This morning, once again without an open meeting—whatever happened to government in the sunshine?—the SEC  voted to propose amendments intended to improve the disclosure requirements for financial statements relating to acquisitions and dispositions of businesses.  According to the press release, the proposed changes are designed to “improve for investors the financial information about acquired and disposed businesses; facilitate more timely access to capital; and reduce the complexity and cost to prepare the disclosure.”  The proposal will be open for public comment for 60 days.

The proposed amendments affect Rules 3-05 and Article 11 of Reg S-X, as well as related rules and forms.  Under Rule 3-05, acquiring companies must provide separate audited annual and unaudited interim pre-acquisition financial statements of the acquired business, with the number of years required determined on the basis of the relative significance of the acquisition. Article 11 applies to pro forma financial statements, and requires the company to file unaudited pro forma financial information with regard to the acquisition or disposition, including adjustments that show how the acquisition or disposition might have affected the historic financial statements. (The proposal also applies to rules and forms related to real estate businesses and investment companies, not discussed in this post.)

Among other things, the proposed changes would make the following changes:

Significance test. Currently, to determine the significance of an acquisition (and therefore the extent of the financial disclosure), under Rule 3-05, companies apply prescribed investment, asset and income tests set forth in the “significant subsidiary” definition in Rule 1-02(w). The proposal would revise the significance tests by modifying the investment test and the income test. The new investment test would “compare the registrant’s investment in and advances to the acquired business to the aggregate worldwide market value of the registrant’s voting and non-voting common equity (‘aggregate worldwide market value’), when available.” The new income test would reduce the frequency of anomalous results that occur from relying solely on the net income component by requiring that “the tested subsidiary  meet both a new revenue component and the net income component.” It would also require use of after-tax income. The changes would also expand the use of pro forma financial information in measuring significance, and conform the significance threshold and tests for a disposed business.

Number of years.  Currently, if none of the significance tests exceeds 20%, no Rule 3-05 financial statements are required.  Between 20% and 40%, financial statements are required for the most recent fiscal year and any required interim periods; between 40% and 50%, a second fiscal year is required, and over 50%, a third fiscal year is required (unless net revenues of the acquired business were less than $100 million in its most recent fiscal year).  The proposal would reduce the number of years of required financial statements for the acquired business from three years to two years for an acquisition that exceeds 50% significance. In addition, the proposal would revise Rule 3-05 “where a significance test measures 20%, but none exceeds 40%, to require financial statements for the ‘most recent’ interim period specified in Rule 3-01 and 3-02 rather than ‘any’ interim period.”

Acquisition of component of entity. Where the acquisition is of a component, such as a product line or a line of business spread across more than one sub or division, but constitutes a “business” as defined in Rule 11-01(d),  the proposal would eliminate the need to make some allocations of corporate overhead, interest and income tax expenses by permitting the omission of certain expenses for these types of acquisitions if required conditions are satisfied.

Clarifications. The proposal would also revise “Rule 3-05 and Article 11 to clarify when financial statements and pro forma financial information are required, and to update the language to take into account concepts that have developed since adoption of the rules over 30 years ago.”

Individually insignificant acquisitions.   Currently, if the aggregate impact of “individually insignificant businesses” acquired since the date of the most recent audited balance sheet exceeds 50%, the company must include in a registration statement or proxy statement audited historical pre-acquisition financial statements covering at least the substantial majority of the businesses acquired, as well as related pro forma financial information as required by Article 11. The proposal would modify and enhance the required disclosure for the aggregate effect of acquisitions for which financial statements are not required or are not yet required, by, among other things, requiring “pro forma financial information depicting the aggregate effects of all such businesses in all material respects and pre-acquisition historical financial statements only for those businesses whose individual significance exceeds 20% but are not yet required to file financial statements.”

International acquisitions. The proposal would modify Rule 3-05 to permit financial statements “to be prepared in accordance with IFRS-IASB without reconciliation to U.S. GAAP if the acquired business would qualify to use IFRS-IASB if it were a registrant, and to permit foreign private issuers that prepare their financial statements using IFRS-IASB to provide Rule 3-05 Financial Statements prepared using home country GAAP to be reconciled to IFRS-IASB rather than U.S. GAAP.”

Omission of financial statements. Currently, Rule 3-05 financial statements are not required once the operating results of the acquired business have been reflected in the audited consolidated financial statements of the acquiring company for a complete fiscal year, unless the financial statements have not been previously filed or, when previously filed, the acquired business is of major significance. Under the proposal, financial statements would no longer be required in registration statements and proxy statements once the acquired business is reflected in filed post-acquisition company financial statements for a complete fiscal year, thus eliminating the requirement to provide financial statements when they have not been previously filed or when they have been previously filed but the acquired business is of major significance.

Use of pro forma for significance test.  Currently, a company may use pro forma, rather than historical, financial information if the company “made a significant acquisition subsequent to the latest fiscal year-end and filed its Rule 3-05 Financial Statements and pro forma financial information on Form 8-K.” The proposal would “expand the circumstances in which a registrant can use pro forma financial information for significance testing,” allowing companies, for all filings, to “measure significance using filed pro forma financial information that only depicts significant business acquisitions and dispositions consummated after the latest fiscal year-end for which the registrant’s financial statements are required to be filed,” subject to satisfaction of specified conditions.

Pro forma financial information. Currently, pro forma financial information typically includes a pro forma balance sheet and pro forma income based on the historical financial statements of the acquiring company and the acquired or disposed business. Pro formas generally include “adjustments intended to show how the acquisition or disposition might have affected those financial statements had the transaction occurred at an earlier time.” In addition, the existing pro forma adjustment criteria “preclude the inclusion of adjustments for the potential effects of post-acquisition actions expected to be taken by management, which can be important to investors.” The proposal would “revise Article 11 by replacing the existing pro forma adjustment criteria with simplified requirements to depict the accounting for the transaction and present the reasonably estimable synergies and other transaction effects that have occurred or are reasonably expected to occur.”  More specifically, the proposal would allow inclusion of “disclosure of ‘Transaction Accounting Adjustments,’ reflecting the accounting for the transaction; and ‘Management’s Adjustments,’ reflecting reasonably estimable synergies and transaction effects.” In particular, “Management’s Adjustments would be required for and limited to synergies and other effects of the transaction, such as closing facilities, discontinuing product lines, terminating employees, and executing new or modifying existing agreements, that are both reasonably estimable and have occurred or are reasonably expected to occur.” The proposal would also revise Rule 11-01(b) to raise the significance threshold for the disposition of a business from 10% to 20%.

Smaller reporting companies. The proposal would make corresponding changes to the smaller reporting company requirements in Article 8 of Reg S-X.

Before the recent controversy involving The Boeing Company and its 737 MAX 8, a New York Times article suggested that actions on the part of McKinsey & Company may have exposed itself and possibly Boeing to liability under the Foreign Corrupt Practices Act (“FCPA”).[1] However, no definitive conclusion should be drawn from the Times article.  A violation of the FCPA is not necessarily involved, certainly by McKinsey and Boeing. Yet the article raises a number of important issues that merit consideration.

Background

What the article suggests is that because of Boeing’s need for titanium in 2006, “it did what many companies do when faced with vexing problems: it turned to McKinsey & Company, the consulting firm with the golden pedigree, purveyor of ‘best practices’ advice to businesses and governments around the world.”

Boeing asked McKinsey to evaluate a proposal, potentially worth $500 million annually, to mine titanium in India through a foreign partnership financed by an influential Ukrainian oligarch.

McKinsey says it advised Boeing of the risks of working with the oligarch and recommended “character due diligence.” Attached to its evaluation was a single PowerPoint slide in which McKinsey described what it said was the potential partner’s strategy for winning mining permits. It included bribing Indian officials.

The partner’s plan, McKinsey noted, was to “respect traditional bureaucratic process including use of bribes.” McKinsey also wrote that the partner had identified eight “key Indian officials”—named in the PowerPoint slide—whose influence was needed for the deal to go through. Nowhere in the slide did McKinsey advise that such a scheme would be illegal or unwise.

According to the article, “neither McKinsey nor Boeing was charged in the case, and Boeing has not been accused of paying bribes. But several employees of the two companies are believed to have testified before a grand jury. Boeing continued to pursue the venture even after being advised that its partner’s plans included paying bribes, records show.” Importantly, the article notes that “ultimately the deal fell apart.” 

Consideration of All Relevant Factors

By itself, the disclosure on the PowerPoint slide does not constitute a violation of the FCPA. A multitude of factors come into play before any determination can be made as to whether an FCPA violation may be involved. In particular, evidence of corrupt intent is required. This is the lynchpin to any violation of the FCPA’s anti-bribery provisions.[2] A host of other factors may also be involved. 

For example, what precisely happened next? What were the roles of McKinsey and Boeing? As is, the disclosure reveals a suggested course of conduct that, if pursued, would constitute a violation of the FCPA’s anti-bribery provisions. Disclosures of this sort can and do surface as part of due diligence. Indeed, they pose a significant red flag. In most situations, such a disclosure may effectively preclude proceeding. But they do not automatically pose an absolute bar to proceeding. 

In the context of the article, what the disclosure represents is corroboration of what may have been intended, assuming the parties proceeded in the manner suggested. In a vacuum, it does not constitute conclusive evidence of improper inducements. Nor does the disclosure, by itself, demonstrate that improper inducements were actually made or even attempted. But the disclosure does reflect intent in terms of what was contemplated. From a prosecutor’s perspective, it would be invaluable corroborating evidence along with whatever other evidence may exist.

Consultants Should Err on the Side of Making Disclosures

Consultants should certainly err on the side of making candid disclosures. In this situation, it is not known what disclaimers may have been formally or informally made in conjunction with the PowerPoint slide. But regardless, proposals should not leave the realities of a relationship or transaction vague or ill-defined.  The more the realities are spelled out, the more likely potential problems can be avoided. Either the prospective endeavor does not proceed or special measures are undertaken to ensure that improper inducements are not made. 

