Delaware is a contractarian state, which allows parties the freedom to contract as they see fit and leaves to the parties the ordering of their affairs. Even with the freedom to include (or exclude) terms in a contract, there is one term (a covenant, really) that need not be negotiated or expressly stated in the agreement—that is the implied covenant of good faith and fair dealing. The implied covenant has been described as a “cautious endeavor” that should rarely be invoked.[1] This is because the covenant is used to protect the parties’ benefit of the bargain and not as a quasi-equitable rebalancing of rights. It cannot be invoked if the issue is already covered by the terms of the agreement. Rather, the job of the covenant is to imply those terms that the parties did not negotiate but that they would have included in their agreement if they had thought to do so. Thus, a party asserting the covenant must identify a gap in the contract for the covenant to fill. Parties may not use the covenant to obtain benefits or protections that they did not obtain at the negotiating table. It is not a free-floating duty unattached to the written contract, and it is not the court’s role to impose terms on the parties to which they did not agree.
No matter how thoroughly parties negotiate their agreement, there may be “nooks and crannies” in the contours of the agreement that are left unnegotiated.[2] As such, there are some terms that are too obvious to be negotiated—and thus, a gap exists. For example, the implied covenant barred a general partner from seeking the benefit of a safe harbor provision in a limited partnership (LP) agreement where he had used deceptive and misleading tactics; had the parties thought to negotiate that obvious term, they would have provided that the general partner could not use such deceptive devices.[3]
But a gap in the written agreement is not the only circumstance where the covenant may be applied. In the ordering of their affairs, parties may grant a party the authority to exercise its discretion in making decisions under the contract. While parties are free to set parameters on the exercise of discretion or include a standard by which the exercise of discretion is to be measured, when parties do not spell out the contours of the ability to exercise the discretion granted in the agreement, the implied covenant will imply that discretion must be exercised in good faith.
The covenant requires a contract counterparty to refrain from arbitrary or unreasonable conduct that has the effect of preventing the other party to the contract from receiving the fruits of the bargain.[4] What is arbitrary or unreasonable is not, however, judged at the time of the alleged wrongful act. Rather, the court will look to the parties’ intent at the time they entered into the contract to determine the parties’ reasonable expectations.
The covenant is implied in every contract. Sometimes the covenant can be confused with contract terms providing for “good faith.” This is often seen in the limited liability company context. Limited liability companies are an attractive vehicle for a variety of investment opportunities, including private equity and hedge fund investments. LLCs (and limited partnerships) provide structural flexibility. It is the policy of the Delaware Limited Liability Company Act (the “Act”), for example, to give maximum effect to the principle of freedom of contract and to the enforceability of LLC agreements.[5]
Thus, LLC agreements often confer very broad authority on the managers or directors and provide for a safe harbor for their decisions. Indeed, the Act permits the elimination of fiduciary duties.[6] However, the LLC agreement may not eliminate the covenant of good faith and fair dealing.[7]
So, what does “good faith” in the covenant mean in these various contexts? An LLC agreement may define “good faith” as being what the manager believes to be in the best interest of the LLC (a subjective standard), or what the manager reasonably believed to be in the best interest of the LLC (an objective standard), or provide that certain actions are conclusively presumed to constitute good faith. These concepts are not to be confused with “good faith” under the covenant, which entails faithfulness to the scope, purpose, and terms of the parties’ contract.[8]
Understanding the implied covenant and how it differs from express contractual “good faith” standards is important in drafting contracts to obtain the intended objective, usually of limiting the right to challenge a decision or a liability-limiting provision for making self-interested decisions. It is also important to understand the distinction and how each operates in developing litigation strategies. These concepts should be fully explored at the outset of drafting or litigation.
This article is related to a CLE program titled “Good Faith and Fair Dealing: Can the Covenant Really Be Breached?” that was presented during the ABA Business Law Section’s 2023 Fall Meeting. To learn more about this topic, view the program as on-demand CLE, free for members.
Nemec v. Shrader, 991 A.2d 1120, 1125 (Del. 2010); MHS Capital LLC v. Goggin, 2018 WL 2149718, at *11 (Del. Ch. May 10, 2018) (cleaned up). ↑
Gerber v. Enter. Prods. Holdings, LLC, 67 A.3d 400, 418 (Del. 2013), overruled on other grounds by Winshall v. Viacom Int’l., Inc., 76 A.3d 808 (Del. 2013). ↑
Baldwin v. New Wood Resources LLC, 283 A.3d 1099, 1119 (Del. Ch. 2022). ↑
Brinckerhoff v. Enbridge Energy Co., Inc., 2016 WL 1757283, at *18 (Del. Ch. Apr. 29, 2016). ↑
6 Del. C. § 18-1101(b); In re P3 Health Group, Hldgs., LLC, 2022 WL 16548567, at 33 (Del. Ch. Oct. 31, 2022) (“parties have broad discretion to use an LLC agreement to define the character of the company and the rights and obligations of its members.”). ↑
Attorneys practicing in the field of commercial finance and special assets professionals should keep up with the latest strategies to resolve borrower defaults through negotiated forbearance agreements. As discussed herein, professionals seeking to maximize lender recoveries on distressed debt should consider strategies including, without limitation: (i) preliminary loan workout analysis, (ii) pre-negotiation agreements, and (iii) forbearance agreements, which may be utilized to address deficiencies in loan documentation, collateral, or covenants.
I. Defaults
Defaults under commercial loans may be monetary in nature, i.e., a borrower may fail to pay principal at maturity, interest installments when due, or other indebtedness such as insurance premiums and taxes (collectively, “monetary defaults”). As monetary defaults generally may be cured, lenders must work with their counsel to strategize about potential business plans to resolve such defaults that limit the lender’s risk. Other defaults—such as the unauthorized sale or transfer of collateral, the death of a guarantor, and the failure to comply with applicable laws (collectively, “nonmonetary defaults”)—may not be curable, a factor that lenders should keep in mind when evaluating potential enforcement strategies.
Lenders also should be aware that their remedies must be appropriate for the specific default. For example, courts will examine the fairness and equity of a lender’s choice to accelerate a loan in the context of the nature of the default at issue.[1] In addition, lenders should review the loan documents to determine whether the borrower’s default is automatic or requires the lender to provide notice and a time period to cure.
Most often, the nature of the collateral will compel treatment of the defaults. For example, a lender may be more willing to work out a loan default for a construction loan where the building is nearly complete and only requires minimal costs to complete it, as compared to a lender’s willingness to work out a loan secured by collateral that may not have value in a sale (e.g., computer components or auto parts). In evaluating their options, lenders also should understand that not all default interest may be recoverable, particularly where interest is assessed pre-maturity on the entire loan amount.[2] Depending on the jurisdiction, lenders and their counsel should watch for one-action (or “single action”) rules, which require that lenders exhaust their security before suing the borrower directly on the debt[3] or employ a modified anti-deficiency approach to recoverability.[4] While default remedies often apply the laws of the lender’s preferred jurisdiction, lenders should be aware of recent legal developments that impact the court’s application of contractual choice of law provisions.[5]
II. Pre-Negotiation Agreements
Lenders should strategize about a potential pre-negotiation agreement (“PNA”) prior to entering into workout agreements with their borrower. A PNA sets the ground rules for any workout discussion and expressly reserves the lender’s rights and remedies. PNAs also acknowledge the voluntary nature of workout discussions, and they should confirm that either party can terminate negotiations at any time.
Lenders and their professionals should consider utilizing PNAs to maximize lender interests by, for example: (i) stating the existing defaults with clarity and acknowledging that the lender is free to exercise all rights and remedies as a result thereof, (ii) requiring borrower’s cooperation with pre-meeting inspections of collateral, and (iii) including a detailed release of claims in any way connected with the loan documents as of the date of execution of the PNA.
III. Forbearance Agreements
Forbearance agreements can be important tools in a lender’s arsenal for the informal resolution of defaults, as such agreements provide a clear roadmap for resolution and limit a lender’s credit risk while providing a borrower with sufficient time to resolve its financial difficulties and get back on track. Forbearance agreements also are helpful in reducing lender liability concerns, as any disputes by a borrower concerning the factual aspects of a loan and the existing defaults can be addressed in the agreement. A lender also can reduce the risk of its borrower alleging that the lender made oral promises by documenting the terms and conditions for its forbearance in the forbearance agreement.
Lenders should avoid waivers of existing defaults if at all possible. Where they cannot be avoided, waivers should be specific and short term, prepared by counsel, in writing, and clearly labeled as a waiver of existing default. Oral waivers should be avoided at all costs. Lenders also often are able to collect forbearance fees as consideration for their agreement to conditionally forbear from exercising their rights and remedies upon the borrower’s default, as well as releases. In addition, lenders may utilize forbearance agreements to clarify that attorneys’ fees, appraisal fees, litigation costs, and all other costs of collection are recoverable under the parties’ loan documents. Also, any forbearance agreement should clearly state the benchmarks, conditions, or milestones that a borrower must meet—including the timeframe for such compliance—in order for the forbearance to take and stay in effect. Finally, should lenders discover any insufficiency with their collateral, perfection, or documentation, they should strive to fix the deficiency in the forbearance agreement.
IV. Conclusion
Lenders should confer with their counsel to strategize over options to address defaults under their commercial loan documents. The nature of the borrower’s default, the type of collateral, and the lender’s business goals in resolving any default all should be considered when exploring whether a PNA and forbearance agreement may be the best option for a negotiated resolution in any given situation.
This article is based on a CLE program titled “Defaults and Forbearance Agreements” that took place during the ABA Business Law Section’s 2023 Fall Meeting. To learn more about this topic, listen to a recording of the program, free for members.
See, e.g., Brown v. AVEMCO Inv. Corp., 603 F.2d 1367 (9th Cir. 1979); Cal. Civ. Code §§ 3275, 3369. ↑
See Honchariw v. FJM Private Mortgage Fund, 83 Cal. App. 5th 893 (Sep. 29, 2022); Cal Civ. Code § 1671(b). ↑
See Carmel Financing, LLC v. Schoenmann, 2022 WL 3599561 (N.D. Cal. Aug. 23, 2022) (declining to apply contractual choice of law provisions when outweighed by public policy issues of concern to the forum state). ↑
On February 1, 2023, the Centers for Medicare and Medicaid Services (“CMS”) issued its final rule on risk adjustment data validation (“RADV”) audits.[1] The rule is already the subject of litigation. On September 1, 2023, Humana filed suit in the U.S. District Court for the Northern District of Texas,[2] challenging the new RADV audit rule as an arbitrary and capricious reversal of the 2012 policy governing RADV audits conducted by CMS—and as retroactive rulemaking that upends the predictability of the Medicare Advantage bid process and threatens the availability of benefits to enrollees.[3] On December 15, 2023, the Department of Justice filed a motion to transfer or dismiss the Humana suit.[4] The Department of Justice argues that because CMS has not yet begun any audits under the new methodology, much less completed them, Humana lacks standing to challenge the new RADV audit rule and that certain aspects of the RADV audit rule are not ripe for adjudication.
Case Details
Humana argues that the new rule eliminating the fee-for-service adjuster (“FFSA”) introduces an inconsistent documentation standard that impacts the predictability of the Medicare Advantage (Part C) bid process. To manage financial risk, plans will be required to estimate potential rebates or premiums, due to increased audit recoveries arising from the retroactive application of a different audit methodology.[5] Underlying Humana’s argument is thefundamental principle that “[t]he legal effect of conduct should ordinarily be assessed under the law existing at the time that the conduct took place.”[6] The 2023 RADV audit rule change, asserts Humana, impermissibly creates retroactive liability affecting plan years from 2018 forward.[7]
In its prior final rule in 2012, CMS recognized the need to use the FFSA to account “for the fact that the documentation standard used in RADV audits to determine a contract’s payment error (medical records) is different from the documentation standard used to develop the Part C risk-adjustment model (FFS claims).”[8] The FFSA was intended to ensure that the amount due in a RADV audit considered the difference between audit review standards and the errors resulting from unsupported fee-for-service diagnostic codes, creating a permissible level of payment errors and limiting RADV audit recovery to payment errors above the set level.[9] Humana asserts that the elimination of the FFSA removes a factor required to achieve actuarial equivalence between Part B payments and those of Medicare Advantage.
