The legal profession is on the cusp of a transformation as artificial intelligence (AI) technologies like ChatGPT are becoming increasingly sophisticated. These tools promise to make the generation of written content faster and more efficient than ever before. This flood of content will present a challenge for legal professionals who will need to find ways to differentiate their expertise in an era of information abundance.

How can forward-thinking legal professionals preemptively adapt to the imminent changes brought about by AI technologies like ChatGPT, and effectively position themselves to stand out in a market that will be more crowded than ever?

By proactively developing well-informed opinions and perspectives, honing public speaking skills, and having a clear focus in their practice, legal professionals can establish a distinct presence in their respective areas of practice, and stay ahead of the curve.

The Anticipated Impact of ChatGPT on Legal Marketing

ChatGPT, with its ability to analyze extensive text data, is poised to revolutionize content generation in the legal profession. As more lawyers and legal marketing departments embrace this technology, there will be an influx of written content that happens nearly instantaneously. Client alerts, articles, blog posts, social media campaigns, and even books can all be produced and disseminated faster and more efficiently than ever before. Legal professionals must anticipate this shift and think creatively about how to make their written marketing materials and lawyer thought leadership stand out. Innovating and demonstrating specialized expertise will be crucial.

Differentiating through Opinion and Perspective

In the wave of information that AI technologies are set to generate, it is essential for lawyers who want to stand out to have a unique perspective. An attorney with well-formed opinions can be a guiding force for clients. Savvy lawyers with focused practices are more likely to have opinions on recurring issues in their specific area of expertise. These opinions are not about being right or wrong but are based on what works for them, cultivated through repeated experience.

Opinions in the legal profession are dynamic in nature and evolve as lawyers gain new experiences and insights. A lawyer with well-formed specific views is often perceived as more credible and decisive. Clients typically prefer representation that is proactive, confident, and based on informed judgment. Such lawyers are not just seen as legal representatives, but as counselors and trusted advisors, providing emotional intelligence, strategic decision-making, and advocacy skills that cannot be replicated by AI.

One of the crucial aspects of differentiating oneself as a lawyer through written communication is the ability to distill complex legislative changes into digestible and actionable insights for clients and their businesses. In a landscape soon to be awash with an abundance of AI-generated content that may lack uniqueness, lawyers need to craft well-structured, concise, and personalized written material to stand out from the crowd. This writing should break down legal jargon, incorporate real-world examples for relatability, and, most importantly, offer clear recommendations that set them apart from the redundant information circulating in the market. This human element—the ability to clearly articulate and guide based on informed opinions—is what will differentiate legal professionals in the fast-approaching deluge of written information.

The Power and Benefits of Public Speaking for Lawyers

“Public speaking is one of the most underdeveloped yet essential skills for lawyers,” says Jordyn Benattar, a lawyer and the founder of public speaking coaching firm Speakwell.

As the amount of information available swells, clients will turn to trusted advisors who can skillfully sift through this information and render it into clear and actionable insights. Public speaking emerges as an invaluable asset and clear differentiator in this context. Through engaging and articulate presentations, lawyers can foster trust, a cornerstone in the lawyer-client relationship. By speaking at conferences and live events, or through webinars and published videos, lawyers can gain visibility, establish their authority in their practice area, and build a reputation as experts in their field.

Additionally, public speaking provides a platform for lawyers to showcase their personality and communication style, something written materials often lack and an essential factor for clients when choosing legal representation. It gives potential clients and collaborators a glimpse into what it’s like to work with lawyers, how they approach problems, and how they communicate solutions.

This enhanced reputation not only aids in business development but also plays a significant role in attracting top talent. When a law firm’s attorneys are recognized for their public speaking prowess, it adds an allure to the firm, increasing the chances skilled and talented professionals will want to work there. On a personal level, public speaking fosters the development of communication skills and bolsters confidence. Lastly, public speaking engagements can present networking opportunities with other speakers and attendees, allowing lawyers to establish meaningful connections among recognized experts in their chosen area of interest.

Developing Public Speaking Skills

“At any stage of your legal career, developing the learnable and indispensable skill of public speaking can very well become your greatest competitive advantage,” says Benattar. To excel as a public speaker, especially in the legal realm, a multi-faceted approach to skill development is essential. 

Understanding the audience is crucial. Legal professionals must recognize that their audience might not possess legal expertise, and it’s imperative to tailor the content to the audience’s knowledge level. This involves avoiding legal jargon when unnecessary and focusing on the key messages that resonate with the audience’s interests and concerns.

Refining body language is another key aspect. A lawyer’s posture, gestures, and facial expressions can significantly impact how the audience perceives the message. Maintaining eye contact, for instance, can create a connection with the audience and convey confidence. Similarly, using gestures effectively can emphasize points and keep the audience engaged.

Voice modulation is equally important. A monotone delivery can make even the most intriguing content seem dull. Varied pitch, appropriate pacing, and strategic pauses can make the content more engaging and help in emphasizing key points.

Speak on enjoyable topics that have been researched thoroughly. Being well-prepared not only boosts confidence but also ensures that the speaker can handle questions and engage effectively with the audience. It’s important to structure the content logically and have a clear understanding of the key takeaways that the audience should leave with.

Regular practice is required. This could take the form of rehearsing in front of a mirror, recording oneself, or practicing in front of a trusted colleague or friend who can provide constructive feedback that can be acted upon.

In addition to practice, attorneys should consider investing in resources such as coaching, courses, and books that focus on public speaking. These resources can offer insights into advanced techniques and provide a structured approach to developing public speaking skills.

Conclusion

Legal professionals that employ human, engaging, and succinct thought leadership will cut through the AI-enabled clutter. As clients and prospects are often too time-strapped to navigate through an abundance of written material, by embracing the role of trusted advisor and utilizing the art of public speaking, attorneys can provide those they serve clarity, relevance, and a personal touch. This combination of attributes is invaluable in getting noticed and being remembered by the people who matter most to the trajectory of your career. A focus on being forward-thinking and proactive, coupled with the ability to communicate insights effectively, will define the successful legal professionals of the future.

Steeped in tradition, governed by highly detailed rules of play, and with a culture that values sportsmanship and civility, professional golf had seemed for many years impervious to change. That state of quietude abruptly ended last year.

What follows is an overview of the game-changing events that have recently occurred, the questions that remain unanswered, and anticipated next steps that will shape the final form that the business of golf will take. Since this saga is ever-evolving, this overview can only reflect the state of play at the time it goes to press.

The oldest principal player in this drama is the PGA Tour, a nonprofit organization based in Florida that runs most golf tournaments. The Tour holds lucrative contracts with the major TV networks that televise such events. Five players sit on its eleven-person governance committee. To be clear, the PGA Tour oversees only a discrete segment of professional golf. It does not run the four “majors”: the Masters, the U.S. Open, the Open (the British Open), or even the PGA Championship (which is run by the PGA of America, an association of club professionals that also has responsibility over the Ryder Cup). However, it does operate a number of other tours, including one that features up-and-coming players who aspire to qualify for and join the PGA Tour.

PGA Tour events involve players competing by playing eighteen holes each day for four days (for a total of seventy-two holes). After the first two rounds of a tournament, the half of the field who have the worst scores fail to “make the cut”; they are sent home without earning a single dollar. (This has been a sore point for non-elite golfers.) At the end of four days, the player with the lowest aggregate score wins. In the event of a tie, a playoff ensues.

The first shock wave to impact the business of golf came in 2022 when LIV Golf was launched, with Australian golfer Greg Norman as its CEO and the Public Investment Fund (PIF), the sovereign wealth fund of Saudi Arabia, serving as its financial backer. LIV enticed several well-known PGA Tour professionals to join its tour with multimillion-dollar signing bonuses and the prospect of earning more money with fewer events. LIV’s format features fifty-four holes over three days of competition, and it involves team as well as individual competition. What’s more, no golfer is cut from a LIV tournament; all participants earn money. The attraction of LIV for professional golfers was simple: make more money for less work.

LIV’s exposure to the viewing public has been limited by the fact that it has not been able to reach agreements with the major television networks. LIV also does not operate a player development circuit; it has just raided the PGA Tour ranks for players.

Corporate ownership of sports leagues is not unknown; in motorsports; NASCAR and Formula One are examples. What makes LIV different is the involvement of the Saudi sovereign wealth fund. Critics of LIV have accused the Saudi government of sportswashing, using its investment in golf to distract from its human rights record, the murder of Washington Post columnist Jamal Khashoggi, and speculation about its being involved in 9/11 (though allegations of connections have been investigated, no direct link has been established). Jay Monahan, Commissioner of the PGA Tour, commented in 2022 that no golfer ever had to apologize for being a member of the PGA Tour. His criticism of LIV and PIF at the time earned him the support of 9/11 Families United, a group of family members of those who died and survivors of the attacks. In the context of sportswashing accusations, it’s worth noting that LIV is not PIF’s only foray into the world of sports: PIF led a consortium that acquired U.K. soccer club Newcastle United in 2021 and has also made significant multi-year investments in Formula One and WWE.

Following the first LIV event in London in June 2022, the PGA Tour made good on its threat of sanctioning players who joined the LIV Tour by barring them from participating in PGA Tour events. Unkind words between the golfers of the rival tours ensued, as did litigation. A number of LIV players—followed by LIV Golf itself—sued the PGA Tour in federal court in California. alleging antitrust violations. The Tour countersued for interference with contractual relations. The Tour also hired lobbyists to seek support from Congress to help fend off its new rival—all to no avail. In order to prevent further defections of its players to LIV, the PGA Tour raised purses, which put financial stress on the organization. At one point Monahan, in a telling comment, observed: “If this is an arms race and if the only weapons are dollar bills, the PGA Tour can’t compete.”

The vitriol between the two tours and their respective players made the second shock wave particularly upsetting to loyal PGA golfers and their fans. On June 6, PGA Tour Commissioner Monahan and PIF Governor Yasir al-Rumayyan announced that following secret negotiations (from which players as well as LIV Golf CEO Norman were excluded), they had entered into a framework agreement to form a new and yet-to-be-named legal entity that would combine their respective commercial and business assets (including LIV) as well as those of the DP World Tour (formerly known as the European Tour). The PGA Tour would remain a nonprofit organization and retain full control over how its tournaments were played. The PGA Tour’s board would appoint the majority of the board of the new entity and hold a majority voting interest in the new entity. Monahan of the PGA Tour would be the CEO, and al-Rumayyan would chair the board of the new entity. PIF would also hold a right of first refusal with respect to any required further cash investments.

The press release announcing the deal also indicated that the parties would “work cooperatively and in good faith to establish a fair and objective process for any [LIV] players who desire to re-apply for membership with the PGA Tour or the DPA World Tour.” The press release also indicated that they would cease all litigation between the parties. Good to their word, the parties soon thereafter filed a joint motion in federal court in California to dismiss the pending lawsuits with prejudice.

Monahan admitted that a subsequent meeting with the PGA Tour players was “intense” and “heated.” One player was quoted as saying that the players who remained loyal to the PGA Tour and had not followed the money felt betrayed. 9/11 Families United was also highly critical of the deal.

How much remains to be negotiated became evident when the New York Times on June 26 broke a story based on its having obtained a copy of the framework agreement. The newspaper reported that the agreement was a scant five pages long (slim even for a typical M&A letter of intent). Apart from the mutual agreement to dismiss the pending litigation, the only other firm commitments found in the agreement involved mutual confidentiality and non-disparagement covenants, a ban on recruiting players to rival tours, and a deadline of December 31 of this year for entering into a final, binding agreement (unless mutually extended). That final agreement will ultimately require the approval of the PGA Tour board. In short, the “merger” is far from being a done deal.

Where things go from here is as difficult to predict as picking the winner of the next PGA or LIV tournament.

Within days of the deal becoming public, the PGA Tour announced that Tour Commissioner Monahan had experienced “a medical situation” and would be stepping away from his day-to-day duties until further notice. Fortunately, during Monahan’s medical leave the PGA Tour had the benefit of having on its board two veteran dealmakers: Board Chairman Edward D. Herlihy, a corporate partner at Wachtel, Lipton, Rosen & Katz, and investment banker James J. Dunne III. Both men were involved in the earlier rounds of negotiations and presumably were well positioned to keep things moving forward. Even more fortunate, Monahan, more quickly than expected, sent a memo to the PGA Tour policy board on July 8 announcing that his still-undisclosed health condition had “improved dramatically,” allowing him to return to his CEO role on July 17. What Monahan’s health episode demonstrates is that any point in any deal, whether during negotiations or during post-closing integration, the sudden and unexpected unavailability of a key player, decision-maker, or champion of the deal can be very unsettling and potentially derail the transaction.

On his return, Monahan and the PGA Tour Board will face a variety of substantive questions, including:

• Who should replace independent board member and former AT&T CEO Randall Stephenson, who abruptly resigned shortly following Monahan’s announcement of his planned return? (In his resignation letter, Stephenson wrote that he had “serious concerns with how this framework agreement came to fruition without board oversight” and that “the construct currently being negotiated by management is not one I can objectively evaluate or in good conscience support, particularly in light of the U.S. intelligence report concerning Jamal Khashoggi in 2018.”)
• What value should be placed on the business assets that each party will be contributing to the new entity?
• Will there continue to be a LIV Tour, separate and apart from the PGA Tour?
• Will the PGA Tour adopt certain attributes of the LIV Tour?
• Under what terms will the LIV players be able to play in the PGA Tour events?
• Should PGA Players who did not migrate to LIV be compensated for their loyalty? If so, who decides what each of them should receive?

