SEC Brings Enforcement Action for Failure to Issue Timely Disclosure of Cyber Breach

In the previous installment, SEC Issues New Guidance on Cybersecurity Disclosure and Policies, we explored the text and implications of the recently issued SEC guidance. When that guidance was issued, the SEC had not yet brought a formal enforcement proceeding for failure to make timely disclosure regarding cybersecurity risks and/or cyber incidents. But the timing of the issuance of the guidance did make you wonder: was the SEC just taking the opportunity to reiterate and expand on past guidance or was it signaling that an enforcement action might be imminent? Was it just a gentle reminder or a warning shot?

In 2017, the co-director of the SEC’s Enforcement Division had warned that, although the SEC was “not looking to second-guess good faith disclosure decisions,” enforcement actions were certainly possible in the right circumstances. Indeed, the co-director had cautioned that no one should mistake the absence of enforcement actions for an unwillingness by the SEC to pursue companies with inadequate cybersecurity disclosures before and after breaches or other incidents. Apparently, SEC Enforcement has now identified circumstances it considers to be “right”: in April, the SEC announced “that the entity formerly known as Yahoo! Inc. has agreed to pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.”

In its Order, the SEC found that, in late 2014, Yahoo learned of a massive cyber breach by hackers associated with the Russian Federation—at that time considered the largest breach of its kind—that affected over 500 million user accounts, resulting in the “theft, unauthorized access, and acquisition of hundreds of millions of its users’ data, including usernames, birthdates, and telephone numbers,” referred to internally as the company’s “crown jewels.” The company neither admitted nor denied the findings in the Order.

By December, the Order indicates, after the company’s information security team had drilled down and reached certain conclusions about the breach (including the hacking of the “email accounts of 26 Yahoo users specifically targeted by the hackers because of their connections to Russia”), the company’s Chief Information Security Officer advised members of senior management and legal teams of the problem. Throughout 2015 and early 2016, the company’s security team found that the same hackers continued to target the company, and by June 2016, the company’s new Chief Information Security Officer concluded and communicated to senior management that the company’s “entire user database, including the personal data of its users, had likely been stolen by nation-state actors through several hacker intrusions (including the 2014 breach), and ultimately could be exposed on the dark web in the immediate future.” But, the Order found, this information was not disclosed.

The Order charges that the company’s “senior management and relevant legal staff did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in Yahoo’s public filings or whether the fact of the breach rendered, or would render, any statements made by Yahoo in its public filings misleading….Furthermore, Yahoo’s senior management and legal teams did not share information regarding the breach with Yahoo’s auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings. Yahoo did not maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team raising actual incidents of the theft of user data, or the significant risk of theft of user data, were properly and timely assessed to determine how and where data breaches should be disclosed in Yahoo’s public filings, including, but not limited to, in its risk factor disclosures or MD&A. To the extent that Yahoo shared information regarding the breach with affected users, they only notified the 26 users whose email accounts were accessed during the breach.”

Observations and Commentary

  • You might note that there seems to be a certain consistency between the issues identified in this Order and the SEC’s advice in its new guidance on cybersecurity disclosure. For example, the new guidance emphasized the importance of disclosure controls and procedures related to cybersecurity. In that regard, the guidance urged companies to regularly assess whether their disclosure controls and procedures adequately captured information about cybersecurity risks and incidents and ensured that it was reported up the corporate ladder to enable senior management to make decisions about whether disclosure is required and whether other actions should be taken. In addition, given that CEO and CFO certifications required as part of periodic reporting address the effectiveness of disclosure controls, the certifying officers would need to take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents.

In particular, the Order found that the company’s “risk factor disclosures in its annual and quarterly reports from 2014 through 2016 were materially misleading in that they claimed the company only faced the risk of potential future data breaches” that might expose the company to loss and liability “without disclosing that a massive data breach had in fact already occurred.” These risk factor disclosures “misleadingly suggested that a significant data breach had not yet occurred, and that therefore the company only faced the risk of data breaches and any negative effects that might flow from future breaches.” In addition, according to the Order, the company’s MD&A did not address the breach as a known trend or uncertainty.

Observations and Commentary

  • In its new guidance, the SEC advised that, in crafting risk factors, companies should consider whether cybersecurity risks and incidents were among the company’s most significant risks, taking into account prior incidents and the probability of occurrence and potential magnitude of future incidents. The SEC emphasized that companies needed to disclose information regarding material prior incidents to provide appropriate context. As emphasized in the guidance, “if a company previously experienced a material cybersecurity incident involving denial-of-service, it likely would not be sufficient for the company to disclose that there is a risk that a denial-of-service incident may occur.”
  • In addition, the guidance advised that, in MD&A, companies should consider whether risks related to cybersecurity could represent an event, trend or uncertainty that is reasonably likely to have a material effect on results of operations, liquidity or financial condition. Likewise, a material cyber incident could cause reported financial information not to necessarily be indicative of future operating results or financial condition.

In addition, the SEC found that there were also disclosure violations in connection with the proposed sale of the company’s operating business in July 2016: although the company “was aware of additional evidence in the first half of 2016 indicating that its user database had been stolen, Yahoo made affirmative representations denying the existence of any significant data breaches in a July 23, 2016 stock purchase agreement [that] was attached to a Form 8-K filed with the Commission on July 25, 2016.”

Observations and Commentary

  • You might recall that, in 2005, the SEC issued a Section 21(a) Report of Investigation concerning The Titan Corporation, to “provide guidance concerning potential liability under the antifraud and proxy provisions of the federal securities laws for publication of materially false or misleading disclosures regarding provisions in merger and other contractual agreements.” The report enunciated the SEC’s view that disclosures regarding material contractual terms, such as representations, may be actionable and highlighted the SEC’s intent to consider bringing enforcement actions if it “determines that the subject matter of representations or other contractual provisions is materially misleading to shareholders because material facts necessary to make that disclosure not misleading are omitted.” The report emphasized that companies should ensure that disclosures regarding material contractual provisions such as representations are not misleading: “When an issuer makes a public disclosure of information—via filing a proxy statement or otherwise—the issuer is required to consider whether additional disclosure is necessary in order to put the information contained in, or otherwise incorporated into that publication, into context so that such information is not misleading. The issuer cannot avoid this disclosure obligation simply because the information published was contained in an agreement or other document not prepared as a disclosure document.”

In the Order, the SEC also found that, in September 2016, the company issued a press release disclosing the data breach and attached it as an exhibit to a Form 8-K. The company also amended various disclosures, including risk factors and MD&A, to reflect the occurrence of the breach and corrected its prior statements regarding the effectiveness of its disclosure controls. The day following the announcement, the company’s market cap fell nearly $1.3 billion. In addition, the disclosure led to a renegotiation of the acquisition agreement, including a 7.25% price reduction.

The SEC concluded that the company “acted negligently in filing materially misleading periodic reports with the Commission” and violated a number of provisions of the Securities Act and the Exchange Act, as well as related rules. In settlement, the company agreed to cease and desist and pay $35 million; Yahoo also agreed to certain undertakings, including cooperation in connection with any further SEC investigation of the matter.

SEC Issues New Guidance on Cybersecurity Disclosure and Policies

In February, the SEC announced that it had adopted long-awaited new guidance on cybersecurity disclosure. While the new guidance builds on Corp Fin’s 2011 guidance on this topic, it carries more weight because it bears the imprimatur of the Commission itself rather than its staff. The guidance itself is not a revelation: its significance is less in what it says than in the fact that the SEC felt compelled to issue it. The message is this—with the increasing importance of cybersecurity and the increasing incidence of cyber threats and breaches, companies need to review their disclosures regarding cybersecurity and consider how to augment their policies and procedures to ensure that information regarding cybersecurity risks and incidents is effectively communicated to management to allow timely decisions regarding required disclosure and compliance with insider trading policies.

The guidance highlights companies’ increasing reliance on digital technology to conduct their operations and engage with customers and others. That makes companies in all industries vulnerable to the threat of cybersecurity incidents, such as stolen access credentials, malware, ransomware, phishing, structured query language injection attacks and distributed denial-of-service attacks. Whether these incidents are a consequence of unintentional events or deliberate attacks, the SEC cautions that they represent a continuous risk to the capital markets and to companies, their customers and business partners—a risk that calls for more timely and transparent disclosure.

In a published statement, SEC Chair Jay Clayton expressed his view that the guidance “will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.” He encouraged “public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.” He also indicated that Corp Fin will be monitoring cybersecurity disclosures as part of the selective filing review process. Experience teaches that we can expect to see new staff comments on cybersecurity disclosures (or the lack thereof) in the near future.

Procedures and policies

While the new guidance addresses disclosure obligations under existing laws and regulations (much like the 2011 guidance), the real focus is on cybersecurity policies and procedures, particularly with respect to disclosure controls and procedures and insider trading and selective disclosure prohibitions.

Disclosure controls and procedures

In the guidance, the SEC encourages companies to adopt, and regularly assess compliance with, comprehensive policies and procedures related to cybersecurity, particularly disclosure controls and procedures. “Disclosure controls and procedures” are controls and other procedures designed to ensure that information required to be disclosed in the reports that a company files under the Exchange Act is recorded, processed, summarized and reported within the time periods specified in the SEC’s rules and forms and is communicated to management to allow timely decisions regarding required disclosure. The guidance urges companies to assess whether their disclosure controls and procedures capture information about cybersecurity risks and incidents and ensure that it is reported up the corporate ladder to enable senior management to make decisions about whether disclosure is required and whether other actions should be taken. According to the guidance, “[c]ontrols and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents. The controls should also ensure that information is communicated to appropriate personnel to facilitate compliance with insider trading policies.”

Given that CEO and CFO certifications required as part of periodic reporting address the effectiveness of disclosure controls, the certifying officers will need to take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents. Moreover, the guidance advises, “to the extent cybersecurity risks or incidents pose a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed in filings, management should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective.”

Insider trading policies

Information regarding cybersecurity risks and incidents may be material nonpublic information, and insiders could violate the antifraud provisions or their own internal company codes of ethics and insider trading policies if they traded company securities on the basis of that information. The SEC advocates that companies put in place prophylactic policies designed to avoid even the appearance of improper trading during the period following an incident—when the company is investigating and determining the facts, consequences and materiality of an incident—and prior to the dissemination of disclosure. Accordingly, companies should be in the habit of analyzing when it would be appropriate to implement trading restrictions and consider imposing restrictions under their insider trading policies once it is known that a cyber incident has occurred that could be material.

Corporate communication policies

The SEC reminds companies that they may have disclosure obligations under Regulation FD in connection with cybersecurity matters. Regulation FD prohibits the selective disclosure of material nonpublic information to certain enumerated persons unless that information has been publicly disclosed within the meaning of Regulation FD.

Accordingly, the SEC stated that it expects companies to have policies and procedures to ensure that any disclosures of material nonpublic information related to cybersecurity risks and incidents are not made selectively, and that any Regulation FD required public disclosure is timely made.

Observations and commentary

  • Companies should review their disclosure controls and procedures to ensure that they appropriately address cybersecurity risks and incidents. In developing disclosure controls, companies should be sure to include appropriate escalation procedures for cyber incidents, both for purposes of evaluating the significance of the event and determining whether it is likely to develop into a material event that requires the imposition of trading restrictions on insiders. Boards may want to assign oversight of cybersecurity (including data privacy and protection) to an appropriate committee, often the audit committee or a risk committee.

  • In addition, controls should require the input of both IT and business personnel. In previewing the expected guidance in a 2017 presentation, Corp Fin Director William Hinman advocated that, because it may be hard to determine the significance of attacks initially, IT and business personnel should promptly consider the impact of the event together, with an eye toward understanding the business implications.

  • SEC Commissioner Kara Stein expressed similar views in a recent speech at Stanford. Why, she asked, in light of the general agreement on the importance of cybersecurity, were companies “not doing more to implement robust cybersecurity frameworks and to provide meaningful disclosures regarding the risks of data loss.” One possible reason could be that companies “tend to view cyberthreats as a technology problem instead of, more appropriately, a business risk.” However, when cybersecurity is viewed to be simply an “IT” problem, it is then “hoisted on the shoulders of a company’s chief information officer. Too often, this has led to a failure to integrate cybersecurity into a firm’s enterprise risk management framework. To be sure, some companies are focused on cyberthreats and recognize their potential economic threat. But companies need to do more than simply recognize the problem. They need to heed the calls of their shareholders and treat cyberthreats as a business risk.”

  • That view was echoed by new Commissioner Robert Jackson recently in remarks to the Tulane Corporate Law Institute. The difficulty in developing effective controls and procedures related to cybersecurity, he contended, is that the “technologists,” who best understand the cyber threats, are typically in a separate silo from the lawyers and business people who would usually be involved in developing controls and procedures: “One recent survey noted that 70% of executives at the S&P 500 named their IT department as a primary owner for cyber risk management—compared to just 37% who identified the C-suite or the board. The same survey noted that, especially at large and growing companies, responsibility for these issues is often scattered throughout the organization, creating the risk that key information might not make its way to the decisionmakers who need it most.” But Jackson saw a critical role for counsel in overcoming these barriers: counsel should act as “ambassadors” to reach across the knowledge and cultural divide, much as they did with the accounting profession when SOX was initially enacted. Many lawyers then learned “more than [they] ever wanted to know about the ‘dismal science’ of accounting” to help their corporate clients build SOX 404-compliant systems of internal control over financial reporting. Now, he suggested, counsel “might even have to sit in front of a computer and open a program other than Microsoft Word” to learn more about corporate clients’ information technology systems.

  • Companies should review their insider trading policies and Regulation FD or similar corporate communication policies to ensure that they address cyber incidents. Insider trading policies should contemplate appropriate trading holds and restrictions in the event a cyber incident has occurred that could be material.

Disclosure obligations

In general

With regard to disclosure, the SEC has continued Corp Fin’s principles-based approach and has elected not to adopt more prescriptive new rules—so far at least. Much like the 2011 guidance, the new guidance explains that, although there are no disclosure requirements that specifically refer to cybersecurity risks and incidents, the obligation to disclose material cybersecurity risks and incidents could still arise in the context of many of the disclosure documents required of public companies, including registration statements and periodic and current reports.

In determining whether disclosure regarding cybersecurity risks and incidents is necessary, companies will need to assess the potential materiality of any identified risk and the impact of any incidents. But how is “materiality” assessed in the context of cybersecurity? The SEC notes that the Basic v. Levinson test, which involves weighing the probability of an event against the magnitude of its potential impact, is still a relevant part of the analysis. Thus, the materiality of cybersecurity risks or incidents may depend on the likelihood of an incident, the frequency of prior incidents, the impact on operations—particularly with regard to any compromised information, including personally identifiable information, trade secrets or other confidential business information—and the harm that could result, such as harm to reputation, financial performance and customer and vendor relationships. Also at issue are the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-US authorities.

The SEC advises companies to consider revisiting prior disclosures as they may have a “duty to update” (where disclosure that is still alive in the marketplace becomes false as a result of subsequent developments) or a “duty to correct” (where prior disclosures are determined to have been untrue when made, including, the SEC observes, “if the company subsequently discovers contradictory information that existed at the time of the initial disclosure.”) With respect to the existence of a general duty to update, the SEC at least tacitly acknowledged (in Footnote 37) that there is a considerable split of judicial authority on this topic.

Although companies are expected to disclose cybersecurity risks and incidents that are material to investors, the SEC makes clear that they are not expected to provide detailed roadmaps or specific technical information about potential system vulnerabilities that would compromise a company’s security protections.

While the guidance recognizes that it may take time to investigate and understand the implications of an incident, the need for an investigation will not, by itself, let the company off the hook: “an ongoing internal or external investigation—which often can be lengthy—would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”

Observations and commentary

  • Companies may find some of the guidance here difficult to navigate: providing adequate non-generic disclosure about risk, protections or incidents that does not, at the same time, increase the company’s exposure or jeopardize cybersecurity efforts could turn out to be a tricky exercise. And it could be equally challenging to find the point at which the company has sufficient factual information about a breach to make disclosure that is timely. There is an inherent tension between the need to disclose promptly to satisfy requirements to inform investors and the need to keep the matter confidential to allow the investigation to proceed without tipping off the malefactors and to gain a satisfactory understanding of the facts and implications of the incident. This tension requires that companies make a difficult judgment call in every case. That may explain why, although, according to Audit Analytics, there were 64 cyber breaches at public companies in 2017, only 24 breaches were disclosed in SEC filings, and the substance of those disclosures varied widely. Companies may want to look to Chair Clayton’s statement regarding the hack of the SEC’s own systems in August 2017. Whether the new guidance provides an impetus for companies to disclose these incidents more frequently remains to be seen.

Risk factors

Companies should consider whether cybersecurity risks and incidents are among the company’s most significant risks, taking into account prior incidents and the probability of occurrence and potential magnitude of future incidents. Among other things, a company’s risk factors could appropriately address the adequacy and costs of preventative actions and protections (such as insurance), the possibility of theft of assets (such as intellectual property and personal information), the potential for reputational harm, disruption to operations and loss of revenue, legal and regulatory requirements and, with regard to any incidents, the costs associated with remediation, investigation and litigation.

One important point to consider in crafting risk factors is the need to provide context by including disclosure regarding prior material incidents. As emphasized in the guidance, “if a company previously experienced a material cybersecurity incident involving denial-of-service, it likely would not be sufficient for the company to disclose that there is a risk that a denial-of-service incident may occur.”

As always, the SEC cautions companies to “avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors.” Generic disclosure is an issue that applies to all disclosure, but seems to be especially problematic in connection with risk factors.

Observations and commentary

  • According to Audit Analytics, over 90% of the Russell 3000 include risk factors regarding cybersecurity.

  • At a meeting of the SEC’s Investor Advisory Committee at the end of 2017, the Committee debated a discussion draft regarding cybersecurity risk disclosure. The draft advocated that, when it comes to disclosure of cybersecurity risk, public companies could and should be doing more: “Although under the current regulatory regime companies disclose certain risks or loss events associated with cybercrime, such disclosures often appear to be minimal and/or boilerplate, and do not provide investors with sufficient information on the company’s ability to address cybersecurity concerns. The nature of the…past attacks is commonly described in terms so general investors have no ready way of assessing whether those attacks are likely to recur. Given the gravity of risks associated with cyberattacks, investors have a right to know whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber-risk oversight.” The draft advocated disclosing “specific, non-proprietary and non-sensitive information” about prior cyberattacks, including “summary information derived from root-causes analyses of how the attacks were or were not successful, to clarify the nature and significance of ongoing risks.”