Mere language in an agreement or other forms of admonitions do not constitute special measures. Much more is required. The special measures may impact the structure of a transaction. They may mean that a range of carefully designed controls are instituted. In essence, it means that special efforts must be undertaken to put in place effective mechanisms to preclude the prospect of improper inducements. In many situations, taking such steps may not be realistic or even possible. In others, creative and effective mechanisms may be possible.

Of course, prudence dictates that disclosures of the nature suggested by the article include disclaimers and appropriate cautionary language. But the disclosure itself is a positive development as it allows for a company to make an informed decision. It also allows for a company to take a range of measures to ensure that what is suggested does not take place. From a compliance perspective, the critical factor is what is done with the information. 

From the content of the Times article, it is not really known what took place. It is suggested that Boeing went forward before finding another source of the titanium. But we really do not know the specifies of what that entailed. Could going “forward” mean conduct of a very preliminary nature? Were special measures undertaken? Did Boeing, for example, exercise control over each step in the process?  Are there other critical facts of which we are not aware? In any event, it would appear that McKinsey put Boeing on notice regarding what might be involved. And Boeing is certainly well equipped to understand the implications.

Vicarious Liability

In a larger context, the allegations contained in the Times article signal the degree to which issues of vicarious liability may arise where there are incorrect assumptions as to what may expose a company to liability under the FCPA. Simply retaining the services of a well-respected firm does not, by itself, foreclose a company’s prospect of vicarious liability. 

Mere size should never be determinative. But the experience and reputation of a well-respected consulting firm may prove critical as to the likelihood of exposure to vicarious liability. This is because a firm of such stature is more likely to have in place a compliance program and related controls that tend to minimize the prospect of questionable conduct. An additional and compelling factor is the greater likelihood that the firm has the relevant experience. In short, an experienced and reputable firm is less likely to stumble due to sheer ignorance.

However, it is a mistake to believe that retaining the services of a well-respected consulting firm relieves a company of any oversight. The law applies equally to big and small firms as it does to highly-reputable and less-reputable firms. A consulting firm acts on a company’s behalf. What it does on behalf of a company may expose that company to liability. Quite simply, a company cannot take a head-in-the-sand approach to what a consulting firm does on its behalf. It must carefully monitor the efforts of its consulting firm.

Consulting Firm Liability

The Times article also raises the larger issue as to how a consulting firm may expose itself to liability as an accessory. Here, without more information, no assessment can be made as to whether there was a misstep on the part of McKinsey. Proper disclaimers may well have been made in conjunction with the PowerPoint presentation or in other ways. Yet, without appropriate and timely disclaimers or cautionary admonitions, a consulting firm may later be deemed to be an accessory if a proposed relationship or transaction proceeds in a particular manner. 

This is fundamentally similar to advising employees about what is said in emails. One must always operate on the basis that whatever information is communicated may be misconstrued. As a result, the utmost care needs to be exercised when conveying sensitive information. This is particularly so when a consulting firm is reporting on situations or on a course of conduct that could be perceived as questionable. A footnote or reliance on boilerplate language may not suffice.  The recipient should be on clear notice as to the issues of concern.

In sum, the Times article very much merits consideration. In the absence of more facts, no conclusions should be drawn as to the conduct of either McKinsey or Boeing. But from a legal perspective, it prompts careful thought and reexamination of relationships with consulting firms. It serves as a reminder of the care required in overseeing the work of consultants. In its own way, the article also serves as a vital reminder to consultants as to the care required in conveying information assembled on a client’s behalf.  

[1]W. Bogdanich and M. Forsythe, “‘Exhibit A’: How McKinsey Got Entangled in a Bribery Case,” The New York Times (Dec. 30, 2018).

[2]15 U.S.C. §§ 78dd-1, 78dd-2, 78dd-3 (2019).

Oracle’s decade-long copyright infringement suit against Google may be heading to the Supreme Court. The case involves the copyrightability of application programming interfaces (APIs) and the application of the fair use doctrine to copying APIs for the purpose of creating interoperable programs. The case pits software copyright owners against software developers creating interoperable programs.

As Google was developing its Android mobile operating system, it wanted to use Java so that the vast network of Java developers would develop applications for the Android mobile operating system and could use the Java programming shortcuts with which they were familiar from Java app development. Google wanted rapid application development for its Android mobile operating system. Google initially sought a license from Oracle, which now owns Java, but the negotiations broke down, in part because Google refused to make the implementation of its programs compatible with the Java virtual machine or interoperable with other Java programs, which violates Java’s “write once, run anywhere” philosophy.

Ultimately, Google copied the declaring code of 37 APIs in their entirety and the structure, sequence, and organization of the 37 APIs—over 11,000 lines of code in total—as part of its competing commercial platform. Google only had to copy 170 lines of code to ensure interoperability. It was undisputed that the copied APIs could have been written in multiple ways, and Google could have written its own APIs. It would have required more time and effort, and it would have required more effort by developers of mobile applications for Android mobile, but it could have been done. After copying Java’s code, Google purposely made its Android platform incompatible with Java, which meant that Android Apps run only on Android devices, and Java Apps do not run on Android devices.

In Oracle v. Google I, the Federal Circuit held that in light of the evidence and controlling precedent, the Java APIs were copyrightable, reversing the district court’s judgment that they were not, after a jury verdict finding copyright infringement. After Oracle v. Google I, the U.S. Supreme Court denied certiorari, probably in part due to the interlocutory nature of the case. However, the United States took the position that the Java code at issue was copyrightable, and there was no circuit split on the merger doctrine or section 102(b). On remand, the jury returned a verdict that Google’s copying of 37 APIs and the structure, sequence and organization of the corresponding implementing code was a fair use.

In Oracle v. Google II, the Federal Circuit held that no reasonable jury could conclude that Google’s copying of over 11,000 lines of code, where it only had to copy 170 lines of code for interoperability, was a fair use. On the fair use factors, the Federal Circuit concluded that Google’s use of the Java code was overwhelmingly commercial (Factor 1), the nature of the work—software—favored Google (Factor 2), the amount of the work taken was neutral or favored Oracle because the code was a highly valuable part of the Java platform (Factor 3), and the effect on Oracle’s existing and potential markets heavily favored Oracle because the Android platform caused Oracle to lose customers and impaired Oracle’s ability to license its work for mobile devices (Factor 4).

These decisions reflect the Federal Circuit’s strong view of the copyrightability of software. That view informed its decision on fair use, particularly regarding the first and fourth fair use factors—namely, the overwhelming commercial nature of Google’s use of the Java APIs and the substantial evidence of market harm to Oracle from Google’s unauthorized copying of the Java APIs.

Google again has petitioned for certiorari, arguing that the APIs are not copyrightable, and the Federal Circuit should not have reversed the jury’s fair use verdict. Now that the Federal Circuit has ruled for Oracle on the issue of fair use, only the damages phase of the case remains. At this juncture, there are two issues that potentially could be dispositive of the case if the Supreme Court granted certiorari and ruled for Google. If Google were to prevail on either copyrightability or fair use, the case would be over, and there would be no need for a trial on Oracle’s damages. If the Supreme Court believes either Federal Circuit decision is erroneous, however, it may be more likely to grant certiorari at this point.

Google’s appeal is important for several reasons. It involves the scope of copyright as applied to software and the application of the fair use defense in copying software code for purposes of interoperability. Second, the decision involves the somewhat complicated application of longstanding copyright doctrines—merger, scènes à faire, and the idea/expression dichotomy embodied in section 102(b)—to software. A Supreme Court decision on copyrightability and fair use in the context of software would impact the use of existing software code to build new programs, thereby significantly impacting the software industry. Oracle’s potential damages in the case have been estimated variously at between $8 billion and $9 billion, a number staggeringly large for a copyright software case (or any other case for that matter). Last, if copyrights in the Java code were timely registered and Oracle ultimately prevails, it could be awarded attorney’s fees in the court’s discretion, which at this point are substantial. See 17 U.S.C. §§ 504–505.

Any Supreme Court decision in Google could have substantial impact on the issue of copyrightability and the application of longstanding copyright doctrines such as the merger doctrine, scènes à faire doctrine, and section 102(b), which prohibits copyright protection for a command structure, system, or method of operation, among other things. A decision on these subsidiary issues in assessing copyrightability could have substantial impact on how these doctrines are applied in the software context. Similarly, a Supreme Court decision on fair use of computer code would significantly impact the industry and the balance between software copyright owners and others seeking to use their code in creating competing programs. This is a case to watch.

On March 27, 2019, the Supreme Court held (in a 6-2 decision) in Francis V. Lorenzo v. Securities and Exchange Commission[2] that a person who (1) knowingly disseminates false and misleading statements to prospective investors and (2) acts with the intent to defraud can be held liable under subsections (a) and (c) of Securities and Exchange Commission Rule 10b-5 (Rule 10b-5), and other relevant statutory provisions, even if such person was not the “maker” of such statements.

Rule 10b-5 makes it unlawful for any person, directly or indirectly, to:

• employ any device, scheme, or artifice to defraud,
• make any untrue statement of a material fact or to omit to state a material fact necessary in order to make the statements made, in the light of the circumstances under which they were made, not misleading, or
• engage in any act, practice, or course of business which operates or would operate as a fraud or deceit upon any person in connection with the purchase or sale of any security.

In June 2009, Waste2Energy Holdings, Inc. stated in a public filing that its assets were worth approximately $14,000,000 (including intellectual property valued at more than $10,000,000). In the summer of 2009, Waste2Energy Holdings, Inc. hired Charles Vista, LLC to sell $15,000,000 of debentures to investors. In early October of 2009, Waste2Energy Holdings, Inc. publicly disclosed and informed Francis Lorenzo (Petitioner), Vice President of Investment Banking at Charles Vista, LLC, that Waste2Energy Holdings, Inc.’s total assets were worth $400,000, significantly less than previously disclosed to the public. After becoming aware of Waste2Energy Holdings, Inc.’s overvaluation of its assets, Petitioner, at the direction of his direct superior, sent e-mails, the contents of which were supplied by his direct superior, to prospective investors that included false and misleading information regarding the valuation of Waste2Energy Holdings, Inc.’s assets.