Humana argues that the retroactively applied standard for calculating extrapolated overpayments changes the legal effect of conduct under the law existing at the time that the conduct took place.[10] Humana asserts that the change impacts all bids submitted by it since 2012. It states that since 2012, when CMS announced its adoption of the FFSA, Humana has predicated its Medicare Advantage contract bids on the existence of the FFSA.[11] It asserts that the application of the new standard in this current plan year and earlier periods is contrary to the obligations of CMS under the annual rate notice. A retroactive application of the new standard, Humana argues, is contrary to the factors that were key to establishing the current- and prior-year bid proposals. Humana states that it based its bids on the CMS annual rate notice in place in the earlier periods, which required disclosure by CMS to identify risk and other factors to be used in adjusting payments.[12]
Humana seeks to have the court vacate the final rule and enjoin its application against Humana in RADV audits.
Department of Justice Motion to Dismiss and Transfer Humana Suit
Humana’s suit is premised on the impact extrapolated overpayments identified in a RADV audit for payment years 2018 forward will have on current year plan bids and insurance pricing. The Department of Justice attacks Humana’s standing to challenge the 2023 CMS Final Audit Rule. It incorrectly asserts that no RADV audits under the challenged rule have occurred, and that neither Humana nor any of its subsidiaries have been audited. The Department of Justice argues that because the harm of such audits is not certainly impending, Humana cannot establish standing through “a reasonable reaction” to “that risk of harm.”[13] CMS’s authority to conduct RADV audits is set out in 42 CFR 422.311, and it has been retroactively applied by the Office of Inspector General for the Department of Health and Human Services (OIG), in its performance of its audits of Medicare Advantage Organizations, six times since the rule became effective.
Geisinger Health Plan, in its challenge to 2023 Medicare Advantage Compliance Audit findings from the OIG, challenged the authority of the OIG to perform risk adjustment audits, arguing it lacks authority under federal regulations (42 CFR § 422.311) and the Inspector General Act of 1978 to assume program operating responsibilities.[14] It argued that the OIG’s reliance on 42 CFR § 422.311, which outlines the authority of CMS to conduct RADV audits, as one source of authority for its actions, is incorrect in that the regulation “does not govern or inform OIG’s actions” and that the OIG is limited to agency oversight and reporting. Under 42 CFR Section 422.311, Congress intended risk adjustment audits “to be performed by CMS, not OIG” as a corrective audit activity developed by CMS to address provisions included in federal statutes. The exercise of RADV audits delegated to the OIG, Geisinger argued, is tantamount to providing it the authority to “effectively create a new rule under the wrappings of an audit.”
Since February 1, 2023, there have been six OIG audits carried out under the 2023 Final Rule including the audit of Geisinger.[15] A total of approximately $6.4 million in overpayments have been assessed against six Medicare Advantage payers, including a subsidiary of Humana, CarePlus Health Plan.[16] In two of these instances, the OIG extrapolated the overpayment amount assessed because it arose from plan activity after 2018.[17] No fee-for-service adjuster was applied in two of the audits to reduce the net overpayments recouped.[18]
In the OIG audits conducted under the new 2023 Final Rule, payers have objected to audit findings, challenging the methodology used as involving flawed audit sampling that is inconsistent with CMS’s actuarial equivalence mandate, and its requirements for data accuracy and compliance.
CarePlus, in its 2023 contract level RADV audit, asserted an actuarial equivalence argument and objected to CMS’s failure to apply an FFSA in the overpayment calculation, asserting that during the year audited (2015), the 2012 Final Rule allowed for the offset to the recouped overpayment. The OIG responded to CarePlus’s actuarial equivalence argument in its audit report by stating:
We note that after we issued our draft report, CMS stated that it “will not apply an adjustment factor (known as a Fee-For-Service (FFS) Adjuster) in RADV audits.” To this point, we recognize that CMS—not OIG—is responsible for making operational and program payment determinations for the Medicare Advantage program.[19]
However, by adjusting its findings to correspond to the requirements of the 2023 Final Rule for an audit with 2015 as the audit year, the OIG effectively applied a different audit standard than the one in place in 2015, the 2012 Final Rule, which did factor an FFSA into the calculated overpayment.
Conclusion
Medicare Advantage payers face a difficult road in their efforts to manage the risks associated with the 2023 RADV audit rule. However, the 2023 contract-level RADV audits have provided evidence demonstrating the risk of harm associated with the 2023 RADV Final Rule.
Medicare and Medicaid Programs; Policy and Technical Changes to the Medicare Advantage, Medicare Prescription Drug Benefit, Program of All-Inclusive Care for the Elderly (PACE), Medicaid Fee-for-Service, and Medicaid Managed Care Programs for Years 2020 and 2021, 88 Fed. Reg. 6643 (Feb. 1, 2023) [hereinafter 2023 Final Rule]. ↑
Complaint, Humana, Inc. v. Becerra, No. 4:23-cv-00909-o (N.D. Tex. Sept. 1, 2023). ↑
Humana further asserts that no notice and comment procedure was followed with the 2018 proposed rule, which reversed CMS’s policy and excluded the FFSA. ↑
Motion to Transfer or Dismiss, Humana, Inc. v. Becerra, No. 4:23-cv-00909-o (N.D. Tex. Sept. 1, 2023) (“Motion to Transfer or Dismiss”). ↑
87 Fed. Reg. 65,723 (Nov. 1, 2022). RADV refers to risk adjustment data validation, which is the process of verifying diagnosis codes submitted for payment by Medicare Advantage insurers to provide clinical support for the diagnoses. The fee-for-service model reimburses providers based on procedures performed. The Medicare Advantage and Medicare fee-for-service models differ in that Medicare Advantage risk-adjusts a capitated rate to allow plans that accept patient populations with chronic conditions. Reimbursement under the Medicare Advantage model is diagnosis driven. ↑
Landgraf v. USI Film Prods., 511 U.S. 244, 265 (1994). ↑
Contra Azar v. Allina Health Servs., 139 S. Ct. 1804, 1811 (2019) (rulemaking only applied prospectively); Regions Hosp. v. Shalala, 522 U.S. 448 (1998) (rule adjusting base-year cost for inflation was limited to affecting reimbursement for future years and for those cost-reporting periods within the three-year window for auditing cost reports—no new reimbursement principles were applied to prior periods); Bowen v. Georgetown Univ. Hosp., 488 U.S. 204 (1988) (recoupment of amounts previously paid to hospitals applying new rule retroactively is impermissible). ↑
CMS asserts that it meets the standard for retroactive rulemaking, that the RADV audit final rule is “based on longstanding case law and best practices from HHS [Health and Human Services] and other federal agencies,” and that it had a right to change the extrapolation methods that are “historically a normal part of auditing practice throughout the Medicare program.” 83 Fed. Reg. at 54,984, 55,048 (Nov. 1, 2018). ↑
Since 2012, Humana has certified its prior-year bids based on the assumption that “the final risk scores will be calculated and payments and overpayments will be determined consistent with the fact that CMS has used diagnoses contained in administrative claims to calculate risk coefficients and risk scores for [Medicare] fee for service beneficiaries,” and that CMS “will . . . apply [] a Fee for Service Adjuster . . . to account for the fact that the documentation standards used in RADV audits to determine a contract’s payment error (medical records) is different from the documentation standard used to develop the Part C risk-adjustment model ([Medicare] FFS claims).” Humana, Inc. v. Becerra, No. 4:23-cv-00909-o, ¶ 83 (N.D. Tex. Sept. 1, 2023). ↑
Plan bids are based on prior-year risk scores of enrollees, which are derived from specific characteristics of expected enrollees in the relevant program area and the risk-adjustment method for that relevant period. The changes implemented under the 2023 Final Rule raise pricing uncertainties affecting the Medicare Advantage bid process, and the potential negative effect of potential premium increases may affect the availability or the cost of plan benefits. ↑
Clapper v. Amnesty Int’l USA, 568 U.S. 398, 416 (2013). ↑
The six audits addressed in this article were commenced prior to the issuance of the 2023 Final Rule, but the draft reports were held, and the audit findings recalculated the net overpayments due, in a manner consistent with the 2023 Final Rule. ↑
Off. of Inspector Gen., U.S. Dep’t of Health & Human Servs., Medicare Advantage Compliance Audit of Specific Diagnosis Codes That Excellus Health Plan, Inc. (Contract H3351) Submitted to CMS (July 10, 2023), at Report in Brief (payment year 2018 was audited, and CMS extrapolated the overpayment under the challenged rule without allowing for the use of the FFSA offset) (“On the basis of our sample results, we estimated that Excellus received approximately $5.4 million in overpayments for 2017 and 2018. Because of Federal regulations (updated after we issued our draft report) that limit the use of extrapolation in Risk Adjustment Data Validation audits for recovery purposes to payment years 2018 and forward, we are reporting the overall estimated overpayment amount but are recommending a refund of $3.1 million ($235,453 for the sampled enrollee-years from 2017 and an estimated $2.9 million for 2018).”); Off. of Inspector Gen., U.S. Dep’t of Health & Human Servs., Medicare Advantage Compliance Audit of Specific Diagnosis Codes That Presbyterian Health Plan, Inc. (Contract H3204) Submitted to CMS (Aug. 3, 2023), at Report in Brief (payment year 2018 was audited, and CMS applied extrapolation principles as per the 2023 RADV audit rule, without allowing the offset of a fee-for-service adjuster) (“On the basis of our sample results, we estimated that PHP received at least $2.2 million in net overpayments for 2017 and 2018. Because of Federal regulations (updated after we issued our draft report) that limit the use of extrapolation in Risk Adjustment Data Validation audits for recovery purposes to payment years 2018 and forward, we are reporting the overall estimated net overpayment amount but are recommending a refund of $1.3 million ($206,048 for the sampled enrollee-years from 2017 and an estimated $1.1 million for 2018).”). ↑
Off. of Inspector Gen., U.S. Dep’t of Health & Human Servs., Medicare Advantage Compliance Audit of Specific Diagnosis Codes That MCS Advantage, Inc. (Contract H5577) Submitted to CMS (Mar. 24, 2023), at 24 (The FFSA was not applied in this audit that covered payment years 2016 and 2017, despite those years being exempt from the 2023 Final Rule, and the OIG’s explanation referred to the 2023 Final Rule: “CMS stated (after we issued our draft report) that it ‘will not apply an adjustment factor (known as an FFS Adjuster) in RADV audits.’”); Off. of Inspector Gen., U.S. Dep’t of Health & Human Servs., Medicare Advantage Compliance Audit of Specific Diagnosis Codes That Keystone Health Plan East, Inc. (Contract H3952) Submitted to CMS (May 31, 2023), at 20 (Although the audit years sampled were 2016 and 2017, the FFSA was not applied, despite the fact that the 2023 Rule stated that the FFSA would be eliminated only after February 1, 2023, when the rule became effective. The OIG nonetheless applied the 2023 Final Rule: “[W]e note that CMS stated (after we had issued our draft report) that it ‘will not apply an adjustment factor (known as an FFS Adjuster) in RADV audits.’ Thus, we did not revise the amount in our first recommendation based on Keystone’s comments; rather, we revised the amount in response to the updated regulations that CMS published after we issued our draft report.”). ↑
On February 1, 2023, the Centers for Medicare and Medicaid Services (“CMS”) issued its final rule on risk adjustment data validation (“RADV”) audits.[1] The rule expands CMS’s scope with regard to Medicare Advantage Plans, by authorizing different sampling methods and audit techniques and eliminating the fee-for-service adjuster (“FFSA”) offset from 2018 forward.