Other disclosure areas

The guidance also advises that companies consider whether cybersecurity or cyber incidents should be included as part of their discussions of MD&A, business, legal proceedings, financial statements and board risk oversight. For example, in MD&A, risks related to cybersecurity could represent an event, trend or uncertainty that is reasonably likely to have a material effect on results of operations, liquidity or financial condition. Likewise, a material cyber incident could cause reported financial information to be a poor indicator of future operating results or financial condition. In this analysis, factors to be considered include the cost of cybersecurity efforts and ongoing enhancements, the costs and other consequences of cybersecurity incidents, and the risks of potential cybersecurity incidents. Other factors may include the potential loss of intellectual property; the costs of insurance; and costs related to litigation and regulatory investigations, preparing for and complying with proposed or current legislation, engaging in remediation efforts and addressing harm to reputation; as well as the loss of competitive advantage that could result from an incident. The impact on reportable segments should also be considered.

With regard to business operations, companies should consider disclosing incidents or risks that could materially affect their products, services, relationships with customers or suppliers or competitive conditions. That could include, for example, incidents that affect the viability of a new product or theft of customer information that might affect the company’s reputation and competitive position.

Companies are required to disclose the extent of their boards’ role in risk oversight, including how the board administers that function. If cybersecurity risks are material, the SEC believes that the board’s role in overseeing that risk should be discussed, along with the company’s cybersecurity risk management program and how the board engages with management on cybersecurity issues.

Observations and commentary

  • While the guidance was adopted unanimously, some of the SEC Commissioners were not exactly enthused about it, viewing it as largely repetitive of the 2011 guidance—and hardly more compelling. The SEC will be looking at feedback about whether any further guidance or rulemaking is needed.

  • Some of that feedback is already here—from two of the Commissioners. In a published statement, Commissioner Jackson expressed his reluctant support for the guidance, which, he said, “essentially reiterates years-old staff-level views on this issue. But economists of all stripes agree that much more needs to be done.” That includes the White House’s own Council of Economic Advisers, which Jackson quoted at length: Companies may tend to underinvest in cybersecurity, the Council’s report said, but regulators can provide investment incentives through, for example mandatory disclosure requirements. However, the report continued, “the effectiveness of the SEC’s 2011 Guidance is frequently questioned. There are concerns that companies underreport events due to alternative interpretations of the definition of ‘materiality’…. There are also concerns that the disclosure requirements are too general and do not provide clear instructions on how much information to disclose, and that they therefore ‘fail to resolve the information asymmetry at which the disclosure laws are aimed.'”

  • In his Tulane remarks, Jackson shed more light on the reasons for his reluctance to fully endorse the SEC guidance: the “rising cyber threat,” he maintained, is “the most pressing issue in corporate governance today,” and guidance alone was not enough to address it. In particular, Jackson advocated adoption of an 8-K disclosure requirement in the event of a material cyber incident. He was apprehensive that the types of judgments required under the guidance “have, too often, erred on the side of nondisclosure, leaving investors in the dark—and putting companies at risk.” In a study by Jackson and his staff, in 2017, 97% of companies that suffered data breaches did not file an 8-K, although he acknowledged that it was likely that not all of those incidents were material. What’s more, Jackson expressed concern that financially motivated hackers would seek to profit by trading on their knowledge of the breach before the investing public discovered what they had done. To tackle this problem, Jackson suggested that the insider trading laws might be expanded beyond “insiders” to address traders that take advantage of nonpublic information about a breach, even when the trader is not a corporate insider. As these remarks signal, Jackson, who has just begun his term at the SEC, has a lot of ideas on this topic and appears to have no plans to drop the subject.

  • Commissioner Kara Stein likewise “supported the Commission’s guidance, but not without reservation.” In her statement, she indicated that she was “disappointed with the Commission’s limited action.” While the guidance includes “valuable reminders,” she said, the problem “is that many of these reminders were offered by the staff back in 2011. If our staff has already provided guidance regarding cyber-related disclosures, the question, then, is what we, as the Commission, should be doing to add value given seven additional years of insight and experience…. The more significant question is whether this rebranded guidance will actually help companies provide investors with comprehensive, particularized, and meaningful disclosure about cybersecurity risks and incidents. I fear it will not…. That is why, as I have remarked before, it is imperative that the Commission do more. As we have heard from a variety of commenters since the 2011 staff guidance, guidance, alone, is plainly not enough. This makes it all the more confusing that the Commission more or less reissued that very guidance. Simply put, seven years since the staff guidance was released, despite dramatic increases in cyberattacks and their related costs, there have been almost imperceptible changes in companies’ disclosures. This to me strongly suggests that guidance alone is inadequate.” These critiques may suggest that the SEC is primed for further rulemaking if the new guidance does not bring improved results.

  • According to a study from the NACD, only 19% of corporate directors agreed that their boards have “a high level of understanding” of cyber risks, and a survey from the Harvard Business Review found that only 8% of directors viewed cybersecurity as a “strategic threat.” Nevertheless, notably absent from the SEC’s guidance was a proposed recommendation from the SEC Investor Advisory Committee to require companies to provide disclosure about board cybersecurity expertise, using essentially a “comply or explain” approach. The potential recommendation would have required information on whether any director “has experience, education, or expertise in cybersecurity, and if not, why a company believes that such board-level resources are not necessary for the company to adequately manage cyber risks.” Those advocating the disclosure viewed cybersecurity as analogous to financial statement audit risk in that it is a risk to which all companies are exposed; as a result, like financial expertise, board cyber expertise was appropriate. However, the possible recommendation was certainly contentious: one committee member viewed board expertise in cybersecurity as a bit like a “melting ice cube.” Instead, he argued, the question should be whether adequate resources have been made available to the board. Notably, a bipartisan bill introduced in the Senate, the “Cybersecurity Disclosure Act of 2017,” would have mandated SEC rules requiring disclosure of board expertise or experience in cybersecurity, and, if none, disclosure of other cybersecurity-related actions performed by the company that were taken into account by the nominating committee. According to Audit Analytics, the number of directors of public companies with cybersecurity experience grew from five in 2012 to more than 20 in 2016.

See Part 2, SEC Brings Enforcement Action For Failure To Issue Timely Disclosure of Cyber Breach, to see how the new guidance played out in an enforcement action announced in April 2018.

Update on Dealing with Government Investigations in Audit Responses

In the fall 2016 issue of In Our Opinion, I wrote an article entitled Dealing with Government Investigations in Audit Responses that focuses on the SEC enforcement action against RPM International Inc. and its general counsel. A federal court subsequently denied the defendants’ motions to dismiss the SEC action. Sec. & Exch. Comm’n v. RPM Int’l, Inc., 282 F. Supp. 3d 1 (D.D.C. 2017). RPM involved a qui tam complaint against the company for violation of the False Claims Act. Although filed confidentially, the complaint was shared along the way by the government with the company, but the underlying potential liability was not disclosed by the company until later. The article also discusses Indiana Pub. Ret. Sys. v. SAIC, Inc., 818 F.3d 85 (2d Cir. 2016), which involved a company’s failure to disclose a government investigation regarding its overcharging the City of New York following the indictment of two employees and threats of recoupment by the mayor of New York.

In September 2017, the U.S. District Court for the Southern District of New York in Menaldi v. Och-Ziff Capital Mgmt. Group LLC, 277 F. Supp. 3d 500 (S.D.N.Y. 2017), found that Och-Ziff did not comply with generally accepted accounting principles by failing to disclose, as required by Accounting Standards Codification 450-20, potential loss contingencies after it received subpoenas from the U.S. Department of Justice (DOJ) and the SEC relating to violations of the Foreign Corrupt Practices Act (FCPA). Although the court dismissed Rule 10b-5 claims against Och-Ziff for failure to disclose the potential loss contingency, finding that the plaintiff failed to adequately plead scienter, the decision could be read to indicate that receipt of a subpoena is sufficient to show a claimant’s manifestation of awareness of a claim. This shifts the standard for required disclosure (and potentially accrual) under ASC 450-20, as interpreted by the Second Circuit in SAIC, from being probable of assertion as an unasserted claim to being reasonably possible as a threatened claim. In my view, however, a proper reading of the court’s decision in Menaldi indicates that whether a subpoena is sufficient to show manifestation of awareness of a claim depends upon the particular circumstances, including what the subpoena indicates about a possible claim and what the company knows of the underlying basis for that claim.

Menaldi was a securities class action lawsuit against Och-Ziff and certain of its officers and employees alleging various violations of the federal securities laws for failure to disclose improper payments and related government regulatory proceedings and investigations involving its mining activities in Africa. After Och-Ziff entered into a deferred prosecution agreement with the DOJ admitting violations of the FCPA and a settlement with the SEC under which it paid over $400 million as disgorgement, the plaintiff filed a new complaint that included a claim that Och-Ziff engaged in fraudulent financial reporting because it failed to disclose the potential financial impact of the government investigation as required by ASC 450-20.

The court analyzed the requirements of ASC 450-20 and found that Och-Ziff’s failure to disclose the FCPA investigation and its potential consequences was a violation of those requirements. The court, citing the SAIC decision, began with what it called the “threshold question” of whether there was a manifestation by the government of an awareness of a possible claim, shifting the applicable standard for disclosure from the “probability standard” to the “reasonable possibility standard.” The court acknowledged that the manifestation in this case was not as strong as in SAIC, but nevertheless found adequate allegations that the detailed subpoenas concerning its African ventures made Och-Ziff aware that there was an active investigation that could lead to the government’s filing of a claim against it, and that a loss was reasonably possible (i.e., in ASC 450-20 terms, that the likelihood of an adverse outcome was “more than remote”).

Although the court found that ASC 450-20 had been violated, it ruled that the plaintiff had not adequately pled scienter as a basis for a Rule 10b-5 claim, distinguishing SAIC where the defendant company received the results of its internal investigation, knew about the kickback scheme, and was aware of the potential fines and penalties and loss of contracts. Quoting from Godinez v. Alere, Inc., 272 F. Supp. 3d 201, 219 (D. Mass. 2017) (plaintiff adequately alleged that company had sufficient reason to know a product recall was likely so that it should have accrued or disclosed a loss contingency under ASC 450-20), the court stated that, “[T]he existence of a subpoena does not, without more, give rise to a strong inference of scienter on the part of senior management.” In finding as well the absence of reckless conduct, the court described ASC 450-20 in terms that should provide some comfort as follows:

ASC450 is not a ‘reasonably simple and straightforward accounting rule.’ . . . The rule requires many judgment calls in deciding how to respond to contingencies. . . . [T]his claim involves an omission that is based on a qualitative accounting rule rather than an affirmative misstatement about a pending investigation.

277 F. Supp. 3d at 516.

Thus, although a subpoena can be the basis for having to disclose a loss contingency under ASC 450-20, that is not always the case, and a more detailed analysis is required. One lesson from Menaldi is that a company is well advised to look harder at the need for disclosure when it has received a subpoena, and to accelerate internal efforts to determine if there is an underlying basis for claims related to the subject matter of the subpoena. A company may take some comfort in the ability to exercise judgment regarding the requirements of ASC 450-20 based upon the court’s characterization of that accounting rule. However, for a lawyer responding to an audit request, the effect of Menaldi when there is a subpoena that may be a harbinger for government claims likely will be to prompt disclosure in more circumstances of a matter as a threatened claim, rather than as an unasserted claim.

Limiting the Scope of Post-Closing Actions in Private Mergers & Acquisitions: The Role of Non-Reliance and Integration Clauses in Delaware

One of the most important issues in the acquisition of a private company is whether an aggrieved buyer can make a fraud claim against the seller after closing based upon representations made outside the four corners of the acquisition agreement (“extra-contractual representations”). As one would expect, Delaware courts rely heavily on the language of the agreement to resolve this issue. Established precedent makes clear that “a standard integration clause[] without explicit anti-reliance representations . . . will not relieve a party of its . . . extra-contractual fraudulent representations.” FdG Logistics LLC v. A&R Logistics Holdings Inc., 131 A.3d 842, 859 (Del. Ch. 2016). Instead, the agreement must contain “language that . . . can be said to add up to a clear anti-reliance clause. . . .” Thus, parties to acquisition agreements would be well advised to take additional care when drafting and negotiating these provisions.

According to a 2017 Deal Study (which analyzed publicly available definitive acquisition agreements for transactions in which private targets were acquired by public companies), 55 percent of private acquisition agreements completed in 2016 and the first half of 2017 contained an express non-reliance provision, a 15 percent increase from the same study conducted in 2014. This provision amounts to a representation by the buyer that it only relied on the representations expressly set forth in the acquisition agreement. If enforced, a clear non-reliance provision will prohibit a buyer from bringing a post-transaction fraud claim against the seller based on any extra-contractual representations.

Unlike in other jurisdictions, the enforceability of a non-reliance provision is the subject of a considerable body of case law in Delaware. These cases establish that acquisition agreements “without explicit anti-reliance representations” will not bar a claim for fraud. Abry Partners V, L.P. v. F & W Acquisition LLC, 891 A.2d 1032, 1059 (Del. Ch. 2006). Instead, the agreement must include “language that . . . can be said to add up to a clear anti-reliance clause by which the [buyer] has contractually promised that it did not rely upon [extra-contractual representations in executing the agreement].” This approach properly balances the law’s abhorrence of fraud and the strong tradition of freedom of contract under Delaware law.

In light of these policies, Delaware courts strictly construe non-reliance provisions when determining whether the provision bars a fraud claim for extra-contractual representations. While Delaware law does not require the use of specific language (i.e., “magic words”), the non-reliance provision must come from the buyer’s point of view to ensure the preclusion of fraud claims for extra-contractual representations. In other words, the buyer must clearly acknowledge that it did not rely upon extra-contractual representations in executing the agreement. Yet, as explained in Prairie Capital,[1] the provision does not have to be “framed negatively” in terms of what the buyer did not rely on; it is sufficient if the provision states affirmatively what the buyer did rely on. Prairie Capital III, L.P. v. Double E Holding Corp., 132 A.3d 35, 51 (Del. Ch. 2015).

The FdG Logistics opinion is illustrative of a situation where the seller failed to shield itself from fraud claims based on extra-contractual representations because the provision was written from the perspective of the seller—not the buyer.

In FdG Logistics the non-reliance provision was formulated solely as a limitation on the seller’s representations and warranties, specifying that the seller had not made any representations and warranties other than those expressly set forth in the agreement. Accordingly, the Chancery Court found the language insufficient to bar the buyer’s fraud claims based on extra-contractual representations made during the negotiation and diligence process. The Court explained that, in balancing the imperatives of holding sophisticated parties to the terms of their contracts and of protecting against the abuses of fraud, “the court will not insulate a party from liability for its counterparty’s reliance on fraudulent statements made outside of an agreement absent a clear statement by that counterparty—that is, the one who is seeking to rely on extra-contractual statements—disclaiming that reliance.”

The following text, which is not a substitute for obtaining legal counsel, demonstrates how to draft language to avoid the result reached in FdG Logistics:

No Other Representations and Non-Reliance. Except as expressly set forth in Article [ ], neither Seller nor any of Seller’s agents, employees or representatives have made, nor are any of them making any representation or warranty, express or implied, in respect of the Seller or the Seller’s business, and any other representations or warranties are hereby expressly disclaimed. Buyer expressly acknowledges and agrees that neither Buyer nor any of Buyer’s agents, employees or representatives is relying on any other representation or warranty of Seller or any of its agents, employees or representatives, including the accuracy or completeness of any other representations and warranties, whether express or implied, except as expressly set forth in Article [ ].

To further protect the seller against a post-closing fraud claim based on extra-contractual representations, in addition to the non-reliance provision above, the agreement should include an integration clause. An integration clause amounts to a representation that the agreement constitutes the entire agreement between the parties and supersedes any prior understandings or representations by the parties. Integration clauses serve to help eliminate any potential ambiguity about the agreement’s scope—including the nature and extent of the parties’ representations and warranties as well as any agreements, conditions, remedies, and qualifications—by defining and limiting the universe of information constituting the deal terms. An example of such a provision is provided below.

Integration. This Agreement (including the Exhibits and Schedules hereto), the Ancillary Agreements and the Confidentiality Agreement constitute the entire understanding and agreement, and supersede all prior written agreements, arrangements, communications and understandings and all prior and contemporaneous oral agreements, arrangements, communications and understandings between the parties with respect to the subject matter hereof and thereof.

Because of the increased use of non-reliance provisions in private acquisitions, it is imperative that lawyers understand how these provisions interact with a standard integration clause to limit fraud liability. The purpose of a non-reliance provision is to prevent the buyer from circumventing the limitations on the sellers’ negotiated indemnification obligations by bringing a claim for fraud based on extra-contractual representations, while an integration clause serves to limit the universe of information constituting the deal terms. As this Article illustrates, a standard integration clause without an explicit anti-reliance provision is insufficient. Instead, the agreement must acknowledge that the buyer did not rely on any extra-contractual representations in entering into the transaction. Failure to incorporate language to that effect could result in significant unintended liability for your client.


[1] Prairie Capital III, L.P. v. Double E Holding Corp., 132 A.3d 35, 51 (Del. Ch. 2015). 

So You Want to Put a Bitcoin ATM in a Coffee Shop

This writer received three cold e-mails in two weeks asking for legal help around operating a bitcoin ATM (BTM). (For ease of reference we call these machines BTMs, but they generally serve other virtual currencies, including Ether and Litecoin.) Each groundbreaker asked: “What are the legal requirements for an operator putting a BTM in, say, a coffee shop?” Lawyers and businesspeople work on the assumption that for every one person who asks you a question, 100 others also want to ask you the same question or are asking someone else. Ergo, this Flash.

BTMs

So, what’s a BTM? Well, it has the body of a regular ATM, but the motor of a bitcoin trader.