Other open questions involving third parties include:

• How will television networks and other media outlets cover professional golf events on a going-forward basis? Will new contracts need to be negotiated?
• Similar questions can be raised regarding sponsors of the two tours and individual players; how will they react? Will those agreements also require renegotiation?
• Will a significant number of disaffected fans simply tune out professional golf?

As for coming attractions, the U.S. Department of Justice has indicated that it is investigating the PGA/PIF/LIV deal for possible antitrust violations. It was recently reported that the parties agreed to drop the anti-poaching provision from the framework agreement, presumably in order to reduce their antitrust risk profile.

Further congressional inquiry or even proposed legislation may follow the three-hour hearing of the Senate Permanent Subcommittee on Investigations at which PGA Tour board member Dunne and Chief Operating Officer Ron Price appeared on July 11.

Next to be served up: professional tennis? The head of the Association of Tennis Professionals (ATP) Tour recently confirmed that “positive” talks had taken place with PIF and other parties regarding investment in the men’s professional tennis tour.

Even occasional viewers of televised golf will acknowledge that during the final round of a tournament, they cannot forecast who will win in advance. To learn the final outcome, they must stay tuned until the very end. So too with this current golf-related business drama. We may have seen the first two acts, but it is far from clear how many more there will be, and what professional golf will look like when the final curtain comes down.

Introduction

On June 22, 2023, a federal court in New York (“Court”) issued sanctions against two lawyers and a law firm for submitting “non-existent judicial opinions with fake quotes and citations created by the [generative] artificial intelligence tool ChatGPT.”^[1] The lawyers and their firm were jointly fined $5,000 and ordered to mail individual letters to each judge wrongly identified as the author of the non-existent opinions. While the sanctions order has been publicized as a cautionary tale against premature reliance on artificial intelligence (AI) tools,^[2] a closer read shows that sanctions were not directed at faulty use of new technology but rather at disregard for well-established principles of professional conduct inherent to the Rule of Law.

Two of the opening sentences of the Court’s opinion capture its essence: “Technological advances are commonplace and there is nothing inherently improper about using a reliable artificial intelligence tool for assistance. But existing rules impose a gatekeeping role on attorneys to ensure the accuracy of their filings.”^[3]

While acknowledging that the submission of fake, AI-generated opinions is unprecedented, the Court identified the essential harm committed by the sanctioned lawyers as “abuse of the adversary system” that flowed from the submission of fake opinions.^[4] Essentially, the Court sanctioned the involved lawyers and their firm for “abandon[ing] their responsibilities when they submitted non-existent judicial opinions with fake quotes and citations” created by ChatGPT, and, equally for continuing “to stand by the fake opinions after judicial orders called their existence into question.”^[5]

Emphasizing long-standing and well-tested principles of the Rule of Law, the decision is an invitation for lawyers to use reliable new technologies—while keeping in mind their professional obligations to safeguard the adversary legal system and honor and uphold principles of the Rule of Law. This article breaks down the Court’s opinion and offers a summary of some of the key principles of the Rule of Law that it invokes.

The Long Road from Reliance on ChatGPT to Rule 11 Sanctions

In February 2022, Steven Schwartz of the Levidow Firm filed suit in the Supreme Court of the State of New York on behalf of a personal injury claimant. This case was removed to the United States District Court for the Southern District of New York. Since Schwartz was not admitted to practice in that district, another attorney from the same firm, Peter LoDuca, filed notice of appearance in the case. Schwartz continued to perform all the substantive legal work for the federal case, with LoDuca merely signing and filing documents authored by Schwartz.

In the course of litigation, Schwartz prepared and LoDuca signed and filed a response to the defendant’s motion to dismiss. This responsive filing, a so-called “Affirmation in Opposition,” was wrongly filed in accordance with New York state and not federal court requirements. ^[6] It cited and quoted from purported judicial decisions that were said to be published in the Federal Reporter, the Federal Supplement Reporter, and Westlaw. Although LoDuca signed and filed the affirmation, he made no effort to verify the form of the filing or any case law cited therein.

Two weeks later, on March 15, 2023, the defendant filed a response, “impliedly assert[ing]” that cases cited in the plaintiff’s affirmation did not exist and stating that the few cases which the defendant was able to locate did not stand for the propositions for which they were cited.^[7] The Court conducted its own search for the cited materials but was unable to locate multiple authorities cited. Neither LoDuca, Schwartz, nor the firm they worked for sought to withdraw the filing or provide any explanation.

In April 2023, the Court ordered plaintiffs to file an affidavit that annexed copies of the cited decisions that raised concerns.^[8] Eventually, LoDuca filed an affidavit authored by Schwartz that annexed ChatGPT-generated excerpts of all but one of the fake opinions, which was described as an unpublished opinion. The affidavit was vague about the source of the excerpted materials, stating that the purported opinions represented only what was made available by online database, without identifying any “online database” by name or admitting reliance on ChatGPT.

The Court’s review found that while the fake opinions had some traits that were superficially consistent with actual judicial decisions, (e.g., citing to plausible panels of federal judges, credible docket numbers, and purported citations to case law), blatant stylistic and reasoning flaws on the face of the excerpts made it clear that they could not have issued from a US appeals court. One fake opinion, for example, started off discussing wrongful death claims related to the death of “George Scaria Varghese” only to abruptly shift to discussing claims of “Anish Varghese” who was denied boarding on a flight. The excerpts additionally conflated facts and jurisdictions, contained erroneous citations, and advanced procedural history “border[ing] on nonsensical.” ^[9]

Thus, the Court’s sanctions opinion sharply focused on the importance of protecting the adversarial process from fake submissions. The Court plainly stated that “if the matter had ended with [the lawyers] coming clean about their actions shortly after they received the defendant’s March 15 brief questioning the existence of the cases, or after they reviewed the Court’s Orders of April 11 and 12 requiring production of the cases, the record now would look quite different.”^[10]

Appreciation for the Rule of Law as a Safeguard during Uncertain Times

The sanctions opinion shows that even in cases of clear and obvious failing of technical competence, the Court’s interest remains focused on ensuring the Rule of Law. Rule of Law is defined as the restriction of the arbitrary exercise of power by subordinating it to well-defined and established laws.^[11] Traditional principles of the Rule of Law relevant to the Court’s opinion include: the principles of stare decisis, legal certainty, and legal predictability. The Court’s decision connects these principles to legal practice by citing to rules of professional conduct.

“The Anglo-American common-law tradition is built on the doctrine of stare decisis (‘stand by decided matters’), which directs a court to look to past decisions for guidance on how to decide a case before it. This means that the legal rules applied to a prior case with facts similar to those of the case now before a court should be applied to resolve the legal dispute.”^[12] Stare decisis is one of the main reasons why lawyers cite to other cases in their briefs and writings, because judges are required to align their decisions with relevant and authoritative precedents. Stare decisis relies entirely on the existence of authentic precedent authored by judges. When stare decisis is undermined, legal certainty is undermined as well. Legal certainty is the principle that requires that the law be clear, precise, and unambiguous, and its legal implications foreseeable. Fake cases disrupt clear laws, provoke ambiguity, and prevent assessment of foreseeable legal implications. Legal certainty implies legal predictability—that adjudication must be predictable. This means that laws must be clear, stable, and intelligible so that those concerned can with relative accuracy calculate the legal consequences of their actions as well as the outcome of legal proceedings.

Justice John Marshall Harlan considered the importance of giving the public a “clear guide,” the value of helping individuals “to plan their affairs,” the benefits of “expeditious adjudication,” and “the necessity of maintaining public faith in the judiciary as a source of impersonal and reasoned judgements” as providing strong indication that courts should respect their own precedents.^[13] Perhaps echoing Justice Harlan’s approach, the Court here provides useful illustration of the contemporary impacts:

Many harms flow from the submission of fake opinions. The opposing party wastes time and money in exposing the deception. The Court’s time is taken from other important endeavors. The client may be deprived of arguments based on authentic judicial precedents. There is potential harm to the reputation of judges and courts whose names are falsely invoked as authors of the bogus opinions and to the reputation of a party attributed with fictional conduct. It promotes cynicism about the legal profession and the American judicial system. And a future litigant may be tempted to defy a judicial ruling by disingenuously claiming doubt about its authenticity.^[14]

Highlighting the connection between harmful systemic impacts and relevant procedural and ethical legal practice rules, citing Rule 11 of the Federal Rules of Civil Procedure, the Court found that filing papers “without taking the necessary care in their preparation” was an “abuse of the judicial system” subject to Rule 11 sanction.^[15] Further, the Court cited Rule 3.3(a)(1) of the New York Rules of Professional Conduct, 22 N.Y.C.R.R. § 1200.0 (NYRPC), which states, “A lawyer shall not knowingly make a false statement of fact or law to a tribunal or fail to correct a false statement of material fact or law previously made to the tribunal by the lawyer.” In highlighting the appropriateness of reliance on other lawyers, databases, and technology, the Court implicitly points to Rule 5.1 NYRPC that imposes obligations on lawyers, particularly firms and direct supervisors, to make reasonable efforts to ensure conformity with these and other rules. The Court even went to the extent of discussing potential violations of criminal law, noting that knowingly passing off false documents as authentic ones issued by the courts of the United States implicates the federal criminal statute prohibiting such conduct. The Court ultimately found that since no fake signatures or seals were submitted, the criminal statute was not invoked, despite noting the strong resonance between the crimes the statute seeks to prevent and the circumstances of the case.^[16]

Lawyers in the United States, regardless of where they are barred, have an obligation to uphold principles of Rule of Law. This means while lawyers have an obligation to zealously represent their clients, they are required to fulfill this obligation in a manner that upholds the integrity and fair functioning of the legal system. When it comes to citing precedents, this means that lawyers have an obligation to advance arguments grounded in authentic legal precedent. This includes the obligation to check citations and to locate and review full decisions. This principle extends to all actors in the legal system, whether they are judges, attorneys, or pro se litigants. The adversarial system depends on transparent and open development of the law by judges through an adversarial process. Reliance on fake decisions not only undermines the potential for a fair fight between the parties, but it also undermines the value, certainty, and predictability of a decision.

Generative AI is a type of AI system “capable of generating text, images, or other media in response to prompts. Generative AI models learn the patterns and structure of their input training data, and then generate new data that has similar characteristics.”^[17] Consumer-grade generative AI tools, now in the hands of millions of people across the globe, are transforming the way people work, create, and interact with one another.

The law frequently lags behind technological, political, social, and economic developments. This is because creating laws and regulations specific to the new context and challenges takes time, diverse inputs, and planning. When technological change provokes political, social, and economic uncertainty, it also provokes tremendous legal uncertainty—as the nature of legal problems that people face are also transformed. As technology triggers rapid changes, the gap between the law and newly evolving legal problems becomes exponentially bigger.

This lag between technology and the law can often create anxiety around technological change and development. The Court’s sanctions order and opinion shows how a sound appreciation for the principles of Rule of Law can act as a safeguard or safe harbor during times of uncertainty provoked by technological change. In the context of technological change and lagging legal change, new laws, regulations, policies, and guidelines are reliably derived from existing laws, regulations, policies, and guidelines and, therefore, will unwaveringly uphold basic principles of the Rule of Law. Knowledge of and appreciation for what is existing (here the rules of professional responsibility) can help lawyers better navigate uncertainty, avoid sanction, and achieve more favorable results for their clients.

If you are interested in learning more about the Rule of Law and business, please sign up to take the ABA Business Law Section Rule of Law Working Group’s CLE webinar, available online free for ABA members.

This article is part of a series on intersections between business law and the rule of law, and their importance for business lawyers, created by the American Bar Association Business Law Section’s Rule of Law Working Group. Read more articles in the series.

