The requirements of the Bank Secrecy Act (BSA) and anti-money-laundering laws (AML) are pervasive and longstanding, yet they continue to vex companies trying to comply with them. Regulators have hit virtually all large banks, and many nonbanks, with BSA/AML-related enforcement actions, resulting in large fines, deferred prosecution agreements, criminal consequences, and reputational damage.
New BSA/AML requirements are making compliance more, not less, challenging. The Financial Crimes Enforcement Network’s Customer Due Diligence Rule,[1] for example, will add to compliance costs and could contribute to further de-risking of bank accounts for money services businesses and other customers. This has made it more difficult for customers to maintain accounts and added to the demanding nature and already high cost of BSA/AML compliance.
The nexus between BSA/AML requirements and law enforcement and national security concerns will ensure that compliance remains a top priority for regulators and the Department of Justice. Understanding exactly what is required of an institution from a BSA/AML perspective is therefore more critical than ever.
Background
Enacted in 1970, the BSA is primarily a recordkeeping and reporting statute. Its purpose is to require certain reports or records where they have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.[2]
Tax evasion was the BSA’s initial purpose, but it subsequently became a primary weapon in the fight against narcotics, money laundering, terrorist financing, human trafficking, elder abuse, and other illicit activity. The Patriot Act,[3] enacted shortly after 9/11, expanded the BSA beyond banking, and now most nonbank financial institutions have BSA-related obligations, including compliance programs and suspicious-activity reporting. Even entities not subject to the BSA often assume compliance responsibilities because they contract with an entity subject to the BSA.
Chief among this expanded scope of institutions subject to the BSA are money services businesses (MSBs)—money transmitters, check cashers, providers of prepaid access, and dealers in foreign exchange, among others—and residential mortgage loan originators (RMLOs). The specific requirements for these categories of institutions are discussed in detail below.[4]
Requirements for MSBs
Compliance program. The fundamental requirement for MSBs under the BSA is the development and implementation of a BSA/AML compliance program that is reasonably designed to prevent the MSB from being used to facilitate money laundering and the financing of terrorist activities. The written compliance program must be commensurate with the risks posed by the location and size of, and the nature and volume of the financial services provided by, the MSB and made available for inspection by the Department of the Treasury.
These programs must incorporate what are referred to as the four pillars:
policies, procedures, and internal controls that are reasonably designed to assure compliance with the BSA, including procedures to verify customer identification (applicable only to providers or sellers of prepaid access), file reports, maintain records, and respond to law enforcement requests;
a designated person to assure day-to-day compliance with the program;
education and training of appropriate personnel; and
independent review to monitor and maintain an adequate program.
Registration. MSBs (other than providers of prepaid access) are required to register with FinCEN and renew that registration every two years; states in which the MSB does business often require registration as well. Agents generally do not have to register.
Reporting. MSBs have specific reporting requirements, the most important of which are currency transaction reports (CTRs) on cash transactions exceeding $10,000 and suspicious-activity reports (SARs) on suspicious transactions exceeding $2,000. MSBs must retain CTRs and SARs for five years from the date of filing.
An MSB may disclose SARs to only a limited group: FinCEN; a federal authority (such as the IRS) or state authority with power to examine the MSB for compliance with the BSA; and federal, state, and local law enforcement. Strict confidentiality requirements apply, with criminal penalties for unauthorized disclosure. The business may share facts, transactions, and documents underlying a SAR with other institutions and, in limited circumstances (permitted by regulation or regulatory guidance), may share the actual report within the organization. MSBs are protected from civil liability extending from SAR filings. FinCEN and its delegates are responsible for examining MSBs for compliance with these requirements.
Requirements for RMLOs
RMLOs are subject to program requirements that are similar to those applicable to MSBs. Although RMLOs are not required to submit CTRs, they are required to file similar reports (Form 8300) when receiving cash payments over $10,000. They are also subject to SAR requirements, although the filing threshold is $5,000. The SAR recordkeeping and confidentiality requirements also apply, as well as the safe harbor from civil liability. As with MSBs, FinCEN and its delegates conduct compliance examinations.
Sanctions
Sanctions are not formally part of the BSA, but are related and important. Compliance with the sanctions regime is required for all U.S. persons, not just financial institutions. The Office of Foreign Assets Control (OFAC) is responsible for administering U.S. sanctions. There is no formal program requirement, but regulators expect banks and most nonbank financial institutions to have an effective filtering process in place to screen accounts and transactions for the involvement of individuals and entities that are on the Specially Designated Nationals and other lists or are OFAC-sanctioned jurisdictions, such as Iran and North Korea. Companies are expected to block or reject (depending on the exact sanctions) attempted transactions that result in hits and report them to OFAC. Sanctions compliance has been under intense scrutiny in recent years, and violations have resulted in large fines.
Conclusion
Although nonbanking institutions are not regulated for BSA/AML and sanctions compliance to the same degree that banks are, they are widely perceived as vulnerable to illicit activity and therefore subject to significant scrutiny. Enforcement agencies include FinCEN, DOJ, and OFAC as well as federal, state, and local regulators. As fines over many years have made clear, the costs of getting it wrong in this area can be severe. Institutions subject to the BSA/AML requirements should therefore take care to develop, implement, and maintain procedures covering the following areas:
risk assessment
customer identification
customer due diligence/enhanced due diligence (CDD/EDD)
customer risk rating
monitoring
investigation
SARs
CTRs
The primary purpose of these procedures is to help companies develop a deep enough understanding of their customers to be aware of which ones present AML risks, and then help companies successfully manage those risks while identifying and reporting suspicious transactions.
Given the expanding role of nonbanking institutions in the payment system and the overall economy—and the persistent focus on money flows implicating national security or law enforcement concerns—BSA/AML compliance is poised to be an area of increasing importance for the foreseeable future.
[1] See Customer Due Diligence Rule, 31 C.F.R. § 1010.230.
[4] Much of the subsequent discussion of the requirements of BSA/AML laws and related compliance obligations consists of descriptions drawn from 31 C.F.R. §§ 1010, 1020, and 1029. For more information, see https://www.law.cornell.edu/cfr/text/31/subtitle-B/chapter-X.
For much of 2018, Canada was the focal point of the global cannabis industry due mainly to Canada’s federal legalization of cannabis for recreational purposes, which occurred on October 17, 2018. Fueled by optimism surrounding both Canadian and global prospects, we saw a significant uptick in capital raising in the cannabis industry, with nearly US$13.8 billion raised in 2018, up from US$3.5 billion in 2017. Much of this capital raising activity was a result of U.S. cannabis companies that looked north of the border for access to capital markets.
Despite being only 6 months removed from legalization, Canadian licensed producers (LPs) appear to have shifted their focus to (i) developing “next generation” products, such as edibles and “vapes,” which are set to become legalized in Canada in October 2019, but which have been legal for some time in certain U.S. states, such as Colorado, California and Washington, and (ii) implementing a rest-of-world strategy that includes exposure to the U.S. cannabis market—both resulting in an increasing number of transactions reaching across the border. As U.S. clients are requiring more and more guidance from counsel, U.S. law firms are grappling with how to advise with respect to both the Canadian and U.S. cannabis industries.
With respect to the development of next generation products, significant investments from major U.S. alcohol and tobacco companies have given credibility to the Canadian cannabis industry and provided certain players with an experienced partner for the next phase of legalization (both domestically and abroad). Constellation Brands (Constellation), a leading international producer of wine, beer and spirits, made a US$4 billion investment in Canopy Growth Corporation (Canopy). The investment closed in November 2018 and brought Constellation’s ownership stake in Canopy to approximately 37%. In December 2018, Altria Group Inc. (Altria), parent company of Philip Morris USA, announced a US$1.8 billion investment in Cronos Group Inc. (Cronos), representing a 45% ownership interest in Cronos.
With respect to exposure to the U.S. market, the enactment of the 2018 Farm Bill in the U.S., which created a federally legal environment for the cultivation, distribution and sale of industrial hemp, has provided an opportunity for Canadian LPs to establish a toe-hold in the U.S. market after having previously been denied access due to the restrictions of the major Canadian and U.S. stock exchanges against operations which are offside U.S. federal law. The significance of the Farm Bill stems from the presence of the non-psychoactive cannabinoid, cannabidiol (CBD), which is found in industrial hemp and for which the Brightfield Group has estimated a potential market of US$22 billion by 2022 in the U.S. alone.
Canadian LPs, including Canopy and Tilray Inc. (Tilray), have already taken advantage of the liberalized U.S. hemp laws to establish a presence south of the border. On October 15, 2018 Canopy announced that it had entered into an agreement to acquire the assets of Ebbu, Inc., a Colorado-based hemp research leader. Canopy has also taken a step toward establishing a cultivation presence in the U.S. by announcing on January 14, 2019 that it had been granted a licence by New York State to process and produce hemp. Canopy stated that it intends to invest between US$100 million and US$150 million toward the establishment of large-scale production capabilities focused on hemp extraction and product manufacturing within the U.S. Tilray, meanwhile, announced the acquisition of Manitoba Harvest, a Canadian hemp-based food processor with products currently sold in grocery store chains throughout Canada and the U.S. The company has been developing products containing hemp-derived CBD and plans to enter the U.S. CBD market once approved by the FDA.
CONSIDERATIONS FOR US LAW FIRMS
Cannabis continues to be a Schedule I narcotic under the federal Controlled Substances Act in the US. We have found little evidence of enforcement of federal law against cannabis companies operating within states that have established a legal framework, but, despite this, U.S. law firms have understandably been hesitant to provide legal services to companies that operate in the cannabis space. However, as was the case in Canada, the volume of activity in the space and the involvement of well-established, “traditional” clients have necessitated that major U.S. law firms become familiar with both the U.S. and Canadian cannabis industries.
The primary consideration from a U.S. legal perspective is that providing advice to a company that operates in violation of U.S. federal law, regardless of compliance with state cannabis laws, could be seen as aiding and abetting in the commission of a federal crime. Furthermore, a firm that accepts payment for such services could be in receipt of proceeds of crime under applicable anti-money laundering statutes. However, to advise a cannabis company that operates exclusively in Canada, or any other jurisdiction which has a legal framework regulating cannabis, does not appear to be a violation of U.S. law. As a result, many U.S. law firms have gotten comfortable advising cannabis companies that do not have U.S. cannabis operations, such as Canopy and Tilray. Similarly, U.S. law firms have gotten comfortable advising U.S. companies who do business with cannabis companies that operate solely outside of the U.S., such as Constellation, Altria and other U.S. investors.
U.S. law firms should take comfort from the policies of major stock exchanges (the TSX and TSX-V in Canada, and the NYSE and NASDAQ in the U.S.), which prohibit the listing of cannabis companies that operate in violation of U.S. federal law. Although such issuers are subject to continuous monitoring by the exchanges, law firms are best advised to conduct their own diligence prior to agreeing to act on behalf of any cannabis company.
Another consideration that has provided some comfort for U.S. law firms with respect to aiding and abetting in the commission of a federal crime is the degree to which a prospective client “touches the plant.” Any company that cultivates, processes, or sells cannabis would be said to “touch the plant”—these are the clients that U.S. law firms have been most hesitant to advise. However, as the degree of contact with the plant decreases, the comfort with providing legal services increases. For example, a client that is providing security systems or hydroponic lights to the cannabis industry is generally viewed as a much less risky client than one that directly touches the plant.
Even still, some U.S. law firms have gotten comfortable advising clients that touch the plant with the reasoning that general corporate, securities and transactional advice is not aiding and abetting the commission of a crime, as they are not advising on any matter that is a violation of federal law.
One final concern expressed by some U.S. law firms is that of reputational risk. There remains a degree of stigma associated with cannabis use, and that is considered by the general counsel and ethics committees of law firms when deciding whether to accept a cannabis-related mandate. Furthermore, as a relatively nascent sector, the cannabis industry has experienced some growing pains in both Canada and the U.S. in the form of questionable dealings by executives and directors. Many firms fear the prospect of seeing their name alongside their client’s in a news story regarding unscrupulous behaviour.
Ultimately, the level of comfort a law firm has with working in the cannabis space exists on a spectrum. Many large firms simply won’t advise on cannabis-related matters. Others have taken a cautious approach, working exclusively on deals that do not involve U.S. cannabis operations or with companies that are several steps removed from touching the plant. At the opposite end, there are those that have leapt headfirst into the industry, advising U.S.-focused clients that do in fact touch the plant, with an eye toward establishing a first-mover advantage in the industry and “being on the right side of history.”
LOOKING FORWARD
Even for firms that have avoided the cannabis industry to date, the reality in the U.S., as it was in Canada, is that traditional firm clients, whether it be investment banks, retailers, pharmaceutical or consumer packaged goods companies, will get involved in the cannabis space and firms will need to get smart in a hurry.
Federal legalization of cannabis in the U.S. appears to be on the horizon, whether it be as part of a 2020 election campaign or sometime prior. We expect that there will continue to be interest in U.S. hemp and cannabis assets from Canadian LPs in the interim and expect that there will be an explosion of activity in the form of capital raising and domestic M&A upon federal legalization in the U.S. At that time, firms that have developed experience, expertise and relationships in the cannabis industry will be well positioned to capitalize on the opportunity.
Recent months have been busy for banking lawyers focused on the cannabis industry and the legal and regulatory risks of providing financial services to marijuana-related businesses. Of principal note, in mid-December, President Trump signed the Agriculture Improvement Act of 2018 (the 2018 Farm Bill) into law, which lifted the federal prohibition on hemp production. This law also has significant implications regarding the legality of cannabidiol (CBD), a popular hemp derivative. This article will first explain the significance and implications of the 2018 Farm Bill, describe possible divergences in state and federal law regarding cannabis generally, and briefly touch on international developments.
For decades, the United States has been the only industrialized nation where hemp was not a legally authorized crop. Schedule I of the federal Controlled Substances Act of 1970 (CSA), 21 U.S.C. § 801 et seq., has long prohibited the growing, production, and sale of marijuana, which has been defined under the CSA as including all parts of the Cannabis sativa L. plant, with the exception of “the mature stalks of such plant, fiber produced from such stalks, oil or cake made from the seeds of such plant, any other compound . . . of such mature stalks (except the resin extracted therefrom), fiber, oil, or cake, or the sterilized seed of such plant which is incapable of germination.”[1] Hemp has been subject to the marijuana definition because it is also a variety of the Cannabis sativa L. plant. Hemp is characterized by low levels of tetrahydrocannabinol (THC), the primary psychoactive chemical in marijuana, and high levels of CBD, believed to have numerous therapeutic benefits. It is also capable of use in a diverse array of products, including construction materials, clothing, paper, cosmetics, pharmaceuticals, food, and dietary supplements.
Passage of the 2018 Farm Bill marks the first change in the federal classification of marijuana since Congress designated it a Schedule I controlled substance in 1970. Specifically, the 2018 Farm Bill’s hemp-specific provisions amend the CSA so that hemp, so long as it contains 0.3 percent THC or less, no longer comes within the federal definition of marijuana.[2] Certain cannabinoid derivatives of hemp would therefore also be removed from the purview of the CSA, including hemp-derived CBD. The 2018 Farm Bill’s hemp provisions build on the framework set forth in the 2014 farm bill, which allowed for some legal cultivation of hemp by states. The previous iteration of the farm bill allowed cultivation of hemp for research purposes under state-approved pilot programs connected to universities or state agricultural departments.[3] Some states declined to participate, however, and the Drug Enforcement Agency often took the position that the 2014 farm bill allowed only for the cultivation, not sale, of hemp and hemp-derived products.[4]
Section 10113 of the 2018 Farm Bill allows states to regulate hemp production if they so choose. Otherwise, federal requirements to be promulgated by the U.S. Department of Agriculture (USDA) will constitute the default regulatory regime in all 50 states. States must submit their plans to the USDA for approval prior to becoming effective. USDA review is meant to ensure that state laws comply with at least the minimum level of federal statutory requirements, and the USDA must act within 60 days of receipt. However, the USDA has indicated that it will not begin acting on state plans it receives until it promulgates its own regulations regarding hemp production, which it expects to do in fall 2019.
