This article was adapted from Ward Classen’s The Practical Guide to Software Licensing and Cloud Computing, 7^th Edition, available from the American Bar Association Business Law Section.

Many, perhaps trending to most, commercial licensors and licensees are utilizing delivery models other than the historic on-premised method (i.e., using computer hardware located at the end user’s location) for providing and accessing software applications. Most commonly illustrated through the use of “cloud computing,” these delivery models raise many of the same issues involved in traditional software licensing, while at the same time creating issues unique to the respective delivery model. Cloud computing provides on-demand delivery of IT resources and applications via the Internet with substantially pay-as-you-go pricing, allowing customers to reduce initial IT expenses while having the ability to quickly increase or decrease IT resources to meet their perhaps varying needs.

Under a “SaaS” model, access to a software application is provided to the customer as a service. The vendor/cloud provider or another party hosts the software application on its web servers or via a third-party application service provider, allowing customers access to the software using web browser software via a portal and/or the Internet. The customer does not license a copy of the software but accesses the software as a service on an as-needed basis.

(a) Overview

(i) Benefits

From a software cloud provider’s perspective, SaaS allows the cloud provider to reduce its support costs by maintaining a single version of its software on a single platform. A SaaS model allows cloud providers to monitor how their customers use the application, bring improvements to the market, and address uniformly for all customers any problem that arises. The cloud provider’s support staff is able to evaluate a customer’s problem as each customer is using the same application on the same platform. Updates are automatically made available to customers instead of customers having to wait to receive, install, integrate and pay for, the newest update. In addition, SaaS allows the cloud provider to sell to customers who may not be able to afford the upfront fees required to procure the software and/or the infrastructure to support it.

From the customer’s perspective, the customer is able to reduce its information technology costs by not having to purchase an application license, the hardware required to run it, as well as fees for updates and technical support. All of these costs are built into the fee for accessing the application, allowing the customer to direct its technology budget to those technologies that will provide a competitive advantage in its industry.

For cloud provider–owned applications, the customer’s cost to access the application should be reduced as the price is amortized among several users and the subscription fee is often based on usage. By paying only for its proportionate share of computing power and other resources that it uses, the customer avoids paying for excess capacity. The usage fee is amortized over the period of the customer’s use as differentiated from the purchase of a software license where payment in full is usually due immediately upon acquisition of the license. This payment mechanism evens out the user’s payments over the course of a year, potentially helping cash flow.

The customer will also avoid the significant time and cost of installing an application. In essence, application management has been outsourced, allowing the customer’s IT staff to focus on other projects. Because the software is already operating on the cloud provider’s system, the time to begin using the new application is dramatically reduced. The customer’s software usage is fully monitored by the cloud provider, allowing the cloud provider to instantaneously receive “feedback,” speeding the pace of improvements to the application, and allowing customers to benchmark against their peers. Further, the customer is able to automatically access the most recent updates and enhancements to the application without the risks inherent in transitioning to a new version.

(ii) Limitations

SaaS does have several limitations/reasons for concern. The greatest is that the customer has relinquished control over its IT to a third party and is totally dependent on the third party to consistently deliver access without interruption while using a secure environment. Although the customer is purchasing a service not a software license, a customer still needs contingencies that address sudden cessation of the cloud provider’s business or an event of force majeure, as application continuity is necessary to enable end user business continuity (contingency) plans. The customer also lacks the ability to customize the applications for its needs as most cloud providers will only modify the application for very large customers.

Another challenge for customers is that many cloud providers require customers to use the cloud provider’s non-negotiable template agreement to purchase the cloud provider’s services. These cloud providers argue that pro forma contracts are industry standard and reflect the nature of lower margins and shared services, thus negating the need to negotiate the contract. Although a cloud provider’s contract may be non-negotiable, customers should carefully review the agreement to make sure it meets their needs. For example, does the agreement provide the use rights the customer requires, such as allowing the customer, its contractors, and the customer’s customers to access and the software?

(iii) Delivery Models

SaaS is usually delivered through one of two models: a hosted application model or a software-on-demand model. In the hosted application management model, a hosting provider hosts the desired application, delivering the application to its customers over the Internet. Under the software-on-demand model, the cloud provider (i.e., the software cloud provider/licensor or cloud provider) provides its customers network-based access to a single copy of an application modified for SaaS over a network. Software on demand is also known as the “application service provider” model. In both cases, the customer is paying for access to the application. The cloud provider may choose to have someone else host it, but delivery is the same and essentially “on-demand.” In most situations, the cloud provider will provide, maintain and host an application while providing the customer access to the application. The application may be held in a dedicated environment with its own instance of the application, or alternatively, the application may be hosted in a multi-tenant environment with a common version of the application running on a logically partitioned environment.

A shared multi-tenant environment uses a single instance of the application to provide access to multiple customers. All customers access and use the same instance of the application, creating an efficient means of implementing patches, upgrades, fixes and maintenance. A single tenant environment provides access by a single customer creating a more expensive service that cannot be easily scaled. A shared environment creates greater security risks as many clients’ data may be hosted on a single server. Thus, clients with sensitive data will often insist on dedicated servers. The language below reflects the potential convers of customers.

Dedicated/Partitioned Environment. Any time Services are performed at the Customer Facilities, Vendor shall provide the Services using hardware, software and related resources dedicated solely to supporting Customer. Unless otherwise expressly provided in this Agreement, all Services provided from the Vendor’s Facilities shall be provided using partitioned or dedicated Equipment. Vendor shall not provide any Services from a shared processing environment unless specifically approved in writing by Customer.

The cloud provider may choose to deliver SaaS either by hosting the application itself or by outsourcing the hosting of the application to a hosting provider. Usually, the cloud provider will use its own proprietary software which it provides to its customers. In some cases, a hosting provider will license a copy of the software from the cloud provider and set up a SaaS model with its own customers. In the latter case, the hosting provider acquires rights from the software cloud provider and provides access and use of the application to customers. This approach is often co-defined through a “reseller” situation.

(b) Contractual Provisions

(i) Services

The underlying SaaS agreement between the parties should clearly set forth the cloud provider’s obligations and the services it will provide. In a SaaS relationship, most cloud providers will provide:

• Access to an identified application,
• Technology updates,
• Data storage,
• Data back-up,
• Data security, and
• User support.

To the extent a service is not listed, the customer should assume it is not included. For example, if data back-up is not listed, the customer should assume the cloud provider will not be providing such services and the customer should back-up its own data on a regular basis. To the extent the cloud provider desires to implement a material change in the provided services, the cloud provider should be required to provide the customer advance notice of any material change, and the customer should have the right to terminate the agreement for convenience without penalty.

If applicable, proof of concept or beta testing should be conducted prior to making any long-term commitments to the cloud provider. The customer should ensure that the data created by the application is compatible with the customer’s legacy systems (e.g., that the data schema are susceptible to “extract transform and load” (“ETL”) modification and injection to other current systems) and thus avoid any potentially costly and time-consuming data migration project. The cloud provider should also be willing to provide the customer a written commitment as to the application’s future features and functionality that will be made available to customers. A prudent cloud provider may be hesitant to do so, however, to retain the maximum flexibility to operate its business.

(ii) Ownership of Data

From the customer’s perspective, the agreement should clearly state:

• the customer owns its data (and all intellectual property rights related thereto);
• the customer will have immediate access to its data without charge upon demand;
• upon termination of the agreement the customer may take its data to a new cloud provider; and
• the format in which the data will be returned to the customer.

The agreement should also describe how and in what format the data will be returned and prohibit the cloud provider from withholding data for non-payment. Return of the data should be prompt and not conditioned on the customer meeting a payment demand by the cloud provider.

Sometimes it is the customer’s responsibility to remove the data, i.e., to copy it onto its own system. If this is the case, the customer should make sure that once the data has been copied and the customer has confirmed it has a reliable copy of its data, the cloud provider destroys the data that remains on the cloud provider’s systems. Usually, the cloud provider will want to do so in accordance with its own practices, e.g., by overwriting, etc. To the extent any data is contained on backup tapes, the backup tapes should be immediately destroyed, and an authorized officer of the cloud provider should certify that the tapes have been destroyed. Finally, the agreement should set strict time frames for the destruction or return of the data.

Some customers may require the cloud provider to issue a “destruction certificate” as proof of action by the cloud provider. However, there may be issues with respect to multi-tenancy environments where redundant data sets or similar copies of data continue to exist. Unless the relationship is managed in a single tenant database, it may not be possible to assure total destruction of the data. Contrary to the point above, it is also critical from the customer’s perspective that the cloud provider be prohibited from destroying the customer’s data in the event of non-payment until the customer has provided written instructions to do so.

Prudent cloud providers should develop an internal guidance/checklist setting forth the actions to be completed prior to executing a destruction certificate to avoid unintentionally creating liability on the cloud provider’s behalf. To avoid potential problems, the certificate should be signed by the team lead for the team that completed the work, usually a member of the IT department. 

(iii) Cloud Provider Access and Use of Customer Data

Cloud providers often seek access to the customer’s data for many reasons including the cloud provider’s desire to aggregate and resell the customer’s data to third parties. Under no circumstances should the cloud provider be able to sell the customer’s data to a third party even if it has been “cleansed” of any identifying information. The cloud provider should be contractually prohibited from accessing or disclosing the customer and customer data. While prudent customers should seek to limit the cloud provider’s use of their data, the cloud provider should have the ability to collect and analyze usage data to improve the quality of the cloud provider’s services including as input for its product/services “roadmap.” The agreement should clearly state that all customer data, including customer data, is confidential regardless of whether it is displayed or accessible by the cloud provider. Allowing the cloud provider to access customer data may raise antitrust issues as well as limit the customer’s ability to claim trade secret protection for such data. For a discussion of trade secrets in the cloud see Sandeen, Lost in the Cloud: Information Flows and the Implications of Cloud Computing for Trade Secret Protection, 19 Va. J.L. & Tech. 1 (2014).

The customer should not agree to amorphous language such as the cloud provider will “comply with industry standards” or the cloud provider will “use commercially reasonable efforts to protect the customer’s confidential information.” A prudent customer will also seek to prohibit the storage of users’ credentials and passwords by the cloud provider.

Model language favoring the cloud provider:

We routinely collect and analyze metadata regarding your usage of the Cloud Services, excluding any personal data. We may use this information to gauge Cloud Services usage levels and application performance, as well as to create anonymized statistics for our own marketing purposes.

The following language provides the cloud provider even greater leeway to utilize the customer’s data.

Vendor may use and reproduce Company Data at the direction of Company (such direction taking the form of the terms of this Agreement and the relevant Schedules) for the limited purposes of providing, operating, and maintaining the Services provided to Company. Company will secure for Vendor the right to use and reproduce Company Data, including any Personal Information therein, solely to the extent necessary to provide the Services to Company, without creating any obligations for Vendor beyond those set forth in this Agreement. Vendor may use usage patterns, trends, and other statistical data derived from use of the Services (but not Company Data itself) for the purposes of providing, operating, maintaining, or improving the Services and any Vendor products and services used to deliver the Services.

Compare the preceding language to the following language which favors the customer:

Customer grants Vendor a limited, royalty-free, non-exclusive, non-transferable and non-sublicensable license to process the Customer Data only in the United States as instructed by Customer and only to provide the services for Customer’s benefit so long as Customer uploads or stores Customer Data in the System, subject to all terms and conditions of this Agreement.

(iv) Data Retention

Given significant numbers of customers, relatively short contract lengths, and the commoditized nature of cloud computing, many cloud providers retain customer data for very short periods of time. To the extent the customer has specific concerns, it should ensure the underlying agreement allocates not only responsibility for data retention and backup but also the time period in which data will be retained. The period of retention will depend on RTO/RPO’s, requirement for the retention of metadata and the cost of doing so. RTO and RPO are common terms used to measure “Recovery Time Objectives” or how long it will take to recover data and resume using an application that has gone down. “Recovery Point Objectives” speaks to data freshness at the time of recovery. Sometimes, companies can recover data that is a week old meaning all the data from the current week would be lost. For mission critical applications, RPOs of less than one hour are standard.

Another issue for consideration is litigation holds for litigation, including the ability of the cloud provider to retain metadata. A prudent customer will contractually provide how it will notify the cloud provider of any litigation hold and how the cloud provider will preserve the relevant data. The failure to do so may lead to discovery sanctions on the customer in the event of any litigation.