The Final Rule is expected to increase the frequency of claims audits as well as the potential liability of Medicare Advantage Plans, physicians, and other providers. During a RADV audit, CMS looks at a sample of Medicare Advantage claims and confirms that any diagnoses submitted for risk adjustment are supported in the patient’s medical record to ensure the plan did not receive an overpayment. Changes in sampling methods and extrapolation of overpayments affect both the frequency of RADV audits as well as potential overpayment calculations.
This article discusses the increased risk of liability for providers who are parties to Medicare Advantage risk-sharing arrangements resulting from the 2023 RADV Final Rule. The 2023 audit changes represent a strengthening of CMS’s programmatic method of assuring accurate payments under the Medicare Advantage program, through an expanded scope of the RADV audits that authorizes different sampling methods and auditing techniques, and methods of extrapolation and calculation of overpayments.
To understand the evolution of the 2023 RADV audit final rule, an understanding of the Medicare Advantage payment methodology is required. While the intention of the Medicare Advantage program was to provide coverage to enrollees who require increased health-care resources, the abuses of the model have resulted in an expanded scope of CMS RADV audits and increased regulatory scrutiny of payers by the Department of Justice.
Unlike Medicare Part B payments, which are based on procedures performed, Medicare Advantage payments are diagnosis driven. A hierarchical condition category (“HCC”) model is used to risk-adjust diagnoses, by grouping ICD-10[2] diagnosis codes by severity of condition and increased cost of care for treatment of enrollees with chronic diagnoses. The HCCs are additive in nature and produce a risk score. Risk adjustment allows CMS to redirect payments from managed-care organizations that target healthy populations to those that care for the most ill. By risk-adjusting plan payments, CMS can make appropriate payments for enrollees with differences in expected costs. As an enrollee’s risk score increases, the monthly risk-adjusted payment to the Medicare Advantage organization also increases. In this way, the risk-adjustment program compensates Medicare Advantage plans for the additional risk of providing coverage to enrollees expected to require more health-care resources.
CMS Audits of Medicare Advantage Plans
Under its authority to identify waste and mismanagement of federal health program dollars, CMS has been actively conducting audits on risk-adjustment submissions from Medicare Advantage organizations.
There was little to no activity by CMS in terms of Medicare Advantage audits prior to 2019. However, in 2021, CMS recouped $223,043,005 in overpayments from six plans. The overpayment recouped from Humana in one audit totaled $197.7M (comprising 71 percent of the recoveries by the Office of Inspector General for the Department of Health and Human Services (HHS OIG) in 2021). In 2022, CMS recouped $134,739,612 in overpayments from twelve Medicare Advantage plans.
This increased scrutiny stems from the fact that in 2019 the Medicare Advantage program provided health-care coverage for 23 million Americans (accounting for about a third of all Medicare beneficiaries). Health-care coverage under Medicare Advantage plans resulted in a total annual cost of $264 billion of the $758 billion total Medicare program costs spent in fiscal year 2019.[3]
Evolution of the Audit Rule
The discussion below traces the changes in CMS audit methodology and reflects the expansion of RADV audits’ scope over time.
Medicare Advantage Audit Methodology under the 2012 Final Rule
Selection of Plans. The selection of plans for audit in 2012 was stratified. Under CMS’s approach, thirty Medicare Advantage plans were selected annually for audit, typically two to three years after payment. The contracts were targeted based on diagnosis coding intensity, which is the average change in risk score associated with reported beneficiary diagnoses covered by the Medicare Advantage contract. Coding intensity measures the extent to which the estimated medical needs of beneficiaries increase from year to year. The targeted contracts were those whose beneficiaries appeared to get sicker at a relatively rapid rate, based on the information submitted to CMS. Those contracts chosen by coding intensity were divided into three categories: high, medium, and low, with the same number of enrollees for each stratum.[4]
Beneficiary Sampling. The total number of enrollees sampled was up to, but often exceeded (see table below), 201 beneficiaries, with 67 enrollees per stratum. The categories of each stratum were based on the individual risk scores of the enrollees.[5]
Medical Record Collection and Review. After selecting the beneficiaries for review, CMS requested supporting documentation for all risk-adjusted diagnoses submitted in the past year. The Medicare Advantage plans were permitted to submit five medical records per audited risk-adjusted diagnosis. CMS contractors then reviewed the submitted medical records to determine if the medical records supported the diagnosis.
Payment Error Calculation and Extrapolation. When a medical review was completed, CMS extrapolated an error rate for the entire population over the audited period. The extrapolated amount considered the sampling weight of each enrollee. The payment error was calculated by taking the difference between the actual amount paid based on the plan’s submitted diagnoses and the amount that would have been paid based on the RADV-validated diagnoses.[6]
Extrapolation meant that if an error was found during a RADV audit on an HCC, not only were the overpayments recouped on that plan member, but payment was recouped on all members who were in that HCC over the audited year(s). The annual payment error for each sampled enrollee was multiplied by the enrollee’s sampling weight (computed for each stratum). The weighted enrollee annual payment error was summed across all enrollees in the sample to determine the extrapolated payment error.
In its prior final rule in 2012, CMS recognized the need to use an offset, the FFSA, to account “for the fact that the documentation standard used in RADV audits to determine a contract’s payment error (medical records) is different from the documentation standard used to develop the Part C risk-adjustment model (FFS claims).”[7] The FFSA was intended to ensure that the amount due in a RADV audit considered the difference between audit review standards and the errors resulting from unsupported fee-for-service diagnostic codes, creating a permissible level of payment errors and limiting RADV audit recovery to payment errors above the set level.[8] Under that 2012 CMS final rule, the FFSA was used to account for differences in the fee-for-service and Medicare Advantage documentation standards to ensure that there was no bias built in that resulted in underpayment to Medicare Advantage plans.
The 2018 CMS Proposed Rule
Highlights. CMS proposed eliminating the FFSA as part of the revised 2018 RADV audit methodology proposed rule. To support its proposal, CMS cited a 2018 internal study finding “that errors in FFS claims data do not have any systematic effect on the risk scores calculated by the CMS-HCC risk adjustment model, and therefore do not have any systematic effect on the payments made to [Medicare Advantage] organizations.”[9] CMS’s proposed changes to the audit methodology, i.e., the elimination of the FFSA, would allow it to recover payments retroactively from audits conducted for plan years from 2011 forward without an offset.
CMS also asserted its authority to use its discretion to identify different sampling methods and auditing techniques other than a stratified approach, including auditing by sub-cohorts. Auditing by sub-cohorts involves auditing by HCC, targeting diagnoses that CMS views as subject to high rates of improper payment.[10] A sub-cohort represents a grouping of HCCs, such as HCCs 17, 18, and 19—the HCCs for the diagnosis of diabetes and its complications. The 2018 proposed rule recognized that using a sub-cohort method of auditing plans would allow CMS to use smaller sample sizes to calculate extrapolated overpayments.[11]
Litigation. In United Healthcare Insurance v. Becerra, the U.S. Court of Appeals for the D.C. Circuit rejected the United Healthcare challenges to the 2018 CMS RADV rule, finding that there was no valid legal or factual claim that CMS’s overpayment rule failed to comply with actuarial equivalence, affirming CMS’s agency authority to implement the 2018 RADV proposed rule as a final rule.[12]
Audits in 2021 and 2022: Combined Methodology of 2012 and 2018 Audits
Below is a summary of some of the HHS OIG audits performed in 2021 and 2022 that combine the methodology of audits used in both 2012 and 2018 and represent varied approaches to the RADV audit process.[13] CMS’s authority to conduct RADV audits is set out in 42 CFR 422.311 and has been applied by the HHS OIG in its performance of Medicare Advantage compliance audits.
Even at that time, there were inconsistencies in the audit approach. Only four of the audits above used a sample size of 200 or below; most used a significantly larger sample size. Some had more than one reference year from which the sample was drawn. All samples were drawn from reference years that were closed, i.e., they already had final reconciliations and were settled, mostly five to six years prior to the year of the audit. Two of the contract-level audits did not extrapolate the overpayments; several were targeted reviews of sub-cohorts of HCCs, while others followed a stratified sampling method.
The 2023 RADV Audit Final Rule
Highlights. Below are the highlights of the most recent final rule, effective February 1, 2023:[26]
CMS will no longer apply a risk-adjustment factor, the FFSA, in RADV audits, meaning that plans will no longer have an offset against the extrapolated amount determined in the RADV audit.
CMS will no longer be limited in either the audit methodology used to conduct RADV audits or its extrapolation of payment errors.[27] CMS is “not adopting any specific sampling or extrapolated audit methodology, but will rely on any statistically valid method for sampling and extrapolation that is determined to be well-suited to a particular audit.”[28] CMS will extrapolate RADV audit findings under its new methodology beginning with plan year 2018, and that approach will not apply to any plan years prior to that.[29]
Payer challenges to CMS and HHS OIG audit methodology since the 2023 RADV Final Rule have focused on the lack of a consistent approach.
Two payers audited in 2023, MCS Advantage (“MCS”) and Excellus Health Plan, Inc. (“Excellus”), have challenged changes to audit methodology by arguing that their audits involved flawed audit sampling, inconsistent with CMS’s actuarial equivalent mandate and its requirements for data accuracy and compliance.[30] The MCS audit challenged the sampling methodology on grounds that it was “biased to identify overpayments.”[31] HHS did not seek to identify or account for all potential unrelated HCCs that were not submitted but were reported to CMS, thus omitting data that represented potential underpayments. HHS responded by stating its analysis “is now limited to the net overpayments associated with the sampled enrollee-years” and that a valid estimate “does not need to take into consideration all potential HCCs or underpayments within the audit period.”[32]
MCS and Excellus also challenged the audit analysis as employing a shifting audit methodology, arguing there is no consistency in the selection of the method of identifying high-risk diagnoses for review. Excellus noted that in its audit, four cancer diagnoses were selected as HCCs targeted for review, while in other compliance audits affecting other payers, none were selected. It also argued that a “high-risk” diagnosis code is nowhere defined, though HHS argued it provided information on the parameters used.[33]
Further, both payers argued that actuarial equivalence between Medicare Advantage and traditional Medicare payments is required as part of the calculation of estimated overpayments, and that HHS did not meet this requirement due to its not applying an FFSA or other mechanism to account for its risk adjustment model being based on unaudited traditional Medicare data.[34] These challenges were dismissed by HHS, based on CMS’s statement that application of an adjustment factor in RADV audits is no longer required.
MCS and Excellus also contended that other aspects of the current audit methodology are at odds with the risk adjustment model. MCS and Excellus argued the use of a physician as a tiebreaker when medical review contractors cannot determine whether a reported HCC represents an overpayment deviated from the CMS risk adjustment program requirements, which base overpayments on the inaccurate assignment of ICD 10 codes, not the clinical judgment of a physician reviewer.[35] Excellus asserted that HHS failed to use a proper notice and rulemaking process to establish its audit standards because its audit departed from CMS’s established risk adjustment audit standards. The use of such standards made the audit “procedurally defective, arbitrary and capricious” in Excellus’s view, though HHS disagreed.[36]
Impact. Plans and providers can expect the following:
The number of RADV audits will increase because of CMS’s use of either sub-cohort audits or Unified Program Integrity Contractors (“UPIC”) auditors to perform Medicare Advantage audits. CMS will use UPICs to select Medicare Advantage plan enrollees for review, identify underpayments and overpayments associated with diagnosis data submitted to CMS, and calculate the final over-/underpayment amount.[37] CMS intends for all Medicare Advantage plans to be subject to either a comprehensive or condition-specific RADV audit each plan year. There is expected to be an increase in targeted reviews, which would allow CMS to base audits on smaller sample sizes, permitting it to increase the number of audits performed. This would increase the burden on providers to respond to record requests and also widen the spectrum of provider liability for those providers who are parties to risk-sharing arrangements.