Under section 10113, state plans must include information concerning locations of hemp production, testing for THC concentration, disposal of noncompliant plants, compliance with the bill’s enforcement provisions, participation in law enforcement information sharing, and a certification that the state has sufficient resources to carry out its plan. These requirements indicate Congress’s desire to maintain a strict legal separation between marijuana and hemp.[5] As an additional step to ensure that marijuana is not grown under the auspices of hemp legalization, the 2018 Farm Bill bars individuals with felonies related to a controlled substance from entering into hemp production for 10 years following conviction.[6]
Notwithstanding hemp’s removal from Schedule I of the CSA, the legality of certain FDA-regulated categories of hemp products—including products containing hemp-derived CBD—remains uncertain at the federal level. Specifically, the 2018 Farm Bill provides that it does not “affect or modify the Federal Food, Drug, and Cosmetic Act [‘FFDCA’] . . . [or] the authority of the Commissioner of Food and Drugs and the Secretary of Health and Human Services.”[7] The U.S. Food and Drug Administration (FDA) has taken the position that cannabinoids, including CBD, are impermissible for use in food and dietary supplements.[8] Despite the existence of counterarguments, at the present time certain CBD products currently on the market, particularly those intended for ingestion, may therefore remain unlawful. The FDA has intermittently sent warning letters to entities that sell CBD products, including dietary supplements and topical cosmetic products, for making unproven drug claims about CBD’s health-related properties.[9] Moreover, FDA Commissioner Scott Gottlieb indicated in a statement released with the passage of the 2018 Farm Bill that the agency will “continue to closely scrutinize products that could pose risks to consumers . . . warn [them] and take enforcement actions.”[10] That said, the FDA is under significant political pressure to take a more relaxed attitude toward these issues. For instance, Oregon Senators Ron Wyden and Jeff Merkley recently sent a letter to the FDA Commissioner arguing that “it was Congress’ intent to ensure that both U.S producers and consumers have access to a full range of hemp-derived products, including hemp-derived cannabinoids.”[11] As a result, the FDA has indicated it will hold a public meeting in the near future to evaluate ways in which the current regulatory framework should be changed.[12]
Another difficulty for stakeholders in the industry will be accounting for the various treatments of hemp and CBD under state law. The 2018 Farm Bill does not preempt state law, and states could choose to regulate hemp and hemp-derived CBD in a more restrictive manner. In fact, it provides: “No Preemption—Nothing in this subsection preempts or limits any law of a State or Indian tribe that (i) regulates the production of hemp; and (ii) is more stringent than this subtitle.”[13] States have their own controlled substances laws that often mimic the provisions of the CSA as it existed prior to the 2018 Farm Bill’s amendments. This means that hemp and certain hemp products may still come within the marijuana definition under state law. Many state attorneys general have even publicly declared—prior to passage of the 2018 Farm Bill—that products containing CBD come within state marijuana prohibitions and are therefore subject to state enforcement.
States have chosen to react to the passage of the 2018 Farm Bill in several different ways. Some have chosen the path of Alabama. Alabama’s attorney general recently announced that because of the 2018 Farm Bill, the state is altering its prior position that the sale of CBD products violates state law.[14] Iowa has chosen to move more cautiously. The state attorney general and state agriculture officials met in January to determine whether CBD processed from industrial hemp should be legalized, and resulting legislation is currently pending.[15] On the other hand, not all states have reacted in tandem with the federal government. The South Dakota attorney general, for instance, confirmed that CBD products would remain illegal in the state and that the law would be enforced.[16] Although state legislators passed a bill legalizing hemp, the South Dakota governor vetoed it, and so the state’s prohibition remains in effect.[17] Participants in the industry, and financial services firms that deal with them, must be cognizant of the laws of states in which CBD products may be distributed.
Looking forward, there is ample evidence that the rules of the road regarding cannabis regulation will continue to evolve. FDA Commissioner Scott Gottlieb has stated that federal legislation addressing the divergence between state and federal law regarding marijuana is “inevitable” and will happen “soon.”[18] Several bills to this effect have already been introduced into Congress this year.[19] Further, it seems that President Trump is amenable to these changes. In June 2018, he said that he supported the STATES Act, which would protect states with legal marijuana regimes from federal interference.[20] He also nominated William Barr for attorney general, who has said that he would not go after companies that have relied on the “Cole Memorandum,” the U.S. Department of Justice guidance issued during the Obama administration directing prosecutors generally not to enforce the federal marijuana prohibition in states that have legalized marijuana (so long as those marijuana activities do not target minors or present other risks).[21] This represents a decidedly less aggressive approach than former Attorney General Jeff Sessions, who rescinded that guidance early last year.
With these federal developments looming in the background, states have continued to legalize marijuana use in different contexts. As of this writing, medical marijuana is legal in 33 states and the District of Columbia, with 10 of these and the District of Columbia also having legalized recreational marijuana. The pace of this change appears to be accelerating: 21 states considered adult-use marijuana legalization bills in 2018.[22] Voter initiatives ushered in legalization in Michigan,[23] Missouri,[24] Oklahoma,[25] and Utah.[26] For financial services companies, whether and how to engage with cannabis companies operating legally under state law will thus present a growing challenge.
Change also is evident both north and south of U.S. borders. Canada’s Cannabis Act was fully implemented as of October 18, 2018; as a result, U.S. financial institutions (and others) have been faced with how to engage with companies conducting legal cannabis business there.[27] Additionally, Mexico’s Supreme Court held in October that an absolute ban on recreational marijuana use is unconstitutional. A bill introduced by the ruling party (the National Regeneration Movement, or MORENA) in November would allow companies to grow and sell marijuana for commercial, medicinal, and recreational use.[28] However, Mexican legislators are still considering how marijuana legalization should be implemented.[29]
These shifting developments continue to pose compliance and legal challenges for financial services firms. Until a final U.S. federal resolution is reached, those challenges will remain present.
[9] See, e.g., U.S. Food and Drug Admin., Warning Letter to Hemp Oil Care (Feb. 26, 2015); U.S. Food and Drug Admin., Warning Letter to Natural Organic Solutions (Feb. 26, 2015).
[10] Statement from FDA Commissioner Scott Gottlieb, M.D., on signing of the Agriculture Improvement Act and the agency’s regulation of products containing cannabis and cannabis-derived compounds (Dec. 20, 2018).
[11] Letter from Ron Wyden & Jeffrey A. Merkley, U.S. Senators, to Scott Gottlieb, FDA Commissioner (Jan. 15, 2019).
[19] See, e.g., Regulate Marijuana Like Alcohol Act, H.R. 420, 116th Cong. (2019); Strengthening the Tenth Amendment Through Entrusting States Act, S. 3032, 115th Cong. (2018).
Often referred to as the intersection between venture capital and leveraged buyouts,[i] growth private equity investment (“growth equity”) has skyrocketed in recent years and continues to draw the attention of limited partners seeking exposure to emerging technology companies with potentially lower risk profiles than those financed at earlier stages of development.[ii] In 2018, growth equity investment reached record levels, with $66.1B invested across 1,057 deals in the United States (“U.S.”) alone.[iii] 2018 also saw the largest-ever growth equity fundraise with the close of New York-based Insight Venture Partners’ $6.3B technology-focused growth equity fund.[iv] This article will provide an overview of growth equity as an alternative investment asset class, and will also discuss its increasingly important presence in the financial technology (“Fintech”) sector.[v]
I. Defining Growth Equity
To date, there is no universally accepted definition of growth equity (also commonly referred to as growth capital or expansion capital) due, in part, to its similarity to other forms of alternative investment. The U.S. National Venture Capital Association (“NVCA”) and its Growth Equity Group have described growth equity as a “critical component” of the venture capital industry, and have defined growth equity investments as those that exhibit some, if not all, of the following characteristics: investors typically acquire a non-controlling minority interest in the company; investments are often unlevered or use only light leverage; the company is founder-owned and/or founder-managed with a proven business model, positive cash flows and rapidly growing revenues; and, invested capital is geared toward company expansion and/or shareholder liquidity, with additional financing rounds typically not expected until the growth equity investor’s exit.[vi] The European Bank for Reconstruction and Development has defined growth equity in a similar way, but has included mezzanine financing within its definition as a result of private equity investment patterns in the emerging Europe and Central Asia regions, which typically consist of combinations of venture, growth and buyout strategies.[vii]
From the company perspective, growth equity investment, in its varying shapes and sizes, fundamentally serves as a financing mechanism that fuels later-stage expansion into new product and/or geographic markets, often in preparation for a future merger, acquisition or initial public offering. In contrast to multi-investor early-stage venture financing rounds, growth equity investment may provide the company with the benefit of a higher-stake single investor who can provide strategic business and operational guidance that can translate into greater market share and profitability. This benefit, however, can become a double-edged sword for founders as a result of the growth equity investor’s potentially more significant influence over management decisions.
II. Growth Equity Investors
Growth equity investors include, but are not limited to, traditional private equity and venture capital firms that offer growth equity as one of several investment strategies, specialist growth equity firms, strategic corporate investors, and non-traditional institutional investors, such as pension funds and single family offices, which historically have not invested in emerging companies. According to Pitchbook data, the ten most active growth equity investors in 2018 were Business Growth Fund, Bpifrance, Foresight Group, Warburg Pincus, Kohlberg Kravis Roberts, The Blackstone Group, CM-CIC Investissement, Caisse de dépôt et placement du Québec, TPG Capital and General Atlantic. Of the 24 most active growth equity investors in 2018, the majority were concentrated in the U.S., France and the United Kingdom (“UK”), respectively.[viii]
III. Growth Equity Investment in Fintech
From an industry perspective, technology startups are considered attractive growth equity investment targets as a result of their perceived revenue stability and high growth potential.[ix] Software startups in the Fintech sector, in particular, received an aggregate of $11.9B in funding in 2018,[x] and are projected to attract continued interest from growth equity investors in 2019.[xi]
In the UK alone, growth equity investment in the Fintech sector rose by 57% to $1.6B in 2018,[xii] including General Atlantic’s $250M investment in lending startup Greensill Capital and Banco Bilbao Vizcaya Argentaria’s £85.4M investment in mobile-banking platform Atom Bank. In the U.S., recent examples of growth equity investment in Fintech include DST Global’s lead investment into Chime Bank, Goldman Sachs Principal Strategic Investments’ lead investment into Nav Technologies, and Edison Partners’ lead investment into YieldStreet.
With injections of growth equity financing, Fintech startups are able to deepen their domestic market share, as well as their international reach. Growth equity investment in UK Fintech startups, in particular, has contributed to their expansion into the U.S. market. One such example is UK-based small and medium-sized enterprise lending platform Oak North, which plans to launch in the U.S. in 2019 following a $440M growth equity investment from Softbank Vision Fund and the Clermont Group.[xiii]
IV. Conclusion
Growth equity is projected to continue its upward trend as an investment strategy of choice for later-stage investors in the Fintech sector. With higher levels of growth equity invested in promising Fintech startups, Fintech M&A and IPO activity is likely on the way. Private equity and venture capital attorneys should therefore pay close attention to developments in this space.
Disclaimer
The views and opinions expressed in this chapter are those of the author alone, and do not necessarily reflect the views of the American Bar Association, Crowell & Moring LLP, Stanford University or the University of Vienna. The material in this chapter has been prepared for informational purposes only and is not intended to serve as legal or investment advice.
In a case that could indicate the U.S. Supreme Court’s take on contemporary public attitudes toward the use of profane language and lewd images as trademarks, and have wider implications on the authority of the government to regulate and restrict profanity in other contexts, the court is set to decide whether a century-old provision of the U.S. trademark law, which authorizes the U.S. Patent and Trademark Office (USPTO) to reject registration of a trademark it considers to be “immoral” and “scandalous,” passes constitutional muster under the First Amendment.
The “scandalous clause” contained in section 2(a) of the U.S. Trademark Act instructs the USPTO to reject applications for registration of any mark that “consists of or comprises immoral, deceptive, or scandalous matter; or matter which may disparage or falsely suggest a connection with persons, living or dead, institutions, beliefs, or national symbols, or bring them into contempt, or disrepute.”[1] Invoking this clause, the USPTO rejected an application by Erik Brunetti for the mark FUCT for use in connection with a clothing line. The Trademark Trial and Appeal Board (TTAB) affirmed the examiner’s rejection.[2]
Brunetti appealed the TTAB rejection to the Federal Circuit Court of Appeals. While the appeal was pending, the U.S. Supreme Court issued a landmark ruling in Matal v. Tam,[3] which invalidated the disparagement provision of section 2(a) for being in conflict with the First Amendment’s right of free speech. Relying on Tam and expanding its holding, the Federal Circuit struck down the scandalous clause of section 2(a) as similarly failing the constitutional test of the First Amendment.
The USPTO filed a writ of certiorari to the U.S. Supreme Court requesting review of the Federal Circuit’s Brunetti decision, which the Supreme Court granted.[4] Now the issue for the Supreme Court in Brunetti is whether the analysis and reasoning it applied in Tam to reject the disparagement clause of section 2(a) will result in invalidation of the section’s scandalous clause as well.
Eight of the Supreme Court’s regular nine justices participated in the Tam decision. The justices were unanimous in concluding that the disparagement clause of section 2(a) was unconstitutional, but split on their analysis and approach to the issue, resulting in two plurality opinions penned by justices Alito and Kennedy, each of which was signed by four justices. Both plurality opinions rejected the USPTO’s argument that registering a trademark is a form of government speech and that, under the long-standing Supreme Court precedent, the government is permitted to communicate its own viewpoints without violating the First Amendment. The two plurality opinions also agreed that applying the disparagement clause requires the USPTO to engage in impermissible viewpoint discrimination. The opinions split, however, as to the other arguments put forth by the USPTO urging the court to uphold the disparagement clause. The Alito plurality rejected the government’s argument that allowing a trademark to register is analogous to providing a government subsidy and that the government need not subsidize programs it prefers not to encourage. Finally, Justice Alito’s plurality opinion analyzed the disparagement clause as a form of commercial speech and concluded it could not even pass muster under the more relaxed review standard applied to such speech.
On the other hand, the plurality Tam opinion issued by Justice Kennedy focused its analysis and reached its conclusion based on its application of a viewpoint discrimination test, which it articulated as inquiring into “whether—within the relevant subject category—the government has singled out a subset of messages for disfavor based on the view.”[5] The Kennedy plurality found that in exercising its authority under the disparagement clause, the USPTO necessarily engaged in impermissible viewpoint discrimination sufficient to make it constitutionally untenable. Having reached its conclusion based on viewpoint discrimination, the Kennedy plurality found it unnecessary to address the other government arguments, which the Alito plurality opinion had considered and rejected.
Because both Justice Kennedy and Justice Alito’s plurality opinions converged in their rejections on the viewpoint discrimination effect of the disparagement clause, the Supreme Court is expected to apply that ground and its accompanying reasoning and analysis to the scandalous clause at issue in Brunetti. Thus, the key inquiry in Brunetti may well be whether the USPTO’s exercise of its authority under the scandalous clause amounts to discrimination based on viewpoint. If so, then the clause will follow the fate of its disparaging counterpart and fall. If not, then the scandalous clause is likely to survive constitutional First Amendment scrutiny.
The USPTO regularly applies the scandalous clause provision of section 2(a) to reject marks that contain profane language or graphic sexual images—features that were not at issue in Tam. The application of the scandalous clause thus involves evaluation and judgment by the USPTO as to content of the trademark and not any viewpoint it may convey. It has long been settled that the First Amendment permits governments at the federal, state, and local levels to regulate graphic sexual images and profane language on government-run public forums, such as city buses. Relevant to First Amendment analysis of the USPTO’s trademark registration authority is that although a section 2(a) rejection denies registration of the mark with the USPTO, it does not preclude use of the mark in trade and commerce, given that under U.S. trademark laws the underlying rights in a trademark are obtained not by registration of the mark but by use of the mark to identify goods and services in trade and commerce. An owner of an unregistered mark would still have legal “common law” rights in the mark, which rights can be enforced in courts.[6] Therefore, trademark registration is not a requirement for possession of a legally valid and enforceable trademark.
The Supreme Court may well reverse the Federal Circuit’s Brunetti decision and restore the USPTO’s authority to reject trademarks under the scandalous clause of section 2(a), albeit perhaps on a narrower scale. Under either of Tam’s plurality opinions addressing viewpoint discrimination, the scandalous marks provision survives First Amendment scrutiny because the USPTO practice in this regard is content-based and viewpoint-neutral. A fair reading of Tam makes clear that the Supreme Court did not aim to grant First Amendment protection to words, phrases, and imagery that the general public accepts as profane and lewd, and that government restrictions on such are permitted so long as the restriction policy and practice is based on content and does not advocate or discriminate on the basis of particular viewpoint. In fact, even Justice Alito’s plurality opinion specifically recognizes that trademark registration is “more analogous” to “cases in which a unit of government creates a limited public forum for private speech,” wherein “some content-based restrictions are permitted.”[7]
Those “more analogous” cases have repeatedly upheld content-based restrictions on speech in limited public forums created by the government. For example, the Second Circuit Court of Appeals has upheld a Department of Motor Vehicle policy banning use of profane and lewd language on license plates, finding no First Amendment right to use the SHTHPNS license plate.[8] Governmental bans on the use of nude or sexually explicit imagery in clubs have similarly been held to be viewpoint-neutral. In that regard, the Supreme Court has held that “being in a state of nudity is not an inherently expressive condition.”[9] In another case, the Supreme Court held that the First Amendment did not prevent a school district from restricting the use of an offensive form of expression in a public school debate forum.[10] The decision went on to explain that “nothing in the Constitution prohibits the states from insisting that certain modes of expression are inappropriate and subject to sanctions.”