Further, to the extent a cloud provider is required to destroy or retain the customer’s data, the parties should realize that it is virtually impossible to destroy all data as customers’ data will be inevitably retained in backup tapes and the memory of the servers. As a result, some negotiated transactions include provisions for ongoing but secure storage by the former cloud provider of former customer data for specified, tax, quality control, or other purposes.

(v) Pricing and Payment

Customers may be charged through various means, including on a per-user per-month basis, on a monthly subscription for the customer’s entire company, and results for a customer’s use of the application. For example of the last, infrequent pricing metric, a marketing software company is paid according to the number of solid leads generated through the customer’s use of the software.

Customers should carefully evaluate a contract’s pricing model to ensure the pricing structure is clearly delineated and that the customer has the ability to independently verify any amounts that it is billed by the cloud provider. If access is based on the number of seats or users, the definition of “users” will serve as the basis for establishing the aggregate fee paid by the customer. As such, the customer should clearly understand how the application will be used and who will be accessing and using the application.

For example, if a cloud provider defines a “user” as a named individual accessing the system, the “named user” terminates their employment, and a replacement employee is hired, is the customer is required to purchase a new license of the new employee or may it transfer the license from the old employee to the new employee? Like a traditional license, the price should be fixed for a set period of time, and the amount of any future price increases should be capped.

Further, if the customer’s customers will be indirectly accessing the application, do they need a license? The customer’s failure to obtain the rights it requires or understand its use rights may prevent it from achieving the synergies it expected from using the application as well as cause the customer to incur significant unforeseen costs. See SAP UK Limited v. Diageo Great Britain Ltd [2017] EWHC 189 (TCC) February 16, 2017 (SAP successfully sought additional compensation for Diageo’s customers access and use of SAP’s software).

Most cloud providers require the customer to pay quarterly or annually in advance, eliminating any payment risk.

(vi) Performance Standard/Service Level Agreements (SLAs)

Service levels are very important as they establish the cloud provider’s minimum performance obligations and the degree of access that the customer will have to the application or services, including the customer’s own data. Many cloud providers, however, do not offer meaningful SLAs, arguing the application must meet the demands of multiple customers. Most cloud providers will at least offer availability service levels, and some may be willing to provide additional remedies beyond service credits for an additional fee. If appropriate, customers should seek to negotiate additional SLAs including response times, bandwidth and security breaches, although most cloud providers will only agree to meet minimum legal requirements. SLAs almost never cover failover guarantees or contingencies that address issues beyond the cloud provider’s control, such as the sudden cessation of the cloud provider’s business or an event of force majeure. Cloud providers should avoid being measured on any customer-dependent elements such as location processing capability.

Service levels should reflect the usage of the application. For example:

• How is the application being used?
• Where are the employees using the application located?
• What time of day will the employees be accessing and using the application?

A successful service level should be objective, critical to the successful performance of the services, tailored to the services, and achievable by the measured party. Common service levels include:

• Availability (both network and application)
• Remedies (including financial penalties/credits)
• Problem response time
• Issue resolution/Escalation Procedures, including status reporting
• User support
• Data return (Recovery Time/Recovery Point Objectives)
• Simultaneous visitors/users
• Page response times

(vii) Data Security

Security is important when utilizing a SaaS model, but it is especially important for those customers utilizing a public cloud. By centralizing a party’s data in a secure data center, a party may actually increase its security (e.g., via the greater skills, resources, oversight, and testing that may be enabled by greater scale, i.e., a cloud provider testing and optimizing cybersecurity on behalf of multiple customers and its overall business model, versus a single entity attempting to achieve cybersecurity excellence only on its own behalf and outside its core focus or competencies). On the other hand, the customer has ceded control over its data and now is dependent on the cloud provider for protection.

There are three aspects of security: physical security, technical security and administrative security. Prudent customers should undertake a comprehensive risk assessment that evaluates the scope of the purchased services and seek to identity any threats and vulnerabilities to receiving those services. It should assess the cloud provider’s security policies and ascertain the potential risk of a threat triggering a vulnerability as well as the potential impact if such a threat occurs. Customers will typically address their concerns with the cloud provider and incorporate its security requirements in the underlying agreement—often as a detailed, separate exhibit to the contract. Depending on the value of the contract and the importance of the application, the customer should visit the facility from which the cloud services are provided, if applicable and allowed, and request a written copy of the cloud provider’s security protocol for the building’s physical security and the security of the network from intrusion, and viruses, as well as annual updates. The customer should closely examine and vet the cloud provider’s policies as well as ascertain the specific type of infrastructure used by the cloud provider to provide the hosting services.

The cloud provider should undertake an external and internal security analysis several times a year. The results of these efforts should be provided to the customer without the customer having to request it.

Most important, however, is the definition of “data,” as the definition will establish the cloud provider’s security, confidentiality, and privacy obligations. Is “data” limited to information stored by the cloud provider, or does it include data created and collected by the cloud provider in the course of delivering services to the cloud provider? Customers should seek to draft the definition of “data” as broadly as possible to ensure that its data is completely secured.

Security Standards

Multi-tenancy creates significant risks that other customers may be able to access or extract a customer’s data, increasing the risk of viruses and malware entering the customer’s environment as well as other security lapses. As such, customers should carefully negotiate the agreement’s security standards after identifying potential risks and potential approaches to mitigate the identified risks. Such risks, both internal and external, as well as the agreed upon risk mitigation controls, must be continually monitored during the term of agreement.

To avoid ambiguity, the parties should specify the specific security standard the cloud provider must adhere to. The customer should ensure that the data center is ISO compliant as well as SSAE 18/ ISAE 3402 compliant. SSAE 18 SOC 2 and SOC 3 set forth significantly more stringent audit standards and are specifically focused on data centers. ISAE 3402 is the international equivalent of SSAE 18 and should apply and be reported against whenever data is kept in a global environment. See Chapter 7.E of The Practical Guide to Software Licensing and Cloud Computing, 7th Edition, for a more detailed discussion of SSAE 18 and its requirements.

The cloud provider should maintain a written comprehensive information security program that includes reasonable security procedures and practices to ensure the security, confidentiality, privacy, availability and integrity of user content and other information if transmitted through or stored in connection with the services. Sophisticated customers seek to negotiate these cybersecurity specifications, attaching the agreed upon standards as a detailed exhibit to the agreement.

Location of Data

Prudent customers should consider contractually specifying the jurisdiction in which their data must be housed, or alternatively require that all data remain within the continental United States to avoid subjecting the customer to the laws of those jurisdictions in which the data resides, including the jurisdiction’s privacy laws, data transfer laws and jurisdictional discovery rules. The European Union has very restrictive laws as to data protection and prohibits the transfer of data to countries with inadequate data protection laws. To the extent a customer allows its data to be removed from the United States, a customer should monitor the data’s location to avoid any potential prohibition by the jurisdiction to which its data was moved from relocating the data back to the United States. Savvy customers will include an audit provision allowing the customer to audit the cloud provider’s compliance with its contractual obligations related to data location.

The citizenship of the owners of the data will dictate which state laws govern the vendor’s privacy and security obligations.

Physical Security

Physical security should not be overlooked. The cloud provider should be able to provide the customer with a written security plan setting forth the protections implemented at its data centers including:

• limiting and segmenting physical access,
• restricting physical access to required personnel,
• personnel background checks,
• badging, and
• training.

The customer should carefully evaluate the cloud provider’s security protections. The customer should understand who has access to its confidential information and data and under what circumstances.

• Who has the ability to modify such data?
• What controls are in place to protect the customer from an unauthorized individual accessing and modifying the customer’s data?
• Where is the cloud provider’s data center located?
• Does the data center have adequate physical and virtual security?
• Does the cloud provider have appropriate virus protection software and appropriate security measures to protect the customer’s data and internal systems?
• What particular testing and validation processes and third-party certifications, if any, will be required?
• May the customer initiate periodic “penetration testing” and if so under what parameters?
• What if any cybersecurity-specific insurance coverage(s) must the cloud provider procure and maintain on the customer’s behalf, at what levels and for what duration? The customer should ensure the required protections are maintained 24x7x365 days a year.

Technical Security

The cloud provider should utilize advanced software to detect any attempted and any actual intrusions to its network, as well as eliminate viruses and similar problems. A customer should require that its data be encrypted not only at rest (storage) but also during transmission (i.e., both “at rest” and “in transit”). Not all cloud provider applications are encrypted, making data stored on such applications vulnerable to misappropriation or theft. A customer should insist that the cloud provider comply with specific encryption standards for the encryption of the customer’s data. The language below illustrates this point:

Customer will encrypt the Data using the AES-256 standard and store on Vendor Simple Storage Service (S3) devices within the Vendor east coast and west coast data centers. When needed, the encrypted Data will be replicated to Elastic Band Storage (EBS) devices and made available during the boot process to server instances and associated server user accounts with proper credentials. The credentials will be stored and maintained within the Customer-managed data center and presented to the Vendor server instances only during the boot process. No credentials will be stored in the Vendor cloud environment.

The cloud provider should be required to utilize sophisticated intrusion protection and detection software as well as peripheral equipment and be required update it on a continuous basis to ensure it remains current with the latest technology. The cloud provider should be contractually obligated to provide detailed reports for any attempted intrusions of material significance as well as any resulting data breaches. The agreement should establish a change-of-custody log and tightly control and restrict access to any data as well as provide an audit procedure for auditing network and user transactions. In cases where the nature of the customer’s data warrants it, the parties should also consider the use of a virtual private network (VPN) to further reduce security risks.

The parties should establish stringent requirements for the storage of customer credentials and passwords outside of the cloud, including strong access controls. In addition, the agreement should address other common-sense security controls, such as staff screening, firewall standards, access logs and the ability of third-party contractors to access the system. Priority should also be given to preservation of security controls as part of any disaster recovery plans.

Administrative Security

Administrative security refers to the management operational controls and procedures implemented to protect the system’s security, including:

• Authentication of HTTP clients
• Administrative console security
• Naming security
• Use of SSL transports
• The common user registry
• The authentication mechanism
• The authentication protocol

Security Breaches and Incidents

The cloud provider should be obligated to notify the customer immediately in the event of a data breach or suspected breach and provide a detailed written explanation of the nature of such breach/suspected breach and the actions it has taken to remedy such breach. The agreement should address the parties’ respective responsibilities for complying with all federal, state, and local data breach notification laws, including which party has responsibility for drafting a notice to any affected parties, sending the notice, paying for all costs associated with doing so, and identifying costs the responsible party must assume. In addition, the agreement should address which party must pay for any costs associated with complying with new laws enacted after the execution of the agreement.

The most important aspect in framing the parties’ obligations is the definition of “data breach,” as the definition will establish the scope of each party’s obligations. Both parties should ensure they understand the ramifications of the definition and how it will impact their obligations and potential liability.

The agreement also should set out in detail the necessary response on the part of the cloud provider to a data breach, including how quickly the cloud provider must contact the customer to disclose the existence of an intrusion or breach, via what means, how much information the cloud provider must provide the customer, what steps the cloud provider must take to investigate, if the cloud provider will interface with law enforcement and how, how often the cloud provider will update the customer on actions taken to mitigate the effects of any breach, and what remedies the cloud provider will offer, if any. From the customer’s perspective, the customer does not want the affected individuals or entities or its board of directors and executives to first learn that there has been a security breach involving its data from the media or a third party.

(viii) Disaster Recovery

Disaster recovery differs from business continuity in that business continuity addresses issues that may arise in the ordinary course of business such as bugs, hacking, general down time and other service interruptions. Disaster recovery addresses incidents more akin to an event of force majeure such as a natural disaster. The cloud provider’s disaster recovery plans should be carefully reviewed by the customer and include the level of redundancy for the application, i.e., the availability of the application in the event of a failure of the primary server or application (such as a geographically distant “hot” site), the cloud provider’s protocol for backing up data (e.g., what frequency, testing, passwords, chain of custody, etc.), the storage of such data offsite, as well as the duration for which it will retain the backups. See Chapter 7.F of The Practical Guide to Software Licensing and Cloud Computing, 7th Edition, for a more detailed discussion of disaster recovery issues. The cloud provider should be able to provide a detailed plan addressing a power outage, natural disaster, equipment failure, the sudden cessation of its business (bankruptcy notwithstanding) and so on, as well as service level agreements for uptime and the ability to log onto the application independently of the cloud provider (for more information, see Chapter 9, Section A.5 of The Practical Guide to Software Licensing and Cloud Computing, 7th Edition, discussing SaaS Escrow). Finally, the cloud provider should disclose any audit protocols it has adapted to ensure its existing protocols and methodologies are followed. The customer should also ask the cloud provider about any previous security problems or service interruptions.

