Insurance litigation with respect to COVID-19 claims inevitably will be impacted by state and possible federal legislative initiatives currently being proposed. Businesses and insurers should particularly monitor legislative efforts at the state level designed to address civil liability claims derived from COVID-19 as businesses assess reopening scenarios and insurers assess the attendant potential litigation risks.
Various states, including North Carolina, Oklahoma, Utah, Wyoming, Louisiana and Kansas, have already adopted state legislation providing businesses with some type of limited civil liability immunity if customers and employees contract COVID-19 at their premises. In some of these states, the laws cover acts or omissions arising after the date of the emergency order, while in other states, the laws are effective from and after the date of adoption. For example, Iowa’s legislature has approved a measure supported by the Iowa Insurance Institute and NAMIC that provides retroactive immunity from COVID-19 lawsuits.
Under the legislation adopted in these states, businesses in compliance with state and federal guidance, such as that issued by the Centers for Disease Control and Prevention, the Occupational Safety and Health Administration, and/or the state’s Department of Health, would be afforded liability shield protection for potential claims of persons alleging that they contracted COVID-19 on the businesses’ premises. However, immunity typically would not be available if the business acted in a manner deemed to constitute gross negligence, recklessness, or the intentional infliction of harm.
There are few differences in the legislation enacted by these states. In North Carolina, civil immunity is afforded to an emergency response entity or an “essential business” (as listed in the North Carolina Stay at Home Order; as amended, including industries such as health care, critical infrastructure, law enforcement, grocery, hardware stores, pharmacy, banking, eateries for takeout, and lawyers). North Carolina law provides this immunity for acts or omissions taking place on or after March 27, 2020, and until such time as North Carolina’s emergency declaration is rescinded or expires. In Oklahoma, Utah, and Wyoming, the immunity is not limited to essential businesses and appears to be provided to every type of business.
This legislative liability immunity would not necessarily prevent potential plaintiffs from asserting their COVID-19 claims against a business, but it would work as a defense against such claims. To preserve this defense, businesses would need to document the policies they adopted and are maintaining with respect COVID-19, and likewise they would need to record any event in which procedures were not followed, along with the corrective action taken to remedy the breach, in order to combat potential civil claims.
Wyoming faced challenges in adopting its immunity legislation, which was not approved as a standalone bill, but as an amendment to another bill discussed in the Wyoming House and the Senate. The amended law, which applies only during declared public health emergencies, provides immunity to businesses that act in ”good faith” and follow state health orders at the time of the alleged exposure to the coronavirus.
In Kansas, Bill HB 2016 was approved by the House and the Senate on June 4, 2020 and signed by the Governor on June 9, 2020. The legislation gives any person conducting business in Kansas immunity from liability in a civil action for a COVID-19 claim if such person was acting pursuant to, and in substantial compliance with, public health directives applicable to the activity giving rise to the cause of action when the cause of action accrued. The protection will expire on January 26, 2021.
In addition to these state initiatives, the business community is pushing Congress to adopt legislation that would provide legal protection in the face of concerns that businesses could face an avalanche of lawsuits as they begin to reopen. In response, Senator Majority Leader Mitch McConnell is promoting a proposal which he envisions will be introduced soon, intended to expand liability protections for businesses. Such protections would provide liability safe harbors for businesses that comply in good faith with governmental guidance.
This liability protection would not be offered to those businesses that are grossly negligent or that act with intentional or willful disregard for safety. It is possible that this legislation could act as the minimum standard for liability protections that could facilitate uniformity among those states adopting similar legislation, beyond which states could always enact more strict immunity protection.
Senator McConnell has indicated that he intends to include this proposal in any further relief or stimulus proposals, including potentially the proposed Heroes Act discussed below. The proposal would give employers latitude to abide by the guidelines of the Centers for Disease Control and Prevention or the guidelines of other federal, state, or local governmental entities. The proposal would be retroactive to 2019 and would provide protection against lawsuits through 2024.
House Democrats recently introduced a new stimulus relief package known as the Heroes Act, which will likely exceed $2.2 trillion in stimulus funding, and is expected to include new state and local aid, more direct payments to Americans, and an increase in food assistance. The Heroes Act does not include liability immunity for businesses. Senator McConnell has countered that any new stimulus package would need to include liability immunity, such as the proposal he is advancing.
Several organizations and associations, including the National Association of Mutual Insurance Companies, the National Association of Professional Insurance Agents, the American Property Casualty Insurance Association, and the Independent Insurance Agents & Brokers of America, sent a letter to Congress on May 27, 2020, asking Congress to enact liability relief legislation affording immunity to businesses as a consequence of COVID-19 claims from employees and customers.
The legislative grant of immunity to a business from civil suit due to COVID-19 would undoubtedly impact the insurance industry, particularly those carriers issuing comprehensive general liability coverage (GCL). It is beyond the scope of this article to address the interplay of legislation providing immunity from liability and workers’ compensation insurance, and that certainly merits consideration.
GCL policies would cover “bodily” injury caused to third parties on the insured (i.e., business) premises. A claim made by customer or third-party or conceivably by an employee, alleging COVID-19 harm caused by an insured that failed to exercise reasonable care in implementing and enforcing policies with respect to potential exposure to the novel coronavirus, could be covered by a GCL policy, absent a specific exclusion. To the extent that immunity is granted to businesses for any harm caused by coronavirus, there arguably would be fewer claims made against those businesses under CGL policies. This, in turn, could translate into fewer claims to be paid, and thus may afford a benefit to CGL insurers. How this evolves in the future is uncertain but bears watching.
Part I: The SEC Should Strengthen the Custody Rule for Investment Advisers
Introduction
The Securities and Exchange Commission (SEC or Commission) should strengthen the custody rules for investment advisers. The SEC’s current rules may not be sufficiently rigorous to prevent the “next Madoff.” Although the Commission amended its custody rule, i.e., Rule 206(4)-2[2] in 2009, these amendments would not prevent a determined fraudster from repeating Bernie Madoff’s heinous financial crimes. This article explains why the SEC should strengthen the rule to require that an investment adviser keep client assets at a custodian that is unaffiliated with that adviser.
Background
In 1962, the SEC adopted a custody rule for registered investment advisers under the authority of the general antifraud provision of section 206.[3] In its adopting release, the Commission explained the rule’s requirement.[4] Briefly, the SEC required registered advisers to hold customers’ securities in a reasonably safe place, to provide clients with an itemized statement of their holdings every three months, and to retain an independent accountant to conduct a surprise audit of the customers’ funds and securities.
The SEC made only minor changes to the custody rule between 1962 and 1997.[5] In 2003, the Commission amended the rule to eliminate the requirement that the adviser retain an independent public accountant to conduct a surprise audit under certain circumstances.[6] The Commission noted in the 2003 Adopting Release:
Under the amended rule, when qualified custodians send quarterly account statements directly to advisory clients, the adviser is no longer required to send its own quarterly statements or to undergo an annual surprise examination. Receiving quarterly account statements directly from the qualified custodians will enable advisory clients to identify questionable transactions early and allow them to move more swiftly than relying on an annual surprise examination.[7]
The Current Custody Rule
After the Madoff[8] and other scandals,[9] the SEC reexamined the custody to rule to consider whether to adopt further changes. As discussed below, on December 30, 2009, the Commission adopted substantial changes to the rule.[10] In particular, the SEC reexamined its decision to eliminate the surprise audit provision.[11] When it adopted the final rule, the Commission restored that provision.[12]
In its current iteration, the custody rule affords significant protections to the customers of investment advisers. Briefly, Rule 206(4)-2 requires an adviser registered or required to be registered under section 203 of the Advisers Act to comply with the following requirements:
Use a qualified custodian to hold customers’ funds and securities.[13] The qualified custodian must maintain the customers’ funds and securities either in a separate account under each client’s name or in accounts that contain only the clients’ funds and securities in the adviser’s name as agent or trustee.[14] Rule 206(4)-2(d)(6) defines a “qualified custodian” as a regulated bank, savings association, broker-dealer, futures commission merchant, or certain foreign financial institutions.[15]
Notify each client of the name and other information about the custodian;[16]
Have a reasonable basis for believing that the custodian sends account statements to the customers.[17]
NB: In the 2009 Amendments, the Commission “eliminate[d] an alternative to the requirement under which an adviser can send quarterly account statements to clients if it undergoes a surprise examination by an independent public accountant at least annually.”[18]
Have an independent public accountant perform a surprise audit at the custodian to verify the customers’ funds and securities.[19]
NB: Hedge fund managers are exempt from the surprise audit requirement if they retain an independent accounting firm that is subject to oversight by the Public Company Accounting Oversight Board (PCAOB) to conduct an annual audit of the custodian.[20] The hedge fund industry did not believe that the surprise audit was workable and urged the SEC to adopt a more rigorous audit requirement for custodians for private funds than is otherwise required. The SEC agreed.[21]
When the Commission proposed amendments to the rule, it proposed additional safeguards for when an adviser or related person maintains client funds or securities as a qualified custodian.[22] In addition, the Commission asked whether it should require that custodians be independent of the investment adviser:
We request comment on whether, as an alternative to our proposal to impose additional conditions on advisers that serve as, or have related persons that serve as, qualified custodians for client assets, we should simply amend rule 206(4)-2 to require that an independent qualified custodian hold client assets. The use of a custodian not affiliated with the adviser would address the conflict, and potentially greater risks to client assets, that may be presented when an adviser or its related person acts as custodian for client assets.[23]
The Commission declined to require that the custodian be independent from the adviser.[24] It made only modest changes to that portion of the proposed rule. The final rule provides that if the adviser maintains, or has custody because a related person maintains, client funds or securities pursuant to this section as a qualified custodian in connection with advisory services that the adviser provides to clients,” then the independent public accountant that the adviser hires to perform the independent verification (including the surprise audit) required in subsection (a)(4) must be registered with and subject to the regular inspection by the PCAOB. In addition, the adviser must obtain (or receive from its related person) a periodic internal control report prepared by that independent public accountant. That report must:
opine on whether the controls are adequate to protect the customers’ funds and securities;
verify that the funds and securities are reconciled to a custodian other than the adviser or its related person; and
subject the independent reporting accountant to PCAOB oversight.[25]
The custody rule also includes an exemption from the surprise examination requirement in subsection (a)(4) where the adviser is operationally independent of the related person custodian.[26]
In the intervening years, the SEC and its staff have identified significant concerns regarding investment advisers’ compliance with the custody rule.[27] The SEC’s Office of Compliance, Inspections, and Examinations (OCIE) stated in its 2014 Exam Priorities:
[The National Examination Program] continues to observe non-compliance with . . . the Custody Rule. In March, 2013, the NEP published a Risk Alert, sharing observations regarding the most common issues of non-compliance. Given the importance of this requirement for a fiduciary, the staff will continue to test compliance with the Custody Rule and confirm the existence of assets through a risk-based asset verification process. Examiners will pay particular attention to those instances where advisers fail to realize they have custody and therefore fail to comply with requirements of the Custody Rule.[28]
That document refers to another OCIE Risk Alert documenting a wide variety of violations of the custody rule that OCIE identified during investment adviser examinations.[29] The SEC continues to bring enforcement actions against investment advisers for custody rule violations, even if the amounts of the settlements have been relatively modest.[30]
Recommendation
As outlined below, the SEC could do more to enhance the investor protections of the custody rule. The 2009 Amendments, and in particular the changes that the SEC added in subsection (a)(6) of the rule, are very helpful. Requiring that the adviser retain an independent accounting firm under PCAOB oversight to verify custody should reduce the likelihood that a fraudster will not deposit the necessary funds and securities with the custodian or remove them illegally. Nonetheless, it is my view that the SEC should take the next step and require the adviser to use a custodian that is unaffiliated in any way with the adviser.