A compromise approach, suggested by Judge Dyk in his concurring opinion in the Federal Circuit’s Brunetti decision invalidating the scandalous provision of section 2(a), is to adopt a narrower reading of the scandalous provision to limit its application to obscene marks. In that regard, Judge Dyk noted that under the Supreme Court’s time-tested “saving construction” precedents, where possible, courts must construe federal statutes to “avoid serious doubt of their constitutionality.”[11] Moreover, certainty in curing an identified defect is not required for a court to engage in a saving construction. Rather, curing the constitutional defect need only be “fairly possible,” and “every reasonable construction must be resorted to.”[12] Judge Dyk’s concurring opinion suggested limiting the reach of the scandalous clause to “obscene marks, which are not protected by the First Amendment.”[13]
More than 740,000 bankruptcy petitions were filed in 2017 by individuals with debts that are predominantly consumer in nature. Through November last year, there were over 700,000 new filings. Given these numbers, lawsuits over alleged violations of bankruptcy discharges are frequently in the news, particularly because some of those lawsuits resulted in big sanctions. See, e.g., First State Bank of Roscoe v. Stabler, 247 F. Supp. 3d 1034, 1046 (D.S.D. 2017) (bank and its principal were jointly and severally liable to pay $159,605 in attorney’s fees plus individually liable to pay $25,000 in punitive damages). Attorneys have also borne the brunt of those sanctions. See In re Jon-Dogar Marinesco, Case No. 09-35544 (CGM) (Bankr. S.D.N.Y. Dec. 1, 2016) (compensatory and punitive damages awarded against two law firms).
For consumer debtors, the “principal purpose” of the Bankruptcy Code is a “fresh start.” This means a “new opportunity in life and a clear field of future effort, unhampered by the pressure and discouragement of preexisting debt.” Grogan v. Garner, 498 U.S. 279, 286 (1991). To achieve that purpose, debtors “discharge” most prepetition debts under section 727(b) of the Bankruptcy Code. An injunction under section 524(a)(2) of the Bankruptcy Code prohibits activity to collect discharged debts. See Bessette v. Avo Fin. Servs., Inc., 230 F.3d 439, 444 (1st Cir. 2000).
Congress has not designated a specific sanction for a violation of a discharge injunction. However, bankruptcy courts are vested with powers to protect their jurisdiction. Under section 105(a) of the Bankruptcy Code, a bankruptcy court may “issue any order, process or judgment that is necessary or appropriate to carry out the provisions of this title” and may “tak[e] any action or mak[e] any determination necessary or appropriate” to “enforce or implement court orders or rules.” 11 U.S.C. § 105(a). Hence, a bankruptcy court may use the contempt power to protect its jurisdiction and address violations of the discharge injunction under section 105(a). See Walls v. Wells Fargo Bank, N.A., 276 F.3d 502, 508 (9th Cir. 2002) (contempt is the “traditional remedy” and perhaps the sole remedy for discharge violations).
Discharge violations often arise when a creditor takes action that may be considered an effort to collect on a discharged debt. To prove a violation, the debtor as “the moving party has the burden of showing by clear and convincing evidence that the [creditor] violated a specific and definite order of the court.” Lorenzen v. Taggart (In re Taggart), 888 F.3d 438, 443 (9th Cir. 2018). Clear and convincing evidence is evidence that “instantly tilt[s] the evidentiary scales in the affirmative when weighed against the evidence [the nonmoving party] offered in opposition.” In re Taggart, 548 B.R. at 288 n.11 (citation omitted). Some arguments turn on a creditor’s intentions and awareness of the debtor’s discharge, which can be an important consideration if the underlying conduct was done innocently. However, not all courts agree that these issues should be considered at all. The United States Supreme Court will now decide.
The Emergence of the Good-Faith Defense
There is an argument that a creditor should be shielded from a discharge violation by its good-faith belief that the discharge injunction does not apply to its action relating to a discharged debt. The argument may apply even if the belief was “unreasonable.” Now, the Supreme Court will decide whether to permit this defense, following its grant of certiorari in Taggart. Taggart involves a dispute over interests in a limited liability company. On the eve of a state court trial, Mr. Taggart filed for Chapter 7 bankruptcy. The trial was therefore stayed, and Mr. Taggart ultimately received a discharge of the claim. However, the state court refused to dismiss Mr. Taggart from the litigation, although the parties agreed not to pursue a money judgment against him. Nonetheless, the plaintiffs sought attorney’s fees from Mr. Taggart, alleging his post-bankruptcy participation in the case fell outside the discharge injunction. In defense, Mr. Taggart moved to reopen his bankruptcy to hold his creditors in contempt for violating his discharge injunction.
The bankruptcy court agreed with Mr. Taggart and found the plaintiffs in contempt because they were aware of the discharge and intended their actions. The Bankruptcy Appellate Panel reversed because the bankruptcy court found that subjective or good-faith beliefs were irrelevant. The Ninth Circuit Court of Appeals affirmed that ruling, deciding that creditors could not be in contempt if they believed in good faith that the discharge injunction did not apply. The court of appeals reasoned that a creditor’s good-faith belief excuses a discharge injunction “even if the creditor’s belief is unreasonable.” Taggart, 888 F.3d at 444.
The Rejection of the Good-Faith Defense
Other courts disagree with this reasoning and refuse to allow consideration of the creditor’s intent and awareness. In In re Hardy, 97 F.3d 1384, 1390 (11th Cir. 1996), the Eleventh Circuit held that “the focus of the court’s inquiry in civil contempt proceedings is not on the subjective beliefs or intent of the alleged contemnors in complying with the order, but whether in fact their conduct complied with the order at issue.” Likewise, in In re Pratt, 462 F.3d 14, 19–21 (1st Cir. 2006), the First Circuit held that the creditor’s violation was actionable despite the lack of “bad faith.” The Fourth Circuit reached a similar conclusion in In re Fina, 550 F. App’x 150, 154 (4th Cir. 2014), holding a “good faith mistake is generally not a valid defense.”
Now the Supreme Court will step into the breach. The Court’s rejection of a “good-faith mistake” defense would certainly solidify the debtor’s “fresh start.” However, voiding this defense would subject creditors to strict liability for otherwise innocent activity. In addition, although a creditor’s good-faith intent may remain a factor for determining sanctions, see In re Szenes, 515 B.R. 1, 7–8 (Bankr. E.D.N.Y. 2014) (mere showing that the actions were deliberate is not sufficient for punitive damages; rather, the actions must have been taken with “either malevolent intent or a clear disregard and disrespect of the bankruptcy laws”), damages awards, including shifting attorney’s fees, would remain available where there is liability. As noted, these risks extend to creditors’ counsel personally.
Fortunately, there should soon be a more uniform standard of accountability. As of this writing, opening briefs have been filed, amici are weighing in with their policy arguments, and the Supreme Court will hear argument on April 24, 2019. The Solicitor General has also expressed interest, requesting argument due to ambiguity over the application of the discharge order to debts owed to the government. Under the circumstances, the outcome is uncertain, but we can predict that this will be an important benchmark for consumer creditors and debtors as well as the bankruptcy judges who decide these issues. This is equally so for the lawyers who represent those parties.
Business lawyers bring a valuable breadth of knowledge and experience to nonprofit boards, but as any business lawyer knows, a director of a nonprofit corporation owes a fiduciary duty of care to the corporation. This duty generally requires the nonprofit director to act with the care an ordinarily prudent person would in a like position under similar circumstances. At a minimum, the duty of care requires a nonprofit director to keep apprised of and understand financial and executive reports, strategic initiatives, budgets and fundraising developments, and other operational matters that materially impact the organization.
One area implicating the duty of care that is often minimized or even neglected by many boards of directors of tax exempt charities (hereinafter Board(s)) is the review and approval of the organization’s annual information return filed with the Internal Revenue Service (IRS), the Form 990. Form 990 is easily accessible by the public and therefore invites scrutiny on a broad range of the organization’s internal operations, including financial performance, compensation of executives and other insiders, results of key programs, and interested transactions. It is thus imperative for the Board and senior staff to understand and help frame the information presented in Form 990 well in advance of the due date for its filing.
Form 990 in All Its Shapes and Sizes
The IRS requires most organizations exempt from federal income tax under section 501(c)(3) of the Internal Revenue Code of 1986, as amended (the Code), and classified by the IRS as public charities (hereinafter organizations or exempt organizations) to file Form 990 by the 15th day of the fifth month after the end of the organization’s fiscal year. Organizations may obtain one automatic six-month extension of the filing due date by timely filing Form 8868 with the IRS. The type of Form 990 that is filed depends on the annual “gross receipts” and total assets of the filing organization. “Gross receipts” are the total amounts the organization received from all sources (e.g., grants, donations, and earned income) during its annual accounting period, without subtracting any costs or expenses.
Small organizations with annual gross receipts that are normally $50,000 or less may file the Form 990-N “e-postcard” online. Form 990-N is the smallest form in the 990 series and includes only basic information about the organization, including its name, principal officer, website address (if any), business address, and employer-identification number.
Organizations with gross receipts of less than $200,000 and total assets of less than $500,000 may file a Form 990-EZ, which is more robust than Form 990-N, but less than half the size of Form 990 and includes a basic balance sheet and statement of revenue and expenses. It also reflects changes in net assets or fund balances from the previous fiscal year. In addition, Form 990-EZ requires the organization to provide a statement of program service accomplishments and related expenses, as well as the level of compensation paid to directors, officers, and key employees, among other information.
Form 990 is the most comprehensive of the information returns filed by public charities, and it is the focus of this article. Form 990 is 12 pages without schedules, and requires the organization to report a vast amount of data about the organization which is made publicly available. Most organizations with gross receipts equal to or more than $200,000 or total assets equal to or more than $500,000 must file Form 990.
As a preliminary note, this article will discuss only the Form 990 that is filed by exempt organizations classified by the IRS as “public charities.” Code Section 501(c)(3) organizations classified as “private foundations” file a different annual information return, Form 990-PF, which will not be discussed in this article. However, many of the observations contained in this article with respect to the review of Form 990 may apply to a foundation Board’s review of its Form 990-PF, or to a small public charity’s review of a Form 990-EZ.
Must the Board Review the Form 990?
Form 990 Part VI, Line 11a, asks whether the organization “provided a complete copy of this Form 990 to all members of its governing body before filing.” There is no requirement that the organization actually have the Board review the Form 990. Rather, this question represents an example of the IRS’s “regulation by disclosure” method of promoting what the IRS perceives as good governance practices for exempt organizations. It may therefore reflect poorly on an organization were this question answered in the negative.
Although seldom the case in many organizations, the Board should receive a copy of the draft Form 990 well in advance of the due date for its filing. Enough time should be given to the Board to decide whether to assign the review of the form to specific Board committees, directors, and/or senior staff. Although audit committees are often assigned the task of reviewing the Form 990, it may make sense for other committees, senior staff, or Board members with relevant expertise to review the form’s more qualitative and governance-focused parts.
Does the Organization Have a Process for Review of Form 990?
This is another question asked by the IRS on Form 990, Part VI, Line 11b. The IRS asks the organization to describe any such process on Schedule O. The Form 990 review process typically involves one or more Board committees, Board members, and/or senior staff that review and make recommendations to the full Board with respect to approval of Form 990 based on their respective expertise or Board-assigned tasks. However, there is no “one-size-fits-all” approach to a Form 990 review process, and policies and procedures differ widely from organization to organization. What is important is that the organization undertakes the effort to craft and follow policies and procedures that are effective based on the organization’s unique characteristics, including Board size, budget, internal competencies, and particular operations.
Special Areas of Review on Form 990
Although not intended as an exhaustive list, what follows is a general discussion of selected areas of Form 990 that commonly require special Board attention.
Reporting changes in purpose or mission. Form 990, Part I, Line 1 and Part III, Line 1 ask the organization to briefly describe the organization’s mission. Form 990, Part VI, Line 4 asks the organization to indicate whether it has made any “significant changes to its governing documents” since its last Form 990 filing. The organization must describe these changes on Schedule O. Thus, if an organization amended its bylaws or articles of incorporation to change its mission or purpose, the organization’s next Form 990 filing should reflect that change.
Many changes to an organization’s mission or purpose will not jeopardize its tax-exempt status. However, if there have been substantial changes to an organization’s purpose—changes that call into question whether it is still organized and operating in furtherance of tax-exempt purposes—those changes should be discussed with qualified legal counsel before they are implemented or adopted by the organization, and certainly before they are reported on Form 990. Occasionally, a request for a private letter ruling from the IRS may be necessary to support that any such changes are consistent with recognized tax-exempt purposes.
It is also important to socialize an organization’s change in purpose or mission with the organization’s constituents and stakeholders before implementing the change. A key donor or community partner should not find out about the change indirectly from a Form 990 filing. Senior staff should determine how best to convey changes in mission or purpose to the organization’s stakeholders. They should also consider involving key Board members and outside communications professionals in the implementation process if resources allow. In some cases, the organization might need to consider the advisability of seeking an automatic extension of the Form 990 filing deadline to properly roll out a change that has already been adopted.
Review of financial information. Form 990 reports a bevy of financial information. Organizations are required to complete a detailed statement of revenue and expenses, a balance sheet, and detailed compensation statements for directors, officers, key employees, and contractors. Obviously not every Board or committee member will also be a certified public accountant, but fiduciary duties dictate that each Board or committee member assigned the task of reviewing the financial information in the Form 990 at least know enough about the organization’s general financial condition to spot any material misstatements or omissions.
For instance, does the Form 990 omit a large grant that was recently received or a large capital project undertaken? Has the organization paid compensation to a new executive that is not accurately reflected on the expense and compensation statements? Those assigned the task of reviewing Form 990’s financial information should also consider reviewing that information against the organization’s internal financial statements. They should also follow up with the preparer of Form 990, outside professionals, and any accounting staff, as needed, to answer any questions or help correct any inconsistencies. Nonprofit corporation statutes have long permitted directors to reasonably rely on officers and outside experts in exercising their fiduciary duties.
Review of compensation arrangements with personnel and insiders. It is crucial to the Board’s review of the Form 990 that each director understand and appreciate the substantial impact that Code Section 501(c)(3) status has on an exempt organization’s compensation arrangements with its service providers and insiders. In general, an exempt organization must not confer a “private benefit” on an individual or entity, and must not allow any of its revenue or assets to “inure” to the benefit of insiders, such as its executives, officers, directors, or their respective family members or affiliates. These are general restatements of the “private benefit” and “private inurement” prohibitions that apply to all Code Section 501(c)(3) organizations. The private benefit and private inurement prohibitions are generally implicated any time an unreasonable sum of the organization’s money or property is provided to such persons in exchange for services or property. Violating the prohibitions may jeopardize the organization’s federal income tax exemption.
When news media publish stories about “excessive” compensation paid to nonprofit executives, the origin of those stories is typically the Form 990, which requires detailed reporting on the name and title of a service provider, how much the service provider worked, and the service provider’s total compensation from the organization. Red flags should immediately go up for a director if, to take an extreme example, he or she reviews the Form 990 of a small organization and notices an employee who worked only 15 hours per week but was paid $100,000. This is because, to help avoid application of the private benefit or private inurement prohibitions, or their less punitive cousin, the “intermediate sanctions” rules, compensation paid to a service provider must be reasonable. Approving and documenting a compensation payment in accordance with the “rebuttable presumption” safe harbor of the intermediate sanctions rules, in addition to following any applicable conflict-of-interest policy or state interested transactions laws, will help support that the payment does not violate such rules or prohibitions. See 26 U.S.C. § 4958 and 26 C.F.R. § 53.4958-1, et seq.
If a director identifies a compensation issue on the Form 990, the Board should work collaboratively to better understand the issue and have a plan in place to address it once it is reported. It should also consider whether to further report the issue as an interested transaction or, if appropriate, an “excess benefit transaction” under the intermediate sanctions rules on Form 990, Schedule L. Depending on the circumstances, it may be prudent for the Board to consider consulting competent legal counsel to aid in reviewing the Form 990 disclosures, and public relations specialists to advise it on any related public statements or media inquiries.
Reporting on programs, fundraising events, and related expenses. Similar to compensation paid by exempt organizations, there has been renewed focus among donors, the media, and nonprofit regulators on high-expense programs or events sponsored by exempt organizations. No law specifically prohibits an exempt organization from spending freely on a program or fundraising event with the object of attracting even greater financial support or creating even greater mission impact. However, it is still not uncommon for funders and pundits in the nonprofit space to set expense expectations around an organization’s activities, advising that “overhead” not exceed a stated percentage in relation to the overall budget for an organization or for its particular programs or events.
Part III of Form 990 asks the organization to report revenue and expenses for its “program service accomplishments for each of its three largest program services, as measured by expenses.” It also requires the organization to include “gross income from fundraising events” in Part VIII, Line 8, less “direct expenses,” to calculate the total “net income or (loss) from fundraising events.” The applicable instructions to Form 990 make it clear that common fundraising events like “dinners/dances” and “auctions” are covered by this disclosure. Accordingly, any programs or events that show substantial losses on Form 990 have the potential to draw scrutiny from the media and stakeholders. For this reason, if the Form 990 review process uncovers any such losses, the organization may wish to consider contacting internal or external accounting professionals to confirm that expenses related to such activities are properly allocated and reported.
Conclusion
Serving on the Board of an exempt organization is both a privilege and a responsibility. To help fulfill their duties of care, nonprofit directors should diligently participate in the Form 990 review process. Exempt organizations are well advised to implement and follow a Form 990 review policy and related procedures. This will help ensure that the organization is doing all it can to accurately report information to the IRS and get ahead of any disclosures that may present particular challenges for the organization.