The new methods of extrapolation of overpayments from 2018 forward will potentially subject providers who participated in risk-sharing arrangements to exposure to increased, unexpected losses, where they participated as an in-network provider during the earlier periods and a final reconciliation has already taken place. They also could expect reduced income where a RADV audit has resulted in recoupment of overpayments from a plan year where no final reconciliation has occurred. While providers face a contractual risk of liability as part of the recoupment of overpayments from plans, they also could face liability under the False Claims Act to the extent they benefited financially from inflating revenues.[38]
An increase in the number of RADV audits will likely lead to additional scrutiny of physician documentation. Certain clinical documentation and billing practices can be an indicator of an overpayment.[39] Diagnoses that cannot be validated either because they are clinically unsupported or have resolved could result in RADV audit findings.[40] Managing risk in this area can protect physicians against not only liability for overpayment under a risk-sharing arrangement but also direct liability under the False Claims Act for “potential fraud actions.”[41]
As plan revenues become more uncertain due to plans’ inability to adjust for potential recoupment of overpayments, premiums may increase as one way to address that uncertainty, and enrollee decision-making as to plan options and participation could be impacted. That change, coupled with increased provider exposure to liability due to risk-sharing arrangements, may impact provider decisions to accept Medicare Advantage enrollees. A decision to no longer accept Medicare Advantage patients, while driven by revenue considerations, may have other revenue consequences for physicians who fail to factor in the potential loss of revenues from other sources, i.e., providers who refer patients to them based on their acceptance of Medicare Advantage insurance.
Providers will likely be subject to increasing demand to respond to requests from plans to comply with audit requirements.
Plans will likely conduct increased prospective audits on providers’ coding and charting to improve the accuracy of ICD-10 coding.
Guidance for Ensuring Compliance with the 2023 RADV Audit Requirements
Plans and providers should perform billing compliance audits to ensure the accuracy and completeness of the coding of claims and to affirm that diagnosis codes are clinically supported.
A plan has twenty-five weeks to submit medical records to CMS in response to an audit request. There is a large amount of information involved in a RADV audit, as well as a fixed deadline. Efficiently managing time and use of software tools enables both the provider and the plan to capture and track pertinent information.
Plans must be aware of the timetable to appeal RADV audit findings. Plans must file a written request with CMS for an appeal of the RADV audit report (the medical record review determination or the payment error calculation) within sixty days of its issuance.
Conclusion
The impact of the 2023 RADV audit final rule extends beyond Medicare Advantage payer pricing and the Medicare Advantage bid process. Providers who are parties to risk-sharing arrangements face unexpected risk in the form of loss of revenue from audited periods where final reconciliations have occurred. The contractual risks of recoupment of overpayments sought from earlier plan periods alone may be sufficient for some providers to no longer accept enrollees as patients. Further, increased premiums built into future bids may affect patient choice in terms of the plans selected; more importantly, the increased cost of the program to the plans may restrict the availability of services, ultimately impacting the patients for whom the program was created.
Medicare and Medicaid Programs; Policy and Technical Changes to the Medicare Advantage, Medicare Prescription Drug Benefit, Program of All-Inclusive Care for the Elderly (PACE), Medicaid Fee-for-Service, and Medicaid Managed Care Programs for Years 2020 and 2021, 88 Fed. Reg. 6643 (Feb. 1, 2023) [hereinafter 2023 Final Rule]. ↑
ICD-10 stands for International Classification of Diseases, Tenth Revision. ↑
In the 2018 proposed rule, CMS sought feedback on use of different payment methodologies. The cohort-by-cohort methodology would target certain HCCs with a high likelihood of improper payments. 2023 Final Rule, supra note 1, at 6649. ↑
Medicare Program Integrity Manual, at ch. 8 (“Administrative Actions and Sanctions and Statistical Sampling for Overpayment Estimation”) (effective Feb. 21, 2023). ↑
Rather than applying extrapolation beginning for payment year (PY) 2011 audits as proposed, is finalizing a policy whereby it will not extrapolate RADV audit findings for PYs 2011 through 2017 and will begin extrapolation with the PY 2018 RADV audit. As a result, CMS will only collect the non-extrapolated overpayments identified in the CMS RADV audits and Department of Health and Human Services Office of Inspector General audits between PY 2011 and PY 2017, and will begin collection of extrapolated overpayment findings for any CMS and OIG audits conducted in PY 2018 and any subsequent payment year. ↑
MCS Audit Report at 23–24; Excellus Audit Report at 23–24. HHS applies the audit rule in place at the time of the audit, rather than the rule in place at the time of the audited activity, arguably improperly allowing retroactive application of the new RADV Audit Rule. ↑
MCS Audit Report at 23; Excellus Audit Report at 20–22. ↑
Medicare Program Integrity Manual, at ch. 8 (“Administrative Actions and Sanctions and Statistical Sampling for Overpayment Estimation”), § 8.4.1.4 (effective Feb. 21, 2023); id. at ch. 4 (“Program Integrity”). ↑
Provider liability under the False Claims Act can result from:
Upcoding to increase risk adjustment factor scores (i.e., where a patient encounter note does not indicate a severe or chronic diagnosis, but a high-dollar risk-adjusted diagnosis code is assigned).
False reporting of conditions with high risk-adjusted diagnosis scores where the condition has resolved (cancer, stroke, myocardial infarction).
Making post-encounter addenda to record unsupported risk-adjusted diagnoses.
Failure to delete inappropriate codes that are part of a problem list in a patient’s medical record.
Physicians in network with Medicare Advantage Plan organizations who received financial incentives in the form of bonuses to make changes that inflated plan revenues are subject to individual liability under the False Claims Act.
See, e.g., United States’ Complaint-in-Intervention, United States ex rel. Osinek v. Kaiser Permanente, No. 3:13-cv-03891-EMC (N.D. Cal. Oct. 25, 2021). Kaiser Permanente allegedly created programs to mine patients’ electronic medical records for certain data—key words, lab results, medications, clinical indicators—suggestive of potential diagnoses that would increase risk-adjustment payments. Id. at 37. The government’s complaint alleges Kaiser “systematically alter[ed] patient medical records to add diagnoses that either did not exist or were unrelated” to a patient’s visit, using Kaiser physicians to inflate a patient’s risk score. Id. at 1; see alsoid. at 24, 40–43. Kaiser allegedly altered the patients’ medical records retrospectively using addenda to add diagnoses months, or even a year, after a patient’s visit. Id. at 1. Approximately 500,000 addenda were added during the period covered by the complaint, resulting in alleged damages in the range of $1 billion. Id. at 1, 74.
See alsoUnited States’ Complaint-in-Intervention, United States ex rel. Kathy Ormsby v. Sutter Health and Palo Alto Medical Foundation, No. 3:15-cv-01062-JD (N.D. Cal. Mar. 4, 2019). Sutter Health physicians were pressured to add risk-adjusting diagnoses codes for conditions that had resolved in prior years and no longer mapped to an HCC, and to add addenda for past patient encounters, even a year old. Sutter Health settled the False Claims Act suit in 2021 for $90 million plus a five-year Corporate Integrity Agreement. ↑
Such activity includes: Medicare Advantage organizations ”querying” physicians, directing them to supplement their documentation to add risk-adjusted diagnoses; improper use of amendments or addenda to add high-dollar risk-adjusted diagnoses six to twelve months after the patient encounter; and inconsistencies between diagnoses on problem lists compared against current encounter documentation. Ctrs. for Medicare & Medicaid Servs., Contract-Level Risk Adjustment Data Validation: Medical Record Reviewer Guidance in effect as of 03/20/2019 at 42–43, 52, 60–61 (2018). There is no indication that this RADV audit medical reviewer checklist is no longer in effect. ↑
In a decision driven by long-standing precedent and a close adherence to historical interpretations of the Delaware General Corporation Law (“DGCL”), the Delaware Supreme Court (the “Court”) affirmed the Court of Chancery’s holding that Section 242(b)(2) of the DGCL did not require a separate class vote of nonvoting shares for a certificate of incorporation amendment to provide for officer exculpation under Section 102(b)(7).
In 2022, the board of Fox Corporation (“Fox”) adopted a certificate of incorporation amendment in accordance with the recent revisions to Section 102(b)(7). The capital stock of Fox was comprised of two classes: Class A Common Stock and Class B Common Stock. The holders of Class A Common Stock did not have voting rights. The holders of Class B Common Stock were entitled to one vote per share, and they were the only class to vote on the amendment, which was ultimately approved.
The board of Snap Inc. (“Snap”) adopted a similar certificate of incorporation amendment. Like Fox, Snap had a multi-class capital structure. The holders of Class A Common Stock did not have the power to vote, the holders of Class B Common Stock were entitled to one vote per share, and the holders of Class C Common Stock were entitled to ten votes per share. The Class C stockholders executed a written consent approving the amendment.
A Class A Fox stockholder and a Class A Snap stockholder filed suit against their respective companies, seeking a “declaration that the charter amendments did not comply with Section 242(b)(2) and were invalid.” The matters were consolidated.
Section 242(b)(2) provides, in relevant part:
The holders of the outstanding shares of a class shall be entitled to vote as a class upon a proposed amendment, whether or not entitled to vote thereon by the certificate of incorporation, if the amendment would increase or decrease the aggregate number of authorized shares of such class, increase or decrease the par value of the shares of such class, or alter or change the powers, preferences, or special rights of the shares of such class so as to affect them adversely. (Emphasis added.)
Relying on this language, the plaintiffs asserted that stockholders have three fundamental powers—the power to vote, to sell, and to sue. As such, the plaintiffs argued that, by depriving stockholders of the ability to sue officers for duty of care violations, the amendment infringed on one of those powers and therefore triggered a class vote of each class of capital stock pursuant to Section 242(b)(2).
At the subsequent summary judgment hearing in this matter, the plaintiffs argued: (i) that the word “powers” should be read broadly, and in conjunction with other, unrelated sections of the DGCL, and (ii) that Hartford Accident & Indemnity Co. v. Dickey Clay Mfg. Co. (“Dickey Clay”) and Orban v. Field (“Orban”), two seminal cases interpreting Section 242(b)(2), were inapplicable to the present dispute because those cases did not, at their core, deal with “the elimination of a personal power.” By contrast, the defendants asserted that: (i) the word “powers” only referred to “special characteristics of the class” and that the term needed to be closely analyzed in conjunction with the phrase “preferences, or special rights of the shares of such class” and (ii) the long-standing precedent of Dickey Clay and Orban provided strong support that Section 242(b)(2) should apply to only the “peculiar” or “special” characteristics of stock.
The Court of Chancery, while hesitant to do so, granted summary judgment in favor of the defendants and held that “the officer exculpation amendment d[id] not require a class vote of the company’s non-voting stock because the officer exculpation amendment d[id] not affect a power, preference, or special right that appears expressly in the charter.” The Court of Chancery arrived at this conclusion by conducting a textual analysis of Sections 242(b)(2) and 102(a)(4) of the DGCL and reviewing precedent as well as practitioner understanding and commentary.