The Madoff fraud itself indicates that an adviser using an affiliated custodian may more easily commit fraud than if the custodian were unaffiliated. The indictment and plea notes that Bernard L. Madoff Investment Securities (BLMIS) was registered with the SEC as both a broker-dealer and as an investment adviser.[31] The indictment alleges that “the BLMIS ADV contained false statements made for the purpose of deceiving the SEC and hiding the defendant’s unlawful conduct. . . . The BLMIS ADV filed with the SEC provided, among other things, that BMLIS had custody of advisory clients’ securities.”[32] In the Plea Allocution of Bernard L. Madoff, Mr. Madoff states, “I . . . knowingly gave false testimony under oath that . . . my firm had custody of the assets managed on behalf of my investment advisory clients.”[33]
If the SEC had required BLMIS to use a separate entity, Mr. Madoff would have needed many more confederates to commit his fraud. The current requirement that a PCAOB-inspected auditor review the custody arrangements is an important reform, but a clever fraudster might be able to circumvent that requirement. It is obvious that the more people necessary to commit a fraud, the less likely it is that the fraudsters will be able to keep their scheme a secret.[34]
The SEC should amend the custody rule so that a registered investment adviser must use a custodian that has no relation to the adviser. When the Commission declined to adopt the independent custodian requirement, it expressed concern that the requirement would be inconsistent with some business models.[35]
Although I commend the Commission for its consideration of cost factors and varying business models,[36] I believe that it should reconsider this decision. After the SEC adopted its rule, Congress enacted the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act), which includes the Volcker Rule.[37] As a consequence of that requirement and pressure from institutional investors, nearly all hedge fund managers use unaffiliated custodians. In addition, many retail investment advisers use platforms operated by large broker-dealers to execute trades and maintain custody.
If the Commission were to revise the custody rule, it should examine the existing exemptions. After 10 years of experience with the rule, the Commission should consider whether it needs to expand, retain, or reduce current exemptions.[38]
Some investment advisers probably could reconfigure their arrangements to accommodate a requirement of an independent custodian, though others might not be able to do so easily. It is my view that the benefit of requiring a separate custodian substantially would outweigh the cost. Retail and institutional investors would have many investment advisers from which to choose, and their assets would enjoy a greater level of protection.[39]
The current custody rule is a substantial improvement over the 2003 iteration. Nonetheless, we should not wait for another Madoff to steal yet another horse before locking the barn door.
Part II: Congress Should Augment the SEC’s Rulemaking Authority; SEC Should Make Better Use of Existing Authority
Introduction
Congress should enact a general rulemaking provision for the Advisers Act that is analogous to section 15 of the Securities Exchange Act of 1934 (Exchange Act) for broker-dealers. Initially, Congress enacted the Advisers Act as a broad statement of principles with relatively few specific mandates. As fiduciaries, the Advisers Act requires investment advisers to act in the best interests of their clients. Given that advisers are fiduciaries, the SEC adopted relatively few rules under the Advisers Act compared to the SEC’s and FINRA’s regulation of broker-dealers.
Over time, Congress and the SEC have imposed more specific requirements on investment advisers. Unfortunately, Congress did not grant the SEC general rulemaking authority under the Advisers Act. Accordingly, the SEC has had to use its broad antifraud authority under section 206 as the basis for adopting a number of rules that, arguably, the Commission could better address under a grant of general rulemaking. Consequently, an investment adviser that fails to satisfy rules that are prophylactic in nature will find that it has violated an antifraud rule, which may have unduly harsh consequences for the adviser. To remedy this problem, Congress should grant the SEC broader authority to adopt prophylactic rules under the Advisers Act. The SEC should have the authority to delineate those offences that are inconsistent with its regulatory mandates from those that are deceptive and fraudulent. The SEC itself has the authority to begin this process, which Congress could then augment. I explain the basis for my suggestions below.
Discussion
In the seminal case SEC v. Capital Gains Research Bureau,[40] the Supreme Court explained the general purpose and operation of the Advisers Act. The court rejected the adviser’s argument that it was legal for it to recommend a stock that it secretly bought for itself and then sold, even if its recommendation was legitimate. The court explained:
The Investment Advisers Act of 1940 was “directed not only at dishonor, but also at conduct that tempts dishonor.” United States v. Mississippi Valley Co., 364 U.S. 520, 549. Failure to disclose material facts must be deemed fraud or deceit within its intended meaning, for, as the experience of the 1920s and 1930s amply reveals, the darkness and ignorance of commercial secrecy are the conditions upon which predatory practices best thrive. To impose upon the Securities and Exchange Commission the burden of showing deliberate dishonesty as a condition precedent to protecting investors through the prophylaxis of disclosure would effectively nullify the protective purposes of the statute. Reading the Act in light of its background we find no such requirement commanded. . . . The statute, in recognition of the adviser’s fiduciary relationship to his clients, requires that his advice be disinterested. To insure this it empowers the courts to require disclosure of material facts. It misconceives the purpose of the statute to confine its application to “dishonest” as opposed to “honest” motives. . . . The high standards of business morality exacted by our laws regulating the securities industry do not permit an investment adviser to trade on the market effect of his own recommendations without fully and fairly revealing his personal interests in these recommendations to his clients. [Emphasis added.][41]
In the intervening years, the SEC adopted rules that impose obligations on investment advisers that are more specific than a general fiduciary standard would require. For example, the SEC adopted Rule 206(4)-7 in 2003 requiring advisers to have written policies and procedures to prevent a violation of the Advisers Act and its rules, to review the adequacy of those policies annually, and to appoint a chief compliance officer.[42] There are several others.[43]
A compliance rule probably is wise policy, but the failure to appoint a chief compliance officer without any other wrongdoing should not be fraudulent conduct by the adviser that is a violation of section 206 of the Advisers Act. Investment advisers operated for decades under the Advisers Act without appointing a chief compliance officer, and most did so without violating their fiduciary obligations to customers or committing fraud. Given the limitations of the Advisers Act, the SEC had little choice but to adopt this rule under section 206. However, a violation of Rule 206(4)-7 does not mean that an adviser behaved wrongfully with respect to its clients; that rule is only a means to the end of ensuring that the adviser complies with the law and protects its clients. Indeed, it is possible that a tenacious litigant and a friendly court might conclude that Rule 206(4)-7 is not an antifraud rule. If a court so concluded, it could find that the custody rule exceeds Congress’s grant of authority.
A better answer is for Congress to amend the Advisers Act and to grant the SEC authority analogous to its authority over broker-dealers. The Exchange Act grants broad authority to the Commission to prohibit fraudulent practices at broker-dealers, but Congress also granted the SEC authority to adopt prophylactic rules.
Below are two examples of antifraud rules that the SEC adopted to regulate broker-dealers. The SEC adopted these rules under section 10 of the Exchange Act, that statute’s broad antifraud provision:
Regulation SHO, which governs short sales. Subsection 10(a)(1) of the Exchange Act grants the Commission specific authority to regulate short selling.[44]
Rule 10b-3, which prohibits broker-dealers from engaging in certain fraudulent activities.[45] The better-known Rule 10b-5 applies to any person.
By comparison, in section 15(c)(3) of the Exchange Act,[46] Congress grants the SEC authority to establish financial responsibility rules, separate and apart from the antifraud authority in section 10. The SEC used this authority to adopt the net capital rule[47] and the customer protection rule,[48] both of which are essential to protecting customers’ assets held at a broker-dealer. A broker-dealer must be able to demonstrate “moment to moment” compliance with the net capital rule.[49] A broker-dealer that violates the net capital rule must begin liquidation. Neither rule is an antifraud rule.
Congress should enact legislation analogous to section 15 of the Exchange Act that would grant the SEC authority to adopt additional prophylactic rules under the Advisers Act without having to invoke the antifraud authority of section 206.
Some critics might object to this suggestion, arguing that such additional authority would water down or diminish the SEC’s current prohibitions. For example, they might fear that enacting such a provision would diminish the importance of an adviser complying with the insider trading prohibitions under section 10(b) of the Exchange Act and Rule 10b-5. In fact, the opposite is true. When Congress enacted section 204A of the Advisers Act, it required advisers subject to the reporting requirements of section 204 to maintain and enforce policies and procedures reasonably designed to prevent insider trading.[50] Congress added this provision in section 3 of the Insider Trading and Securities Fraud Enforcement Act of 1988. An investment adviser violates section 204A if it fails to establish, maintain, and enforce such a system, even if the adviser never trades on insider information. Section 204A is a separate, prophylactic requirement and is independent of the insider trading prohibitions in section 10(b) of the Exchange Act and Rule 10b-5, as well as section 206 of the Advisers Act. Clearly, Congress deemed it important to ensure that the SEC had independent authority to ensure that investment advisers adopted policies and procedures designed to prevent insider trading.
The SEC could use its current authority to demonstrate the importance of separate authority to adopt prophylactic rules in addition to antifraud rules. Congress added a separate and explicit custody provision to the Advisers Act itself after the financial crisis of 2008 and the Madoff scandal. Section 411 of the Dodd-Frank Act amended the Advisers Act to include the following provision:
Section 223. An investment adviser registered under this title shall take such steps to safeguard client assets over which such adviser has custody, including, without limitation, verification of such assets by an independent public accountant, as the Commission may, by rule, prescribe.[52]
Further, as noted, the SEC amended the custody rule after the Madoff fraud, but before Congress enacted section 223 as part of the Dodd-Frank Act. After notice and comment, the SEC could adopt the text of the custody rule under the authority of section 223. It then could adopt a separate rule providing that the willful violation of the custody rule is a violation of section 206, the antifraud provision.
This change would make clear that an adviser that was merely negligent did not violate the Advisers Act’s antifraud provisions. It also would remove any doubt as to the validity of a custody rule because the statutory basis would not be section 206, the antifraud provision.
The SEC should have the authority to distinguish between negligence and Madoff-style fraud. Advisers who make a minor error complying with the custody rule should not have to explain to their clients why a technical error is not really fraud. This first step could demonstrate to Congress the wisdom of augmenting the SEC’s power.
Similarly, if Congress expanded the SEC’s power, it could adopt prophylactic rules regarding advertisements by investment advisers; cash payments for client solicitations; political contributions by certain investment advisers; and proxy voting.[53] The Commission could then adopt antifraud rules for each of these provisions prohibiting willful violations. Accordingly, an investment adviser that makes a minor mistake with regard to any of these rules would not be subject to a charge that it had committed fraud.[54] By the same token, the SEC would retain the authority to charge a violation of both the prophylactic rule and the antifraud rule in egregious cases.
The current framework does nothing to distinguish serious violations from negligent errors. An adviser that commits a minor violation must explain why a fraud charge overstates the nature of the wrongdoing. For example, an adviser to a hedge fund would find it awkward to explain a minor mistake to the board of an institutional investor. Indeed, the adviser might be reluctant to settle an enforcement action with the SEC for that reason. By the same token, an adviser that commits serious fraud may try to excuse its behavior to less sophisticated investors by saying that the SEC calls any minor transgression fraud. The law should not paint the serious wrongdoer and the minor transgressor with the same brush.
To be clear, I am not suggesting that Congress should alter the existing fiduciary duty inherent in the Advisers Act. Congress should not, as the Supreme Court cautioned, “impose upon the Securities and Exchange Commission the burden of showing deliberate dishonesty as a condition precedent to protecting investors through the prophylaxis of disclosure would effectively nullify the protective purposes of the statute.” I am suggesting that Congress should grant the SEC greater flexibility so that its rulemaking authority would better match the evolution of the regulatory framework. The SEC should have greater authority to impose a broader range of prophylactic rules in addition to its antifraud rules.
Conclusion
The SEC has listed a review of the custody rule as a priority on its regulatory agenda.[56] That is a wise decision. More than 10 years have passed since the Commission adopted its last set of amendments to the custody rule. Regulators should reassess any rule after a significant period of time has elapsed to determine what has worked well and what could work better. Even the most brilliantly drafted rule may need adjustments in light of external developments.[57] The forthcoming review of the custody rule will afford the SEC the opportunity to consider suggestions from the public, including those outlined above.