(ix) Indemnification

As with any commercial agreement, indemnification plays an important role in allocating and managing the parties’ risk. While indemnities have traditionally addressed third-party claims, both parties should provide a direct cross-indemnity to the other, although the breadth of their respective indemnification obligations will likely differ. Many parties will seek an indemnity for breach of contract but doing so cannot be justified as each party’s remedy should lie in a breach of contract claim.

Customers should seek to have the cloud provider indemnify them for:

• Intellectual property infringement claims arising from intellectual property selected and used by the cloud provider
• Compliance with laws
• Breach of confidentiality
• Breach of the agreement’s security obligations and standards by the cloud provider

In those situations where the cloud provider will not agree to indemnify the customer, the customer should seek to have the cloud provider pay for any costs associated with a party’s notification obligations under law or the terms of the contract. These may include investigating the breach, notifying the affected individuals and entities of any breach or security incident, staffing any help desk assisting with questions regarding the breach or security incident and the cost of any credit monitoring.

Model language for the cloud provider’s indemnity obligations follows:

Vendor will defend, indemnify and hold Customer and its respective officers, directors, employees and agents (each an “Indemnified Party”) harmless from and against all liabilities, damages, claims, costs and expenses (including reasonable attorneys’ fees and costs and expenses of expert witnesses) or other losses (collectively, “Losses”) brought by a third party against an Indemnified Party arising from the acts or omissions of Vendor, its employees, affiliates, subcontractors or agents in the performance of the Services.

Vendors should seek to have the customer indemnify them for:

• Intellectual property infringement claims arising from the customer’s content as well as any intellectual property selected and used by the customer
• Compliance with laws
• Breach of confidentiality
• Defamatory statements
• Violation of law
• Breach of the cloud provider’s Acceptable Use Policy (AUP) including non-compliance with the cloud provider’s security policy

Model language for the customer’s indemnity obligations follows:

You agree to indemnify, defend and hold Us, our affiliates and licensors, each of our and their business partners and each of our and their respective employees, officers, directors and representatives, harmless from and against any and all claims, losses, damages, liabilities, judgments, penalties, fines, costs and expenses (including reasonable attorneys’ fees), arising out of or in connection with any claim arising out of:

1. Your use of the Services in a manner not authorized by this Agreement, and/or in violation of the applicable restrictions, AUPs, and/or applicable law,

2. Your Application, Your content, or the combination of either with other applications, content or processes, including but not limited to any claim involving infringement or misappropriation of third-party rights and/or the use, development, design, manufacture, production, advertising, promotion and/or marketing of Your Application and/or Your content,

3. Your violation of any term or condition of this Agreement, including without limitation, Your representations and warranties, or

4. You or Your employees’ or personnel’s negligence or willful misconduct.

(x) Limitation of Liability

To understand and quantify its risk, the customer should undertake due diligence that includes a review of the cloud provider’s technology platform and security practices. Doing so will allow the customer to potentially mitigate any risks associated with the purchased services. By purchasing SaaS services, the customer is outsourcing a service that it did not want to provide itself as well as a set of operational, compliance, and legal risks that it did not want to assume. Thus, a cloud provider should not be expected to assume a risk that the customer itself was unwilling to assume, as the cloud provider is not an insurer of the customer’s risks.

It is in both parties’ interest to limit risk. The mere fact that personally identifiable information (PII) is exposed does not necessarily mean that the cloud provider (as opposed to the customer or a third party) did anything wrong or that it could have prevented the breach. Some industry commentators assert that no cloud provider (or government agency or non-profit) can guarantee against sophisticated intrusions and all technology failures. One solution may be to have the parties share any potential liability. Although the structure of any compromise is subject to negotiation, one compromise may be to have the cloud provider assume liability up to a certain dollar amount, with the customer assuming any excess liability.

Some breaches should naturally result in greater liability on the cloud provider’s behalf. If a cloud provider fails to follow its stated security procedures, there is justification to seek a larger or even unlimited liability. In many contracts, intentional actions impose unlimited contractual liability on the cloud provider’s behalf, at least after negotiation by knowledgeable customers.

The actual limits of liability will depend on the facts of the underlying transaction:

• What is the nature of the stored/processed data?
• Is the data highly confidential and proprietary, or a mere aggregation of data that may be re-assembled from other sources?
• To what extent does the data set include data owned by third parties who have entrusted it to the customer, who may have its own obligations and liability under such arrangements?
• How much revenue is the cloud provider receiving?
• How much risk is arising from the underlying technology platform?
• Is the customer utilizing a public or a private cloud?
• If the cloud provider offers premium services and/or additional security protection at a higher fee, has the customer elected same?

Almost all cloud providers insist on a waiver of any special incident or consequential damages and seek to limit the cloud provider’s liability to any service level credits. Any overarching cap is usually tied to a multiple of the monthly fees received by the cloud provider within a set time period, e.g. three months (though many customers will negotiate seeking longer durations). Common exclusions to the limitation of liability include intellectual property infringement, gross negligence, willful misconduct and some indemnification obligations.

Customers should carefully consider whether a disclaimer of indirect damages is appropriate, as in the event of a breach, a significant portion of the customer’s damages may be indirect damages. For example, the destruction or loss of data will result in substantial consequential or indirect damages. The sensitivity of the data in question will likely determine the importance for a customer to recover its consequential/indirect damages.

At least one court has voided a limitation of liability where the cloud provider acted in a reckless or grossly negligent manner resulting in a substantial loss of the customer’s data. Clark Street Wine and Spirits v. Emporos Systems Corp., Italy, 754 F. Supp.2d 474, 481–82 (E.D.N.Y. 2010) (“In view of great damage to customers and business that breaches of a computer system may cause, a jury may find that the responsible entities, such as [the cloud provider], should take special precautions to protect these systems.”).

(xi) Term

SaaS agreements often have a relatively short term as opposed to on premise licenses. Given the trend of failing prices over the last several years, a fixed priced, shorter term (1–2 year) cloud agreement is often favored by the customer.

Many cloud providers require buyers of subscription-based services to commit to purchase a minimum volume or dollar amount for a set period of time. In doing so, cloud providers argue that “revenue recognition” rules require the cloud provider to seek revenue minimums and committed term lengths to recognize the associated revenue. Contractual minimums also allow the cloud provider to recover its upfront research, development, infrastructure, and other service-enabling costs incurred in establishing the software availability. From the customer’s perspective, minimum commitments create the potential for significant financial risk. Therefore, prudent customers will seek to negotiate shorter minimum terms and favorable termination rights to ensure financial flexibility and avoid limiting their options.

(xii) Suspension and Termination

Most cloud providers insist on the contractual right to immediately suspend access or use of the services in the event the customer undertakes any actions that:

• violate the law,
• violate the cloud provider’s acceptable use policy (AUP),
• adversely impact the ability of other customers to use the service,
• access other customers’ data,
• spam,
• create offensive content,
• cause intellectual property infringement, or
• endanger the security of the system.

While most cloud providers will not relinquish the right of suspension, prudent customers often try to limit suspension solely to material violations of the underlying agreement that threaten the security of the cloud service. In addition, they seek to negotiate a notice and cure period for inadvertent violations to avoid an immediate interruption of the customer’s access to the services. While some cloud providers will agree to provide notice and a very short cure period, other cloud providers are unwilling to do so.

Some large customers take the position that the cloud provider may not terminate the agreement for any reason, including the customer’s nonpayment, arguing that the cloud provider’s remedy lies solely in a suit for breach of contract. Further, the customer’s access and use rights shall continue during the termination process. They do so in the belief that the services are mission critical and cannot be easily transferred to a new cloud provider. From the cloud provider’s perspective, the requirement to bring a suit delays its remedy and increases its costs while creating a significant administrative and financial burden.

Many customers seek the ability to terminate their agreement for convenience. While termination for convenience provisions are common in many services agreements, the customer’s ability to terminate the agreement and the cost to do so will depend on a number of factors, including the pricing model used by the cloud provider and the cost of any capital expenditures the cloud provider made on the customer’s behalf.

If the cloud provider is providing services under a metered model without a commitment, the customer may have the right to terminate the agreement for convenience, but under a subscription model, where pricing discounts are provided based on volume commitments that termination for convenience would negate, cloud providers are unlikely to accept a termination for convenience provision. If the cloud provider purchased hardware and software on the customer’s behalf, another factor that will impact the customer’s ability to terminate for convenience is the amount of any unamortized capital expenditures. In such cases, cloud providers will most likely require the customer to pay the cost of any unamortized capital expenditures as a condition precedent to any termination for convenience.

Also important from the cloud provider’s perspective, revenue is recognized ratably over the life of the contract, and if the contract may be terminated for convenience, the cloud provider will likely be unable to potentially recognize the total contract value to investors, lenders or other constituents.

If the underlying agreement provides the cloud provider the right to make unilateral changes to the parties’ agreement or the underlying application, the customer should insist on the right to terminate the agreement for convenience without charge in the event any such change has a material impact on the services purchased by the customer.

(xiii) Transition Rights

Perhaps the most important issue, but perhaps under-managed, for the customer is transition rights. In the event of the early or natural termination of the agreement, the customer wants to ensure an orderly transition of its business to a new cloud provider. Also known as the “Exit Strategy” or “Exit Plan,” most good customer Program Management Offices (PMOs) contemplate an exit strategy as a part of their Governance, Risk and Compliance (“GRC”) policy; that is, if they have a GRC policy.

The agreement should set out in detail the time period during which the cloud provider must provide transition support to the customer, the cost of such services and preferably the process for coordinating the parties (possibly including not only the end user and initial cloud provider, but also the successor cloud provider, if any). The cloud provider should be contractually obligated to provide services during the transition period at the same service level as it did during the agreement term and to fully cooperate with the customer during the transition of its data to an alternative provider or back in-house. In the event the agreement was terminated due to the customer’s breach, the cloud provider should strictly limit the length of any transition period to limit the time and effort it is required to exert in the transition effort and possibly require pre-payment including any professional services necessary to extract and migrate data to a new solution.

Finally, a prudent customer should ensure the underlying agreement sets forth in detail the customer’s rights upon the termination of the agreement and that any such transition will not interrupt its business. To that end, the customer should obtain:

• a contractual commitment regarding its right to continue to use the services during the transition period,
• the right to the immediate return of its data in the contractually agreed format so that it can be utilized by any subsequent cloud provider,
• an agreement on a rate card establishing the rates for any transition assistance fees, and
• a commitment to cooperate with any new cloud provider, preferably for a specified duration.

At the same time, prudent customers will want to require the cloud provider to retain their data for some period of time (30–60) days while they are identifying a new cloud provider or in transition. Cloud providers are hesitant to store data for any length of time due to the cost of storage unless they are compensated for doing so.

In the event the cloud provider is also providing a license to a specific application, the agreement should address ownership and use of the license after termination of the agreement. From the cloud provider’s perspective, the underlying agreement between the cloud provider and the customer should clearly state that the customer does not receive any rights for future use of the application and that upon termination, the customer’s only right is to port its data to a new cloud provider. If the customer purchased a software license as part of the services, the customer should be contractually entitled to transfer the license to the new cloud provider. At the time the agreement is negotiated the customer should understand its rights, including its transfer rights, if it is “purchasing a license.” Although the customer may have paid to “purchase” a license and the cloud provider granted the customer access to use software through a license, the license may terminate with the agreement and prohibit the customer from taking the software to the new cloud provider.

(xiv) Compliance Obligations

Customers often seek to transfer their compliance and regulatory obligations to the cloud provider. Prudent cloud providers will reject the customer’s efforts to do so, as the obligation legally rests with the customer, and the customer cannot escape its liability by contractually requiring the cloud provider to assume such obligations. Agreeing to assume such responsibility is very risky for the cloud provider as, in most cases, the cloud provider lacks the requisite industry knowledge to fully understand the risk it is assuming as well as the cost to comply with such obligations. This is especially true with consumer data laws such as HIPAA, where the cloud provider may not know the type of data being stored by the customer or the citizenship of the data owners.