More specifically, the Court of Chancery first concluded that while the plaintiffs attempted to shape the right to sue officers for monetary damages for a breach of the duty of care as a power specially granted to stockholders, such a power was not set forth in the certificate of incorporation or in the DGCL, and, accordingly, the Fox and Snap amendments did not require a separate Class A stockholder vote. Second, the Court of Chancery drew upon Dickey Clay and Orban, which stand for the proposition that a Section 242(b)(2) vote is only necessary when the amendment “adversely affect[s] a peculiar attribute of the class of stock rather than rights incidental to stock ownership.” Lastly, the Court of Chancery concluded that the plaintiffs’ argument was not well-supported by treatises, general commentary, or practice.
On appeal, the plaintiffs argued that the Court of Chancery: (i) improperly rejected the plaintiffs’ interpretation of the word “powers” and their argument that the right to sue officers falls under the powers referenced in Section 242(b)(2); (ii) incorrectly relied on Dickey Clay and Orban; and (iii) wrongfully considered the legal community’s understanding of Section 242(b)(2) as part of its analysis. The Court addressed, and rejected, each of these arguments.
First, after diving into the lengthy history of Section 242(b)(2) and the case law interpreting it, the Court analyzed Section 242(b)(2) in conjunction with two additional provisions of the DGCL: Sections 102(a)(4) and 151(a). Section 102(a)(4) provides that the “powers, preferences and rights” of class-based stock must be included in a corporation’s certificate of incorporation. Section 151(a) discusses the “powers,” “preferences,” and “special rights” that may be granted to specific classes of stock and provides that such powers “shall be stated and expressed in the certificate of incorporation or of any amendment thereto . . . .” As the Court noted, Section 242 directly references amendments to the certificate of incorporation, thereby connecting it to Section 151(a).
The Court continued by explaining that the “powers, preferences, and rights” that are incorporated into all three of the above-mentioned statutes are not defined in Section 242(b)(2), but that Sections 102(a)(4) and 151(a) shape the understanding of Section 242(b)(2) as “limit[ing] the ‘powers, preferences, or special rights’ of a class to those authorized by Section 151(a) and expressed in the charter under Sections 151(a) and 102(a)(4).” Importantly, these powers may either be expressly set forth in the certificate of incorporation or may be incorporated pursuant to Section 394, which provides that the DGCL is part of the certificate of incorporation of every Delaware corporation.
Then, the Court, disagreeing with the plaintiffs’ introduction of rather selective definitions of the word “power,” again explained the importance of understanding Section 242(b)(2) in relation to Sections 102(a)(4) and 151(a), and further explained that the term “powers” is meant to refer to “specific class powers . . . and not to general powers incidental to stock ownership.” The Court also dismissed plaintiffs’ argument that “power” should be read in conjunction with other provisions of the DGCL. Specifically, the Court explained that plaintiffs’ cited provisions only referred to the power to sue in certain contexts, rather than defining the right to sue as a power specific to the shares of a class. The Court also declined to accept plaintiffs’ argument that requiring a class vote for powers stated in the certificate of incorporation, but not requiring such a vote for identical powers stemming from the DGCL, creates an inequality. As the Court had noted earlier, the DGCL, through Section 394, makes it clear that the DGCL is part of the certificate of incorporation of every Delaware corporation, thereby eliminating any potential inequality.
Second, the Court summarily dealt with plaintiffs’ precedent argument, concluding that “for three quarters of a century, Dickey Clay has stood for two points: 1) that rights incidental to stock ownership are not a peculiar characteristic of the shares of a class of stock, and 2) that Section 242(b)(2) should be read considering other provisions of the DGCL.” Fifty years later, Orban confirmed the value of Dickey Clay. As such, the Court affirmed the Court of Chancery’s reliance on, and application of, Dickey Clay.
Finally, the Court also rejected plaintiffs’ third argument. The Court briefly recognized legal practitioners’ near-unanimous understanding of how Section 242(b)(2) operates, as evidenced by the fact that nine multi-class corporations that amended their certificates of incorporation to include director exculpation provisions under Section 102(b)(7) concluded that a multi-class vote was not necessary, a point raised during summary judgment. Further, the Court highlighted the Court of Chancery’s statement that since Section 102(b)(7) was adopted nearly forty years ago, the plaintiffs were the first to argue that an exculpation amendment required a class vote. Lastly, the Court explained that the Court of Chancery’s observation of practitioner commentary did not substantially contribute to its ultimate holding.
Proponents of marijuana reform have had cause for celebration in recent months. Despite challenges facing the industry, the political and social momentum surrounding cannabis is ticking upward.
Recently, the marijuana industry touted the passage of the Secure And Fair Enforcement Regulation Banking Act (SAFER Banking Act) by the Senate Banking Committee. The SAFER Banking Act passed by a notable bipartisan majority of 14–9 on September 27, 2023. The bill (S. 2860) was placed on the Senate legislative calendar under general orders the following day. A Senate floor vote is now pending.
Despite the SAFE Banking Act passing in the US House of Representatives on seven previous occasions since its first passage in 2019, the SAFER Banking Act’s advancement through the Senate has caused quite a stir among not only cannabis and cannabis-related businesses, but also among banks, credit unions, insurers, lenders, and more—especially those that have, until now, elected not to serve the cannabis industry due to the risk that they could be prosecuted given federal restrictions on cannabis. While some banks, credit unions, and other financial services providers do serve the cannabis industry, the majority of state-legal medicinal or recreational cannabis businesses do not participate in traditional and secure banking systems and financial services for this very reason.
The advancement of the SAFER Banking Act by the Senate Banking Committee may be a signal that significant changes are on the horizon, making marijuana a bigger, more accessible product throughout the country—and allowing cannabis industry participants to make bigger deals—in the near future.
Marijuana Gains Momentum at Federal and State Levels
Based on recent events, it seems likely marijuana will be rescheduled under the Controlled Substances Act (CSA) sometime this year, garnering attention nationwide. While industry experts have discussed the potential impacts of rescheduling marijuana from a Schedule I substance to a Schedule III substance—including offering relief from Internal Revenue Code 280E, resulting in a much lower effective tax rate for businesses across the industry, as well as providing expanded opportunities to research the plant and its impact on and interactions with the human body—many questions still remain with respect to how the rescheduling of marijuana could impact a cannabis or cannabis ancillary company’s ability to access financial services. As reported previously, “[i]t is unclear if the change from Schedule I to Schedule III will impact the marijuana industry’s ability to access financial services. Although many risks may be reduced, they are not fully eliminated. Time will tell if and how this change in marijuana re-scheduling will change the risk appetite of banks, credit unions, and other financial service providers.”
The passage of the SAFER Banking Act, conversely, would have substantial direct impacts on banks, credit unions, and other financial service providers.
Zooming in, thirty-eight states and Washington, DC, currently allow for the medical use of marijuana. Voters or legislators in twenty-three states and Washington, DC, have passed laws regulating the non-medical (so-called “recreational”) use of cannabis. There have been several notable developments in the past year: Maryland’s recreational marijuana market opened on July 1, 2023, and Maryland cannabis retailers sold more than $85 million worth of products during the state’s first month of legal sales. Minnesota’s law—the most recently implemented—went into effect on August 1, 2023. Ohio voters approved a measure to legalize recreational marijuana in early November, and recreational marijuana may be on the ballot in Florida in 2024 as well.
Key Provisions of the SAFER Banking Act
In sum, the key provisions of the SAFER Banking Act include the “safe harbor”—or protections—from certain criminal, civil, and administrative penalties that may otherwise result due to the status of marijuana under federal law on the basis of the institution’s provision of financial services to a “State-sanctioned marijuana business or service provider.”
While marijuana will remain illegal under the SAFER Banking Act, the law would resolve the tension between federal and state law with respect to banking, lending to, and insuring a state-legal cannabis business. While the authors of this article are not aware of any enforcement action taken against a bank or credit union solely on the basis of its providing services to a state-legal marijuana business, a pattern of non-enforcement does not operate as a shield against future enforcement. The fear of such enforcement operated as a substantial barrier to marijuana-related businesses obtaining financing and banking products in recent years.
Under the SAFER Banking Act, certain applicable guidelines and restrictions will remain in place—primarily surrounding due diligence and ongoing monitoring for suspicious activities, all activities to which banking and financial institutions are accustomed in the context of other highly regulated industries.
The Scope of the SAFER Banking Act
Payments: The SAFER Banking Act includes the following payments-related activities under the definition of “financial service(s)” that are protected under the Act’s safe harbor provisions:
“whether performed directly or indirectly, the authorizing, processing, clearing, settling, billing, transferring for deposit, transmitting, delivering, instructing to be delivered, reconciling, collecting, or otherwise effectuating or facilitating the payment of funds that are made or transferred by any means, including by the use of credit cards, debit cards, other payment cards, or other access devices, accounts, original or substitute checks, or electronic funds transfers;” and
“acting as a money transmitting business that directly or indirectly makes use of a depository institution in connection with effectuating or facilitating a payment for a State-sanctioned marijuana business or service provider.” Sec. 2(7)(B)(ii–iii).
Insurers: The text of the bill also provides protections for insurers engaging in the business of insurance with a state-sanctioned marijuana business or service provider of the relevant legal jurisdiction against being held liable pursuant to any federal law or regulation solely for providing a financial service, or for further investing any income derived from such a financial service. Sec. 2(1), Sec. 2(7)(B)(i). The language of the SAFER Banking Act also expands these protections to insurers that “otherwise engage[] with a person in a transaction permissible pursuant to a law (including regulations),” Sec. 5(c), language that notably does not appear in the House’s SAFE Banking Act.
Mortgage Loans: Under the SAFER Banking Act, income derived from a legally operating state-sanctioned marijuana business “shall be considered in the same manner as any other legal income for purposes of determining eligibility for a covered mortgage loan for a 1- to 4-unit property that is the principal residence of the mortgagor.” Sec. 9(b)(1). Further, a mortgager or servicer may not be held liable pursuant to any federal law or regulation solely for providing, guaranteeing, purchasing, or securitizing a mortgage to an otherwise qualified borrower, or for accepting such income as payment on the covered mortgage loan. Sec. 9(b)(2)(A)–(B). Nor may a relevant legal interest be forfeited solely based on an entity’s providing, insuring, guaranteeing, purchasing, or securitizing a mortgage to an otherwise qualified borrower, or accepting marijuana-related income as payment on a covered mortgage loan.
The SAFER Banking Act provides 180 days after its enactment for affected agencies, departments, corporations, and more to provide notice of the implementation of the law previously described by notice, mortgagee letter, circular or handbook, bulletins, seller/servicer guides, and guidelines as directed thereby.
Forfeiture: A critical consideration in any discussion of the relevant risks faced by all parties providing goods or services to the cannabis industry is the risk of forfeiture.
Addressing these issues, the SAFER Banking Act provides express protections against “criminal, civil, or administrative forfeiture” of relevant “legal interest[s]” solely for providing a financial service to a state-sanctioned marijuana business or service provider, or for further investing any income derived from such a financial service. See Sec. 5. The beneficiaries of these protections include depository institutions, community development financial institutions, federal reserve banks, federal home loan banks, federal national mortgage associations, federal home loan mortgage corporations, and federal agencies making, insuring, or guaranteeing mortgage loans or securities. These protections also extend to other parties to mortgage loans (such as nondepository lenders that make a covered mortgage loan, as further defined, and any person who otherwise has a legal interest in such a loan or in the collateral of the loan, including individual units of condominiums and cooperatives, provided that the collateral is a property designed principally for the occupancy of one to four families and underwritten, in whole or in part, based on income from a state-sanctioned marijuana business or service provider). Sec. 5(d).