1. Mata v. Avianca, Inc., No. 54, 22-cv-1461 (PKC), at 1 (S.D.N.Y. June 22, 2023). ↑

2. See, e.g., Josh Russell, Sanctions ordered for lawyers who relied on ChatGPT artificial intelligence to prepare court brief, Courthouse News Service, June 22, 2023. ↑

3. Mata v. Avianca, Inc., No. 54, 22-cv-1461 (PKC), at 1 (S.D.N.Y. June 22, 2023) (internal citations omitted). ↑

4. Id. at 1–2. ↑

5. Id. at 1. ↑

6. Id. at FN 2 (noting that the document Schwartz filed was “a creature of New York state practice” that did not satisfy federal court requirements for opposing a motion to dismiss). ↑

7. Id. at 5. ↑

8. Id. at 7. The Court requested the following cases, stating that failure to comply would result in dismissal of Plaintiff’s case: Varghese v. China Southern Airlines Co., Ltd., 925 F.3d 1339 (11th Cir. 2019); Shaboon v. Egyptair, 2013 IL App (1st) 111279-U (Ill. App. Ct. 2013); Peterson v. Iran Air, 905 F. Supp. 2d 121 (D.D.C. 2012); Martinez v. Delta Airlines, Inc., 2019 WL 4639462 (Tex. App. Sept. 25, 2019); Estate of Durden v. KLM Royal Dutch Airlines, 2017 WL 2418825 (Ga. Ct. App. June 5, 2017); Ehrlich v. American Airlines, Inc., 360 N.J. Super. 360 (App. Div. 2003); Miller v. United Airlines, Inc., 174 F.3d 366, 371-72 (2d Cir. 1999); In re Air Crash Disaster Near New Orleans, LA, 821 F.2d 1147, 1165 (5th Cir. 1987); and Zicherman v. Korean Air Lines Co., Ltd., 516 F.3d 1237, 1254 (11th Cir. 2008). ↑

9. Id. at 11. ↑

10. Id. at 2. ↑

11. See also further articles from this series: John H. Quinn, Rule of Law – What is It?, Business Law Today, (Sept. 3, 2021); Kimberly Lowe, The Business Lawyer and the Rule of Law – The Rule of Law Is Our Business, Business Law Today, (June 29, 2021). ↑

12. Precedent, Law.Jrank.org. ↑

13. Mortimer N.S. Sellers, The Doctrine of Precedent in the United States of America, 54 Am. Journal Compar. L. 67, 87 (2006) (citing Moragne v. States Marine Lines, 398 U.S. 375, 403, 90 S.Ct. 1772, 1789 (1970)). ↑

14. Mata v. Avianca, Inc., No. 54, 22-cv-1461 (PKC), at 1–2 (S.D.N.Y. June 22, 2023). ↑

15. Id. at 22 (internal citations omitted). ↑

16. Id. at 23-4. This portion of the Court’s opinion should be of particular interest to counsel advising on development of generative AI projects, as it suggests that any AI hallucinations that fabricate court judgments to include court signature and seal might potentially lead to criminal charges. See also Dredeir Roberts, How General Counsels Battle the Weaknesses in the United States Rule of Law, Business Law Today (Aug. 12, 2022). ↑

17. Generative Artificial Intelligence, Wikipedia. ↑

As private equity funds (PE funds) face increased scrutiny for their environmental, social, and governance (ESG) practices, it is increasingly important for PE funds to consider ESG factors in their investment decisions and operation of portfolio companies. This article discusses the trend of integrating of ESG considerations into M&A deals.

A focus on ESG can be a competitive advantage for target companies, PE funds, and other strategic acquirers. It assists PE funds and portfolio companies in creating value, mitigating risk, and becoming more resilient. Consideration of ESG factors in M&A transactions is undeniably rising. Failing to account for critical ESG elements can negatively impact a business and undermine its success.

PE funds are displaying a heightened level of selectivity in light of the evolving ESG landscape. According to the results of PwC’s 2021 Global PE Responsible Investment Survey,^[i] 37% of respondents reported declining investment opportunities based on environmental, social, and governance considerations.

To ensure that ESG factors are effectively considered in M&A transactions, PE funds should conduct ESG-focused due diligence, allocate ESG risks in the transaction agreement, and perform post-closing ESG integration. This article explores the growing importance of ESG in M&A and provides guidance on how to integrate ESG considerations into the deal-making process.

Drivers of ESG Importance

Financial Implications

The business landscape is undergoing significant transformation, as consumer consciousness, spending habits, employee demands, regulatory environments, and industry perspectives have all shifted towards ESG considerations. The growing impact of climate change on the operations and value of companies has prompted a significant shift in investment, as ESG trends continue to gain traction. Natural disasters, which have caused an estimated $280 billion in losses in 2021 alone,^[ii] have made the risks associated with ESG all the more tangible and quantifiable, affecting M&A activities. In addition, businesses must also consider the impact of ESG on financing, as poor ESG ratings and performance can restrict access to capital. Lenders and institutional investors have made it clear that prioritizing ESG is now a must for businesses, or they risk losing access to funding. The United Nations–supported Principles for Responsible Investment (UNPRI) is an example of a growing group of investor signatories incorporating ESG issues into their investment analysis, promoting responsible investment. UNPRI consists of approximately 3,800 asset owners and investment managers with nearly $121 trillion in assets under management.^[iii]

Regulatory Compliance

Across jurisdictions, the ESG regulatory landscape is steadily evolving. Regulators along with other oversight bodies have been expending resources to monitor and create rules and guidance on ESG matters. The US Securities and Exchange Commission (SEC) is evaluating current disclosure practices of climate-related risks and has proposed rule^[iv] changes that would require registrants to include certain climate-related disclosures in their registration statements and periodic reports, including information about climate-related risks that are reasonably likely to have a material impact on business, operations, and financial condition, and certain climate-related financial statement metrics. PE funds should not only consider impending changes to regulations but should also consider “soft” laws such as standards, recommendations, and codes of practice. ESG factors will be a key consideration for both the buyer and target, as various regulatory bodies continue to bring additional ESG rules and regulations into force.

Demands of LPs

Limited partners (LPs) are frequently demanding that PE funds asses investment opportunities from an ESG lens and ensure that any portfolio companies are evaluated using ESG metrics. A recent survey^[v] conducted by Bain & Company and the Institutional Limited Partners Association found that 80% of surveyed LPs expect to ramp up requests to their general partners for ESG reporting during the next three years. It is common for LPs and other stakeholders, such as lenders, to require the PE funds to provide non-regulatory reports on ESG matters. As such, a PE fund should ensure that it has established and implemented an effective ESG framework for any investment decision. Once the acquisition is complete, it should also establish effective ESG policies and procedures, including setting ESG metrics and targets, for each portfolio company. In doing so, a PE fund can not only avoid potential liability relating to ESG issues, but also attract new investees, as portfolio companies that can establish that they continually address ESG issues have an opportunity to create value.

Reputational Risk

Shareholders and investors are becoming increasingly attuned to ESG issues. By directing their investments to companies with comprehensive and established ESG disclosures, shareholders and investors globally are a key driving force behind growing ESG disclosure. Since ESG factors overlap with core corporate values, failure to address ESG issues may have a disproportionately negative reputational impact on a business. When considering a transaction, PE funds should understand all ESG matters associated with the transaction, evaluate how to mitigate any reputational risks, and ensure that processes are in place to monitor the business’s reporting method.

ESG Considerations

ESG Due Diligence

PE funds should consider broadening the scope of their due diligence to include performing targeted ESG investigations. ESG due diligence will look different for each transaction and will depend on the nature and type of business the target is conducting and the relevant operating jurisdictions. Due diligence should go beyond a routine examination of organizational performance and consider wide-ranging impacts and dependencies across the global value chain.

The due diligence process must integrate ESG into each stage of the deal and should inform the PE fund of any potential impact of the merger or acquisition on its sustainability strategy and the long-term value of the combined entity. Red flag checks may include assessing the future fitness of the target and relevant assets and media scans to understand any major ESG-related risks. Due diligence should identify any human rights violations, corruption, environmental degradation, privacy breaches, data breaches, harassment, workplace misconduct, workplace diversity issues, gender inequity, greenhouse gas emissions, and previous instances of non-compliance, as well as the target’s ESG ratings, the use of ESG standards, and the target’s level of community engagement. This will identify potential liabilities or cultural concerns that can be investigated further. Other due diligence considerations may also flag physical and transitional risks associated with climate change. Because ESG due diligence covers such a broad scope, PE funds should consider engaging experts in different areas to review their respective ESG findings with other experts to capture a comprehensive and interdisciplinary view of ESG risks.

Targeted ESG due diligence will assist buyers in identifying ESG risks that may influence a target’s price and overall deal structure. Once fully cognizant of the potential liabilities and risks of a transaction, companies may mitigate ESG risk through the transaction agreement.

Transaction Agreement

M&A transaction agreements, such as share purchase agreements and asset purchase agreements, are already reflecting the growing importance of ESG factors. Since the beginning of the COVID-19 pandemic, the majority of M&A agreements adopted provisions for COVID-19 in material adverse effect clauses and interim operating covenants. COVID-19 tested the resilience of corporations globally, and has shown investors that ESG matters now more than ever.

Through ESG diligence, a PE fund can understand the potential risks and pitfalls that relate to the target’s operations and industry. The PE fund can then look to address any ESG risks in the transaction agreement through specific indemnities, targeted representations and warranties addressing ESG matters, or through various pre-closing conditions or post-closing covenants of the sellers. The transaction agreement will typically contain customary representations and warranties relating to the various aspects of the operations of the business and the regulatory environment in which it operates. These customary representations and warranties may address several ESG factors. Yet, these representations and warranties should be reviewed and revised in light of specific regulations or codes of conduct that apply to the operations of the business and any ESG factors. PE funds should therefore consider and look to negotiate the inclusion of applicable ESG representations, which may include “MeToo” representations requiring targets to disclose misconduct allegations, compliance with specific codes or principles that the target has voluntarily complied with, or compliance with recommendations of applicable codes of conduct or guidelines issued by oversight bodies.

For ESG risks that are identified in diligence, PE funds should consider the materiality of these identified risks and consider how these issues can be addressed. The purchase agreement should be tailored to suit the needs of each transaction. Depending on the issue identified, the vendors may be able to address the concerns pre-closing. This could include adding provisions such as special pre-closing covenants requiring detailed reporting and disclosure of any new ESG issues that may arise.

If the issue cannot be addressed pre-closing, such as non-compliance with ESG-related regulations, the buyer may wish to negotiate a reduction in the purchase price to reflect the risk assumed. In addition, the buyer may wish to consider a specific indemnity to address the risk for known ESG issues and holdback of a portion of the purchase price that the purchaser can set off against any losses it incurs due to the issues identified. The parties may also look to restructure the transaction to assist in mitigating the risk.

Post-Closing Matters

Post-closing, the buyer should establish procedures to ensure continuous review of ESG factors relating to the operation of the portfolio company. This will include addressing and managing issues identified during the acquisition, but also continuously monitoring the company for ongoing ESG considerations. The PE fund should confirm that the portfolio company has qualified management and an effective board of directors with knowledge and experience to provide effective oversight of the portfolio company, including ESG matters.

Board Matters

PE funds should ensure that the board of the directors of the portfolio company has policies and processes in place to ensure that it understands how ESG issues may impact the company. In developing ESG risk management policies and procedures, the portfolio company and the board of directors should establish an appropriate governance structure and allocate the roles and responsibilities of directors and different board committees. The designation of specific roles ensures that each party knows who is responsible for certain tasks.

A robust ESG risk management framework within a company is integral to the overall culture and success of portfolio company. ESG procedures and policies will look different for each company depending on its industry and the type of business, but generally, an ESG risk management system should:

1. promptly identify material ESG risks;
2. implement appropriate ESG risk management strategies that align with the company’s business strategies and ESG risk profile;
3. integrate ESG risk and risk management into corporate strategy and business decision-making; and
4. properly document and communicate necessary information on ESG risks to applicable parties such as employees, shareholders, and senior executives.

To properly manage ESG risk, the risk must first be identified; to identify risks, companies must develop reporting procedures to gather high-quality ESG data. To maintain consistency among different data sets, companies should aim to have a standard process and create central repositories or reference sets for recording ESG data. Ideally, having automatic processes to record data when possible as opposed to manually adding data would minimize errors in data sets.

Conclusion

As companies, investors, and limited partners are becoming increasingly conscious of social and environmental factors, it is critical to evaluate investment opportunities through an ESG lens. For the foreseeable future, ESG-assessed M&A will be an important tool to generate growth and provide companies with a competitive edge. It will also be crucial in establishing stakeholder trust. For PE funds, decisive steps are needed in risk reduction and long-term value generation. PE funds that take initiative and embrace ESG in M&A will be better positioned to achieve sustainable growth and adapt to constantly evolving expectations.

[i] Global Private Equity Responsible Investment Survey (2021), PwC.

[ii] Hurricanes, cold waves, tornadoes: Weather disasters in USA dominate natural disaster losses in 2021 (2022), Munich Re.

[iii] About the PRI (last accessed May 22, 2023), Principles for Responsible Investment.

[iv] The Enhancement and Standardization of Climate-Related Disclosures for Investors, Release Nos. 33-11042; 34-94478 (2022), US Securities and Exchange Commission.

[v] Limited Partners and Private Equity Firms Embrace ESG (2022), Bain & Company.