(xv) Acceptable Use Policies (AUPs)

Acceptable Use Policies (AUPs) are used by cloud providers to establish the parameters of the customer’s access and use of the cloud provider’s network and services. The customer’s failure to abide by these requirements may result in the suspension of the customer’s ability to access the cloud provider’s network and services and in extreme cases the termination of such rights. Cloud providers usually set forth a list of prohibited activities which may include:

• Any activities that are illegal, that violate the rights of others, or that may be harmful to others.
• Content that infringes or misappropriates the intellectual property or proprietary rights of others.
• Content that is defamatory, obscene, abusive, or invasive of privacy.
• Content that may damage, interfere with, surreptitiously intercept, or expropriate any system, program, or data, including viruses, Trojan horses, worms, and time bombs.
• Actions that violate the security or integrity of any network, computer or communications system, software application, or network or computing device.
• Accessing or using the cloud provider’s network without permission, including attempting to probe, scan, or test the vulnerability of the cloud provider’s network or to breach any security or authentication measures used by the cloud provider’s network.
• Forging TCP-IP packet headers, e-mail headers, or any part of a message describing its origin or route.
• Monitoring or crawling of the cloud provider’s network that impairs or disrupts the cloud provider’s network being monitored or crawled.
• Inundating a target with communications requests so the target either cannot respond to legitimate traffic or responds so slowly that it becomes ineffective.
• Interfering with the proper functioning of the cloud provider’s network, including any deliberate attempt to overload a system by mail bombing, news bombing, broadcast attacks, or flooding techniques.
• Using manual or electronic means to avoid any use limitations placed on the cloud provider’s network, such as access and storage restrictions.
• Distributing, publishing, sending, or facilitating the sending of unsolicited mass e-mail or other messages, promotions, advertising, or solicitations (“spam”), including commercial.

The corporation laws of every U.S. jurisdiction permit corporations on the “clear day” (i.e., before an adverse claim arises) to agree to advance defense costs, indemnify, and insure presumptively innocent directors and officers against risks of liability that arise out of their good faith service to the corporation. States’ laws governing alternative entities generally leave the matter of “executive protection” for managers to the law of contracts. In both situations, courts justify protection programs as encouraging responsible and talented individuals to accept the weighty responsibilities these positions impose.

In 2012 and 2013, Business Law Today published checklists created by the Business Law Section’s Director and Officer Liability Committee to assist counsel in supervising the creation or renewal of executive protection programs. Both before and after its first publication, the checklist was vetted through exposure to and comment by attendees at ABA live and webinar programs and at a webinar given to members of the Association of Corporate Counsel. Case law, commentary, and further education in this area have continued to evolve since 2013. The Committee promised that it would update the checklists periodically to reflect changes in the law and insurance markets. This is the 2021 update.

The checklist was initially created by the Committee in response to requests by corporate counsel of major U.S. entities. These counsel had communicated their practical inability to master the nuances of this ethically dangerous, highly complex, and specialized area and to keep up with new developments in the law and the insurance market. They asked for a compendium of issues that they could give their risk manager, insurance broker, and outside counsel so that entity counsel could vet the adequacy and breadth of the entity’s protection program. The goal was to permit entity counsel to meet their ethical duty to advise the entity’s unrepresented “constituent” board members, executives, and managers of the extent to which the program might meet their future needs or might fall short.

This need has become increasingly urgent over time. In particular, the personal exposures of corporate directors and officers and entity managers (sometimes referred to here collectively as “executives”) to governmental administrative and criminal risk have expanded through the “cooperation revolution” in white-collar criminal law that formally began in 1999.[1] The Committee believes that if an executive protection plan is adequate to address the increasing criminalization of executive and managerial risk, it ought to be sufficient to protect against non-criminal legal risks as well.

The updated checklist below highlights issues and suggests alternatives intended to meet the legitimate goals of executive protection from the standpoint of the protected individuals and independent of the “stormy day” potential that the entity may “cooperate” against a protected individual with a governmental enforcement authority. The checklist attempts to do so in a commonsense and balanced manner. It is intended to provide entity counsel with some comfort that he or she has met the “clear day” duty to both the entity and protected managers to provide protection to affected individuals to the “fullest extent permitted by law,” while suggesting possible ways to scale back such protection if such is the desire of the board or other governing authority. The suggestions are designed to meet the ethical rules that govern entity counsel whom the board or other managing authority has charged with creating or supervising the renewal of a protection program for the benefit of otherwise unrepresented entity directors, officers or managers. A comprehensive article on the ethical aspects of “clear day” protection programs is being prepared for publication in The Business Lawyer.

*     *    *

I. Entity Authority

A preliminary issue arises before the careful practitioner attempts to draft any protection program. Does the statute applicable to the creation of the entity require particular language in the entity’s formation document before the entity’s directors, officers, or managers can be protected by mere board action? Some jurisdictions characterize the issue of executive protection as one dealing with the entity’s “internal affairs.” They may require that the entity’s formation document expressly permit its board or governing body to adopt certain resolutions in order to effectively “legislate” protection that is effective to bind otherwise non-consenting shareholders and creditors. The careful practitioner must ascertain whether the entity’s jurisdiction of formation requires appropriate enabling language in the entity’s formation or other governing document and, if so, whether such language in fact appears.

II. Exculpation, Advancement, and Indemnification

Once the issue of authority has been resolved, the practitioner turns to the merits of the protection to be offered. A comprehensive directors’ and officers’ protection program has four elements, regardless of whether the entity is for-profit or not-for-profit:

1. statutory immunity of a corporation’s directors (and in some jurisdictions, officers) from shareholders’ claims for damages resulting from directors’ failure to exercise “due care,” and statutory protection against liability for (typically) volunteer executives of non-profits;
2. contractually mandatory advancement of defense costs and expenses to selected executives until the underlying claims are resolved and then relief from any duty to repay the amounts advanced in a proper case;
3. indemnity from the entity for any amount an executive may agree to pay to settle a claim arising from his or her service to the entity or that the executive may be compelled to pay by judgment in a proper case; and
4. a comprehensive program of D&O insurance that properly meshes with the entity’s advancement and indemnity undertakings.

This checklist addresses these elements in turn.

A.    Exculpation under Certificate/Articles of Incorporation; Statutory Protections for Volunteers of Non-Profits

The careful practitioner will investigate whether the statute governing the entity permits exculpation of its directors and officers and, if so, whether the statutory requirements for providing exculpation have been met through the inclusion of appropriate language in the entity’s governing document. In most jurisdictions, exculpation for money damages for breaches of a director’s or (sometimes) officer’s fiduciary duty of due care (akin to simple negligence) must be included in the entity’s articles or certificate of incorporation. Exculpation for damages for breach of a similar standard, if permitted, will typically be found in the operating or other base agreement for an alternative entity. Is the required language present? If not, can the governing document realistically be amended to provide for exculpation?

If an alternative entity is involved, should a provision be inserted to provide exculpation or clarify the standard of care that managers and members must meet to avoid liability to the entity and other members for both non-fiduciary and fiduciary breaches? Can fiduciary duties be otherwise limited or eliminated under the governing law of the particular entity and is doing so wise and intended by entity participants?

B.    Advancement and Indemnification

Under the law applicable to the entity, may its executives and managers be given a right—whether by contract or under the entity’s governing documents—to mandatory advancement of reasonable defense costs for all claims against them arising from their service? May the executives and managers be given a mandatory right to be relieved from repaying these advances so long as facts are not found in the underlying litigation that they breached the applicable jurisdiction’s standards for breach of fiduciary duty or committed other prohibited misconduct? May the executives and managers also be mandatorily indemnified for any ultimate settlement or judgment against them under the same limits? Does the applicable statute governing the entity permit these rights to be expanded by agreement? Should bylaw or operating agreement provisions providing for contractually mandatory advancement and indemnification specifically provide that the provisions constitute contractual obligations intended to expand on rights otherwise merely permitted by statute?

Case law that has arisen since the beginning of the white collar “cooperation revolution” in 1999 has cast a harsh light on all of the following:

• the law of advancement and indemnification in respect of corporate internal investigations;
• the effect of Fifth Amendment assertions in internal investigations and advancement proceedings;
• the law of privilege as it relates to descriptions in billings that are the subject of advancement proceedings;
• a former executive’s right of access to entity documents to assist in his or her defense where the entity is cooperating with prosecutors; and
• whether a charged executive must make at least a preliminary merits showing of innocence of breach of fiduciary duty as a condition to obtaining advancement.

In most cases, an executive’s need for advancement is urgent. This means that advancement provisions should be drafted in as airtight a manner as possible as mere litigation delay can be sufficient to moot needed relief. All these critical issues are subject to drafting by the careful practitioner. Many issues of this kind have arisen in litigation following publication of the 2013 checklist. A non-exclusive list of salient issues to address includes:

1. Are the advancement and indemnity rights provided truly contractually mandatory, or does the governing statute only permit mandatory advancement rights to be conferred by separate action of the board on a discretionary basis after a claim arises? Is the right to mandatory indemnification contractually guaranteed so long as the indemnified person is not found guilty of disabling conduct in the underlying proceeding for which defense costs are sought? If so, is indemnification automatic, or must the executive prove anew his or her compliance with the required standard of indemnification just because he or she was charged with misconduct that could not be in the legitimate discharge of his or her responsibilities to the entity? If so, does the executive or the entity have the burden of proof?
2. If mandatory rights are granted in corporate bylaws, is the board prohibited from amending the bylaws to eliminate protection for circumstances that accrue during the executive’s tenure but before a claim is made? (Some state statutes cover this question, but many do not.)
3. As a matter of balance, does the right to advancement accrue at a sufficiently early stage to protect the executive involved in an internal investigation without causing premature “lawyering up” that is detrimental to corporate collegiality and informal communication?
4. Generally, the right to advancement covers not just third-party claims but also claims by the entity itself, derivative claims, and internal investigations not instigated by a government enforcement authority or derivative claim, such as claims and investigations precipitated by an internal whistleblower. Has the board or other managing body granting the protection been fully advised of this?
5. Is the board or other managing body clear about the meaning of protection granted “to the fullest extent permitted by law,” the customary formulation of the scope of protection? Is the board or other managing body made aware before it grants “fullest extent” or other expansive protection that a promise to advance can include, unless excluded or limited, claims against an executive for embezzlement, diversion of corporate opportunity, insider trading, and other instances of unauthorized self-enrichment? Is the board informed of the increased likelihood of claims following a change-in-control when the incumbent board is no longer making decisions concerning entity litigation and may itself be the target of claims from its successor?
6. In jurisdictions that statutorily extend the scope of a promise by a corporation to indemnify “to the full[est] extent permitted by law” to include a promise to advance, is it certain in that jurisdiction that there is no requirement that the applicant for advancement make any kind of merits showing as to his or her prospective right to indemnification and/or innocence of the allegations of misconduct made in the underlying case? Is the board or managing body aware of the absolute distinction the law makes between indemnification on the one hand, and advancement (or advance indemnification) on the other? Is the requirement that an executive make a preliminary merits showing expressly eliminated in the promise of advancement in every case?
7. Accusations of misconduct against a putative advancee that go to the merits of the underlying claim can impugn the character of the executive seeking advancement and prejudice the fact-finder. Since the merits of the underlying claim have no bearing on advancement, should allegations of misconduct and bad character be expressly prohibited in the protection plan documents—both as a matter of evidence and professionalism—from any advancement proceeding?
8. Most alternative entity organizational statutes omit detailed provisions for advancement and indemnification. Indemnification and advancement, thus, must be specifically contractually included in the operating or other governing agreement if they are to exist at all. Does the operating agreement specifically provide that contractually mandatory indemnification will be given “to the fullest extent permitted by law,” or is the scope of that promise limited as discussed above? Does the agreement provide a standard of conduct by which non-mandatory indemnification is to be measured analogous to standards employed in corporate contexts to avoid public policy challenges? Does the language specifically extend indemnification to match the breadth of cover granted by the Delaware cases interpreting the phrase “by reason of the fact,” even if no governing statute uses the term? Does the agreement specifically provide for mandatory indemnification without any requirement to re-litigate the underlying case if the executive is “successful on the merits or otherwise” in the underlying case?
9. Do all agreements provide for “fees on fees” as a central feature of advancement and indemnification as opposed to a simple prevailing party fee provision? In jurisdictions that have statutes that make one-way fee provisions reciprocal, is such language sufficient to avoid reciprocity? If not, has a suitable and enforceable waiver of a reciprocal right been obtained from the entity?
10. If the corporation has foreign subsidiaries on whose boards executives are expected to serve, or if they are expected to otherwise supervise foreign operations, is the corporation obligated to post bonds or otherwise pay to secure the release of the executive’s person from physical arrest and his or her personal assets from sequestration as a result of orders issued by a foreign court or governmental agency? May the corporation indemnify and advance defense costs, or even buy insurance for such executives, if the substantive law governing the foreign subsidiary forbids advancement, indemnification, or insurance?
11. If the executive (or former executive or manager) is in any way implicated in a matter that creates potential personal criminal exposure, does the executive:
    1. have access to (but not possession, custody or control of) all relevant corporate documents to which he or she had access during her tenure?
    2. have the express contractual right to assert Fifth Amendment privileges (and his or her lawyer work-product privileges) without jeopardizing his or her advancement and indemnity rights or limiting the amount of defense costs for which he or she is entitled to advancement? Does any bylaw specify a mechanism for resolving privilege disputes?
    3. have the right to receive advancement of defense costs until “final adjudication” (i.e., after appeal) of facts that forbid the corporation from indemnifying him or her under the protection plan in the criminal or civil case for which advancement is sought? Is the corporation prohibited from instituting or continuing any civil case against the executive that requires her to waive her Fifth Amendment rights or the executive’s counsel work-product privileges before final adjudication of the case that gives rise to the need for advancement?
    4. have the right to subrogate herself to the corporation’s Side B coverage should the corporation refuse to advance defense costs and the executive pays such a cost directly?
    5. have the right to judicially compel advancement at the corporation’s expense using summary procedures, i.e., without having to make any assertions of fact, good faith, or innocence that can prompt an evidentiary hearing?
12. Does the most likely jurisdiction in which a suit to compel advancement will be heard treat advancement as a discrete, independent cause of action available for summary judgment, or must it be brought in equity to compel “advance indemnification” by way of preliminary injunction? If the latter, may a bond be required, even though the contractual right to advancement is free of any duty to give security? May the posting of a bond as a condition to advancement be waived in advance by agreement? Should compliance with other standards for awarding preliminary injunctive relief be eliminated by agreement? Will a stipulation that any advancement proceeding be treated as a “summary” proceeding be respected in the enforcing court? Should all defenses other than those going to the existence of a contract for advancement or indemnification and whether the claimant is a covered person asserting a covered claim, be denied the status of defenses to an advancement claim? Should the entity be prohibited from asserting res judicata or collateral estoppel in respect of any ruling made in an advancement case in any later case for indemnification? Should a provision be inserted in the protection plan mandating expansive interpretation of the agreement in favor of covered executives and managers?
13. Should the entity leave its advancement and indemnity exposure unlimited in amount in respect of third-party claims in which the corporation and executive cooperate in the defense? In cases where the interests of the entity and its executives are adverse so as to prohibit a joint defense, should the entity limit its advancement and indemnity duty to the sum of insurance cover and the corporation’s insurance retention, particularly if the entity is not-for-profit?
14. Are executives permitted to be advanced and indemnified against all legal costs in any matter that includes non-indemnifiable claims or parties so long as the facts or issues relevant to the covered and uncovered claims overlap? Where cover is excluded by the agreement and the exclusion is found to apply, must defense costs be allocated, and, if so, by what standard?