Hemp: The SAFER Banking Act also addresses challenges faced by “hemp-related legitimate businesses.” Sec. 8. Acknowledging that “despite the legalization of hemp, some hemp businesses (including producers, manufacturers, and retailers) continue to have difficulty gaining access to banking products and services”—including that “businesses involved in the sale of hemp-derived CBD products are particularly affected, due to confusion about the legal status of such products” —the SAFER Banking Act requires each federal banking regulator to update guidance related to providing financial services to “hemp-related legitimate business and hemp-related service providers.” Sec. 8(c).
Specifically, regulators will have 180 days to provide guidance concerning compliance with obligations of financial institutions, as well as best practices for providing financial services—expressly including processing payments—to such businesses and service providers.
Will Financial Institutions Be Required to Serve the Marijuana Industry?
Under the newly revised legislation, the Treasury Secretary is required to publish updated guidance titled “BSA Expectations Regarding Marijuana-Related Businesses” (FIN–2014–G001), or otherwise issue new guidance to “ensure[] that a financial institution, and any director, officer, employee, or agent of a financial institution continues to report suspicious transactions” within one year of the enactment of the SAFER Banking Act. Sec. 6(2). Notably, the previous version of the SAFER Banking Act initially introduced in the Senate provided the Treasury Secretary only half this amount of time (180 days) to issue amended or new guidance.[1]
So what are banks, credit unions, insurers, lenders, and others to do in the meantime? Will institutions and entities be forced to do business with marijuana-related business and services providers?
If the SAFER Banking Act does become law, all relevant entities will be expected by Congress—despite no updated guidance in place at the time—to “take a risk-based approach in assessing individual customer relationships rather than decline to provide banking services to categories of customers without regard to the risks presented by an individual customer or the ability of the depository institution to manage the risk.” Sec. 10(a)(5).
But no, institutions will not be required to serve marijuana businesses; the Act states as much:
Nothing in this Act shall require a depository institution, an entity performing a financial service for or in association with a depository institution, a community development financial institution, or an insurer to provide financial services to a State-sanctioned marijuana business, service provider, or any other business.
Sec. 16(a).
The SAFER Banking Act’s passage would mean there would likely be a significant (voluntary) influx in market entry for financial services providers, as well as increased competition among new and existing financial, insurance, and related service participants in the cannabis industry. With that influx will come an increased need for these institutions and entities to engage in a wide range of state- and marijuana-specific business activities such as customer identification, risk-based customer diligence, and complying with suspicious activity monitoring and reporting obligations consistent with the business plan, risk profile, and management capabilities of the entity or institution.
A Risk-Based Approach: How to Prepare to Work with a Marijuana Business
The current FinCEN guidance (FIN-2014-G001, issued February 14, 2014) clarifying Bank Secrecy Act (BSA) expectations for financial institutions seeking to provide services to marijuana-related businesses is based on what are known as the “Cole Memos.” This guidance requires financial institutions in practice to develop a sophisticated expertise in the marijuana laws and marijuana business environment particular to each marijuana-related business customer.
This FinCEN guidance remains the current authority on BSA expectations for financial institutions that offer marijuana banking services and financial institutions generally, if any suspected marijuana-related activity taking place in the financial institution requires a report to be filed pursuant to the guidance. Briefly, the guidance restates the standards set out in Cole Memo I, including the eight enforcement priorities.
The FinCEN guidance then details the following requirements for financial institutions:
Initial and Ongoing Customer Due Diligence. As part of the financial institution’s determination whether to open, close, or refuse an account.
Suspicious Activity Reports (SARs). Regardless of any state law legalizing marijuana, financial transactions involving a marijuana-related business involve funds derived from presently federally illegal activity. Therefore, financial institutions must file SARs on marijuana-related business activity even if the marijuana-related businesses are legal under state law. There are three types of SARs for marijuana businesses, and financial institutions must determine which is appropriate for a transaction.
Currency Transaction Reports. The marijuana industry is still overwhelmingly cash-based, and financial institutions must still comply with currency transaction reporting (CTR) requirements for marijuana-related transactions.
If the SAFER Banking Act passes, this guidance will be required to be updated within one year of its date of enactment.
Big Deal(s) Ahead
Despite the existing disconnect between federal and state law with respect to the treatment of marijuana, as well as the oft-conflicting federal guidance, some financial institutions have chosen to serve marijuana-related businesses in recent years. However, the SAFER Banking Act could change that landscape completely and usher in a new era of expanded banking, financing, and insurance of the cannabis industry throughout the United States.
Uniform guidance and examination procedures are also required to be developed by the Federal Financial Institutions Examination Council, in consultation with the Department of the Treasury, within one year of the enactment of the SAFER Banking Act. Sec. 7(a). ↑
Before a company raises its first round of financing, it’s crucial that the founding team understands how an equity round will impact the company’s capitalization table (“cap table”) and the founders’ ownership in the company. This article illustrates an easy way to conceptualize this impact and calculate a company’s post-money cap table following a financing.
Initial Share Distribution
Before we delve into the numbers, let’s imagine a scenario: Alice and Bob are the sole founders of XYZ Tech and are considering their first major financing round. Currently, Alice and Bob each hold 500,000 shares of XYZ Tech representing 50 percent of its outstanding equity.
The table below represents XYZ Tech’s cap table immediately prior to the financing:
Shareholder
Shares
Ownership
Alice
500,000
50%
Bob
500,000
50%
Pre-Money Capitalization
1,000,000
100%
Raising Cash – Transforming the Cap Table
Example 1: Initial Capital Raise Impact on XYZ Tech’s Cap Table
Assume that Alice and Bob meet with a prospective investor who is interested in investing $1 million in XYZ Tech based on a pre-money valuation of $15 million. By accepting these terms, XYZ Tech will receive an investment of $1 million in exchange for issuing equity to the new investor. This will increase XYZ Tech’s post-money valuation to $16 million (i.e., the company had $15 million of value, and an additional $1 million in cash was added to its balance sheet), but it will also dilute Alice and Bob’s ownership percentage of XYZ Tech (i.e., the pre-money capitalization).
Using these terms, we can calculate XYZ Tech’s post-money capitalization table using the following process:
New Investor Ownership Percentage: The $1 million investment translates into a 6.25 percent ownership stake in XYZ Tech on a post-money basis ($1,000,000 investment / $16,000,000 post-money valuation).
Founders Post-Money Capitalization Ownership Percentage: Alice and Bob currently own 100 percent of the company. After the investment, their combined ownership will adjust to accommodate the new investor’s 6.25 percent ownership stake, leaving them with 93.75 percent of XYZ Tech’s post-money capitalization (100% – 6.25%).
Post-Money Capitalization Shares: Post-money capitalization shares can be calculated by dividing the pre-money capitalization shares by Alice and Bob’s remaining ownership percentage after the investment (i.e., the founders’ post-money capitalization ownership percentage calculated in Step 2) (1,000,000 / 93.75% = 1,066,667).
New Investor Shares: To determine the actual number of shares that the new investor receives, we multiply the new investor ownership percentage we calculated in Step 1 by the post-money capitalization shares calculated in Step 3 (6.25% x 1,066,667 = 66,667).
Post-Money Cap Table: The final step is to update the cap table with the new share distribution. Optionally, you can include a column for the value of the shares held by each shareholder. This value can be calculated by multiplying the post-money ownership percentage by XYZ Tech’s post-money valuation. The revised cap table, with the optional “Value” column, would look like this:
Shareholder
Value
Shares
Ownership
Alice and Bob
$15,000,000
1,000,000
93.75%
New Investor
$1,000,000
66,667
6.25%
Post-MoneyCapitalization
$16,000,000
1,066,667
100%
Option Pool Increase and Convertible Notes
Example 2: Incorporating Convertible Notes and the Employee Stock Option Pool Prior to Investment
Now assume that XYZ Tech has an additional financial instrument in play prior to the financing: $500,000 in convertible notes that will convert at a 20 percent discount. For those unfamiliar with convertible notes, they are short-term debt that will usually convert into equity at the most favorable price per share derived from either a valuation cap or a discount during a company’s next equity financing. For this example, the notes convert using a discount rate.
Assume further that XYZ Tech is required to create an employee stock option pool (“ESOP”) equal to 15 percent of its post-money capitalization as part of the terms of the investment.
A simple way to calculate the post-money capitalization table is to begin by determining the ownership percentages of the new investor, the ESOP, the noteholders, and the founders, as follows:
New Investor Ownership Percentage: The new investor still receives a 6.25 percent ownership stake in XYZ Tech’s post-money capitalization ($1,000,000 / $16,000,000).
ESOP Ownership Percentage: XYZ Tech is required to allocate an option pool equal to 15 percent of its post-money capitalization.
Noteholders Ownership Percentage: The noteholders’ ownership percentage can be calculated by dividing the total value of the convertible notes after adjusting for the discount ($500,000 / 80% = $625,000) by the post–money valuation: ($625,000 / $16,000,000 = 3.90625%).
Founders Post-Money Capitalization Ownership Percentage: We calculate the founders’ post-money ownership percentage using the same method as before, except now we need to adjust to accommodate the new investor, the ESOP, and the convertible notes (100% – 6.25% – 15.00% – 3.90625% = 74.84375%).
As in Example 1, to calculate the total post-money capitalization shares, we divide the total pre-money capitalization shares by Alice and Bob’s remaining ownership percentage after the investment (1,000,000 / 74.84375% = approximately 1,336,117). Now we can determine the share amounts for each category and update the cap table with the new share distribution:
ESOP Share Calculation: Multiply the ownership percentage by the total number of shares (15.00% x 1,336,117 = 200,418 shares).
Noteholders Share Calculation: Multiply the ownership percentage by the total number of shares (3.90625% x 1,336,117 = 52,192 shares).
New Investor Share Calculation: Multiply the ownership percentage by the total number of shares (6.25% x 1,336,117 = 83,507 shares).
Shareholder
Value
Shares
Ownership
Alice and Bob
$11,975,000
1,000,000
74.84375%
ESOP
$2,400,000
200,418
15.00%
Noteholders
$625,000
52,192
3.90625%
New Investor
$1,000,000
83,507
6.25%
Post-Money Capitalization
$16,000,000
1,336,117
100%
Example 3: Incorporating Convertible Notes and the ESOP After the Investment
The timing of the option pool increase and conversion of outstanding notes or simple agreements for future equity (“SAFEs”)—that is, whether they occur before or after an equity investment—can have significant implications for a start-up’s valuation, investor share price, and founder dilution.
Before the New Investment: Treating an option pool increase or the shares issued upon conversion of outstanding notes or SAFEs as occurring prior to the new investment effectively lowers a company’s post-money valuation and increases the dilutive impact on prior investors. This results in a higher share count before the investment and thus a lower share price for the new investor. If you compare Examples 1 and 2 above, you can see that including the ESOP and the noteholders in the company’s pre-money capitalization, before the new investment, dilutes Alice and Bob’s ownership in XYZ Tech and the effective value of their investment by 18.91 percent (93.75% – 74.84%).
After the New Investment: Treating an option pool increase or the shares issued upon conversion of outstanding notes or SAFEs as occurring after the new investment means that the new investor will share some of the dilution with the current cap table. This results in a higher share price for investors and less dilution for the founders initially.
To illustrate this concept, let’s continue our ongoing analysis of XYZ Tech’s cap table from Example 2, except with a critical timing difference: the ESOP increase and the conversion of the convertible notes will occur after the investment. Since the convertible notes and the ESOP occur after the investment, we calculate the shares issued to the new investor using the same calculation as in Example 1.
