambridge Analytica scandal. Although Facebook is subject to UDAP for its collection of the data, the app developer that accessed it and the profiler that purchased it were unregulated; the risks of resale and unauthorized use were not addressed by current U.S. law.

New York’s letter to life insurance companies (described above) highlights the risks to individuals posed by secondary market usage and profiling in insurance underwriting. These same risks are present in credit marketing and underwriting, and development of use cases for data profiling is likely to explode in the same manner that monetization of data has, meaning that we cannot determine all of the possible use cases at a given point in time.

Data profiles are used daily to make decisions regarding the individual, without regard to whether the individual knows that there is a profile or that the profile is being used to make a decision affecting the individual; this precludes regulation solely through individual choice or consent. In that event, data profiling decisioning and targeting based on profiles may be better regulated directly.

Regulators could prohibit profiling using location data altogether or by secondary-market participants. Like limiting collection, use, and transfer, this would have the impact of diminishing the separate value and monetization of location data.

     D. Imposing a Duty of Care on Market Participants

Collectors, users, profilers, and third parties could be regulated directly to owe the individual a duty of care in collecting, profiling, sharing, and using location data and to have other direct obligations to the individual. In this way, privity could be created between each individual and the market participants and the risk of loss or error could be shifted from the individual to the market participant that caused the harm. This approach has precedent in the federal regulation of consumer reporting agencies and disclosers and users of consumer reports but would be much more comprehensive and complicated in scope.

VI. Conclusions

To the extent that current and proposed privacy laws protect location data, such protection is limited to location data that is identified (or in some cases identifiable) to an individual. Requirements generally apply only to the initial data collector.

As the technological lines blur between identified and identifiable, and identifiable and not identified or anonymized, the distinctions between the categories may become less relevant. This complicates the regulatory analysis.

Moreover, recent media accounts and enforcement actions reveal a robust secondary market:

  1. identified location data is regularly acquired and used by third parties with whom the individual has no direct relationship;
  2. de-identified or anonymized location data is regularly re-identified; and
  3. location data is routinely combined with other types of personal data and used by third parties with whom the individual has no direct relationship to compile comprehensive profiles of the individual and make decisions about the individual or attempt to influence behavior of the individual.

These secondary-market practices are not currently addressed by United States law.

Profile development and decisioning or influencing based on data analytics, whether relying solely on location data or combining location data with other data, is a distinct business from the initial transaction between the individual and the data collector, and poses unique risks to the individual not present during the initial collection. These secondary market uses are also complex.

If an individual can be identified by location and further characteristics or acts may be attributable directly to the individual by virtue of his or her geographical movements, then discussions of privacy regulation should include location tracking. If parties removed from the initial transaction between the individual and the data collector subsequently reidentify data to an individual or develop a profile of the individual, or make decisions regarding the individual, then consideration should also be given to whether regulation of the initial transaction and limitation of the use and disclosure by the data collector and its service providers adequately address the risks posed by the secondary location data market. The current notice-and-choice model alone is inadequate to close this Pandora’s Box.

The power of place: location tracking and location data profiling are big business. Each poses distinct privacy risks to the individual and remains largely unregulated in the United States.


[1] The author thanks Dr. Peter Alan Jezewski for his editing contributions.

[2] Although potentially applicable to a wider variety of personal data, this article focuses solely on location data. In addition, “data profiling” can refer to the process of reviewing source data to ensure its accuracy and integrity. In this article, the term is used to describe the process of characterizing an individual using data related to the individual.

[3] The presentation materials for the Future of Privacy Forum’s class, “Location Data: GPS, Wi-Fi, Spatial Analytics,” gives an excellent overview of the types of systems, hardware, and software that are involved in location tracking. Future of Privacy Forum, Sources of Data: Mobile Sensors, Wi-Fi Analytics (Nov. 27, 2018).

[4] Security Baron, The Data Big Tech Companies Have On You (Or, At Least, What They Admit To), Security Baron, Sept. 30, 2018.

[5] These types of services are often referred to as “location-based services.” See D. Oragui, 7 Examples of Location-Based Services Apps, The Manifest, Sept. 28, 2018.

[6] Consider that you are in a store; your real-time location can be collected via your smartphone using any or all of the following systems: GPS (via satellite); cell tower proximity; Wi-Fi networks; Bluetooth or beacons; LED; and audio. The smartphone has distinct hardware and software to facilitate location tracking through this variety of external systems. In addition, the apps on the smartphone have their own software to facilitate collection. This data can include your precise latitude, longitude, and altitude, including location within a building. These systems are ubiquitous, and much of the technology is relatively inexpensive.

[7] Longitudinal data may show the individual’s movements during a specified timeframe, which would be helpful for a fitness tracker that calculates distance achieved and calories burned. Alternatively, the data tracked over time may be of a particular geographical location if a certain type of data traffic is more relevant than a single individual’s location; for example, understanding the number of measles cases within a month in a specific county allows public health planners to treat and prevent the spread of the disease.

[8] Y. Vilner, Location Analytics and Retail—Friends At Last, Hackernoon.com, Oct. 26, 2017.

[9] AlternativeData.org, Industry Stats, Alt. Data.

[10] J. Valentino-DeVries, N. Singer, M. Keller & A. Krolik, Your Apps Know Where You Were Last Night and They’re Not Keeping It Secret, N.Y. Times, Dec. 10, 2018 [emphasis supplied].

[11] T. Costa, How Location Analytics Will Transform Retail, Harv. B. Rev. (Mar. 12, 2014).

[12] Id.

[13] S. Zuboff, A Digital Declaration, FAZ.net, Sept. 9, 2014.

[14] J. Naughton, “The goal is to automate us”: welcome to the age of surveillance capitalism, The Guardian, Jan. 20, 2019.

[15] The secondary data market is not limited to location data and is a topic in its own right. Discussion of that market here focuses on the risks involved when location data is sold on the secondary market, although some of these concerns may be general to other types of secondary-market data.

[16] J. Valentino-DeVries, Service Meant to Monitor Inmates’ Calls Could Track You, Too, N.Y. Times, May 10, 2018.

[17] W. Oremus, The Privacy Scandal That Should Be Bigger Than Cambridge Analytica, Slate, May 21, 2018.

[18] K. Bode, What A-GPS Data Is (and Why Wireless Carriers Most Definitely Shouldn’t Be Selling It), Motherboard, Feb. 7, 2019.

[19] J. Brodkin, Selling 911 location data is illegal—US carriers reportedly did it anyway, ARS Tech., Feb. 13, 2019.

[20] Id.

[21] B. Krebs, Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site, Krebs on Security, May 17, 2018.

[22] J. Cox, Hacker Breaches Securus, the Company That Helps Cops Track Phones Across the US, Motherboard, May 16, 2018.

[23] J. Fingas, Family tracking app leaked real-time location data for weeks. It would have let intruders spy on a child’s whereabouts., Engadget, Mar. 24, 2019.

[24] J. Cox, I Gave a Bounty Hunter $300. Then He Located Our Phone, Motherboard, Jan. 8, 2019.

[25] Id.

[26] J. Cox, Hundreds of Bounty Hunters Had Access to AT&T, T-Mobile, and Sprint Customer Location Data for Years, Motherboard, Feb. 6, 2019.

[27] E&C Republicans, Letters to Zumingo, Microbilt, T-Mobile, AT&T, Sprint, and Verizon on Location Sharing Practices (Jan. 16, 2019).

[28] J. Cox, AT&T to Stop Selling Location Data to Third Parties After Motherboard Investigation, Motherboard, Jan. 10, 2019.

[29] D. Fitzgerald & S. Krouse, T-Mobile, AT&T Pledge to Stop Location Sharing by End of March, Wall St. J., Jan. 11, 2019.

[30] For convenience’s sake, this data is referred to as “anonymous” and “anonymized,” although in practice there is an entire spectrum of de-identification, and the assumptions made in this article may vary depending on the level of de-identification technologies employed. See K. Finch, A Visual Guide to Practical Data De-Identification, Future of Privacy Forum, Apr. 25, 2016.

[31] R. Dezember, Your Smartphone’s Location Data is Worth Big Money to Wall Street, Wall St. J., Nov. 2, 2018.

[32] S. Ghosh, Location Data and The Growing Role in Marketing and Advertising Campaigns, Martech Series, June 8, 2018.

[33] S. Mervosh, Jerry Westrom Threw Away a Napkin Last Month. It Was Used to Charge Him in a 1993 Murder, N.Y. Times, Feb. 17, 2019.

[34] J. Valentino-DeVries, N. Singer, M. Keller & A. Krolik, Your Apps Know Where You Were Last Night and They’re Not Keeping It Secret.

[35] Id. [emphasis supplied].

[36] L. Hardesty, How hard is it to “de-anonymize” cellphone data?, MIT News, Mar. 27, 2013.

[37] D. Kondor, B. Hashemian, Y. de Montjoye & C. Ratti, Towards matching user mobility traces in large-scale datasets, IEEE Trans. on Big Data (Abstract), Sept. 24, 2018.

[38] This fact set is based on the scenario in Carpenter v. U.S., discussed below.

[39] The focus of this article is on the privacy implications of commercial location data tracking. Many of these practices are used by law enforcement as well, but addressing the need for balance with public safety and law enforcement purposes is a topic in its own right and beyond the scope of this article.

[40] L. Nelson, L.A. wants to track your scooter trips. Is it a dangerous precedent?, L.A. Times, Mar. 15, 2019.

[41] B. Schmarzo, Best Practices for Analytics Profiles, Infocus, July 8, 2014 [emphasis supplied].

[42] E. Mierzwinski & J. Chester, Selling Consumers Not Lists: The New World of Digital Decision-Making and the Role of the Fair Credit Reporting Act, Suffolk U. L. Rev. 46 (2013).

[43] Laursen, Who Are You?, MIT Tech. Rev. (Jan. 2015) [emphasis supplied].

[44] K. Kaye, Why the Industry Needs a Gut-Check on Location Data Use, Ad Age, Apr. 26, 2017.

[45] S. Zuboff, ‘Surveillance capitalism’ has gone rogue. We must curb its excesses., Wash. Post, Jan. 24, 2019.

[46] S. Levin, Facebook told advertisers it can identify teens feeling ‘insecure’ and ‘worthless’, The Guardian, May 1, 2017.

[47] J. McKendrick, Information Technology Enters A ‘Psychic’ Stage, Forbes, Mar. 12, 2019.

[48] NPR Interview with Shoshana Zuboff, ‘We Are No Longer The Customers’: Inside ‘The Age of Surveillance Capitalism’, WBUR, Jan. 15, 2019.

[49] A. Chang, The Facebook and Cambridge Analytica scandal, explained with a simple diagram, Vox, May 2, 2018.

[50] Id.

[51] D. Ghoshal, Mapped: The breathtaking global reach of Cambridge Analytica’s parent company, Quartz, Mar. 28, 2018.

[52] K. Kaye, Why the Industry Needs a Gut-Check on Location Data Use, Ad Age, Apr. 26, 2017.

[53] Wireless carriers must certify that they do not use assisted GPS information other than for enhanced 9-1-1 purposes. 80 FR 45897 (08/03/2015). 47 U.S.C. § 222 protects “customer proprietary network information” (CPNI), which includes location data when a wireless customer makes or receives a call; it does not currently protect location data tracked via phone when calls are not being made. See EPIC, CPNI: Mobile Location Data as CPNI.

[54] Section 5 of the Federal Trade Commission Act (the FTC Act), 15 U.S.C. § 45, prohibits “unfair or deceptive acts or practices in or affecting commerce.” The FTC regularly prosecutes enforcement actions in the privacy and cybersecurity context under the FTC Act.

[55] The Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501–6505, and its implementing regulation, 16 C.F.R. pt. 312 (COPPA), generally require operators of websites or online services that collect information from children under 13 years old to give parents clear notice of the collection practices and obtain “verifiable parental consent” to such collection.

[56] FTC Staff Report, Mobile Privacy Disclosures: Building Trust Through Transparency (Feb. 1, 2013).

[57] FTC Report, Protecting Consumer Privacy in an Era of Rapid Change (Mar. 26, 2012).

[58] Complaint at 3, In re Uber Tech., Inc., File No. 1523054 (FTC Feb. 2017).

[59] Id. at 2.

[60] Id. at 2–3.

[61] P. Boshell, Survey of Developments in Federal Privacy Law, 74 Bus. Law. 1, 193 (Winter 2018/2019) [emphasis supplied].

[62] S. Rodriguez, Facebook uses its apps to track users it thinks could threaten employees and offices, CNBC, Feb. 14, 2019.

[63] In re BLU Products, Inc., File No. 1723025, Decision and Order (FTC Apr. 2018).

[64] United States v. InMobi Pte Ltd, Case No. 3:16-cv-3474, Stipulated Order for Permanent Injunction and Civil Penalty Judgment (N.D. Cal. June 2016).

[65] N. Sannappa & L. Cranor, A deep dive into mobile app location privacy following the InMobi settlement, FTC, Aug. 9, 2016.

[66] FTC Letter to Gator Group Co., Ltd (Apr. 26, 2018); FTC Letter to Tinitell, Inc. (Apr. 26, 2018).

[67] L. Mathews, Your Child’s GPS Watch Could Be Exposing Their Location In Real-time, Forbes, Feb. 5, 2019.

[68] InMobi, at 2.

[69] Susan Freiwald & Stephen Smith, The Carpenter Chronicle: A Near-Perfect Surveillance, 132 Harv. L. Rev. 205 (Nov. 9, 2018) (providing a thorough history of federal legislative and judicial authorities regarding modern surveillance, including GPS and cell phones).

[70] Carpenter v. United States, 585 U.S. ___ (2018).

[71] P. Boshell, Survey of Developments in Federal Privacy Law, at 198.

[72] 18 U.S.C. § 2703.

[73] Carpenter, 585 U.S. at ___.

[74] Id. at ___.

[75] Id. at ___.

[76] Id.

[77] Warshak v. United States, 631 F.3d 266 (6th Cir. 2007).

[78] Carpenter at ___.

[79] Id.

[80] 18 U.S.C. § 2703(d) (2018).

[81] U.S. v. Jones, 565 U.S. 400 (2012).

[82] Jones, 565 U.S. at 413 (Alito, J., concurring).

[83] Carpenter at ___.

[84] Id. at ___.

[85] Id. at ___ (emphasis supplied).

[86] S. ____, American Data Dissemination Act, 116th Cong. (2019).

[87] S. 2639, Customer Online Notification for Stopping Edge-provider Network Transgressions Act, 115th Cong. (2018).

[88] S. _____, The Consumer Data Protection Act (2018).

[89] D. Abril, This Is What Tech Companies Want in Any Federal Data Privacy Legislation, Fortune, Feb. 21, 2019.

[90] A. Carson, At hearing, US Senate wants answers on location tracking, opt-in consent, The Priv. Advisor, Mar. 13, 2019.

[91] ACLU, Cell Phone Location Tracking Laws by State.

[92] National Consumer Law Center, Unfair & Deceptive Acts & Practices.

[93] Cal. Civ. Code § 1798.140(o)(1)(G) (2018).

[94] Cal. Civ. Code §§ 1798.100(a), (b); 1798.105(b); 1798.110; 1798.115; 1798.120(b); 1798.130; and 1798.135.

[95] 9 V.S.A. § 2430 (2019).

[96] Id.

[97] 9 V.S.A. § 2447 (2019).

[98] NY Dept. Fin’l Servs. 2019 Circular Letter No. 1.

[99] Washington Privacy Act, S. 5376, 66th Leg., Reg. Sess. (Wa. 2019).

[100] J. Cedarbaum, D. Freeman & L. Lichlyter, States Consider Privacy Legislation in the Wake of California’s Consumer Privacy Act, Wilmer Hale, Feb. 20, 2019.

[101] Id.

[102] An Act concerning certain mobile device applications and global positioning system data, S. 4974, 218th Leg. (NJ 2019).

[103] Proposed H.B. 2866, Data Transparency and Privacy Protection Act, 80th Leg., Reg. Sess. (Or. 2019).

[104] S. Pastrick, CUB Protects Oregonians’ Digital Privacy By Way Of HB 2866, Or. Cub, Feb. 5, 2019.

[105] Proposed H.B. 2866 at § 1(2)(a).

[106] U.S. Senator Ron Wyden’s draft Consumer Data Protection Act includes a do-not-track provision that would allow the individual to opt out of “personal information” sharing. Wyden has said that the bill would allow individuals to know what location data is being collected and to opt out of collection. Senator calls for regulation that would force tech companies to offer “do not track” option, CBS News, Jan. 10, 2019.

[107] Data Marketing & Analytics, Mobile Marketing Guidelines for Ethical Business Practice.

[108] Id.

[109] R. Nakashima, Google clarifies location-tracking policy, AP News, Aug. 16, 2018.

[110] E. Dreyfuss, Google Tracks You Even if Location History’s Off. Here’s How to Stop It, Wired, Aug. 13, 2018.

[111] A. Griffin, Google stores location data “even when users have told it not to”, Independent, Aug. 14, 2018.

[112] M. Rosemain, France fines Google $57 million for European privacy rule breach, Reuters, Jan. 21, 2019.

[113] E. Birnbaum, Consumer groups urge FTC to investigate Google over location tracking, The Hill, Nov. 27, 2018.

[114] T. Romm, Google’s location privacy practices are under investigation in Arizona, Wash. Post, Sept. 11, 2018.

[115] F. Navarro, Popular weather app may be selling your location data, Komondo, Jan. 7, 2019.

[116] M. Locklear, LA sues Weather Channel app owner over “fraudulent” data use, Engadget, Jan. 4, 2019.

[117] Editorial Board, Our privacy regime is broken. Congress needs to create new norms for a digital age, Wash. Post, Jan. 5, 2019.

[118] P. Day & P. Dave, Study shows limited control over privacy breaches by pre-installed Android apps, Reuters, Mar. 25, 2019.

Revised Section 13(3) of the Federal Reserve Act

On December 23, 2018, after significant market turmoil, Treasury Secretary Steven Mnuchin issued a statement that he had completed calls with the nation’s six largest banks and that those banks had reported that “markets continue to function properly,” and that they had sufficient liquidity to fund themselves.[1] This unexpected statement generated considerable commentary as to why the conversations had occurred in the first place[2] and was the first time since the dramatic events of the 2008–09 financial crisis that the government had focused on particular institutions and their liquidity. It thus seems appropriate to consider an important “weapon” in the U.S. government’s arsenal when responding to significant liquidity events in the financial sector, and what happened to that weapon in the Dodd-Frank Act.

The weapon is section 13(3) of the Federal Reserve Act, which has permitted emergency lending to bank and nonbank companies by the Board of Governors of the Federal Reserve System (the Federal Reserve).[3] This article begins with consideration of section 13(3)’s enactment during the Great Depression and its history since, and then turns to some of its principal uses during the financial crisis. It concludes with a discussion of how the Dodd-Frank Act amended this provision and how, as amended, section 13(3) fits into the post-crisis regulatory scheme.

As an initial matter, section 13(3) was not part of a “banking bill” per se, and it was controversial even in 1932. It came about as part of the Hoover administration’s response to the Great Depression, which was focused primarily on a new government enterprise, the Reconstruction Finance Corporation (RFC), created in early 1932.[4] The RFC responded to a series of bank failures in December 1931, and among other things, was a source of credit to banking institutions that were not members of the Federal Reserve as well as commercial enterprises like railroads.[5] Economic conditions continued to decline notwithstanding the RFC, and Congress continued to legislate, enacting the first Glass-Steagall Act: the Banking Act of 1932. This statute, inter alia, permitted the Federal Reserve, “in exceptional and exigent circumstances,” to authorize emergency “advances” to member banks at a penalty rate of interest when satisfactorily secured.[6] Even this measure, however, was considered a temporary measure, originally expiring after one year.[7]

As 1932 continued, President Hoover wished to expand financing by the RFC. His desires were surpassed by House Speaker John Nance Garner of Texas, who in May 1932 introduced legislation to expand the RFC’s lending authority “to any person.”[8] Despite President Hoover’s objections that this legislation authorized loans “on any conceivable security and for every purpose,” a bill containing expanded RFC authority passed the House and Senate on July 9, 1932.[9] The expanded authority of the RFC concerned not only President Hoover, but also Federal Reserve Board member Charles Hamlin and Senator Carter Glass, the father of the Federal Reserve System, likely because it introduced competition to the Federal Reserve’s lending powers.[10] Two days later, President Hoover vetoed the Garner bill, and Senator Glass introduced what became section 13(3) as an amendment to an appropriations bill that would ultimately become the Emergency Relief and Construction Act of 1932.[11]

The amendment expanded Federal Reserve authority at the expense of the RFC. It drew heavily from the expanded Federal Reserve authority to make advances to member banks in “exceptional and exigent circumstances” contained in the first Glass-Steagall Act, but was still somewhat limited in scope:

In unusual and exigent circumstances the Federal Reserve Board, by the affirmative vote of five members, may authorize any Federal Reserve Bank . . . to discount for any individual, partnership or corporation, notes, drafts, and bills of exchange of the kinds and maturities made eligible for discount under other provisions of this Act when such notes, drafts and bills of exchange are indorsed and otherwise secured to the satisfaction of the Federal Reserve Bank.[12]

In other words, the amendment permitted lending by discount only on such paper that was eligible for discount under other sections of the Federal Reserve Act—at the time, short-term paper like commercial paper.[13] The amendment was satisfactory to President Hoover and became law as Federal Reserve Act section 13(3) on July 21, 1932.[14]

Section 13(3) immediately met with a narrow Federal Reserve interpretation; the Federal Reserve initially took the position that the term “corporation” in the statute did not include nonmember banks and trust companies.[15] Moreover, section 13(3) was essentially an orphan provision: Federal Reserve Banks extended very few section 13(3) loans during the Depression itself, and it was only with the FDICIA in 1991 that Congress removed (having considered the stock market crash of 1987 and the need for broker-dealer liquidity) the limitation in section 13(3) that paper to be discounted had to be the same type of paper that was otherwise eligible for discount at a Federal Reserve Bank.[16]

As is well known, section 13(3) saw great use during the financial crisis as a means of providing much-needed liquidity. Section 13(3) was the source of authority for Federal Reserve lending in connection with the JPMorgan-Bear Stearns acquisition and the support of American International Group (AIG), and it was the source of authority for such broader programs as the Term Securities Lending Facility (TSLF), Term Asset-Backed Securities Loan Facility (TALF), and Commercial Paper Funding Facility (CPFF).[17] The Federal Reserve’s use of section 13(3) is now widely regarded as extremely successful in maintaining financial stability.

Congress responded to the Federal Reserve’s use of section 13(3) by narrowing that authority in the Dodd-Frank Act. Such lending must now be made in connection with a “program or facility with broad-based eligibility,” cannot “aid a failing financial company” or “borrowers that are insolvent,” and cannot have “a purpose of assisting a single and specific company avoid bankruptcy” or similar resolution.[18] In addition, the Federal Reserve cannot establish a section 13(3) program without the prior approval of the secretary of the Treasury.[19]

Revised section 13(3) could be used to create facilities like the alphabet facilities of the financial crisis mentioned above, but the intent of the revisions was to preclude loans like those to JPMorgan/Bear Stearns and AIG. The Dodd-Frank Act instead takes a prophylactic approach to single financial company issues or issues raised by a number of financial companies contemporaneously affected—the enhanced capital and liquidity prudential standards of section 165, resolution planning, limitations on the exercise of default rights in qualified financial contracts, and prepositioning of capital and liquidity where necessary to advance going-concern value at the operating subsidiary level. However, there is most certainly a significant limitation on the ability of the Federal Reserve—or any government agency for that matter—to inject emergency liquidity in a time of crisis: for example, liquidity available in the first instance under the Orderly Liquidation Fund authority in Title II of Dodd-Frank is limited to 10 percent of the total consolidated assets of a failing financial company.[20]

The result, then, although differing significantly in the details, is not different in character from the way that section 13(3) was originally conceived—emergency lending power must have restraints. Certainly, just as in 1932, a much less-constrained approach to Federal Reserve lending does raise policy concerns—among them the ability of the government to pick and choose among failing firms, damage to the credibility of the Federal Reserve should an emergency loan fail, and what open-ended emergency lending means for the taxpayer. It may be time, however, to take a fresh look at revised section 13(3) and determine how to balance those issues against the historical reality that financial panics and crises usually come unexpectedly, and often for reasons not considered threatening at the time. The prophylactic approach that the Dodd-Frank Act takes in guarding against and preparing for large-firm failure may be only as successful as the ability of future policymakers to anticipate a significant crisis. Nor has the issue of financial firm interconnectedness disappeared in the years after 2008. As in 1932–1933, Congress will not necessarily act with dispatch in a crisis. It was fortunate, after all, that before coming to Washington, former Chairman Bernanke had focused on the Great Depression in his academic life.


[1] Damien Paletta & Josh Dawsey, Treasury Secretary Startles Wall Street with Unusual pre-Christmas Calls to Top Bank CEOs, Washington Post, Dec. 23, 2018.

[2] Id.

[3] 12 U.S.C. § 343(3).

[4] See Parinitha Sastry, The Political Origins of Section 13(3) of the Federal Reserve Act, FRBNY Economic Policy Rev., Sept. 2018, at 15.

[5] See id. at 16–17.

[6] This provision was contained in new section 10B of the Federal Reserve Act. See id. at 18.

[7] See id. at 18 n.144.

[8] See id. at 19.

[9] See id. at 20.

[10] See id.

[11] See id. at 20–21.

[12] See id. at 23.

[13] See id.

[14] See id.

[15] See id. at 25.

[16] Pub. L. 102-242, Title IV, § 473, 105 Stat. 2386.

[17] See Sastry, supra note 4, at 3.

[18] 12 U.S.C. § 343(3).

[19] Id.

[20] 12 U.S.C. § 5390(n)(6).

Examining Technology Bias: Do Algorithms Introduce Ethical & Legal Challenges?

An important feature of a learning machine is that its teacher will often be very largely ignorant of quite what is going on inside, although he may still be able to some extent to predict his pupil’s behavior. 

A.M. Turing (1950) Computing Machinery and Intelligence. Mind 49: 433-460.

Computer scientists have been experimenting with artificial intelligence for decades. In 1950, Professor Alan Turing predicted that by the year 2000, a computer would be able to win his Imitation Game 70% of the time—by sounding like a human to another human. At that early date, Professor Turing knew that the main roadblocks to AI were storage space and speed. Nearly 70 years later, we have had a significant increase in both, along with a significant increase in large data sets that permit a broad range of experimentation. And as he predicted we have indeed constructed machines that can play and win the Imitation Game—at least, until they trip up and sound like the bots they are.

While there are many definitions of artificial intelligence, a distinguishing feature is the type of instructions humans provide to the machine. When we type numbers and functions into a calculator, we are providing step-by-step instructions and we know precisely what was done to obtain each output. We can even double-check the calculator ourselves. When a machine “learns,” it takes actions with data that go beyond merely calculating or following explicit instructions. For example, one important task that computers perform is grouping or clustering words, numbers, documents, images or other objects in very large data sets. This clustering effort is somewhat similar to playing numerous simultaneous games of Sesame Street’s “One of These Things Is Not Like the Other.” Once these data points are clustered, we can then make much more powerful inferences about the data that would not be possible if we had to examine or chart or graph individual data points. This technology allows us to say that certain contract provisions are like other contract provisions, for example, by looking at similarities in words. It allows us to teach a computer about previously diagnosed CT scans in order to use those inferences to detect illnesses in new CT scans.

Machine learning, neural networks and other types of artificial intelligence undertake such complex computational tasks that we often must in turn undertake substantial work to evaluate the results. This is one of the many potential problems Professor Turing anticipated in 1950. So once we have given up on understanding “quite what is going on inside,” how can we evaluate whether the computer did what we wanted? This is the new problem presented by the burgeoning use of advanced technology both in the practice of law and in the products and services produced by clients of legal service providers: how do we examine advanced technology for compliance with legal rules? What standards do lawyers have to meet when using or advising on advanced technology?

Ethical Framework for Lawyer Use of Machine Learning Technology

A lawyer has a duty under Rule 1.1 of the ABA Model Rules to provide “competent representation to a client,” which means that the lawyer must demonstrate the requisite knowledge, skill, thoroughness, and preparation reasonably necessary for the representation. The ABA and many states have recognized that a lawyer’s duty of competence extends to the lawyer’s substantive knowledge of the areas of law pertinent to the representation and the tools used to provide legal services to the client. The lawyer has a duty of technological competence to the extent that technology is used to represent the client. The lawyer can fulfill this duty if the lawyer possesses the requisite technological knowledge personally, acquires the knowledge, or associates with one or more persons who possess the technological knowledge. See New York County Ethics Op. 749 (2017); see also ABA Commission on Ethics 20/20 Report (“in order to keep abreast of changes in law practice in a digital age, lawyers necessarily need to understand basic features of relevant technology”).

In addition, lawyers must understand the benefits and risks associated with technology. ABA Model Rule 1.1, Cmt. 8. Lawyers have an affirmative duty (1) to be proficient in the technology they use in the representation of a client; and (2) to consider technology that may improve the professional services the lawyer provides to his or her clients. With respect to the first duty, lawyers must have sufficient proficiency with the technology they use in their practice to ensure that they are using the technology effectively to serve their clients’ interests, and they must supervise any nonlawyers who assist them in the use of this technology to ensure that they are acting consistent with the lawyer’s professional obligations. Id.; see also ABA Model Rule 5.3; see, e.g., In Re Seroquel Products Liability Litig., 244 F.R.D. 648 (M.D. Fla. 2007) (“Ultimate responsibility for ensuring the preservation, collection, processing, and production of electronically stored information rests with the party and its counsel, not with the nonparty consultant or vendor.”). With respect to the second duty, lawyers have an ethical responsibility to consider whether the client may be better served if assisted by emerging technology, including tools that rely on machine learning.

Lawyers should be aware of machine learning bias in their AI tools as part of their exercise of technological competence. AI tools based on machine learning rely on the assumptions that determine the algorithm’s decision-making. Incomplete inputs, inadequate training, incorrect programming – in addition to the machine’s own elaborations of the initial inputs – can create biases that render the tool inaccurate and ineffective for the client’s purposes. In turn, the lawyer’s use of an inaccurate and ineffective tool could cause the lawyer to fail to fulfill his or her duty of competence. Indeed, where the AI tool produces results that are materially inaccurate or discriminatory, the lawyer risks not only violating the duty of competence under Rule 1.1, but may unwittingly engage in conduct that violates Rule 8.4(d) (engaging in conduct that is prejudicial to the administration of justice) or Rule 8.4(g) (unlawfully discriminating in the practice of law).

Examples of Algorithmic Bias

With artificial intelligence, we are no longer programming algorithms ourselves. Instead, we are asking a machine to make inferences and conclusions for us. Generally, these processes require large data sets to “train” the computer. What happens when we use a data set that contains biases? What happens when we use a data set for a new purpose? What happens when we identify correlations that reinforce existing societal norms that we are actually trying to change? In these instances, we may inadvertently teach the computer to replicate existing deficiencies — or we may introduce new biases into the system. From this point of view, system design and testing need to uncover problems that may be introduced with the use of new technology.

We have seen instances of algorithm bias arise in many places, including racially disparate risk classification in software used by criminal judges to evaluate recidivism risks, in ads that are presented to different racial and gender groups, and within so-called “differential” pricing that sometimes offers better pricing to certain people. Even when we don’t see potential evidence of discrimination based upon protected categories, we are jarred by events such as the recent revelation that a “glitch” in the software supporting Wells Fargo’s mortgage modification efforts improperly denied relief to hundreds of families and cost over 400 their homes.

Moving Toward Algorithmic Rules and Standards

As a result of the growing awareness of the possibility of bias in algorithms guiding AI, we are now seeing efforts to provide guidance to deal with the problem. The most important of these comes from the EU’s General Data Protection Regulation (GDPR) in Article 22, which gives data subjects the right to object to the results of automated decision-making, to opt out of such systems, and to demand an explanation as to how the algorithms work. In fact, despite the opposition of privacy experts, the influential European Data Protection Board (formerly known as the Article 29 Working Party) has interpreted Article 22 as barring any automated decision-making that lacks a human review element. New York City, in an ordinance passed last year, has established a task force to examine the issue.

Meanwhile, industry groups, government entities and international organizations have articulated standards that may generate some consensus around audit standards and further legislation. The Fairness, Accountability, and Transparency in Machine Learning (FAT/ML) group’s principles are an excellent and brief example of the developments in this area. Their five principles – responsibility, explainability, accuracy, auditability and fairness – and the related social impact statement for these principles, provide a responsible structure for designing algorithmic systems.
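The testing point raised under “Examples of Algorithmic Bias” and the auditability principle above both come down to the same practical question: before a decision tool is relied on, does its output differ across protected groups in a way the ground truth does not justify? The following is an added example, not code from the article or from the FAT/ML group, of the kind of check a reviewer can run over a tool’s logged decisions. The records are constructed sample data; the 80 percent selection-rate ratio follows the “four-fifths” rule of thumb used in U.S. employment-selection guidance, and the 0.10 true-positive-rate gap is an assumed review threshold, not a legal standard.

```python
"""Audit a set of automated decisions for group-level disparity.

Each record is (group, qualified, approved): the protected group the
subject belongs to, whether the subject actually met the criterion the
tool is meant to predict, and whether the tool approved the subject.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Record = Tuple[str, bool, bool]

# Constructed sample, not real data. Both groups have the same share of
# qualified subjects (8 of 10), so a fair tool should approve them at
# roughly the same rate; this tool does not.
SAMPLE_DECISIONS: List[Record] = (
    [("A", True, True)] * 7 + [("A", True, False)] * 1
    + [("A", False, True)] * 1 + [("A", False, False)] * 1
    + [("B", True, True)] * 4 + [("B", True, False)] * 4
    + [("B", False, False)] * 2
)


def selection_rates(records: Iterable[Record]) -> Dict[str, float]:
    """Share of each group that the tool approved (demographic parity view)."""
    totals: Dict[str, int] = defaultdict(int)
    approved: Dict[str, int] = defaultdict(int)
    for group, _, decision in records:
        totals[group] += 1
        if decision:
            approved[group] += 1
    return {g: approved[g] / totals[g] for g in totals}


def true_positive_rates(records: Iterable[Record]) -> Dict[str, float]:
    """Share of *qualified* subjects in each group that the tool approved
    (equal-opportunity view): disparity here cannot be explained away by
    differences in the underlying population."""
    qualified: Dict[str, int] = defaultdict(int)
    hits: Dict[str, int] = defaultdict(int)
    for group, is_qualified, decision in records:
        if is_qualified:
            qualified[group] += 1
            if decision:
                hits[group] += 1
    return {g: hits[g] / qualified[g] for g in qualified}


def disparate_impact_ratios(rates: Dict[str, float]) -> Dict[str, float]:
    """Each group's selection rate relative to the best-treated group."""
    best = max(rates.values()) if rates else 0.0
    return {g: (r / best if best else 0.0) for g, r in rates.items()}


def audit(records: List[Record],
          di_threshold: float = 0.8,      # four-fifths rule of thumb
          tpr_gap_threshold: float = 0.1  # assumed review threshold
          ) -> Dict[str, object]:
    """Return the metrics plus a list of human-readable findings."""
    rates = selection_rates(records)
    ratios = disparate_impact_ratios(rates)
    tprs = true_positive_rates(records)
    tpr_gap = (max(tprs.values()) - min(tprs.values())) if tprs else 0.0

    findings: List[str] = []
    for group, ratio in sorted(ratios.items()):
        if ratio < di_threshold:
            findings.append(
                f"group {group}: selection-rate ratio {ratio:.2f} "
                f"is below {di_threshold:.2f}")
    if tpr_gap > tpr_gap_threshold:
        findings.append(
            f"equal-opportunity gap {tpr_gap:.2f} across groups exceeds "
            f"{tpr_gap_threshold:.2f}")
    return {
        "selection_rates": rates,
        "impact_ratios": ratios,
        "true_positive_rates": tprs,
        "tpr_gap": tpr_gap,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_DECISIONS)
    for key in ("selection_rates", "impact_ratios", "true_positive_rates"):
        print(f"{key}: {report[key]}")
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Running the audit on the sample flags group B on both measures: it is approved at half the rate of group A, and only half of its qualified members are approved versus seven in eight for group A. The two measures are reported separately on purpose; a selection-rate gap alone can reflect real differences in the population, while a true-positive-rate gap on equally qualified subjects is the signal that the tool, its training data, or its proxies deserve the explanation Article 22 and the FAT/ML principles call for.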