III. D&O Insurance

A corporation may obtain Side B insurance to cover its advancement and indemnity obligations to its executives. Such cover “protects its own balance sheet,” as the saying goes. A corporation also typically purchases Side A cover to protect its executives directly from claims for matters in which the corporation and executives are joint defendants and are united in the defense. This cover is principally intended to protect the executive where the entity is insolvent or where the law prohibits the entity from advancing or indemnifying the executive as a matter of law (so called “non-indemnifiable loss”), but does not prohibit insurance from doing so. Finally, Side C or “entity” coverage provides protection for claims against the company. The company’s Side ABC policies, thus, are written to cover claims where the interests of the executive and the corporation are not in conflict.

A corporation may also purchase separate standalone Side A-only/difference-in-conditions (DIC) insurance for its executives. This insurance gives executives a separate limit of cover that the entity may not invade. It may “drop down” to cover defense costs and settlements where the ABC insurers become insolvent; where the underlying Side ABC limits are exhausted; where the entity refuses to advance (sometimes forcing the executive into extensive litigation as to his or her right to advancement or indemnification); or where any underlying insurer fails or refuses to pay or attempts to rescind coverage. DIC insurance is particularly valuable to executives because, among other reasons, it often lacks certain exclusions, such as the “insured vs. insured” exclusion or “pollution” exclusion, typically found in traditional Side ABC D&O policies.

Of course, the appropriate structure, scope, and amount of D&O coverage for both entities and executives varies greatly between industries, entity sizes, exposures, and a multitude of other factors impacting risk profiles and likely claims arising from those risks that could be mitigated through insurance. Checklist items to consider when evaluating D&O coverage include:

1. Are all individuals that the board wishes to insure in fact covered? Are those it does not wish to cover excluded from the policy definition of “Insured” so as not to prematurely exhaust policy limits?
2. As a practical matter, will executives—particularly former executives or those whose interests diverge from those of the company—have access to the D&O policies purchased to protect them when a claim arises? What information may or must a risk manager or in-house attorney provide to its former executives in the event of a claim or potential claim implicating the company’s D&O policies? Is the company or its independent broker the authorized representative of all insureds, even individual insureds, for all purposes, including the receipt of policies and the giving of notice? Do individual insureds have the right to notice claims or instruct the entity to do so?
3. Has the board made a reasoned and appropriate decision on policy limits, particularly given that under its Side B coverage, it seeks to cover its complete advancement and indemnity exposure to all covered executives beyond an agreed retention? Are all parties cognizant of the phenomenon of competition among insureds for access to policy limits and the accepted means for reducing such competition? Does the Side ABC policy have a priority of payments provision contemplating such a situation? Are executives’ Side A coverage limits provided exclusively through the Side ABC policy, or has the company also purchased dedicated, standalone Side A-only coverage to mitigate the risk of competition for scarce insurance resources in the event of insolvency or large exposures? Are litigation costs covered when they are incurred in board members’ efforts to preserve policy limits for themselves?
4. Does the policy cover defense costs within overall limits or through sublimits for matters such as derivative investigations (both those that arise immediately after demand and those that arise after the creation of a special litigation committee) and corporate internal investigations?
5. Where advancement coverage incepts before a defined “claim” arises, does the policy give each insured the separate option of not treating the event as a reportable claim or mandatorily reportable circumstance? May individual insureds give a “notice of circumstance” to cement cover under the policy in effect for that year over the objection of the entity?
6. Does the policy cover employment practice claims, crisis management costs, searches, and raids by enforcement authorities, and claims against employed lawyers? If the latter have separate professional liability cover, is it clear which cover is primary?
7. How does the policy respond to government investigations by enforcement authorities prior to the institution of formal enforcement action (e.g., obtaining documents or testimony through subpoenas or informal requests)?
8. Is the policy definition of “wrongful act” sufficiently expansive so that “all risk” coverage is obtained, assuming such is the desire? Does the insurer agree that such cover includes claims by opposing parties for attorney’s fees? Does the policy cover claims for personal injury and property damage arising from a wrongful act as defined? Does the policy cover Section 11 and 12 securities law liability? Is there coverage for all insurable fines and penalties and punitive, moral, and multiple damages to the extent permitted by law—and where there is a dispute as to which law may apply, as determined by the law most favorable to the insured? Does the policy allow for recovery of amounts paid to mitigate or reduce the likelihood of a claim? Does coverage exist for personal liability for corporate taxes and statutory insurance contributions?
9. Does advancement coverage expressly continue until there has been a final adjudication of facts in the underlying proceeding adverse to the insured for which advancement is given that permits the application of the “willful or intentional act” policy exception? Is the insurer prohibited from bringing a suit to accelerate that process? Are the “deliberate and intentional act” or “improper personal benefit” exclusions limited to cases where the act or gain was the result of deliberate misconduct? Is the insurer prohibited from recovering its advances should the executive’s conduct fall within the “willful or intentional act” exclusion?
10. Is the insurer’s obligation to advance defense costs prior to a final judgment or settlement subject to a right to recoupment or repayment in the event it is later determined that the policy did not provide coverage? Does the insurer get the benefit of hindsight to try to recoup legal fees and expenses advanced based on the potential for coverage based on a later-discovered fact not known at the time the insurer determined that advancement was appropriate under the circumstances or from a criminal admission made after the policy limits have been paid out? Can the policy be negotiated so that the insurer has a right of recoupment against the entity but not individuals?
11. Is the definition of “loss” sufficiently expansive? Does it exclude the types of claims against which the board may not wish to insure such as insider trading, embezzlement, diversion of corporate opportunity, and other claims in which the executive is accused of receiving an improper personal gain or benefit?
12. Does the policy contain an exclusion for claims against executives that seek to recover amounts that the corporation should have paid in addition to amounts it did pay in a merger, share exchange, or sale transaction? If so, are executives entitled to advancement and indemnity if personally sued in such a case without being required to allocate their defense costs between other covered claims and the claims seeking an increase in consideration? Generally, are executives permitted to be advanced and indemnified against all legal costs in any matter that also includes uncovered claims or parties so long as the facts or issues relevant to the covered and uncovered claims overlap?
13. Are the exclusions for illegal conduct, “other insurance,” and timing of claims (including the provisions relating to giving of notice of claim or circumstance), reasonable and readily understandable? Are the “notice of circumstance” provisions objective, subjective, or both; and are such provisions mandatory or permissive? Does the policy provide for an extended notice period should the corporation become insolvent?
14. Is there an “insured-versus-insured” exclusion and, if so, is it phrased narrowly to exclude only truly collusive claims?
15. Does the policy contain a clause that conditions or otherwise bases the executive’s Side A cover on the corporation’s fulfillment of an obligation to advance and indemnify “to the fullest extent permitted by law” or comparable language? Is this provision limited to prohibit the insurer from placing on the insured executive the duty to assume the corporation’s Side B retention or deductible in a case where the corporation breaches its statutory or by-law advancement or indemnity obligations?
16. Does the insured corporation have reporting mechanisms in place to ensure that the risk manager is kept fully informed of any potential claim or circumstance requiring notice to the insurer? Does the insurer bear the burden of establishing prejudice from late notice, and is its remedy for late notice limited to the actual damage it sustains as a result? Do the executives have the ability to notice claims or circumstances directly to the insurer under their Side A cover and are executives entitled to receive notices of cancellation or changes in coverage?
17. Does the policy permit an executive subject to potential or actual criminal charges to assert Fifth Amendment privileges against the insurer, and the executive’s counsel work-product privileges, without violating the policy or limiting the executive’s recovery of defense costs due to a claim by the insurer that the executive’s counsel has provided insufficient billing detail or breached a duty to cooperate? Is there an agreed mechanism for resolving privilege disputes by a court (not an arbitration) that requires advancement while any dispute is being resolved? Is there a severability clause that protects “cooperating” executives should “non-cooperating” executives be held to violate the policy’s cooperation clause?
18. Is the policy’s definition of “application” reasonably narrow and understandable? Are the covenants and representations made by the corporation and any insureds in either the application or the policy reasonable and understandable?
19. Is there a broad severability provision that insulates innocent executives from a claim of application fraud due to the guilty knowledge of less than all of their number?
20. Is there an incontestability or similar clause that limits the insurer’s right to rescind a policy? Is the insurer’s right to cancel the policy appropriately limited? Must it notify all affected insureds, or at least all current insureds?
21. Is there a settlement “hammer” clause and has it been appropriately drafted to avoid unfair and unintended results?
22. Does the policy sufficiently define the parameters of the consent-to-settlement clause and the clause permitting the insurer to associate counsel to eliminate micro-management of the defense? Do these clauses specifically exclude criminal matters and matters where the insurer pays defense costs while reserving its right to deny coverage?
23. Does the policy contain an “order of payments” provision sufficient to reasonably mitigate the effects of a corporate insolvency?
24. Are the claim reporting requirements reasonable? Does a broad definition of “claim” result in an undesirable expansion of the insureds’ duties to give notice of claims or circumstance? Does the right to advancement of defense costs arise within a period of less than 60 days after demand is made on the underlying insurer or corporation? How does the policy address “related” or “interrelated” acts for the purposes of giving notice, and how should the company approach notice of “circumstances” likely to give rise to a claim in light of those related-claim provisions?
25. Have the implications of DIC or “dedicated limits” coverage been explored to provide advancement and indemnity coverage:
    1. for risks that the corporation and the underlying Side ABC policy do not cover;
    2. where the corporation refuses or is unable to advance defense costs and indemnify;
    3. to mitigate the risk of program failure due to competition among competing insureds for policy limits;
    4. to avoid loss of coverage in respect of criminal matters in which the executive (or his or her counsel) asserts Fifth Amendment or work-product privileges;
    5. to cover cases where an underlying carrier may not a pay a claim arising in a foreign country due to its unlicensed status; and
    6. to provide reinstated limits or separate limits for boards?
26. Does the policy insure executives for the costs of obtaining release from incarceration and release of sequestered personal assets if they act as directors or agents of a foreign subsidiary or for the parent corporation in a foreign country? Does the policy contain coverage for reputation restoration and cover crisis management public relations services?
27. Does the policy contain appropriate cover for the costs of resisting Dodd-Frank/SOX claw-back claims?
28. Does the carrier selected have a reasonable financial rating and a good reputation for claims handling and payment? If the D&O program has excess insurers, how is excess coverage impacted by insolvency of the primary insurer?
29. Do the insureds have the right to recover their attorneys’ fees under applicable law should they be required to litigate coverage with the insurer?
30. If a DIC policy contains a choice of law clause, does it choose as the applicable law the law of the underlying Side ABC policy? What law is chosen in the Side ABC policy? If the policy contains an arbitration clause, is the legal seat of the arbitration (not just the hearing locale) a venue that understands American plea-bargaining practices?
31. Are there to be one or more excess policies above the negotiated first-tier policy that do not “follow the form” of the first-tier policy? If so, have all questions above been asked in respect of each of the excess policies? Do these policies have appropriate provisions relating to when each layer of excess coverage attaches to avoid gaps in protection, including provisions requiring that upper tiers “drop down” should insureds reach a settlement with the lower tier carrier below its policy limits?
32. Have the appropriate locally issued D&O policies been obtained in respect of foreign subsidiaries and operations and will all applicable foreign taxes be paid?