BTMs allow you to purchase bitcoin (BTC) and other virtual currencies. Some BTMs offer bidirectional functionality enabling both the purchase of BTC as well as the redemption of BTC for cash.

Behind the scenes, most BTMs facilitate exchanges of BTC for money. They act as an intermediary between a buyer and seller, typically connecting through an exchange site. On the buy side, after the user signs on, goes through KYC (Know Your Customer, which refers to the operational process of identifying and verifying the identity of customers), and designates the wallet where he or she would like the BTC sent, the user inserts cash to buy BTC. The cash value is transmitted by the BTM operator to an exchange to settle the virtual currency trade with a seller. After settling, the purchased BTC is sent to the user’s wallet. The sell side of bidirectional ATMs operates basically the same, but in reverse.

In another model, BTMs are built to execute transactions directly between the user and the BTM operator. The user buys BTC from the operator who holds a reserve of the virtual currency in its own digital wallet with no third parties involved.[1]

Top of the Legal Requirements Punch List

Whether a BTM operator is a regulated money services business under federal law and a money transmitter under state law occupies the top spots on the BTM operator’s legal punch list.

FinCEN Money Services Business

Under the federal Bank Secrecy Act and its implementing FinCEN regulations, a money services business is defined to include a money transmitter, which is a person who “provides money transmission services . . . or [is] engaged in the transfer of funds.” 31 C.F.R. § 1010.100(ff)(5)(i)(A), (B). The term “money transmission services” means “the acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means.” 31 C.F.R. § 1010.100(ff)(5)(i)(A). Stated more plainly, you are a money services business if you accept currency or value from one person and transmit currency or value to another person or location.[2] “Currency” is understood to represent coin and paper money of the United States or of any other country that is designated as legal tender, but “value” would encompass virtual currency.

BTM operators who act as an intermediary between buyers and sellers must register with FinCEN as a money services business. A BTM operator engages in money transmission services if it accepts currency from its users and transmits currency or value to another person or location (e.g., the exchange) to settle the trade. Generally, BTM operators register with FinCEN.

Registering with FinCEN is not difficult, but the related compliance obligations take some upfront and ongoing work. Registration can be completed online through FinCEN’s website. Registration is straightforward and does not have an approval process—it’s automatic. Registrants have a number of compliance obligations, however. The central one is adopting a written anti-money-laundering (AML) program, which must include implementing a variety of KYC policies and procedures. Other obligations include appointing an AML officer, putting in place annual AML training, making suspicious activity and currency transaction reports, keeping transaction records, and undergoing periodic, independent audits. The FinCEN webpage contains links to money services business obligations.

State Money Transmitter

Virtually every state has a money transmitter law, which is an analog to the federal Bank Secrecy Act/FinCEN regulations for money services businesses. These state laws include licensing requirements. The licensing trigger language varies from state to state. Many states follow FinCEN’s formulation—accepting currency or value from one person and transmitting it to another person—but many do not. Some states only cover fiat currencies, while others cover both fiat and virtual currency. At least one state only covers transmitting money internationally. Mass. Gen. Laws ch. 169, § 1. Because state money transmitter laws are a hodge-podge in terms of applicability and compliance requirements, a determination as to whether a BTM operator needs a money transmitter license in a particular state requires legal analysis specific to each state in which the operator operates a BTM. A BTM operator that has BTMs in a number of states could be licensed in some states, but not others.

Obtaining a state money transmitter license is not as easy as registering with FinCEN. A detailed application must be completed, financial statements provided, surety bond obtained, fingerprints for officers, directors, and individual 10-percent owners submitted, and background investigations on them conducted. It generally takes three to six months for an application to be approved, but can be one year or more in a few states. There can be ongoing obligations, including setting aside collateral equal to the value of transactions handled, reporting, and record keeping. Finally, licensees are subject to periodic examination by the licensing authority.

What Else?

A BTM operator’s legal punch list will include other laws, such as the Gramm-Leach-Bliley Act’s privacy and information security requirements, the CFPB’s UDAAP enforcement authority,[3] and applicable laws of the state in which the BTM is located.


[1] BTMs configured to conduct one-sided transactions in this way may be outside the scope of some state money transmitter laws and their licensing requirements. The Illinois Department of Financial and Professional Regulation has taken this position. See Digital Currency Regulatory Guidance, Illinois Department of Financial and Professional Regulation, at 6 (June 13, 2017). There may also be a similar argument in analyzing the applicability of the federal money services business requirements discussed below, but this further analysis is outside the scope of this Flash. You will see in this discussion that the federal law on this subject is written broadly, and with all the legal uncertainty around tokens and coins at the moment, it would be prudent to proceed conservatively in this area at this time.

[2] Note that the regulation indicates that a money services business also includes a “person engaged in the transfer of funds.” 31 C.F.R. § 1010.100(ff)(5)(i)(B). The supplementary material accompanying the issuance of the regulation states that “[t]his phrase was removed from the definition. . . The final rule, however, includes this phrase to minimize any possible confusion regarding whether there has been a change to the scope of the definition of ‘money transmitter.’ The scope of the definition of ‘money transmitter’ in this final rule is the same as that of the prior regulatory definition.” 76 FR 43585, 43593 (July 21, 2011). This commentary suggests that this additional prong of the definition is not intended to expand the scope of who is a money services business, but rather to avoid confusion. “Engaging in the transfer of funds” on its face is susceptible to broad interpretation, but this commentary is helpful in limiting its reach.

[3] The Consumer Financial Protection Bureau has the authority to take action against persons providing consumer financial products or services in an unfair, deceptive, or abusive manner. The CFPB published a consumer advisory on virtual currencies in August 2014. In this advisory, the CFPB warns consumers of “high transaction fees” charged by BTMs. See CFPB Consumer Advisory: Risks to Consumers Posed by Virtual Currencies, at 3 (Aug. 2014). BTM manufacturers should be mindful of the CFPB’s UDAAP authority and should configure their machines in a way that gives prominent and effective disclosure of transaction costs.

Language Lab

As both a practitioner and a law professor, I have noticed over the years how careless lawyers and law students are with language. That carelessness manifests itself in misused words, misspellings, and rampant errors of grammar and punctuation.

Why should you care? Here is the reason: The English language supplies the tools of our profession. Language skills are therefore of critical importance to the ethical obligation of competence. With them, you are better able to communicate, and paying attention to this subdiscipline enhances your ability to concentrate and deploy your language skills to great effect in legal practice. Furthermore, people—including colleagues and the client population—will judge you by, among other things, the way you present yourself in both spoken and written discourse.

Language Lab is a new feature that will appear periodically in Business Law Today. This column will address common errors in grammar, usage, spelling, and punctuation. Comments and suggestions for future columns are heartily welcomed.

Bi-annual/Biannual

The first time I saw the word “bi-annual” (or biannual—both spellings are in use), I thought it was either a typo or a malapropism. It has found its way into the modern lexicon, however, and is defined somewhat confusingly (if not precisely contradictorily) to mean both twice a year and once every two years. At best, therefore, this neologism is ambiguous.

For lawyers, that will not do. We require precision in communication. Imagine interpreting a contract containing this word. What would you say is the intent of the parties?

Early in my career, a senior partner with superb transactional and semasiological skills (no, that’s not a typo; look it up!) told me, “When drafting a document, if you do your job properly, it will never end up in court.” To be sure, he was a product of a less litigious time than our own. But even if in these days, when frivolous claims proliferate, a document you drafted should end up in court, you want to be sure that the trier of fact construing the document does not have any uncertainty about its meaning.

So what does this “bi-” prefix do to the word “annual”? Does it operate like “bifocals”? “Bilateral”? “Bisexual”? “Bicameral”? “Bifurcated”? “Bilingual”? “Bi-coastal”? Some of these refer to two objects; others to one.

According to the dictionary definition, “bi-annual” (or “biannual”) is regarded as interchangeable with “biennial” and “semi-annual,” but these are not equivalencies. Treating them as such may be all right for marketing departments but not for lawyers. (Indeed, I would urge even marketing departments to avoid misusing these words because doing so might end up being costly.)

The solution is simple: Avoid ambiguity! If you wish to indicate with a single word something done twice a year, use the word “semi-annual”; if you mean to indicate something done once every other year, use “biennial.” The same principle applies for “semi-monthly” (which means twice a month) and “bimonthly” (which, properly used, means once every two months, although here again the dictionary definition is ambiguous).

So if you have a septic field at your house that you need cleaned once every two years, do not sign a contract with the septic cleaner dude that says “biannual,” unless you are willing to see his smiling face and write him a check twice each year (that is why he is smiling)!

Bye-bye, now.

New Rules for Mandatory Privacy Breach Notification in Canada: What U.S. Organizations Need to Know

Background

On April 18, 2018, the Government of Canada (Innovation, Science and Economic Development Canada) published the final regulations relating to the mandatory reporting of privacy breaches under Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”). These regulations (the “Regulations”), which include fines of up to CAD $100,000 for non-compliance, will come into force on November 1, 2018.

By way of background, within Canada, PIPEDA applies to:

  • all private sector organizations regulated by provinces that do not have substantially similar private sector privacy legislation (all provinces except Alberta, British Columbia, and Quebec), that collect, use, or disclose personal information in the course of their commercial activities;
  • federal works, undertakings and businesses (i.e. airlines, banks, interprovincial railways/trucking, and broadcasting, including the employees of those organizations); and
  • all personal information that flows across provincial or national borders in the course of commercial transactions.

Outside of Canada (and as discussed further, below), PIPEDA applies to foreign organizations (including those situated in the United States) that have a real and substantial connection to Canada and that collect, use, or disclose the personal information of Canadians in the course of their commercial activities.

Why should organizations both within and outside Canada pay careful attention to this legislative update? To date, much of the Canadian private sector and other organizations subject to PIPEDA have not been subject to mandatory privacy breach notification. With the exception of Alberta, data breach reporting under PIPEDA has been voluntary for private sector organizations across Canada. However, the recent amendments to PIPEDA and the Regulations will mean that private sector organizations subject to PIPEDA will soon face mandatory breach reporting and record-keeping requirements, which will require organizations to revise their internal privacy policies and procedures to ensure compliance with these significant legislative changes.

Below, we provide a brief overview of the key provisions to which organizations should be turning their minds as the coming-into-force date approaches.

Breach Notification Provisions in PIPEDA

Overview

In June 2015, Canada passed Bill S-4 – The Digital Privacy Act into law. This bill made a number of important amendments to PIPEDA relating to mandatory breach notification and record-keeping. Once these provisions come into force, organizations subject to PIPEDA will be required to report privacy breaches in certain circumstances to affected individuals and to the Office of the Privacy Commissioner of Canada (the “Commissioner”).

Pursuant to section 10.1 of PIPEDA, organizations will need to both notify individuals (unless prohibited by law) and report to the Commissioner all breaches of security safeguards involving personal information under their control where it is reasonable to believe that the breach creates a “real risk of significant harm to the individual” (we refer to this legal test as the “notification threshold”). This must be done “as soon as feasible” after the organization determines that the breach has occurred, and the notification to affected individuals and report to the Commissioner must contain certain prescribed information, as noted below.

In determining whether the above notification threshold has been met, there are a number of definitions that organizations must keep in mind. A “breach of security safeguards,” for instance, means the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from: a) a breach of an organization’s security safeguards (referred to in clause 4.7 of Schedule 1), or b) a failure to establish those safeguards. The term “significant harm” on the other hand includes, among other harms, humiliation, damage to reputation or relationships, and identity theft. A “real risk” will require the consideration of such factors as the sensitivity of the information, the probability of misuse, and any other prescribed factor.

Content and Manner of Report to the Commissioner

The report to the Commissioner must be in writing and be submitted by any secure means of communication. The Regulations require this report to contain certain information, including but not limited to a description of the circumstances of the breach and, if known, the cause; a description of the steps that the organization has taken to reduce the risk of harm to affected individuals or to mitigate that harm; and a description of the steps that the organization has taken or intends to take to notify affected individuals of the breach. The Regulations also consider that an organization may not have all the information it needs at the time that a report is made, and as such, explicitly allow an organization to submit new information to the Commissioner after the initial report has been turned in. This is one important change that has been implemented by legislators since the draft regulations were released in September 2017.

Content and Manner of Notification to Affected Individuals

The notification to affected individuals must contain sufficient information to allow the individual to understand the significance of the breach to them and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm. The notification must also contain certain information, such as a description of the circumstances of the breach and the personal information that was affected, the steps the organization has taken to reduce the risk of harm that could result from the breach, and contact information that affected individuals can use to obtain further information about the breach.

With respect to the manner of notification, notification must be conspicuous and given directly to the affected individuals either by phone, mail, email, in person, or by any other form of communication that a reasonable person would consider appropriate in the circumstances. In prescribed situations, however, indirect notification will also be acceptable.

Organizations may give indirect notification to affected individuals where direct notification would be likely to cause further harm to the affected individual, cause undue hardship to the organization, or where the organization does not have contact information for the affected individual(s). This form of notification must be given either by public communication or similar measure that could reasonably be expected to reach the affected individuals. That said, while organizations may be tempted to rely on indirect notification in order to avoid the costs associated with notifying individuals directly, it is not yet clear whether such public communications will be considered by regulators to be a reasonable method of communication in practice.

Notification to Other Organizations

In addition to notifying affected individuals and the Commissioner, it is important to note that PIPEDA will now require organizations to notify a third group, namely government institutions or other organizations if the organization believes that the institution or other organization may be able to reduce or mitigate the risk of harm to the affected individuals.

Mandatory Record-Keeping for all Breaches

Additionally, PIPEDA will now require organizations to keep and maintain records of all breaches of security safeguards. This means that regardless of whether the breach notification threshold is triggered, an organization must maintain a record of every such breach for a period of 24 months from the day that the organization determines that a breach occurred. These records must be provided to the Commissioner upon request and they must contain sufficient information to allow the Commissioner to verify compliance with PIPEDA’s breach reporting provisions. Organizations should not ignore this new record-keeping provision, particularly in light of the financial penalties they will soon face for non-compliance.

Enforcement and Penalties

In order to enforce these new breach reporting and record-keeping requirements, PIPEDA now includes financial penalties. Specifically, if an organization knowingly violates either of these requirements, it will face fines of up to $100,000 CAD. While these financial penalties in no way come close to the prospective penalties under the European General Data Protection Regulation (GDPR), they clearly ‘add teeth’ to the above-noted requirements.

Implications for U.S. and Other Foreign Businesses

As noted in our last article and as underscored by recent Canadian jurisprudence[1] relating to the extra-territorial reach of Canadian privacy legislation, foreign organizations that have a real and substantial connection to Canada and that collect, use, or disclose the personal information of Canadians in the course of their commercial activities are subject to PIPEDA. Accordingly, such organizations must ensure that their corporate privacy and data management practices align with the legislative amendments outlined above.

Accordingly, we recommend that such organizations review, revise, and implement new privacy policies and procedures prior to November 2018 to ensure compliance with the mandatory privacy breach notification, reporting, and record-keeping requirements under PIPEDA. The legal threshold for breach notification and reporting must be carefully considered and organizations should consider creating a breach response plan in advance of any breaches. Finally, a fine-tuned record keeping system will be crucial to ensuring that all breaches of security safeguards are recorded by the impacted entity in a thorough and consistent manner.

[1] See, for example: T.(A.) v. Globe24h.com [2017] F.C.J. No. 96.


Lisa R. Lifshitz

Tussling Over Preemption: Emerging Battleground Between State Authorities and Student Loan Servicers

After an unexpectedly slow start, the Trump administration’s deregulatory push finally gained momentum in late 2017.

In the field of student lending, this regulatory slowdown affected the Department of Education (DOE), the Consumer Financial Protection Bureau (CFPB), and the Department of Justice (DOJ). Unwilling to let this vacuum stand, various states invoked their own consumer protection laws and passed new regulations regarding some of the most visible participants in the student loan market: the DOE’s servicers of federal student loans, the middlemen between borrowers and the market’s biggest lender. In response, the DOJ and DOE have sought to stymie these efforts by invoking an argument infrequently made in prior years: essentially, federal law—they now argue—preempts all such state regulatory action.

This article examines these events and summarizes likely arguments.

State of the Law

Federal Government’s Regulatory Framework for Post-Secondary Education

Passed to keep the door to higher education open to all students of ability regardless of socioeconomic background, the Higher Education Act of 1965 (HEA) commenced the federal government’s large-scale involvement in higher education. Among other initiatives and programs, this far-reaching statute established the Federal Family Education Loan Program (FFELP), a now-defunct system of loan guarantees meant to encourage lenders to loan money to students and their parents on favorable terms.

The HEA authorized the secretary of DOE to “prescribe such regulations as may be necessary to carry out the purposes” of the act and served as the legal anchor for numerous DOE regulations. The Health Care and Education Reconciliation Act of 2010 (HCERA) dismantled the FFELP. Although current loans remained unaffected, HCERA left the Federal Direct Loan Program, created in 1993, as the sole source of federal student loans. In addition, HCERA limited private participation in this program to servicers alone.

Once a student graduates, loan servicers act as the primary point of contact between borrowers and the federal government. Because of their prominent role, servicers have attracted the attention of state and federal officials. The DOE currently contracts with eight private servicers.

As of January 1, 2018, the DOE has three Title IV Additional Servicers (TIVAS): (1) Navient Corporation (Navient); (2) FedLoan Servicing, an affiliate of the Pennsylvania Higher Education Assistance Agency (PHEAA); and (3) Nelnet, Inc.

The DOE has an additional five for-profit servicers: (1) the Missouri Higher Education Loan Authority (MOHELA); (2) Granite State Management & Resources; (3) the Oklahoma Student Loan Authority (OSLA); (4) the Higher Education Servicing Corp. (HESC) and EdFinancial on behalf of the North Texas Higher Education Authority; and (5) CornerStone.

For decades, the federal government routinely defended these servicers against borrowers’ lawsuits with precisely the same argument. For example, on October 1, 1990, the DOE contended that its regulations governing the FFEL Program, then known as the Guaranteed Student Loan program, preempted state laws regarding the conduct of loan collection activities.