In 2013, the Securities and Exchange Commission (SEC) charged Petitioner with, and found Petitioner liable for, violating subsection (b) of Rule 10b-5. Petitioner appealed the SEC’s ruling to the U.S. Court of Appeals for the District of Columbia (Court of Appeals). Relying on Janus Capital Group, Inc. v. First Derivative Traders,[3] a Supreme Court decision holding that only the “maker” of false or misleading statements can be held liable under subsection (b) of Rule 10b-5, Petitioner argued that because his direct superior (1) directed Petitioner to send the e-mails and (2) supplied the content for the e-mails, he was not the “maker” of any false or misleading statements and therefore could not be liable under subsection (b) of Rule 10b-5. The Court of Appeals agreed that Petitioner could not be held liable under subsection (b) of Rule 10b-5; however, the Court of Appeals found Petitioner liable under subsections (a) and (c) of Rule 10b-5.  

Petitioner appealed the Court of Appeals decision to the Supreme Court. In Petitioner’s argument to the Supreme Court, Petitioner claimed that each subsection of Rule 10b-5 governs “different, mutually exclusive, spheres of conduct,” with subsection (b) governing the making of false or misleading statements. Petitioner went on to argue that because he did not have ultimate authority over the false or misleading statements, he could not be held liable under subsection (b) of Rule 10b-5 and that because he was not liable under subsection (b), the remaining subsections could not be applied to the acts in question.

The Supreme Court rejected Petitioner’s interpretation of Rule 10b-5, explaining that the Supreme Court and SEC have a history of recognizing significant overlap among the subsections of Rule 10b-5 and other securities statutes. As a result of this overlap, the Supreme Court reasoned that the making of false or misleading statements is not governed solely by subsection (b) of Rule 10b-5, but also falls within the scope of subsections (a) and (c). The Supreme Court, agreeing with the Court of Appeals, found that by sending the e-mails that Petitioner knew contained untrue and misleading statements, Petitioner violated subsections (a) and (c) of Rule 10b-5. The Supreme Court ultimately held that Petitioner “employ[ed] a “device,” “scheme,” or “artifice to defraud,”” violating Rule 10b-5(a), and “engage[d] in [an] act, practice, or course of business” that “operate[d] . . . as a fraud or deceit” in violation of Rule 10b-5(c).

In dissent, Justice Thomas, joined by Justice Gorsuch, argued that the majority’s interpretation of Rule 10b-5 renders the Supreme Court’s decision in Janus a “dead letter.” Justice Thomas asserts that the subsections of Rule 10b-5 are straightforward and clearly specify the conduct each governs—with subsection (b) governing the making of false or misleading statements. Concluding that the majority opinion broadens the scope of subsections (a) and (c) to cover conduct within the plain meaning of subsection (b), Justice Thomas argues that subsection (b) of Rule 10b-5 is now subsumed into subsections (a) and (c), rendering meaningless the Supreme Court’s decision in Janus (detailing conduct governed by subsection (b)). The majority disagreed with this contention, noting that Janus will still apply (and preclude liability) in instances where an individual neither made nor disseminated false information, as opposed to the case at hand where Petitioner knew of and disseminated false information.

Given the Supreme Court’s broad interpretation of Rule 10b-5, it is likely that future litigants will seek to expand the scope of activities subject to Rule 10b-5. However, as the Supreme Court noted, in cases where a person is only tangentially involved with disseminating false or misleading statements, applying subsections (a) and (c) of Rule 10b-5 may prove more difficult and could cause the Supreme Court to more clearly define the reach of these subsections in the future. For example, as the Supreme Court noted, liability would be inappropriate for a mailroom clerk who disseminated misleading or false statements without the intent to defraud. It is clear that future cases may present factual scenarios that would fall outside the reach of subsections (a) and (c); however, in the case at hand, it was clear Petitioner was directly involved with disseminating false and misleading statements because he sent such statements directly to investors and invited them to follow up with him directly.

[1] Chauncey Lane is a partner in the Dallas office of Husch Blackwell LLP. Cooper Overcash and Michael Caine are associates in the Dallas office of Husch Blackwell LLP. Chauncey, Cooper, and Michael are members of the firm’s Corporate and Securities practice group where they advise domestic and international clients on capital market transactions, Securities and Exchange Commission compliance, and complex commercial transactions.

[2] 587 U.S.___ (2019).

[3] 564 U.S. 135 (2011).

In 2019, we are surrounded by AI—from our personal assistants Siri, Alexa, and Google Home Hub; our retailers predicting what we want before we do (think Amazon/Netflix recommended sections); and our cars that sense when braking is required in an emergency—and AI just keeps getting smarter and more accurate over time as it incorporates more data sets, meaning that AI has become more integrated and trusted within our society.

Throughout the world, healthcare systems are some of the most used and relied upon sectors, but they are stretched in terms of resourcing, technology, and funding. For many years, researchers and technology giants have wondered how we can harness the large amount of data that exists in the world for good—to help our healthcare system cope, grow, and thrive in modern times where we are all living longer and expecting more from our healthcare systems.

In this article, we explore some of the issues with AI and health care—the positive aspects and the barriers to integration and use that exist now or will in the future, as well as some of the trials already conducted in both the United States and the European Union.

What Is AI and How Does It Work?

In its broadest sense, AI is a tool where technology and/or a system can perform tasks and analyze facts/situations independently of a human. There are many different applications of AI, including machine learning, deep learning, and robotics.

• Machine learning is when a system uses algorithms to review data in an iterative process until it “learns” how to make a determination or prediction on its own.
• Deep learning is when a complex system similar to human neural networks is fed large amounts of data until it “learns” by example, discovering patterns in the data.
• Robotics is where a machine performs a task instead of a human; for example, where a machine is programmed to perform a simple (or complex) operation with precision and accuracy based on experience.

AI in the healthcare sector works by analyzing and learning from hundreds of thousands (even millions) of records, images, and/or scenarios to spot patterns, common traits, etc. of certain medical conditions, and to analyze findings and/or cut down the options for consideration by the medical professional.

AI and the Healthcare Sector

The prospect of further integration of AI in the healthcare sector is an exciting and promising development with the potential to transform healthcare systems to be more proactive, use fewer resources, lessen time spent on administrative matters, and, most importantly, focus on patient care.

Many are wary of AI in the healthcare sector, however—a sector based on human decisions, skill, and compassion that many feel uncomfortable relinquishing to a machine. Doctors, nurses, and other medical professionals are all highly trained and trusted to deliver high-quality and personalized health care to those in need. Naturally, there is some hesitation about ceding control of some of these tasks to a machine.

AI advocates are clear to point out that AI in health care is designed to complement and not replace human decision-making, experience, and care. AI is said to present the opportunity to free up more of health professionals’ time to care for patients instead of being burdened with administrative tasks and/or spending hours developing a tailored diagnosis and treatment plan.

Some recent examples of AI within the healthcare sector include the following:

• Machine learning was used to identify chronic heart failure and diabetic patients who required closer observation, then analyzed the results of monitoring kits provided to these patients. The patient’s healthcare providers were then automatically alerted when the patient required medical intervention.
• The National Institutes of Health and Global Good developed an algorithm that analyzes digital images of a woman’s cervix and can more accurately identify precancerous changes that will require medical intervention. This easy-to-use technology (which can be used with a camera phone) is an exciting development for those low-resource areas and countries where such screening is not prevalent.
• The United Kingdom’s National Health Service (NHS) provided patients with complex respiratory needs a tablet and probe that measured heart rate and blood oxygen levels on a daily basis. These results were logged and analyzed by the AI technology, reporting back to the clinical team at a local hospital when there were drops in heart rate and/or blood oxygen levels requiring medical intervention. During the period of this study, admissions at the local hospital for this group dropped 17 percent.
• The NHS Eye Hospital Moorfields worked with Google’s DeepMind for nine months and conducted a trial based on an algorithm developed to spot and diagnose eye conditions from scans. This was aimed at cutting down unnecessary referrals to NHS hospitals, allowing clinicians to focus on more serious and urgent cases.
• For pathologists, instead of individually assessing each image/slide, AI technology can be used to review all images/slides and flag the problematic ones for closer review.

In each of the examples above, the healthcare system saved time and resources by ensuring that only those patients requiring more immediate medical intervention were seen to, and that those who were stable were seen at nonemergency appointments to follow-up. Healthcare professionals were able to prioritize those cases with the most urgency while continuing to monitor the other, less urgent cases.

Another AI advantage is that patients are given more control over their own healthcare. They can monitor their own statistics and outcomes and are comforted that medical professionals can intervene when they have spotted concerning results. This also helps patients understand their own health and how their own body reacts to certain conditions/factors.

The Challenges

There are some concerns that have been raised around the integration of AI technologies into the healthcare system, including data protection, patient trust, biased data, and contractual, regulatory, and ownership issues.

Data Protection

In the United States, personally identifiable health information (PHI) is protected from unauthorized use and disclosure by a variety of laws and regulations, most notably the Health Insurance Portability and Affordability Act and the Health Information Technology for Economic and Clinical Health Act (together, HIPAA). Any use of PHI for AI would likely require new or different consent from the patient. Where the AI is used for the benefit of a particular patient, presumably that consent would not be difficult to obtain, but robust AI technologies require a significant amount of data to be effective, and because the use of that data is not necessarily for the benefit of any particular patient contributing data, consent for use of PHI in AI may not be so readily provided. A revision of HIPAA or applicable state laws to permit the disclosure of PHI for the purpose of AI technologies may be required, as well as additional protections to ensure that once the PHI goes into the “soup pot” of AI datasets, it cannot be individually identified again.