Conclusion

The time has long passed when executive protection programs could be evaluated by boards based simply on an inquiry into the limits of Side ABC insurance cover and the amount of the premium. The number and complexity of the issues listed above, together with the potentially catastrophic results that can obtain when criminal charges are threatened against companies and individual executives, prove that this is no longer an issue that can safely be treated cavalierly (if it ever was). The amelioration of these risks can only be left to professionals. The boards and executives that such insurance policies are intended to protect have a vested interest in maintaining a D&O program that is both robust and tailored to the company’s current business operations and exposures. The Committee hopes that both corporate counsel and practitioners will find the Checklist a useful resource to guide their professional advice in this age of “cooperation.”

[1] See Bennett, LoCicero & Hanner, “From Regulation to Prosecution to Cooperation: Trends in Corporate White Collar Crime Enforcement and the Evolving Role of the White Collar Criminal Defense Attorney,” The Business Lawyer, Vol. 68, p. 411 (Feb. 2013).

The ongoing pandemic and resulting consequences have created a new normal. The short- and long-term effects are far-reaching and touch upon a number of societal issues and functions. The financial services industry has been far from immune to these ongoing consequences. COVID-19 has forced the industry to fundamentally alter the way in which it operates and focus on ways to evolve current product offerings through technology. In the process of this transition, financial institutions have been tasked—both directly and indirectly—with helping small businesses and consumers navigate this economic storm. The burden falls on them to ensure that affordable credit and other services are readily available and accessible. Many fintech companies and banks have already been doing this, but the pandemic provided a demonstration of those abilities and a specific reason for additional focus and investment. As the evolution of the industry continues to unfold, institutions must work to increase access and financial inclusion and ensure that traditionally underserved communities are not left behind.

Like in previous crises, during the pandemic, the federal government has provided relief to help ensure families and businesses could weather the economic storm. Direct stimulus, relief opportunities and moratoriums on student debt, rent and mortgage obligations, are just a handful of the measures the government has implemented to help those most directly impacted. Additionally, the government and regulatory agencies have used their full powers to provide financial institutions with the flexibilities they need to deploy capital in a safe and responsible way, to ensure credit markets did not dry up and that hard-working families still had access to the financial system and credit products they needed.

While the government has heavily leaned on the financial industry to serve as a partner during this period of uncertainty, financial institutions and their fintech partners have stepped up, working hand in hand to provide access to the Paycheck Protection Program (PPP), Main Street Lending Program (MSLP) and a number of other relief efforts. The partnerships created during this pandemic provide important insight into the growing role of technology in the financial services industry and have truly highlighted how embracing responsible innovation can be utilized to deliver efficient and effective products. By capitalizing on each party’s expertise (banks’ regulatory compliance and controls, with fintech’s innovative models), tech-forward banks and fintechs are able to use partnerships to expand their offerings to a larger, more diverse base and maximize the benefits to consumers and small businesses.

This is not only true in times of crisis, but in the day-to-day offerings small businesses and consumers have come accustomed to expecting from their financial institutions. The pandemic has shown how important it is for all banks to adapt to the evolving nature of the industry in order to facilitate increased financial inclusion and to continue to serve businesses and consumers, particularly those who are traditionally underserved. According to the Federal Reserve Bank of New York, fintech lenders like Cross River were critical in providing PPP loans to underserved borrowers, including Black-owned businesses. Further, the research demonstrates that 95% of those who applied for PPP loans through a large bank had prior relationships with their financial institutions. Effectively leveraging technology and automation was a key way in which banks and their fintech partners were able to originate PPP loans in a safe and compliant manner to underserved communities, especially for borrowers who had no pre-existing relationship.

The financial services and banking industries are no strangers to adaptation—they’ve often had to shift in the face of potential and ongoing crises, from those caused by natural disaster to economic recessions to public health concerns. The lessons learned from each previous crisis, have in part, helped to reshape the way the industry operates, its offers for the next wave of products and its preparation to mitigate any future disasters. Technology and innovation have been strong driving forces pushing the industry forward, creating solutions that empower consumers with faster, safer and more convenient options. The ongoing digital transformation alone is not enough to ensure that communities that have been traditionally underserved are made whole or gain equal access following the pandemic, however. Access to broadband, transparency in product offerings, consumer education and financial literacy efforts are all equally important in achieving the goal of improving financial inclusion and equality throughout the country.

This pandemic has specifically highlighted the need for institutions to offer more digital options that allow customers to get paid, move money and obtain loans without needing to physically enter a bank branch. Whether it be retail banking offerings, deposits, payments, point-of-sale lending or small business lending, the combination of the crisis and the advancement of technology has inspired companies to innovate. Many are creating products to fill gaps in the industry, ultimately expanding financial equality and leading to a more inclusive and resilient financial system. Bank-fintech partnerships in the Marketplace Lending and Buy Now Pay Later ecosystem are prime examples of responsible, transparent offerings that provide consumers with the necessary flexibilities and alternatives to legacy products and often assist those who would not qualify for traditional credit products. Without this innovation filling the gaps, it is hardworking families who are hurt the most, and often forced to turn to high-interest predatory debt traps as the only alternative.  

As the industry moves forward, recovers from the latest crises, and continues to evolve, it is essential that equity and inclusion are made a central tenet of the industry’s mission. If we are to truly learn and improve from previous crises, we must ensure that we are working to expand access and create a more inclusive financial system.

Have you ever asked yourself how someone becomes a general counsel? Have you ever had any interest in one day becoming a general counsel? If you answered yes to either of those questions, whether you are in law school, private practice, government or in-house, the new podcast series Conversations with GCs is for you.

Purpose

The In-House Subcommittee of the ABA’s Corporate Governance Committee created this podcast to help aspiring general counsel (“GCs”) find practical and actionable guidance as they pursue the top in-house legal role. The podcast facilitates conversations with leading GCs that explore the paths that led them to the role of GC, essential GC skills and characteristics, current GC hot topics and advice for those aspiring to be GCs.

The First Three Conversations

The first three episodes capture the inspiring and helpful stories of Chad Perry, Brady Long and Jacqueline Lee. As the host of Conversations with GCs, I am grateful that I was able to sit down with these three remarkable people and talented lawyers; you don’t want to miss out on hearing their stories and learning from their unique perspectives. I’m confident that these conversations will leave a mark on you like they did on me. There were so many insights and takeaways from these rich conversations, but I have pulled out some of the highlights below. To dig deeper into the conversation, click the links to the episodes and listen in!

Chad Perry: The Centrality of Curiosity

Chad Perry is the Executive Vice President, General Counsel and Secretary of Tanger Factory Outlet Centers, Inc., a public REIT and leading operator of upscale open-air outlet centers. I genuinely enjoyed my conversation with Chad, which was sprinkled with wisdom and laughter. The theme of curiosity ran through our conversation as it was central to Chad’s openness to new opportunities outside of practicing law within a firm, learning the industries where he found himself, and growing in areas that are outside his areas of expertise.

While most of us will not enjoy Chad’s experience of getting the GC nod while vacationing at the beach, we can all take his advice to keep our eyes open for new opportunities, stay curious where we are and allow that curiosity to take us to new places. He also highlighted the importance of asking good questions to challenge the status quo and remaining flexible as we progress throughout our careers.

Chad’s advice for those advancing our journeys to the GC role included not jumping at the first offer that comes our way, and to look for opportunities in our current roles to expand our perspective and areas of expertise.

To hear more, click here!

Brady Long: The Importance of Adapting and Remembering the Human Element

Brady Long is the Executive Vice President and General Counsel of Transocean, a leading international provider of offshore contract drilling services for oil and gas wells. The first theme that permeated our conversation was always maintaining a focus on adapting. From the collapse of Enron and enactment of SOX at the beginning of his career, to the current changes in the ESG space, Brady emphasized the need to adapt to the ever-changing legal landscape.

A second theme was remembering the human element in every relationship and fighting the current of reducing relationships to merely a means to an end. Brady framed his attention to meaningful relationships in terms of being a good partner to those above him, those who report to him, and the law firms who help him navigate the legal issues facing his company. Brady’s genuine concern for the people and projects that have been entrusted to his care was easy to discern and inspired me to push back against the transactional current that flows so strongly in the legal profession.

Brady’s primary piece of advice for those seeking the GC role was to intentionally develop our networks. In keeping with the theme of remembering the human element, Brady’s take on networking was focused on being respectful to everyone in that network, whether they are ahead or behind us in our journeys to GC sphere, being aware that the chairs can (and often do) turn quite quickly.

To hear more, click here!

Jacqueline Lee: An Unexpected and Joyful Journey

Jacqueline (“Jaci”) Lee is the General Counsel of Flynn Restaurant Group, America’s largest restaurant franchisee with over 2,300 restaurants nationwide. Jaci’s story and perspective were so unique that I lost track of time, and our conversation went much longer than I intended.

As a litigator, Jaci has a passion for storytelling, and she demonstrated that talent as she discussed her path. The first theme that ran through Jaci’s story was the joy that she took in each step of her journey. In a striking moment, she commented that she has loved every job that she has ever had (including her time in Big Law). I had never heard anyone say that, and I’m still pondering the perspective needed to make such a statement.

The second theme that surfaced during our conversation was the unexpected nature of her journey to becoming a GC. She was so happy at her role in Big Law that she never thought that one day she might make the shift to in-house, let alone become a GC. However, one of her law firm mentors took the GC role at Flynn Restaurant Group and asked Jaci to consider joining her. After only a year in-house for Jaci, her mentor went on to another adventure, and Jaci was tapped to take over the GC role. The unique journey of being pulled into the role, rather than pursuing it, was striking to me.

Jaci’s primary advice for those seeking the GC role was to expand areas of expertise, seek stretch projects in our current roles that allow us to contribute beyond our core competencies, and intentionally work on strengthening (not just expanding) our network through introducing people to each other where we think they would benefit from the connection.

To hear more, click here!

Listen In!

It has been said that the best podcasts are those that feel like you are listening in to an interesting conversation taking place at the table next to you at Starbucks. I was fortunate enough to be part of these interesting conversations and invite you to grab your favorite cup of coffee or tea, sit down at the table next to us, and listen in!

Finally, we would love to hear from you. Please send any comments or questions, including any expressions of interest in being a part of the ABA Corporate Governance Committee or its small, but mighty, In-House Subcommittee, to [email protected].

The importance of environmental, social, and governance (ESG) factors—especially environmental considerations—in financial services has increased over the past several years. Recently, ESG considerations have garnered increased attention in the United States as a key platform and policy focus of the Biden administration. New ESG financial policies are expected in both the European Union and the United States, though the exact scope or depth of any particular regulation is still unclear at the moment. Further, while regulators and independent standard-setters all seem to be mindful of the benefits of a unified international regulatory regime, significant risk still remains that different environmental standards and requirements will end up hindering the cross-border activities of various market participants.