A second such instance took place 19 years later. In 2009, the DOJ, on behalf of the DOE, advanced a reading of the DOE’s operating statutes in Chae v. SLM Corporation, a case launched against Sallie Mae, a FFEL program loan servicer, in the U.S. District Court for the Central District of California. Specifically, the DOJ argued in its motion for summary judgment that the state consumer protection laws on which the plaintiffs relied conflicted with federal law and were thus preempted. Both the district court and the Ninth Circuit agreed.

Preemption

Within its prescribed sphere, federal law reigns superior to any state law counterparts pursuant to the Supremacy Clause of the U.S. Constitution. The doctrine of “preemption,” the displacement of state law by federal law, constitutes a subset of the field of “federalism.” It dates back to Chief Justice John Marshall’s core “conviction” in McCulloch v. Maryland: “[T]he States have no power, by taxation, or otherwise, to retard, impede, burden, or in any manner control the operations of the constitutional laws enacted by Congress, to carry into effect the powers vested in the national government.” It can take one of three forms: (1) express preemption; (2) conflict (implied) preemption; and (3) field (implied) preemption.

Regardless of the version, Congress’s purpose remains the ultimate touchstone in every preemption case. Federal courts, moreover, tend to favor a presumption against preemption.

Express preemption occurs whenever Congress or a federal agency enacts a law that directly revokes specified powers from the states. Customarily, the Supreme Court has narrowly and strictly construed these explicit provisions to preserve traditional areas of state regulation regarding health, safety, and welfare. As it has often repeated, to displace traditional state regulation, the federal statutory purpose must be “clear and manifest.” For this reason, when a statute’s express preemption clause is susceptible to more than one plausible reading, federal courts ordinarily decline to adopt the preemptive one.

Field preemption, alternatively, requires examination not of a statute’s text, but rather its structure and purpose. It typically arises where a federal regulatory scheme occupies the legislative field. In some cases, courts have found field preemption when federal law is so pervasive and comprehensive as to compel the inference that Congress left no room for state-level regulation. In other cases, “an Act of Congress touches a field in which [the] federal interest is so dominant[,] that . . . the federal system will be assumed to preclude enforcement of state laws on the same subject.” With certain important exceptions, bankruptcy law constitutes one of the more prominent examples of this kind of preemption’s application.

Like field preemption, conflict preemption does not turn on any express statement of congressional intent. Instead, conflict preemption bars a state law’s enforcement when an actual clash between state and federal law inevitably occurs. It often arises where it is impossible for a private party to comply with both state and federal requirements or where state law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress. In some cases, field preemption may be treated as “a species of conflict preemption,” where state regulatory processes are preempted by conflict with federal law as well as by field preemption—and for the same general reasons.

Impending Battle Over Federal Preemption’s Reach

Initial Forays

For years, as student loan debt crossed the $1.4 trillion mark and the number of borrowers passed 44 million, borrowers and their advocates criticized the federal government’s chosen servicers for purportedly not working on behalf of debtors’ best interests.

In 2015, capitulating to these concerns, various states began enacting laws that forced student-loan servicers to hold licenses to operate within their borders and to comply with certain consumer protection guidelines.

As these laws took effect, servicers responded with lawsuits and lobbyists. In particular, the National Council of Higher Education Resources (NCHER), a student loan industry trade group, urged the federal government to endorse the application of field and/or conflict preemption of state consumer laws purporting to regulate servicers’ conduct, in either court filings or official agency publications, as one more way of beating back these escalating efforts.

Federal Government’s Position

On March 12, 2018, the DOE formally posted a notice of interpretation (NI) contending that, under its interpretation of federal statutory and regulatory law, the DOE alone possesses the power to regulate student loan servicers.

The DOE acknowledged the motivation behind this NI: the enactment by certain states of “regulatory regimes that impose new regulatory requirements on servicers of loans” or disclosure requirements on loan servicers with respect to loans made under the HEA. Such claims, the NI asserts, “are preempted because . . . state[s have] sought to proscribe conduct Federal law requires and to require conduct Federal law prohibits.” “This is not a new position,” the NI added.

Months earlier, just as it had in Chae years prior, the DOJ had telegraphed its endorsement of this approach when it took the rare step of filing a Statement of Interest (SOI) in a Massachusetts case in defense of PHEAA, a Pennsylvania-based national servicer, pursuant to longstanding federal law.

In this document, the DOJ reasoned that the servicer’s practices are either required or authorized by federal statutes, federal regulations, or the servicer’s contract with the DOE; thus, the Massachusetts Attorney General’s state-law claims violated the Supremacy Clause.

More specifically, the DOJ argued for conflict preemption for three reasons: (1) PHEAA cannot comply with Massachusetts’ interpretation of the relevant statutes and the actual requirements of federal law; (2) Massachusetts’ claims “stand as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress” as expressed in the HEA; and (3) Massachusetts’ requested relief would likely “require PHEAA to violate its contract with DOE.”

Although the Massachusetts state court denied PHEAA’s motion to dismiss on February 28, 2018, in an opinion released on March 1, 2018, it did not address the DOJ’s preemption argument. Instead, it sidestepped the issue by narrowly construing the SOI’s text.

According to the court, the DOE was “not actually argu[ing] that any of . . . [Massachusetts’] claims . . . [are] preempted by federal law, or that any of the alleged misconduct by PHEAA at issue here is affirmatively allowed by federal law.” Instead, the SOI amounted merely to an admonition that the state’s complaint could conflict with the DOE’s requirements. Given that “any relief against PHEAA could be structured . . . as not to interfere or otherwise conflict with the . . . [DOE’s] legal rights, and it is therefore not inevitable that the . . . [DOE] will have an interest in whatever judgment may be entered,” the court was disinclined to find preemption.

Servicers applauded the DOE’s position. Within weeks, many submitted comment letters requesting the tendering of similar statements in dozens of pending state court cases. As the NCHER had already argued in the summer of 2017, state regulations can only “add an unnecessary web of regulations which are both duplicative and potentially contradictory to existing federal regulations and policies.” Already “heavily regulated” by the DOE and CFPB, “new state-level regulations” pointlessly “replicate these requirements with no additional benefit for borrowers, and at burdensome cost to servicing entities.” “To do things for some borrowers in Illinois, a different thing for borrowers in California, something else different for folks in Maine—it is a federal program and it gets confusing,” NCHER’s president maintained.

Response by State-Level Actors and Consumer Advocates

Consumer advocates and state officials have challenged these preemption arguments. With about a dozen states having recently passed or considering legislation to more strictly oversee and license federal loan servicers, two groups announced their outright opposition to any such assertion of federal preeminence. On March 2, 2018, the Conference of State Bank Supervisors, which represents regulators in all 50 states, pointed out that, “Congress has deliberately preserved this cooperative state-federal regulatory framework for nonbank financial services activities for the benefit of consumers and providers of financial services alike.” Usually, “[p]reemption of state licensing or regulation is a policy response that Congress has carefully considered and chosen to do in certain circumstances through specific legislation.” It thus saw as improper DOE’s attempt to compel preemption “through a mere interpretive notice,” a decision more rightly “rest[ing] with Congress and not with a federal agency.”

Meanwhile, in equally blunt terms, the attorneys general (AGs) of more than two dozen states rebuked this campaign, both before and after the NI’s publication. On October 23, 2017, 25 AGs wrote, “These requests defy the well-established role of states in protecting their residents from fraudulent and abusive practices. . . . The department cannot sweep away state laws that apply to student loan servicers and debt collectors.” As one signatory, Virginia’s Attorney General Mark Herring, explained, “We cannot allow student-loan servicers to sidestep state law and oversight and deny students and borrowers these vital protections from student loan abuses.” Within days of the NI’s release, 30 AGs reiterated these contentions.

Debating the Potential Ramifications of the Federal Government’s New Posture

The legal issues regarding the renewed emphasis on federal preemption by the DOE and DOJ remain largely unresolved; however, states will probably contest any such finding with three primary arguments.

First, they are likely to argue that consumer financial protection in the United States has always been a patchwork of state and federal law, so conflict or field preemption should not apply.

Second, they are likely to claim that the anti-preemptive provision of the Dodd-Frank Consumer Financial Protection Act of 2010 allows them to circumvent this danger.

Third, they may point to case law suggesting that informal position statements akin to the NI are entitled to less deference.

The DOE and DOJ likely will counter these arguments in several ways.

First, as the DOJ noted in its SOI in Massachusetts, Congress created the Direct Loan Program to simplify the delivery of student loans to borrowers and eliminate borrower confusion, provide borrowers with a variety of repayment plans, replace FFEL, minimize unnecessary cost to taxpayers and borrowers, and create a more streamlined program that can be managed more effectively at the federal level. The same can be said about the original FFEL program.

State regulation could lead to the emergence of different plans for loan forgiveness for borrowers in every state, resulting in borrowers being treated differently depending on the state in which they live, to the detriment of uniformity and efficiency. At the same time, given that more borrowers may be forgiven after fewer payments, one more objective—that of conserving taxpayer funds—may be imperiled by overly aggressive state regulation. The same hit to the U.S. Treasury would come from servicers’ requests for increased payments from the federal government to compensate for the added administrative complexity created by the need to comply with dozens of jurisdictions’ new mandates. All these harms would arguably undermine the ability of the DOE to fulfill the HEA’s obvious and dominant goals—a fact that favors preemption.

Second, the DOE could point to actual conflicts between federal and state laws and regulations with respect to servicing of loans made by private lenders and guaranteed by the federal government through the FFEL program. Depending on the state regulation, examples may include deadlines for borrower communications and requirements around the resolution of disputes raised by borrowers.

Third, and perhaps most significantly, the HEA actually contains an express preemption provision. Per this section, “[l]oans made, insured, or guaranteed pursuant to a program authorized by title IV of the Higher Education Act of 1965 . . . shall not be subject to any disclosure requirements of any [s]tate law.” The DOE has concluded that this section “encompass[es all] informal or non-written communications to borrowers as well as reporting to third parties such as credit reporting bureaus.” A court may reasonably concur.

Conclusion

Recent events indicate that the DOE and state AGs are preparing to clash over the question of whether federal preemption bars (in whole or in part) regulation by the states of federal student loan servicers. It remains to be seen how courts will resolve this coming conflict.

It’s All in the Footnotes: A Field Guide to SEC Whistleblower Awards

More than seven years since the Dodd-Frank Act’s whistleblower incentive provisions became effective, and more than five years since the first SEC whistleblower program award, only a few courts have put the program under a microscope. In the absence of meaningful case law and in light of the SEC’s practice to heavily redact orders granting and denying awards, how do we know what makes the program really tick? The short answer: it’s all in the footnotes.

In this first-of-its-kind article, we tie together more than 350 footnotes in 120 SEC whistleblower orders so that you can get easy answers to four key questions: Who qualifies for SEC whistleblower awards? What procedural rights and responsibilities do they have? When does the SEC make exceptions? And how does the SEC calculate and allocate awards?

Background

In March 2018, the SEC whistleblower program announced its largest-ever awards: $33 million to one whistleblower, and an additional $50 million to be shared between two others in the same action.[1] These awards are massive—staggering even—but they are also consistent with the SEC’s long track record of granting multimillion dollar awards to qualified whistleblowers. In fact, “[t]he SEC has awarded more than $262 million to 53 whistleblowers since issuing its first award in 2012,” and it has an Investor Protection Fund dedicated to paying any eligible whistleblowers who come forward in the future.[2] The upper limit on these awards is 10–30 percent of the monetary sanctions recovered, meaning high-quality information about high-impact securities law violations will only break these records over time.

Given these record-breaking awards, and the U.S. Supreme Court’s recent decision in Digital Realty Trust, Inc. v. Somers,[3] whistleblowers will be sprinting to the SEC, but what are the requirements to qualify for a financial award under the SEC whistleblower program, and how does a tip get submitted, evaluated, and ultimately awarded once the SEC has prosecuted its case? Although courts have increasingly weighed in on Dodd-Frank antiretaliation claims,[4] they haven’t had much chance to scrutinize the SEC whistleblower program. In fact, only six opinions have been issued at the time of this writing, and most of them were cursory and involved a pro se claimant.[5]

Luckily, there’s another way to read the tea leaves. Over the years, the SEC has created a custom of interpreting the Dodd-Frank Act and its whistleblower rules thereunder in publicly available orders granting or denying awards.[6] Although the main text of these orders can certainly provide important insights, they are often heavily redacted, and it’s more often the footnotes where the SEC provides the clearest guidance, applies the facts to the rules, and signals how it will approach novel issues in future cases.

With hundreds of footnotes scattered throughout scores of SEC whistleblower orders, it’s a daunting task to see the forest for the trees, but we’re here to help. Below we present a “field guide” to SEC whistleblower awards. Our noble goal is to restate all of the SEC’s valuable guidance in a digestible format—in other words, we comb through the fine print so you don’t have to.

Anyone who wants to understand this process should carefully consider these issues with experienced counsel, along with a host of other requirements that the SEC has not yet addressed in its orders.

Who Qualifies for an SEC Whistleblower Award?

Under the Dodd-Frank Act, a “whistleblower” is defined as “any individual who provides . . . information relating to a violation of the securities laws to the [SEC]” in a manner consistent with the SEC whistleblower rules.[7] However, only certain whistleblowers qualify for an award under the SEC whistleblower program. In the first part of our field guide, we consider footnotes related to the four main elements of eligibility: “voluntarily provided” the SEC with “original information” that “led to the successful enforcement” of a “covered . . . or related action.”[8] We also consider footnotes related to special timing issues, getting assistance from professionals like lawyers and accounting experts, eligibility of foreign whistleblowers, and potential disqualifications for providing false information.

1. Voluntarily Provided

To begin, only whistleblowers who “voluntarily” provide information to the SEC are eligible for an award.[9] This generally means that the individual has no preexisting legal or contractual duty to report the information to the SEC, and the SEC has not already sent the individual a “request, inquiry, or demand” for that information.[10] Sometimes, however, a whistleblower has already volunteered information to a government authority other than the SEC, and the SEC subsequently contacts or subpoenas the whistleblower for similar information. A November 2017 order confirmed that such a whistleblower is still eligible for an award: “a claimant’s ‘submission of information to the [SEC] will be considered voluntary if [he] voluntarily provided the same information to’ any authority of the federal government ‘prior to receiving a request, inquiry, or demand from the [SEC].’”[11] In the SEC’s view, the whistleblower did not need to provide exactly the “same information” to the other government authority; it is sufficient if the information “‘relates to the subject matter of’ the [SEC]’s later inquiry.”[12]

2. Original Information

Likewise, only whistleblowers who provide “original information” to the SEC are eligible for an award.[13] Per the SEC whistleblower rules, original information must be: (i) derived from the whistleblower’s “independent knowledge” or “independent analysis”; (ii) not already known to the SEC (unless the whistleblower is the “original source” of the information); (iii) not exclusively derived from allegations in certain public sources (unless the whistleblower is “a source” of the information); and (iv) provided to the SEC for the first time after July 21, 2010, the date Dodd-Frank was enacted.[14]

The final element is analyzed further below. As for the first three elements, various SEC orders have deemed the following examples not to be “original”: providing information that appeared to be “largely copied from a third party’s publicly-available court filings”;[15] merely providing “an article written from a press release from NASDAQ, printed in a [securities trade group] magazine”;[16] merely providing “an internet link to a news article (including information taken from that news article)”;[17] and providing a promotions mailer that the SEC had already received “several years earlier” and that “was publicly available on the internet.”[18]

Another issue is dirt provided by individuals who obtained the information through positions of trust, such as attorneys, officers, directors, public accountants, and compliance and internal audit professionals. This information is generally deemed not to be “original” under the whistleblower rules, but there are a variety of exceptions.[19] For instance, in August 2014 and April 2015, the SEC granted awards to compliance/internal audit professionals under two of these exceptions: the first whistleblower was eligible because he had reported the information up the ladder “at least 120 days before reporting the information to the [SEC],”[20] and the second was eligible because he “had a reasonable basis to believe that disclosure of the information to the Commission [was] necessary to prevent the relevant entity from engaging in conduct that [was] likely to cause substantial injury to the financial interest or property of the entity or investors.”[21] Likewise, in November 2017, the SEC granted an award to someone who had apparently received the information pursuant to up-the-ladder reporting because he had “reported the information to other responsible persons at the entity . . . or such persons knew about it, at least 120 days before Claimant reported the information to the Commission.”[22]

What about government employees? A July 2017 order clarified that, “[g]enerally speaking, an employee of a federal, state, or local government agency can . . . be eligible for an award.”[23] However, under the Dodd-Frank Act, a whistleblower is disqualified if he or she “is, or was at the time [he or she] acquired the original information submitted to the [SEC], a member, officer, or employee of” certain types of government organizations.[24] These exclusions include “appropriate regulatory authorities” and “law enforcement organizations.” Although “appropriate regulatory authority” is explicitly defined (it includes banking regulators, such as the Fed or the FDIC),[25] “law enforcement organization” is not. In the July 2017 order mentioned above, the SEC had to decide “whether the exclusion . . . applies to an entire governmental agency that may contain components with law enforcement responsibilities, or only to those divisible sub-agency components that perform the law enforcement responsibilities.”[26] The SEC ultimately granted an award to the government employee, finding that “it is reasonable to interpret the exclusion flexibly and, in appropriate cases such as this one, to apply it only to employees of a clearly separate agency component that performs law enforcement functions, rather than to all employees of an entire agency that happens to have been granted law enforcement powers among its many other separate responsibilities and powers.”[27]

3. Led to Successful Enforcement

In addition, an individual is eligible for a whistleblower award only if the original information he or she provided “led to” a successful enforcement action.[28] This is the causation element and becomes relevant only if there is original information in the first place.[29] As summarized in a November 2016 order, original information “leads to” a successful action if either: (i) “the original information caused the staff to open an investigation, reopen an investigation, or inquire into different conduct as part of a current investigation, and the [SEC] brought a successful action based in whole or in part on conduct that was the subject of the original information”; or (ii) “the conduct was already under examination or investigation, and the original information significantly contributed to the success of the action.”[30]