New Investor Ownership: The new investor’s $1 million investment translates into a 6.25 percent ownership stake in XYZ Tech on a post-money basis, immediately prior to the conversion of the notes and the ESOP ($1,000,000 / $16,000,000 post-money valuation).
Post-Money Shares before ESOP and Note Conversion: Using the steps outlined in Example 1, we know that Alice and Bob’s one million shares represent 93.75 percent of XYZ Tech’s outstanding equity and that the shares allocated to the new investor are equal to 66,667. Therefore, the total capitalization of XYZ Tech immediately after the investment but before the conversion of the notes and the option pool increase is 1,066,667 shares (1,000,000 / 93.75%), which represents $16 million from a valuation perspective.
Note Conversion: The number of shares issued to the noteholders can be calculated using the same methodology as before, except that the ownership percentage for the noteholders is multiplied by the number of shares calculated in Step 2 above (3.90625% x 1,066,667 = 41,667).
Calculating Total Post-Money Capitalization: We can use the same methodology outlined above to calculate the total post-money capitalization, except that now both the new investor and the noteholders are included with Alice and Bob in the capitalization calculations. This means that we can calculate post-money capitalization by dividing 1,108,334 (1,066,667 + 41,667) by 85 percent (100% – 15% (ESOP)), which equals 1,303,922.
Shareholder
Value
Shares
Ownership
Alice and Bob
$15,000,000
1,000,000
76.6917%
New Investor
$1,000,000
66,667
5.1128%
ESOP
$2,400,000
195,588
15.00%
Noteholders
$625,000
41,667
3.1955%
Post-Money Capitalization
$19,025,000
1,303,922
100%
This scenario illustrates how the timing of the ESOP increase and note conversion influences the cap table. By deferring these actions until after the investment, the new investor and the noteholders share in the dilution, reducing the total dilutive impact on the founders (Alice and Bob) by 1.848 percent.
Summary
In conclusion, mastering cap table math is vital for start-up success. Founders must comprehend the impact of financing on ownership and valuation to make informed decisions. This guide simplifies the complexities, empowering entrepreneurs with the knowledge to navigate equity distribution and maintain the integrity of their vision and ownership.
Recent regulatory proposals have kick-started the open banking sprint.[1] As both banks and fintechs adopt open banking innovations, however, new all-encompassing digital interfaces, paired with artificial intelligence (“AI”), will raise critical questions about data protection, consent, and current disclosure frameworks. Entities must dedicate sufficient resources to design, test, and protect AI and protect privacy as they enter the new, exciting open banking landscape.
The Future of Open Banking
In the not-so-distant future, we will find ourselves in a brave new world of consumers sharing deposit, credit card, loan, and mortgage data across enterprises, to display and interact with their full financial profile in one dynamic interface. In that world—known as “open banking”—privacy implications and potential AI applications loom large.
This future has been accelerated by the proposed rule on open banking announced by the Consumer Financial Protection Bureau (“CFPB”) on October 19, 2023. The proposed rule mandates that financial institutions, card issuers, and payment providers make consumer data—including transaction data—readily available to consumers and authorized third parties. In addition, the proposed rule institutes consumer protection obligations on collection and use of that data and prohibits data providers from imposing fees for establishing and maintaining these new-age interfaces.
Further dissection of the CFPB’s proposed rule on personal financial data rights illustrates an expectation that digital interfaces will play a primary role in the banking ecosystem, as well as a staunch desire to prevent potential exploitation through limitations and protections on the use of personal financial data. Key considerations will include implementation of robust encryption mechanisms, transparent data governance practices, and protection against inadvertent disclosure of sensitive financial information.
The Proposed Section 1033 Rule: Overview
Section 1033 of the Dodd-Frank Act provides consumers the right to obtain their information relating to a consumer financial product or service in an electronic form from a covered person subject to CFPB rulemaking to implement this statutory provision. The CFPB has described its proposed rulemaking as accelerating the shift to open banking, which is the idea that financial information will flow among various parties in the financial services ecosystems, including banks, fintechs, data aggregators, and consumers. However, the proposed section 1033 rules currently are limited to regulating the flow of consumer financial data from data providers to consumers and third parties authorized to access that data by the consumer. The comment period on the proposed rule closed on December 29, 2023.
The rule represents one of CFPB Director Rohit Chopra’s signature priorities because it addresses his desire both to regulate what he refers to as the monetization of consumer data and to promote competition in consumer financial services. Competition in the marketplace arguably is bolstered by consumers having the ability to “vote with their feet” and more easily move their financial data from one entity to another. Because of the rule’s importance to Chopra’s agenda, a final rule is likely to be issued by late spring to avoid potential Congressional Review Act invalidation. The compressed time frame from proposed to final rule suggests that there will not be significant change in scope between the proposed and final rules.
Elements of the Proposed Rule
The proposed rule establishes pertinent terminology: data providers, covered data, and authorized third parties. In the initial iteration of the rule, data providers are limited to financial institutions as defined by Regulation E and credit card issuers as defined by Regulation Z.[2] (The CFPB has intimated that expanding the applicability of this data access right to other markets will likely be the subject of future rulemakings.)
This first round of rulemaking applies to covered data relating to Regulation E accounts and Regulation Z credit cards.[3] Authorized third parties are those that are permitted to request covered data from a data provider.[4] They will have to comply with certain authorization procedures that require express consent by the consumer that is limited in duration.[5] Moreover, they will be subject to a limitation on use and retention of covered data and will be required to condition further disclosure of consumer data to other third parties upon that third party’s agreement by contract to comply with the section 1033 authorization requirements.[6] These restrictions on the flow and use of data by third parties and other players in the payments ecosystem will undoubtedly have implications for consumers’ privacy and use cases for AI as open banking develops and evolves in the United States.
The proposed rule seeks to impose a framework in which data transfers are accomplished via application programming interface (“API”) calls rather than by existing methods such as screen scraping or credential sharing. Data providers will be required to maintain a consumer interface and establish and maintain a developer interface, both of which must meet certain performance specifications, to receive and respond to data access requests.[7] Data providers generally will not be allowed to restrict the frequency of access requests, nor will they be permitted to deny access requests except in limited circumstances to address risk management concerns.[8]
Notable Gaps in the Proposed Rule
Banking industry trade groups, whose members are subject to the proposed rule, have sharply critiqued the proposed rule for failing to be sufficiently prescriptive on issues relating to data accessibility and for being nearly silent on issues relating to liability for mishandling data.[9]
Indeed, many of the standards by which the CFPB proposes to make data accessible and available to consumers and authorized third parties appear to be delegated to standard-setting organizations (“SSOs”) that have yet to be recognized by the CFPB. The Financial Data Exchange, widely regarded by industry groups as the leading contender to qualify as a standard-setting organization, does not yet function in the form that the proposed rule contemplates. And there is no industry-wide agreement on whether any CFPB-recognized SSO should enjoy enforcement power or otherwise be able to mandate adoption of the standards it promulgates. Nor does the proposed rule contemplate that a data provider’s compliance with any standards promulgated by a recognized SSO will provide a safe harbor from any regulatory action. The lack of certainty around the role that an SSO will play under the final rule and the implementation of appropriate governance that an SSO will need to achieve recognition leaves many in the banking industry viewing the short compliance time frames in the proposed rule (which are staggered according to asset thresholds, with the first time frame to take effect six months after publication of the final rule in the Federal Register) as unworkable.
The proposed rule fails to resolve questions of liability for any potential misuse, misappropriation, or breach of a consumer’s financial data. That silence is a notable asymmetry to the obligations (and corresponding liability) that Regulation E and Regulation Z impose on financial institutions and credit card issuers to investigate disputes. The proposed rule’s failure to allocate liability is likely to disadvantage financial institutions relative to nonbanks: because consumers are more likely to complain to their banks in the first instance about potential unauthorized payments transfers, even if an authorized third party or a player even further downstream was the one that mishandled the data resulting in the alleged payment, banks will likely need to invest greater resources than nonbanks to comply with their Regulation E obligations. Any investment to meet increased compliance demands may result in either an increase in the price of banking products or services or reduced offerings of such products and services, or both, none of which would benefit consumers.
Instead, the proposed rule contemplates that liability will be handled by private contract among data providers and authorized third parties. Banking trade groups have appropriately raised concerns that larger market players—such as data aggregators and other nonbank institutions—will be able to leverage their bargaining power to minimize their liability. Leaving liability to private contract also raises the specter of inconsistent treatment of data and remedies for consumers in the event of a breach or misuse of data.
The Proposed Rule’s Potential to Blunt the Promotion of Open Banking
The promise of open banking that the proposed rule seeks to advance may be undone by two of its key aspects.
First, under the proposed rule, data providers are not permitted to charge fees in connection with developing and maintaining the data access interfaces. The costs of developing and maintaining these interfaces will be significant, with various trade groups estimating development costs of approximately “the high tens of millions of dollars”[10] and ongoing maintenance costs ranging anywhere from “millions of dollars each year”[11] to “approximately $15 million beyond what is currently spent to provide consumers and third parties with covered data through existing APIs.”[12] There is also significant cost incurred by a data provider in ensuring the security of that data when it is transferred in response to an access request. Larger institutions may be able to better leverage the work they’ve already put in to facilitate data transfers in the market as it exists today, but smaller financial institutions will not necessarily have done this work. Industry groups have argued that smaller financial institutions in particular may decrease their product offerings to consumers without a way to recoup any of the costs of their technology investments.
Further, the proposed rule imposes limitations on third parties’ use of consumer data obtained from data providers. The proposed rule provides that third parties must limit their use, retention, and collection of covered data to what is “reasonably necessary to provide a consumer’s requested product or service.”[13] The rule prohibits, as not “reasonably necessary,” use of covered data to provide targeted advertising, to cross-sell other products or services, or to sell the data itself.[14] While such limitations may be laudable from a consumer privacy perspective, they may nonetheless inhibit the achievement of open banking without greater regulatory clarity about what is “reasonably necessary” to provide a consumer’s requested product or service. It is less than clear, for example, whether a third party may collect and use consumer data to train algorithms that may in turn improve the quality of the requested product or service. Nor is it certain whether a third party may use consumer data to forecast trends that may improve credit underwriting or inform new product development.
Privacy and AI Implications
The interplay between open banking and data rights raises critical issues across state privacy regimes and federal financial services requirements—including the Gramm-Leach-Bliley Act’s safeguarding mandates. Handing users financial data-sharing control across digital services, platforms, and sectors will now drive industry obligations. However, this control sans safeguards will not only create a minefield for privacy overexposure but also open floodgates for bad actors.
When “forced” to share data, financial institutions will need to ensure secure transfer to prevent breach and compromise of consumers’ data. This will include salting, hashing, and/or tokenizing numbers to eliminate security risk, and identifying compromised points—while limiting friction on customer end points. Tokenized Account Numbers (TANs) will assist in the solution, through obfuscating raw data, pinpointing a breach (since TANs are merchant-specific), and promoting scalability. TANs are also utilized by users and merchants today and will fulfill section 1033’s mandate for secure, standardized documentation through a low-code, or no-code integration path.
In addition to the other benefits noted, open banking’s inevitable integration of AI models/algorithms will increase efficiency and user personalization. The increase in reliance on AI-driven data analytics, however, will require a continued balance between innovation and safeguarding user privacy. Named entity recognition (NER), as a subset of natural language processing (NLP), will undoubtedly be used to extract relevant information from open banking’s text-based transaction data—both for beneficial use cases such as organization and ease of customer use and for improper uses like payment surveillance. Machine learning will also solve classification problems with ease—identifying purchasing, prioritizing payments, and supporting other open-banking use cases.