In the European Union, the General Data Protection Regulation (GDPR) came into force in 2018 and brought about significant changes in data protection regulation across the EU and beyond due to its enhanced territorial scope. One of the themes of the GDPR is that data subjects are given more control over their personal data. There are a few separate issues relating to data protection and AI technology when considering AI and healthcare applications:

• Legal basis. There will be different legal bases applicable to different organizations; for example, healthcare providers generally rely on vital interests (as the processing condition) and therefore may rely on the research and statistics exemption to repurpose such data collected for use in AI technology. Other organizations, such as those who utilize wearable technologies like fitness trackers or heart-rate monitors used by individuals (as opposed to patients), will generally rely on consent to process such data and therefore may not as easily repurpose such data collected, such as for the development of AI technology.
• Data subject rights. Under the GDPR, data subjects have enhanced rights; therefore, organizations must carefully consider the legal basis on which they are relying for processing. For example, when relying on consent, a data subject can withdraw that consent at any time, and the organization must stop processing and notify any third party with which the data was shared to stop its processing. Although data subjects have the right to request deletion of their personal data, from a practical perspective, how can data be deleted if it has become part of the algorithm?
• Data Transfers. A scenario likely to occur with AI technology development is the transfer of data between the United States and European Union and indeed across the globe. In a data transfer scenario, both parties (i.e., the transferor and the transferee) have an obligation to ensure that such transfers are protected and that the data is transferred using adequate measures as stipulated in the GDPR.
• It has been noted that medical data is now three times more valuable than credit-card details in illegal markets; therefore, organizations handling and sharing health data for any purpose must ensure that this data is protected from unlawful loss, access, or disclosure to avoid causing substantial distress to data subjects. When such personal data has been anonymized, then security is less of a concern from a data protection/privacy perspective because the data protection legislation does not apply to data where an individual can no longer be identified; however, anonymized data may still pose a commercial risk due to its value.

Patient Trust

Many individuals may not initially feel comfortable knowing that technology has made a potentially life-or-death decision about their healthcare and/or treatment plan. The healthcare sector is grounded in trust and personal care and compassion for those in need, and some see AI as removing that personal element in favor of a machine-led, batch-process type system where the individual and his or her needs may not be at the core of the decisions and care provided.

It could be argued, however, that AI and increased technology use within healthcare systems could actually improve personalized health care and give individuals more control over their own health by involving them in the process and allowing them to monitor their health remotely.

Many patients may also be uncomfortable with the lack of formal qualification and/or testing of AI technologies and machines, in contrast with healthcare professionals such as doctors and surgeons who often study and train for many years acquiring knowledge and skills in a particular area, which instils trust in patients.

Additionally, some patients may be unwilling to accept such AI technology as part of the healthcare system, given that in recent years the growth of AI technologies has brought about some general mistrust around the rapid growth of AI technologies in our daily lives.

How can the healthcare sector alleviate such concerns? All new technology experiences some bumps on the path to acceptance; distrust or suspicion of new technologies and fear of error takes time and education to overcome. Focusing on the patient and individual care, along with reassuring patients that AI technology will not replace doctors, may alleviate the fears of concerned patients. In addition, education about how AI technology will allow doctors to create more personalized healthcare treatment plans for patients and focus more on patient interaction and care will go a long way toward acceptance of AI technology in the healthcare sector. Medical care at its core is about empathy and care for patients, which cannot be replaced by AI technology, but AI technology can free up time and resources from those that provide that empathy and care by doing some of the “heavy lifting” so that the healthcare system can focus on the patients.

In terms of trust of the AI technology itself, there may need to be more legislative governance and/or accepted standards of testing for such technologies to reassure patients that the AI technology produces accurate results and has been thoroughly vetted as suitable to make decisions about health, diagnosis, and treatment.

There may also be a generational gap in that older patients are generally more wary of AI technologies and their infiltration into our daily lives. However, younger individuals—those who have been brought up in the age of social media, wearable devices, and other technologies—are generally more willing to accept and embrace AI than their parents and grandparents.

Overall, in time the benefits of AI to the healthcare experience (i.e., personalized care, diagnosis, and treatment; saved time and resources; and a more effective and cost-efficient healthcare system) will overcome patient mistrust in the technology.

Bias/Accuracy of Data

One concern that has been voiced by medical professionals is that the data available (from healthcare providers) to train AI technology and machines is not always accurate and often contain biases that may feed through into the technology, which may result in AI technology that is not representative of the population and therefore may not always make the correct decisions for every individual.

For example, in the United Kingdom especially, clinical trials (where most medical data is generated for research purposes) are dominated by white, middle-aged males; therefore, much of the data associated with medical trials is dominated in such a way. Ethnic minority populations, older people, and females are traditionally under-represented in medical trials; therefore, there may be implicit (or sometimes even explicit) bias in the data provided to an AI technology machine from which to learn. In other words, will the results provided by an AI technology based primarily on middle-aged, white males apply to individuals who are not middle-aged, white males? How will patients and providers know? However, there is also an argument that deliberately skewing the data the opposite way (e.g., by ensuring trials are reflective of all ethnic groups) could impact the effectiveness of a study where a condition may predominantly affect one group (e.g., sickle cell anaemia, which is most commonly found in those of African, Caribbean, Middle Eastern, and Asian origin).

Put another way, the output from an AI technology skewed in favor of one or more characteristics (i.e., the middle-aged male) may lead to inaccurate outputs and/or inappropriate treatment plans. In addition, some medical conditions are associated with certain groups more than others; therefore, AI technology may not be reflective of the conditions and medical needs of one group where the data used to train it were reflective of another group.

If AI technology is to reach its full potential in the healthcare system, care must be taken with the data used to train AI technologies to ensure that it is reflective of and includes a cross-section of the population, and is therefore fair and unbiased, so that its output is as accurate as possible.

Another issue, particularly with the NHS, is that hospitals are still very much reliant on paper-based records, although there has been for many years a push toward greater digitalization of healthcare records (which not only aids healthcare data-sharing for medical care purposes, but also assists in “feeding” such data to AI technology from which to learn). Nevertheless, legacy systems and the general lack of investment in technology has meant that moving toward any substantive ability to facilitate data sharing has been a slow process. The format of such records will also differ per area, data may not always be correctly labelled, and records are sometimes not kept as up-to-date as they should be. This lack of standardization creates gaps in information and could mean that the data from which the AI technology is learning is not the full picture of any one individual’s health/symptoms.

This brings questions about bigger issues in health care, especially in the United Kingdom, concerning whether it is possible to move forward with AI technology when the healthcare system is still not modernized enough to have easily accessible digital records. Although the United States is farther along in its adoption of electronic health care records and the digital data they contain, the implicit bias concern is equally strong in both countries. In addition, the lack of standardization of electronic data—both in the United States and between the United States and the European Union—makes ensuring a robust data input especially difficult. Although appropriate governmental regulations may address this, the market itself must figure out how to make it technically and financially viable.

Contractual and Regulatory Issues

There are a variety of potential complex contractual issues that must be addressed among developers and various stakeholders in the healthcare system before AI technology is rolled out, particularly regarding the allocation of liability. Where a doctor fails to diagnose correctly, prescribes the wrong dose of medication, or otherwise acts negligently, the patient has a claim against the doctor/healthcare provider, and the hospital or healthcare system in which the doctor/provider worked, for malpractice, negligence, and/or personal injury. However, who is liable where an AI technology failed to spot a cancerous tumour on a scan it analyzed?

There may be a lot of finger-pointing in this case. The doctors would argue that they were not liable because they (presumably) utilized the AI technology correctly, and that the fault lies with the hospital/healthcare system that required its use and/or the vendor/developer of the technology itself. The hospital/healthcare system might argue that is not liable because the third-party technology vendor developed the technology and trained the doctors in its use. The developer might argue that they are not responsible because AI technology is constantly “learning,” and only from the data it is given. It is important that the contracts between the developer and healthcare system, and between the healthcare system and its physicians, are clear on the allocation of liability in the event that a patient is harmed in relation to the use of AI technology.

Another issue that must be addressed by contract is the warranties (if any) that are provided by the developer to the healthcare provider. How likely is a developer to warrant that the AI technology is accurate? If unlikely, how could the healthcare provider understand its limitations? Is the training provided on the AI technology warranted to provide that information?

Regulatory issues also abound. In the United States, AI-enabled technologies may or may not be regulated as medical devices. Current regulations are unclear on this issue, but generally in both the European Union and United States, devices/technology used in the context of medical advice/health care requires approval. The problem with current regulatory approval processes is that approval is granted only to one specific version of a product and/or device, but AI technology and/or devices are constantly learning; if each iteration is a new “version,” then any approved version would be out-of-date almost immediately (and that’s without getting into “custom-made devices” within the medical device sector). Requiring regulatory approval for each version/iteration of the AI technology would be nonsensical. A new regulatory scheme tailored to the reality of AI technology (and other new and emerging technologies) in both the United States and European Union is needed.

Intellectual Property Ownership

Intellectual property and ownership issues regarding AI technologies include the following questions:

Who owns the data? For purposes of developing robust AI technologies, provided the bias issues discussed above are positively addressed, the more data, the better. Therefore, although AI developers/manufacturers could solicit the data from each data subject (i.e., the patient) directly, the more practical route is to acquire vast amounts of data from the healthcare provider, but who owns the data, and can the healthcare provider disclose/use the data this way?

In the United States, the patient generally does not own his or her medical information. The health record is generally owned by the provider that keeps the record (as a normal business record); HIPAA protects the privacy of the information for the benefit of the individual, but ownership of that information is not addressed in any federal law or the laws of 49 states (New Hampshire is the only state where the individual owns his or her information as a matter of statute). This structure applies only to the data fed into the AI technology. Who owns the output? Most likely, the developer or manufacturer will assert ownership to the results because it owns the algorithms that create the AI. What about results that are personal to an individual, such as a diagnosis or treatment plan? Isn’t that part of the health record owned by the provider?

In the United Kingdom, the person who developed the diagnosis and/or treatment plan owns the copyright in that plan (as the author of such plan); however, the personal information would still be owned by the patient (data subject) because it is personal to him or her. If the AI developer “owns” an individual’s diagnosis or treatment plan, can the developer sell or disclose it, or incorporate that information into other products, or use it for some other purpose? Currently, developers and users of AI technology are contracting around these issues, but that means that ownership, use, and disclosure are different across contracts as a result of individual leverage and market forces and, of course, such contracts leave out the patients entirely (unless the patient is providing the data to the AI developer directly).

In the European Union, there is a distinction between “ownership” and “control” over personal data. Data subjects (i.e., an individual) always retain ownership of their personal data (i.e., a company cannot own such information), but do not always have control over their personal data (e.g., a healthcare provider does not need permission to use one’s personal data because it was collected for the provider’s own purposes and control). Under the GDPR, data subjects are given enhanced rights over their own personal data; however, there are circumstances where a party who controls such personal data does not need to comply with the data subject’s requests and can continue to process the personal information (e.g., for medical treatment).