The second prong may be relevant when two or more whistleblowers independently provide information regarding similar conduct.[31] It may also be relevant when a sole whistleblower provides information far along into an open SEC investigation. For instance, a May 2016 order found, after the preliminary award determination had issued, that the whistleblower had “significantly contribute[d]” to the action because his tip caused the staff to focus on a certain issue, and “this evidentiary development strengthened the [SEC]’s case by meaningfully increasing Enforcement staff’s leverage during the settlement negotiations.”[32] The order noted, however, that the whistleblower would have failed the first prong because the SEC already knew about similar misconduct. The SEC explained that a tip generally causes the SEC to “inquire into different conduct” where “staff has an open investigation into one type of misconduct, and a whistleblower subsequently submits a tip alerting staff that the entity is engaged in substantially different misconduct”; not where it causes staff merely to “initiate new and more directed inquiries” into misconduct it already knew about.[33]

In making a determination under either prong, the SEC examines the administrative record—including the TCR System and TCR Repository[34]—and looks at a variety of factors related to the chronology of events and interactions among the whistleblower and various SEC stakeholders. These factors include: (1) how the Office of Market Intelligence (OMI) disposed of the tip (e.g., entering an “NFA” indicating the tip was closed and no further action should be taken, versus forwarding the tip to investigative staff for further action);[35] (2) how, if, and when investigative staff received the tip from OMI, the whistleblower, or another source;[36] (3) how investigative staff disposed of the tip (e.g., entering an NFA, versus using the tip to open or further a Matter Under Inquiry (MUI) or formal investigation);[37] (4) the extent to which investigative staff relied on the tip and worked with the whistleblower during the investigation;[38] and (5) the factual and legal nexus between the tip and the misconduct ultimately charged in the enforcement action.[39] In a June 2016 order granting an award, the SEC cautioned that this determination is fact-intensive and therefore “not precedential.”[40] In an April 2014 order, the SEC warned that although it has “a general practice of taking reasonable steps to develop the record,” the claimant has “the ultimate responsibility” to “specifically identify those correspondence or communications in which the purported ‘original information’ was provided to the Commission.”[41]

4. Covered Actions and Related Actions

Furthermore, an award is available to an otherwise eligible whistleblower only if there is a “covered judicial or administrative action,” meaning “any judicial or administrative action brought by the [SEC] under the securities laws that results in monetary sanctions exceeding $1,000,000.”[42] In an April 2016 order, for instance, the SEC denied an award in part because the monetary sanctions were less than $1 million.[43]

Whistleblower awards are calculated not just from the recovery in SEC covered actions, but also amounts collected in certain “related actions” brought by other government authorities. The related action must be “based upon” the same original information that the whistleblower provided to the SEC.[44] Eligible non-SEC entities are: (1) the U.S. Attorney General, (2) an “appropriate regulatory authority” (e.g., as noted above, banking regulators such as the Fed or the FDIC), (3) a “self-regulatory organization” (e.g., FINRA or the Municipal Securities Rulemaking Board), or (4) a state attorney general in a criminal case.[45] Related actions do not extend to other entities, and the SEC has denied claims on that basis, including in a September 2017 order.[46] In addition, the SEC’s orders have made clear that awards from related actions are available only if the whistleblower otherwise qualifies for an award in an SEC covered action.[47] In other words, if a claimant “does not qualify for an award in a Commission covered action,” the related action request will be denied.[48]

5. Special Timing Issues

1. Eligibility Begins After July 21, 2010

In many cases, an individual who provided information to the SEC prior to the enactment of Dodd-Frank has attempted to claim an award under the whistleblower program. However, as mentioned above, the whistleblower rules deem a submission to be “original information” only if it was “[p]rovided to the [SEC] for the first time after July 21, 2010 (the date of enactment of [Dodd-Frank]).”[49] This eligibility start-date rule can make or break awards, even for committed whistleblowers.

In an October 2013 order, the SEC denied an award claim in part because the individual’s SEC reporting efforts—which spanned four years and preceded a $19 million enforcement action—occurred completely prior to the enactment of Dodd-Frank.[50] The claimant challenged the start-date rule, but after a lengthy analysis, the SEC concluded that “the whistleblower statutory provisions do not authorize awards for information originally provided prior to Dodd-Frank’s enactment” and “our interpretation of ‘original information’ ensures that the [Investor Protection] Fund is used to reward those who provide new, high quality tips, not to pay for information that was already in the Commission’s possession on July 21, 2010.”[51] The claimant appealed to federal court, and in Stryker v. SEC—one of the rare appeals of these orders—the Second Circuit deferred to the start-date rule.[52]

Before and after Stryker, the SEC has routinely denied awards, or disregarded certain information for the purpose of determining awards, on the basis of that rule.[53] Some whistleblowers apparently have tried to get creative, but a May 2017 order denied an award for an individual who provided the SEC with a letter that “merely restated” information previously submitted before the July 21, 2010 eligibility date.[54] One claimant asked the SEC to reconsider the rule, but in a June 2017 order the SEC refused to change its mind.[55] The most that these whistleblowers can get was demonstrated in a November 2016 order in which the SEC denied an award under the start-date rule but, as a consolation prize, merely “agree[d]” that this whistleblower “should be lauded.”[56]

2. “In Writing” Requirement for Pre-August 12, 2011 Submissions

Relatedly, Dodd-Frank created a safe harbor for the very specific situation where information is submitted after July 21, 2010, but prior to the effective date of the SEC whistleblower rules (which was August 12, 2011). Even if it does not comport with all of the requirements of the SEC whistleblower rules, such information may still be deemed “original information” if it was submitted “in writing.”[57]

A November 2016 order confirmed that the safe harbor has limited use and did not apply where “the Claimant first approached the [SEC] after the effective date of the Commission’s whistleblower program rules.”[58] As summarized in a May 2017 order, such tips “must be submitted through the [SEC]’s online portal or on Commission Form TCR. If the [SEC] receives an individual’s information in another manner or through another source . . . , the individual will generally not be able to recover an award for that information.”[59]

6. Professional Assistance

A variety of other eligibility issues can arise in certain circumstances. One involves the use of professional assistance. Whistleblowers who report anonymously must be represented by counsel.[60] Otherwise—as the SEC made clear in a November 2017 order—“the [SEC] does not require whistleblowers to retain experts or other professionals to assist them in their whistleblowing.”[61] Although it may be prudent for whistleblowers to seek professional assistance, they are eligible for a full award “whether or not their information is accompanied by expert knowledge or analysis, or provided with the assistance of a lawyer or other professional.”[62]

As for experts who wish to submit their own whistleblower claims, that same November 2017 order drew a line between experts who are acting in furtherance of others’ whistleblowing efforts and those who are acting on their own behalf. Given that only individuals are eligible for whistleblower awards, professionals who provide expert reports or other assistance to the SEC through a firm (e.g., an “incorporated entity”) are less likely to be eligible for an award.[63]

7. Foreign Whistleblowers

Foreign whistleblowers also present unique eligibility issues. Although agents of foreign governments are not eligible for awards,[64] the SEC has signaled that it would happily shell out awards to other types of foreign whistleblowers. In a September 2014 order granting an award, the SEC announced: “In our view, there is a sufficient U.S. territorial nexus whenever a claimant’s information leads to the successful enforcement of a covered action brought in the United States, concerning violations of the U.S. securities laws, by the [SEC], the U.S. regulatory agency with enforcement authority for such violations. When these key territorial connections exist, it makes no difference whether, for example, the claimant was a foreign national, the claimant resides overseas, the information was submitted from overseas, or the misconduct comprising the U.S. securities law violation occurred entirely overseas.”[65]

8. Disqualification for Providing False Information

Finally, what about “whistleblowers” who mislead the SEC? A claimant is disqualified from receiving a whistleblower award if he or she knowingly provides false information or documentation in (i) the whistleblower submission under consideration, (ii) his or her “other dealings with the [SEC],” or (iii) his or her dealings with another authority in connection with a related action.[66] In May 2014 and August 2015 orders, the SEC interpreted “other dealings with the SEC” to include “statements or representations in previous whistleblower submissions as well as a claimant’s correspondence with [SEC] officials.”[67]

The SEC has permanently barred at least two individuals from the program, including an individual who submitted 143 frivolous award claims[68] and an individual who submitted 25 frivolous award claims.[69] The SEC found that both of these individuals had engaged in bad-faith conduct, failed to correct their actions when the SEC explained the whistleblower rules, and then attempted unsuccessfully to withdraw their applications when unfavorable orders were issued.[70] The SEC has also threatened to bar at least two individuals, including one who represented on Form WB-APP, under penalty of perjury, that he was “the 44th President of the United States,”[71] and another who represented that he was entitled to an award “notwithstanding the lack of even a superficial factual nexus” between the information he provided and the covered action.[72] Despite their permanent bar, at least one of these individuals subsequently filed award claims, which were summarily rejected.[73]

What Procedural Rights and Responsibilities Do Award Claimants Have?

In the second part of our field guide, we consider footnotes related to two procedural aspects of the SEC whistleblower program: filing a whistleblower claim and contesting the SEC’s preliminary award determination.

1. Filing a Whistleblower Claim

What happens when the SEC’s investigation is coming to a close and the whistleblower believes a potential award is on the horizon? Per the whistleblower rules, the next steps involve waiting for the SEC to issue a Notice of Covered Action and then filing a whistleblower award claim: “[w]henever a Commission action results in monetary sanctions totaling more than $1,000,000, the Office of the Whistleblower will cause to be published on the Commission’s Web site a ‘Notice of Covered Action.’ . . . A claimant will have ninety (90) days from the date of the Notice of Covered Action to file a claim for an award based on that action, or the claim will be barred.”[74] Specifically, the claimant must complete a Form WB-APP and mail or fax a signed copy and any attachments to the Office of the Whistleblower within 90 calendar days of the Notice of Covered Action.[75]

The SEC has denied claims where the claimant failed to declare, under penalty of perjury, that the Form WB-APP is “true and correct to the best of [his] knowledge and belief” at the time of submission.[76] The SEC has also routinely denied claims that were filed after the 90-day window.[77] In particular, the SEC has made clear that it is not required to provide potential claimants with direct, actual notice of the covered action (e.g., by calling a whistleblower who aided investigative staff and telling him or her it is now time to file a claim).[78] Instead, as noted in a December 2016 order, whistleblowers must take a proactive approach and actively monitor the SEC website: a “potential claimant’s responsibility includes the obligation to regularly monitor the Commission’s web page for [Notice of Covered Action] postings and to properly calculate the deadline for filing an award claim.”[79]

In rare cases, a claimant may withdraw his or her claim and then later attempt to reinstate it. As the SEC made clear in an October 2013 order, it will not recognize such a request if: (i) the withdrawal was “voluntary and unconditional”; (ii) the claimant “failed to provide a ‘good cause’ explanation for seeking reinstatement”; and (iii) the claimant “did not identify any factual or legal basis to suggest that” reinstatement would not “needlessly tie up the processes and limited resources of the [SEC]’s whistleblower program.”[80]

2. Contesting a Preliminary Determination

Once the covered action is fully appealed (or the time for filing appeals has expired), the Claims Review Staff “will evaluate all timely whistleblower award claims submitted on Form WB-APP” and issue a so-called preliminary determination.[81] Within 60 days, the claimant may then submit a written response contesting either “the denial of an award” or “the proposed amount of an award.”[82] In deciding whether to contest a preliminary determination, a claimant may, within 30 days, request to review a copy of the administrative record (i.e., certain materials that “formed the basis of” the preliminary determination), and/or meet with the Office of the Whistleblower, which “may in its sole discretion decline” the meeting.[83]

Before providing the claimant with a copy of the record (or certain nonpublic materials therein), the whistleblower office may require him or her to sign a confidentiality agreement.[84] Several SEC orders have confirmed that this prerequisite is “standard practice,” and the claimant’s refusal to sign in a form acceptable to the whistleblower office is proper grounds to withhold these materials.[85] Even if a confidentiality agreement is signed, claimants are entitled to receive only certain enumerated materials, which may be redacted.[86] In October 2013 and November 2017 orders, the SEC found that the whistleblower office properly withheld requested materials when those materials went beyond the enumerated materials and/or those that “formed the basis of” the preliminary determination,[87] and in a May 2017 order, the SEC found that a claimant was not prejudiced by the redaction of two sentences in a staff declaration because the sentences “ha[d] no material bearing on the Claimant’s potential eligibility.”[88]

If a claimant ultimately decides not to contest the preliminary determination, or fails to timely contest, then: (a) the preliminary determination becomes a final order;[89] and (b) he or she cannot appeal to a federal court because he or she has failed to exhaust administrative remedies.[90] It is apparent that this outcome has occurred when the SEC publishes an order with the following stamp at the top: “Final Order–This Preliminary Determination Became the Final Order of the Commission on [Date] Pursuant to Rule 21F-10(f) of the Exchange Act.”[91] Alternatively, if there are multiple claimants, one of whom did contest a preliminary determination, then the SEC may note in the final order that others did not contest.[92]

If a claimant does decide to contest the preliminary determination, SEC orders have made clear that “[a]ny factual or legal contentions not expressly raised and addressed in [the claimant]’s Response are deemed waived.”[93] In addition to substantive arguments regarding their eligibility for an award or the SEC’s finding of facts, some claimants have raised constitutional due process issues. The SEC has not been convinced by these arguments, including in a lengthy October 2013 order analyzing the claimant’s assertions that the whistleblower office “committed numerous procedural errors that denied [claimant] a fair proceeding.”[94] Finally, some claimants have requested oral argument before the Commission itself, but SEC orders have suggested that oral argument would be entertained only if it would “benefit the Commission’s consideration” of the award application.[95]

When Does the SEC Make Exceptions?

Moving on to the third part of our field guide, we consider footnotes related to exceptions. Given the number of technicalities involved in the SEC whistleblower program, it’s no surprise that many claimants have fatal issues, and that many claimants beg the SEC for leniency. There are two paths to receive an exception. Under the whistleblower rules, the SEC may, “in its sole discretion,” waive any of the procedural requirements for whistleblower claims “based upon a showing of extraordinary circumstances.”[96] In addition, section 36(a) of the Exchange Act provides the SEC with the authority to exempt any provisions thereof—including the Dodd-Frank Act securities whistleblower provisions and rules thereunder—“to the extent that such exemption is necessary or appropriate in the public interest, and is consistent with the protection of investors.”[97]

In considering exceptions, the SEC routinely uses its 2010 PennMont decision as precedent.[98] As summarized in an October 2017 whistleblower order, “the ‘extraordinary circumstances’ exception is to be narrowly construed and applied only in limited circumstances.”[99] The “critical question” is whether the facts and circumstances, “as they existed at the time that the failure occurred,” were “sufficiently beyond the control of the claimant to justify the procedural deficiency.”[100] If a timing requirement is at issue, the claimant must proceed “as soon as reasonably practicable” once the extraordinary circumstances end, or the exception generally won’t be granted.[101] Examples of extraordinary circumstances that affect timing may include “serious illness” or “ineffective assistance of counsel.”[102]

Most commonly, claimants ask the SEC to forgive their failure to timely file a whistleblower claim in the requisite 90-day window. The SEC has denied these waiver requests in a number of orders, including a July 2014 order where the claimant’s attorney engaged in “ordinary negligence” (as opposed to “blatant client deception, outright abandonment or similar egregious misconduct” that might support an exception) by failing to advise him of the whistleblower program’s existence, and then waiting a month to submit the whistleblower claim once he became aware.[103]

One claimant unsuccessfully asked the SEC to waive the substantive “led to” requirement. In the related March 2018 order, the SEC explained that its waivers of substantive eligibility requirements have involved either: (i) “the application of our rules to events that predated the adoption of our rules”; or (ii) “unusual factual situations” that “were simply not contemplated by the Commission in crafting the whistleblower rules and the Commission found that a strict application of the rules in those specific instances would be contrary to the public interest and the broader purposes of the whistleblower program.”[104]

Although they are rare, the SEC has granted several waivers over the course of the whistleblower program, including the “voluntarily provided” requirement,[105] the “in writing” requirement for information provided after Dodd-Frank was enacted but before the rules were effective,[106] and the requirement to sign a declaration under penalty of perjury at the time the initial tip was submitted.[107]

How Does the SEC Calculate and Allocate Awards?

In the fourth and final part of our field guide, we consider footnotes related to the award itself. The prospect of a multimillion dollar award may be the final push a whistleblower needs to report his or her concerns to the SEC—or maybe he or she would have blown the whistle anyway, and the award is just an added bonus. Either way, eligible whistleblowers are entitled to 10–30 percent of the monetary sanctions that the SEC and related authorities are able to collect.[108] If there is more than one meritorious claimant, the SEC will allocate the 10–30 percent between or among them.[109]

The SEC considers a number of case-specific factors in determining whether to increase or decrease the award percentage, as well as the relative allocation among multiple whistleblowers.[110] These factors are: “(1) the significance of information provided to the Commission; (2) the assistance provided in the Commission action; (3) law enforcement interest in deterring violations by granting awards; (4) participation in internal compliance systems; (5) culpability; (6) unreasonable reporting delay; and (7) interference with internal compliance and reporting systems.”[111]

Although the SEC has explicitly analyzed these factors in a number of orders,[112] the “unreasonable reporting delay” factor gets the most ink. The SEC has applied the reporting delay factor less severely where: (i) some or all of the delay occurred prior to the enactment of the Dodd-Frank Act’s whistleblower incentive provisions;[113] (ii) the claimant “witnessed a single violation and was unaware of the full extent of the fraud”;[114] and/or (iii) the claimant was “a foreign national working outside the United States” (as it was unclear whether the Dodd-Frank antiretaliation protections would apply extraterritorially).[115]

With respect to the allocation among multiple claimants, the SEC noted in a March 2016 order, for instance, that one claimant was entitled to a greater allocation than the others because his tip “caused the investigative staff to open the investigation”; it came “approximately eighteen months” before the other information was submitted; and the claimant met with staff several times before the other information was submitted.[116] Some claimants have sought to forgo an award so that others would receive it, but in a November 2017 order the SEC made clear that the other claimants would have to qualify for an award themselves.[117]

Our final issue is how the SEC determines the amount to which the 10–30 percent is applied when there is a related action. The SEC provided an answer in an April 2016 order: the SEC will not double-count any monetary sanctions that “are either deemed to satisfy or in fact used to satisfy any payment obligations of the defendants in the other action”; such monetary sanctions will first be attributed to the SEC’s covered action “up to the full amount of monetary sanctions ordered . . . , with any remaining amounts attributed” to the related action.[118]

Conclusion

With record-breaking SEC whistleblower awards and the U.S. Supreme Court’s recent Digital Realty Trust decision, whistleblowers now have clear incentives to report suspected securities law violations to the SEC. Whether you are a compliance-focused company or an individual, it is important to seek the advice of experienced counsel who understand the ins and outs of the SEC whistleblower program and—in the absence of concrete judicial guidance—fully appreciate the SEC’s current practices. Millions of dollars could be at stake.