It shall be unlawful for any investment adviser, by use of the mails or any means or instrumentality of interstate commerce, directly or indirectly—
(1) to employ any device, scheme, or artifice to defraud any client or prospective client;
(2) to engage in any transaction, practice, or course of business which operates as a fraud or deceit upon any client or prospective client;
(3) acting as principal for his own account, knowingly to sell any security to or purchase any security from a client, or acting as broker for a person other than such client, knowingly to effect any sale or purchase of any security for the account of such client, without disclosing to such client in writing before the completion of such transaction the capacity in which he is acting and obtaining the consent of the client to such transaction. The prohibitions of this paragraph (3) shall not apply to any transaction with a customer of a broker or dealer if such broker or dealer is not acting as an investment adviser in relation to such transaction; or
(4) to engage in any act, practice, or course of business which is fraudulent, deceptive, or manipulative. The Commission shall, for the purposes of this paragraph (4) by rules and regulations define, and prescribe means reasonably designed to prevent, such acts, practices, and courses of business as are fraudulent, deceptive, or manipulative.
The Commission stated that it also was relying on authority that Congress granted in another portion of the Advisers Act. Part II of this article highlights the limitations of the Commission’s rulemaking authority under the Advisers Act and recommends an alternative.
The rule makes it a fraudulent, deceptive or manipulative act, practice or course of business for any investment adviser who has custody or possession of funds or securities of clients to do any act or to take any action with respect to any such funds or securities unless (1) all such securities of each such client are segregated, marked to identify the particular client who has the beneficial interest therein, and held in safekeeping in a reasonably safe place; (2) all funds of such clients are deposited in one or more bank accounts which contain only clients’ funds; such accounts are maintained in the name of the investment adviser as agent or trustee for such clients; and the investment adviser maintains a separate record for each such account showing where it is, the deposits and withdrawals, and the amount of each client’s interest in the account; (3) the adviser, immediately after accepting custody or possession, notifies the client in writing of the place and manner in which the funds and securities will be maintained; (4) the adviser sends each client, at least once every three months, an itemized statement of the funds and securities in his custody or possession at the end of such period and all debits, credits and transactions in the client’s account during the period; and (5) at least once each calendar year the funds and securities are verified by actual examination by an independent public accountant in a surprise examination and a certificate of the accountant, stating that he has made the examination and describing the nature and extent of it, is sent to the Commission promptly thereafter.
[5] 54 Fed. Reg. 32049 (Aug. 4, 1989); 62 Fed. Reg. 28135 (May 22, 1997). The 2009 Proposing Release, infra note 10, states at note 13:
In 1997, we amended the rule to make it applicable only to advisers who are registered, or required to be registered, with the Commission. Rules Implementing Amendments to the Investment Advisers Act of 1940, Investment Advisers Act Release No. 1633 (May 15, 1997) [62 FR 28112 (May 22, 1997)] at Section II.I.5.
[6] Adoption of Rule 206(4)-2 under the Investment Advisers Act of 1940, Investment Advisers Act Release No. 123 (Feb. 27, 1962) [27 Fed. Reg. 2149 (Mar. 6, 1962)] cited in the 2009 Proposing Release, infra note 10.
[7] Release IA- 2176 (Sept. 25, 2003; 68 Fed. Reg. 56692 (Oct. 1, 2003), at 56697 (citations omitted). The Commission made provision for “the small group of advisers that cannot use the new approach and therefore must continue to undergo an annual surprise examination,” Id (citation omitted).
[8] Numerous government documents, news articles, books, and movies have described Bernard L. Madoff’s Ponzi scheme. Briefly, Madoff, who had earned respect for his broker-dealer operations, ran a massive Ponzi scheme through a separate investment adviser.
In 2003, we amended the rule to eliminate the annual surprise examination with respect to client accounts for which the adviser has a reasonable belief that ‘‘qualified custodians’’ provide account statements directly to clients. We believed that direct delivery of account statements by qualified custodians would provide clients confidence that any erroneous or unauthorized transactions would be reflected and, as a result, would be sufficient to deter advisers from fraudulent activities.
We have decided to revisit the 2003 rulemaking in light of the significant enforcement actions we have recently brought alleging misappropriation of client assets. [footnotes omitted.]
[13] Rule 206(4)-2(a)(1). The custody rule provides certain exemptions from the qualified custodian requirement. Rule 206(a)(4)-2(b) provides six exceptions from the qualified custodian requirement. For example, subsection (2) exempts certain privately offered securities:
(i) You are not required to comply with paragraph (a)(1) of this section with respect to securities that are:
(A) Acquired from the issuer in a transaction or chain of transactions not involving any public offering;
(B) Uncertificated, and ownership thereof is recorded only on the books of the issuer or its transfer agent in the name of the client; and
(C) Transferable only with prior consent of the issuer or holders of the outstanding securities of the issuer.
The SEC staff also has provided guidance exempting privately placed securities in certificated form from the custody rule under certain circumstances.
The Division would not object if an adviser does not maintain private stock certificates with a qualified custodian, provided that (1) the client is a pooled investment vehicle that is subject to a financial statement audit in accordance with paragraph (b)(4) of the custody rule; (2) the private stock certificate can only be used to effect a transfer or to otherwise facilitate a change in beneficial ownership of the security with the prior consent of the issuer or holders of the outstanding securities of the issuer; (3) ownership of the security is recorded on the books of the issuer or its transfer agent in the name of the client; (4) the private stock certificate contains a legend restricting transfer; and (5) the private stock certificate is appropriately safeguarded by the adviser and can be replaced upon loss or destruction.
SEC, Division of Investment Management, IM Guidance Update, Aug. 2013, No 2013-04 [citations omitted], as referenced in Lemke & Lins, infra note 25, at §3:63, n.3.
Limited partnerships subject to annual audit. You are not required to comply with paragraphs (a)(2) and (a)(3) of this section and you shall be deemed to have complied with paragraph (a)(4) of this section with respect to the account of a limited partnership (or limited liability company, or another type of pooled investment vehicle) that is subject to audit (as defined in rule 1-02(d) of Regulation S-X (17 CFR 210.1-02(d)))[if]:
(i) At least annually [the investment adviser] and [sic] distributes its [i.e., the partnership’s] audited financial statements prepared in accordance with generally accepted accounting principles to all limited partners (or members or other beneficial owners) within 120 days of the end of its fiscal year;
(ii) [Such audited financials are reviewed] By an independent public accountant that is registered with, and subject to regular inspection as of the commencement of the professional engagement period, and as of each calendar year-end, by, the Public Company Accounting Oversight Board in accordance with its rules; and
(iii) Upon liquidation [of the fund, the adviser] and [sic] distributes its [i.e., the partnership’s] audited financial statements prepared in accordance with generally accepted accounting principles to all limited partners (or members or other beneficial owners) promptly after the completion of such audit.
[21] 2009 Adopting Release at 1460 and discussion at note 47. See also letter from Stuart J. Kaswell, Executive Vice President and Managing Director, General Counsel, Managed Funds Association, July 28, 2009, and Testimony of Stuart J. Kaswell, Hearing Before the Committee on Financial Services, U. S. House of Representatives, 111th Cong., 1st Sess., Oct. 6, 2009, Serial No. 111-84, at 55–56.
[22] 2009 Proposing Release at 25374, Proposed Rule 206(4)-2(a)(6)(i) and (ii).
Some commenters supported requiring an ‘‘independent’’ qualified custodian, although many commenters opposed the requirement. Several argued that use of an independent custodian would be an impractical requirement for many types of advisory accounts held by smaller investors with broker-dealers, such as wrap fee accounts, in which a client receives bundled advisory and brokerage services from a single firm (or related firms) regulated as both an investment adviser and a broker-dealer. It is common for institutional clients to maintain assets in a custodial account, often with a bank that is unaffiliated with the client’s adviser. We are concerned, however, that requiring an independent custodian could make unavailable many advisory accounts popular with smaller investors, which are today maintained by the adviser or its affiliated brokerage firm or bank. Therefore, we are not amending the rule to require use of an independent custodian, although we encourage the use of custodians independent of the adviser to maintain client assets as a best practice whenever feasible.
2009 Adopting Release at 1462 [citations omitted].
[26] Rule 206(4)-2(b)(6)(i) and (ii). As one treatise explains:
The rule includes an exception to the surprise examination requirement where the adviser is “operationally independent” of the related person custodian. In these situations, the surprise examination requirement would not apply, although the requirements relating to client notification, custodian account statement and an internal control report would continue to apply.
An adviser is operationally independent if: (i) the client assets are insulated from creditors; (ii) the adviser’s personnel do not have access to the clients’ assets; (iii) the advisory personnel and the custodian are not under common supervision; and (iv) the advisory personnel do not hold any position with or share premises with the related person. Lemke & Lins, Regulation of Investment Advisers § 2:53 (2017); See also Rule 206(4)-2(d)(5). One can only wonder if Bernard Madoff would have asserted that the separation of its broker-dealer from its adviser qualified as “operationally independent” under this exception.
[27] Lemke, Lins, Hoenig & Rube, Hedge Funds and Other Private Funds: Regulation and Compliance § 3:62 (2017–18) (“the SEC staff has identified investment adviser and fund manager custody issues as an examination priority.”) (emphasis in original).
[30]See, e.g., In the Matter of ED Capital Management et. al, Investment Advisers Act Release 5344 (Sept. 13, 2019). Among other things, the adviser “failed to distribute annual audited financial statements prepared in accordance with Generally Accepted Accounting Principles (“GAAP”) to the investors in the largest private fund that it advised in each fiscal year from 2012 through 2016, in violation of Section 206(4) of the Advisers Act and Rule 206(4)-2 thereunder. . . .” See also In the Matter of Hudson Housing Capital, LLC, Investment Advisers Act of 1940, Release No. 5047 (Sept. 25, 2018).
[33] The Plea Allocution of Bernard L. Madoff at 3, included in United States of America v. Bernard L. Madoff, U.S. District Court for the Southern District of New York, 09 CR 213 (DC), included in Full Madoff Court Transcript, Mar. 12, 2009.
[34] B. Franklin, Poor Richard’s Almanack (1735) (“Three may keep a Secret, if two of them are dead.”).
[37] Section 619 of the Dodd-Frank Act added section 13 of the Bank Holding Company Act of 1956 (BHC Act), also known as the Volcker Rule. The Volcker Rule “generally prohibits any banking entity from engaging in proprietary trading or from acquiring or retaining an ownership interest in, sponsoring, or having certain relationships with a hedge fund or private equity fund.” Department of the Treasury et al, 12 C.F.R. pt. 44, [Docket No. OCC–2018–0010] RIN 1557–AE27, Prohibitions and Restrictions on Proprietary Trading and Certain Interests in, and Relationships With, Hedge Funds and Private Equity Funds, 84 Fed. Reg. 61974 (Nov. 14, 2019). Given that the Volcker rule prevents banks and certain affiliates from sponsoring hedge funds, they may not sponsor and serve as a custodian for the same fund.
[38] As noted, Rule 206(a)(4)-2(b) provides exceptions from the qualified custodian requirement. In the absence of evidence to the contrary, it would be wise to continue such exemptions.
[39] I am not suggesting that the Commission should make any changes to other aspects of the rule. For example, I would not alter Rule 206(4)-2(b)(3)(i) that exempts the adviser from obtaining an independent verification of client funds and securities if the adviser has custody solely as a consequence of having the authority to make withdrawals from client accounts to pay its advisory fees. In addition, I am not suggesting that the SEC should not permit broker-dealers to retain possession and control of customers’ funds and securities. Congress and the SEC have instituted requirements to ensure the protection of customer property. See the discussion, infra, of section 15(c) of the Exchange Act and Rules 15c3-1 and 3-3.