In 2023, the European Union and Ukraine will enter treaty relations under the 2019 Hague Convention on the Recognition and Enforcement of Foreign Judgments in Civil or Commercial Matters (the “Convention” or the “Hague Judgments Convention”).^[1] In announcing this news, the EU Council confirmed that there are no “fundamental obstacles” to prevent the EU from entering treaty relations with Ukraine under the Convention. As of September 1, 2023, the two government states will recognize each other’s civil and commercial judgments—thus limiting the “myriad of substantive, procedural, and practical hurdles” that parties may face when seeking recognition and enforcement of their judgments in foreign jurisdictions.^[2]

This agreement between the EU and Ukraine is an important step towards greater recognition of the Hague Judgments Convention, an international treaty that commits contracting states to recognize and enforce judgments in civil or commercial matters. The Convention applies to both monetary and non-monetary judgments that a court may render in civil or commercial matters. While its scope is broad, the Convention specifically excludes subjects viewed as fundamental to state sovereignty or public policy (e.g., criminal, revenue, customs, or administrative matters) and other areas that are subject to various treaty regimes or where the rules vary more significantly across jurisdictions (e.g., family disputes, intellectual property, antitrust, defamation, privacy, or armed forces matters).^[3]

The portability and enforcement of foreign judgments is important to any person or company that does business internationally. In this area, predictability is key.^[4] There exists a general presumption that foreign judgments will be recognized and enforced, and a refusal may create inefficient and uncertain litigation results. Countries may seek to recognize and enforce each other’s judgments for a myriad of reasons—including efficiency, access to justice, and comity.^[5] The current state of recognition and enforcement varies from country to country and court to court, creating confusion and inefficiency. Further ratification of the Hague Judgments Convention may ease some of that burden.

Procedure to Ratify the Hague Judgments Convention

With the EU and Ukraine ratifying the Convention, it will go into effect between these two states later this year. Several steps must take place before a treaty like the Hague Judgments Convention is effective:

• First, the states negotiate the treaty’s terms at a conference. The Hague Judgments Convention was negotiated during and concluded at the Hague Conference on Privacy and International Law on July 2, 2019.
• Second, a treaty opens for signature for a certain time following the conference. The Hague Judgments Convention has been open for signature since 2019, and in addition to the EU and Ukraine, five countries have signed—Costa Rica, Israel, the Russian Federation, the United States, and Uruguay.
• Third, signatory states may choose to ratify the treaty. A signature is not binding unless the state endorses that signature by ratification. Each foreign state has its own ratification procedure. On August 29, 2022, the EU became the first party to ratify the Hague Judgments Convention, and shortly thereafter, Ukraine became the second. The other signatories (including the United States) have yet to ratify the Convention.
• Fourth, with two contracting parties (the EU and Ukraine), the Convention is binding between those foreign states and enters into force on September 1, 2023, one year after the first two states completed ratification.^[6]

Ratification in the United States—Is It Possible? And How Would It Help American Individuals and Companies?

The United States signed the Hague Judgments Convention on March 2, 2022, but has yet to ratify it. Were it to happen, ratification would be a two-step process: the Senate formally gives its advice and consent, which empowers the president to ratify the treaty.^[7] US ratification could create a straightforward path for the recognition of US judgments abroad.^[8] Wider ratification could also provide a natural counterpart to the widely adopted New York Convention of 1958, which provides recognition and enforcement of arbitral awards across international borders.^[9]

As of June 2023, there exists no federal law governing the recognition of foreign judgments in the United States,^[10] and recognition and enforcement of judgments remain questions of state law.^[11] Most US states model their approach to recognizing foreign judgments on the Uniform Foreign Money-Judgments Recognition Act of 1962 and the Uniform Foreign-Country Money Judgments Recognition Act of 2005. US courts are liberal in recognizing foreign judgments, and typically do so unless there are specific mandatory or discretionary grounds to decline recognition.^[12] Grounds to deny recognition include, but are not limited to: doubt about the foreign court’s integrity, lack of due process rendering procedures fundamentally unfair, or judgment by fraud.

The Hague Judgments Convention Could Simplify Enforcement and Recognition of US Judgments Abroad

Because US law is generally receptive to the recognition and enforcement of foreign judgments, the Hague Judgments Convention would not drastically change the procedure for enforcement and recognition of foreign judgments in the US.^[13] For example, if a prevailing party seeks to collect on a Zimbabwean judgment in the US, there is a presumption in US courts that the Zimbabwean judgment should be recognized and enforced, absent any grounds to deny recognition. There are still procedural hurdles and costs the prevailing party will incur. The Hague Judgments Convention could make the enforcement and recognition process more efficient in the US by creating a single framework to replace the myriad of state court procedures.

The story may change for those individuals and companies seeking enforcement and recognition of US judgments abroad. Currently, there are significant differences among governments’ legal systems that can create confusion and inconsistent results. If, for example, a party obtains a judgment in a US court and seeks its recognition and enforcement against a party with assets in Zimbabwe, the party would need to consider carefully how to petition the courts in Zimbabwe and enforce the judgment against those Zimbabwean assets. There may or may not be a similar presumption to recognize and enforce that US judgment in Zimbabwe. The process and likelihood of success may change entirely if the judgment needs to be enforced against assets in a country other than Zimbabwe. The dearth of reliable information about and lack of consistency in the procedure for recognition and enforcement among foreign states complicates what could be a straightforward step following litigation in the selected forum.^[14]

The Hague Judgments Convention may considerably simplify the current process. Article 5(1) of the Hague Judgments Convention presents thirteen bases of recognition and enforcement. If any of these bases are met, a judgment is eligible for recognition and enforcement. These bases include, among others, ensuring:

1. Domicile – the judgment debtor is habitually resident and/or holds their principal place of business in the foreign forum.
2. Consent – the judgment debtor consented to the foreign court’s jurisdiction.
3. Waiver – the judgment debtor waived any jurisdictional objections by arguing the merits in the forum state without contesting jurisdiction.
4. Real Property – the judgment implicates the lease on property within the foreign court’s jurisdiction.

Article 7 presents the bases that disqualify a judgment from recognition. These include, among others:

1. Service – the judgment debtor was not notified with sufficient time to arrange for a defense.
2. Fraud – the judgment was obtained by fraud.
3. Public Policy – recognition of the judgment would be manifestly incompatible with the foreign state’s public policy.
4. Procedural Fairness – the proceedings that produced the judgment were not compatible with fundamental procedural fairness in the foreign state.
5. Inconsistent Judgment – the judgment is inconsistent with an earlier judgment from the foreign court.

The Secretary General of the Hague Conference has called the Hague Judgments Convention a “gamechanger for cross-border dispute settlement,” as well as “an apex stone for global efforts to improve real and effective access to justice.”^[15] If ratified by the United States and other foreign states, the Convention could provide litigants with a uniform path for recognizing and enforcing foreign civil judgments worldwide. Before even filing a case, litigants could look to the Convention to guide them on where and how to seek enforcement of an ultimate award. The Convention would obviate the current need to obtain local counsel and tiptoe through idiosyncrasies in foreign jurisdictions to determine enforceability. There is comfort, especially for cross-border litigants seeking to enforce their US judgments abroad, in the predictability that a widely ratified Convention could bring.

Concerns Remain about Ratification of the Hague Judgments Convention

The beauty of the Convention’s simplicity may also lead to a cut-and-dry application, thus limiting the nuanced discretion that courts may take in choosing to enforce a foreign judgment. Applying the Hague Judgments Convention’s simple framework, courts worldwide may find themselves obligated to recognize what they perceive as a corrupted judgment if it does not fall into the narrow grounds that Article 7 provides for nonrecognition.^[16]

Unless countries feel the benefit to their corporate and individual citizens outweighs any possible concerns, there will be hesitance to ratify the Hague Judgments Convention. A prime example of hesitancy in the ratification context is the Hague Convention of Choice of Court Agreement (“COCA”), which has been called the “litigation counterpart” to the New York Convention.^[17] COCA provides, among other things, that when parties have agreed to resolve their disputes in a specific court, (1) the signatory states must abstain from asserting jurisdiction over the matter; and (2) a judgment rendered by that chosen court will be enforced in all signatory states.^[18] Like the Hague Judgments Convention and the Singapore Convention, the United States has signed COCA, but considerations of whether to implement it at the state or federal level have delayed ratification.^[19] There is significant opposition to COCA’s ratification, with the dissenters arguing that COCA would dilute essential protections that the New York Convention provides, including those for party autonomy and procedural fairness.^[20] Unless there is movement on either side, that impasse appears to have delayed COCA’s ratification indefinitely.

We might not see a major change in how foreign judgments are recognized and enforced by US courts if the US were to ratify the Hague Judgments Convention. For individuals and entities who want their judgments recognized internationally, however, ratification could allow greater portability of US judgments abroad. This benefit would be of significant interest to parties engaged in international trade agreements and other cross-border disputes that may require enforcing a judgment abroad.

Without further ratification of the Hague Judgments Convention, the status quo for recognition and enforcement of judgments remains—with all of its benefits and limitations. Moreover, until the Hague Judgments Convention sees further ratification, it is likely that international arbitration will remain a preferred method for resolving cross-border disputes. This is in part because the New York Convention allows easy portability for recognition and enforcement of those arbitral awards, thus allowing international arbitration awards to be enforceable in nearly every jurisdiction worldwide.

1. Council of the European Union Press Release, The EU and Ukraine will recognise and enforce each other’s court decisions (Apr. 24, 2023); see also European Commission, Proposal for a Council Decision on the Accession by the European Union to the Convention on the Recognition and Enforcement of Foreign Judgments in Civil or Commercial Matters, COM (2021) 388 (July 16, 2021) (recommending accession to the Convention so as to ensure the circulation of foreign judgments beyond the EU area and to increase “growth in international trade and foreign investment and the mobility of citizens around the world”). ↑

2. Sarah E. Coco, Note, The Value of a New Judgments Convention for U.S. Litigants, 94 N.Y.U. L. Rev. 1209, 1212–13 (2019) (“Although it is difficult to assess the scope of the problem of non-recognition, a survey by the American Bar Association found that litigants seeking to get U.S. judgments recognized abroad face ‘a myriad of substantive, procedural, and practical hurdles.’”) (quoting Comm. on Foreign & Comparative Law, Survey on Foreign Recognition of U.S. Money Judgments, 56 Rec. Ass’n B. City N.Y. 378, 410 (2001)). ↑

3. Convention on the Recognition and Enforcement of Foreign Judgments in Civil or Commercial Matters, July 2, 2019 (hereinafter “Convention”), at art. 1(2) and 2. ↑

4. See Boris Kozolchyk, The “Best Practices” Approach to the Uniformity of International Commercial Law: The UCP 500 and the NAFTA Implementation Experience, 13 Ariz J. Int’l & Comp. L. 443, 452 (1996) (“Free trade, especially in large volume cross border transactions, presupposes a high degree of uniformity and standardization of commercial law and practice.”). ↑

5. See, e.g., Arthur T. Von Mehren & Donald T. Trautman, Recognition of Foreign Adjudications: A Survey and a Suggested Approach, 81 Harv. L. Rev. 1601, 1603 (1968) (noting “desire to avoid the duplication of effort and consequent waste involved in reconsidering a matter that has already been litigated”); William S. Dodge, International Comity in American Law, 115 Colum. L. Rev. 2071, 2089 (2015) (noting that “[c]omity [has] served . . . as the basis for recognizing foreign judgments”); Christopher A. Whytock, Transnational Access to Justice, 38 Berkeley J. Int’l L. 154, 168–69 (2020) (arguing that failures to enforce foreign judgments can produce access-to-justice gaps). ↑

6. Convention at art. 29. ↑

7. U.S. Const. art. II, § 1 (stating the president “shall have Power, by and with the Advice and Consent of the Senate, to make Treaties, provided two-thirds of the Senators present concur.”). ↑

8. Sarah E. Coco, Note, The Value of a New Judgments Convention for U.S. Litigants, 94 N.Y.U. L. Rev. 1209, 1212–13 (2019). ↑

9. Article 2(3) of the Hague Judgments Convention categorically excludes arbitration proceedings, which the New York Convention addresses. Officially known as the Convention on the Recognition and Enforcement of Foreign Arbitral Awards, the New York Convention has been recognized as one of the most successful international conventions. The Singapore Convention, were it to be ratified, seeks to do for mediation what the New York Convention did for arbitration—it would create a system for recognition and enforcement of mediated settlement agreements without requiring a new litigation or arbitration action. See United Nations Convention on International Settlement Agreements Resulting from Mediation, opened for signature Aug. 7, 2019 (adopted Dec. 20, 2018) (the “Singapore Convention”). The Singapore Convention opened for signature on August 7, 2019. As with the Hague Judgments Convention, the United States has been a signatory to the Singapore Convention since 2019, but has yet to ratify it. Eight countries have ratified the Singapore Convention: Belarus, Ecuador, Fiji, Honduras, Qatar, Saudi Arabia, Singapore, and Turkey. ↑

10. In 2006, the American Law Institute released a proposed federal statute for recognizing and enforcing foreign judgments, but to date, no federal law has been adopted. See Recognition and Enf’t of Foreign Judgments: Analysis and Proposed Fed. Statute (Am. L. Inst. 2006). Notably, the U.S. Constitution’s Full Faith and Credit Clause (guaranteeing that “Full Faith and Credit shall be given in each State to the public Acts, Records, and judicial Proceedings of every other State”) applies between the various U.S. states, but not to recognition and enforcement of foreign judgments. ↑

11. Restatement (Fourth) of Foreign Relations Law of the United States pt. iv, ch. 8, intro. note (Am. L. Inst. 2018) (“Customary international law imposes no obligation on states to give effect to the judgments of other states. Instead, domestic law and treaty regimes typically govern recognition and enforcement.”). ↑