This article briefly summarizes recent, notable regulatory developments in various financial regulatory regimes.

U.S. Regulatory Developments

On 20 May 2021, President Joseph Biden issued the Executive Order on Climate-related Financial Risk (the Executive Order), which stated that the Biden administration would prioritize the development of a government-wide strategy for mitigating climate-related financial risk, including by encouraging various financial regulators to better assess such risks. The Executive Order did not create any enforceable rules; however, it lays the groundwork for future federal financial policy by directing federal entities to develop and report on strategies that promote sustainability.

The Executive Order also instructed the Department of Labor (DOL) to reconsider its ESG Rules. The ESG Rules refer to two final rules that the DOL Employee Benefits Security Administration (EBSA) bureau published in late 2020, at the end of President Trump’s term: the “Financial Factors in Selecting Plan Investments” final rule and the “Fiduciary Duties Regarding Proxy Voting and Shareholder Rights” final rule. The ESG Rules required fiduciaries to make investment and shareholder decisions based on “pecuniary factors” and not subordinate investment returns to further nonpecuniary goals. The EBSA under President Biden had already announced, in March 2021, that it would not enforce the ESG Rules. The Executive Order extended that previous announcement and signaled a political willingness to undergo the administrative process to rescind or substantially amend the ESG Rule. On 14 October 2021, the EBSA published a proposed rule that clarifies the consideration of ESG factors by fiduciaries under the Employee Retirement Income Security Act of 1974 (ESG Proposed Rule). The comment period for the ESG Proposed Rule closes on 13 December 2021.

On 24 February 2021, then-Acting Chair of the Securities and Exchange Commission (SEC), Allison Herren Lee, stated that SEC staff would enhance its focus on climate-related disclosure in public company filings and would update its existing 2010 guidance on disclosure of climate change matters. From mid-March to mid-June 2021, the SEC received over 300 comment letters in response to their Request for Comment. Commenters were mixed on many key issues, such as the following:

• Whether the disclosure regime should be principles based or prescription based;
• To what degree disclosures should be qualitative or quantitative;
• Whether climate-related disclosures needed to be audited;
• Whether the disclosure regime should also apply to private companies; and
• Whether the SEC should adopt the metrics and standards of independent standard setters, such as the Financial Stability Board’s Task Force on Climate-related Financial Disclosures or the Sustainability Accounting Standards Board.

On 7 July 2021, the SEC Asset Management Advisory Committee’s ESG Subcommittee issued its recommendations regarding ESG disclosures. On 28 July 2021, SEC Chairman Gary Gensler stated that the SEC intends to issue a mandatory climate risk disclosure rule proposal for public issuers by the end of 2021. On 22 September 2021, the SEC Division of Corporate Finance published a letter with sample comments that could be issued to companies regarding their climate-related disclosures. The comments ask companies to, among other things, identify material effects on the business from pending or existing climate-related legislation, regulations, and international treaties, as well as to disclose material past or future capital expenditures on climate-related projects.

The SEC is also reorienting its various divisions’ focus on ESG. According to the Division of Examination, its 2021 priorities include an enhanced focus on climate-related risks. The Division of Enforcement created a Climate and ESG Task Force to develop initiatives to proactively identify ESG-related misconduct, particularly regarding material gaps or misstatements in issuers’ disclosure of climate-related financial risks.

The Commodity Futures Trading Commission (CFTC) established a Climate Risk Unit, which is intended to help ensure that new climate- or ESG-related products fairly facilitate hedging, price discovery, market transparency, and capital allocation. The Climate-Related Market Risk Subcommittee of the CFTC’s Market Risk Advisory Committee issued its often-referenced Report on Managing Climate Risk in the U.S. Financial System on 9 September 2020.

On 23 March 2021, the Board of Governors of the Federal Reserve System (the Fed) announced the creation of the Financial Stability Climate Committee, which is charged with developing a program to assess and address climate-related risks to financial stability and coordinate its implementation with the Financial Stability Oversight Council and its member agencies. Two months earlier, the Fed announced the creation of a Supervision Climate Committee to study the implications of climate change for banks and financial markets. Additionally, the Fed co-chairs the Basel Committee on Banking Supervision’s Task Force of Climate-Related Financial Risks, which is charged with addressing climate-related financial risks in order to maintain the global financial system’s stability and security.

On 3 August 2021, the heads of the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and National Credit Union Administration (NCUA) testified in front of the Senate Banking Committee regarding their respective agencies’ approach to climate change risk supervision. The written testimonies, as well as a recording of the hearing, are available on the Senate Banking Committee’s website.

The Biden administration has appointed many lead financial regulators who have an extensive history with ESG. Additionally, the Biden administration has also established new regulatory positions to address climate-related matters as they pertain to the financial services industry. Notable regulators and their positions are as follows:

• Janet Yellen, Secretary of the Treasury
• Wally Adeyemo, Deputy Secretary of the Treasury
• Didem Nisanci, Chief of Staff to the Secretary of the Treasury
• John Morton, Climate Counselor for the Department of Treasury
• Brian Deese, Director of the National Economic Council
• Bharat Ramamurti, Deputy Director of the National Economic Council
• Mika Morse, Climate Counsel for the SEC
• Rostin Behnam, Acting-Chairman for the CFTC
• Darrin Benhart, Climate Change Risk Officer for the OCC
• John Kerry, Special Presidential Envoy for Climate

Although beyond the scope of this article, please note that multiple bills regarding various environmental considerations in financial services are currently undergoing the legislative process, such as the Sustainable Investment Policies Act, the Retirees Sustainable Investment Opportunities Act, and the Addressing Climate Financial Risk Act.

State regulators have also been active in the ESG space. For example, the New York State Department of Financial Services (NYDFS) issued an industry letter to New York state-regulated financial institutions on 29 October 2020 that, among other things, set forth the regulator’s expectation that financial institutions will integrate risks from climate change into their governance and risk management frameworks. NYDFS also hired its first Director of Sustainability and Climate Initiatives in 2020. On 9 February 2021, NYDFS announced that it will provide credit under the New York Community Reinvestment Act for financing activities that (in general) reduce or prevent the emission of greenhouse gases.

EU Regulatory Developments

On 21 April 2021, the European Commission issued the Sustainable Finance Package, which is comprised of a proposed Corporate Sustainability Reporting Directive (CSRD), the EU Taxonomy Climate Delegated Act, and the Six Delegated Acts on fiduciary duties, investment, and insurance advice (the Delegated Acts). The measures in the package are intended to help improve capital flows towards sustainable EU businesses and technologies. The proposed CSRD amends the Non-Financial Reporting Directive (NFRD), widening the scope of the nonfinancial and diversity-related disclosure rules to cover all large EU companies and all companies listed on regulated markets (except listed micro-enterprises). The proposed CSRD also mandates additional reporting requirements as well as requirements that all information reported under the NFRD to be audited. The EU Taxonomy Climate Delegated Act clarifies which economic activities most contribute to the European Union’s environmental objectives. The Delegated Acts ensure that financial advisers, asset managers, and insurers include sustainability in their procedures and their investment advice to clients.

On 10 March 2021, Level 1 of the Sustainable Finance Disclosure Regulation (SFDR) became effective. The SFDR imposes mandatory ESG disclosure obligations on asset managers and other financial market participants. A significant number of these disclosure obligations apply to asset managers regardless of whether an express ESG- or sustainability-focused investment strategy is offered. Level 1 disclosures are entity-level disclosures regarding that entity’s policies on the identification and prioritization of principal adverse sustainability impacts. The effective date of the supplemental Level 2 disclosures, which generally consist of detailed pre-contractual and annual reporting disclosures, was recently postponed from 1 January 2022 to 1 July 2022.

Also on 10 March 2021, the European Parliament adopted a resolution stating that the EU should urgently adopt binding requirements for businesses to conduct environmental evaluations of their value chain.

On 8 March 2021, the European Financial Reporting Advisory Group (EFRAG) published a road map for the development of sustainability reporting standards, which are nonfinancial reporting standards. The recommendations in EFRAG’s report likely reveals, in broad strokes, the policy objectives that EU regulators will prioritize in the near future.

Many U.S. climate leaders look to the EU for guidance on ESG policy (some in the industry contend that this is one manifestation of the “Brussels Effect”). Consequently, U.S. financial market participants may wish to consider strategizing for a similar widening of the scope of ESG policy and increased reporting requirements, including nonfinancial disclosures. In contrast, ESG proponents in the United States should closely monitor and learn from the EU’s recent implementation problems. For example, many mandated disclosures have not yet been implemented due to the data protection and privacy measures in the General Data Protection Regulation. Such implementation hurdles reveal that, while political statements and policy mandates can be made relatively quickly, the development of practical implementation processes most likely will take many years.

Third-Party Stakeholders

Third-party stakeholders have played, and continue to play, important roles in addressing climate-related risks.

On 7 July 2021, the Financial Stability Board (FSB), an international body that monitors and makes recommendations about the global financial system to various regulators, published a report titled FSB Roadmap for Addressing Climate-Related Financial Risks. The report focuses on four near-term goals: (1) having firm-level disclosures as the basis for the pricing and management of climate-related financial risks, (2) establishing a consistent set of metrics and disclosures that can provide the raw material for the diagnosis of climate-related vulnerabilities, (3) establishing vulnerability analysis practices that can help serve as the basis for the design and application of regulatory and supervisory frameworks and tools, and (4) supporting the establishment of regulatory and supervisory practices and tools that allow governments to address identified climate-related risks to financial stability.

On 21 April 2021, the Glasgow Financial Alliance for Net Zero (GFANZ) was launched. GFANZ is a coalition of over 160 finance firms with total assets under management in excess of USD $70 trillion. GFANZ is chaired by Mark Carney, the United Kingdom’s Special Envoy on Climate Action and Finance to the United Nations. U.S. Special Presidential Envoy for Climate Kerry and Treasury Secretary Yellen are also involved.

On 14 April 2021, the Bank for International Settlements, an international financial institution that operates as a bank for central banks, released two reports regarding the climate’s potential impact on the financial system. The first report, titled Climate-related Financial Risks – Measurement Methodologies, provides an overview of conceptual issues related to climate-related financial risk measurement and methodologies, as well as practical implementation considerations, by banks and supervisory agencies. The second report, titled Climate-related Risk Drivers and their Transmission Channels, explores how climate-related financial risks can impact the banking system.

In April 2021, the International Financial Reporting Standards Foundation, a nonprofit organization that promotes the development of international financial reporting standards through its International Accounting Standards Board, announced the establishment of the new International Sustainability Standards Board (ISSB). The ISSB is tasked with writing baseline rules for climate change disclosures that aim to replace the various patchwork voluntary disclosure frameworks currently in use. The International Organization of Securities Commissions, an association of national securities regulators, has announced its support for the ISSB. The ISSB is set to be launched by COP26, the UN climate change summit scheduled for the first two weeks of November 2021.

Conclusion

New regulatory policy initiatives are developing rapidly around the world, led by a variety of regulators and third-party stakeholders. Although these actors are aware of the benefits of international coordination, and are currently expending much focus and effort on unifying different standards, it is also clear that there are still many differences that certain financial market participants must navigate.

The financial services team at K&L Gates continues to follow the ESG regulatory developments around the world. This article was prepared at the beginning of October 2021, and there may be many other developments in the weeks prior to its publication. Our financial services team stands ready to assist market participants in navigating these developments.

Mr. Humenik is a partner and Mr. Lee is an associate at K&L Gates, LLP. This article is not intended to be an offer to represent any person. Use of this article does not give rise to a lawyer-client relationship. Please do not consider there to be any lawyer-client relationship between you and K&L Gates or any of its lawyers unless or until: (1) you have sought to retain us, (2) we have had an opportunity to check and clear any conflicts, and (3) you have received a letter from us confirming the retention and its scope.

While most income of nonprofit, tax-exempt organizations is exempt from federal and state corporate income tax, certain income of nonprofits is subject to tax—a tax known as the unrelated business income tax (UBIT). The rules governing UBIT are complex and confusing. This article provides an overview of the basic UBIT rules and examines three key exceptions to UBIT that enable nonprofits to strategically plan to maximize their revenues and minimize their income taxes.