[42] 17 C.F.R. § 275.206(4)-7 (compliance procedures and practices):
If you are an investment adviser registered or required to be registered under section 203 of the Investment Advisers Act of 1940 (15 U.S.C. 80b-3), it shall be unlawful within the meaning of section 206 of the Act (15 U.S.C. 80b-6) for you to provide investment advice to clients unless you:
(a) Policies and procedures. Adopt and implement written policies and procedures reasonably designed to prevent violation, by you and your supervised persons, of the Act and the rules that the Commission has adopted under the Act;
(b) Annual review. Review, no less frequently than annually, the adequacy of the policies and procedures established pursuant to this section and the effectiveness of their implementation; and
(c) Chief compliance officer. Designate an individual (who is a supervised person) responsible for administering the policies and procedures that you adopt under paragraph (a) of this section.
[43] Other rules under section 206 of the Advisers Act that are prophylactic in nature are 17 C.F.R. §§ 275.206(4)-1 (advertisements by investment advisers); 275.206(4)-3 (cash payments for client solicitations); 275.206(4)-5 (political contributions by certain investment advisers; and 275.206(4)-6 (proxy voting).
[44] In the release proposing Regulation SHO, the SEC notes that “[s]ection 10(a) of the Exchange Act gives the Commission plenary authority to regulate short sales of securities registered on a national securities exchange (listed securities), as necessary to protect investors.” Release 34-48709 (Oct. 28, 2003); 68 Fed. Reg. 62972, 62973 (Nov. 6, 2003). In the adopting release for Regulation SHO, the Commission invoked the following provisions as the basis for its authority: “pursuant to the Exchange Act and, particularly, Sections 2, 3(b), 9(h), 10, 11A, 15, 17(a), 17A, 23(a), and 36 thereof, . . ., the Commission is adopting §§ 242.200, 242.202T, 242.203, along with amendments to Regulation M, Rule 105, and interpretative guidance set forth in part 24.” 69 Fed. Reg. 48008, 48029 (Aug. 6, 2004). As a matter of caution, the SEC always cites to multiple statutory provisions as the basis for its rules.
It shall be unlawful for any broker or dealer, directly or indirectly, by the use of any means or instrumentality of interstate commerce, or of the mails, or of any facility of any national securities exchange, to use or employ, in connection with the purchase or sale of any security otherwise than on a national securities exchange, any act, practice, or course of business defined by the Commission to be included within the term “manipulative, deceptive, or other fraudulent device or contrivance”, as such term is used in section 15(c)(1) of the act.
(3)(A) No broker or dealer (other than a government securities broker or government securities dealer, except a registered broker or dealer) shall make use of the mails or any means or instrumentality of interstate commerce to effect any transaction in, or to induce or attempt to induce the purchase or sale of, any security (other than an exempted security (except a government security) or commercial paper, bankers’ acceptances, or commercial bills) in contravention of such rules and regulations as the Commission shall prescribe as necessary or appropriate in the public interest or for the protection of investors to provide safeguards with respect to the financial responsibility and related practices of brokers and dealers including, but not limited to, the acceptance of custody and use of customers’ securities and the carrying and use of customers’ deposits or credit balances. Such rules and regulations shall (A) require the maintenance of reserves with respect to customers’ deposits or credit balances, and (B) no later than September 1, 1975, establish minimum financial responsibility requirements for all brokers and dealers.
Every investment adviser subject to section 204 of this title shall establish, maintain, and enforce written policies and procedures reasonably designed, taking into consideration the nature of such investment adviser’s business, to prevent the misuse in violation of this Act or the Securities Exchange Act of 1934, or the rules or regulations thereunder, of material, nonpublic information by such investment adviser or any person associated with such investment adviser. The Commission, as it deems necessary or appropriate in the public interest or for the protection of investors, shall adopt rules or regulations to require specific policies or procedures reasonably designed to prevent misuse in violation of this Act or the Securities Exchange Act of 1934 (or the rules or regulations thereunder) of material, nonpublic information.
ITSFEA includes a parallel provision for broker-dealers in what is now section 15(g) of the Exchange Act.
[51] Pub. L. No. 100-704, 102 Stat. 4680. See Kaswell, An Insider’s View of the Insider Trading and Securities Fraud Enforcement Act of 1988, 45 Bus. Law 245 (1989), revised & republished in American Bar Association, Securities Law Administration, Litigation, and Enforcement, Selected Articles on Federal Securities Law, Vol. III (1991) at 252.
[52] Aug. 22, 1940, ch. 686, tit. II, § 223, as added Pub. L. No. 111–203, tit. IV, § 411, July 21, 2010, 124 Stat. 1577. The Dodd-Frank Act also amended the Advisers Act to require registration of investment advisers to private funds, i.e., hedge funds. Congress included these changes in a comprehensive expansion of the SEC’s authority in Title IV of the Dodd-Frank Act. By comparison, Congress included custody requirements for registered funds in the original Investment Company Act of 1940 (1940 Act). Section 17(f) of the 1940 Act establishes custody requirements for registered management companies. Other provisions of the 1940 Act establish custody requirements for other types of investment companies, e.g., section 26(a) for unit investment trusts.
[54] As discussed below, such a process could include the Commission’s reassessment of those rules and whether it should make any revisions.
[55] SEC v. Capital Gains Research Bureau, 375 U.S. 180 (1963). See also Commission Interpretation Regarding Standards of Conduct for Investment Advisers, IA-5248 (June 5, 2019); 84 Fed. Reg. 33669 (July 12, 2019) (hereinafter Interpretive Release). The Interpretive Release at note 20 discusses whether negligence or scienter is sufficient for a violation of section 206:
Claims arising under Advisers Act section 206(2) are not scienter-based and can be adequately pled with only a showing of negligence. Robare Group, Ltd., et al. v. SEC, 922 F.3d 468, 472 (D.C. Cir. 2019) (‘‘Robare v. SEC’’); SEC v. Steadman, 967 F.2d 636, 643, n.5 (D.C. Cir. 1992) (citing SEC v. Capital Gains, supra footnote 2) (‘‘[A] violation of § 206(2) of the Investment Advisers Act may rest on a finding of simple negligence.’’); SEC v. DiBella, 587 F.3d 553, 567 (2d Cir. 2009) (‘‘the government need not show intent to make out a section 206(2) violation’’); SEC v. Gruss, 859 F. Supp. 2d 653, 669 (S.D.N.Y. 2012) (‘‘Claims arising under Section 206(2) are not scienter-based and can be adequately pled with only a showing of negligence.’’). However, claims arising under Advisers Act section 206(1) require scienter. See, e.g.,Robare v. SEC; SEC v. Moran, 922 F. Supp. 867, 896 (S.D.N.Y. 1996); Carroll v. Bear, Stearns & Co., 416 F. Supp. 998, 1001 (S.D.N.Y. 1976).
This article is not urging that the Congress or the Commission reduce the SEC’s antifraud authority. Instead, the Commission should have greater flexibility to characterize some behavior as fraud and other behavior as wrongful, but of less severity. It is interesting that the Interpretive Release does not specifically discuss custody with regard to an adviser’s fiduciary duty. For example, the Interpretive Release provides that an adviser’s fiduciary duty includes the duty of care. It then notes that:
The duty of care includes, among other things: (i) The duty to provide advice that is in the best interest of the client, (ii) the duty to seek best execution of a client’s transactions where the adviser has the responsibility to select broker-dealers to execute client trades, and (iii) the duty to provide advice and monitoring over the course of the relationship.
Id. at 33672. Without question, an investment adviser has a fiduciary duty to protect the assets over which it has custody. Lemke & Lins, supra note 26.
[56] Office of Information and Regulatory Affairs, Office of Management and Budget, Executive Office of the President, Securities and Exchange Commission, Amendments to the Custody Rule, RIN 3235-AM32, Fall 2019. The Division is considering recommending that the Commission propose amendments to existing rules and/or propose new rules under the Investment Advisers Act of 1940 to improve and modernize the regulations around the custody of funds or investments of clients by investment advisers.
[57] Many investment advisers consider the custody rule to be extremely complex. Lemke et al., supra note 27, at § 3:62.
Petitioners were 18 individuals and entities who owned working interests in some 70 oil and gas leases in three Texas counties (the Assets).[1] The petitioners (Sellers) wished to sell the Assets after development was complete. The Sellers designated Chalker Energy Partners III, LLC (Chalker) as their representative for the sale process, who then hired Raymond James to conduct the sale.
The bidding process involved the usual steps, beginning with providing bidders access to a data room after signing a confidentiality agreement (NDA). The bidders were to then submit bids, and after receiving the bids the Sellers had 24 hours to select the winning bid. After a bid was approved by the Sellers, Chalker was to negotiate a definitive purchase-and-sale agreement (PSA) with the winning bidder.
The NDA contained a “no obligation” clause providing that “the Parties hereto understand that unless and until a definitive agreement has been executed and delivered, no contract or agreement providing for a transaction between the Parties shall be deemed to exist.” The clause goes on to provide that “the term ‘definitive agreement’ does not include an executed letter of intent or any other preliminary written agreement or offer, unless specifically designated in writing and executed by both Parties.”
Le Norman Operating LLC (LNO) expressed interest in purchasing the Assets and signed the NDA. On the deadline for the bidding procedures, November 5, LNO submitted its bid for $332 million for all of the Assets, stating that the bid was subject to “a mutually acceptable (PSA).” These negotiations eventually fell through after multiple conversations back and forth regarding an increased sale price.
The Sellers subsequently decided to sell 67 percent of the Assets, and LNO responded on November 19 with an e-mail titled “RE: Counter Proposal.” LNO specified a list of items in the proposal and gave the Sellers until 5:00 p.m. the next day to accept.
The Sellers voted to move forward with the sale based on the November 19 e-mail from LNO. Before LNO’s deadline to respond on November 20, Chris Simon, the Raymond James employee guiding the sale process, e-mailed Chalker’s vice president of land and business development, Bill Dukes, to inform him that the Sellers were “on board to deliver 67% subject to a mutually agreeable PSA.” Mr. Dukes sent LNO a revised PSA.
On November 22, Jones Energy presented Chalker with a new offer, and the Sellers elected to pursue the transaction with Jones Energy instead of LNO. Chalker and Jones Energy executed a PSA on November 28. That same day, LNO, unaware of the deal between Chalker and Jones Energy, sent a redline PSA to Chalker.
Once LNO discovered the deal with Jones Energy, LNO demanded that the Sellers honor the alleged contract entered into through e-mail exchange. Subsequently, LNO sued the Sellers for breach of contract, alleging that the Sellers breached the “agreement” that Mr. Simon and Le Norman reached through their e-mails on November 19 and November 20 to sell 67 percent of the Assets.
Analysis and Conclusion
The issue before the court was whether the e-mails between the two parties constituted a “definitive agreement.” Both parties agreed that “unless and until a definitive agreement has been executed and delivered, no contract or agreement providing for a transaction between the Parties shall be deemed to exist.” The no-obligations clause in the NDA was evidence that the parties agreed that a definitive agreement was a condition precedent to contract formation. Chalker’s acceptance stating that the purchase was “subject to a mutually agreeable PSA” demonstrated that a definitive agreement between the parties was a condition precedent to contract formation.
The court compared the exchanged e-mails between Chalker and LNO to a “preliminary agreement,” which the signed NDA specifically stated was not a definitive agreement. As further evidence that no definitive agreement had been reached, the court found that the parties had multiple documents that had yet to be negotiated, including an escrow agreement, a noncompete agreement, and a joint operating agreement. Additionally, LNO continued to modify the PSA demonstrating that there were ongoing negotiations between the parties after the e-mails were exchanged on November 19 and November 20.
LNO argued next that there was a fact issue as to whether the Sellers waived the condition precedent by the e-mails sent on November 19 and 20. The court held that those e-mails were not a waiver of the bidding procedures and that the parties did not waive their right to a definitive agreement. Further, the court found that the no-obligation clause was unambiguous and provided both parties with the “freedom to negotiate without fear of being bound to a contract.”