[1] See Press Release, SEC, SEC Announces Its Largest-Ever Whistleblower Awards (Mar. 19, 2018).

[2] Id.

[3] See Digital Realty Trust, Inc. v. Somers, 138 S. Ct. 767, 772–73 (2018) (“To sue under Dodd-Frank’s anti-retaliation provision, a person must first ‘provid[e] . . . information relating to a violation of the securities laws to the Commission.’”) (quoting 15 U.S.C. § 78u-6(a)(6)) (formatting in original); see generally Christopher F. Regan, Thomas A. Sporkin & Matthew E. Newman, Supreme Court Limits Definition of “Whistleblower” in Potentially Hollow Victory for Public Companies, Westlaw J.: Bank & Lender Liability, at 3–4 (Mar. 19, 2018).

[4] See generally Christopher F. Regan, Thomas A. Sporkin & Matthew E. Newman, Why Securities Lawyers Are the New Employment Lawyers, Law360 (Nov. 15, 2017).

[5] See Barnes v. SEC, 698 F. App’x 390 (9th Cir. 2017); Cerny v. SEC, 707 F. App’x 29 (2d Cir. 2017); Givens v. United States, 698 F. App’x 517 (9th Cir. 2017); Smith-Penny v. SEC, 672 F. App’x 19 (D.C. Cir. 2016); Stryker v. SEC, 780 F.3d 163 (2d Cir. 2015); Regnante v. SEC Officials, 134 F. Supp. 3d 749 (S.D.N.Y. 2015).

[6] See SEC, Office of the Whistleblower, Final Orders of the Commission.

[7] 15 U.S.C. § 78u-6(a)(6); see also, e.g., 17 C.F.R. § 240.21F-2(a) (further defining “whistleblower”); SEC Whistleblower (WB) Order, Exchange Act Release No. 77037, at 1 n.2 (Feb. 2, 2016) (setting forth definition of “whistleblower”); SEC WB Order, at 2 n.2 (Apr. 26, 2016) (claimant not a “whistleblower”).

[8] 15 U.S.C. § 78u-6(b)(1).

[9] Id.

[10] 17 C.F.R. § 240.21F-4(a) (defining “voluntarily”).

[11] SEC WB Order, Exchange Act Release No. 82181, at 3 n.3 (Nov. 30, 2017) (quoting 17 C.F.R. § 240.21F-4(a)(2)).

[12] Id. (quoting 17 C.F.R. § 240.21F-4(a)(1)).

[13] 15 U.S.C. § 78u-6(a)(3).

[14] 17 C.F.R. § 240.21F-4(b) (defining “original information” and related terms).

[15] SEC WB Order, Exchange Act Release No. 74815, at 2 n.2 (Apr. 27, 2015).

[16] SEC WB Order, Exchange Act Release No. 79464, at 2 n.2 (Dec. 5, 2016) (internal quotations omitted).

[17] SEC WB Order, at 1 n.2 (Sept. 11, 2017) (Notice of Covered Action No. 2012-72).

[18] SEC WB Order, at 1 n.2 (Sept. 11, 2017) (Notice of Covered Action No. 2012-24).

[19] 17 C.F.R. § 240.21F-4(b)(4).

[20] SEC WB Order, Exchange Act Release No. 72947, at 2 n.1 (Aug. 29, 2014) (citing 17 C.F.R. § 240.21F-4(b)(4)(v)(C)).

[21] SEC WB Order, Exchange Act Release No. 74781, at 1–2 n.1 (Apr. 22, 2015) (quoting 17 C.F.R. § 240.21F-4(b)(4)(v)(A)) (internal quotation removed; formatting in original).

[22] SEC WB Order, Exchange Act Release No. 74404, at 1 n.1 (Mar. 2, 2015) (citing 17 C.F.R. § 240.21F-4(b)(4)(v)(C)).

[23] SEC WB Order, Exchange Act Release No. 81200, at 2 n.2 (July 25, 2017).

[24] 15 U.S.C. § 78u-6(c)(2)(A); see also 17 C.F.R. § 240.21F-8(c)(1).

[25] 15 U.S.C. § 78u-6(b)(1); 15 U.S.C. § 78u-6(a)(5); 17 C.F.R. § 240.21F-3(b).

[26] SEC WB Order, Exchange Act Release No. 81200, at 2 n.2 (July 25, 2017) (emphasis added).

[27] Id.

[28] 15 U.S.C. § 78u-6(b)(1); 17 C.F.R. § 240.21F-4(c) (defining “information that leads to successful enforcement”); see also, e.g., SEC WB Order, Exchange Act Release No. 79294, at 7 n.9 (Nov. 14, 2016) (emphasizing “led to” as eligibility requirement).

[29] See, e.g., SEC WB Order, Exchange Act Release No. 70772, at 6 n.17 (Oct. 30, 2013) (“Because the CRS determined that the information provided by Claimant, other than the September 2010 Email, was not original information . . . , the CRS did not need to consider the relationship between Claimant’s information and the opening of either the [Matter Under Inquiry] or the formal ATG Investigation.”).

[30] SEC WB Order, Exchange Act Release No. 79294, at 5 n.6 (Nov. 14, 2016); see also, e.g., SEC WB Order, Exchange Act Release No. 74815, at 2 n.1 (Apr. 27, 2015) (summarizing requirements); SEC WB Order, Exchange Act Release No. 75752, at 2 n.2 (Aug. 24, 2015) (same); SEC WB Order, Exchange Act Release No. 77948, at 1 n.1 (May 31, 2016) (same); SEC WB Order, Exchange Act Release No. 78355, at 1 n.2 (July 19, 2016) (same); SEC WB Order, Exchange Act Release No. 78356, at 1 n.2 (July 19, 2016) (same); SEC WB Order, Exchange Act Release No. 82562, at 2 n.2 (Jan. 22, 2018) (same). Alternatively, the “led to” requirement can be met if the whistleblower internally reported the information pursuant to designated channels, the entity later provided that information to the SEC, and that entity-provided information “led to” the action. See 17 C.F.R. § 240.21F-4(c)(3).

[31] See, e.g., SEC WB Order, Exchange Act Release No. 82181, at 13 n.25 (Nov. 30, 2017) (“[T]he second whistleblower . . . will need to demonstrate that his submission ‘significantly contributed’ to the enforcement action if the investigation was already ongoing when he came forward.”) (citing Securities Whistleblower Incentives and Protections, 76 Fed. Reg. 34300, 34321/3-34322/2 (June 13, 2011)).

[32] SEC WB Order, Exchange Act Release No. 77833, at 3 (May 13, 2016).

[33] Id. n.1 (emphasis added).

[34] See, e.g., SEC WB Order, Exchange Act Release No. 82807, at 4 n.8 (Mar. 6, 2018) (describing the TCR System and TCR Repository).

[35] See, e.g., SEC WB Order, Exchange Act Release No. 75752, at 2 n.4 (Aug. 24, 2015) (tip NFA’d by OMI); SEC WB Order, Exchange Act Release No. 77948, at 2 n.2 (May 31, 2016) (same); SEC WB Order, Exchange Act Release No. 79604, at 3 n.5 (Dec. 19, 2016) (same); SEC WB Order, at 1 n.1 (Feb. 11, 2018) (same); SEC WB Order, Exchange Act Release No. 82807, at 4 n.9 (Mar. 6, 2018) (same).

[36] See, e.g., SEC WB Order, Exchange Act Release No. 79294, at 7 n.9 (Nov. 14, 2016) (“[T]here is no indication in the record that [redacted] communicated any information from [redacted] to the Covered Action Staff.”); id. at 8 n.12 (“[C]ontrary to Claimant 3’s contention, the investigative staff handling [redacted] disagrees with Claimant 3’s assertion that they had an arrangement with Claimant 3 . . . .”); SEC WB Order, at 1 n.1 (Feb. 18, 2017) (“[N]one of the information provided to the [SEC] by the Claimant was provided to the staff responsible for the Covered Action . . . .”); SEC WB Order, at 2 n.1 (May 2, 2017) (Notice of Covered Action No. [Redacted]) (“Claimant 2’s tip was not provided to the investigative staff handling the ongoing investigation nor was the investigative staff made aware of the tip at any time prior to the resolution of the Covered Action.”); SEC WB Order, Exchange Act Release No. 80596, at 3 n.3 (May 4, 2017) (noting, in conjunction with surrounding text, that the claimant referenced his or her tip in a letter sent to the SEC Chair, the SEC Secretary, and a Commissioner, but not relevant investigative staff); SEC WB Order, Exchange Act Release No. 82562, at 3 n.4 (Jan. 22, 2018) (“That meeting, however, occurred . . . after Final Judgment was entered in the underlying Covered Action, and was not with the investigative staff responsible for the Covered Action.”); SEC WB Order, Exchange Act Release No. 82897, at 12 n.20 (Mar. 19, 2018) (“[N]othing that the Claimants provided to the [SEC] was received by the Covered Action staff (either directly from the Claimants or indirectly through the specialty unit staff to which Claimants #6 and #7 had provided their information).”).

[37] See, e.g., SEC WB Order, Exchange Act Release No. 78355, at 4 n.5 (July 19, 2016) (tip NFA’d by investigative staff); SEC WB Order, Exchange Act Release No. 78356, at 3 n.6 (July 19, 2016) (same); SEC WB Order, Exchange Act Release No. 80596, at 3 n.4 (May 4, 2017) (same); see also SEC WB Order, Exchange Act Release No. 70772, at 6 n.16 (Oct. 30, 2013) (quoting guidance on when an MUI should be opened).

[38] See, e.g., SEC WB Order, Exchange Act Release No. 71849, at 4 n.8 (Apr. 3, 2014) (“Indeed, the primary Enforcement attorney who worked on the [redacted] matter has never heard of [Claimant #1].”); SEC WB Order, at 2 n.2 (May 12, 2014) (“[T]he information . . . was in no way relied upon . . . .”); SEC WB Order, Exchange Act Release No. 79294, at 6 n.7 (Nov. 14, 2016) (“Staff Member 1 was intimately involved in the totality of the investigation leading to the Covered Action and, as such, relative to Claimant 2, may have a clearer understanding of how the disputed events in the investigation unfolded and how those events fit into the broader investigation.”); SEC WB Order, at 2 n.1 (June 20, 2017) (“[N]one of the information . . . was used in the matter in any way.”); SEC WB Order, at 2 n.1 (Jan. 23, 2017) (Notice of Covered Action No. [Redacted]) (“[T]he information was generally duplicative of the information that the [SEC] had already received . . . as part of the company’s earlier self-reporting and/or did not rise to the level of warranting any further investigative efforts on the staff’s part given what the staff had already learned directly from [redacted].”); SEC WB Order, Exchange Act Release No. 82181, at 16 n.28 (Nov. 30, 2017) (“[T]he information . . . did not add meaningfully to the information and materials that the Enforcement staff on the Investigation already knew of or which were publicly-available to the staff.”).

[39] See, e.g., SEC WB Order, at 2 n.2 (May 12, 2014) (analyzing “the sole covered action that did bear a superficial factual nexus”); SEC WB Order, Exchange Act Release No. 77948, at 2 n.2 (May 31, 2016) (“[O]ther than identifying the same target company, Claimant’s tip bears no factual or legal nexus to the charges brought by the Commission in the Covered Action.”); SEC WB Order, Exchange Act Release No. 82897, at 10 n.17 (Mar. 19, 2018) (“[S]taff opened a new and separate investigation to test Claimant #5’s allegations and found insufficient evidence to support them.”).

[40] SEC WB Order, Exchange Act Release No. 78025, at 3 n.3 (June 9, 2016).

[41] SEC WB Order, Exchange Act Release No. 71849, at 4 n.7 (Apr. 3, 2014).

[42] 15 U.S.C. § 78u-6(a)(1).

[43] SEC WB Order, at 2 n.1 (April 1, 2016) (“Claimant #2 also claims an award in connection with [redacted]. That action, however, did not result in monetary sanctions over $1,000,000 and therefore, does not qualify as a Covered Action for which an award may be made.”).

[44] 15 U.S.C. § 78u-6(a)(5); 17 C.F.R. § 240.21F-3(b); 17 C.F.R. § 240.21F-11.

[45] 15 U.S.C. § 78u-6(b)(1); 15 U.S.C. § 78u-6(a)(5); 17 C.F.R. § 240.21F-3(b).

[46] SEC WB Order, at 2 n.1 (Sept. 9, 2017, Order 1) (“[S]ome of the cases Claimants . . . identified as the basis for their related action awards are not ‘related actions’ since those cases were not brought by the non-Commission entities designated under Exchange Act Rules 21F-3(b)(1) and 21F-4(g) and (f).”).

[47] SEC WB Order, at 2 n.2 (Sept. 9, 2017, Order 1) (“A related action award may be made only if, among other things, the claimant satisfies the eligibility criteria for an award for the applicable covered action in the first instance.”); SEC WB Order, at 2 n.2 (Sept. 9, 2017, Order 2) (same).

[48] SEC WB Order, Exchange Act Release No. 80596, at 7 n.10 (May 4, 2017); see also SEC WB Order, Exchange Act Release No. 72178, at 3 n.2 (May 16, 2014) (similar language); SEC WB Order, at 2 n.1 (Apr. 1, 2016) (similar language).

[49] 17 C.F.R. § 240.21F-4(b)(1)(iv) (emphasis added).

[50] SEC WB Order, Exchange Act Release No. 70772, at 8–13 (Oct. 30, 2013).

[51] Id. at 12.

[52] Stryker v. SEC, 780 F.3d 163, 163 (2015) (“Larry Stryker petitions for review of an order of the [SEC] denying his claim for a whistleblower award. . . . Concluding that the SEC’s interpretation of Section 21F was within its authority and consistent with the legislation, we deny the petition.”).

[53] See, e.g., SEC WB Order, at 1 n.2 (Mar. 9, 2014) (Notice of Covered Action No. 2011-46) (citing the Oct. 30, 2013 order); SEC WB Order, Exchange Act Release No. 71849, at 4 n.5–6 (Apr. 3, 2014) (same); SEC WB Order, at 7–9 n.6 (July 23, 2014) (citing only Rule 21F-4(b)(1)(iv)); SEC WB Order, at 1 n.1 (Nov. 30, 2015) (Notice of Covered Action No. [Redacted #2]) (citing Stryker and the Oct. 30, 2013 order); SEC WB Order, Exchange Act Release No. 76921, at 2 n.2 (Jan. 15, 2016) (citing Stryker); SEC WB Order, at 1 n.1 (Apr. 26, 2016) (same); SEC WB Order, Exchange Act Release No. 78025, at 4 n.4 (June 9, 2016) (same); SEC WB Order, Exchange Act Release No. 79294, at 4 n.4, 6 n.8 (Nov. 14, 2016) (same); SEC WB Order, Exchange Act Release No. 80596, at 4 n.5 (May 4, 2017) (same); SEC WB Order, at 1 n.1 (Sept. 11, 2017) (Notice of Covered Action No. 2012-24) (same); SEC WB Order, at 1 n.1 (Sept. 11, 2017) (Notice of Covered Action No. 2012-72) (same); SEC WB Order, Exchange Act Release No. 82181, at 4 n.4 (Nov. 30, 2017) (citing only Rule 21F-4(b)(1)(iv)); SEC WB Order, Exchange Act Release No. 82562, at 2 n.2, 3 n.5 (Jan. 22, 2018) (citing Stryker); SEC WB Order, Exchange Act Release No. 82807, at 3 n.6 (Mar. 6, 2018).

[54] SEC WB Order, Exchange Act Release No. 80596, at 5 n.7 (May 4, 2017).

[55] SEC WB Order, Exchange Act Release No. 34-80871, at 1–2 n.3, 2 n.4 (June 7, 2017); see also id. at 2–3 n.5 (also declining to delay final resolution of the award so the claimant would have an opportunity to petition for a rulemaking).

[56] SEC WB Order, Exchange Act Release No. 79294, at 8 n.13 (Nov. 14, 2016) (“Although we are not able to consider Claimant 3 for an award in that case because it pre-dates the enactment of our whistleblower program, we agree with the views expressed by a staff attorney assigned to [redacted] that Claimant 3 ‘should be lauded for [Claimant 3’s] assistance’ in connection with that case.”).

[57] 15 U.S.C. § 78u-7(b) (“Information provided to the Commission in writing by a whistleblower shall not lose the status of original information . . . solely because the whistleblower provided the information prior to the effective date of the regulations, if the information is provided by the whistleblower after July 21, 2010.”); see also 17 C.F.R. § 240.21F-9(d) (SEC Rule 21F-9(d) implementing the safe harbor); SEC WB Order, Exchange Act Release No. 79747, at 1 n.2 (Jan. 6, 2017) (describing Rule 21F-9(d)); SEC WB Order, Exchange Act Release No. 81227, at 1–2 n.2 (July 27, 2017) (same); SEC WB Order, Exchange Act Release No. 70772, at 3 n.10 (Oct. 30, 2013) (noting that the Whistleblower Office confirmed that it was not necessary to resubmit such information once the rules became effective).

[58] SEC WB Order, at 1 n.1 (Nov. 7, 2016) (Notice of Covered Action No. [Redacted #2]).