Where data is shared for the purposes of developing and/or testing AI technology, the key consideration should be transparency: Is the patient fully informed? Is there an appropriate legal basis? Without transparency, processing may be unlawful, and the patient could prevent it.

Who owns the algorithm? The algorithm is likely owned by the company who developed it for use in the device and/or AI technology; however, there are questions around whether someone can own something that is essentially a “self-learning” machine. Is the algorithm something tangible that can be explained? Or is the initial algorithm something tangible, but then the AI learns to improve this, and then the company no longer has control over the decision-making process?

Who owns the device/product/finished AI machine? This will depend on what the device or product is. Where the product is the technology, i.e., the algorithm, the healthcare provider may wish to own this to control more of the output. However, it is likely that the developer/manufacturer would want to claim ownership, especially where such use is novel in the sector.

UK/EU Thoughts

The United Kingdom has been investigating the role of AI in healthcare over the last few years, and in September 2018, the government published a code of conduct for data-driven healthcare technology. The code sets out 10 key principles (some relate to data protection and existing NHS codes of practice):

1. Define the user—who is the product for, and what problem are you solving?
2. Define the value proposition—why has it been developed?
3. Be fair, transparent, and accountable about what data are used—use privacy-by-design principles and data protection impact assessments.
4. Use data that are proportionate to the identified user need—use the minimum personal data required to achieve the purposes.
5. Make use of open standards—build in current standards.
6. Be transparent to the limitations of the data and understand the quality of the data.
7. Make security integral to the design—have appropriate levels of security to safeguard data.
8. Define the commercial strategy—commercial terms that benefit partnership between the commercial organization and healthcare provider.
9. Show evidence of effectiveness for the intended use.
10. Show the type of algorithm being developed or deployed, the evidence base for using that algorithm, how performance will be monitored on an ongoing basis, and how performance will be validated—show the learning method you are building.

It is clear from the United Kingdom’s willingness and prioritization of such a code of conduct that AI technology is seen as a method of advancing its healthcare system. It remains to be seen whether the code will be successful and ensure best practices among organizations working together to develop such technologies in the future. As of the date of this article, the government has more pressing priorities, and cooperation with the European Union in this area may be delayed.

The matter has also been discussed at an EU level, and in April 2018, the European Commission published its Communication on enabling the digital transformation of health and care in the Digital Single Market; empowering citizens and building a healthier society (the Communication). The Communication outlines the need for major reforms in the healthcare sector and how developing new and innovative ways of working (through the use of technology and digital platforms) could assist in transforming health care into a modern, innovative, and sustainable sector.

In December 2018, the European Economic and Social Committee (EESC) released its opinion on the Communication (the Opinion), which largely supports the Communication and the Commission’s roadmap for transformation of the healthcare sector, and outlined some observations of which to take note when implementing such a vision of transformation.

The Communication focuses on three key areas:

1. Citizens’ secure access to and sharing of health data. The Commission highlighted that many data subjects would like to have better access to their health data and have more control/choice over with whom it is shared; however, there is limited electronic access to health records. Often, records are in paper form and scattered among different healthcare providers, i.e., not available electronically in one central location.
2. Better data to promote research, disease, prevention, and personalized health care. Personalized health care is an emerging approach to health care that focuses on using data to better understand individual characteristics to enable care to be provided when necessary. The use of data have increased the healthcare sectors’ ability to monitor, identify, and predict healthcare conditions, which also means they are better equipped to diagnose and treat such conditions.
3. Digital tools for citizen empowerment and for person-centered care. The Commission recognizes that to cope with the ever-increasing demand on healthcare services, health care must move away from treatments and toward health promotion and prevention, which will involve a move away from disease and toward well-being, as well as a move away from fragmented service provisions toward a community-based care model.

Conclusion

There has been significant recognition at national and supranational government levels that AI technology has a role to play in the development of health care; however, many obstacles remain before AI technologies are fully accepted into those healthcare systems. Such issues will require thoughtful and careful consideration by technology developers, healthcare providers, and healthcare professionals to develop a consistent approach to the issues identified as barriers to the full integration of AI technologies into the healthcare systems.

As noted, in the United Kingdom, the government has seen these potential issues arising in discussions about health care and AI and recognize the potential benefits to the NHS of adopting such technologies. The government has therefore published a code of conduct to ensure that healthcare organizations and those developing AI technologies are working together and upholding best practices when dealing with patient data.

In the European Union, the Commission has been considering more effective ways to encourage AI technology in the healthcare sector and has identified some barriers to adoption of AI technology in the healthcare sector and set out some proposals to remedy this.

In the United States, AI technology is becoming more accepted by patients and providers, but regulations are lagging behind innovation and acceptance, which may be dangerous to patients. In addition, the uncertainty around liability, ownership, etc. may be dampening progress in the United States, not to mention the uncertainty around whether AI technologies (and automation in general) will create jobs or eliminate them.

We hope that, moving forward, AI technology companies and the healthcare sector find a way to partner successfully, utilizing patient data in a safe and secure manner while training AI technology/machines to provide healthcare assistance in the future, and ensuring that our healthcare systems move with the times and cope with mounting pressure on staff, time, and resources to the benefit of all.

The authors thank the Health IT Task Force of the Cyberspace Committee for support and assistance with the article.

Introduction

 The Bankruptcy Court for the District of Maryland recently ruled that a secured creditor retains its priority over other junior creditors even though its UCC financing statement lapsed during the bankruptcy case.  The case resolves a conflict between federal bankruptcy law and UCC state law. The freeze rule maintains the petition-date priority of the secured creditors throughout a bankruptcy case.

The Case: Firstrust Bank v. Indus. Bank (In re Essex Constr., LLC), 591 B.R. 630 (Bankr. D. Md. 2018)

Essex Construction, LLC filed for bankruptcy under chapter 11. On the petition date, two banks held perfected security interests in the debtor’s assets: Firstrust Bank and Industrial Bank. On the petition date, Industrial held the senior interest. Industrial recorded its UCC-1 financing statement in 2012; Firstrust in 2014. The debtor filed for bankruptcy in 2016. One year later, in 2017, and while the case was still in chapter 11, Industrial’s financing statement lapsed.

The issue centers on the post-petition lapse of Industrial’s financial statement. Neither bank disputed that Industrial held the senior interest on the petition date. They disagreed on the effect of the post-petition lapse. Firstrust argued that state law—Article 9 of the UCC—mandates that it should jump Industrial in priority and that a chapter 11 proceeding should not change this result under state law.  Industrial asserted that the freeze rule in bankruptcy rendered the post-petition lapse inapplicable for determining priority.

Priority Lost: Article 9 of the UCC

Under section 9-515 of Maryland’s UCC, a filed financing statement remains effective for five years. Industrial filed its statement in 2012, and it remained effective until 2017.  Absent the filing of a continuation statement, the financing statement lapses on the expiration date and rendered unperfected pursuant to section 9-322(a)(2), which states that a perfected security interest has priority over a conflicting unperfected security interest.  In short, a secured creditor will lose its place in line if it fails to file the continuation statement.  Under this rational, Firstrust argued that its security interest had priority over Industrial’s conflicting unperfected security interest because of the lapse in 2017.

Firstrust relied on legislative history. It noted that the UCC used to state the following: “[i]f a security interest perfected by filing exists at the time insolvency proceedings are commenced by or against the debtor, the security interest remains perfected until termination of the insolvency proceedings.”  That language was removed in the current version of the UCC.  Firstrust argued that the removal of this language evidenced the legislature’s intent to eliminate the freeze rule. That rational, however, was not supported by the comments to the section 9-515, which explain that the legislature did not intend to eliminate that rule.  Rather, the comments confirm that the effect of the lapse on priority is left to courts to decide based on federal bankruptcy law.

Priority Regained: Freeze Rule in Bankruptcy

In bankruptcy, the freeze rule freezes the priority of a security interest as of the petition date, which will remain the priority throughout the bankruptcy case. This principle has been recognized by the U.S. Supreme Court since at least 1931: “valid liens existing at the time of the commencement of a bankruptcy proceeding are preserved.” Isaacs v. Hobbs Tie & Timber Co., 282 U.S. 734, 738 (1931).

Two leading cases explain how the freeze rule works. In Halmar Distributors, a debtor moved its inventory to Massachusetts. The senior secured creditor filed proper financing statements in New York, but the junior filed in both New York and Massachusetts. Under the UCC, the senior had to file in Massachusetts within four months to maintain its position. It failed to do so. Yet the court found that the senior maintained its position because the lapse occurred after the debtor filed for bankruptcy. The senior secured creditor’s position was frozen in time on the day of the petition.

The second case is Chaseley’s Foods. It also involved the effect of a lapsed financing statement on a secured creditor’s priority. Again, the court found that the secured creditor maintained its status despite failing to file a continuation statement during a bankruptcy case. The court also addressed the effect of the UCC. It concluded that a bankruptcy case maintains the priority of a secured creditor regardless of whether a provision in the UCC reaffirms this principle. The lapse makes no change.

That is what happened here. Before bankruptcy, Industrial had priority over Firstrust. On the day of the bankruptcy filing, Industrial had priority over Firstrust. Throughout the bankruptcy case, Industrial had priority over Firstrust. Nothing changed when Industrial’s financial statement lapsed shortly after the bankruptcy filing. Under the UCC, Industrial would have lost priority. But the freeze rule maintained Industrial’s priority—a result that the drafters of the UCC affirmed in their comments to Article 9. A senior secured creditor in bankruptcy need not file a continuation statement to maintain its priority.

The American Bar Association’s Derivatives and Futures Law Committee published a first-of-its-kind comprehensive legal guide for practitioners and their clients involved with the fast-developing markets for “crypto” or “virtual” currencies, and the many other types of digital and digitized assets that exist or are recorded on blockchain platforms. The committee’s over 300-page White Paper, “Digital and Digitized Assets: Federal and State Jurisdictional Issues,” reviews the complex web of federal and state statutes and precedents that have been applied to transactions in such digital assets.