Notably, the court mentioned that Chalker (and the Sellers) were protected by stating in the NDA that the term of the Agreement was one year or on the date that the parties entered into a further written agreement covering confidentiality. This was clear evidence that both parties agreed that the NDA would govern negotiations for the sale of the Assets. Additionally, the NDA stated that Chalker had the right to “conduct the process relating to a possible transaction in any manner it deems appropriate or change the procedure for conducting that process.”
Finally, the court addressed whether the Sellers and Chalker had waived their right to a definitive agreement. To waive this right through conduct of the parties, the party alleging waiver must point to evidence showing intentional relinquishment of that right or intentional conduct inconsistent with claiming that right. Although LNO points to inconsistencies in Sellers’ conduct, including a deviation in deadline and format from the specific bidding procedures the Sellers had in place, this was not sufficient evidence to show an intentional relinquishment of the right to a definitive agreement.
[1] No. 18-0352 (Supreme Court of Tex.) (argued Dec. 4, 2019, decision published Feb. 28, 2020).
A new framework for regulating virtual asset businesses in the Cayman Islands will add a welcome degree of certainty and help maintain the jurisdiction’s position as an attractive domicile for legitimate virtual asset businesses.
Introduced by the Cayman Islands Government on May 20, 2020, the new Virtual Assets (Service Providers) Law (“VASP Law”), which will come into force upon issue of a commencement order, derives from recommendations made by the Financial Action Task Force to provide for the regulation of virtual asset businesses and for the registration and licensing of persons who are providing “virtual asset services.”
As part of this framework, amendments have also been made to other pieces of legislation which will provide coherent regulation for businesses intending to issue virtual assets and businesses carrying on or intending to carry on virtual asset services.
According to definitions outlined in the VASP Law, it will likely capture all cryptocurrencies, security tokens, utility tokens, or other digital assets that are tradeable or transferable, with the exception of digital fiat currencies. It applies to any person, service provider or intermediary providing virtual asset services, such as virtual assets issuance, virtual asset trading platforms, and custody services.
Under the new law, those wishing to undertake virtual asset services from the Cayman Islands must register and/or receive an appropriate license from the Cayman Islands Monetary Authority (“CIMA”), and they will be subject to ongoing requirements, such as providing regular audited accounts and undertaking AML audits.
The VASP Law also introduces the concept of a sandbox license that provides CIMA with the flexibility to regulate relevant businesses that utilize innovative technologies and activities by imposing additional requirements to, or allowing certain exemptions from, the standard requirements within the VASP Law.
A sandbox license is meant to operate for a limited timeframe so that CIMA can assess how best to regulate a sandbox license applicant and whether legislative changes may be required to further promote the development of the innovative technologies or activities subject to the licence.
Meanwhile, the Government has also amended a number of existing laws to extend to virtual assets. These include amendments to the Mutual Funds Law (“MF Law”) and the Securities Investment Business Law (“SIB Law”), which are expected to come into force at the same time as the VASP Law.
The definition of “equity interest” under the MF Law has been amended to include “any other representation of an interest.” This amendment is broad enough to capture digital tokens or other virtual assets. The result is that open-ended funds issuing redeemable tokens instead of shares or other equity interests are now covered by the MF Law and will need to be registered or licensed under that law.
The SIB Law has also been amended to extend to virtual assets. In particular, the definition of “securities” now includes virtual assets which can be sold, traded or exchanged immediately or at any time in the future that could potentially be covered by Schedule 1 of the SIB Law. The securities listed in Schedule 1 of the SIB Law are traditional securities including equity interests, debt instruments, options, and futures.
This will mean that registration or licensing under the SIB Law will be a requirement to deal in, arrange deals in, manage, or advise on virtual assets that are securities.
One significant exclusion applies for private issuers of virtual assets that are securities under the SIB Law. Where a private issuer issues, redeems, or repurchases its own virtual assets that represent shares, limited partnership interests, units in a unit trust, debt, or warrants of the private issuer, the activity is excluded. This means that private issuers issuing certain types of security tokens will not be required to register or be licensed under the SIB Law (although they may still need to be registered under the VASP Law).
Importantly, the Cayman Government’s intention has been to provide for appropriate regulation without stifling innovation. As such, it should help to maintain Cayman’s position as an attractive domicile for legitimate virtual asset businesses.
The U.S. Supreme Court held in GE Energy Power Conversion France SAS, Corp. v. Outokumpu Stainless USA, LLC, No. 18-1048, 2020 WL 2814297 (June 1, 2020), that in certain circumstances, even nonsignatories to an agreement may compel arbitration of international disputes. This ruling clarifies that the doctrine of equitable estoppel currently recognized under chapter 1 of the Federal Arbitration Act (FAA), which governs U.S. domestic arbitrations, can also be applied to international arbitration proceedings governed by chapter 2 of the FAA.
Facts and Procedural History
ThyssenKrupp Stainless USA, LLC (TS) entered into certain contracts in 2007 with F.L. Industries, Inc. (FLI) for construction at U.S.-based plants owned by TS. The contracts contained clauses requiring all disputes to be resolved through arbitration, seated in Germany, in accordance with the International Chamber of Commerce’s Rules of Arbitration (collectively, the Agreements). The Agreements also provided that FLI and all of its subcontractors would be treated as one entity for purposes of applying the terms of the Agreements. Thereafter, FLI entered into subcontract agreements with GE Energy Power Conversion France SAS, Corp. (GEP) with respect to designing and manufacturing equipment to be utilized at TS’s plants. Outokumpu Stainless USA, LLC (OS) acquired ownership of a TS plant and claimed that the equipment manufactured by GEP under the Agreements failed and caused substantial damages to OS.
OS commenced suit in state court against GEP, and GEP then removed the case to federal court and moved to compel arbitration under the Agreements. The district court granted GEP’s motion to compel arbitration and dismissed the case, holding that GEP qualified as a “party” under the arbitration clause even though it was not a signatory to the Agreements.
On appeal, however, the Eleventh Circuit concluded that the decision to compel arbitration was inconsistent with the U.N. Convention on the Recognition and Enforcement of Foreign Arbitral Awards (the New York Convention), which requires that an agreement to arbitrate be “signed by the parties.” The appellate court found that because GEP had not specifically signed the Agreements, and unlike TS and FLI was not a party to the Agreements, GEP had no right to compel arbitration. The court did not find persuasive the fact that the Agreements specifically provided that FLI and its subcontractors should be treated as one and the same, which would therefore include GEP. The Eleventh Circuit held that “[p]rivate parties cannot contract around the requirement that the parties actually sign an agreement to arbitrate their disputes in order to compel arbitration.”
In support of its argument that OS should be compelled to arbitrate, GEP had relied heavily upon the doctrine of equitable estoppel, which in this circumstance would mean that a nonsignatory to a written agreement containing an arbitration clause may compel arbitration when a signatory brings a claim arising out of the agreement against the nonsignatory. The Eleventh Circuit held that this doctrine was applicable in cases concerning domestic arbitration under chapter 1 of the FAA, which does not expressly restrict arbitration to the specific parties to an agreement, but it found that in cases concerning international arbitration, which are governed by chapter 2 of the FAA, the doctrine is not applicable because the New York Convention (as applied to international arbitration agreements) imposes such a restriction.
Decision
Upon review, the U.S. Supreme Court reversed the Eleventh Circuit and in a unanimous decision held that the New York Convention did not conflict with the doctrine of equitable estoppel and was actually silent on the question of whether nonsignatories could enforce an arbitration agreement. The court noted that the New York Convention was never intended to “set a ceiling that tacitly precludes the use of domestic law to enforce arbitration agreements.” The court found that the only provision of the New York Convention that addressed the enforceability of arbitration agreements was Article II(3). Although Article II(3) of the New York Convention mandates that the courts enforce written arbitration agreements, Article II(3) does not restrict the courts from enforcing arbitration agreements under other circumstances. The court held that because the New York Convention was “drafted against the back drop of domestic law, it would be unnatural to read Article II(3) to displace domestic doctrines in the absence of exclusionary language;” and was in fact drafted in a manner that was intended to allow domestic contract law to “fill [any] gaps in the Convention.” The court also recognized that courts of numerous contracting states to the New York Convention permit nonsignatories to compel arbitration under their domestic laws. As a result, the court reversed the Eleventh Circuit and remanded the case for further proceedings consistent with its ruling.
Conclusion
By expanding the application of arbitration to international commercial agreements comprised of multitiered arrangements whereby nonsignatories can seek to compel arbitration, the Supreme Court continues to encourage the use of arbitration as a viable and attractive means to resolve disputes.
As workforces shifted to remote work during the pandemic, trade secret information may have been subject to relaxed protective measures, inadvertent disclosures, or misappropriation. Employees, business partners, and vendors may have accessed information using unsecure personal devices, uploaded information to less secure cloud storage systems (intentionally or unintentionally), or printed sensitive documents on home printers, among other possibilities. As shuttered offices reopen, companies should develop a process to understand how employees, business partners, and vendors stored, transmitted, and otherwise used (or misused) trade secret information while working remotely and act to identify issues and resolve any problems identified.
Below is a five-step process companies can follow as employees, business partners, and vendors return to their workspaces. By taking these steps, a company can assess and address the impact of any relaxed protective measures, inadvertent disclosures, and misappropriation. This applies both to trade secrets owned by the company and those owned by a third party, entrusted to the company pursuant to an NDA or other protective measures. Moreover, should a misappropriation occur in the future, evidence that the company took these precautions will aid the company in proving it took “reasonable efforts” to maintain the information’s secrecy. For that reason, the company should document all efforts taken to preserve trade secret information as employees return to the office.
Step 1: Understand How Employees Used Information While Working Remotely
Companies should first take stock of how employees protected, used, or accessed trade secret information while working remotely. In secured office environments, employers enjoy a wealth of tools to safeguard proprietary information: access to rooms or entire floors can be restricted with keycards or biometrics; employees can be monitored to enforce personal device policies and ensure only secure devices are used; company devices can include multiple layers of protection and virus defense, and paper documents can be easily collected for secure destruction. That is not necessarily true or consistent of remote work, where employees may be tempted or required by necessity to access or store data on unsecure personal devices, transmit data through less secure systems (unable to use secure systems), and create and/or keep sensitive paper documents. Simply put, risks abound when employees work from home. The first step in protecting trade secrets is to identify those risks.
Survey employees to identify all company property used offsite. In addition to big-ticket items like computers, confirm whether employees took home tablets, printers, peripheral devices, USB flash drives, hard drives, or any other digital storage device, as well as paper documents.
Confirm whether employees accessed or stored business information on personal devices. Employees may have accessed company databases or downloaded and stored company information onto a personal computer, tablet, cell phone, external hard drive, or cloud-based system. Employees also may have printed information using a home printer. The risk with printers is threefold: in addition to creating a paper record of sensitive information, modern printers often feature memory storage (where the information may remain in digital form) as well as network or internet connectivity (potentially exposing that information to hackers or other third parties).
Determine whether information was exposed to unapproved software or systems. If an employee sent or received information using a personal e-mail account or unapproved chat or collaboration tools, that information could remain stored on the software provider’s servers unless and until it is deleted. Even if the company has a confidentiality agreement in place with the service provider, that agreement may not apply if the employee uploaded information to a personal or consumer account not associated with the company. Pay special attention to employees’ use of cloud storage services and SaaS systems. Many such solutions automatically sync with personal devices. For example, a file downloaded to an employee’s smartphone may automatically upload to the employee’s personal cloud account, perhaps without the employee’s knowledge. Employers should ask whether employees have made use of cloud storage accounts or SaaS systems and, if so, confirm whether those accounts sync automatically with employees’ devices.
Step 2: Ensure Information Is Returned, Deleted, or Destroyed
After determining how employees used or accessed sensitive information, companies should take steps to ensure that information is returned to the company’s custody, deleted, or destroyed. The goal is to ensure that no proprietary information exists beyond the company’s control. In pursuing that goal, employers should take a nonaccusatory and collaborative approach with employees, keeping in mind that (1) the shelter-in-place/stay-at-home regimes were largely imposed with little notice or preparation time; (2) employee access to hardware, software, and related support may vary greatly within an organization; and (3) employee technical sophistication should be expected to vary.