12. See generally Louise Ellen Teitz, Another Hague Judgments Convention? Bucking the Past to Provide for the Future, 29 Duke J. Comp. & Int’l L. 491 (2019) (reviewing the Convention’s negotiations history); see also Hilton v. Guyot, 159 U.S. 113 (1895) ((stating the general rule that “the merits of the case should not, in an action brought in this country upon the [foreign] judgment, be tried afresh, as on a new trial or an appeal, upon the mere assertion of the party that the judgment was erroneous in law or in fact”); Ronald A. Brand, The Continuing Evolution of U.S. Judgments Recognition Law, 55 Colum. J. Transnat’l. L. 277, 282 (2017) (describing the legacy of Hilton as a U.S. regime that is “very receptive” to recognizing foreign judgments). ↑

13. See Brand, supra note 12, at 282 (noting “[Hilton] is the foundation for a system that is very receptive to the recognition and enforcement of foreign judgments. The Hilton legacy is the application of the doctrine of comity to the recognition of foreign judgments–showing respect for, and giving effect to, the decisions of foreign courts.”); see also Samuel P. Baumgartner & Christopher A. Whytock, Enforcement of Judgments, Systematic Calibration, and the Global Law Market 23 Theoretical Inquiries L. 119 (2022) . ↑

14. See Baumgartner, supra note 13, at 126 (“Even if choice-of-law and forum selection clauses are reliably enforced, the effectiveness of the resulting dispute resolution outcomes will be uncertain unless the parties can expect those outcomes to be enforceable. If the defendant lacks assets in the selected forum, the parties’ expectations will depend on whether a different state where the defendant does have assets would enforce the judgment against those assets. Other things being equal, parties would have weaker incentives to select the law and courts of a given state if they do not expect a resulting judgment to be enforceable. Those expectations depend, in turn, on the rules governing the enforcement of foreign judgments.”). ↑

15. Hague Conference on Private International Law, Gamechanger for Cross-Border Litigation in Civil and Commercial Matters to be Finalized in the Hague (June 18, 2019) (quoting the Secretary General of the Hague Conference). ↑

16. Diana A.A. Reisman, Breaking Bad: Fail-Safes to the Hague Judgments Convention, 109 Geo L.J. 879, 906 (2021) (“Prudence dictates that before adhering to the Judgments Convention, the United States explore fail-safes under international law should the judicial integrity of a co-contracting state fall below a minimum standard.”). ↑

17. See Glenn P. Hendrix, Memorandum of the American Bar Association Section of International Law Working Group on the Implementation of the Hague Convention on Choice of Court Agreements, 49 Int’l Law. 255, 256 (2016). ↑

18. See Hague Convention on Choice of Court Agreements, art. 6, 8(2). ↑

19. See Hendrix, supra note 17, at 255 (noting “The Convention enjoys universal support in the United States, but its transmittal to the Senate for advice and consent to ratification has been held up by disagreements over whether it should be implemented by federal law or by a combination of federal and state law.”). ↑

20. See Gary B. Born, Why States Should Not Ratify, and Should Instead Denounce, the Hague Choice-of-Court Agreements Convention, Part I (June 16, 2021); Part II (June 17, 2021); and Part III (June 18, 2021), Kluwer Arbitration Blog (noting that “notwithstanding a valid choice-of-court agreement, there is no justification for recognizing judgments from courts whose integrity and independence are suspect.”). ↑

As an equivalent of the value of transaction test in some jurisdictions, the Turkish Competition Authority (“TCA”) applies a special threshold for concentrations involving technology undertakings. In other words, concentrations that involve technology undertakings are treated differently with regards to the Turkey-related turnover threshold, which determines whether a transaction must be authorized by the TCA. The usual threshold for Turkey-related turnover is irrelevant if you are regarded as a a technology undertaking under Turkish merger control rules. This special local threshold exception aims at catching a greater number of transactions in the digital/high-tech markets, with a view to preventing acquisitions of innovative companies to eliminate them as a possible source of future competition (“killer acquisitions”). We have already witnessed the practical application of this turnover exception threshold in several cases, e.g., the Twitter deal as a result of which Elon Musk faced a gunjumping fine in Turkey for failing to notify and obtain approval from the TCA. The case underlines that the notification requirement is also applicable to foreign-to-foreign transactions to the extent that the merger control thresholds are met and irrespective of nexus with Turkey. In this short article we provide what you should know about merger control thresholds in Turkey, particularly if you may be qualified as a technology undertaking by the TCA.

Thresholds in General: Legal Framework

The notification procedure and time frame of merger control in Turkey are broadly aligned with the corresponding procedure and time frame in the EU. The Turkish Competition Law requires prior notification to the TCA of transactions that involve a change of control on a lasting basis and that meet certain financial thresholds regarding the turnover of the parties to the transaction.^[1] As stated in Article 7 of the TCA’s Communiqué No. 2010/4 (Merger Communique),^[2] a concentration is notifiable in Turkey where:

• the aggregate turnover of the transaction parties in Turkey exceeds TRY 750 million (approx. EUR 35.6 million), and the turnover of at least two of the transaction parties each in Turkey exceeds TRY 250 million (approx. EUR 11.9 million); or
• either the turnover in Turkey of (i) the acquired assets or businesses in acquisitions, or (ii) any of the transaction parties in mergers, exceeds TRY 250 million (approx. EUR 11.9 million), and the worldwide turnover of at least one of the other parties to the transaction exceeds TRY 3 billion (approx. EUR 142.6 million).

According to Article 7(2) of the Merger Communique, the Turkey-related turnover threshold of TRY 250 million prescribed in Article 7(1) shall not apply to concentrations with technology undertakings as their target if the technology undertakings either operate or conduct research and development activities in the Turkish market, or provide services to Turkish users.

Understanding Technology Undertakings: Case Law

The Merger Communique defines technology undertakings as undertakings that have activities in the areas of digital platforms, software and game software, financial technologies, biotechnology, pharmacology, agriculture chemicals and health technologies, or assets related thereto. ^[3] The definition is rather broad. To understand it better, the TCA has issued several decisions demonstrating its interpretation of the technology undertaking exception.

The TCA examined concentrations that did not meet the notification thresholds, but it analyzed the activities of the targets to see if they could be qualified as technology undertakings.

Citrix/TIBCO^[4] was the first decision applying the technology undertaking exemption. Both companies were active in the development of software, and hence there were no doubts as to the application of the technology undertaking exemption.

In Cinven Capital/International Financial^[5] the TCA recognized using digital platforms as being active in the software market. In particular, the target was active in providing savings and investment products through life insurance packages to individual investors. The company’s Turkish turnover was mainly derived from the sales by a third-party distributor since the undertaking did not have any subsidiaries or affiliates in Turkey. The target was considered a technology undertaking as it provided services to its customers with digital access via digital platforms in the life insurance sector in Turkey.

However, in Nielsen/Brookfield,^[6] the target was not viewed as a technology undertaking, even though the target used software as a tool in providing other services. It utilized data analytics tools to provide insights about market conditions and customer trends to their customers.

Providing software services and wifi solutions qualified the target as a tecnology undertaking in Providence/Airties.^[7]

Producing application programming interfaces and ready-to-use pharmaceuticals was viewed as falling within the scope of the technology undertaking definition in the Astorg/Corden^[8] case. Similarly, in Groupe Bruxelles/Affidea,^[9] the TCA also considered sales of diagnostic imaging devices as technology undertaking activities in the biotechnology sector.

In CD&R-TPG/Covetrus^[10] the TCA classified the target’s activities in the pharmaceuticals for animals and software sector as “health technology” and “pharmacology,” and as a result, the concentration was covered by the technology undertaking exemption.

In Berkshire Hathaway,^[11]the technology undertaking threshold was applicable since the target (Alleghany Corporation) was active in the market of financial technologies, i.e., it developed software to manage systems of property and casualty reinsurance and sold those to third parties. The exception applied here even though the activities of the target company were carried out in geographical markets other than Turkey. The main takeaway of this decision is that if the target of the transaction is a technology undertaking anywhere in the world and generates turnover in Turkey by any other means (not necessarily in the areas that constitute a technology undertaking), the concentration shall be assessed in the light of the special technology undertaking threshold.

The Berkshire reasoning is also seen in the Twitter^[12] gun-jumping case. Twitter is a digital/online platform that was recognised by the TCA as a technology undertaking, and hence subject to the threshold exception. Thus, there was no need to check Twitter’s (target) turnover in Turkey for the thresholds analysis. The only threshold that needed to be met for the Twitter deal was on the buyer side (globally TRY 3 billion [approx. EUR 142.6 million] for 2022). Companies controlled by Elon Musk were deemed a single economic unit, and it was concluded that the buyer side notification threshold was met; thus, the Twitter deal was indeed notifiable.

Conclusion

Concentrations involving technology undertakings are placed under a special focus/threshold in Turkey as of May 2022, with a view to catching all concentrations in the digital/high-tech markets and preventing killer acquisitions. While the technology undertaking exception from the turnover threshold for notification is different from the “value of transaction test” adopted by Turkey’s peers in the EU, Germany, and Austria, it may be viewed as a unique Turkish equivalent of that test, or at least it is expected to bring about the same results from its application.

The advantage of this rule is that it enables the TCA to assess concentrations of promising start-ups that operate in Turkey and are likely to cause competition disruptions in the digital markets irrespective of the lack of significant turnover of those start-ups. However, since the definition of the technology undertaking provided in the Merger Communique is not exhaustive and rather vague, it may be broadened at the discretion of the TCA, covering various sectors to catch as many transactions as possible. There is not enough existing case law yet to eliminate uncertanties in how to classify activities under the categories listed in the Merger Communique, all of which brings more legal uncertainty and transaction costs for businesses.

Following the Berkshire case, if the target generates turnover in Turkey by any means, it is highly recommended the target’s activities in other jurisdictions be assessed carefully to verify if those fall under the technology undertaking definition, and to notify the concentration to the TCA in case there is a slight probability of that. It seems that there will be more merger caseload and increased scrutiny in the technology markets in the upcoming years.

Dr. Fevzi Toksoy and Bahadir Balki are the Managing Partners at ACTECON; Hanna Stakheyeva is Of Counsel at ACTECON and an Assistant Professor at Bogazici University, Istanbul, Turkey.

1. These thresholds are applicable as of 4 May 2022. Calculated with an exchange rate of EUR 1 = TRY 21.03, in accordance with the applicable European Central Bank rate as of 11 April 2023. ↑

2. Communiqué No. 2010/4 Concerning the Mergers and Acquisitions Calling for the Authorization of the Competition Board. ↑

3. Article 4(1)(e) of the Merger Communique. ↑

4. Decision No 22-21/344-149 dated 12 May 2022 in relation to a concentration by way of creating a joint venture with the companies Citrix and TIBCO, which were under the sole control of Vista Equity Partners Management, LLC. ↑

5. Decision No 22-23/372-157 dated 18 May 2022 in relation to concentration by way of acquisition of sole control over International Financial Group Limited by Cinven Capital Management General Partner Limited. ↑

6. Decision No 22-24/395-BD dated 26 May 2022 in relation to concentration by way of acquisition of indirect joint control over Nielsen Holdings plc by funds and/or investment instruments. ↑

7. Decision No 22-25/403-167 dated 2 June 2022 in relation to concentration by way of acquisition of sole control over Airties Kablosuz İletişim San. ve Dış Tic. A.Ş. ↑

8. Decision No 22-25/398-164 dated 2 June 2022. ↑

9. Decision No 22-27/431-176 dated 16 June 2022. ↑

10. Decision No 22-32/512-209 dated 7 July 2022 regarding concentration by way of acquisition of joint control over Covetrus Inc. ↑

11. Decision No 22-42/625-261 dated 15 September 2022 in relation to indirect acquisition of Alleghany Corporation by Berkshire Hathaway Inc. The company generated turnover in Turkey through an affiliate that operates in the field of design, production, and service solutions for the trailer, private transport, and mobilized business markets. None of the target’s activities in Turkey were considered as falling within the scope of the technology undertaking definition. ↑

12. “The Examination about the Acquisition of the Sole Control of Twitter Inc. by Elon R. Musk” dated 6 March 2023. ↑

The United States Supreme Court’s fractured ruling in Mallory v. Norfolk Southern addressed personal jurisdiction under a Pennsylvania law that required out-of-state corporations to consent to jurisdiction for “any cause of action” as part of registering to do business in the Commonwealth. Other commentators have covered varying aspects and implications of the case, but we write to highlight that the opinion should not be read to limit the ability of Delaware corporations to use exclusive forum provisions to govern internal corporate claims.^[1]

As background, the plaintiff in Mallory was a freight car mechanic and a citizen of Virginia. He sued his former employer, Norfolk Southern, in Pennsylvania, even though the injuries for which he sought workers’ compensation allegedly occurred in Ohio and Virginia, and Norfolk Southern was incorporated and had its principal place of business in Virginia. Norfolk Southern had prevailed in the Pennsylvania Supreme Court on its argument that the Commonwealth’s registration statute violated the Fourteenth Amendment’s Due Process Clause, and Mallory appealed to the Supreme Court. Five justices of the U.S. Supreme Court voted to reverse that decision and concluded that the Due Process Clause did not prohibit a state from requiring an out-of-state corporation to consent to personal jurisdiction as part of registering to do business. But Justice Alito joined only portions of Justice Gorsuch’s plurality decision and concurred based on the assumption “that the Constitution allows a State to impose such a registration requirement.” Given that assumption and the dormant commerce clause discussion in Justice Alito’s concurrence, the remanded case may eventually return to the Supreme Court on other grounds.