The paper was prepared by the Jurisdiction Working Group of the committee’s Innovative Digitized Products and Processes Subcommittee, with contributions from 34 lawyers with expertise in derivatives, securities, FinTech, and related areas of law. The paper summarizes the current interpretations and applications of the federal securities, commodities, and derivatives trading laws, the federal anti-money-laundering statutes, and the state statutes governing money services businesses. It also reviews some of the principal international statutory approaches to regulating crypto assets. Recognizing the complexity and uncertainty of the law in this area, the subcommittee prepared the paper as a service to and resource for practitioners and policy makers. The Commodity Futures Trading Commission (CFTC) included a presentation on the paper at the meeting of its Technology Advisory Committee on March 27th.

Regulators face interpretative obstacles in determining the scope and application of laws that do not envision financial products with the novel, varied, and unique characteristics of digital assets. Recognizing these challenges, the CFTC, the Securities and Exchange Commission (SEC), the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), the Internal Revenue Service (IRS), and state regulators such as New York’s Department of Financial Services (New York DFS) have issued guidance or interpretations concerning application of their rules to digital asset products and market participants. Foreign regulators have done the same. In applying its laws and rules to digital assets, each regulator and standard-setting body must consider the potentially overlapping jurisdiction of other regulators, including cross-border issues.

The paper addresses these themes in eight sections: (1) a factual background describing the various types of digital or crypto assets and blockchain systems; (2) CFTC jurisdiction over digital assets, with an emphasis on virtual currencies; (3) SEC regulation of digital assets under the Securities Act of 1933 and Securities Exchange Act of 1934; (4) regulatory implications under other federal securities laws, specifically the Investment Company Act and the Investment Advisers Act; (5) issues created by jurisdictional uncertainty between the CFTC and SEC, an analytic framework for considering those issues, and potential tools for resolving jurisdictional issues; (6) FinCEN’s regulation of digital assets; (7) international regulation of digital assets and blockchain technology; and (8) state regulation of digital assets. These sections lay out the varying and diverse approaches taken by federal, international, and state regulators with respect to digital asset uses and markets as well as interpretative issues associated with each approach, given that digital asset markets are still in the early stages of development.

Section 1 is a high-level primer on blockchain technology and the different categories of digital and digitized assets and how they function within a blockchain or other electronic ledger. It explains that the absence of uniform definitions for digital assets creates obstacles for regulators in establishing what obligations should apply to these products.

Section 2 provides an overview of the Commodity Exchange Act (CEA) and how the CFTC has applied it to digital assets—with a focus on virtual currencies—and derivatives based on them. It analyzes the potentially broad reach of the CEA’s definition of “commodity” (which covers items one would not expect under a common understanding of the term, such as securities) and the interpretative questions it raises since the CFTC first formally asserted in 2015 that virtual currencies are commodities within its oversight. It analyzes the CFTC’s authority to regulate derivatives on digital assets listed on registered exchanges, swaps on digital assets, and off-exchange leveraged or financed transactions involving digital assets with retail persons, as well as the agency’s anti-fraud and anti-manipulation enforcement authority over digital asset markets. This section also summarizes the current jurisdictional boundaries between the CFTC and the SEC over the various types of financial derivative instruments.

Section 3 explains the application of the Securities Act, the Exchange Act, and SEC regulations to digital assets. It explains the SEC’s treatment of digital assets as securities if they are deemed to be “investment contracts” pursuant to the Supreme Court’s four-part test set out in SEC v. Howey, and the regulatory obligations that apply to issuers and market intermediaries with respect to digital assets that are securities, such as securities registration, reporting requirements and disclosures for issuers, and broker-dealer registration and capital requirements for intermediaries.

Section 4 covers the application of the Investment Company Act and the Investment Advisers Act to investment management activities involving digital assets. Among other things, it summarizes registration requirements for investment companies and for their shares, and explains how the definition of “security” for purposes of determining whether investments trigger investment company status can be broader than the definition in the Securities Act and Securities Exchange Act. With respect to the Investment Advisers Act, the paper explains what constitutes investment advice and summarizes registration requirements and exemptions from registration, and how they can arise in connection with digital assets.

Section 5 analyzes the overlapping and potentially conflicting jurisdiction of the CFTC and SEC and the need for agency guidance to provide a clear and commercially compatible regulatory regime. Recognizing that digital assets can diverge greatly in their characteristics and uses, defying easy “one size fits all” classification, section 5 suggests a framework for applying a jurisdictional analysis to such assets. The discussion includes an explanation of how CFTC and SEC jurisdiction has intersected in the past, and a set of questions for evaluating whether a particular digital asset is within the purview of one agency alone, both agencies together, or neither agency. Section 5 also discusses past instances of jurisdictional debates between the two agencies and how they were resolved. It describes the formal inter-agency process for cooperation mandated as part of the Dodd-Frank Act for clarification of each agency’s jurisdiction over novel products. The paper examines other potential methods to resolve jurisdictional issues without new legislation, including utilizing each agency’s exemptive authority.

Section 5 is particularly timely. SEC FinHub recently issued a “Framework for ‘Investment Contract’ Analysis of Digital Assets” that provides color on how to apply the Howey investment contract analysis to digital assets, and identifies additional considerations for reevaluating whether a digital asset initially sold as a security remains a security in the future. The framework does not address the jurisdictional issues raised in section 5, but may help further illuminate how the SEC and CFTC can jointly address them.

Section 6 explains FinCEN’s regulation of virtual currency issuers and sellers through its authority to regulate “financial institutions” under the Bank Secrecy Act (BSA). These regulations focus on combating money laundering and terrorism financing. This section discusses the scope of FinCEN’s regulatory authority under the BSA and how FinCEN has interpreted the BSA’s term “financial institution” to extend its authority to certain virtual currency businesses deemed to be money services businesses. Those businesses are required to register with FinCEN, submit to examinations by the IRS, and establish an anti-money-laundering program. This section also describes FinCEN’s enforcement actions against virtual currency market participants.

Section 7 provides an overview of international regulations, directives, and guidance regarding virtual currency and other digital asset markets. It discusses European efforts initiated at both the EU level, through EU legislation and European Securities and Markets Authority guidance and statements, and the individual country level. These efforts include compliance obligations under the Markets in Financial Instruments Directive II, the European Market Infrastructure Regulation mitigation requirements, and European Parliament and EU Council amendments to anti-money-laundering legislation to specifically cover cryptocurrency exchanges and custodial wallet providers. Section 7 also summarizes approaches to virtual currency taken by regulators in the United Kingdom, Switzerland, France, Germany, Austria, Slovenia, Malta, Japan, South Korea, Singapore, China, and Australia, and addresses guidance by international bodies such as the International Organization of Securities Commissions, the Financial Services Board, the Financial Action Task Force, and the Bank for International Settlements.

Section 8 discusses key state regulators that also have asserted authority over virtual currency businesses. It focuses on the New York DFS regulations of virtual currency businesses and the requirement that those businesses register for a “BitLicense.” It explains the exemption from BitLicense regulations for virtual currency businesses that are chartered under New York banking law. Section 8 also summarizes the efforts of other states in regulating the issuance of virtual currencies or tokens through initial coin offerings, and an appendix provides a 50-state survey of the state laws and regulations that govern money transmitters and virtual currency regulations (as of January 23, 2019).

The subcommittee is undertaking other projects through its working groups. In addition to the efforts of the Jurisdiction Working Group, the Blockchain Modality Working Group is considering commercial and regulatory issues relating to application of blockchain technology in the financial markets and financial services industry, and the Self-Regulatory Organization Working Group is considering issues for potential implementation of self-regulation with respect to markets for digital assets.

On March 29, 2019, Section members and guests enjoyed a most interesting presentation by guest speaker Chris Gear, the vice-president of team operations and general counsel for Canucks Sports and Entertainment, which owns the Vancouver Canucks Hockey Club and Vancouver Warriors Lacrosse Club.

Chris reminded the audience of the fact that sport has become big business, and referring to the applicable laws as “sports law” is something of a misnomer; more accurately it involves the application of business law discipline to the sport context. Sport franchises are valued in the billions of dollars, and players are paid millions, sometimes hundreds of millions. Sport activities and the collateral aspects of those activities are often focal points in building cities and communities. Their activities are complex businesses that operate within the existing social and legal orders.

Sport, like all of society, continually evolves, as does its footprint. Chris gave the example of the rise of e-sport, which like it or not is now a factor. His company has already invested in the sector, particularly the competitive gaming aspects. In respect of the phenomenon, like any responsible business investment in something new, he sought “expert” advice. Although he could understand why individuals might have an interest in playing e-sports, why would people would pay to watch (often in specially constructed facilities) other people play e-sports, from which the players earn considerable income? The 12-year old expert’s perspective on this was simply, “Dad, you watch other people playing hockey for a living.” There will be much more of this to come.

The seminal events that brought Chris to sports occurred in 1984, when the Edmonton Oilers won the first of five Stanley Cup championships, led by the Great One, Wayne Gretzky, and when Los Angeles hosted the Olympic Games. This led to business school, followed by law school and subsequent professional experience in M&A, corporate finance, and related fields. His insertion in the sports field came from volunteer involvement in an annual PGA golf tournament sponsored by Air Canada, which helped him to understand the needs of sponsors and broadcasters. When Vancouver decided to bid for the 2010 Winter Olympic and Paralympic Games, Chris volunteered to work on the bid as an investment in the community at large.

After Vancouver won the bid, the chief legal officer of the organizing committee offered him a job on the legal team for the ensuing five to six years. It was a whirlwind experience, with long, difficult, but inspiring, work and some 5,000 contracts, for which there were precious few useful precedents (given that the preceding Olympic Games were held nin China, Italy, and Greece). They encountered the usual range of problems, from a lack of snow, interference with the torch relay, and initial bad weather that, fortunately, cleared up by the fourth day of the games.