This article is intended for informational purposes only and should not be relied upon as legal advice, as being current or accurate, or as creating an attorney-client relationship between the author and any person or entity.
By the sweat of your browsers you shall eat your bread.
Profits from technological revolutions mostly inure to the benefit of those who first discover the means to produce valuable output from their discoveries. Manufacturers found ways to harness power, machines, and labor to produce saleable goods in the industrial revolution. Radio, television, and telephone companies restricted consumer choices for their own economic benefit. Internet companies have matched both raw and processed data with consumers and businesses willing to pay for such information, in some cases reselling to them the very data they themselves produced.
However, just because a small cadre of capitalists has managed to grab most of the early income from these changes does not mean that society cannot question the fairness of the money distribution or the value to our economy of the rising new order. From Smith to Marx, from Teddy Roosevelt to the telephone trustbusters to U.S. v. Microsoft, important economic thinkers have analyzed how value is created with new technologies and whether certain economic actors are hoarding more than their fair share of rewards. Such analysis of the new information economy is beginning to be spoken aloud and may soon seep into government policy. Senator Elizabeth Warren, on the campaign trail for 2020, just endorsed a regulatory plan aimed at breaking up some of America’s largest tech companies, including Amazon, Google, Apple, and Facebook. Tim Wu, writing in The New York Times, suggests that for Democratic hopefuls in the upcoming presidential election, the problem of monopoly power may be the issue. The Economist recently opined that “if governments don’t want a data economy dominated by a few giants, they will need to act soon.”
We know that data about your behavior has value. An entire information economy enabled by the internet and digitization of transactions, led by Google, Facebook, and Amazon and built on the activities of everyday people, generates billions of dollars each year. Currently, these digital giants are by far the primary beneficiaries of this value, but that is changing and fast. The individuals generating the data and the governments regulating it are mobilizing to stake their economic claims in the value of data.
The question of valuing data will be crucial in the face of two of the defining political issues of our day: rising income inequality and the oncoming (autonomous) train of artificial intelligence. In fact, to some academics, the very way we find purpose in our lives may well depend on the manner in which we as a society choose to give value to data.
In his recent State of the State address, California Governor Gavin Newsom endorsed an idea that has been circulating in the academic and editorial press: should we treat consumer data as the fruits of “labor” or as a public resource worthy of taxation? Governor Newsom suggested that California would look beyond data privacy regulation toward the creation of a “data dividend,” funded by taxes, to compensate the producers of the data upon which our Internet-of-Things economy is increasingly based. Common Sense Media, which helped pass the California Consumer Privacy Act (CCPA) last year, plans to propose legislation in California to create such a dividend. The proposal has already proven popular with the public; one recent poll showed 45 percent of California voters support the idea, whereas only 28 percent are opposed.
Government entities both here and abroad are looking at ways to tap into data as a source of revenue, as Quebec has done by subjecting digital content, cloud-computing services, and digital content platforms to sales taxes.
However, what are “data”? To pose the question in economic terms, are data “capital” or “labor”? The “data as capital” (DaC) school considers data “the natural exhaust from consumption,” free for any capitalist with the means to exploit and profit from it. Contrariwise, the “data as labor” (DaL) crowd sees data as the possessions of their creators, who should properly be compensated for producing them. Of course, just lumping data into these two historically convenient buckets only begins the inquiry.
Data as Labor
The idea that work gives purpose and dignity to our lives is central to our being. As Nelson Mandela said, “Let there be work, bread, water, and salt for all,” notably putting “work” before “bread.” In the age of machine learning (ML), can we find “digital dignity” as data miners for Google? Are the owners of digital platforms, the factories of our day, ready to pay miners for better data to feed ML and AI?
The blueprints behind this kind of social engineering were written long ago. They are based on the idea that the creation of data is “work” by those laboring in the vineyards of social media and e-commerce, and those workers should be compensated for their labor. As Eric Posner and E. Glen Weyl have proposed, “by treating Data as Labor (DaL) not only can we build a fairer and more equal society, but we can also spur the development of technology and economic growth.”
This kind of reasoning harkens back to Karl Marx’s theory of alienation. Even in 1844, Marx observed a modern, technologically developed world apparently beyond the full control of the masses. (If Marx were alive today, as Randy Newman trenchantly observed, Ol’ Karl might well have been glad he was dead!)
Assessing Marx’s concept of “estranged labor” in his Economic and Philosophical Manuscripts of 1844, David L. Prychitko wrote:
People are required to work for capitalists who have full control over the means of production and maintain power in the workplace. Work, [Marx] said, becomes degrading, monotonous, and suitable for machines rather than for free, creative people. In the end, people themselves become objects—robotlike mechanisms that have lost touch with human nature, that make decisions based on cold profit-and-loss considerations, with little concern for human worth and need.
Marx could hardly have been more prescient in his assessment of the effect of technology on the nature of work. After all, we now live in a world where your car drives itself, your opinion is shaped by malign Russian chatbots, and your boss is an AI. Little wonder then that we see efforts to put “free creative people” back in the driver’s seat.
In Europe, the impactful General Data Protection Regulation is based on 30 years of treatment of privacy as a basic human right, with the core assumption that data created by a person “belongs” to that person and can only be exploited for profit if the data subject consents. Canadian law bases its privacy interpretation on a similar reading of rights to data. This includes a human “right to be forgotten” in which economically valuable data must be deleted by a business at the behest of the original data subject. California already enforces a law based on this core set of rights: the California Eraser Law, effective January 1, 2015. This core assignment of value to the role of the data subject is the same rights-based thinking that animates the DaL debate.
Data as Capital
DaC theorists see data more as a natural resource or as raw materials and look toward programs like the Alaska Permanent Fund, which channels a percentage of all oil royalties into a general fund to be distributed to all Alaskan citizens. Alternatively, to use the internal combustion simile, data are “exhaust” we all create from running our search engines. Using that analogy is, in fact, a good way to think about the issue. Exhaust contains myriad elements, some valuable, some noxious. Some drivers produce exhaust solely as a result of being consumers; some produce exhaust in the course of productive activities for someone else. If you drive for Uber or Lyft, you arguably are doing a little of both.
Let’s suppose (and someone may already have perfected this) that someone creates a “smart scrubber” that not only removes pollutants from vehicle exhaust, but also recaptures commercially valuable elements or compounds that could then be sold. The analogy is almost exact. Is that exhaust “free” for the exploiting? Should drivers be compensated for creating the raw material, even if the consumption of fossil fuels is essentially mindless? Should the companies that maintain fleets of vehicles get the spoils? Should the government, which built the highways, get a slice? How about the energy companies that drilled and refined the fuels? The pipeline companies that transported it to the convenience stores where you filled your tank? The auto makers that allowed for the creation of the exhaust in the first place? The reach could be extended almost indefinitely.
Now apply those thoughts to a financial transaction. You use your search engine to buy something on Amazon, creating your little puff of data “exhaust.” Amazon runs that exhaust through its “smart scrubber” and picks out the valuable data elements, which it then sells. You think it’s just a bilateral barter transaction—free data for free, two-day shipping—if you think about it at all. However, you have now created something that a huge number of people think they now own. In a simple mobile purchase transaction, that throng could include you, your merchant, your credit-card company, an ISO, one or more processors, your wireless provider, your phone handset provider, your loyalty program provider, banks and delivery drivers, and even state and federal agencies. Now what if you are buying that item for work and getting reimbursed? Should that data now belong to your employer, like frequent flier miles earned on flights for work?
Each of these digital “sooners” protects its stake from other “claim-jumpers.” In decades past, when you walked into a store and bought a pair of socks, the store likely kept the data about you and shielded it from competitors. (Retailers have known for many years how valuable transaction data can be for them. Merchants today fear disintermediation from their own customers more than almost all other competitive challenges. SKU-level data are the crown jewels.) You would soon appear on the store’s marketing lists and be offered perks for your loyalty in the form of BOGOs and cents off your gasoline fill-ups in loyalty programs. Thus, even if they are not actively selling those data, or derivatives like advertising, to third parties, companies treat transactional data as an asset—an asset that belongs to them.
Those who conceived and built the “scrubbers” believe there are problems with treating data as a renewable natural resource. Antonio García Martínez, a former product manager for Facebook, the CEO-founder of AdGrok, and a former quantitative analyst for Goldman Sachs, has opined that, “[t]he real value of data to a company like Facebook or Google is how it helps lure you to one of their services and keep you coming back.”
Martinez posits that, unlike a natural resource such as an oil reserve, the value of a dataset is found in its combination with other data elements, not in the dataset itself. He observes that the data used in creating targeted advertising isn’t even data that a collector (like Facebook) actually has; value lies in the combination of those data with other data that live offline. To Martinez, the proper metaphor isn’t oil, it’s TNT. If it’s the combination of data that has the real value, and that value is being created by the “work” of data collectors, not the data producers, why should the consumer necessarily profit beyond the basic barter transaction: “free” content and services the data collector provides in exchange for personal data?
This distinction seems both specious and self-serving in that it ignores the fact that, although refiners indubitably add value in the production of fuels and other petroleum-based products, that does not mean that the raw materials do not themselves have their own significant intrinsic value. The real distinction, if there is one to be drawn, between an oil reserve and a database is that no one living today can plausibly claim a hand in having produced that oil, whereas we can all say we contributed to any number of databases.
Some scholars have argued, pace Martinez, that internet users are both consumers and producers: “prosumers.” Christian Fuchs, chair professor in Media and Communication Studies at Uppsala University’s Department of Informatics and Media, in a paper on “Google Capitalism,” observed that these prosumers produce a commodity through their user activity and “engage in permanent creative activity, communication, community building and content production.” In “Means of Communication as Means of Production” Revisited, William Henning James Hebblewhite discussed the relationship between these prosumers and the platforms with which they interact:
As a means of production, the Internet, or in particular, web-based companies such as Google, Facebook and YouTube are able to take the raw material of information that is provided to them by the user and use that information to create new products, whether that be new online games designed to have the user invest time and money or simply a new addition to their integral system which gets such companies more users.
This new definition seems both unnecessary and not particularly helpful in determining how data should be valued. It does not matter so much what hat one is wearing when one creates data; what matters is whether one should receive the wherewithal to help keep one’s head warm as a result of that activity and if so, how much and from whom?
In short, the data underlying this new economy comprise the timely description of the activities, priorities, and preferences of real people, and the economic value from these data is derived by using this prosumer information to drive a particular prosumer, or like-minded groups, to make future economic decisions. To retailers, those decisions are potential sales. To subscription services, those decisions demonstrate the value of the service to the prosumers.
The old marriage adage goes, “Why buy the cow if you can get the milk for free?” Online services have spent enormous sums of capital based on what is essentially free milk: rustling up the docile free-range cows, building the #pens and #milkingsheds, milking them for transactions and preferences, turning the milk into Greek yogurt, artisanal cheeses, and whey protein, and selling these products to willing buyers. (In Amazon’s case, it has thrived by selling the milk back to the original producers, as well as others.) Few would argue that these companies do not deserve to be compensated for all that cost and effort (and for providing something of value to keep the cows coming back to the trough), but do they deserve all of the compensation?
Taxation or Compensation?
As income inequality grows, and more workers become redundant, or as at least one social scientist has put it, irrelevant, as a result of AI and ML, and socialism is no longer the economic theory that dare not speak its name, politicians and regulators are looking toward the value of data as a way out. If the Bezosians and Zucker-burghers of the world control the means of production of social media and e-commerce, should we help address income inequality by taxing them and redistributing their corporate profits to the alienated “prosumers,” or should we simply treat data as if it were a natural resource or raw material exploited by a few large corporations that must pay for the privilege?
Those who have proposed these schemes are long on ideas and short on methodologies or practical solutions. Is there a technical method of accounting for the depth of a user’s internet activity and allocating funds accordingly? Should every consumer get the same dividend irrespective of his or her contribution to the digital economy? Is every entity that uses data subject to taxation? Are we ready for labor unions representing data subjects bargaining collectively with the beloved/despised forces of Facebook, Google, and Amazon? Would data subjects be willing to forgo their Prime orders, Google Maps directions, and Facebook “likes” until they got what they wanted? The calls to “Delete Uber” did not reflect an elevated societal consciousness.
The recently amended CCPA is a good example of a state legislature trying out a DaL plan. Instead of a generally available data dividend, as Governor Newsom wants studied, the CCPA instead contains what appears to be a vigorous nod toward bilateral compensation arrangements between consumers and data collectors. Businesses are encouraged to offer a “data royalty” or “information incentive” to their customers under the CCPA in that it explicitly sanctions such “pay to play” arrangements. Section 1798.125(b) of the CCPA provides:
(1) A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.
(2) A business that offers any financial incentives pursuant to subdivision (a), shall notify consumers of the financial incentives pursuant to Section 1798.135.
(3) A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to Section 1798.135 which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.
(4) A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.
Although the CCPA explicitly declares consumer waivers to be against the public policy of the state and hence unenforceable, it looks with approval on voluntary, informed “pay-to-play” incentive plans. Accordingly, progressive companies with broad exposure to the CCPA could follow the state’s lead and include a consumer incentive in their terms of use in exchange for greater freedom to use consumers’ personal information. The cost of a data dividend could be viewed as “cheap insurance” to companies that have broad exposure to CCPA strictures. It would be easy to envision tying an information incentive to existing or new loyalty programs, offering consumers willing to part with meaningful data more “points” than those opting out of providing data “related to the value provided to the consumer.”
Skepticism about DaL schemes like the California data dividend already is in the air. Throwing shade on the governor’s plan to study data dividend schemes, Owen Thomas recently wrote in The San Francisco Chronicle:
It will take months to report back what should be obvious to anyone who has an inkling of how online data juggernauts operate: If you want Facebook and Google to pay more to ameliorate the social ills they cause, just raise their taxes.
Thomas’ view is illustrative of the way we tend to think about carbon taxes and “cap-and-trade” plans: as retribution or compensation for damage caused by commercial activity. Those who profit from commercial activities that create pollution as a by-product of their use of natural resources should compensate society for the harm to the environment they cause in the process. This thinking seems to animate the latest French swipe at large, U.S.-based data companies: an enormous data tax bill. The bill would apply to digital companies like Google, Amazon, Facebook, and Apple, with worldwide revenues over 750 million euros ($848 million), including French revenue over 25 million euros. Justifying the new tax, French Finance Minister Bruno Le Maire clearly drew the battle lines: “This is about justice . . . . These digital giants use our personal data, make huge profits out of these data . . . then transfer the money somewhere else without paying their fair share of taxes.”
Viewed differently, however, we could easily think of such taxes as payment for the use of raw materials (that theoretically belong to us all) to create something that benefits society. Reframed in this way and applied to data, a new way of thinking about the value of data emerges.
If data taxes are anathema to some, it may help to recast such imposts as rents or license fees for the use of a renewable resource we all have a hand (or a mouse) in creating. The aggregate rents on the use of data, or digital exhaust, could be funneled into any number of programs to help citizens continue to find dignity in their lives as the nature of work changes, such as:
a “superfund” to help compensate those harmed by cyber crimes or to strengthen our nation’s defenses against cyber warfare;
retraining programs for those workers displaced by ML and AI;
a new WPA or CCC to fix our broken infrastructure;
expanding rural internet connectivity; or
securing the 5G network.
All of these programs are of a piece with the zeitgeist of the Green New Deal. As the digital divide grows, in some manner or another valuing and taxing data could help build the necessary bridges for more of us to cross over to lives of dignity and purpose in the age of data.
Recent changes in agendas and leadership at the federal level are prompting companies offering financial products and services to question what consumer protection enforcement will look like on the road ahead. There has been significant discussion about the increasing role of state regulators, including state attorneys general, in filling the perceived void that may be left by agencies like the Consumer Financial Protection Bureau (CFPB). Many state regulators have indicated that they are ready to step up enforcement, and a number already are doing so; however, this does not mean that the industry should shift its focus exclusively to the states.
The Federal Trade Commission (FTC), which once dominated the playing field on many consumer protection issues, is reclaiming a prominent role. By way of example, prior to the CFPB’s inception, the FTC took a series of enforcement actions that significantly reshaped mortgage servicing[1] well before the CFPB codified its rules.[2] However, passage of the Dodd–Frank Act, Pub. L. No. 111-203, § 929-Z, 124 Stat. 1376, 1871 (2010) (codified at 15 U.S.C. § 78o), and creation of the CFPB made the FTC’s role in the federal consumer protection landscape seem uncertain at times for companies offering financial products and services. Under Dodd-Frank, the FTC retained its authority to enforce numerous consumer protection laws and to enforce CFPB rules applicable to entities within the FTC’s jurisdiction (see 15 U.S.C. § 1607(c)), including most providers of financial services that are not banks, thrifts, or federal credit unions. Yet, on certain issues, the FTC seemed to cede enforcement authority to the CFPB, which also acquired many of the commission’s most seasoned consumer protection lawyers.