Much of the reaction to Mallory has been to portray the ruling as a setback for corporations that permits them to be hailed into plaintiff-friendly venues throughout the country. To start, this misses what the Supreme Court justices agreed on: the statutory scheme in Pennsylvania is not one that exists in most states.

But even assuming laws like Pennsylvania’s sweep the nation and are upheld against future constitutional challenges, the impact of the ruling can be mitigated in the realm of stockholder and derivative corporate litigation, given the ability to adopt exclusive forum provisions for internal corporate claims. Admittedly, Mallory did not involve an internal corporate dispute. But assuming the plaintiff was a stockholder rather than an injured employee, it should play out as follows. The stockholder files suit in Pennsylvania state court. The corporation moves to dismiss based on the exclusive forum provision in its charter or bylaws. The stockholder’s argument would need to be that the corporation’s registration to do business in Pennsylvania, and agreement to be subject to suit there for “any cause of action,” would trump the corporation’s exclusive forum provision. But they have a problem. As a stockholder, they too are committed to litigate in the designated forum.^[2] Existing precedent does not elevate general jurisdiction above the parties’ agreed-upon forum, as courts enforce exclusive forum provisions even if the corporation is unquestionably subject to general jurisdiction in that state’s courts.^[3] The result should thus be the corporation prevailing on its motion to dismiss, and the stockholder refiling in the designated forum.

All of this is to say that Mallory should not impact where stockholder and derivative litigation occurs. Mallory simply highlights the need for corporations to adopt exclusive forum provisions to ensure consistency and predictability in the forum for any internal corporate disputes.^[4]

Myron T. Steele is senior counsel in the Corporate Litigation Group of Potter Anderson & Corroon LLP. He is the former Chief Justice of the Supreme Court of Delaware. Nicholas D. Mozal is counsel in the Corporate Litigation Group of Potter Anderson & Corroon LLP. The views expressed by the authors are not necessarily the views of Potter Anderson & Corroon LLP or any of its clients.

1. 8 Del. C. § 115. ↑

2. See Boilermakers Loc. 154 Ret. Fund v. Chevron Corp., 73 A.3d 934, 939 (Del. Ch. 2013) (“As our Supreme Court has made clear, the bylaws of a Delaware corporation constitute part of a binding broader contract among the directors, officers, and stockholders formed within the statutory framework of the DGCL.”). ↑

3. See City of Providence v. First Citizens BancShares, Inc., 99 A.3d 229, 231 (Del. Ch. 2014) (holding Delaware corporation could enforce provision requiring suit to be brought in North Carolina); Wong v. Restoration Robotics, Inc., 78 Cal. App. 5th 48, 57 (2022) (enforcing federal forum provision in bylaws of Delaware corporation governing claims under Securities Act of 1933 and stating stockholder could not press such claims against corporation headquartered in California in California state court). ↑

4. Although a current split exists between the Seventh and Ninth Circuits as to the reach of such provisions for certain claims and the Supreme Court may eventually weigh in on that question, compare Lee v. Fisher, No. 21-15923 (9th Cir. June 1, 2023) with Seafarers Pension Plan v. Bradway, 23 F.4th 714, 717 (7th Cir. 2022), there is no reason to think the current scheme will be entirely upended. ↑

The Board of Governors of the Federal Reserve System (Fed), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (collectively, the Agencies) issued the long-awaited final Interagency Guidance On Third-Party Relationships: Risk Management (Final Guidance) on June 6, 2023. The Final Guidance replaces the disparate set of guidance and FAQs separately issued by the Agencies over the years, thereby bringing greater consistency to supervisory expectations for banks in managing risks arising from their business relationships with service providers, contract counterparties, and other third parties.

The Final Guidance will be of particular interest to fintech companies, especially those that partner with or are looking to partner with banks. The Final Guidance explicitly calls out bank-fintech partnerships as within its purview, underscoring the potential risks raised by partnerships that involve novel or complex structures, as well as arrangements where the fintech company rather than the bank serves as the main point of contact for interactions with the end user (such as certain banking-as-a-service models).

Fintech companies that currently partner with banks, or are seeking to, should pay close attention to the Final Guidance, as it is now the definitive source of guidance on supervisory expectations and also a sign of greater supervisory scrutiny on such partnerships. Small banks, which many fintech companies tend to partner with, will likely find the new guidance challenging to implement. In a rare dissenting statement, Federal Reserve Governor Bowman predicted that more resources will be needed to “ensure that small banks understand and can effectively use the guidance to inform their third-party risk management processes.” The Final Guidance notes that the Agencies plan to, but have not yet, developed these additional resources to assist community banks and other smaller banks. Consequently, fintech companies looking to partner with banks, especially small banks, should be prepared for a more rigorous and potentially drawn-out diligence process with their potential bank partner, as well as ongoing monitoring.

Overview of the Final Guidance

Banking organizations are required to operate in a safe and sound manner and in compliance with applicable regulations, whether their activities are performed internally or outsourced to a third party. Operating in a safe and sound manner requires a bank to establish risk management practices governing its activities, including risks arising from its third-party relationships. The Final Guidance provides sound risk management principles that banks can use when developing and implementing risk management practices to assess and manage risks associated with third-party relationships.

The Final Guidance is striking in its expansive scope. It broadly defines third-party relationships, encompassing any business arrangement between a banking organization and another entity, whether the arrangement is formalized by contract or otherwise established. Included in the scope of third-party relationships are:

• outsourced services,
• the use of independent consultants,
• referral arrangements,
• merchant payment processing services,
• services provided by affiliates and subsidiaries, and
• joint ventures.

Importantly, the Final Guidance emphasizes that a bank’s use of such third parties does not diminish or remove its responsibilities to meet those requirements and ensure compliance with applicable regulations, such as those related to consumer protection and financial crimes. In issuing the Final Guidance, the Agencies sought to promote consistency in supervisory approaches to third-party risk management by replacing each agency’s existing guidance on the topic,^[1] each of which is rescinded and replaced by the Final Guidance.

Key Considerations for Fintech Companies

The Final Guidance lays out a risk management framework that outlines a series of essential steps for banking organizations that partner with fintech companies, including engaging in sufficient planning, conducting due diligence for third-party selection, negotiating contracts, monitoring on an ongoing basis, and, if necessary, effecting efficient termination. The Final Guidance also details a set of best practices for governance of third-party risk management, including oversight and accountability, independent reviews, and documentation and reporting.

Fintech companies seeking to enter into partnerships with banks should take note of the following key areas in the Final Guidance:

1. Heightened due diligence requirements

The Final Guidance calls for the scope and degree of a bank’s due diligence to align with the level of risk and complexity of the third-party relationship. Fintech companies should pay particular attention to this requirement, as the Final Guidance states that greater operational or technological complexity leads to increased risk. It is likely that a fintech company that is preparing to partner with a bank will have to undergo more thorough and rigorous due diligence with the bank. If the fintech companies will perform higher-risk activities, including critical activities, the Final Guidance calls for more comprehensive diligence.

The Final Guidance sets forth a wide range of topics that, as part of its due diligence, a banking organization should consider about a third party:

• strategies and goals;
• legal and regulatory compliance;
• financial condition;
• business experience;
• the qualification and backgrounds of key personnel and other human resources considerations of a third party;
• risk management;
• information security;
• management of information systems;
• operational resilience;
• incident reporting and management process;
• physical security;
• reliance on subcontractors;
• insurance coverage; and
• contractual arrangements with other parties.

2. Contract negotiation

The Final Guidance stresses the importance of contract negotiation for banks when entering into third-party arrangements. While a fintech company may initially seek to offer its own standard contract or form provisions, a bank may try to seek modifications, resulting in a more involved and drawn-out negotiation than a fintech might expect to encounter with other entities. Fintech companies should therefore expect greater attention from banks than their typical transaction counterparties in the following commercial terms, on the basis of the Final Guidance:

• nature and scope of the arrangement;
• performance measures or benchmarks;
• responsibilities for providing, receiving, and retaining information;
• the right to audit and require remediation;
• responsibility for compliance with applicable laws and regulations;
• cost and compensation;
• ownership and license;
• confidentiality and integrity;
• operational resilience and business continuity;
• indemnification and limits on liability;
• insurance;
• dispute resolutions and customer complaints;
• subcontracting;
• foreign-based third parties;
• default and termination; and
• regulatory supervision.

Moreover, the Final Guidance states that if a contract is unacceptable for a bank, the bank may consider other approaches, such as looking to bring the activity in-house or looking to other third parties. Accordingly, it will be important for fintech companies negotiating with banks to ensure that they are adequately protecting their own interests and, at the same time, address where appropriate the many areas of focus that their bank counterparty is now expected to scrutinize. For additional insights into strategic approaches to contracting for fintech companies, please see a recent article the co-authors have written separately discussing “Financial Infrastructure as a Service: Top Legal Considerations for Innovators.”

3. Ongoing monitoring

The Final Guidance also requires banks to engage in ongoing monitoring throughout the duration of a third-party relationship, commensurate with the level of risk and complexity of the relationship and the activity performed by the third party. Fintech companies should expect the following examples of typical monitoring activities from their bank partner:

• review of reports regarding their performance and the effectiveness of their controls;
• periodic visits and meetings with their representatives to discuss performance and operational issues; and
• regular testing of the bank’s controls that manage risks from its third-party relationships, particularly when supporting higher-risk activities, including critical activities (in certain circumstances, based on risk, a bank may also perform direct testing of the third party’s own controls).

Awareness of the areas of supervisory sensitivity will be critical to a fintech company’s success in partnering with a bank to deliver banking services.

Additional Considerations

The Agencies declined to establish any “safe harbors” in the Final Guidance, even for small banks. Rather, key to the third-party risk management framework—as contemplated under the Final Guidance—is the need for banks to tailor their risk management practices commensurate to their size, complexity, risk profile, and the nature of their third-party relationships. This tailored approach acknowledges the variety among different third-party relationships and the unique challenges that arise from such relationships. However, given the breadth of the Final Guidance, this tailoring may be easier said than done, particularly for community banks.

With respect to supervisory exams of a bank’s third-party risk management, the Final Guidance noted that supervision will also be tailored based on the degree of risk and the complexity associated with the bank’s activities and its third-party relationships. While the Final Guidance focuses on bank responsibility for third-party arrangements, it also recognizes that in certain circumstances, an agency may examine the functions or operations that a third party performs on behalf of a banking organization, allowing the Agencies the flexibility needed to address the unique challenges faced by the range of banking organizations and their various types of third-party relationships. In these cases, the agency may address violations of laws and regulations through corrective measures, including enforcement actions, to address unsafe practices by the third party.

Takeaway

Small banks in particular are likely to face challenges in implementing the Final Guidance and some degree of uncertainty in meeting supervisory expectations, which may translate to more challenging contract negotiation dynamics for fintech companies and greater hesitation by banks to enter into innovative arrangements. As bank-fintech partnerships increase in their complexity and incorporate novel strategies or technologies, the Agencies will require banks to step up their risk management, which their fintech partners will need to address.

1. SR Letter 13–19/CA Letter 13–21, “Guidance on Managing Outsourcing Risk” (December 5, 2013, updated February 26, 2021); FIL–44–2008, “Guidance for Managing Third-Party Risk” (June 6, 2008); OCC Bulletin 2013–29, “Third-Party Relationships: Risk Management Guidance,” and OCC Bulletin 2020–10, “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013–29.” ↑

The furthest- and widest-reaching federal business entity law ever enacted, the Corporate Transparency Act (“CTA” or “Act”)^[1] will impact an estimated 32.6 million current businesses, with its implementation going into effect on January 1, 2024. An estimated additional five million newly formed businesses will also be swept under the CTA’s purview each subsequent year.^[2] However, many business owners, investors, and advisers are unaware of the CTA and its looming deadline, and when they learn of it, they are often taken aback by its scope (and even its mere existence). Now is the time to review the CTA’s requirements and get prepared before the law goes into effect at the beginning of next year.

CTA Overview

The CTA requires certain businesses (including privately held and nonprofit entities) to report direct and indirect, human, beneficial ownership, control, and service provider information to the Financial Crimes Enforcement Network (“FinCEN”) of the U.S. Department of Treasury.^[3] This information will be used by federal, state, local, and tribal law enforcement authorities to streamline their investigations, bypassing the “shell game” historically posed by multiple levels of business entity ownership and affiliation.^[4]

Covered Businesses

The CTA impacts “reporting companies,” which include corporations, limited liability companies, limited partnerships, business trusts, and other “similar entities”^[5] that are created or registered by the filing of a document with a secretary of state or a similar Indian tribal office.^[6] There is no “grandfathering” of previously formed entities: the CTA will sweep in all business entities in existence on January 1, 2024. Exempted from the CTA’s reporting regime are specified excluded entities, which generally include heavily regulated business entities or large operating companies. However, the vast majority of private businesses and many nonprofit businesses will be swept up in required compliance.