During his time with the Canucks, there have been several legal issues to face, which have included legal proceedings arising from the career-ending injury of an NHL hockey player that took forever to resolve, including jurisdictional issues (whether the case should be resolved in civil court or within the NHL structure, and whether the injury was a personal or club responsibility) and a quantum of applicable damages. Other legal proceedings arose in the context of a trademark of the Vancouver Millionaires, a hockey club that had won the Stanley Cup in 1915, before the NHL was formed. The trademark had been acquired by a squatter, who sold t-shirts with a registered mark. The owner, a hard-rock performer named Thor (but off-stage a reasonable, mild-mannered Clark Kent), agreed to sell it, and the Vancouver team wore the jerseys in an NHL game commemorating the 1915 Stanley Cup winners.

The matter of trademarks is one of the most valuable assets for any professional team, which must be able to protect the rights it has granted to marketing partners and sponsors. A local Honda dealership jumped on the Canucks playoff bandwagon and portrayed itself as (in effect) a Canucks partner, painting the dealership in Canucks colours and generally occupying a great deal of Canucks “space.” This, of course, was not appreciated by the official Canucks sponsor in the automotive category, General Motors. The team sent a cease-and-desist letter to the dealership, which then took it to a local radio station and had it read over the air, painting the Canucks in a bad light. The learning experience for the team was that it had not explained in advance to the public how important it was to the Canucks that the rights granted be respected by the community at large.

An emerging set of rights relates to players. To what extent does a player retain the rights to her or his image, and to what extent does the club or organization own those rights? One solution to the dilemma was to create a group licence, under which the clubs could use four or more players in a club promotion, whereas in promotions involving three players or less, the individual players retained their personal rights, and their consent would be required. A local professional hockey team had a promotion for Canucks Water, using the portraits of four players on water bottles, under the group licence agreement. The agent for one of the four complained that the players union had no right to use his client’s image. The club immediately removed his image and found another player, who then trumpeted around town that they had had to change the complaining player’s bottles because those bottles tasted like piss. What comes around, goes around!

In his current role with the Canucks Management Team, Chris deals on a daily basis with risk management, governance, venue, and other agreements; player compensation; dealerships; sponsorships; the evolving e-sports; and concessions. He considers that sports are good for society and the local community. As he says, “We are all Canucks.”

During the Q & A following his initial remarks, Chris was asked what innovations were being adopted to make the game of hockey more interesting for spectators. Chief among these were the use of chips in the pucks and players’ uniforms to enable better tracking of the movements of both the players and the puck and better replays to demonstrate how plays developed, all as supplementary information for the fan base. There is also the possible use of biometric data and statistics (such as heartbeat, speeds, etc.) if such data is not used improperly, such as a club refusing to pay a large (or long-term) salary to a player who was shown by the biometric data to have an irregular heartbeat.

As we enter the 2019 proxy season, we want to bring your attention to a few topics that are likely to play a prominent role in the coming months.[1] In this article, we discuss some of the significant policy changes adopted by ISS and Glass Lewis applicable to the 2019 proxy season and the SEC’s continued focus on non-GAAP measures.

1. ISS PROXY VOTING POLICY UPDATES

ISS has updated its proxy voting policies for shareholder meetings held after February 1, 2019. The following is a summary of the significant policy changes:

A. Board Composition—Gender Diversity

For the 2019 proxy season, ISS will not issue an adverse vote recommendation due to lack of gender diversity. It will, however, highlight the lack of gender diversity in its report. For companies in the Russell 3000 or S&P 1500 indices, effective for meetings on or after February 1, 2020, ISS intends to recommend a vote against or withhold from the chair of the nominating committee (or other directors on a case-by-case basis) at companies with no women on the company’s board.

B. Board Accountability—Management Proposals (New)

ISS took note of the use of board-sponsored proposals to ratify existing charter or bylaw provisions during the 2018 proxy season. In particular, ISS noted that several companies “obtained no-action relief to exclude shareholder proposals to adopt or amend the right of shareholders to call a special meeting by seeking ratification of their current provision. Notably, none of these ratification proposals made material changes to the provisions that enhanced shareholders’ rights to call special meetings.”

In response, ISS has adopted a new policy to recommend a vote against/withhold from individual directors, members of the governance committee, or the full board where boards ask shareholders to ratify existing charter or bylaw provisions considering certain enumerated factors.

C. Shareholder Rights—Management Proposals to Ratify Existing Charter or Bylaw Provisions (New)

Under this new policy, ISS will generally recommend a vote against management proposals to ratify provisions of the company’s existing charter or bylaws, unless these governance provisions align with best practice. In addition, in certain instances, ISS could also recommend a vote against/withhold from individual directors, members of the governance committee, or the full board, in certain instances.

Action Items:

• In light of the new gender diversity emphasis, companies without any female board members may wish to include a firm commitment, as stated in the proxy statement, to appoint at least one female to the board in the near term.
• For a company that has included a shareholder proposal or management proposal in its proxy statement, consider expanding disclosure in its next proxy statement regarding the outreach efforts by the board to shareholders in the wake of the vote and the level of implementation of that proposal.

2. GLASS LEWIS

In late October 2018, Glass Lewis published its updated U.S. policy guidelines and 2019 shareholder initiatives policy guidelines. The following is a summary of some significant changes to the guidelines that are in effect for annual meetings held after February 1, 2019, except as noted below.

A. Board Gender Diversity

For meetings held after January 1, 2019, Glass Lewis will generally recommend voting against the nominating committee chair of a board that has no female members. Glass Lewis may extend this recommendation to vote against other nominating committee members depending upon several factors, including the size of the company, the industry in which the company operates, and the governance profile of the company. This policy does not necessarily apply to companies outside the Russell 3000 index or those that have provided a robust explanation for not having any female board members.

B. Conflicting and Excluded Proposals

Glass Lewis has updated its policy related to “conflicting” management proposals, and in those instances where a special meeting shareholder proposal is excluded as a result of “conflicting” management proposals, it will take a case-by-case approach, taking into account the following issues: (1) the threshold proposed by the shareholder resolution; (2) the threshold proposed or established by management and the attendant rationale for the threshold; (3) whether management’s proposal is seeking to ratify an existing special meeting right or adopt a bylaw that would establish a special meeting right; and (4) the company’s overall governance profile, including its overall responsiveness to and engagement with shareholders. Glass Lewis noted that it generally favors a 10–15 percent special meeting right and will generally recommend voting for management or shareholder proposals that fall within this range.

With respect to conflicting proposals, Glass Lewis will generally recommend in favor of the lower special meeting right and will recommend voting against the proposal with the higher threshold. In addition, where there are conflicting management and shareholder proposals, and a company has not established a special meeting right, Glass Lewis may recommend that shareholders vote in favor of the shareholder proposal and that they abstain from a management-proposed bylaw amendment seeking to establish a special meeting right.

Glass Lewis also noted that, in certain, very limited circumstances where the exclusion of a shareholder proposal is “detrimental to shareholders,” it may recommend against members of the governance committee.

C. Environmental and Social Risk Oversight

Glass Lewis states that “an inattention to material environmental and social issues can present direct legal, financial, regulatory and reputational risks that could serve to harm shareholder interests,” and that these issues should be carefully monitored and managed by companies, including ensuring that there is an “appropriate oversight structure in place to ensure that they are mitigating attendant risks and capitalizing on related opportunities to the best extent possible.” The key is to have appropriate board-level oversight of material risks to a company’s operations.

In certain instances where “a company has not properly managed or mitigated environmental or social risks to the detriment of shareholder value, or when such mismanagement has threatened shareholder value, Glass Lewis may consider recommending that shareholders vote against members of the board who are responsible for oversight of environmental and social risks.” In instances where there is no explicit board oversight on these issues, Glass Lewis states that it may recommend that shareholders vote against member of the audit committee.

Action Items:

• A company that finds itself without any female board members should provide a sufficient rationale for not having any female board members. Issues addressed in explaining the rationale could include a disclosed timetable for addressing the lack of diversity on the board and any notable restrictions in place regarding the board’s composition, such as director nomination agreements with significant investors.
• A company that qualifies as a Smaller Reporting Companies (SRC) under the new SEC guidelines should consider retaining the full CD&A disclosure, rather than taking advantage of the reduced disclosure requirements available to a SRC.

3. NON-GAAP MEASURES—EQUAL OR GREATER PROMINENCE

On December 26, 2018, the SEC settled charges with a public company that its disclosure gave undue prominence to non-GAAP financial measures included in two earnings releases in violation of section 13(a) of the Exchange Act and Rule 13a-11 thereunder. Although not admitting the factual basis of the charges, the public company agreed to cease and desist from future violations and agreed to pay a civil penalty of $100,000.

Action Items:

• Issuers should review their use of non-GAAP financial measures in SEC filings and earnings releases in light of the May 2016 CD&Is and the SEC’s recent action. Issuers should pay particular attention to ensuring that they present GAAP measures with “equal or greater prominence” whenever they present non-GAAP measures.
• The SEC will measure for “equal or greater prominence” within each particular section of the relevant filing or release. If a headline mentions a non-GAAP measure, then that headline should also mention the comparable GAAP measure. If a group of bullet-pointed highlights mentions a non-GAAP measure, then the bullets should also mention the comparable GAAP measure. Providing the comparable GAAP measure later in a filing or release (or in a footnote) is not sufficient.
• Practically, even though “equal or greater prominence” is the standard used in Regulation S-K, issuers should aim for GAAP measures to have greater prominence than any non-GAAP measures. This means using the comparable GAAP measure first, and before any comparable non-GAAP measure, and highlighting the GAAP measure to a greater degree than the non-GAAP measure. Issuers should also carefully review the use of any non-GAAP measures that indicate an improving picture of the issuer’s finances, where the comparable GAAP measure would indicate the opposite.
• Although the SEC has been willing to allow issuers to correct their disclosures in future filings, this action indicates that the SEC believes that it has provided issuers with enough advance notice of its position on undue prominence of non-GAAP measures, and that the grace period it provided for compliance may be coming to an end.

The 2019 proxy season is well underway, and the topics noted above are a few items that are expected to generate some interesting headlines.

[1] This article is based on a series of Proxy Season client alerts we published in early 2019. The full series is available here <https://www.dlapiper.com/en/us/insights/publicationseries/2019-proxy-season-hot-topics/>.