Confirm company property was returned. Consider preparing a checklist for each employee listing all company property used offsite, including paper documents. Employers may obtain written confirmation from each employee that the list is complete, and all listed items have been returned to the company’s custody.
Inspect company devices—and potentially personal devices—to identify security risks. While working from home, employees may have downloaded unapproved programs or software applications onto company devices (e.g., software to connect to home printers, music streaming software, and the like). Unapproved programs can be potential security risks in that they may expose the device or company systems to intrusion, such as spy-ware, or may send sensitive data to third-party servers for any number or reasons or purposes. Companies should accordingly consider inspecting each company device used in a home setting to ensure that no such software is present, or if it is, address it. Under some circumstances, employers may also consider performing a more comprehensive forensic analysis to verify whether an employee downloaded business information onto personal devices, such as a USB drive. A forensic analysis may be appropriate if the employee is known to have worked with trade secret information from home (such as a software engineer on a development team), gave evasive answers in response to the company’s property use survey, could not remember whether he or she transferred information to a personal device, or allowed others to use company devices for noncompany purposes, including children engaging in remote learning on a company device.
Collect paper documents for proper destruction. If an employee took home paper documents or printed business information at home, require the employee to return the documents to the company (or the company’s vendor) for proper destruction unless the employee can confirm proper shredding at home. Make it easy for the employee to comply because some employees possessing voluminous paper records may be tempted to simply toss them in the trash. Consider sending a courier to pick up the documents, using a remote shredding company that will perform house calls, or supplying prepaid boxes to return paper documents by mail to the company.
Consider inspecting personal devices to ensure no information remains. If the company has a device inspection policy granting it the right to examine personal devices, consider exercising that right and verifying that no business information remains on such devices. Consult legal counsel before inspecting personal devices to ensure the company does not violate privacy rights.
Confirm information has been deleted from personal devices and software. Obtain each employee’s written confirmation that no company information remains stored on any personal device or in any personal software account, including personal e-mail or cloud storage accounts. Provide detailed information as to where data may reside and offer technical assistance to employees who may be unfamiliar with how to properly locate and/or delete data. Remind employees of any confidentiality obligations set out in their employment agreement or proprietary rights agreement with the company.
Step 3: Reinstate Relaxed or Suspended Policies and Security Protocols
In the rush to transition to remote work or based on technical necessity, companies may have relaxed or even suspended policies or protocols designed to preserve trade secret information. Now is the time to reinstate those policies and protocols and to determine whether any inadvertent disclosures occurred. For example, if the company temporarily lifted restrictions on the use of personal devices for company tasks, the restriction should be reinstated once employees have returned to their workspaces. Similarly, if the company loosened access to systems housing sensitive information (such as allowing remote access to certain records outside of a VPN), prior restrictions should be restored. To avoid confusion, the company should clearly communicate to employees which policies have been reinstated and provide training as needed.
Step 4: Confirm Business Partners and Vendors Are Protecting the Company’s Trade Secrets Following a Similar Process
Depending upon the scope of a company’s contract rights and its respective bargaining power with its business partners and vendors, especially technology vendors (e.g., contract manufacturers and designers), companies should take steps similar to those detailed above for returning employees to assess and address the impact of any relaxed protective measures, inadvertent disclosures, or misappropriation by their business partners and vendors stemming from remote working. Some contracts require that a party receiving a company’s trade secret or confidential information must invoke protective measures at least as strong as the receiving party applies to protecting its own trade secret or confidential materials. Some contracts require the receiving party to enact and follow specific, defined protective measures (such as government, regulatory, or industry standards) or measures at least as strong as the disclosing party follows. Moreover, as a verification or confirmation mechanism, many of these contracts provide the disclosing party audit rights or rights to request a certification that the required policies and protocols are in place and followed. Companies should carefully review their contracts on these points with legal counsel.
It is especially important for companies that derive great value from their trade secrets (including competitive advantages and differentiation), and that disclose those materials to business partners and/or vendors subject to NDAs or other protective measures, to follow these steps or similar steps and not limit the investigation to their own internal employees. This is because under state and federal law, trade secret information may lose its trade secret status if inadvertently disclosed or otherwise not reasonably protected, regardless of who is to blame for the inadvertent disclosure or for the failure to follow reasonable protective measures. In other words, a failure by a company’s business partner or vendor to maintain the secrecy of the company’s information could invalidate the trade secret. As a result, trade secret owners must remain vigilant and not blindly relinquish stewardship of their trade secret information to their business partners and vendors. Companies should consult with legal counsel and review applicable agreements before reaching out to business partners and vendors.
Step 5: Be Particularly Vigilant With Employees, Business Partners, and Vendors With Whom the Company Separated During the Pandemic
The pandemic and associated stay-at-home orders forced many companies to furlough and lay off employees, including senior engineers and executives with access to important trade secret information. Similarly, the resulting changes to the economy have forced companies to curtail supply relationships, suspend new product lines, exit or shut down joint ventures, and cancel contracts. Whether justified or not, these actions can result in hurt feelings and worse. Under these circumstances, former employees, business partners, and vendors may be inclined to take or retain a company’s critical business information on the way out the door, including passwords, source code, customer lists, personal and technical data, business plans, financial information, and more. In some cases, the departing employee, business partner, or vendor intends to use the information to establish operations elsewhere. In other cases, the intent is more nefarious and meant to harm the company.
In any event, as return to work occurs, it is critical to use whatever tools may be at hand to review what may have been kept or taken by departed colleagues and partners, and to use legal tools to get the information back. Companies should carefully review the termination clauses in their employment agreements, joint venture agreements, and other contracts with legal counsel and affirmatively exercise their legal rights to obtain or destroy information that might otherwise leave the company inadvertently. If information is missing that includes personal identifiers, it may be necessary to evaluate the company’s obligations under U.S. and international privacy laws as well.
The unprecedented impact of COVID-19 on the American economy has forced many businesses of all sizes and in all industries to seek some form of financial relief. Perhaps the most prominent source is the Coronavirus Aid, Relief, and Economic Security Act (commonly known as the CARES Act), which provides over $2 trillion in assistance through the largest economic stimulus package in U.S. history. A common example of funding under the CARES Act is through the Paycheck Protection Program (PPP) in the form of loans to certain businesses. The CARES Act allocates funds through numerous provisions, the two largest of which are dedicated to corporate and small business loans. Many businesses that receive federal funds will also seek recovery from a second, hotly debated source: insurance. Whether companies are pursuing payment for business interruption, event cancellation, or some other loss, the coming years will bring litigation over coverage and a critical question: Are insurance companies entitled to an offset for any relief that a business receives from the CARES Act (or are losses reduced by any of the ancillary payments for other reasons)? As is often the answer in the legal world, it depends.
While insurers may insist that any CARES Act payment must reduce what is owed under a policy, the analysis begins (and may sometimes end) with the policy itself. The right to an offset is just that—a right that must be grounded in the insurance contract. Many insurance policies contain clauses that specifically address how recoveries from other sources will impact the insurance payout. This frequently takes the form of a “Salvage and Recoveries” provision, “Collection from Others” provision, or some type of subrogation clause. If a policy is devoid of any such language, this should end the inquiry. While different states may have common law doctrines that could affect the outcome, an insurer has no contractual basis to complain. It could have addressed this risk in its policy and failed to do so. As is the case in many jurisdictions, the coverage must be construed broadly and the benefit of the doubt goes to the party that suffered the loss—not the insurance company.
Even when an insurer does address other-source recoveries in its policy, an offset is not necessarily required. Just as before, the policy language and law are key. Generally speaking, one kind of policy provision addressing offset is intended to reduce the carrier’s obligation to pay for the same losses that a policyholder has already recovered from another source. As courts have explained, this requires consideration of the intent behind the “other” funds received by the policyholder. If the statute’s intent is to compensate the company for something other than its losses, courts have held that such a recovery does not entitle the insurer to an offset. That is because the insurance company is obligated to pay for one thing, and the collateral payment may be used to compensate for something different.
This issue was considered in Northrop Gruman Corp. v. Factory Mut. Ins. Co.,[1] where Northrop made an insurance claim for lost earnings from property damage caused by Hurricane Katrina. The federal court in California rejected the insurer’s argument that it was entitled to an offset for federal income tax relief that Northrop received under the Katrina Emergency Tax Relief Act of 2005. Because the Tax Relief Act “was conceived as an incentive to retain employees rather than compensation for a loss,” the court found that the credit received by Northrop was “not a ‘recovery’ or ‘collection for such loss from others’ under the policy language.”
Subrogation clauses are another type of provision on which insurers may rely to claim entitlement to an offset. Such a clause typically provides that “if any person or organization to or for whom we make a payment under this Coverage Part has rights to recover damages from another, those rights are transferred to us to the extent of our payment.” Addressing an offset claim under this language, a Louisiana federal court held that the insurer, RSUI, needed to establish that the policyholder had a “right to recover damages” from the other source.
In Cameron Parish Sch. Bd. v. RSUI Indem. Co.,[2] CPSB was entitled to recovery under its flood insurance policy and received assistance from the Federal Emergency Management Agency policy (“FEMA”) in the wake of Hurricane Rita. RSUI argued that it was entitled to an offset because CPSB was attempting to “re-characterize and ‘double recover’ alleged losses . . . that [were] already [] allotted or promised from FEMA.” The court rejected this argument, holding that “RSUI has not demonstrated that CPSB has a ‘right to recover damages’ from FEMA, and as such, RSUI is not entitled to receive an offset for FEMA funds.” The insurer failed to present evidence of FEMA payments or cite any authority where an insurer was entitled to receive an offset from FEMA payments.
Determining whether CARES Act payments create offset rights for insurers can be impacted by the section under which payment is made and how the recipient ultimately spends the money. For example, one of the most popular sections of the Act is the Small Business Paycheck Protection Program, which is generally open to small businesses with 500 or fewer employees. Funds are provided in the form of loans that will be fully forgiven when used for payroll costs, interest on mortgages, rent, and utilities. At least 75% of the forgiven amount, however, must have been used for payroll. None of these elements are expressly intended to compensate businesses for lost income due to the COVID-19 pandemic. But this is where the policy language becomes key. Business interruption policies may address some of these elements, potentially creating room for debate as to whether an offset is appropriate. Other policies, however, provide coverage entirely unrelated to the compensation that a business might receive under the CARES Act. The greater the distinction between the coverage and the statutory payment, the less likely it is that an offset is due.
Regardless of the type of policy provision at issue, the burden of proving entitlement to an offset will almost uniformly fall to the insurance company. And, as is the case in most jurisdictions, any uncertainty will be interpreted in favor of the policyholder and broader coverage. This was precisely the case in Yorktowne Shopping Ctr., LLC v. Nat’l Sur. Corp.,[3] where the court ruled in the insured’s favor after the insurer failed to demonstrate which portions of a separate recovery entitled the carrier to an offset. Policyholders are placed at an advantage from the outset, as the evidentiary burden and the benefit of the doubt are both in the insured’s favor.
Though insurance companies may seek to deduct any CARES Act recoveries from their insurance payouts, the inquiry is more nuanced than simple arithmetic. Carriers will be quick to point the accusatory “double recovery” finger at policyholders to ensure that they pay out as little as possible. But the “double recovery” accusation assumes the answer. Policyholders, in turn, must be prepared to show that a setoff is not warranted. Ultimately, courts will have to carefully consider whether there is overlap between the statutory payment and the insurance coverage at issue and if there is a basis in the insurance policy to allow the insurer to an offset or to otherwise reduce the loss it is obligated to pay. As with many other aspects of COVID-19 and its ramifications, it is too early to tell how all of the different insurance angles will play out.