Reportable Information and Owners

The information to be reported to FinCEN (“beneficial owner information,” or “BOI”) is certain personal identifying information (“PII”), which includes (1) full legal name, (2) date of birth, (3) residential (or sometimes business) physical commercial street address, and (4) an image of an acceptable government-issued ID (e.g., a U.S. passport or state-issued driver’s license) that includes both an ID number and the person’s photograph.^[7] This reported information must be kept current and accurate with FinCEN by the reporting company on an ongoing basis.

This information will need to be reported for persons who have “substantial control” over the business or who own, directly or indirectly, 25 percent or more of the equity in the business (each a beneficial owner). Every business will have at least one person to report, regardless of its ownership structure. In many instances, informed business decisions will need to be made as to who constitutes reportable beneficial owners.

For reporting companies formed on or after January 1, 2024, the same PII must also be reported for “company applicants” (i.e., incorporators and organizers), including those who directed the formation filing. This reported information is only reported as of the reporting company’s formation and is not required to be updated with FinCEN thereafter.

Mechanics and Timing of Filings

Filings will be made through an electronic interface with the online Beneficial Ownership Secure System (“BOSS”).

Businesses in existence on January 1, 2024, will have one year to file their initial report—but file an initial report they must do, even if they subsequently dissolve or otherwise alter their structure in a manner to become compliant with a CTA exemption. Businesses formed on or after January 1, 2024, will have thirty days from formation to file their initial report with FinCEN.

Any change to the status quo of a business in existence on January 1, 2024, will need to be reported as a separate amendment filing, delivered with the initial “as of January 1, 2024” report filing required to be made on or before December 31, 2024. Businesses formed on or after January 1, 2024, will have thirty days to file a correction or change to any information previously reported.

Penalties

There are steep, escalating fines ($500 per day up to $10,000 per violation) and possible jail time (up to two years) for those failing to timely and properly comply with the CTA’s requirements.^[8]

It bears noting that failure to timely file a required initial report could result in up to a $10,000 fine but that subsequent events that would necessitate an amendment to such required but missing filing, had the initial report been made, would also cause penalties to accrue—meaning that a failure to file an initial report may result in aggregate fines accruing well in excess of $10,000 prior to an initial notification of violation from FinCEN to the reporting company. Also, the intent of the reporting company and its agent with regard to noncompliance will be a factor in FinCEN’s assessment of possible criminal penalties.

Bearing this in mind, the remainder of this article is an appeal to the better angels of our character—as well as a direct rebuttal of initial impulses expressed by many upon first learning of the CTA.

CTA Denial

“I am a sophisticated business owner, and I have never heard of this.”

The enactment of the CTA in 2021 came as a shock to many (to some, a much later aftershock). However, the CTA’s intent—to end the position of the United States as a haven for “shell” companies used in the commission of money laundering, terrorist financing, financial and tax fraud, and other domestic and international illicit activity and corrupt practices—was present in proposed federal legislation for decades.

The CTA marks a seismic shift in the legal landscape for businesses operating in the United States. Prior to the CTA, entity beneficial owner disclosure was solely (if at all) the purview of state or tribal law. Now it is a focus and purview of federal law enforcement agencies.

The CTA has largely flown under the radar to date, but it is now time to become educated on the actions that may be taken prior to the CTA’s January 1, 2024, implementation date, and after. The Act’s impact on and implications for businesses, particularly small businesses, are complicated and difficult to succinctly communicate, and the CTA has not received widespread mass media attention. In fact, federal lawmakers and industry groups have decried the lack of CTA public education undertaken by FinCEN to date.

Many professional advisers and business professionals have been caught off guard by this fundamental change in business entity law, now taking on a federal facet for the first time. Those that are aware have, by and large, taken a wait-and-see approach to either advising their clients and business associates or evaluating their own compliance profile. This is because much of the mechanics of compliance remains elusive. The ability for businesses to begin directly interfacing with FinCEN on filing and compliance continues to be in the future, giving those persons “in the know” little to offer as current action items—causing many to defer sounding the alarm bell until more is known from FinCEN. However, the wait must end, as there is limited and dwindling time remaining to take action before the window of opportunity closes at the end of 2023.

“I have a small business. The Corporate Transparency Act only applies to large businesses.”

The CTA’s impact on small businesses is counterintuitive to many business owners, who erroneously believe that their business is “too small” to be within FinCEN’s sights and the CTA’s purview. Quite the opposite: A business’s small size is precisely why such a business must comply with the Act! The Act is designed to cast a broad net to “catch” a small niche of nefarious actors hiding behind the “corporate veil.”

Unfortunately, the vast majority of business entities that now must comply with the CTA, including most small businesses, are unwitting and innocent bycatch in the CTA’s net. This is because they will not be able to meet the criteria to be a large operating company that is expressly excluded from CTA compliance. The CTA’s “large operating company” exception is an exception to the CTA’s reporting requirements for businesses that meet all three of the following criteria:

1. The business must have a commercial, physical street address in the United States.
2. The business must have twenty-one or more full-time employees (excluding full-time equivalent employees, part-time employees, independent contractors, and leased employees).
3. The business must have filed a prior year’s federal income tax return demonstrating more than $5 million in annual, U.S.-only, gross receipts or sales.

All home-based businesses, and those with only a virtual (online) presence, will not meet the physical street address part of this three-part test. In addition, by necessity, every business entity formed on or after January 1, 2024, will not initially qualify for this exclusion because such business entities will not have the prior year’s tax return necessary to establish the gross revenue part of the test. The same will be true of virtually all business entities formed between January 1, 2023, and December 31, 2023. Further, many large portfolios of business entities will likely not meet this exception because employees of the portfolio’s operations are typically consolidated into one, or a few, of the portfolio’s business entities, with the remaining business entities not having employees, thus failing the employee prong of the test. Under FinCEN’s BOI Final Rule,^[9] employee head count may not be attributed across affiliated entities for purposes of meeting the employee count threshold—each business entity must stand alone in this respect.

“My industry’s lobbyists would never allow such a law to get passed.”

Lobbyists had staved off attempts to implement the CTA, and its predecessor bills, for decades. However, in December 2020, the U.S. Congress, majority-controlled by Republican lawmakers in both the House and the Senate, passed the CTA as part of the 2021 National Defense Authorization Act—which then-President Donald Trump vetoed^[10] (his sole veto during his term of office). On January 1, 2021, Congress, by a two-thirds vote in both the House and Senate, overrode Trump’s veto and passed the CTA into law.

Since the CTA’s adoption, the political landscape has changed. President Joe Biden and a Democratic-controlled Senate now hold office through at least 2024. A change of party control, if any, of the presidency or the Senate will not take effect until mid-January 2025—and control of the House may then also be uncertain. By that time, all existing business entities will have been required to file their initial CTA report into the BOSS, and a full year of newly formed entities will also have been required to comply with the CTA. In short, hopes of a conservative government sea change, with an overturning of the CTA, doesn’t account for the Act’s conservative lawmaker origins or the political cycle timing between now and the Act’s January 1, 2024, implementation.

Hope for a legislative repeal or delay in the implementation of the CTA likely ended with the recent passage of the bipartisan Fiscal Responsibility Act of 2023 ( “debt ceiling bill”),^[11] which lacked provisions pertaining to the CTA. In mid-June 2023, subsequent to the passage of the debt ceiling bill, the Accountability Through Confirmation Act and the Protecting Small Business Information Act were each introduced in the House Financial Services Committee by Committee Chairman Patrick McHenry (R-NC). These bills are intended to effectively delay the date that the BOI reporting requirements go into effect and to “reform” FinCEN with requirements intended to increase transparency and accountability within the agency, while protecting individuals’ privacy and businesses’ sensitive information in the BOSS reporting regime. It bears noting that Representative McHenry was also the sponsor of the debt ceiling bill. With the current gridlock in Congress, these new bills seem unlikely to move beyond the House or to become laws.

Further, the Biden administration has shown no indication of delaying the CTA’s implementation, with the U.S. Department of Treasury and FinCEN expressing publicly, and repeatedly, that implementation of the CTA by the end of 2023 is a top priority. The stated goals of the CTA—combating the use of “shell” companies in the commission of money laundering, terrorist financing, financial and tax fraud, and other domestic and international illicit activity and corrupt practices—appear to align with the administration’s agenda. In other matters, the administration has shown a proclivity to support initiatives to reign in business rather than favor it.

The CTA mandated that FinCEN promulgate regulations under the CTA prior to January 1, 2022. On December 7, 2021, FinCEN published a proposed rule related to BOI under the CTA, with a public comment period extending through February 7, 2022. In response to this notice of proposed rulemaking (NPRM), FinCEN received over 240 formal comments, with submissions coming from a broad array of individuals and organizations, including members of Congress, government officials, groups representing small-business interests, corporate transparency advocacy groups, the financial industry and trade associations representing their members, law enforcement representatives, and other interested groups and individuals. In addition to these formal responses to the NPRM, FinCEN also received, accepted, and considered many additional comments and inquiries from the public. The extensive, thorough, detailed, and pointed feedback, often in direct opposition to the proposed implementation of the Act and to specific components of the Act, was considered, weighed, and utilized by FinCEN in its adoption of the CTA BOI Final Rule, issued on September 30, 2022. FinCEN went to great length in the Final Rule to describe, with specificity, the extreme vetting on each point in the Final Rule. That Final Rule, with limited exceptions, stayed true to the CTA and the proposed rule initially proposed. FinCEN did not exercise its discretion to expand the list or scope of the enumerated reporting company exceptions (in spite of numerous pleas to do so), nor did it show any reluctance to, or anticipate delay in, implementing the CTA. Based on this process, the implementation of compliance and enforcement of the CTA’s reporting obligations will most certainly begin January 1, 2024. Hopes that a “white knight” will ride in to thwart the CTA, or that a delay or elimination of this reporting obligation implementation would occur, were vanquished last year (in 2022) and confirmed by the CTA’s omission from the bipartisan debt ceiling bill.

“That can’t be constitutional.”

A lone small business advocacy group, National Small Business United (affiliated with the National Small Business Association), has filed suit against the U.S. Department of Treasury and FinCEN contesting the constitutionality of Congress’s actions in passing the CTA into law, as well as the CTA’s implementation by FinCEN. Three other advocacy groups (Transparency International U.S., Financial Accountability & Corporate Transparency Coalition, and Main Street Alliance) jointly authored an amicus brief in support of the government’s position and the CTA. This case remains in an early stage of pleadings.^[12] Pending the outcome of this case, the constitutionality of the CTA will be affirmed or better defined.

“I just won’t report.”

Statements similar to the foregoing are uttered by a shocking number of business owners with whom I speak about the CTA and its reach, application, and exposure. However, there are a number of factors uniquely associated with the CTA, its origins, and its implementation that make its enforcement and your possible noncompliance exceptionally problematic. Chief among these, at least for individuals,^[13] is that their refusal will be conspicuously noted on a reporting company’s filing with FinCEN. A checkbox is included on the BOI reporting questionnaire: “(check if you are unable to obtain any required information on one or more Beneficial Owners).” Once checked, this conspicuous omission will be a red flag to FinCEN, and other law enforcement agencies, for initial or further investigation.

Further, the Internal Revenue Service (“IRS”) recently announced its taxpayer enforcement initiatives, which include plans to hire nearly 87,000 new employees and invest $80 billion over the coming years^[14] to improve tax enforcement and customer service, with more than one-third of the new hires being enforcement staff. The agency also plans to hire more data scientists to complement traditional tax attorneys and revenue agents in using new data analytics technology to identify audit targets. FinCEN’s BOSS database, created under the CTA, will likely be a key component to such data analytics technology and will provide an inexpensive, efficient investigative tool and corroborating (or “red flag”) source of taxpayer information for the IRS. The IRS initiatives’ stated aims are to close the “tax gap” between taxes owed and those paid, and to rebuild the IRS’s audit capabilities and computer technology. The IRS’s stated goals also include expanding enforcement for taxpayers with complex tax filings and high-dollar noncompliance, including high-income and high-wealth individuals, complex partnerships, and large corporations.^[15]

Hopes that the CTA is nothing more than another pro forma survey data collection initiative by the government are naïve and misguided. FinCEN’s BOSS database will be a critical point of diligence for investigation by federal government agencies. Your business entity’s conspicuous absence from the BOSS database, or your personal omission from a reporting company’s CTA filing, will most certainly be discovered—and will spearhead other federal investigations into you and your business practices.

“If I get caught, I’ll just pay the fine.”

The CTA provides for civil fines of $500 per day, up to $10,000, per violation of the Act. The Act also provides for a criminal penalty of up to two years’ imprisonment for CTA violations. It is important to note that the fine is per violation—not simply for violating the Act. The Act has requirements for filing report corrections and amendments based on changing circumstances, and CTA violations will likely involve multiple instances of noncompliance before FinCEN comes knocking on your door. Each reporting obligation also has a very short window (thirty calendar days) within which to make the required filing, making inadvertent violations of the CTA highly likely. Further, with only twenty days needed to reach the maximum fine of $10,000 per violation, many violations will likely come with the maximum $10,000 price tag.