Conclusion
If properly implemented, open banking will drive exciting pro-consumer innovation and competition in financial services. This new reality will have to balance privacy and AI implications to build consumer trust and maximize the potential of section 1033. To do so, the CFPB should take into account legitimate concerns raised by financial institutions regarding the burdens that the proposed rule places on them to ensure the accuracy, integrity, and accessibility of sensitive payments–related and other financial data to consumers and authorized third parties—without any ability to recoup the significant costs involved, to protect themselves against liability once the data leaves their control, or to prepare adequately for compliance with the rule in the absence of certainty as to the role SSOs will play under this regulatory framework.
Jehan Patterson is counsel at Debevoise & Plimpton LLP; Sumeet Chugani is general counsel at Cloaked. The coauthors participated on a panel titled “AI + Privacy in the New Age of Open Banking” presented at the American Bar Association’s Consumer Financial Services Committee Winter Meeting on January 7, 2024, in Santa Barbara, California, and their remarks are adapted for this article. In addition, Patterson assisted one of the industry trade groups cited in a footnote to this article in preparing comments on the proposed rulemaking to implement section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. ↑
The case of Hardwick v. 3M, a per- and polyfluoroalkyl substances (PFAS) class action lawsuit filed in Ohio, has been marked as one of the most significant legal cases in recent history. The Sixth Circuit Court of Appeals granted interlocutory review of this enormously significant case on September 9, 2022. However, on November 28, 2023, the Sixth Circuit Court of Appeals dismissed the class action, holding that the lead plaintiff failed to identify which companies made the “forever chemicals” detected in his blood.
The Hardwick case is noteworthy due to the proposed scope of plaintiffs that counsel sought to include in the case. The lawsuit aimed to include any US citizen with detectable levels of PFAS in their blood, which is estimated to be over 95 percent of the US population.
Instead of seeking relief in the form of monetary damages, the suit sought to establish a medical monitoring program for affected citizens. It also sought to establish an independent science panel to study the effects of numerous PFAS on human health. In March 2022, the Ohio court ruled that the class of plaintiffs allowed to proceed with the lawsuit was “[i]ndividuals subject to the laws of Ohio who have 0.05 parts per trillion (ppt) of PFOA (C-8) and at least 0.05 ppt of any other PFAS in their blood serum.”
Although the Ohio federal district court rejected the lead plaintiff’s proposed nationwide class, it nonetheless certified a class of what the Sixth Circuit’s order granting interlocutory review referred to as “nearly all 11.8 million residents of Ohio, along with anyone else otherwise subject to its laws.” The court limited the class to individuals subject to Ohio law instead of making it nationwide due to the fact that numerous states do not yet recognize medical monitoring as a legal cause of action, and some states do not permit lawsuits to proceed for an increased risk of disease without any proof of actual harm.
Sixth Circuit Vacates District Court’s Class Certification
On November 27, 2023, in a strongly worded order, the Sixth Circuit vacated the district court’s class certification and remanded with instructions to dismiss for lack of jurisdiction.[1] The Sixth Circuit stated that “[s]eldom is so ambitious a case filed on so slight a basis,” acknowledging that PFAS exposure is a “fact of daily life” for Americans, involving thousands of compounds manufactured by thousands of companies over the last fifty-plus years, with human body concentration reductions varying from days to years depending on the compound type.
The Sixth Circuit held that the plaintiff lacked standing due to the absence of particular allegations about how each defendant manufactured or provided a plausible pathway that likely delivered to the plaintiff’s body any one of the five detected PFAS compounds. The court found that the plaintiff pled only collective and conclusory allegations against all defendants for the trace quantities of only five PFAS compounds, while not knowing which companies manufactured those five PFAS compounds, not having any current sickness or symptoms, and not knowing whether PFAS exposure may someday make him sick. Thus, even at the pleadings stage, a plaintiff must do more than make a conclusory “the-defendant-unlawfully-harmed-me-accusation.” Hardwick failed to allege facts “supporting a plausible inference that any of these defendants caused these five particular PFAS to end up in his blood.”
Implications
The Hardwick decision is instructive in evaluating future PFAS claims. Absent evidence of traceability to the defendant at the time of filing, plaintiffs will have a difficult time surviving dispositive motions on the basis of standing. This decision sets forth a burden for standing plaintiffs must meet in order bring PFAS claims against multiple defendants. Plaintiffs must establish a “plausible pathway” at the time of filing. This will require tying an alleged injury to a particular defendant. In short, plaintiffs will have to show traceability back to the defendants at the time of filing the complaint in order to survive dispositive motions.
Facing PFAS exposure claims, companies may want to consider conducting qualified environmental audits with use of outside counsel in identifying sources where PFAS is used either in their manufacturing process or in their parts received by suppliers. Audits will enable companies to distinguish the type of PFAS in question and trace potential exposure pathways for those PFAS chemicals.
Similarly, on January 12, 2024, a northern California federal district court dismissed the PFAS-related class action case of Lowe v. Edgewell Personal Care Company on the grounds that its plaintiffs had not plausibly alleged injury from the products at issue. The Lowe plaintiffs brought their actions against two different tampon product lines, claiming that the presence of PFAS rendered the manufacturer’s various representations about the products “false and misleading.”
The manufacturers filed motions to dismiss the actions on the grounds that the plaintiffs had not plausibly alleged that its products contained PFAS and that any alleged amount of PFAS rendered the products harmful, or that PFAS can be traced back to the manufacturers.
The Court granted defendants’ motion to dismiss, holding that plaintiffs’ allegations provided no specificity as to the results reached by the independent testing or any other findings that would support their interpretation of the testing results. It also found the plaintiffs to have merely speculated that the tampon components were likely to contain PFAS because those chemicals are “frequently” used to make materials water-repellent.
The court further found that plaintiffs’ allegations that the tampons contained PFAS to be insufficient because the plaintiffs did not provide any information showing how much PFAS the tampons might have contained, let alone whether that level of PFAS in a tampon might be harmful.
Conclusion
Hardwick is a virtual roadmap for all companies facing alleged PFAS exposure issues, providing a step-by-step basis for challenging standing. It appears that federal courts will not allow just any complaint containing PFAS allegations to progress past the pleading stage of litigation. Plaintiffs will have to show some plausible pathway that can be traced back to the defendant. Environmental audits focused on a cradle-to-grave examination from the time the PFAS chemical is created or used up through the time it is properly disposed will be invaluable. It will likely require the use of qualified environmental consultants and outside counsel but is well worth the investment of time and expense.
Hardwick v. 3M Co. (In re E.I. du Pont de Nemours), 2023 US App. LEXIS 31297 (6th Cir. Nov. 27, 2023). ↑
Canada’s M&A activity is poised at the crossroads of anticipation and opportunity as we step into 2024. Reflecting on both recent trends that have shaped the Canadian legal landscape and predicted ones, it’s clear that a sense of cautious optimism pervades discussions about the future.
In this article, we delve into the anticipated trends in Canada’s M&A landscape for 2024. Through a pragmatic lens, we explore key factors shaping the M&A environment, ranging from considerations like interest rates and inflation to the evolving dynamics of private credit and the increasing international interest in Canadian renewable energy.
Increased Confidence Surrounding Interest Rates and Inflation
In the evolving landscape of Canadian M&A in 2024, a critical factor influencing dealmaking will be the projected stabilization of interest rates and inflation. Some buyers may remain cautious, evaluating economic conditions, while others, stimulated by the “new normal” of higher interest rates, may boldly charge forward with M&A activity.
The Bank of Canada and the US Federal Reserve have each hinted at interest rate cuts in 2024. Though the timing is unclear, the reduced concerns about ongoing inflation and rate increases may drive market activity.
Distressed Acquisition Opportunities
The aftermath of government support during the post-COVID-19 era, coupled with the impact of high interest rates, has created a landscape ripe with distressed acquisition opportunities and restructuring potential. Limited liquidity and inflated valuations will compel organizations to evaluate strategic alternatives, leading to an expected uptick in distressed M&A activities. In 2024, well-capitalized companies are anticipated to be well poised to engage in strategic acquisition transactions at discounted prices.
Less Frenzied M&A Market
A notable shift in the M&A landscape for 2024 is the anticipation of a less frenzied market characterized by greater parity among buyers and sellers. The days of rushed transactions may give way to a more deliberate approach, with extended negotiation periods and in-depth due diligence becoming the norm. Both buyers and sellers are expected to exercise heightened caution, leading to more balanced and nuanced deal terms, including the continued prevalence of earn-out structures. This shift towards a measured M&A environment emphasizes the importance of thorough assessments and collaborative negotiations in achieving mutually beneficial outcomes.
The delicate balance between risk and reward will bring dealmakers back to the negotiating table, fostering a climate where astute decision-making becomes paramount. Within this context, we are cautiously optimistic that we will see continued deal activity in 2024, with stakeholders keenly assessing the impact of the economic factors discussed above on transaction dynamics.
Increased Availability and Use of Private Sources of Funds
In response to the evolving financial landscape, a notable trend on the horizon is the increased use of private credit to finance purchase prices. The significant increase in borrowing costs, not wholly offset by decreased valuations for targets, means that traditional banks constrained by regulatory frameworks and risk appetites may be unable or unwilling to provide the capital required for M&A transactions. Consequently, private credit has become an attractive alternative source of capital. Dealmakers are expected to increasingly turn to private credit instruments and innovative financial solutions in 2024. Borrowers are also likely to leverage their existing lending relationships, as banks and other lenders will be more willing to deploy their capital to borrowers with whom they have established a history.
Regulatory Scrutiny
A growing consensus among competition regulators and policymakers suggests that many markets have become less competitive, necessitating heightened merger enforcement. In 2024, regulatory bodies are expected to intensify their examination of foreign investment transactions and strategic combinations.
Proposed changes to the Competition Act aim to strengthen the Competition Bureau’s enforcement powers, penalties, and sanctions. These changes subject more mergers to notification and approval requirements, lowering the bar for the Bureau to challenge transactions. The result is regulatory uncertainty and increased costs. Such considerations lessen the attraction for some companies seeking to engage in Canadian business deals.
Attention on ESG and Canadian Renewable Energy
Canada’s renewable energy sector is poised to attract heightened international interest in 2024. As global initiatives focus on sustainable practices, Canadian projects present attractive investment opportunities. The confluence of Canada’s commitment to ESG, including renewable energy targets, and the international appetite for green investments positions the country as a key player in the global energy transition. For investors looking to take advantage of more readily available capital, projects involving clean energy innovation will be an attractive option, given the Canadian federal budget and provincial measures being used to entice investment. Investors and dealmakers alike are expected to explore partnerships and acquisitions within the Canadian renewable energy landscape, contributing to the sector’s growth and fostering international collaboration.
With this said, it is growing increasingly important that parties to M&A transactions carefully evaluate and structure their deals with ESG considerations top of mind, ensuring that a clear narrative, targets, and performance indicators are employed. This is especially true for larger public or multinational companies, given the rising pressure from investors and stakeholders to prioritize ESG considerations.
Conclusion
The landscape of Canadian M&A in 2024 is characterized by opportunity—to create value through creative financing, strategic acquisitions, and carefully considered deal terms and structures. As we anticipate the stabilization of interest rates and inflation, the surge in private credit, international interest in Canadian renewable energy, distressed acquisition opportunities, increased regulatory scrutiny, and a less frenzied M&A market, strategic and well-informed dealmakers and their legal representatives are poised to capitalize on the evolving M&A terrain.
The trends forecast for 2024 underscore the importance of strategic foresight, adaptability, and a nuanced understanding of the intricacies inherent in each transaction. As the legal landscape responds to economic shifts and global imperatives, dealmakers can leverage this knowledge to navigate M&A scenarios with confidence and clarity.
Connect with a global network of over 30,000 business law professionals