[59] SEC WB Order, Exchange Act Release No. 80596, at 6 n.9 (May 4, 2017); see also, e.g., SEC WB Order, Exchange Act Release No. 77037, at 1–2 n.3 (Feb. 2, 2016) (“[W]histleblowers are required to submit their information about a possible securities law violation through the [SEC]’s online system, or by mailing or faxing a Form TCR, and to declare under penalty of perjury that the information submitted is true and correct to the best of the individual’s knowledge and belief.”) (citing 17 C.F.R. § 240.21F-9(a), (b)); SEC WB Order, Exchange Act Release No. 79604, at 4 n.6 (Dec. 19, 2016) (“Rule 21F-8(a) requires that, in order to be eligible for a whistleblower award, a whistleblower ‘must give the Commission information in the form and manner that the Commission requires,’ specifically referencing the TCR submission procedures set out in Rule 21F-9.”).

[60] 15 U.S.C. § 78u-6(d)(2); 17 C.F.R. § 240.21F-7.

[61] SEC WB Order, Exchange Act Release No. 82181, at 12 n.23 (Nov. 30, 2017).

[62] Id.

[63] Id. at 8 n.13 (“The record indicates that the [redacted] expert report and certain other assistance that Claimants #3 and #4 rely upon in seeking an award were provided by an incorporated entity . . . and not by Claimants #3 and #4 in their individual capacities. . . . The [redacted] firm itself would be ineligible for an award for those submissions, because only individuals can qualify as whistleblowers under Section 21F. These additional considerations further counsel against any determination that would retroactively deem Claimants #3 and #4 in their individual capacities as whistleblowers before their [redacted] Form TCR.”); see also id. at 10–12 (detailing related issues with failure to provide “original information”).

[64] 17 C.F.R. § 240.21F-8(c)(2).

[65] SEC WB Order, Exchange Act Release No. 73174, at 2 n.2 (Sept. 22, 2014).

[66] 15 U.S.C. § 78u-6(i); 17 C.F.R. § 240.21F-8(c)(7).

[67] SEC WB Order, at 1 n.1 (May 12, 2014); SEC WB Order, at 1 n.1 (Aug. 5, 2015) (25 Notices of Covered Action).

[68] SEC WB Order (May 12, 2014).

[69] SEC WB Order (Aug. 5, 2015) (25 Notices of Covered Action).

[70] SEC WB Order, at 3 n.6 (May 12, 2014) (“We caution [redacted] that we will not entertain any attempt by [redacted] to withdraw [redacted] WB-APPs following the issuance of this Preliminary Determination given: (i) [redacted] previous gamesmanship with withdrawing and then seeking to reinstate a WB-APP; and (ii) [redacted] repeated unwillingness to withdraw these frivolous applications when [redacted] had a reasonable opportunity to do so, see supra note 4, and that [redacted] attempt now to change course would simply be a transparent effort to evade the consequences of [redacted] bad faith conduct.”); see also SEC WB Order, at 3 n.4 (Aug. 5, 2015) (25 Notices of Covered Action) (similar language).

[71] SEC WB Order, at 1 n.1 (Feb. 13, 2015) (Notice of Covered Action No. 2011-206).

[72] SEC WB Order, at 2 n.3 (May 24, 2015) (“Claimant #2 made a clear false and fictitious statement on the Form WB-APP by claiming to be entitled to an award notwithstanding the lack of even a superficial factual nexus between any information Claimant #2 provided to the Commission and the Covered Action.”).

[73] SEC WB Order, Exchange Act Release No. 77322, at 1 n.2 (Mar. 8, 2016) (“On August 5, 2015, the Commission issued a final order . . . determining that . . . this claimant is ineligible for an award in all of [redacted] pending or future covered or related actions . . . .”); SEC WB Order, Exchange Act Release No. 79294, at 1 n.1 (Nov. 14, 2016) (“[T]his claimant’s application was not processed because this claimant had previously been permanently barred from submitting award applications as a result of numerous false and fictitious statements this claimant made in connection with earlier award claims.”).

[74] 17 C.F.R. § 240.21F-10(a); see SEC, Office of the Whistleblower, Notice of Covered Actions.

[75] 17 C.F.R. § 240.21F-10(b); see also, e.g., SEC WB Order, Exchange Act Release No. 72178, at 1 n.1 (May 16, 2014) (summarizing procedural requirements); SEC WB Order, Exchange Act Release No. 72659, at 2–3 n.1 (July 23, 2014) (same); SEC WB Order, Exchange Act Release No. 77037, at 1 n.1 (Feb. 2, 2016) (same).

[76] See, e.g., SEC WB Order, Exchange Act Release No. 82181, at 8 n.12 (Nov. 30, 2017).

[77] See, e.g., SEC WB Order, at 2 n.1 (Nov. 30, 2015) (Notice of Covered Action Nos. 2012-104 & 2012-53); SEC WB Order, Exchange Act Release No. 77368, at 1 n.1, 2 n.3 (Mar. 14, 2016); SEC WB Order, at 2 (Feb. 11, 2018).

[78] See, e.g., SEC WB Order, Exchange Act Release No. 77037, at 2 n.4 (Feb. 2, 2016); SEC WB Order, Exchange Act Release No. 77368, at 3–4 n.11, 4 n.12 (Mar. 14, 2016); SEC WB Order, Exchange Act Release No. 79464, at 3 n.6, 3–4 n.7 (Dec. 5, 2016).

[79] SEC WB Order, Exchange Act Release No. 79464, at 3 n.6 (Dec. 5, 2016).

[80] SEC WB Order, Exchange Act Release No. 70775, at 1 n.1 (Oct. 30, 2013).

[81] 17 C.F.R. § 240.21F-10(d).

[82] 17 C.F.R. § 240.21F-10(e); see also, e.g., SEC WB Order, Exchange Act Release No. 70772, at 5 n.14 (Oct. 30, 2013) (summarizing the rule); SEC WB Order, Exchange Act Release No. 71849, at 3 n.3 (Apr. 3, 2014) (same); SEC WB Order, Exchange Act Release No. 77368, at 2 n.4 (Mar. 14, 2016) (same). The 60 days begin when the preliminary determination is issued or—if the claimant requests to review materials—when the relevant materials are provided. Id.

[83] 17 C.F.R. § 240.21F-10(e)(1).

[84] See 17 C.F.R. § 240.21F-12(b) (“The Office of the Whistleblower may also require you to sign a confidentiality agreement, as set forth in § 240.21F-[8](b)(4) of this chapter, before providing these materials.”); id. § 240.21F-8(b)(4) (“You may be required to: . . . Enter into a confidentiality agreement in a form acceptable to the Office of the Whistleblower, covering any non-public information that the Commission provides to you, and including a provision that a violation of the agreement may lead to your ineligibility to receive an award.”).

[85] See, e.g., SEC WB Order, Exchange Act Release No. 76921, at 4 n.4 (Jan. 15, 2016) (claimant refused to sign even after extension given); SEC WB Order, Exchange Act Release No. 77529, at 3 n.1 (Apr. 5, 2016) (claimant refused to sign unless the SEC agreed “to provide Claimant with counsel and to pay for Claimant’s legal costs and expenses in connection with Claimant’s challenge of the Preliminary Determination”); SEC WB Order, Exchange Act Release No. 77530, at 2 n.2 (Apr. 5, 2016) (same); SEC WB Order, Exchange Act Release No. 29604, at 2 n.2, 3 n.4 (Dec. 19, 2016) (general refusals to sign).

[86] See 17 C.F.R. § 240.21F-12(b) (“These rules do not entitle claimants to obtain from the Commission any materials . . . other than those listed in paragraph (a) of this section. Moreover, the Office of the Whistleblower may make redactions as necessary . . . .”).

[87] See, e.g., SEC WB Order, Exchange Act Release No. 70772, at 6 n.15, 7 n.18 (Oct. 30, 2013) (Whistleblower Office properly withheld copies of defendants’ deposition transcripts in underlying action); SEC WB Order, Exchange Act Release No. 82181, at 15–16 n.27 (Nov. 30, 2017) (finding that the provided materials were not over-redacted, that the whistleblower office properly withheld “the submissions made by other claimants” as well as certain “internal deliberative process files,” and that certain of the claimant’s supplemental submissions were in fact included in the record); see also, e.g., SEC WB Order, Exchange Act Release No. 80596, at 6 n.8 (May 4, 2017) (disagreeing that claimant should be permitted to review “a full record”).

[88] SEC WB Order, Exchange Act Release No. 80596, at 4–5, n.6 (May 4, 2017).

[89] 17 C.F.R. § 240.21F-10(f). Or, in the case of a preliminary determination that an award should be granted, a “proposed final determination” that becomes a final order in 30 days unless a Commissioner requests a review. Id. § 240.21F-10(f), (h).

[90] 17 C.F.R. § 240.21F-10(f).

[91] See, e.g., SEC WB Order, at 1 (Nov. 13, 2012).

[92] See, e.g., SEC WB Order, Exchange Act Release No. 67698, at 1 n.1 (Aug. 21, 2012); SEC WB Order, Exchange Act Release No. 72947, at 2 n.2 (Aug. 29, 2014); SEC WB Order, Exchange Act Release No. 74781, at 2 n.2 (Apr. 22, 2015); SEC WB Order, Exchange Act Release No. 75752, at 1 n.1 (Aug. 24, 2015); SEC WB Order, Exchange Act Release No. 76921, at 1 n.1 (Jan. 15, 2016); SEC WB Order, Exchange Act Release No. 77751, at 1 n.1 (Apr. 29, 2016); SEC WB Order, Exchange Act Release No. 78025, at 2 n.2 (June 9, 2016); SEC WB Order, Exchange Act Release No. 78355, at 2 n.3 (July 19, 2016); SEC WB Order, Exchange Act Release No. 78356, at 2 n.3 (July 19, 2016); SEC WB Order, Exchange Act Release No. 79464, at 2 n.1 (Dec. 5, 2016); SEC WB Order, Exchange Act Release No. 79604, at 1 n.1 (Dec. 19, 2016); SEC WB Order, Exchange Act Release No. 80596, at 1–2 n.2 (May 4, 2017); SEC WB Order, Exchange Act Release No. 81200, at 1 n.1 (July 25, 2017); SEC WB Order, Exchange Act Release No. 82181, at 1 n.1 (Nov. 30, 2017); SEC WB Order, Exchange Act Release No. 82897, at 1 n.1 (Mar. 19, 2018).

[93] SEC WB Order, Exchange Act Release No. 82897, at 7 n.10 (Mar. 19, 2018); see, e.g., SEC WB Order, Exchange Act Release No. 71849, at 4 n.7 (Apr. 3, 2014) (by failing to specify communications at issue, claimant waived argument that information contained therein “led to” success of the enforcement action); SEC WB Order, Exchange Act Release No. 72659, at 5 n.2 (July 23, 2014) (claimant waived due process argument); SEC WB Order, Exchange Act Release No. 77037, at 2 n.5 (Feb. 2, 2016) (claimant waived argument that he qualified as a “whistleblower”).

[94] SEC WB Order, Exchange Act Release No. 70772, at 14–19 (Oct. 30, 2013); see also SEC WB Order, Exchange Act Release No. 78025, at 6 n.7 (June 9, 2016) (“We have considered Claimant #5’s various constitutional claims, but we find them frivolous.”); SEC WB Order, Exchange Act Release No. 72659, at 5 n.2 (July 23, 2014) (finding, sua sponte, that due process does not require the claimant to receive actual notice of the whistleblower award program’s existence).

[95] SEC WB Order, Exchange Act Release No. 77368, at 2 n.5 (Mar. 14, 2016) (denying request for oral argument); SEC WB Order, Exchange Act Release No. 79604, at 2 n.2 (Dec. 19, 2016) (same).

[96] 17 C.F.R. § 240.21F-8(a).

[97] 15 U.S.C. § 78mm(a).

[98] In the Matter of the Application of PennMont Sec. (PennMont), Exchange Act Release No. 61967, 2010 WL 1638720 (Apr. 23, 2010), aff’d, PennMont Sec. v. SEC, 414 F. App’x 465 (3d Cir. 2011).

[99] SEC WB Order, Exchange Act Release No. 81857, at 2 n.1 (Oct. 12, 2017) (quoting PennMont, 2010 WL 1638720 at *4).

[100] Id. (emphasis added).

[101] PennMont, 2010 WL 1638720 at *4.

[102] Id. at *4 n.24.

[103] SEC WB Order, Exchange Act Release No. 72659, at 4–7 (July 23, 2014); see also, e.g., SEC WB Order, at 1 n.1 (Mar. 9, 2014) (Notice of Covered Action No. 2011-46); SEC WB Order, Exchange Act Release No. 72178, at 2–4 (May 16, 2014); SEC WB Order, at 1 n.1 (Aug. 5, 2015) (Notice of Covered Action No. [Redacted #2]); SEC WB Order, at 1 n.2 (Nov. 30, 2015) (Notice of Covered Action Nos. 2012-104 & 2012-53); SEC WB Order, Exchange Act Release No. 77368, at 3 (Mar. 14, 2016); SEC WB Order, Exchange Act Release No. 79464, at 4 n.9 (Dec. 5, 2016); SEC WB Order, Exchange Act Release No. 79604, at 5 n.7 (Dec. 19, 2016).

[104] SEC WB Order, Exchange Act Release No. 89897, at 8 n.12 (Mar. 19, 2018) (emphasis in original).

[105] SEC WB Order, Exchange Act Release No. 72727, at 1–2 n.1 (July 31, 2014).

[106] SEC WB Order, Exchange Act Release No. 79747, at 1 n.1, 2 n.3 (Jan. 6, 2017); SEC WB Order, Exchange Act Release No. 81227, at 1 n.1, 2 n.4 (July 27, 2017); SEC WB Order, Exchange Act Release No. 82181, at 4 n.5 (Nov. 30, 2017). Contrast with SEC WB Order, at 2 n.3–4 (Feb. 11, 2018) (denying request to waive start-date eligibility rule).

[107] SEC WB Order, Exchange Act Release No. 81857, at 2 n.1 (Oct. 12, 2017).

[108] 15 U.S.C. § 78u-6(b)(1); 17 C.F.R. § 240.21F-5(b).

[109] 17 C.F.R. § 240.21F-5(c); see also, e.g., SEC WB Order, Exchange Act Release No. 82181, at 2 n.2 (Nov. 30, 2017) (“[I]n the context of an award proceeding involving two or more meritorious whistleblower claimants, the award must be allocated among the claimants and may never exceed an aggregate percentage amount of 30% of the monetary sanctions collected.”); SEC WB Order, Exchange Act Release No. 82897, at 2 n.4 (Mar. 19, 2018) (same).

[110] 15 U.S.C. § 78u-6(c)(1); 17 C.F.R. § 240.21F-6; see also, e.g., SEC WB Order, Exchange Act Release No. 73174, at 3 n.4 (Sept. 22, 2014) (“[E]ach award determination involves a highly individualized review of the facts and circumstances surrounding the particular case.”).

[111] SEC WB Order, Exchange Act Release No. 82214, at 1–2 n.1 (Dec. 5, 2017).

[112] See, e.g., SEC WB Order, Exchange Act Release No. 78719, at 1–2 n.1 (Aug. 30, 2016) (culpability mitigated because claimant “did not financially benefit from the misconduct”); SEC WB Order, Exchange Act Release No. 81227, at 2 n.3 (July 27, 2017) (among the positive factors considered, “Claimant alerted the [SEC] to a serious, multi-year fraud that would have otherwise been difficult to detect” and “continued to provide substantial assistance to Enforcement staff during the investigation”); SEC WB Order, Exchange Act Release No. 79294, at 3 n.3 (Nov. 14, 2016) (“Among the actions that Claimant 1 is relying on to seek an upward adjustment to Claimant 1’s award include [redacted]. We find that this action cannot fairly be construed as an attempt to report a potential securities violation by participating in an internal compliance system.”); SEC WB Order, Exchange Act Release No. 76338, at 3 n.6 (Nov. 4, 2015) (claimant’s delay caused “the great majority of the total disgorgement ordered in the underlying enforcement matter”).

[113] See, e.g., SEC WB Order, Exchange Act Release No. 73174, at 3 n.5 (Sept. 22, 2014); SEC WB Order, Exchange Act Release No. 75477, at 2 n.3 (July 17, 2015); SEC WB Order, Exchange Act Release No. 81227, at 2 n.3 (July 27, 2017); SEC WB Order, Exchange Act Release No. 82214, at 2 n.2 (Dec. 5, 2017).

[114] SEC WB Order, Exchange Act Release No. 76338, at 3 n.7 (Nov. 4, 2015).

[115] SEC WB Order, Exchange Act Release No. 82214, at 2 n.2 (Dec. 5, 2017).

[116] SEC WB Order, Exchange Act Release No. 77322, at 2 n.3 (Mar. 8, 2016).

[117] SEC WB Order, Exchange Act Release No. 82181, at 5–6 n.6, 7 n.9 (Nov. 30, 2017).

[118] SEC WB Order, Exchange Act Release No. 77530, at 2 n.1 (Apr. 5, 2016); see also, e.g., SEC WB Order, Exchange Act Release No. 72301, at 2 n.1 (June 3, 2014) (“A portion of the disgorgement and prejudgment interest ordered to be paid in the Covered Action was ‘deemed satisfied’ by Respondents’ payment of that amount pursuant to a civil action brought by [redacted] and shall be included in our calculation of the award payment to the claimants here. We interpret Section 21F(b)(1) of the Exchange Act, which provides for payment of awards based on ‘what has been collected of the monetary sanctions’ imposed in a Commission Covered Action, to include amounts that are deemed satisfied when collected in actions brought by other governmental authorities.”); SEC WB Order, Exchange Act Release No. 80521, at 2 n.1 (Apr. 25, 2017) (similar).

Amendments to a Deposit Account Agreement Due to the Recent Amendments to Regulation CC

Background. Effective July 1, 2018, recent changes to Regulation CC[1] provide new warranty and indemnity rights, liabilities, and obligations potentially impacting a bank, particularly a bank providing a remote deposit capture (RDC) service, including a mobile RDC service, in its role as a depository bank. The new indemnities and warranties are based in part on new definitions of “electronic check” and “electronic returned check” in Regulation CC § 229.2(ggg) for purposes of Regulation CC, subpart C, dealing with the forward collection and return of checks as both paper and electronic checks and electronic returned checks.[2] An “electronic check” and an “electronic returned check” mean an electronic image of, and electronic information derived from, a paper check or a paper returned check. Presently, Regulation CC, subpart C, applies only to paper checks.[3] Generally, Regulation CC, subpart C, presently presumes the forward collection and return of paper checks.[4] However, under Regulation CC § 229.30, as amended, both electronic checks and electronic returned checks are subject to subpart C, except where “paper check” or “paper returned check” is specified. These new warranty and indemnity rights, liabilities, and obligations could amplify the operational risks a bank faces, particularly those associated with RDC service, as detailed below.