With a five-member bipartisan commission that includes Rohit Chopra, who previously was student loan ombudsman at the CFPB, the FTC’s consumer protection efforts are picking up steam. Financial services companies subject to FTC jurisdiction and their service providers should be aware of potential consumer protection enforcement priorities for 2019 and beyond.
Although banks are not subject to the FTC’s consumer protection jurisdiction, an uptick in the FTC’s consumer protection enforcement efforts could have significant implications on their ability to establish and maintain relationships with nonaffiliated third parties subject to the FTC’s consumer protection jurisdiction. More specifically, an increase in FTC enforcement efforts could (1) alter how banks use third-party service providers to support key operations, (2) increase the level of oversight of participants in bank partnerships, and (3) increase the risk of enforcement actions by the prudential banking regulators or the Department of Justice for failing to adequately manage third-party relationships. In addition, more broadly, actions taken by the FTC may serve as guideposts for federal and state regulators that do have jurisdiction over banks.
Consumer Protection Agenda under Chairman Simons
The FTC has escalated enforcement over the past year in a number of areas that are relevant to financial services companies and their service providers. While continuing to bring enforcement actions under its general Unfair or Deceptive Acts or Practices (UDAP) authority, the FTC’s consumer protection agenda appears to include significant focus on: (1) financial technology (fintech) companies, especially those involved in lending and payment-related services; (2) privacy and data security; (3) debt collection; and (4) the treatment of military personnel and families. The FTC also has brought cases utilizing a third-party liability theory of sorts, including holding companies liable for not properly guarding against or preventing the conduct of alleged bad actors.
These areas of focus may be driven in part by the type of consumer complaints the FTC receives most frequently. In 2018, imposter scams, debt collection, and identity theft were the of consumer complaints filed with the FTC.[3] Recently, the FTC announced that it will be making its consumer complaint data more accessible by releasing its aggregated data on a quarterly instead of annual basis. It also will publish “Consumer Protection Data Spotlight[s],” which will “take a deep dive into the data to illuminate important stories [the FTC] is hearing from consumers.” This increased transparency into complaint data could lead to more investigatory and enforcement activity.
The FTC also has made clear that it intends to collaborate with other regulators, including the CFPB and the state attorneys general. Indeed, in February 2019, the FTC and the CFPB reauthorized their memorandum of understanding regarding sharing information and coordinating certain law enforcement activities.[4] And in March 2019, Chairman Simons advocated for increased collaboration with state attorneys general, noting that such collaboration is critical to the FTC’s mission.[5]
UDAP. UDAP has been a centerpiece of the FTC’s enforcement agenda for years. The FTC has stepped up its UDAP enforcement generally, including actions brought by the FTC in the last year that involve cryptocurrencies and data breaches discussed below.
The FTC has emphasized that ensuring advertising is truthful and not misleading is one of its core missions. In April 2018, the FTC filed a UDAP-related complaint alleging that an online lender’s claim that its loans had “no hidden fees” was deceptive because consumers were charged origination fees. In October, the FTC brought an enforcement action against an online student loan refinancer for alleged misrepresentations regarding how much borrowers have saved through refinancing student loans, as well as alleged misrepresentations of when customers would pay more under various refinancing options. These lawsuits may be precursors to other similar actions that the FTC may take in reviewing advertising and marketing materials.
The FTC also used its UDAP authority to file a lawsuit against an online payday lending company and its owner who allegedly marketed payday loans using false loan disclosures that did not accurately describe the true cost of the loans. According to the FTC, despite informing customers that they would be charged only a one-time finance fee, the payday company made multiple withdrawals from customers’ bank accounts, assessing a new finance fee each time. This resulted in the customers paying more for the loans than they agreed to pay. In addition to the FTC’s civil case, the United States Attorney’s Office for the Southern District of New York obtained a criminal conviction against the owner of the payday company and its attorney, and a penalty of $528 million against a bank, for violations of the Bank Secrecy Act, including failing to timely report suspicious banking activities. This lawsuit demonstrates how the FTC is working with other enforcement agencies, but also how entities (such as banks) that are not under the FTC’s jurisdiction still can be brought into related proceedings.
The FTC also recently has taken UDAP actions in connection with credit cards and student loans. In December 2017, it filed a suit alleging that the defendants violated the FTC Act and the Telemarketing Sales Rule by misrepresenting that they could reduce credit-card interest rates and save consumers money, but failing to disclose that consumers could also be required to pay a range of additional bank fees totaling one percent to three percent of their credit-card debt. In October 2017, it announced “Operation Game of Loans,” the first coordinated federal-state law-enforcement initiative targeting deceptive student loan debt-relief scams.
Fintech companies. The FTC remains focused on protecting consumers that use various forms of financial technology and ensuring that “market participants offering these exciting new products [] keep in mind important consumer protection principles as they continue to innovate for consumers’ benefit.” Indeed, Chairman Simons recently stated that one of the FTC’s priorities is “policing the financial marketplace.”[7] Of interest to the FTC are mobile payments, with a focus on the Electronic Funds Transfer Act, marketplace lending, cryptocurrencies, and money transmitters.
The FTC’s recent enforcement action against the recently acquired subsidiary of a worldwide payment systems company indicates that fintechs, especially those in the payments and lending space, may be in the crosshairs of the FTC’s broader agenda. The commission alleged that the subsidiary failed to disclose to users of its peer-to-peer payment service that transfers of funds to external bank accounts were subject to review and could be frozen or removed, and that it misrepresented the extent to which accounts were protected by “bank-grade security systems.” The FTC’s emphasis in this case is consistent with its more general focus on data privacy and security and sends a strong signal that it is willing to rely on its UDAP authority to protect fintech customers.
The commission also has stated that money transmitters have a responsibility to implement controls and procedures to ensure that criminals are not using their services to defraud consumers. In one example, the FTC alleged that a money transmitter was aware that its system was being used for fraud-induced money transfers, but failed to undertake measures to detect and prevent such transfers, such as terminating agents and locations involved in high levels of fraudulent transactions or imposing more robust ID requirements to receive transfers. In another example, the FTC brought an enforcement action in November 2018 against another money transmitter for failing to comply with a prior order to implement a comprehensive fraud prevention program that requires it to “promptly investigate, restrict, suspend, and terminate high-fraud agents.” Here again, the FTC’s enforcement activity is focused on the role of third parties in failing to prevent the illegal conduct of others.
In addition, the proliferation of cryptocurrency is driving the FTC to take action on consumer protection as it relates to this relatively new medium of exchange. Although the FTC’s efforts to date have focused primarily on consumer education, a recent UDAP enforcement action against a cryptocurrency promoter may be a sign of what is to come. The case involved four individuals who allegedly promoted deceptive money-making schemes involving cryptocurrencies through websites, YouTube videos, social media, and conference calls. Exchanges, brokers, wallet providers, and other participants in cryptocurrency markets should keep abreast of the FTC’s activity in this space because enforcement action may move faster than regulation.
Privacy and data security. FTC Chairman Joseph Simons told Congress in July that “privacy and data security top the list of [its] consumer protection priorities . . . .” The FTC has brought more than 500 such cases, and over the course of the past year has taken actions related to data breaches, privacy violations under the Gramm-Leach-Bliley Act, and international privacy frameworks.
The FTC has brought privacy and data security cases against or is currently investigating:
A leading ride-sharing company, alleging that the company failed to reasonably secure sensitive consumer data stored in the cloud.
A lead-generation business, alleging that the company misled consumers into completing loan applications and sold those applications, which included consumers’ personal data, to unscrupulous third parties.
The FTC has brought several recent enforcement actions related to the GLBA’s privacy provisions, which it had regularly enforced prior to the creation of the CFPB. Recent cases against TaxSlayer (Nov. 2017) and a global online payment systems company (May 2018) may signal a recommitment to challenging such conduct.
The FTC also has been actively enforcing the EU-US Privacy Shield Framework, which was designed to facilitate transatlantic transfers of personal data. Although the Privacy Shield Framework is a voluntary mechanism, the FTC is responsible for enforcing its provisions for any organizations that commit to comply. The FTC brought three separate cases enforcing the Privacy Shield in November 2018 alone.
Last year, the FTC established a privacy and data security task force to “better understand the markets for consumer information, incentives for the various parties in that marketplace, and how to quantify costs and benefits of different actions that the FTC or others could take.” The commission said it wanted to deepen its understanding of the “economics of privacy,” which includes studying consumer preferences and the relationship between access to consumer information and innovation. It also held an Information Injury Workshop in December 2017 during which it developed a taxonomy for information injury: loss of opportunity, economic loss, social detriment, and loss of liberty. Although the FTC has yet to provide further guidance regarding the types of injury, its mere acknowledgment that injury goes beyond economic loss suggests that it could broaden its assessment of injury.
Most recently, Chairman Simons expressed the need for privacy and data security legislation that would give the FTC expanded authority. While the FTC has broad authority under Section 5 of the FTC Act to address consumer harms related to privacy and data security, Chairman Simons has described Section 5 as “an imperfect tool” to address those concerns.[8] Instead, the FTC supports data security legislation that would provide the agency with (1) the ability to seek civil penalties to effectively deter unlawful conduct; (2) jurisdiction over non-profits and common carriers; and (3) the authority to issue implementing rules under the Administrative Procedure Act as appropriate.[9]
Moreover, on March 5, 2019, the FTC requested comments on proposed amendments to the GLBA Safeguards Rule[10] and the Privacy Rule.[11] Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, said the aim of the proposal is to “provide more certainty to businesses.” He also said that it “shows that, where we have rulemaking authority, we will exercise it as necessary to keep up with the marketplace trends and respond to technological developments.”[12] The Safeguards Rule proposal is modeled in part on the New York State Department of Financial Services Cybersecurity Rule and includes proposed changes such as (1) designation of a Chief Information Security Officer; (2) elaborating on the existing risk assessment requirement, including requiring a written report; (3) requiring encryption of customer data, both at rest and in transit; (4) implementing access control protocols aimed to prevent unauthorized users from accessing customer information; (5) mandating the use of multi-factor authentication to access customer data; (6) requiring the establishment of incident response plans or data security response plans in the event of an incident; and (7) elevating cyber governance to a board-level issue and requiring periodic reports to an organization’s board of directors or other governing bodies.[13] These proposed rulemakings and the FTC’s advocacy for enhanced data security legislation highlight the agency’s focus on privacy and cybersecurity issues.
Debt collection. Debt collection matters are at the core of the FTC’s enforcement priorities. In 2018 alone, the FTC filed or resolved 7 cases against 52 defendants and obtained more than $58.9 million in judgments.[14] For example, on September 7, 2018, it settled with the operators of a company that allegedly used false claims and threats to get consumers to pay debts, including debts that the company did not have authority to collect or that the consumers did not owe. And on February 4, 2019, the FTC filed a complaint against 10 companies and six individuals who allegedly used deceptive and threatening tactics to collect phantom debt that the consumers did not owe.[15]
Although the conduct in question in this case appears extreme, the FTC could expand its enforcement efforts to include entities under its jurisdiction that employ service providers engaging in illegal conduct. That could entail reviewing vendor-management policies, procedures, and practices related to debt collection, and pursuing enforcement actions based on a company’s failure to monitor a vendor.
More relevant to those not under FTC jurisdiction, if a financial service company’s debt collectors are engaging in acts that draw the focus of the FTC, this could lead prudential regulators or others that do have jurisdiction over banks to focus on the bank’s vendor management policies, procedures, and practices. Indeed, the FTC already has taken steps to work together with other regulators on debt collection enforcement matters. The FTC and CFPB announced in March 2018 joint efforts to police debt collectors and in February 2019 reauthorized their memorandum of understanding that continues collaboration between the two agencies on this issue. They also issued an annual report to Congress in March 2019[16] on their collective actions to combat illegal debt collection practices under their shared responsibilities under the FDCPA. The two agencies are likely to pursue greater collaboration on debt collection going forward.
Collaboration efforts are extending to the states as well. In November 2018, for example, the FTC and the New York Attorney General’s Office sued a New York-based debt collection company for allegedly deceiving people in a manner that led to them paying more money than they purportedly owed.
Military and veterans. The FTC also has identified fraud targeting military personnel as a priority. Although the FTC does not have enforcement authority under the Servicemembers Civil Relief Act, it can bring actions under its general UDAP authority as well as under the authority granted in other statutes, including TILA, EFTA, FCRA, and FDCPA. In 2017 alone, the FTC received more than 114,000 consumer complaints from service members, their dependents, military retirees, and veterans, with the top complaints related to imposter scams, identity theft, and debt collection.
The FTC last year established a military-specific task force and already has brought a number of cases related to debt collection and mortgage debt relief targeting service members and veterans. See FTC v. BAM Fin., LLC, No. 8:15-cv-01672-JVS-DFM (C.D. Cal.) (unlawful collection practices); FTC v. Mortg. Inv’rs Corp. of Ohio, Inc., No. 8:13-cv-1647 (M.D. Fla.) (unlawful telemarketing and advertising of veterans home loan refinance services). It also has brought cases alleging deceptive practices in the sale of automobile add-on products.
Another area of increased focus will be the implementation of rules related to credit monitoring for active military personnel. As part of the Economic Growth, Regulatory Relief, and Consumer Protection Act, the FTC is required to implement rules requiring credit-reporting agencies to provide free, online credit-monitoring services to active duty military personnel. In November, the FTC issued a notice of proposed rulemaking, 83 Fed. Reg. 57693 (Nov. 16, 2018), soliciting comments on the proposed rule.
Conclusion
Although consumer protection priorities under the Trump administration are different from those under the Obama administration, this does not mean that all federal enforcement agencies are standing down.
The FTC has reiterated its commitment to taking enforcement action in the privacy and data security space, and has brought a number of actions that allege UDAP violations and violations of specific privacy statutes. Companies would be well-served to review their policies, procedures, and practices related to data breaches as well as general compliance with privacy laws to ensure that there are no gaps.
The FTC and the CFPB have identified debt collection as a top enforcement priority. Debt collectors and those who hire third parties to collect debt on their behalf should examine their practices and ask themselves whether they have adequate policies, procedures, and practices in place to monitor and rapidly correct infractions, even those committed by their third-party collectors.
The FTC appears focused on legal issues related to mobile payments, marketplace lending, cryptocurrencies, and money transmitters, and will scrutinize fintechs if compliance with the spirit and letter of consumer protection is called into question.
Issues facing service members are a priority for the FTC. Companies serving military consumers should assess their policies, practices, and procedures in connection with service members, with a particular eye toward conduct that could be alleged to violate UDAP, among other laws that may provide protections for members of the military.
With respect to UDAP, more broadly, there is little doubt that it will remain a central legal vehicle for FTC claims. Matters of interest to the FTC include alleged misrepresentations or deception in advertising as well as fraud. Companies should review their advertising and other consumer-facing materials, as well as origination and servicing practices, for UDAP risk.
The FTC has been rather active over the last year, obtaining hundreds of millions of dollars in settlements. Financial services companies and their service providers should keep a watchful eye on the FTC’s enforcement agenda.
[1] Order Preliminarily Approving Stipulated Final Judgment, U.S. v. Fairbanks Cap. Corp. Fairbanks Cap. Holding, & Basmajian, No. 03-12219 (D. Mass. Nov. 21, 2003), modified by, U.S. v. Select Portfolio Serv., No. 03-12219-DWP (D. Mass. Sept. 4, 2007); Consent Decree, FTC v. EMC Mortgage Corp., No. 4:08-cv-338 (E.D. Tex. Sept. 9, 2008).
[10] The GLBA Safeguards Rule requires a financial institution to develop, implement, and maintain a comprehensive information security program. The Privacy Rule requires a financial institution to inform customers about its information-sharing practices and allow customers to opt out of having their information shared with certain third parties.
[11] While the vote to submit the Privacy Rule for publication was 5-0, the vote to submit the Safeguards Rule was 3-2 with Commissioners Phillips and Wilson dissenting.
After the global financial crisis, a highly respected group of financial supervisors from the industrialized world convened to consider what might have caused the worst financial crisis experienced since the Great Depression. This group – aptly named the “Senior Supervisors Group” – concluded that a material contributing cause was what they characterized as a “colossal failure of risk management.”[2] The Senior Supervisors Group was not alone. Many other bodies have taken up the same topic and reached a similar conclusion.[3]
In the 10 years since the global financial crisis ended, the financial community has responded to the identified causes of the financial crisis, adopting lessons learned and significantly reforming the financial system. This work has resulted in a financial system with individual institutions that are demonstrably more safe and more sound than before, and a much more resilient banking system overall. In contrast to what existed on the eve of the crisis – early 2007 – today’s financial system has considerably higher capital and liquidity, as government officials and other commentators have observed. In addition, and perhaps even more importantly if we accept the conclusion of the Senior Supervisors Group, there has been a revolution in the discipline of risk management and in the “build-out” of processes and procedures for identifying, measuring, monitoring, and controlling risk. In the United States, for example, one may witness the Dodd-Frank Wall Street Reform and Consumer Protection Act, which President Obama signed into law on July 21, 2010 (the “Dodd-Frank Act”). The Dodd-Frank Act introduced varied and different requirements for risk management, including a series of “enhanced prudential standards,” as well as governance directed at risk management requirements, like the requirement for a risk committee of the board of directors.