These factors, in combination, could cause a simple act of not reporting to turn into the accrual of tens of thousands of dollars, or even hundreds of thousands of dollars, in fines by the time FinCEN identifies the violation and pursues collection. This will be particularly true in the first year of implementation, when 32.6 million reporting companies are projected to require reporting, with five million additional reporting companies being added each year thereafter.

Also, did I mention prison time? Noncompliance could be a costly proposition—far in excess of an initial $10,000 price tag.

“CTA responsibilities do not implicate fiduciary duties.”

Persons with “substantial control” over a reporting company under the CTA not only will be required to disclose their own PII as “beneficial owners” of the reporting company but will also, in many instances, owe fiduciary duties to the reporting company as well as to the (other) owners of the reporting company to properly comply with the CTA. Any decision by a reporting company’s management not to report under the CTA, or to partially report or to inaccurately report, will directly implicate actionable duties owed to the reporting company, its owners, and possibly third parties. Further, such actions may constitute “for cause” termination events with respect to such “substantial control” person, as the act or omission may constitute gross negligence, willful misconduct, fraud, material misrepresentation, or an illegal act with respect to the reporting company. A “substantial control” person’s evasion of the law could also implicate denial or cancellation of the reporting company’s directors and officers (D&O) insurance coverage for the event in question, and expose the individual to uncovered personal liability for the action in question. Further, grievous failure to comply with the CTA could result in imposition of a criminal sentence of up to two years in federal prison for the offending individual.

Under most states’ business statutes, the concept of fiduciary duties is prevalent and applies to the behavior of officers, managers, directors, and other governing and management parties to the business entity itself and, in some instances, to the owners of the business entity directly. Principal among the fiduciary duties is the “duty of care.” The duty of care requires that a person act with the prudence that a reasonable person in similar circumstances would use. If a person’s actions do not meet this standard of care, then the acts are considered negligent and may result in actionable damages enforceable against the individual. However, a fiduciary may discharge the duty of care by exerting appropriate diligence and informed consideration with respect to the action in question. Further, in most instances, a fiduciary may discharge its duty of care on a subject by hiring a professional adviser that the fiduciary reasonably believes has the necessary experience and expertise to advise on the subject and by relying on such advice in making the business decision. Thus, “substantial control” persons may insulate themselves against duty-of-care claims by retaining legal counsel to evaluate and advise on the reporting business decisions in question. Further, to the extent that a waiver of fiduciary duties is permitted by the applicable state and included in the applicable business entity’s charter documents, such waiver will not extend to the fiduciary duty of good faith, which could be implicated by a failure to file a CTA report.

Conclusion

The Corporate Transparency Act is a seismic shift in the beneficial owner reporting regimes in the United States, disturbing long-established norms. Beginning January 1, 2024, tens of millions of unwitting and innocent U.S. business entities, and their beneficial owners, will become bycatch in FinCEN’s dragnet designed to catch nefarious actors hiding behind the “corporate veil.” Whether you like it, hate it, or are indifferent, the CTA has been thoroughly vetted and is here to stay. Compliance is both mandatory and advisable. Just as anonymity in the business entity structure has been pierced by the CTA, so has anonymity in the Act’s compliance, with various touch points and red flags aiding in FinCEN’s ultimate enforcement regime, including FinCEN’s discovery of those choosing not to comply.

1. National Defense Authorization Act for Fiscal Year 2021, tit. LXIV, §§ 6401–6403. ↑

2. See 31 C.F.R. § 1010.380 (2022). ↑

3. National Defense Authorization Act for Fiscal Year 2021, tit. LXIV, § 6403. ↑

4. See 31 C.F.R. § 1010.380. ↑

5. For example, limited liability partnerships, limited liability limited partnerships, decentralized autonomous organizations (“DAOs”), and other entities created through filings with a secretary of state or tribal authority. ↑

6. 31 U.S.C. § 5336 (a)(11)(A) (2021). ↑

7. 31 C.F.R. § 1010.380(g) (“Reporting violations. It shall be unlawful for any person to willfully provide, or attempt to provide, false or fraudulent beneficial ownership information, including a false or fraudulent identifying photograph or document, to FinCEN in accordance with this section.” (emphasis added)). ↑

8. 31 U.S.C. §§ 5336(h)(1), 5336(h)(3)(A). ↑

9. Beneficial Ownership Information Reporting Requirements, 87 Fed. Reg. 59,498 (Sept. 30, 2022). ↑

10. Searches across case law databases for litigation containing the phrase Corporate Transparency Act resulted in only one case found: Trump v. Deutsche Bank AG, 943 F.3d 627, n.55 (2019). ↑

11. H.R. 3746, 118th Cong. (2023) became Pub. L. No. 118-5 (2023). ↑

12. Nat’l Small Bus. United v. Yellen, No. 5:22-cv-01448-LCB (N.D. Ala. 2022). ↑

13. It bears noting that the person responsible for a reporting company’s CTA filing, in some instances, may not be a “beneficial owner” of the business entity, or only one of several “beneficial owners,” and will likely make the filing (even over potential objections) to avoid personal culpability. The willingness of one person to violate the law, problematic on its face, also implicates the rights and risk profile of other persons associated with the reporting company. The other implicated individuals in the business organization may not share this risk tolerance. ↑

14. Note that section 251 of the debt ceiling bill, Pub. L. No. 118-5 (2023), rescinded $1,389,525,000 of IRS earmarked funding. ↑

15. See Beware, the IRS Is Coming: More IRS Audits to Focus on High-Net Worth Individuals and Passthrough Entities, Polsinelli (Apr. 18, 2023). ↑

At this point, almost every business operates some of its information technology (“IT”) assets in the cloud. Cloud‑based IT resources may be infrastructure (supplementing or replacing on‑site data centers and communications systems), platforms, or applications. Also, essential, enterprise‑level applications are now commonly licensed as subscription services maintained by third parties. Many of these third-party services also operate on IT infrastructure sourced from a cloud provider.

Moves to the cloud are multifaceted and multidisciplinary. Lawyers have an important role advising their clients about the legal rights and obligations in the tangle of licensing arrangements inherent in cloud computing. Determining the sources of those rights and obligations can, itself, be a challenge.

This project focuses on the essential steps for determining the legal rights and obligations attendant to operating in the cloud and provides practical tools to assist business lawyers. The project’s contributors are members of the Business Law Section’s Cyberspace Law Committee.

The initial toolkit includes six tools:

• One tool, using one significant cloud service provider as an example, assists lawyers navigating the first step in analyzing legal rights and obligations for cloud environments—that is, finding the applicable legal terms for review and discussion.
• A matrix illustrates “shared responsibility” as that concept appears in provisions of cloud service agreements from two major providers.
• A brief Business Law Today article by our Committee colleague, Lisa Lifshitz, offers Seven Tips for Better Technology Services Agreements.
• The toolkit also offers a checklist of issues to consider when an organization licenses data and a data life cycle checklist to assist with data management strategy.
• A glossary rounds out the initial work product. The glossary is intended to be an open and continuing work in progress. We welcome reader contributions.

The toolkit will also include a resource focusing on the substance of cloud licensing. The forthcoming tool describes contract terms typical for software and cloud services, highlighting, in particular, subject matter that might be prioritized for attention when opportunities for negotiation are limited.

The Lawyer’s Role: More Counselor than Drafter

A lawyer representing the purchaser/licensee in a cloud transaction will almost always be reviewing vendor contracts, not drafting or modifying purchaser/licensee forms. Opportunities for negotiation are limited by bargaining power, the cadence of business operations and IT development, and the volume of material and services that may be necessary or useful to complete the client’s IT effort. In this circumstance, lawyers add value by issue-spotting and helping the business team assess and contextualize risk reflected in the vendor’s legal terms and service descriptions.

Coordination of Relevant Stakeholders

Lawyers are also often well positioned to identify the right decision makers—or at least the appropriate subject matter domains—and facilitate work across stakeholder groups to understand and manage rights and obligations buried in the fine print of cloud contracts.^[1] Establishing and managing online environments and services involve information security (a discipline not entirely the focus of IT architects, engineers, and developers), budget and finance, procurement, compliance and risk, and data management and privacy—each doing its part to support a business team’s advancement of the client organization’s objectives.

The dynamic of coordinating stakeholder input is not new, of course. But lawyers should understand whether processes and controls that the client has in place to bring relevant stakeholders together will operate effectively when technology and services are procured through cloud service providers. Cloud marketplaces make shopping easier and more accessible to more people in an organization. Enabling more people to source material in an online store speeds access to technology components and solutions. Absent proper controls, however, solutions delivered on time with the right functionality may come without adequate attention to budget, security, and other risk considerations.

The following is a rudimentary example: Assume a developer is deploying a new application in an existing cloud environment. The developer enables logging functionality consistent with the organization’s security and operations policies for logging. The logging function can be enabled for no charge, but storage fees will accrue for keeping the log files. The project budget, focused on development and deployment, includes the initial application cost and subscription fees for a term. The budget does not anticipate the incremental cost of storage as log files are retained. What does the organization do when the storage fees begin to accumulate? Turn off logging? (Not likely.) Revise its budget for the ongoing cost?

How could the lawyer have helped the client organization in this illustration? First, the lawyer would have sought out and read the applicable contract. In doing so, the lawyer would probably have found references in the documentation saying that storage is separate. Or, more generally, the lawyer could have reminded the technology team to include colleagues whose role in the design and procurement process is to calculate the cost of ongoing operations and maintenance consistent with security policies and business requirements.

A lawyer engaged early in a project or business process development can work with the organization’s IT department to build review of product documentation into the design process. With proper guidance, a nonlawyer on the project team could be tasked to review documentation for key details—technical, operational, budget, legal red flags—and facilitate communication among relevant stakeholders.

Not a full-time technology lawyer? Business and commercial lawyers with the occasional technology matter in their portfolio add value when they spot issues and raise questions for the technology and business teams to consider. “What’s going on here?” can be a useful flag and does not require the lawyer to be a technology expert. Business lawyers understand that terms drafted by the other side have a thumb on the scale favoring the drafter. (And technology licenses sometimes read like the drafter put an elephant on the scale in the drafter’s favor.) Even when there is no practical likelihood that the organization will be able to negotiate more favorable terms, “What’s going on here?” gives the organization a prompt to consider potential risks, strategies to mitigate risk, and the feasibility of taking a different approach to avoid the risk.

Contracting through a Marketplace Feature

Incorporating cloud-based procurement into an organization’s operations requires a basic understanding of how software, services, and content may be procured from cloud service providers through their “marketplace” features. Organizations need to understand each marketplace through which they source products, material, and services and take appropriate steps to bring marketplace transactions into controls for procurement, contracting, security, and other risk management. Cloud providers have developed account management tools and access controls. It is up to client organizations to take appropriate steps to configure those tools, actively monitor customer portals and notices (and respond as appropriate), and keep account structures and access controls current.

The legal terms for cloud marketplaces and the products, material, and services offered in them are long, winding, and overlapping. They are also subject to provider-instituted changes that can affect ongoing services. Navigating cloud services and the marketplace tries the patience of the most diligent and patient lawyer. Lawyers should anticipate spending some time learning to navigate the legal terms of their clients’ cloud providers. The toolkit includes one paper illustrating contract navigation for the cloud marketplace of one significant service provider.

Lawyers should also keep in mind that cloud marketplaces are not the only channel to acquire software, services, or content for cloud-based systems. Cloud-based information technology may be procured under enterprise agreements with infrastructure or platform providers. Organizations may also engage third parties to manage their information technology. Those managed service providers may build out systems, including applications and storage, in cloud environments or using cloud-based platforms. Many enterprise-wide applications are now provided as a service, for example, office applications like Microsoft 365® and relationship management systems like Salesforce. Organizations may also bring their own software and content to a cloud environment. Managing proprietary and personal information has to be a consideration in reviewing the legal terms for any cloud-based arrangement.

A comprehensive review of procuring software, services, and content for cloud-based systems is beyond the current scope of this project. To start, we aim to contribute some basics that generalist business lawyers will find useful.

The Toolkit: A Dynamic Project

We expect each of the initial tools to evolve over time with feedback from readers and future collaborators. We also recognize opportunities to expand the toolkit with pieces highlighting sector‑specific issues, for example, education, health care, financial services, and service features (such as artificial intelligence components). We welcome volunteers and contributors to the project.

To offer feedback or contact the Toolkit Project coordinators, please email the project’s virtual mailbox at [email protected].

1. This project does not purport to be a comprehensive study of cloud computing for lawyers. For additional background about cloud computing, refer to these other ABA publications: Cloud 3.0: Drafting and Negotiating Cloud Computing Agreements (Lisa R. Lifshitz & John A. Rothchild eds., 2019); and H. Ward Classen, The Practical Guide to Software Licensing and Cloud Computing (7th ed. 2020). ↑