[3]Yorktowne Shopping Ctr., LLC v. Nat’l Sur. Corp., No. 1:10-CV-1333, 2011 WL 4829933 (E.D. Va. Oct. 11, 2011) (noting that the party who asserts an offset must prove its claim, and that the insurer failed to offer sufficient evidence to show which portions of a separate judgment and security deposit required an offset under its policy).
Throughout the 20th and 21st centuries, every national crisis in the United States has left a long wake of investigations in its trail at all levels of government. Those governmental investigations and enforcement actions have followed a familiar pattern when arising out of a public crisis.
First, investigative and regulatory bodies at both the federal and state levels target the obvious scammers. In the context of the COVID-19 crisis, this includes obvious frauds such as selling snake oil as a panacea to COVID-19; selling fake tests to consumers and to states; and promising to deliver medical supplies to hospitals, receiving payment from the government, and then disappearing before ever delivering the goods. This “first wave” of enforcement actions generally takes priority among regulators because the conduct at issue directly impacts public safety. Indeed, the Office of the Inspector General (OIG) announced a “strategic plan” outlining the following four goals relating to the enforcement and protection of the Department of Health & Human Services’ (HHS) COVID-19 response and recovery efforts: (1) protect people, (2) protect funds, (3) protect infrastructure, and (4) promote effectiveness of HHS programs—now and into the future.[1] Unsurprisingly, COVID-19’s first wave has already begun.[2]
Once the first wave is well underway, the government shifts focus to its next target: the more reputable companies and businesses operating in a potentially “grey” area. Typically, the targets of these cases believe they complied with the law but have a genuine disagreement with the government about how a law, regulation, or contractual condition should apply or be interpreted. Although these cases are more resource-intensive, they correspondingly present an opportunity for the government to recover larger amounts of money and generate bigger headlines. These cases constitute the “second wave” of enforcement; notably, most investigative and regulatory bodies follow this two-wave paradigm, whether it be the U.S. Department of Justice (DOJ), the state attorneys general, the Federal Trade Commission, the Consumer Financial Protection Bureau, or the most recent player, local governments.
In the context of the COVID-19 crisis, the second wave is coming, and when it hits, it will be a tsunami.
1. What the COVID-19 Tsunami Will Look Like
The second wave of the COVID-19 crisis is likely to be more extreme and long-lasting than ever before. The factors leading up to the second wave are unprecedented in our history—the federal government has disbursed trillions of dollars to the private sector with minimal federal oversight—and those factors create an environment that is ripe for downstream allegations of fraud. The federal government will have a groundswell of public support to exact retribution against those companies and individuals who took advantage of the public trust during the crisis. In parallel, state and local governments are starving for revenue as a result of severe budget shortfalls caused by COVID-19. As such, the need for funding will usher in an unparalleled era of state and local enforcement action, where states, led by state attorneys general, and localities will rely on lawsuits and investigations as a means of recapturing lost revenue for both consumers and the governmental entities more so than ever before.
A. The Federal Government’s Disbursement of Funds
Whenever the federal government disburses funds to private actors, especially at alarming rates, an environment exists for fraud to flourish because those funds are typically disbursed with numerous conditions tied to them. Such conditions can take the form of details in the statute, regulations promulgated by agencies, or even less formal regulatory guidance. Yet, the risk that many companies accepting those funds run is the failure to comply, even inadvertently, with the “fine print,” thus exposing them to claims of having wronged the government.
In such times, the federal government will turn to a familiar and favorite tool in its box: the Federal False Claims Act (FCA), 31 U.S.C. § 3729–3733. The FCA is no stranger to the healthcare, medical device, or pharmaceutical industries in that the DOJ has used it extensively for decades to successfully combat fraudulent claims for reimbursement submitted to Medicare, Medicaid, TRICARE, and other governmental payors, and to recover tens of billions of dollars in the process. The FCA is a particularly potent tool because it enables the federal government to recover not only treble damages, but also statutory penalties of $5,500 to $11,000 per violation. The crippling exposure that the FCA often generates, sometimes in the billions, is enough to strongarm most companies into lucrative settlements, even where those companies have highly meritorious defenses.
This tool is likely to be front and center in the investigations and enforcement space over the next five to ten years. In the first three months of the COVID-19 crisis, the federal government disbursed trillions of dollars to stimulate the economy to save small businesses and to facilitate the transfer of personal protective equipment (PPE), ventilators, testing, swabs, prescription drugs, and other medical supplies to states and localities. In an effort to contribute during the national crisis, numerous companies have answered the call to provide the necessary medical supplies that states and the nation required to save lives, accepting federal government dollars as payment for those services.
To the extent those companies did not fully comply with all of the terms and conditions of taking those funds, however, they face the very real risk of allegations of fraud or other impropriety by employee whistleblowers or the federal government. That risk is heightened by the speed at which these contracts were executed and funds received, where there often was insufficient time for a thorough review of the associated obligations by outside counsel or even in-house legal departments in some cases.
For these reasons, a spike in FCA investigations and lawsuits is likely coming. Indeed, the OIG has already stated its intentions to audit fund recipients in connection with its goal of protecting HHS funds.[3] Although no industry is immune, the healthcare, pharmaceutical, biotech, and medical supply industries are especially at risk; similarly, companies that participate in the manufacturing, distribution, and brokerage of medical equipment are likely to be hard hit. In the same vein, hospitals, long-term care facilities, testing labs, and nursing homes must be on high alert.
B. The State Response and the Role of State Attorneys General
States, meanwhile, are in dire straits as a result of budget shortfalls caused by COVID-19. The impact will likely continue to plague states for at least the next three to five years. The stay-at-home orders across the country have decreased sales tax revenue, delayed deadlines for filing state income tax returns and paying state income taxes due, and vastly reduced the use of public transportation and toll roads. At the same time, the federal government has largely required the states to assume the responsibility for procuring PPE, tests, ventilators, and other medical supplies at their own expense. Neither the CARES Act nor other federal legislation disbursing federal funds provided significant relief to the states in this regard.
Making matters worse, many states claim to be victims of fraud and contractual breaches at the hands of the private sector. The governor of Massachusetts, for example, claimed that “millions of pieces of [medical] gear evaporate[d] in front of us” after confirmed orders with private vendors. Likewise, Maryland canceled a $12.5 million contract for PPE with a firm that allegedly failed to deliver masks and ventilators as promised. That matter has already been referred to Maryland’s attorney general for review.
States, though, have more ability than ever to combat these two problems simultaneously. Most states have noticed the potency of the federal FCA and enacted state analogs to that statute over the past three decades; however, only recently have states started enforcing them aggressively. That trend is likely to intensify because the state false claims acts empower states to recover treble damages and statutory penalties of approximately $5,500 to $12,000 dollars per violation against actors who defraud the state—a windfall in this era where states are desperate for dollars. Even some large localities, like Miami-Dade and Philadelphia, have tagged along and implemented analogous ordinances, and like their federal counterpart, the exposure generated by these state and local false claims acts often force companies to the settlement table, even where they have worthwhile legal defenses. Such settlements, even at the state or local level, are rarely cheap. Consequently, states and localities will have incentive to file claims under these statutes to pursue revenue windfalls that can help offset their budgetary gaps.
In addition, state attorneys general have ratcheted up enforcement actions in recent years. In addition to prosecuting cases under the state false claims acts, state attorneys general also have power to bring actions against companies that are reported for violations that harm consumers under state consumer protection acts. In light of the public harm that COVID-19 has inflicted, consumer protection act cases are likely to skyrocket in coming months. For these reasons, companies must look not only at the activity of DOJ and federal regulatory bodies, but also at enforcement trends and activity commencing at the state and local level.
Together, the forthcoming investigation and enforcement actions by the federal, state, and local governments will create a tsunami, the likes of which the private sector has never seen.
2. How Companies Can Prepare
There are several steps companies can take to reduce the risk of, and defend against, regulatory inquiries:
Prioritize compliance programs and involve both the compliance department and in-house legal department in all aspects of decision-making during the COVID-19 crisis, including the decision to accept federal funds. Document in detail decisions that were made and the reasons for doing so.
Carefully consider all aspects of accepting federal funds, including the statutory, regulatory, and contractual terms implicated by that acceptance. Closely scrutinize any submission to a government actor that could be construed as a misrepresentation or material omission.
Ensure complete transparency when interacting with federal, state, and local government actors when a government contract or public funds are involved.
Carefully think through the ethical or moral implications of decisions involving governmental funds or contracts. Dilemmas raising ethical or moral considerations are the type to generate media coverage and public interest when a company makes a controversial decision and are also the type that can catch the attention of regulators.
Seek the outside advice of someone with expertise in this area of the law when confronting novel or thorny issues that implicate the federal, state, or local government.
Monitor settlements and enforcement actions because they will provide visibility into ongoing regulatory trends.
Among the interesting data points highlighted in a new report on M&A appraisal litigation in Delaware is the steep decline in both appraisal petitions and cases since 2016.[1] That year, the Delaware Court of Chancery saw its highest-ever number of petitions (76) and cases (47), but over the past two years, those numbers have declined significantly. There were only 26 petitions in 2018, the lowest number since 2012; likewise, cases decreased to their 2012 levels as well. What explains this multiyear decline?
The Delaware Supreme Court’s reversal in DFC Global Corporation v. Muirfield Value Partners L.P.,[2] an appraisal decision on the 2014 acquisition of DFC Global Corporation, occurred in August 2017, and it is likely no mere coincidence that the trend line for appraisal petitions entered its swoon shortly thereafter. In DFC, the Chancery Court gave less weight to the deal price in favor of a “blend of three imperfect techniques”—including deal price, company valuation, and discounted cash flow (DCF) valuation, each equally weighted—and then proceeded to reach a deal price of $10.30 per share, an 8.4 percent premium over the deal price of $9.50 per share.
On appeal, the Delaware Supreme Court reversed and remanded. Chief Judge Leo Strine stopped short of embracing a full-scale presumption in the accuracy and reliability of deal price, but did make clear that under the prevailing circumstances, deal price should receive greater weight. He reasoned that “[m]arket prices are typically viewed superior to other valuation techniques because, unlike [for example], a single person’s discounted cash flow model, the market price should distill the collective judgment of the many based on all the publicly available information about a given company and the value of its shares.”
Furthermore, because the “Court of Chancery found that the sales process was robust and conflict-free,” the Supreme Court found no reason to justify giving the deal price merely one-third weight. The Supreme Court concluded its decision by rejecting the Chancery Court’s argument that the nature of the buyer—in this case, a private equity firm—reduced the fairness of the deal price because a private equity firm’s willingness to pay a certain price does not necessarily equate with an unfair value.
The Delaware Supreme Court’s stance on the primacy of deal price in DFC was further clarified shortly thereafter when the court weighed-in once more in Dell, Inc. v. Magnetar Global Event Driven Master Fund Ltd.,[3] again reversing the Chancery Court’s decision and reaffirming its view of deal price as a useful metric, yet again stopping short of endorsing it as the sole and decisive metric. Ignoring both the company’s pre-deal announcement stock price and the deal price in reaching its fair value determination of $17.62—a 28.1-percent premium over the deal price of $13.75—the Chancery Court relied instead on its own DCF analysis. The Supreme Court reversed, holding that the record “suggested that the deal price deserved heavy, if not dispositive, weight.” As in DFC, however, the Supreme Court in Dell refrained from giving full weight to the deal price, stating that creating a presumption in favor of deal price runs afoul of the Delaware appraisal statute’s guidance to “consider all relevant factors.” Nevertheless, the Supreme Court cautioned that in particular cases, one factor—such as the deal price—may rise above others in terms of importance, depending on the evidence supported by the record. The Supreme Court also criticized the Chancery Court’s decision to award a fair value that is higher than what the market was willing to pay for Dell’s stock, taking a position that both courts would later endorse.