In implementing these and other measures, financial institutions in the United States have overhauled their risk management functions from top to bottom. Now, after implementation of the Dodd-Frank Act, a financial institution will commonly have a risk committee at the board of directors’ level, a chief risk officer who is a powerful member of senior management, and a risk function populated by experienced risk professionals with expertise in credit, operational, interest-rate, market, compliance, and other types of risk. The risk professionals will carry out their risk activities in a “three lines of defense” framework, where they will inhabit the so-called “second line.” This is the line of defense that is empowered to challenge the decisions of the front-line business units, namely those units engaged in generating revenue or those who support the revenue generators.[4] Perhaps most importantly, the risk professionals now have status and power, so their challenges can no longer be ignored by the front-line units.
In my view, all of this change is very positive. Like higher capital and more liquidity, the changes in risk management have transformed the post-Dodd-Frank financial institution, and the financial industry. But in reflecting on any change, particularly one of such scale and size, it is also important to contemplate whether the change has brought with it other, unintended consequences. This article will discuss whether the rise of the risk management function has had one very specific unintended consequence – the diminution of the legal function. To place such an important question in a proper context, this article will focus on the potential inverse relationship – it is not only that the legal function has declined in importance, but it is also that the decline has come as the direct result of the rise in risk.
II. The Importance of the Legal Function
Before turning to analyze whether the rise of risk has resulted in a fall of legal, it is useful to take up two preliminary matters. The first preliminary matter relates to whether any decline in the importance of the legal function might be attributable to something other than the ascendancy of risk – say a decline in the importance of what lawyers do for financial institutions. If the importance of the work itself has diminished, then the rise of risk might be correlated to the decline of legal but not causative of legal’s decline. Second, the ascendancy of risk needs to be viewed in a historical perspective. Risk may be getting so much attention nowadays simply because it is new and not because it is noteworthy.
We begin with the question of whether any potential decline in the legal function is attributable to a decline in the importance of what banking lawyers do. I do not find any evidence supporting the proposition that the work itself has become less consequential. Now, as before, legal issues touch every facet of the activities of a financial institution. While it is true that some legal subjects are less important than before, other legal subjects have taken their place. For example, when I started my banking law career nearly 40 years ago, the law relating to the collection of checks was a significant subject for banking lawyers. It is not any longer. But other areas of substantive law have taken its place, like the law related to privacy and cybersecurity. These substantive areas are at least as complex as check law, and perhaps much more so.
The output of the legal function is also just as impactful as it was in earlier times. A persuasive case can be made that the work of lawyers in a financial institution is even more impactful than before, given the measurable enforcement consequences of a violation of law. The stakes, at least with respect to penalties, are higher now than they have ever been.[5] In addition, a material violation will also ordinarily be accompanied by significant reputational damage.
Another topic deserving a brief preliminary discussion relates not to the importance of legal but to the “newness” of risk. There is a significant difference in longevity between risk, on the one hand, and the legal function, on the other. The legal function has enjoyed a much longer life in financial institutions than has the risk management function. Consequently, what is perceived as ascendancy may simply be the attention that something “new” can attract. If you are in a family that has two cars, you can see this effect in the attention that the new car gets over the old car. The new car looks different, probably has better technology, and will stimulate olfactory senses with that magical “new car smell.” The risk function may be like that new car; it is not overtaking the legal function in importance, it is only the latest and the shiniest new object.
If you were to examine the financial institution of 20 years ago, you might not find any risk management function whatsoever. And, if you did find a risk management function, it would likely be much smaller in size, and with rudimentary capabilities. Most such functions had little in the way of power and even less in terms of sophistication. If someone from that period were to be magically transported from then to now, he or she would not recognize today’s risk management function. The financial institution risk management function of today, unlike 20 years ago, is both new and “cutting edge.”
How did such consequential change occur in such a short period of time? From my vantage point, the financial crisis changed the playing field for risk management. It highlighted in vivid detail a clear and present need for financial institutions to manage risk better. And the law reform that turned into the Dodd-Frank Act also transformed risk management into a legal requirement. That said, this author has the sense that financial institutions were ready, independently of the Dodd-Frank Act, to make real change in the way risk would be managed. In bank board rooms across the country, there seemed to be a generalized agreement with what the Senior Supervisors Group concluded – we experienced a colossal failure in managing risk and everyone was resolved not to permit it to happen again.
In comparison to the risk management function, which is now in its youth, the legal function is in a very mature state. Legal functions in financial institutions have been present since they were first chartered. For example, the Federal Reserve Bank of New York obtained a charter from the Comptroller of the Currency in 1913, and had internal counsel when it opened for business. The risk function at the Federal Reserve Bank of New York did not arrive until 2008, ninety-five years later. I use this example to underscore the point that the risk function has become very important in a very short time. The legal function, in contrast, established itself early and has experienced a lasting legacy. When we compare one function to the other, we should keep these characteristics in mind.
Of course, the fact that legal has been a long-time player does not, in itself, make the legal function important. What is the role of the legal function? While we will discuss that question throughout this article, the continuous role of the legal function has been to exercise legal judgment, and in the most effective legal functions, the people providing such judgment are made up of experienced and mature lawyers who have the trust of senior management. In many financial institutions, the chief legal officer is in the “C” suite and in regular contact with the chief executive officer and the board of directors.
But it is not the position and longevity of the legal function that makes the work of lawyers so important. It is the nature of the subject matter – legal judgment – that has so much consequence for the way financial institutions carry out their activities.[6] Shortly before the global financial crisis started, I had the occasion to make the following observation about the work done by banking lawyers: “Generally, lawyers acquitted themselves with distinction in assisting their financial institution clients in the management of legal, compliance, and reputational risk.”[7] Nothing since 2007 has altered my view on the role of banking lawyers or the capability of the class as a whole.
The risks whose mismanagement resulted in the global financial crisis were largely not legal, compliance, and reputational risks, the risks typically associated with the legal function. The problems that caused difficulties at Bear Stearns, AIG, Lehman Brothers, WAMU, Citigroup, and Bank of America arose out of other types of risk. No federal judge during the global financial crisis felt the need, as Judge Sporkin did almost 30 years ago with respect to the failed Lincoln Savings and Loan, to inquire, “[w]here were the lawyers?”[8] In the vast literature about the global financial crisis, there is plenty of blame with respect to how risk was managed, but very little is cast on financial institution lawyers.
Take, as one useful example, the change in the business model for bank lending. The industry transformed from an industry that originated and held the loans that banks made, to an industry that originated and distributed these loans to other industry participants. This change in business model resulted in less discipline among banks, and across the financial industry, with respect to credit risk. Because there was no longer the same incentive for the bank originating the loan to identify, measure, monitor, and control credit risk (because the risk would soon thereafter be transferred to someone else), there was a significant increase in bad loans. This contributed to the financial crisis. Note that this was credit risk and not legal risk. The blame rightly rests with the business people in the front lines who ignored (or did not understand) the implications of a change in business model and what it might mean for managing credit risk across the financial industry.
While some lawyers could have done a better job cautioning their clients about the implications of the change in business model, and how it had affected credit risk, there is no case to single out lawyers, and even less of a case for blaming the legal professionals for mistaken legal judgments that resulted in the global financial crisis. While there may have been a colossal failure of risk management, the mismanaged risks were not the responsibility of the legal function.
With all of that said, let me make an observation about shared responsibility. Financial institutions exist in a highly regulated ecosystem, and lawyers are an indispensable part of the functioning of a modern financial institution. Virtually every decision – from the smallest to the largest – has a legal component. In view of this, there is a shared accountability on the part of the lawyers, and on the part of other people who perform within the ecosystem (regulators, business people, academics, members of Congress, etc.), because they all play a part in shaping the ecosystem.
III. Factors that Might Be Prompting a Diminution in the Legal Function
In this section, I will discuss the factors that might be working in concert with the rise of risk to diminish the legal function. I begin with the terminology used to speak about risk today. One major development is that we now categorize risk by type.
Risk Typology
A lesson learned during the financial crisis is that there are different types of risk. AIG, for example, learned a powerful lesson with respect to liquidity risk in September and October of 2008. At that time, AIG was the world’s largest insurance company,[9] and did not anticipate that a downgrade by the rating agencies would result in a situation where it could not repay its debts as they came due. It then learned a very hard lesson about liquidity risk, a risk that is distinguishable from insolvency risk[10] – where the liability side of the balance sheet exceeds the asset side. In September of 2008, AIG was not balance sheet insolvent but it was illiquid, and the governmental rescue of AIG succeeded because AIG and the United States Government acted together to solve AIG’s liquidity problems.
To return for the moment to the observations that I made in early 2007, I spoke about the role of lawyers with respect to legal, compliance, and reputational risk. Let’s consider how the OCC currently treats these forms of risk in its Part 30,[11] a set of regulatory measures designed in the post-crisis period to foster better risk management in OCC-regulated financial institutions. In Part 30, the OCC covers a range of risk types, including compliance and reputational risk. It does not address legal risk,[12] because the OCC wisely did not want to be challenged as trying to regulate the practice of law. Instead, the OCC could monitor, and has monitored, how well institutions are handling compliance and reputational risk by reviewing the adequacy of their compliance function.
Another problem relates to how the regulatory community defines legal risk, on the one hand, and compliance risk, on the other. The definitions are not mutually exclusive. In fact, the definitions substantially cover the same subject matter. Let’s consider the Federal Reserve’s SR 16-11, which defines “legal risk” as follows: “the potential that actions against the institution result in unenforceable contracts, lawsuits, legal sanctions, or adverse judgments can disrupt or otherwise negatively affect the operation or condition of a financial institution.”[13] This risk, as it is cast by the Federal Reserve supervisory staff, is the risk that arises from a contract that is unenforceable or from the institution being subject to a legal sanction. Now consider how the Federal Reserve defines “compliance risk” in SR 16-11, as “the risk of regulatory sanctions, fines, penalties or losses resulting from failure to comply with laws, rules, regulations, or other supervisory requirements applicable to a financial institution.”[14] The definitions of legal risk, on the one hand, and compliance risk, on the other, are not mutually exclusive; to the contrary there is considerable overlap between them.
Defining different concepts to mean much of the same thing might not be harmful, depending on how the definitions are used. However, if the definitions are used to define roles and responsibilities, this can cause considerable mischief. One might also say that using the definitions to define roles and responsibilities is using the definitions inappropriately. In my view, an inappropriate use of the defined risk types would be to say, as many do, that the compliance function is responsible for compliance risk and the legal function is responsible for legal risk. If there is substantial overlap between the two risk types, and there is, this could lead to compliance encroaching onto the functioning of legal.
Encroachment by the compliance function onto the legal function is worrisome because of the core competency of lawyers. Lawyers are special because of the nature of the judgment entrusted to them. Lawyers make legal judgments. Under the current definitions of these risk types used by the regulators, compliance risk and legal risk are both, directly and materially, affected by legal judgments.
Why are legal judgments entrusted to lawyers? In most financial institutions, legal judgments are entrusted to the lawyers who inhabit the legal function (or, in the case of outside counsel, participate in the work of the legal function)[15] because of their special competency. In the United States, our respective state laws require that the people exercising such judgment be licensed members of the bar because “it protects the public against rendition of services by unqualified persons.”[16] Consequently, to assign compliance risk to the compliance function without consideration of the types of judgment that are needed to identify, measure, monitor, and control compliance risk is a mistake. When compliance risk depends, as it often does, on a legal judgment, you need assistance from a qualified professional and that is a lawyer. The manner in which the regulators have defined legal and compliance risks has ignored this core concept – that a qualified licensed lawyer needs to provide the necessary legal judgment.
Let me use my own past experience as General Counsel of the Federal Reserve Bank of New York to demonstrate the overlap in the definitions.[17] In the rescue of AIG, a question arose as to whether a so-called “equity participation or kicker” could be offered as partial consideration for the revolving credit facility that rescued AIG from bankruptcy. This question called for a legal judgment, and I made the judgment that the governing law permitted the Federal Reserve (my client) to receive such consideration. This legal judgment was challenged in headline-grabbing litigation brought by AIG’s largest private shareholder, who was diluted by the equity participation (hereafter referenced as the “AIG Shareholder Litigation”).[18] This AIG shareholder claimed that the governing law did not permit such consideration, and that the contractual provisions in the rescue deal relating to the equity participation were not enforceable. In the Court of Federal Claims, Judge Wheeler ruled for the plaintiff-shareholder on the legal question (contrary to my legal opinion), a ruling that was not sustained on appeal.
Note that, as the AIG example reveals, a legal judgment can create both legal and compliance risk. In the AIG Shareholder Litigation, the plaintiff claimed that the Federal Reserve Act did not permit the Federal Reserve to receive an equity participation, which meant that (under plaintiff’s theory) the Federal Reserve had violated its authorizing statute. This created the risk that an important component of the revolving credit agreement could not be enforced as written, the provision that AIG had to contribute nearly 80% of its equity to a trust for the benefit of the United States Treasury. A judgment in favor of the plaintiff clearly represented a legal risk but it also created a compliance risk. At least in theory, an enforcement action could be brought against the Federal Reserve to hold it accountable for the claimed statutory violation. In simple terms, when there is an error in a legal judgment, or as in the AIG Shareholder Litigation, an alleged error in a legal judgment, it typically creates both legal and compliance risk. The example also illustrates why the definitions are not fit for the purpose of assigning roles and responsibilities as between legal and compliance. The question whether the Federal Reserve Act permitted an equity kicker called for a legal judgment.
Another problem with the overlapping definitions of legal and compliance risk is that they obscure what, in many situations, is the key determinant of the risk in a financial transaction or activity. This key determinant – legal judgment – is a central thesis of this article. These legal judgments must be made with respect to fuzzy and ambiguous concepts or texts, and take into account interpretations by judges and regulators that morph over time and with changing facts. The simplistic notion that compliance risk is for compliance and legal risk is for legal does not withstand analysis. The province and responsibility of the legal function is making legal judgments on behalf of the financial institution. This is what makes the legal function important. To the extent that legal judgments are made by another group of professionals, let’s say the compliance professionals, then the importance of the legal function is diminished and a specific type of decision-making gets done by those who are not properly qualified.
With respect to legal risk, there is another development that has occurred among the supervisory community which is relevant to this analysis. The Basel Committee on Banking Supervision (BCBS) has determined legal risk to be a subcategory of operational risk. In its seminal manuscript titled Principles for the Sound Management of Operational Risk, the Committee said this plainly: “Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.”[19] Of course, the problem with this bold statement is that operational risk describes almost everything. Every calamity will be caused either by an externality or by a failure on the part of a process, person, or system. The inherent credit risk in the sale of a portfolio of bad loans fits the definition, and so does the liquidity risk that AIG experienced in September of 2008.
Of course, if operational risk covers nearly all risks, and the risk management function has responsibility for operational risk, then the risk management function owns nearly all risks. This would include legal and compliance risks. Consequently, the BCBS declaration that legal risk is a component of operational risk is a problem.
Returning to the AIG Shareholder Litigation, let us assume for purposes of argument that the court concluded the Federal Reserve Act prohibited receipt of an equity kicker, and the United States had to pay a judgment of more than $20 billion. An application of the quoted conclusory statement by the BCBS would result in a conclusion that an operational risk had produced this result, attributable most directly and immediately to a bad selection decision with respect to the General Counsel. Alternatively, one might say the risk arose from the externality of litigation by AIG’s largest shareholder. In either variant, we have a risk that would qualify as an operational risk fitting the Basel definition.
If you categorize risk in this fashion, it might lead you to conclude that managing all these risks is within the role and responsibility of the chief risk officer, because the chief risk officer is charged with identifying, measuring, monitoring, and controlling operational risks (and legal risk, according to the BCBS, is operational risk).[20] But, in my view, that puts this kind of risk into the hands of an unqualified professional because the key determinant is a legal judgment. Consequently, the BCBS framework turns us in the wrong direction.
Legal judgments should be made by those who are qualified, namely the lawyers in the legal function. Legal risk is not operational risk. Neither is compliance risk when it depends on legal judgment (it can be operational risk when it is determined by technology, such as when compliance is designing a suspicious activity monitoring system). The BCBS just got this one wrong.
With respect to the AIG Shareholder Litigation, had I concluded that the Federal Reserve Act did not permit the Federal Reserve Bank to receive an equity participation, this legal judgment would have been binding on the policy makers because they are bound by the common internal-affairs constraint that all corporate officers must follow the law. No Federal Reserve official has the authority, on behalf of the organization, to violate the law. This is true in nearly all financial institutions (many would say that a deliberate decision by a corporate officer to violate the law constitutes a breach of the officer’s fiduciary duty).