Indictments are often viewed as a death knell for a publicly traded company. As a result, whenever a government investigation involves a potential criminal penalty, obtaining a civil or administrative resolution in lieu of a criminal resolution is typically viewed as a favorable outcome for the company. Fares v. Smith[1] highlights that civil administrative actions by components of the U.S. Department of the Treasury (Treasury) can be as devastating for a company as a criminal indictment. Moreover, although an indictment at least requires a grand jury to find that probable cause exists to support criminal charges, Treasury can immediately act without an independent review, and any after-the-fact judicial review of Treasury’s determinations is severely limited.

The Fares matter stemmed from an administrative action taken by Treasury’s Office of Foreign Assets Control (OFAC) that essentially killed a global business: OFAC issued a blocking order that immediately caused the shutdown of a duty-free enterprise that earned over $600 million in revenue in 2015 and employed more than 5,000 individuals throughout Latin America.[2] Although OFAC provides a nominal path for administrative reconsideration,[3] this type of proceeding effectively shifts the burden of proof, requiring the company seeking reconsideration to provide evidence as to why it does not satisfy the criteria for the blocking that OFAC has already imposed. Such a burden requires a business entity to do the nearly impossible work of proving a negative—that it is not engaged in unlawful transactions. The challenging party in Fares did not fare well when it sought judicial review: the court not only granted substantial deference to agency determinations, but citing national security, law enforcement sensitivities, and confidentiality restrictions, also allowed OFAC to withhold substantial portions of the evidence upon which the government relied in making its determination.

The decision in Fares illustrates the challenges with successfully obtaining judicial review of an adverse finding by Treasury. Therefore, the best approach is to take all reasonable steps to avoid being in a situation where judicial review is even necessary through a robust compliance program that identifies and reviews potentially problematic transactions before they become so great that Treasury decides to take administrative action.

Background on Fares v. Smith

In Fares, the plaintiffs asserted due process violations against OFAC for freezing their assets under the Foreign Narcotics Kingpin Designation Act (Kingpin Act).[4] The Kingpin Act authorizes the president to block the U.S. assets of “foreign person[s] that play a significant role in international narcotics trafficking,” referred to as “significant foreign narcotics traffickers.”[5] The secretary of Treasury can derivatively designate foreign persons who “materially assist” or provide “financial or technological support” or “goods or services in support of the international narcotics trafficking activities of” a significant foreign narcotics trafficker.[6] The secretary can also derivatively designate foreign persons deemed to be “owned, controlled, or directed by, or acting for or on behalf of, a significant foreign narcotics trafficker,” or foreign persons who “play[] a significant role in international narcotics trafficking.”[7] Foreign persons designated under the Kingpin Act are referred to as “specially designated narcotics traffickers” (SDNTs).[8]

A designation under the Kingpin Act immediately freezes “all . . . property and interests in property within the United States, or within the possession or control of any United States person, which are owned or controlled by” the designated person.[9] There is no prior notice. A foreign person is permitted to see the unclassified, nonprivileged basis for the designation and seek administrative reconsideration only after getting designated and having all of his or her assets blocked.[10] OFAC will typically disclose a heavily redacted, unclassified administrative record, primarily consisting of news articles and other publicly available information.[11] OFAC can provide an unclassified summary of the classified information upon which it relied for the designation, or even allow counsel with security clearances to view the classified record, but it is often not required to do so.[12] To seek reconsideration, a designated party usually must complete a detailed questionnaire from OFAC and ultimately make a written submission.[13] There are essentially two grounds for delisting: an insufficient basis for the designation or a subsequent change in circumstances.[14]

In Fares, OFAC designated two Panamanian men and the companies they controlled as SDNTs for allegedly laundering money on behalf of multiple international drug traffickers.[15] The companies they controlled, including a company that sold duty-free goods internationally, had hundreds of millions of dollars in revenue and thousands of employees.[16] A few weeks after the designation, the plaintiffs requested OFAC to reconsider its decision, arguing that the designation would cause permanent adverse consequences and that they should be allowed to put their assets into trusts managed by independent persons approved by the U.S. government.[17] OFAC denied the initial request for reconsideration, but agreed to begin production of the administrative record.[18] One month later, OFAC produced the administrative record in two batches, and it was “very heavily redacted” because OFAC maintained that “law enforcement sensitiv[e]” or other forms of “privilege” required the almost complete redaction of the evidence underlying the designation.[19]

About a month after that, the plaintiffs filed suit against OFAC, arguing that OFAC failed to adequately disclose the basis for their designations and therefore did not provide sufficient notice under the Due Process Clause of the Fifth Amendment.[20] Only one day after the plaintiffs filed suit, OFAC provided a “terse[,] . . . two[-]paragraph,” unclassified summary of the evidence underlying the redacted portions of the administrative record.[21] Two months later, OFAC produced “a more substantial summary spanning several pages.”[22] After reviewing the entire record disclosed by OFAC, including the summaries disclosed months after the plaintiffs filed suit, the district court held that “the total body of information” gave the designated parties adequate notice and, therefore, satisfied due process.[23] In particular, unlike other challengers to OFAC’s blocking actions, “who were left in the dark as to the reasons for their designations,” the plaintiffs in Fares were “apprised, primarily via the [more substantial summary provided two months after they filed suit], of the government’s view regarding the basis for their designations, and as such, [could] meaningfully” rebut OFAC’s evidence and arguments.[24]

The D.C. Circuit affirmed the district court’s ruling, but it viewed the issue before it to be very narrow, holding that it essentially had no choice but to rule in OFAC’s favor because the plaintiffs in Fares declined to challenge the unclassified summaries, their involvement in money laundering, the nonspecific nature of the summaries, or the scope or legitimacy of the government’s “sweeping redactions to the administrative record.”[25] Rather, the court found that the plaintiffs in Fares chose to “present a single claim on a single theory[,] . . . insist[ing] that the court . . . order the agency to turn over the actual underlying evidence (or details regarding that evidence that would aid them in identifying its sources), or else require the agency to delist plaintiffs.”[26] The court held that this “all-or-nothing argument” was unavailing and decided the matter based on the narrow issue the plaintiffs in Fares chose to present.[27] To be sure, the D.C. circuit court, in dicta, signaled an openness to consider the broader due process concerns presented by the government’s ability to rely on heavily redacted administrative records,[28] particularly when the government cites law enforcement interests as opposed to national security concerns.[29] Although the dicta might provide cause for hope, it does not provide binding authority with which a designated entity can challenge the current practice of extensively redacting the administrative record.

The Importance of Compliance

Once a company is in the crosshairs of a Treasury component like OFAC and receives notice of an administrative action, the odds are already heavily stacked against the company. For large companies, such as the duty-free company in Fares, which process thousands of transactions each day, rebutting allegations from publicly available news articles and short summaries of confidential or classified information will essentially require a company to prove a negative—that it is not involved in unlawful activity—an endeavor that will require a costly and time-intensive review of tens, if not hundreds, of thousands of transactions that occurred during whatever multiyear period is under investigation. Even after such a review is completed, there is no guarantee that the review will directly address, or address to OFAC’s satisfaction, all of the specific transactions reflected in the classified, or otherwise confidential, portions of the evidence upon which OFAC relied but has withheld.

These substantial procedural and evidentiary obstacles highlight the need to take the necessary steps to maximize the likelihood that OFAC will not even consider initiating one of these administrative actions. Companies should work with outside counsel to ensure that they have a robust, state-of-the-art compliance program in place that minimizes the likelihood that sustained, violative transactions might occur and that can be lauded if some violative transactions do nevertheless occur. The immediate and substantial penalties associated with administrative action, coupled with minimal opportunity for agency or judicial review, make it incumbent on companies to do everything within their power to be proactive and to avoid an SDNT designation or any other comparable designation. As Fares demonstrates, obtaining post-designation relief can be challenging. For many businesses, designation in and of itself may be a fatal blow, and even if the business survives that blow, the prospects for relief through reconsideration can be dim.

[1] Fares v. Smith, 249 F. Supp. 3d 115 (D.D.C. 2017), aff’d, 901 F.3d 315 (D.C. Cir. 2018).

[2] Fares v. Smith, No. 16-1730 (CKK), at Dkt. No. 1 (Compl.) ¶ 7 (D.D.C. filed Aug. 25, 2016).

[3] 31 C.F.R. § 501.807 (setting forth administrative reconsideration process that, inter alia, requires Treasury to “provide a written decision to the blocked person”).

[4] Fares, 249 F. Supp. 3d at 118.

[5] 21 U.S.C. §§ 1903(b), 1907(7).

[6] Id. § 1904(b)(2).

[7] Id. § 1904(b)(3)–(b)(4).

[8] See 31 C.F.R. §§ 598.803, 598.314.

[9] 21 U.S.C. § 1904(b).

[10] See 31 C.F.R. § 501.807.

[11] Fares, 249 F. Supp. 3d at 125. See also Sulemane v. Mnuchin, No. 16-1822 (TJK), 2019 WL 77428, at *5–*7 (D.D.C. Jan. 2, 2019) (rejecting arguments that OFAC’s reliance on “open-sourced” news articles violated the Administrative Procedures Act).

[12] See, e.g., Al Haramain Islamic Found., Inc. v. U.S. Dep’t of Treasury, 686 F.3d 965, 983 (9th Cir. 2012).

[13] See, e.g., Kadi v. Geithner, 42 F. Supp. 3d 1, 29 (D.D.C. 2012).

[14] 31 C.F.R. § 501.807(a).

[15] Fares, 249 F. Supp. 3d at 119.

[16] U.S. Treasury Office of Foreign Assets Control, “Treasury Sanctions the Waked Money Laundering Organization” (May 5, 2016); 81 Fed. Reg. 28,937 (May 10, 2016); Fares v. Smith, No. 16-1730 (CKK), at Dkt. No. 1 (Compl.) ¶ 7 (D.D.C. filed Aug. 25, 2016).

[17] Fares, 901 F.3d at 319.

[18] Id. at 319–20.

[19] Id. at 320.

[20] Id.

[21] Id.

[22] Id.

[23] Fares, 249 F. Supp. 3d at 127.

[24] Id.

[25] Fares, 901 F.3d at 322–23.

[26] Id. at 323.

[27] Id. at 323–26.

[28] Id. at 324–25.

[29] Id.