These two reversals form the backdrop against which we have seen the rapid decrease in appraisal litigation in Delaware. For those who might have hoped for a signal from the Delaware Supreme Court that it is backtracking on its embrace of deal price, the court’s April 2019 en banc opinion in Verition Partners Master Fund Ltd. v. Aruba Networks, Inc.[4] provides very little reason to believe the court is growing more skeptical of the primacy of deal price. Although the Aruba decision sheds light on the Supreme Court’s existing precedent, it leaves some related questions unanswered, particularly regarding target valuation in the take-private context.
Like DFC and Dell, which were decided while the Aruba appeal was still pending, Aruba involved a Delaware statutory appraisal claim by the shareholders of Aruba Networks, Inc. following its acquisition by Hewlett-Packard. Notwithstanding the precedent established in DFC and Dell, the Chancery Court ultimately relied solely on the unaffected trading price of the seller leading up to the transaction—that is, the average trading price of Aruba Networks’ shares during the 30 days prior to when the news of the merger with HP emerged. The Chancery Court considered two other valuation methods, including the parties’ competing DCF analyses and the merger price less synergies, but dismissed both as unreliable measures of fair value.
The Supreme Court once again reversed in an unusually combative opinion. Rejecting the Chancery Court’s reliance on Aruba Networks’ market price, the court reiterated the position it expressed in Dell that market prices “can be a proxy for fair value” and that “the price a stock trades in an efficient market is an important indicator of its economic value that should be given weight.” The Delaware Supreme Court concluded that Vice Chancellor Laster erred in finding “that an informationally efficient market price invariably reflects the company’s fair value in an appraisal.” Conversely, the Supreme Court reiterated that an efficient market price “further informed by the efforts of arm’s-length buyers” to find a fair deal price based on a diligence-driven analysis “is even more likely to be indicative of so-called fundamental value.” In other words, “after a process in which interested buyers all had a fair and viable opportunity to bid, the deal price is a strong indicator of fair value, as a matter of economic reality and theory.” The court made clear that its decisions in DFC and Dell did not compel “rote reliance” on market price when calculating fair value, but clearly held the conclusion that deal price less synergies is the best method to assess Aruba’s going concern value, where “synergies” is defined as “other value the Buyer expects from changes it plans to make to a company’s ‘going-concern’ business plan.” The valuation of such synergies is a matter of fact to be assessed based on the record.
Among its many noteworthy takeaways, Aruba strengthens the focus on deal price in an arm’s-length transaction and goes a step further than DFC and Dell by deducting the synergies from the deal price in order to get to the fair value price. Though critical of the Chancery Court’s opinion, the Delaware Supreme Court sides with the Chancery Court’s position—and reinforces recent Delaware jurisprudence—by holding that the deal price should act as a ceiling for a valuation, a result that will likely reinforce the trend in place since 2016 toward decreasing numbers of appraisal petitions. For example, the Supreme Court’s fair value appraisal in Aruba resulted in a 22.6-percent reduction from the deal price, an outcome that would remind petitioners not to overly rely on the statutory appraisal right, especially if there is no clear and convincing basis for such an appraisal claim.
However, Aruba did backtrack in one notable instance. In a clear change of positions, the Supreme Court in Aruba agreed with past Chancery Court arguments, noting that the type of buyer—such as a private equity firm versus public company—might impact the fair value determination because the synergies to be deducted from the deal price could be different based on the new owner. Unlike the case of a public company buyer with characteristically broad stock ownership, ownership of companies in the private equity setting tends to be far more concentrated, which can create efficiency and reduce agency costs. This circumstance can lead to a potentially different calculation for the cost of synergies to be deducted from the deal price. How this precedent will be applied to the valuation of targets in take-private transactions is not entirely clear from the recent jurisprudence, but we see no reason to believe that a return to 2016 levels of appraisal litigation is in the offing.
Chauncey M. Lane is a partner in the Dallas office of Reed Smith LLP. He regularly advises domestic and international clients on buy- and sell-side mergers, divestitures, asset acquisitions, going-private transactions, debt and equity offerings, and corporate governance. He also counsels fund sponsors on all aspects of fund formation, capital raises, and investment adviser compliance, often serving as outside general counsel.
George Khoukaz is an associate in the Kansas City office of Husch Blackwell LLP and a member of the firm’s Corporate and Securities practice group. He regularly advises domestic and international clients on complex commercial and capital market transactions.
This article has been published in PLI Current: The Journal of PLI Press, Vol. 4, No. 1 (2020).
The COVID-19 pandemic has had a disparate effect on privacy regulators, with varying levels of enforcement advocated by different government entities. The California Attorney General, the U.S. Department of Health and Human Services (HHS), European data protection authorities, and other regulators have taken different, often contradictory, approaches to dealing with the competing interests of a struggling economy and the threat of increased privacy and cybersecurity violations. These contradictions are likely to persist, as competing privacy legislation was recently introduced in Congress to regulate the collection and use of personal information during the COVID-19 pandemic.
Businesses struggling with the virus’s economic impact are striving to allocate resources for maximum financial benefit; simultaneously, risks to personal information and privacy rights have increased in a remote global workforce where phishing, malware, and other cyberattacks proliferate and the political pressure to collect and track medical information regarding COVID-19 infections mounts. With the seemingly competing interests of protecting the bottom line and addressing a heightened threat to privacy, some privacy regulators are responding to these new realities by relaxing enforcement efforts, while others decline to do so in recognition of the current risk to privacy and information security.
Below is an update on how different regulators have responded regarding enforcement since the COVID-19 national emergency was declared.
The California Attorney General Remains Steadfast on the California Consumer Privacy Act
The California Attorney General has declared that despite the pandemic, it will not delay enforcement of the California Consumer Privacy Act (CCPA), which is set to begin on July 1.
In late March, as the extent of the COVID-19 pandemic was becoming clear, a joint industry letter by advertising and adtech trade associations asked the Attorney General’s office to delay enforcement of the CCPA until 2021. The letter highlighted that “[t]he public health crisis brought on by COVID-19 juxtaposed with the quickly approaching enforcement date for the CCPA places business leaders in a difficult position. They are forced to consider trade-offs between decisions that are best for their employees and the world at-large and decisions that may help the organizations they lead avoid costly and resource intensive enforcement actions.”
In an email to Forbes magazine, an advisor to the Attorney General responded, “Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first … We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.”
On June 2, 2020, the Office of the Attorney General announced that it had submitted the Final Text of the Proposed Regulations to the California Office of Administrative Law (OAL) for approval. The Office of the Attorney General requested an expedited review period of thirty (30) business days which, if approved, means the Final Text of the Proposed Regulations could become effective in mid-July. With less than 30 days until the planned enforcement date, businesses subject to the CCPA should ensure that their CCPA compliance efforts remain on track. As a further incentive to ensure your compliance framework is in place, the California Privacy Rights Act (CPRA), commonly referred to as CCPA 2.0, has garnered enough signatures to appear on the November 2020 ballot in the state of California. Among other measures, the CPRA would create a new enforcement agency (the California Privacy Protection Agency), expand data breach liability, and impose additional obligations on service providers, third parties, and contractors. In a nod to the business community, the CPRA would extent the current moratoriums on certain employee and business-to-business data from 2021 to 2023.
European Regulators Signal Flexibility
The European Data Protection Board (EDPB), an agency created under the General Data Protection Regulation, issued a statement on the processing of personal data in the context of COVID-19. The EDPB stated that even during this pandemic, data controllers and processors must ensure the lawful processing of personal data, but it also noted that an “emergency” might legitimize “the restriction of freedoms provided these restrictions are proportionate and limited to the emergency period.”
The EDPB provided clarification on how public health authorities and employers can process personal data in the context of a pandemic, pointing to legal bases such as processing pursuant to a legal mandate of a public authority and compliance with health and safety obligations that are in the public interest.
The EDPB also issued two new guidelines: (1) “Guidelines 03/2020” on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak and (2) “Guidelines 04/2020“on the use of location data and contact tracing tools in the context of the COVID-19 outbreak. “Guidelines 03/2020” allows health data to be processed for the purpose of scientific research with the consent of the data subject, as long as there is not a significant power imbalance, or without consent for the purpose of complying with national legislation. “Guidelines 04/2020” discusses the use and collection of location data to map the spread of the virus and contact tracing for notification purposes. The guidelines provide that contact tracing applications should be voluntary, rely on proximity information regarding users rather than tracing individual movements, and grant preference to processing anonymized data where possible. The EDPB emphasized in its guidance that response to the crisis and protection of the right to privacy are not mutually exclusive.
Data protection authorities in nearly all EU member states and the United Kingdom have issued similar guidance on the processing and sharing of personal data related to COVID-19. Organizations should continue to monitor guidance issued by the EDPB, the United Kingdom, and national data protection authorities in the countries in which organizations have a presence.
Department of Health and Human Services Relaxes Enforcement of the Health Insurance Portability and Accountability Act
Perhaps the most critical response to the COVID-19 pandemic has been from the Office of Civil Rights in HHS, which is charged with the enforcement of the Health Insurance Portability and Accountability Act (HIPAA). Compounding the conflict between the conservation of resources to protect the bottom line and heightened privacy concerns in the crisis is a third element in play under HIPAA: the critical role of protecting the privacy and security of personal medical and health information as the crisis escalated.
While covered health care entities must continue to comply with the privacy and security rules under HIPAA, HHS has issued guidance and relied on its discretion to relax enforcement and waive penalties for community-based testing sites, public health and health oversight activities conducted by business associates, disclosures made to law enforcement and first responders, and telehealth service providers. With the proliferation of telehealth services during the pandemic, it remains to be seen whether HHS will extend its policy of relaxed enforcement after the emergency has subsided.
Federal Trade Commission Warns of Increasing Threat
On May 19, the Federal Trade Commission (FTC) issued a public warning regarding scammers posing as contact tracers hired by state governments to obtain personal information such as Social Security Numbers from unsuspecting individuals. A few days later, in coordination with the Federal Communications Commission, the FTC instructed service providers that enable robocalling to terminate services to any customers exploiting the pandemic to obtain sensitive information from individuals, threatening such providers with “serious consequences” for failure to comply. These recent statements by the FTC follow warnings of surging complaints since the beginning of the year (upward of 18,000 as of mid-April) related to the coronavirus and signals of increased enforcement activity by the agency.
Congress Proposes Competing COVID-19 Privacy Legislation
Reflecting the larger clash of interests, conflicting privacy legislation is currently pending in both houses of Congress. The COVID-19 Consumer Data Protection Act, introduced by Republican senators in May, seeks to regulate the collection and processing of personal health information, geolocation data, identifiers, and other data during the health emergency. Shortly thereafter, Democratic members of the House proposed the Public Health Emergency Privacy Act, which would broadly regulate “data linked or reasonably linkable to an individual or device, including data inferred or derived about an individual or device.” Most notably, the House bill includes a private right of action (a right not included in the Senate bill). Then, on June 1, 2020, Senators from both sides of the aisle introduced another Senate bill called the Exposure Notification Privacy Act (ENPA), which would regulate contact tracing and exposure-notification apps. Among other obligations, the ENPA would require affirmative express consent to collect data from an individual including COVID-19 status and geolocation, and includes restrictions on how such data may be used. Despite their differences, the speed at which these three bills were introduced underscores the urgency in Congress to address contact tracing technologies and holding government and businesses accountable for how collected personal information is used. Congress has not yet succeeded in passing national privacy legislation. Nonetheless, given the current exigent circumstances, if any one of the proposed bills is passed, it could form the basis for a future, more expansive general privacy legislation at the federal level.
What You Need to Know
The CCPA is set to become enforceable on July 1. If your business is regulated by the CCPA, you have a limited window to comply.
Government authorities have pursued different, frequently contradictory, approaches to enforcing data privacy and cybersecurity regulations during the COVID-19 pandemic.
It is imperative that you understand the data privacy and cybersecurity regulations applicable to your business and develop creative compliance programs that respect the integrity and security of personal information and maximize its value to your business.
If the potential for new federal privacy legislation is realized, additional regulations will be forthcoming, including regulation of contact tracing programs to combat the COVID-19 pandemic.
Connect with a global network of over 30,000 business law professionals