The General Counsel is, under the rules governing the organization’s internal affairs, the person who gets to say what the law is. Senior Federal Reserve officials could resort to other external counsel in an effort to obtain a different legal judgment, but they would nonetheless need a competent opinion from a qualified lawyer. As a result, this theoretical possibility for the “front line” policy makers – to go to outside counsel for a different legal judgment – is not usually practicable. The important point is that a properly licensed lawyer – either the General Counsel or outside counsel – gets to say what the law is. This is not subject matter for a layperson. In the end, when it comes to legal judgment, the legal function holds the decisional responsibility. At issue in the AIG Shareholder Litigation was the legal judgment that the Federal Reserve Act permitted the equity kicker. If the legal judgment were that the Federal Reserve Act prohibited the equity kicker, then no equity kicker would have been a part of the rescue, and there would have been no AIG Shareholder Litigation.
For purposes of this particular discussion, the imprecision in the definitions of legal and compliance risk is a highly consequential factor that may be empowering the risk and compliance functions to the detriment of the legal function. I look at this as a kind of “original sin” by the regulatory community, which has caused many successive problems. The problems with the definitions of risk types are compounded further by the mistaken belief of supervisors that legal risk is a form of operational risk.
Three Lines of Defense
Another potentially contributing factor to the diminution of legal is the three lines of defense framework, which has become the accepted framework for managing risk in a financial institution.[21] Under this framework, the front-line business owns the risk and is the first line of defense. In the second line of defense are the risk professionals who are empowered to identify risks for the front line and help them to manage and control their risks. The third line is audit, which will ascertain how well the framework is working.[22]
With respect to the second line, the risk function is intended to operate on an enterprise-wide basis across all risk types. The risk types would include operational and compliance risks. While legal risk is not usually referenced, the discussion of the overlapping definitions in the preceding section means legal risk can be reached indirectly, as compliance risk or operational risk. Being outside the framework could have caused the regulators a problem, if some critical risk management function were to fall outside of regulatory purview. But the regulators found a way to avoid that result, using the loose definitions of compliance and operational risk.
The OCC has adopted the three-lines-of-defense framework in Appendix D to Part 30. During the notice-and-comment phase that preceded adoption of Part 30, there was a significant clamor over the OCC’s preliminary attempt to force legal into the three-lines-of-defense framework. In the final guidance, the OCC withdrew from covering legal, and this was the right regulatory response in the view of the author. Regrettably, however, there has been too little attention to a view expressed by this author that legal stands in its own right.[23] Instead, legal is too often forgotten when it comes to the risk management framework. Alternatively, the legal function is subsumed in the risk taxonomy, and placed under the broader category of operational risk. In a certain respect, it is “as if” the legal function disappeared.[24]
Again, if this factor were alone, it would not likely result in a diminution in the role of the legal function. But it is not alone, and the absence of legal is amplified considerably by a trend in the way compliance reports within today’s financial institutions.
The Modern Trend for Compliance Reporting – From Legal to Risk
The modern trend for financial institutions is for compliance to report up to the chief risk officer rather than to the chief legal officer. This is not a trend that has been fostered by regulatory requirements, although there are many bank examiners who mistakenly believe it is. A financial institution can, if it wishes, have compliance report up to the chief legal officer.[25]
There is a rich literature articulating the benefits and challenges with respect to either form of structural reporting, and there are also some other options, like having the chief compliance officer report to the chief operating officer or even the chief executive officer.[26] The considerations that lead financial institutions to select one reporting relationship over another are beyond the scope of this article. Here, I will address two considerations that may explain some of the modern trend, and state why I think both are mistaken. Then, with respect to the modern trend, I will explain what I perceive to be an organizational dynamic inherent in any structure where compliance reports to risk. The organizational dynamic could result in the diminution of the legal function.
One widely offered explanation for the movement of compliance to risk relates to independence. The Basel Committee on Banking Supervision has declared as a core principle that “[t]he bank’s compliance function should be independent.”[27] Many disciples of independence believe that this means the chief compliance officer must be independent of management, although the BCBS never actually said this. In fact, the BCBS said that “[t]he concept of independence does not mean that the compliance function cannot work closely with management and staff in the various business units.”[28]
Further, it is simply erroneous to conclude that the risk function is independent of management while the legal function is not. In my opinion, the erroneous view rests upon a mistaken notion as to what a financial institution’s legal counsel does. The mistaken notion is that counsel is the advocate for management, most often the so-called “C” suite or even the chief executive officer. But bank counsel do not act as the advocate for any particular business person or organizational constituent. A financial institution’s lawyer represents the organization.[29] Her obligation is to exercise “independent professional judgment and render candid advice”[30] on behalf of the organization, and this necessarily means that counsel can be “independent” of management. If compliance reports to counsel who are themselves independent, there is no independence problem. Of course, this is not a structural independence as we often see with respect to audit (many independent auditors report to the Chair of the Audit Committee of the board of directors, rather than to a member of management). It is judgment independence, and judgment independence is precisely what is needed for compliance. In sum, there is no independence problem when compliance reports to the chief legal officer.
Another often unspoken reason why some chief legal officers have not objected to the reassignment of compliance to risk relates to a different kind of risk calculus. Some chief legal officers look at the roles and responsibilities of compliance as roles and responsibilities likely to lead to problems and to the assignment of blame. Consequently, when a discussion arises with respect to the appropriate reporting relationship, some chief legal officers see this in terms of a way to limit their own personal responsibility. In my view, this is the wrong reason to move compliance. It is not a reason grounded in organizational interest; it is a reason grounded in the chief legal officer’s personal interest.[31]
Putting to the side the reasons underlying the modern trend to have compliance report to risk, it is clearly the trend for banking organizations in the post-crisis period. And when that organizational move is made, there is a very clear organizational dynamic that follows at the time when compliance moves from legal to risk. Once compliance moves, the chief compliance officer will naturally realign with the chief risk officer, the officer to whom the chief compliance officer now reports. If a particular risk issue occupies the sometimes mercurial border between legal, compliance, and operational risk, then the lawyers should anticipate that risk and compliance will form a new coalition. Remember that a reporting relationship usually entails some other components in the typical financial institution – the chief risk officer will now probably be appraising the chief compliance officer’s performance and determining the chief compliance officer’s compensation.
If there is to be a “turf fight” between risk and legal, once the chief compliance officer starts reporting to the chief risk officer, there will be little daylight between compliance and risk.
Attorney-Client Privilege
Many of those who are familiar with the examinations process would say that there is a generalized antipathy on the part of examinations staff toward lawyers and the legal function. I wish that this were not true, and I know that it is not universal. Yet it is my generalized view that this bias exists. Why?
One factor is the attorney-client privilege. Financial institution lawyers will raise privilege with examination staff and examination staff will often see it as an obstructionist tactic. With respect to compliance staff, who are not functioning in the same capacity as legal counsel, and who typically do not interpose privilege objections (and when they do, they assign, appropriately, responsibility to legal), the examination staff have much more agreeable dealings. As a result, examiners routinely see compliance staff as more cooperative than the legal function. Further, there is a symbiotic relationship that often occurs between examination staff and compliance staff.
For example, when compliance needs more resources, often compliance will receive external support from the examiners. When a compliance professional is having difficulty with a particular business executive, a hushed hallway conversation with the examiner-in-charge can sometimes work a miracle. Finally, on an interpersonal level, there will typically be a close working relationship between the examiners and the compliance staff; they will see each other as colleagues. In contrast, the relationship between examiners and lawyers is generally at arm’s length.
With respect to the attorney-client privilege and the work product doctrine, there is a special provision of federal law that is intended to facilitate the communication of privileged information between the financial institution and its prudential supervisor.[32] Some look at this provision as evidence of an attempt by government to erode privilege. As one of the proponents of the provision, which was added by the Regulatory Relief Act of 2006, I can state that this provision was supported by the Federal Reserve and the OCC, but that support was not designed to erode privilege. The provision was drafted and enacted to reinforce, and not disable, the attorney-client privilege and the work product doctrine.
Of course, the operative hypothesis underlying Section 1828(x) is that sharing with a supervisory authority would be considered as fostering the interests of the financial institution. If, on the other hand, the financial institution wishes to block the supervisor from seeing the legal advice, an assertion of privilege affords a way to accomplish this objective.[33] When the privilege is asserted, it is asserted on behalf of the bank by bank counsel. The examination staff will commonly experience the privilege assertion as a hostile act by bank counsel. Over time, if the examination staff is regularly confronted with privilege assertions from the legal function, the examiners may come to regard the legal function as obstructionist and obdurate, and contrast that perception with what they experience from compliance and risk.
Examiner antipathy toward the legal function is never a good thing. But it can be especially destructive when there is a conflict between risk/compliance and legal. The examiners will likely side with risk/compliance and the conflict may be resolved with a legal loss. Again, this can contribute to a diminution of the legal function.
Legal “Meremanship” as an Advocacy Tool
One of the most surprising factors contributing to the diminution of the legal function may relate to the arguments that financial institution lawyers make about their own roles. There are many examples, but perhaps the clearest and the most obvious occurred recently in the United Kingdom with respect to the Senior Managers Regime.
The Senior Managers Regime is designed by regulatory authorities in the United Kingdom to encourage senior managers in covered financial institutions to manage the risks that they are responsible for. Consequently, the regime is designed to elucidate for senior managers what they are responsible for, that there is a proper focus on skills, capability and conduct within the firm, that a set of conduct rules provide a foundation for behavior, that practices and policies within covered firms provide for a necessary sense of accountability, and that the Financial Conduct Authority can hold the senior officials accountable if they should fail.
A question arose under the Senior Managers Regime as to how to treat the senior staff of the legal function. Were the lawyers to be considered within the scope of the Senior Managers Regime and held accountable as officials who had significant responsibility for risk management? In the comments that were received, “[m]ost respondents argued that the [legal] function was purely advisory” and that a determination otherwise might be compromising to privilege.[34] Accordingly, the Financial Conduct Authority has now proposed “to exclude the Head of Legal from the requirement to be approved as a Senior Manager.”[35] Of course, the chief risk officer and the chief compliance officer are included. What does this contrasting position say about the relative importance of risk/compliance vis-à-vis the legal function? I believe the answer is obvious.
The argument made in the United Kingdom is an argument that is often heard from counsel in the United States. It is the “meremanship” argument – to the effect that all lawyers do is give legal advice. The purpose of this result-oriented argument is to deemphasize lawyer importance. It is a variation on the argument that “don’t worry about us, we do not really matter.” One problem with the argument is that it is not really true. For the reasons stated above, the lawyers within a financial institution do matter, because they are the group that renders legal judgments that have a material effect on how the financial institution carries out its activities. Returning to the AIG Shareholder Litigation example, when I opined that the Federal Reserve Bank could receive an equity participation as consideration for a rescue loan, that legal judgment enabled the deal to go forward with that particular component which turned out to be worth more than $20 billion. A decision otherwise would have resulted in a different deal, with considerably less upside for the taxpayer. As the AIG Shareholder Litigation example demonstrates, legal judgment matters. Legal judgment can determine the consideration for a material transaction, or the contours of a permitted activity. The legal function does much more than just whisper advice.
Another problem is that such advocacy becomes a self-fulfilling prophecy. The essence of the argument is that “lawyers don’t matter.” More problematic is that the argument is occurring in a context where the role of lawyers is juxtaposed against the role of risk and compliance professionals, who are covered by the Senior Managers Regime. And, with respect to the risk and compliance professionals, the conclusion reached with those professionals speaks to the following conclusion, that “these people really do matter.” This returns us to the overall purpose of the Senior Managers Regime – to hold those who have material decision-making authority responsible for their decisions. Risk and compliance professionals need to be responsible. Why not senior personnel exercising legal judgments?
Risk Governance
In the new, post-financial-crisis world, financial institutions are expected to identify, measure, monitor, and control all of the risks they face. The supervisors of such institutions expect that there will be processes and procedures for governing these risk functions across all of the risk types, and that these governance procedures will encompass risk-appetite statements and a risk-governance framework.
The processes and procedures will be developed under the supervision and control of the risk committee of the board of directors. The risk committee will be the body that typically approves the risk appetite and the risk-governance framework. Ordinarily, the senior management will create an internal management committee to perform these tasks, before these kinds of determinations reach the risk committee of the board (or to the full board).
Note that risk governance will typically encompass the following risk types: credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk, and reputational risk.[36] Once again, the absence of legal risk and the legal function may be problematic, if this absence gives rise to an inference that legal risk and the legal function are not important (or are subsumed under the umbrella of other risk professionals). The concern is a variant on the concern that I have expressed about meremanship advocacy, except here it is that an inference might be drawn – legal risk and lawyers do not need a framework because they are not important.
This does not mean that we should invite regulators to make legal judgment a part of the risk governance that they are reviewing as a component of enterprise risk management. An alternative possibility is for the legal function to create its own risk governance framework for matters requiring legal judgment. This framework would require that lawyers be the core professional staff, and not the risk function. But, for anyone who has engaged in this exercise, it is not facile and will often be met with a healthy skepticism as to why legal is different from all other risk types.
If a risk-appetite statement is prepared for legal risk, it will look decidedly different from the appetite statements for other risk types. Let us hypothesize that we are creating a risk appetite statement for violations of the Volcker Rule.[37] Having gone through such an exercise, it is likely to result in the only practicable conclusion – that there is a zero appetite for such a violation. Would the answer be different for sexual harassment, a Truth-in-Lending Act violation, and so on? No. Every financial institution will seek to conduct its activities within the bounds of the law, meaning that it has zero risk appetite for violations of law. Having no appetite for legal violations will be consistent with what most banking organizations practice; it is a permutation on the internal affairs policy referenced earlier that no corporate officer has the authority to violate the law. When a bank official intentionally violates a legal prohibition, nearly all banks will take disciplinary action against the official.[38] The goal of such disciplinary action will, of course, be aspirational and designed to send a message that the bank conforms its activities to the bounds of the law. With that said, in nearly every financial institution, including the most carefully controlled and the best governed, the goal will not be attained and there will be episodic violations.
Those with experience in these matters will know that legal and compliance risks are different in nature from risks like credit risk and liquidity risk. Governance practices that work for the latter risk types are not easily adapted to the former. Perhaps what is needed is for the legal profession to intervene with regulators and make sure there is awareness that the legal function is sui generis in its risk management endeavors.
The alternative course – remaining silent with respect to the legal function – has its own potentially destructive consequence.[39] In a world where risk governance is seen as exceptionally important to the health of the financial institution and the stability of the economic ecosystem, being marginalized is a form of diminishment.
Risk Reporting
The final factor leading to a potential diminution in the role of the legal function concerns risk reporting. In today’s financial institution, it is typical for a bank’s highest legal authority, the board of directors, to also have a risk committee either because it is legally required or because it is considered to be a better governance practice. The risk committee’s principal task will be risk oversight. To perform its risk-oversight function in a competent manner, the risk committee will need information from the management about risk in the organization. This ordinarily leads the board’s risk committee to turn to the chief risk officer and request a risk report, or a risk “dashboard,” that will enable the risk committee to perform its risk-oversight functions. In its IRM Guidance, the Federal Reserve proposes the principle that independent risk management “should provide the board and senior management with risk reports that accurately and concisely convey relevant, material risk data and assessments in a timely manner.”[40]
An effective risk-reporting mechanism will typically show the risk committee the different types of risk that the organization faces, and will try to gauge trend lines. The trend lines will show whether risk of a particular type is increasing, decreasing, or remaining constant. Often, when presented in dashboard form, the risk report will highlight risk trends in colors, where green is good, red is bad, and yellow is a warning sign. A good risk report will identify “emerging risks” and provide “forward-looking perspectives.”[41]
In most organizations, the risk committee will look to the chief risk officer to provide this kind of information. The risk committee typically will not want to receive information from many different people. It will want to hold accountable for risk reporting a key senior officer, and usually that officer is the chief risk officer. This can place the chief legal officer in an uncomfortable position, particularly with respect to legal and compliance risks. Often, compliance risk reports will reference legal judgments, and, again, legal judgments are the province of the legal function. For example, compliance may believe that there has been a violation of the Truth in Lending Act, which involves a legal determination and a legal judgment. If this view should be written into a risk report, this encroaches on the legal function because it is the province and duty of the legal function to say what the law is and whether the law has been violated.
If there is a legal memorandum from the legal function stating this judgment, it could be appended to the risk report and the problem is solved. But often these reports do not follow this practice, and that has consequences. For example, if a legal conclusion is stated in a report from the chief risk officer or the chief compliance officer, it will not be privileged.[42] There will likely be significant pressure to get the board books done timely, and not to distinguish this “legal” matter from all the other risk issues that warrant the attention of the risk committee. In addition, if the legal function should demand special treatment, there may be a perception that legal is “too defensive” or that legal is “causing trouble.” All of these considerations may create pressure on the legal function to acquiesce, and permit the chief risk officer to follow the path of least resistance and treat a legal risk issue just as it would treat, say, an information technology risk. If this should occur, it is another encroachment by risk on what should be legal’s territory.
IV. Diagnostic: Is the Legal Function Being Diminished?
In the preceding section, I summarized seven risk management conditions that might be causing a diminution in the role performed by the legal function. Is it actually happening? I try to answer that question in this section.
Turning to one of the tools used in the discipline of risk management, we need to confront a measurement problem. How can we measure an amorphous concept like diminution? Without spending much time on the question, the short answer is we have no quantitative measure of the power and effect within financial institutions of the legal function.[43] We have identified the risk of diminution, but we have no good quantitative measure of whether it is actually occurring.