  • Image quality warranty and no double debit warranty. Under new Regulation CC § 229.34(a)(1), a bank transferring or presenting an electronic check or an electronic returned check and receiving settlement or other consideration for it warrants that (a) the electronic image of the check represents all of the information on the front and back of the original check as of the time that the original check was truncated, and the electronic information includes an accurate record of all MICR line information required for a substitute check under § 229.2(aaa) and the amount of the check (i.e., the Image Quality Warranty); and (b) no person will receive a transfer, presentment, or return of, or otherwise be charged for an electronic check or electronic returned check, the original check, a substitute check, or a paper or electronic representation of a substitute check such that the person will be asked to make payment based on a check it has already paid (i.e., the No Double Debit Warranty).[5] In explaining these new warranties, the Regulation CC commentary provides that the electronic check and electronic returned check warranties in § 229.34(a) “correspond to the warranties made by a bank that transfers, presents, or returns a substitute check . . . . (See § 229.52 and commentary thereto).”[6] In the case of a transfer of an electronic check for collection or presentment, under Regulation CC § 229.34(a)(2)(i), these warranties run in favor of the transferee bank, any subsequent collecting bank, the paying bank, and the drawer.[7] Whether a bank creates an electronic check or its customer creates an electronic check through RDC, the bank makes the Image Quality Warranty and the No Double Debit Warranty under Regulation CC § 229.34(a)(1) when it transfers or presents an electronic check. 
In the case of a transfer for return, a bank makes these warranties to a transferee returning bank, the depository bank, and the owner.[8] As a paying bank, when and as it identifies a check as a suspected duplicate check (a check it has previously paid) and elects to dishonor it by creating an electronic returned check, it could breach the Image Quality Warranty or the No Double Debit Warranty through the electronic returned check.

These risks under Regulation CC, as amended, are amplified when a bank provides a payable-through-draft service or a third-party draft service as a treasury management service to a commercial customer as the population of warrantees increases as to electronic checks. In instances where a bank provides a payable-through-draft service, a commercial customer issues drafts drawn on it and payable through the bank offering this service. In instances where a bank provides a third-party draft service, the bank provides its commercial customer with draft stock to be provided by the commercial customer to its customers to enable its customers to draw these third-party drafts on the commercial customer. Similar to the payable-through-draft service, the bank providing the third-party draft service acts as a “payable through bank” for drafts issued under such service. An example of a third-party draft is a “convenience check” drawn by a credit-card holder against the cardholder’s line of credit associated with the credit card issued by the commercial customer to the convenience check drawer. In both instances, a drawer of a payable through draft—a commercial customer—or a drawer of a third-party draft—a customer to a commercial customer—could be a warrantee of the Image Quality Warranty or the No Double Debit Warranty granted by the payable through bank if such drafts are converted to an electronic check and presented for payment under the service. Further, upon dishonor of a payable through draft or a third-party draft by its drawer or purchaser of the service, in instances where a payable through bank returns such draft as an electronic returned check, it could act as a warrantor of the Image Quality Warranty or the No Double Debit Warranty as well as to the returned electronic check. 
In sum, in the case of transfers of an electronic returned check for return, under Regulation CC § 229.34(a)(2)(ii), these warranties applicable to an electronic returned check (the Image Quality Warranty and the No Double Debit Warranty) run in favor of the transferee returning bank, any subsequent returning bank, the depository bank, and the owner[9] of an electronic returned check. A bank providing the payable-through-draft service or the third-party draft service could also be the depository bank of a payee of such draft. In such instances, a customer of that depository bank—the payee owner of the draft—could be a warrantee upon dishonor of the draft by the drawer or the commercial customer purchasing the service. The “consideration” the bank receives to cause the warranty liabilities to attach to it could be the revocation of the provisional credit granted by the bank (as depository bank) under Uniform Commercial Code § 4-214 to the payee owner through the original deposit transaction of the draft. Additionally, a bank providing an RDC service could also be the paying bank of a check it accepts for deposit from its payee owner through that RDC deposit service. As a paying bank of that check, it could elect to dishonor the check. If the dishonored check is viewed as an electronic returned check, the owner of the check could be a warrantee of the Image Quality Warranty and the No Double Debit Warranty.[10] Damages for breach of these warranties could be the consideration received by the bank that presents or transfers the check or returned check, plus interest compensation and expenses related to the check or returned check, if any.[11]

  • An RDC indemnity. Under new Regulation CC § 229.34(f)(2), a novel indemnity is provided to address the allocation of liability where a depository bank accepts a check through RDC to create an electronic check for forward collection, and another depository bank suffers a loss resulting from the latter accepting the original paper check. Under Regulation CC § 229.34(f)(2), this indemnity would be provided by a bank that accepted a check via RDC (Bank A) to a bank that accepted the original paper check for deposit (Bank B),[12] in the event the latter bank incurs a loss because the check had already been paid. (Even if Bank B could, it has no obligation to charge the check against its customer; as a potential holder in due course, it also has no obligation to pursue a claim against the drawer of the check.) This indemnity obligation attaches to Bank A if it (a) is a truncating bank because it provides an RDC service, (b) does not receive the original check, (c) receives settlement or other consideration for an electronic check, and (d) does not receive a return of the check. Under Regulation CC § 229.34(f)(3), Bank B may not pursue an indemnity claim against Bank A if the original check bore a restrictive indorsement inconsistent with the means of deposit, e.g., “for mobile deposit at Depository Bank A only” and the payee’s account number.[13] The indemnity amount under Regulation CC § 229.34(i) is the amount of the loss suffered by Bank B up to the amount of settlement or other consideration received by Bank A, plus interest and expenses incurred by Bank B, including costs and reasonable attorney’s fees. Under Regulation CC § 229.38(g), an action to enforce this indemnity must be commenced by Bank B within one year after the occurrence of the violation involved.
  • Electronically created item indemnity. Under new Regulation CC § 229.34(g), a bank transferring or presenting an electronically created item (ECI) and receiving settlement or other consideration for it must indemnify (in the amount set forth in Regulation CC § 229.34(i), detailed above) each transferee bank, any subsequent collecting bank, the paying bank, and any subsequent returning bank against losses resulting from the fact that (a) the electronic image or electronic information is not derived from a paper check; (b) the person on whose account the ECI is drawn did not authorize the issuance of the item in the amount stated on the item or to the payee stated on the item; or (c) a person receives a transfer, presentment, or return of, or otherwise is charged for, an ECI such that the person is asked to make payment based on an item or check it has already paid. In explaining the losses a paying bank could suffer with respect to an ECI, the Regulation CC Official Commentary provides that such losses include losses arising from a failure to comply with Regulation E, because the paying bank generally would not be able to distinguish an ECI from an electronic check.[14] Because the paying bank could view the ECI as an electronic check, it could fail to grant a consumer drawer of the check the rights and remedies available under Regulation E.

New terms to a deposit account agreement for a bank, particularly a bank providing an RDC service. In light of these new warranties and indemnity rights, liabilities, and obligations under Regulation CC, a bank may consider amending its deposit account agreement to strengthen a customer’s indemnity obligations to the bank, especially as to a commercial customer employing the bank’s RDC service (referenced as “you” and “your” in the sample below).[15]

Your Agreement to Indemnify. You will indemnify, defend, and save us and our parent company and its affiliates and each of their respective directors, officers, employees, and agents (collectively, “Indemnitees”) harmless from and against all liabilities, damages, claims, obligations, demands, charges, costs, or expenses (including reasonable fees and disbursements of legal counsel and accountants) awarded against or incurred or suffered (collectively, “Losses and Liabilities”) by Indemnitees arising directly or indirectly from or related to the following (except for Losses and Liabilities arising directly or indirectly from or related to our own gross negligence or willful misconduct):

  1. We warrant to a warrantee that (i) the electronic image of a check accurately represents all of the information on the front and back of the original check as of the time that the original check was truncated, and the electronic information includes an accurate record of all MICR line information required for a substitute check and the amount of the check (“Image Quality Warranty”); and (ii) the warrantee will not receive a presentment of, or otherwise be charged for, an electronic check, an electronic returned check, the original check, a substitute check, or a paper or electronic representation of a substitute check, such that the warrantee will be asked to make payment based on a check it has already paid (“No Double Debit Warranty”).[16] In the case of transfers for collection or payment, we make the Image Quality Warranty and the No Double Debit Warranty to the transferee bank, any subsequent collecting bank, the paying bank, and the drawer. In the case of transfers for return, we make the Image Quality Warranty and the No Double Debit Warranty to the transferee returning bank, any subsequent returning bank, the depository bank, and the owner. If any Indemnitee suffers any Losses or Liabilities arising directly or indirectly from or related to a breach of any of these warranties, you will indemnify the Indemnitee and not hold it responsible or liable.[17]
  2. Through our providing the remote deposit capture service to you, we are required to indemnify a depository bank that accepts the original check from which an electronic check is created for losses incurred by that depository bank if the loss is due to the check having already been paid. If any Indemnitee suffers any Losses or Liabilities arising directly or indirectly from or related to such depository bank indemnity obligation, you will indemnify the Indemnitee and not hold it responsible or liable.
  3. If we transfer or present an “electronically created item” and receive settlement or other consideration for it, we are required to indemnify each transferee bank, any subsequent collecting bank, the paying bank, and any subsequent returning bank against losses that result from the fact that (i) the electronic image or electronic information is not derived from a paper check; (ii) the person on whose account the electronically created item is drawn did not authorize the issuance of the item in the amount stated on the item or to the payee stated on the item; or (iii) a person receives a transfer, presentment, or return of, or otherwise is charged for, an electronically created item such that the person is asked to make payment based on an item or check it has already paid. If any Indemnitee suffers any Losses or Liabilities arising directly or indirectly from or related to such electronically created item indemnity obligation, you will indemnify the Indemnitee and not hold it responsible or liable.

The indemnity obligation under clause 1 above covers a drawer of a check payable by, at, or through a bank, including a payable through draft. In the case of a drawer of a payable through draft, the drawer enjoys as warrantee both the Image Quality Warranty and the No Double Debit Warranty under Regulation CC § 229.34(a)(1). A payable through bank could breach one or both of these warranties as it accepts a payable through draft through RDC as a depository bank, or creates an electronic check from a paper check and presents the draft to its drawer. Upon breach of one or both of these warranties, the drawer could press a claim against the payable through bank. In that instance, the bank could invoke the indemnity against the indemnitor: the transferor depositing the draft through an RDC service, or the customer depositing a paper check. In the case of transfers for collection or payment, the depository bank in the forward collection and presentment of an electronic check also makes the Image Quality Warranty and the No Double Debit Warranty to the transferee bank, any subsequent collecting bank, and the paying bank. In that instance, the indemnity obligation attaches under clause 1 as well.

In the case of a returned electronic check, a returning bank, any subsequent returning bank, a depository bank, and an owner of a check enjoy as warrantees both the Image Quality Warranty and the No Double Debit Warranty under Regulation CC § 229.34(a)(1) relating to a returned electronic check. A bank acting as a depository bank could breach one or both of these warranties not only as it charges back an “off-us” check it previously accepted, upon return of that check through a return electronic cash letter, but also as the depository bank that accepted an “on-us” check from its payee. Upon breach of one or both of these warranties, the owner could press a claim against the bank. In that instance, as against that owner, the bank would invoke the language “not hold it responsible or liable.” The bank would not invoke the indemnity obligation, because that obligation generally attaches only when a third party maintains a claim against the bank that the indemnitor is required to defend. In the case of a chargeback, no third-party claim would be involved.

Further, as a paying bank, when it identifies a check as a suspected duplicate (a check it has previously paid) and elects to dishonor it by creating an electronic returned check, it could breach the Image Quality Warranty or the No Double Debit Warranty through that electronic returned check. In that case, the paying bank could turn to its customer for indemnity if the bank incurs Losses or Liabilities through acts or omissions of the customer.

The indemnity obligations under clauses 2 and 3 above are new indemnities in light of the new remote deposit capture indemnity obligation and electronically created item indemnity obligation under the amended Regulation CC. Clause 2 is available to a bank providing an RDC service in the event another bank accepting the original paper check suffers a loss. If that bank maintains a claim under Regulation CC § 229.34(f)(2) against the bank providing the RDC service, this indemnity clause is available against its customer employing the RDC service. Clause 3 is available to a bank providing an RDC service in the event it incurs liability with respect to an electronically created item transferred or presented by it. Under clause 3, the bank could look to its customer—the party transmitting the electronically created item through RDC.

Conclusion. Effective July 1, 2018, amendments to Regulation CC § 229.34 provide new indemnity obligations and warranties as Regulation CC, subpart C, expands its coverage to capture both paper and electronic checks and electronic returned checks. As to the new Image Quality Warranty and No Double Debit Warranty, a transferee bank, any subsequent collecting bank, a paying bank, and a drawer could become a warrantee. Furthermore, a returning bank, any subsequent returning bank, a depository bank, and an owner of a returned electronic check could enjoy the new Image Quality Warranty and No Double Debit Warranty as a warrantee. Additionally, when a bank provides an RDC service, under Regulation CC § 229.34(f)(2), it could incur an indemnity obligation as to a bank accepting the original paper check. Finally, under Regulation CC § 229.34(g), when a bank provides an RDC service, it could incur a new indemnity obligation as to an electronically created item transferred or presented by it. To mitigate and to spread these risks, an amendment to a deposit account agreement may be in order, especially for those banks providing an RDC service.


[1] Regulation CC (12 C.F.R. pt. 229) is issued under the Expedited Funds Availability Act (12 U.S.C. §§ 4001–4010) and the Check Clearing for the 21st Century Act (12 U.S.C. §§ 5001–5018); the recent amendments are available at 82 Fed. Reg. 27552 (June 15, 2017).

[2] On March 6, 2018, the Board of Governors of the Federal Reserve System proposed changes to Regulation J (12 C.F.R. pt. 210) in light of these changes to Regulation CC, among other considerations.

[3] Regulation CC § 229.2(k).

[4] 82 Fed. Reg. 27552 (June 15, 2017).

[5] The Image Quality Warranty and the No Double Debit Warranty are also presently in the ECCHO Operating Rules § XIX(L)(2) and (7):

Sending Bank Warranties and Indemnification. In addition to the warranties otherwise provided in the Code, Regulation CC, the Rules or other law, each Sending Bank warrants to the Receiving Bank with respect to each Electronic Image sent to the Receiving Bank that:

(2) the Electronic Image accurately reflects the Related Physical Check;

(7) the Receiving Bank and any other person will not receive a transfer, presentment or return of, or otherwise be charged for, the Electronic Image, the Related Physical Check of that Electronic Image, or a paper or electronic representation of the Related Physical Check such that the person will be asked to make a payment based on an item that it already has paid.

If the Sending Bank breaches any of its warranties set forth in this Section XIX (L), it shall indemnify the Receiving Bank and hold it harmless from and against any damage, expense, or loss, including attorneys’ fees, suffered as a result of the breach.

ECCHO is updating its Operating Rules to conform to the changes to Regulation CC, incorporating the warranties from Regulation CC by reference.

[6] See Regulation CC, Official Staff Commentary § 229.34(a)-2. The “drawee” enjoys these warranties under Regulation CC § 229.52(b); the drawee is not included as a warrantee under § 229.34(a)(1).

[7] In the supplementary information accompanying the final rule, in identifying a drawer (as well as an owner) as a warrantee, the Fed observes:

The Board believes that extending the warranties to the drawer of the check and the owner of the returned check is important to maintain a consistent chain of Check-21-like warranties regardless of whether the check is in the form of an electronic check or a substitute check. The final rule provides protection for drawers and owners from harm that is usually beyond their control, such as harm resulting from illegible images or incorrect MICR lines. (82 Fed. Reg. 27552, 27566–27567 (June 15, 2017).)

[8] Regulation CC § 229.34(a)(2)(ii).

[9] Id.

[10] Under the definition of “depositary bank” in Regulation CC § 229.2(o), a depositary bank can also be the paying bank.

[11] Regulation CC § 229.34(h).

[12] The bank providing the RDC service accepting for deposit the check could also be the paying bank. In such a case, no Bank B would be involved.

[13] Regulation CC, Official Staff Commentary § 229.34(f)-2-b.

[14] See Regulation CC, Official Staff Commentary § 229.34(g)-2. This commentary appears to be incorrectly numbered; the correct citation should be Official Staff Commentary § 229.34(g)-3. See 82 Fed. Reg. 27552, 27594 (June 15, 2017).

[15] Under Regulation CC § 229.37, subpart C may be amended by agreement, except that no agreement can disclaim the responsibility of a bank for its lack of good faith or failure to exercise ordinary care, or can limit the measure of damages for such lack or failure. As a word of caution, including these terms in a deposit account agreement with a consumer may not be viewed sympathetically by a prudential regulator or a court. The Consumer Financial Protection Bureau may also view such terms unfavorably. Thus, a bank adopting these terms may limit the indemnity obligation to a commercial customer. Additionally, an indemnity obligation may be limited by other considerations. For example, public policy may limit or preclude an indemnitee’s right to enforce an indemnity obligation against an indemnitor.

[16] In the case of a payable through draft, a payable through bank grants this warranty in favor of a drawer of the draft, among others. In some instances, the payable through bank could also be the depository bank of the payee of the draft. In that role as depository bank, the bank could provide an RDC service; this indemnity protects the bank if its commercial customer deposits a payable through draft under which the payable through bank (the depository bank also acting as the payable through bank) incurs liability through a breach of this No Double Debit Warranty.

[17] In the case of a third-party draft, an indemnitor would be the commercial customer. In the case of a payable through draft, a bank providing the payable through draft service would turn to the language assuring that the commercial customer would not hold the bank “responsible or liable.”