Is there qualitative or anecdotal evidence that the power and effect of the legal function is in decline? I believe that there is evidence this is happening, but it is very early in the process to be drawing firm conclusions. This is a current topic of conversation among senior internal lawyers within financial institutions. The degree of concern varies from person to person and from institution to institution, but the topic is often front of mind. There is also considerable interest among legal and compliance professionals in defining roles and responsibilities, largely driven by concerns about who does what, but especially influenced by structure wherever compliance reports to risk.
For purposes of this article, my personal perspective is the legal function has, in fact, been diminished by the ascendancy of the risk management function. I have a sense that this has started to occur, and I hope this article will foster vigorous discussion of that question by the banking bar.
One can also ask, if the legal function has started to decline, how far has it declined?
Assuming that my perspective of decline is accurate, and further assuming that some impairment has already occurred, can we reverse the trend and repair the damage? I think the answer is yes.
V. Taking Affirmative Actions to Reverse the Decline and Repair the Damage
If a conclusion is reached that the legal function in financial institutions is being diminished and that this is a negative trend that needs correction, what remedial actions are needed? If I have correctly identified the conditions that are causing the diminution, then the future remedial action becomes clear. We need to focus on the seven conditions that are working in concert to diminish legal.
The first condition concerns risk typology. The legal function is certainly focused on legal risk. But this does not mean that this is the exclusive interest of the legal function. The legal function should be interested in any risk type that is affected by the exercise of legal judgment. At a minimum, that would include compliance and reputational risk, but we should not stop there. Legal judgment affects other types of risk, including credit risk. In fact, when you consider various risk types, legal judgment likely impacts the majority of them (misconduct risk, for example, is heavily influenced by legal factors whereas model risk is probably not). Lawyers need to be much more assertive about their expertise and their expertise is legal judgment. But lawyers also should not be shy when rendering judgment and advice. As the Model Rules frame it, lawyers should feel free to “refer not only to law but to other considerations such as moral, economic, social, psychological, and political factors that may be relevant” to the financial institution’s situation.[44] In this regard, the legal function brings to the table not only depth of knowledge with respect to legal judgment, but a breadth of knowledge that can be meaningful with respect to managing other risk types. As legal professionals, we do more than merely give legal advice. In the best-in-class legal functions, the senior members of the function are typically considered as business partners who are valued for their legal judgment and business acumen.
The next condition is the three-lines-of-defense framework. This framework is fine for creating a conceptual model for the work of risk professionals, but it should not be either a model or a constraint on lawyers. We have to continue functioning as we always have, and, as I said in the Business Law Today article, the legal function within banking organizations has worked well for more than a century. With respect to the three lines of defense, the lawyers may move from line to line, depending on the function performed. If a lawyer is drafting transactional documents at the direction of a front-line business person, the lawyer (as an agent) will be in the first line (assuming that the lawyer is not exercising legal judgment but simply codifying the intention of the business personnel). If the lawyer is assisting in identifying the risks in a potential new product, to inform a senior management committee that is deciding whether to greenlight or redlight the new product, and authorize it to be offered by the financial institution, the lawyer will be in the second line. The lawyer is performing a second-line function by informing the decision-makers about risk. There may also be times when lawyers are assisting internal audit – let’s say they are auditing some kind of human resource practice or procedure. When acting in this capacity, the lawyers may be in the third line. The important point is that the three-lines-of-defense model does not neatly fit the work of a legal function; it does not matter where the lawyers are found, so long as they are performing their historical role and making the necessary legal judgments. And, perhaps most importantly, the lawyers often perform a hugely consequential function that does not fit into any one of the three lines of defense. Consider the role performed by a senior lawyer who is handling “bet the company” litigation. Such a lawyer is not in any line of defense but is performing a classic function in managing and controlling the legal risk presented in the litigation. To avoid a diminution of legal, we must become more assertive about the role of lawyers in risk management, and how they stand apart from the three lines of defense.
Moving to reporting relationships, we need to develop a more realistic understanding that organizational dynamics will change when (and if) compliance moves from legal to risk. In a certain respect, this is like stating rain is wet. When the reporting line of the chief compliance officer changes from the chief legal officer to the chief risk officer, who but a fool would ignore the change in organizational dynamics? Yet this point is hardly mentioned in the literature. Further, because the distinction between legal, compliance, and operational risks is often obscure, there will be inevitable conflict as to roles and responsibilities. Having sensitivity to the organizational dynamics is important, because it permits those who are on the playing field to discuss the subject matter and do what is required – namely, work it out. Alternatively, if they cannot work it out, then they can escalate the dispute to a higher authority who must likewise be sensitive to organizational dynamics. These dynamics should also be considered when senior officials resolve the inevitable conflicts that come with an escalated matter.
The next condition is privilege. Financial institution lawyers should closely examine privilege assertions that withhold information that would otherwise be seen by their regulators. This action has real consequence, and it can and does breed examiner resentment directed toward lawyers. When privileged matter is solicited by a regulator who is performing prudential oversight (and not acting in an enforcement capacity),[45] sharing privileged information with an appropriate legend will not result in a waiver and likely will not have any negative consequence. In fact, it might reveal to the examiners just how well the legal function has helped the organization to function in a safe and sound manner. Providing such material to a prudential supervisor, certainly in a context where there is no likelihood of enforcement action, might be one small, additional step. While inevitably there will be certain occasions that warrant a privilege assertion, the assertion of privilege in response to a regulator’s request should not be reflexive; if privilege is not asserted, the hidden benefit could be the avoidance of examiner enmity.
As for legal “meremanship,” I am reminded of what President Obama said: “[T]he first thing we do is stop doing stupid things.” We should stop arguing that the legal function is not important. We are important – we make legal judgments and, almost every day, those judgments directly and materially affect the way in which banks conduct their activities. Arguing that we merely give legal advice now threatens to turn us into advisors about nothingness. If it were true that we are unimportant, then I would have no objection. But it is not true and we know it. This could, of course, mean that we will be held accountable for our legal judgments, perhaps even to regulators. Is that necessarily a “bad” outcome?
With respect to a risk governance framework, lawyers should work to fashion our own unique framework with respect to the exercise of legal judgment. We should not remain in a kind of twilight zone, because this is not in the interest of the financial community and diminishes the rule of law in society. And when we finally start to analyze our framework, we will likely discover that we actually have one. We just have never codified it or conformed our practice to a written policy and procedure.
With respect to risk reporting, I am reminded of the situation in 2006 that needed to be remedied with Section 1828(x). Having the chief risk officer recite a legal judgment in a risk report creates a non-privileged record that could be subject to discovery in third-party litigation against the financial institution. This is a problem that needs attention. It is also a problem that perhaps needs some creativity and initiative. What about a risk report from both the chief risk officer and chief legal officer? What about a risk report that contains an addendum with legal memoranda? The problem can be addressed if it receives proper attention.
Finally, the whole of these seven conditions is more than the sum of its parts. Yet, if we address each one individually, we can reverse the potential diminution and start to repair the damage. The legal, compliance and risk functions can work together seamlessly, with each being cognizant of their unique roles and responsibilities, and each regarding the other with mutual respect.
VI. Conclusion
The ascendancy of risk management and the chief risk officer is one of the truly noteworthy changes in financial institutions since the end of the global financial crisis. In the view of the author, the change has materially contributed to the safety and soundness of banks and banking. There is anecdotal evidence that this change has produced an unintended consequence, and the unintended consequence is a relative diminution in the role of the legal function. This unintended consequence is dangerous, particularly if the diminution becomes material. The legal function performs a hugely consequential role in the functioning of financial institutions. The role needs to be better understood and appreciated. The rise of the risk function should not mean there will be a decline in the legal function.
[1] I gratefully acknowledge the invaluable assistance of my Sullivan & Cromwell colleagues, Camille Orme and Cristina Liebolt. The views, thoughts, and opinions expressed in this article belong solely to the author, and do not necessarily reflect the views of Sullivan & Cromwell, or anyone affiliated with the firm.
[2] Senior Supervisors Group, Risk Management Lessons from the Global Banking Crisis of 2008 (October 21, 2009).
[3] See, e.g., David Moss, “An Ounce of Prevention: The Power of Public Risk Management in Stabilizing the Financial System,” Harvard Business School (working paper) (Jan. 5, 2009); Tobias Adrian, Risk Management and Regulation, International Monetary Fund: Monetary and Capital Markets Development (2018); Risk and Insurance Management Society, Inc., “The 2008 Financial Crisis: A Wake-Up Call for Enterprise Risk Management,” (2008); Federal Reserve Bank of New York, “Economic Policy Review: Special Issue: Behavioral Risk Management in the Financial Services Industry The Role of Culture, Governance, and Financial Reporting,” August 2016, Vol 22:1; Society of Actuaries, the Casualty Actuarial Society and the Canadian Institute of Actuaries, “Risk Management: The Current Financial Crisis, Lessons Learned and Future Implications,” The Financial Crisis Inquiry Edition, Final Report of the National Commission on the Causes of the Financial and Economic Crisis in the United States, submitted pursuant to Public Law 111-21, January 2011; Anil K Kashyap, Lessons from the Financial Crisis of Risk Management, University of Chicago, Booth School of Business and NBER (paper prepared for the Financial Crisis Inquiry Commission) (February 27, 2010); Daniel Zéghal and Meriem El Aoun, Enterprise Risk Management in the US Banking Sector Following the Financial Crisis, Modern Economy, 7, 494-513 (April 29, 2016); OECD, Corporate Governance and the Financial Crisis: Key Findings And Main Messages, June 2009; Permanent Subcommittee on Investigations, United States Senate, Wall Street And The Financial Crisis: Anatomy of a Financial Collapse (April 13, 2011); Philippe Jorion, Risk Management Lessons from the Credit Crisis, European Financial Management (2009).
[4] See, e.g., the definition used by the OCC for a “front-line unit.” 12 C.F.R. Part 30, App. D, at I(E)(6). The Federal Reserve has recently used the expression “business line management” to refer to “the core group of individuals responsible for the prudent day-to-day management of the business line and who report directly to senior management.” Board of Governors of the Federal Reserve System, Proposed Supervisory Guidance – Independent Risk Management and Effective Senior Management, 83 Fed. Reg. 1351 (Jan. 11, 2018) (hereafter “IRM Guidance”).
[5] A recent report by the Group of Thirty notes that, since the financial crisis, the “banking industry has paid an estimated US$350 billion to US$470 billion in penalties (including fines and litigation/settlement charges) for conduct-related matters . . . .” Banking Conduct and Culture – A Permanent Mindset Change at 3 (November 2018).
[6] See E. Norman Veasey & C. DiGuglielmo, Indispensable Counsel: The Chief Legal Officer in the New Reality (2012).
[7] Thomas C. Baxter, Jr. and Brian Baxter, The Financial Institution Lawyer: Four Flavors of Failure, Bus. Law Today vol. 16, no. 4 (March/April 2007).
[8] Lincoln Sav. & Loan Ass’n v. Wall, 743 F. Supp. 901 (D.D.C. 1990).
[9] See, e.g., Emilios Avgouleas, A New Framework for the Global Regulation of Short Sales: Why Prohibition is Inefficient and Disclosure is Insufficient, 15 Stan. J.L. Bus. & Fin. 376, 380; Lila Zuil, “AIG’s Title as World’s Largest Insurer Gone Forever,” April 29, 2009, available at https://www.insurancejournal.com/news/national/2009/04/29/100066.htm
[10] Today, AIG is a publicly traded company which has no continuing dependence on the United States Government.
[12] In Appendix D to Part 30, the regulation expressly provides that a “[f]ront line unit does not ordinarily include an organizational unit or function thereof within a covered bank that provides legal services to the covered bank.”
[13] Board of Governors of the Federal Reserve System, Supervisory Guidance for Assessing Risk Management at Supervised Institutions With Total Consolidated Assets Less Than $50 Billion, SR 16-11 (June 8, 2016).
[14] Id. In the more recent IRM Guidance, the Federal Reserve uses the terms compliance risk and legal risk, but does not define those terms. IRM Guidance, supra n. 4.
[15] I am mindful that there are some financial institutions that are very small in asset size, and do not have lawyers. For these institutions, whose official staff are charged with knowledge of the law’s restrictions and requirements, the official staff must do the best that they can. But in the vast majority of financial institutions, the chief legal officer or General Counsel is the official charged with making legal judgments. Other officials are authorized to take action within the scope of their authority; ordinarily, no official has authority to violate the law, which empowers the chief legal officer because she is the person who gets to say what the law is.
[16] See New York Rules of Professional Conduct Rule 5.5, Comment 1 (January 1, 2017).
[17] This example is not protected by the attorney-client privilege because the Court of Federal Claims determined that privilege was waived. Starr Int’l Co. v. United States, Order of Jan. 6, 2015 (Court of Federal Claims, Doc. No. 417) (filed Jan. 6, 2015). All of the legal judgments are from the public record in the litigation.
[18] Starr Int’l Co., Inc. v. United States, 121 Fed. Cl. 428, 430 (2015), aff’d in part, vacated in part, 856 F.3d 953 (Fed. Cir. 2017).
[19] Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk at 3n.5 (2011).
[20] In the Federal Reserve IRM Guidance proposal, the text provides that “Business line management should incorporate appropriate feedback from [independent risk management] on business line risk positions, implementation of the risk tolerance, and risk management practices, including risk mitigation.” IRM Guidance, supra n. 4 at 1358. The IRM Guidance says nothing about the legal function.
[22] Internal auditors would be quick to say that they have other responsibilities, and their role in the three lines of defense describes only one part of a multi-faceted audit function.
[23] Thomas C. Baxter, Jr. and Won B. Chai, Enterprise Risk Management: Where is Legal and Compliance?, The Banking Law Journal, Volume 133, Number 1 (2016).
[24] In the Federal Reserve’s IRM Guidance, this is literally true. There is no reference whatsoever to a General Counsel, a Chief Legal Officer, or any lawyer whatsoever. The legal function is never mentioned, notwithstanding a repeated refrain that senior management should be attentive to “compliance with internal policies and procedures, laws, and regulations, including those related to consumer protection.” IRM Guidance, supra n.4 at 1356.
[25] While every organization is different, I note that, at the Federal Reserve Bank of New York, the chief compliance officer reported to me when I was General Counsel. This organizational fact should aid in rebutting the mistaken notion on the part of some supervisors that this structure is not permitted because of independence concerns.
[26] See M. DeStefano, Creating a Culture of Compliance: Why Departmentalization May Not Be The Answer, 10 Hastings Bus. L.J. 71 (Winter 2014); C. Bagley, M. Roellig, and G. Massameno, Who Let the Lawyers Out?: Reconstructing the Role of the Chief Legal Officer and the Corporate Client in a Globalizing World, 18 Univ. of Penn. J. Bus. L. 419 (Winter 2016).
[27] Basel Committee on Banking Supervision, Compliance and the Compliance Function in Banks at 10 (April 2005).
[29] E.g., New York Rules of Professional Conduct, Rule 1.13 (Jan. 2017) (“[T]he lawyer is the lawyer for the organization and not for any of the constituents.”).
[30] New York Rules of Professional Conduct Rule 2.1 (Jan. 2017).
[31] In a prior position when the author served as General Counsel and Executive Vice President of the Federal Reserve Bank of New York, the Chief Compliance Officer reported to me and not to the Chief Risk Officer.
[33] Last year, seven major law firms, including Sullivan & Cromwell, released a white paper relating to whether or not the federal financial regulators could compel the production of privileged information. Bank Regulators’ Legal Authority to Compel the Production of Material that is Protected by Attorney-Client Privilege (May 16, 2018). A potential collateral consequence of the assertion of that legal right is the effect that it might have on bank examiners. In some respects, it is analogous to how a jury might consider a criminal defendant’s exercise of the right not to testify in her own defense.
[34] Financial Conduct Authority, Optimizing the Senior Managers & Certification Regime at 9-12 (January 2019).
[36] 12 C.F.R. Part 30, App. D, at II (B). See also IRM Guidance, where the Federal Reserve identifies “credit, market, operational, liquidity, interest rate, legal and compliance” as risk types. IRM Guidance, supra n.4 at 1361.
[38] Where there is controversy, the controversy typically relates to the degree of discipline, contrasting the “slap on the wrist” to the so-called “capital offense.”
[39] It is noteworthy that in the Federal Reserve’s proposed IRM Guidance, the legal function is nowhere mentioned. Further, there are extensive discussions of the Chief Risk Officer and the Chief Audit Executive, but no reference whatsoever to the Chief Legal Officer or General Counsel.
[42] The privilege protects communications between an attorney and her client, not between a risk or compliance professional and its Risk Committee.
[43] Some might look at the number of people working in the risk function at various times over the last 10 years, and compare it to the number of people working in the legal function.
[44] New York Rules of Professional Conduct Rule 2.1 (Jan. 2017).
[45] This is not always clear. Regulators should be candid about the function they are performing, and if the information is going to be shared with enforcement or if enforcement staff are accompanying an examination team, this should be transparent to the financial institution.