Background

Although nonprofit, tax-exempt organizations (hereinafter referred to as nonprofits) are granted a general exemption from federal corporate income tax by the Internal Revenue Code (the Code) for income from activities that are substantially related to the purposes for which the nonprofit’s tax-exempt status was recognized by the IRS, they nevertheless are potentially taxable for income derived from unrelated business activities. The Code defines an unrelated trade or business as “any trade or business the conduct of which is not substantially related (aside from the need of such organization for income . . .) to the exercise or performance by such organization of its . . . purpose or function constituting the basis for its exemption . . .”

The tax on unrelated business income first appeared in the Code in 1950. Congress’ principal purpose in enacting UBIT was to provide a level competitive playing field for tax-paying business—so that tax-exempt organizations could not use their privileged tax status to unfairly compete with tax-paying businesses in activities unrelated to their purposes. But instead of prohibiting tax-exempt entities from engaging in any business activities at all (and denying or revoking tax exemption because of such activities)—which it had considered doing—Congress chose to specifically permit a certain degree of business activity by tax-exempt organizations, but tax that activity like any other for-profit business. Thus, such business activities are permissible, so long as the activities are not a “substantial part of [the nonprofit’s] activities.” The tax applies to virtually all tax-exempt entities.

The most common form of unrelated business income for nonprofits, by far, is advertising income (e.g., in periodicals, on websites, on social media).

UBIT is imposed at the 21% flat federal corporate income tax rate. Deductions are permitted for expenses that are “directly connected” with the carrying on of the unrelated trade or business, and net operating losses are allowed to be carried forward and backward (with certain limitation). Losses from one unrelated business activity are not able to offset gains in another; profits and losses are determined per activity.

Three-Prong UBIT Test. It is important to note that not all business income is subject to taxation or to limitations: only “unrelated business income” as defined in the Code. Unrelated business income will only exist if three conditions are satisfied; if any one of the three is not present, then income from the activity will not be taxable. Unrelated business income must be:

1. from a trade or business;
2. that is regularly carried on; and
3. that is not substantially related to the purposes which form the basis of the organization’s tax-exempt status.

Exclusions. Even if all three conditions of the UBIT test are satisfied, there are numerous statutory exclusions both (A) from the definition of an unrelated trade or business, and (B) in the computation of unrelated business taxable income, which can exempt otherwise taxable income from UBIT. Many such exclusions are potentially applicable to nonprofits, although many are not. The most relevant exclusions for nonprofits typically include:

• qualified corporate sponsorship income
• royalties
• qualified convention or trade show income
• interest, dividends, annuities, and certain capital gains
• certain rental income
• volunteer labor exception

Taxable Subsidiaries. If the gross revenue, net income, and/or staff time devoted to unrelated business activities become “substantial” in relation to the tax-exempt functions of a nonprofit (thereby jeopardizing its tax-exempt status), the nonprofit can “spin off” one or more of the unrelated activities into a separate, but affiliated, wholly-owned entity, commonly referred to as a taxable subsidiary. Such a taxable subsidiary will pay corporate income tax on its net income but can remit the after-tax profits to the parent nonprofit as tax-free dividends; however, the dividends are not tax-deductible for the taxable subsidiary as business expenses.

Note that there is a significant tax advantage to housing unrelated business activities in a taxable subsidiary. For tax-exempt organizations, the expenses of a particular unrelated business can only be used to offset the gross unrelated business income of that particular unrelated business in calculating net income and the corresponding UBIT. However, if the same activities are conducted in a taxable subsidiary, all of the subsidiary’s expenses can be used to offset its gross income before any corporate income tax is imposed on its overall net income, meaning that losses from one activity can be used to offset gains from another activity.

Filing and Payment Requirements. In computing UBIT, a specific deduction of $1,000 is permitted. If a nonprofit has gross unrelated business taxable income of $1,000 or more during its fiscal year, it must file IRS Form 990-T to report such income and pay any tax due. The Form 990-T is due at the same time as the Form 990, however, if a nonprofit expects its annual UBIT (after certain adjustments) to be $500 or more, then it must make estimated tax payments throughout the year. The Form 990-T is subject to public disclosure like the Form 990; however, certain schedules, attachments and supporting documents that do not relate to the imposition of UBIT do not have to be made available for public inspection.

Corporate Sponsorships

Overview. “Qualified corporate sponsorship payments” are excluded in computing the unrelated business taxable income of tax-exempt nonprofits. A “qualified sponsorship payment” is defined as “any payment [of money, property or services] by any person engaged in a trade or business with respect to which there is no arrangement or expectation that the person will receive any substantial return benefit.” In determining whether a payment is a qualified sponsorship payment, it is irrelevant whether the sponsored activity is related or unrelated to the recipient organization’s tax-exempt purposes. It also is irrelevant whether the sponsored activity is temporary or permanent.

Definition of Substantial Return Benefit. A “substantial return benefit” is defined as any benefit other than: (A) goods, services or other benefits of “insubstantial value”; or (B) a “use or acknowledgment”. A substantial return benefit includes:

• advertising;
• providing facilities, services or other privileges to the sponsor (or persons designated by the sponsor), unless such privileges are of “insubstantial value”;
• granting the sponsor (or persons designated by the sponsor) an exclusive or non-exclusive right to use an intangible asset (e.g., name, logo, trademark, copyright, patent) of the tax-exempt organization; note that while payment for providing a sponsor with the right to use such an intangible asset will not constitute a qualified sponsorship payment, it may constitute a tax-free royalty; or
• designating a sponsor as an “exclusive provider.”

Insubstantial Value. Goods, services or other benefits of “insubstantial value” are those that have an aggregate fair market value of not more than 2% of the amount of the payment. Note that if the fair market value of the benefits exceeds 2%, the entire fair market value (as opposed to the cost) of such benefits, not merely the excess amount, is considered a substantial return benefit.

Use or Acknowledgment. A substantial return benefit does not include a “use or acknowledgment” of the name or logo (or product lines) of the sponsor’s trade or business in connection with the activities of the tax-exempt organization. Use or acknowledgment does not include advertising, but may include:

• sponsor logos and slogans that do not contain qualitative or comparative descriptions of the sponsor’s products, services, facilities, or company;
• a list of the sponsor’s locations (e.g., street addresses), telephone numbers, or website URLs;
• value-neutral descriptions (including displays or visual depictions) of the sponsor’s product line(s) or services;
• sponsor brand or trade names and product or service listings; and
• designating a sponsor as an “exclusive sponsor.”

Logos or slogans that are an established part of the sponsor’s identity are not considered to contain qualitative or comparative descriptions. Mere display or distribution (whether for free or remuneration) of a sponsor’s product by the sponsor or the tax-exempt organization to the general public at a sponsored activity will not be considered an inducement to purchase, sell or use the sponsor’s product and thus will not affect the determination as to whether a payment constitutes a qualified sponsorship payment.

Advertising. “Advertising” is defined as any message or other programming material that is broadcast or otherwise transmitted, published, displayed, or distributed, and that promotes or markets any trade or business, or any service, facility, or product. Advertising includes:

• messages containing qualitative or comparative language;
• price information or other indications of savings or value;
• an endorsement; or
• an inducement to purchase, sell or use any company, service, facility, or product.

A single message that contains both advertising and an acknowledgment is considered advertising. The above rules do not apply to activities conducted by a sponsor on its own.

Royalties

Overview. Royalties are excluded in computing the unrelated business taxable income of tax-exempt organizations. This exclusion does not apply to debt-financed income or to royalties received from a “controlled subsidiary.” The IRS defines a “royalty” as any payment received in consideration for the use of a valuable intangible property right, whether or not payment is based on the use made of the intangible property. Payments for the use (even on an exclusive basis) of trademarks, trade names, service marks, copyrights, photographs, facsimile signatures, and members’ names are ordinarily considered royalties and are tax-free. However, payments for services (such as marketing or administrative services) provided in connection with the granting of this type of right are not royalties—and are generally taxable as unrelated business income (unless such services are substantially related to the nonprofit’s purposes, which, in most cases, they are not).

Examples. In an example provided by a federal appeals court in the Sierra Club case, if the Sierra Club manufactured and sold T-shirts with the organization’s logo or other designs on them, the income earned from the sale of such T-shirts would be taxable, as the activity of manufacturing and selling T-shirts is not substantially related to the Sierra Club’s tax-exempt purposes. However, if the Sierra Club created the designs to be screened onto the T-shirts and then licensed those designs to a T-shirt manufacturer in exchange for a fee (perhaps calculated as a percentage of gross T-shirt sales), that income would constitute tax-free royalty income. Sierra Club, Inc. v. Comm’r I.R.S., 86 F.3d 1526 (9th Cir. 1996).

In an example provided by the IRS in a Revenue Ruling, payments for the use of a professional athlete’s name, photograph, likeness, and/or facsimile signature (provided by and through a tax-exempt organization) are generally considered royalties. However, payments for personal appearances and interviews by the athlete (similarly provided by and through a tax-exempt organization) are not excluded as royalties and must be included as income from an unrelated trade or business. Rev. Rul. 81-178, 1981-2 C.B. 135.

Endorsements. When a nonprofit endorses a vendor’s product or service (often referred to as a nonprofit “affinity” program) but does nothing to market the product or service to its members (leaving this task to the vendor), this can be viewed as, in essence, nothing more than an exclusive license of the nonprofit’s name, logo and (sometimes) membership list to the vendor (in connection with the vendor’s promotion and sale of that product or service to the nonprofit’s members, and possibly to others in the industry or profession as well). As stated above, if the nonprofit gets paid for this exclusive license—even if such payments are calculated as a percentage of gross sales of the endorsed product or service to the nonprofit’s members—then the payments will constitute royalties and will be tax-free to the nonprofit. If, however, the nonprofit does market the product or service to its members, then the tax issues become more complex, as described below.

Endorsements can be a useful means for nonprofits to generate non-dues revenue from both members and non-members, promote the nonprofit’s name and brand, and, by extension, the industry or profession in general, and provide a service (e.g., “tailored” products and services, discounted rates/fees, etc.) to nonprofit members.

Options for Structuring Endorsement Arrangements.

1. Royalties-Only. The endorsement or licensing contract that carries the lowest risk of UBIT liability is one in which the nonprofit licenses its name, logo and/or membership list, exercises quality control over the use of its intangible property by the vendor, and not much more. However, even under this scheme, the IRS and the courts have indicated that the nonprofit may engage in certain limited activities without jeopardizing the tax-free royalty treatment of its income.
2. Royalties to Nonprofit; Services Income to Third-Party or Taxable Subsidiary. If administrative and/or marketing services are required, from a tax perspective, it is generally preferable to outsource such services to an unrelated third-party, or to the nonprofit’s taxable subsidiary (with the nonprofit and subsidiary entering into separate, independent contracts with the vendor). In a 1999 Private Letter Ruling issued to AARP (Ltr. Rul. 200149043), the IRS validated the use of an AARP-wholly owned taxable subsidiary to provide such administrative and/or marketing services, provided it is done on an arm’s length basis (e.g., fair market valuation of the payments to each entity, financial separation, employee time records, etc.).
3. Royalties to Nonprofit; Services Income to Nonprofit. If such services must be provided by the nonprofit directly, then nonprofit contracts with the vendor should provide for separate, distinct provisions of the contract—one for the name, logo and/or membership list licensing on the one hand, and one for the administrative and/or marketing services. The fees earned by the nonprofit should be divided between the two sections pursuant to a fair market valuation. The former should be treated as tax-exempt royalty income; the latter as taxable unrelated business income.

Convention and Trade Show Income

Background. Since 1976, one of the Code’s exceptions to unrelated business taxable is for income received from “qualified convention and trade show activities.” In order to qualify for the safe harbor exception, the nonprofit must “regularly conduct as one of its substantial exempt purposes a show which stimulates interest in, and demand for, the products of a particular industry or segment of an industry or which educates persons in attendance regarding new developments or products and services related to the exempt activities of the organization.” The exception applies to 501(c)(6) tax-exempt entities, as well as to 501(c)(3), (c)(4) and (c)(5) organizations. Prior to 1976, the IRS had started to treat nonprofits’ trade show exhibit fees as subject to UBIT, arguing that such fees were akin to taxable advertising income. Note that these UBIT issues generally do not apply to most of the non-trade show-related convention activities of nonprofits—such as the provision of educational content—as such activities are usually substantially related to the tax-exempt purposes of the nonprofit.

2004 IRS Revenue Ruling. In 2004, the IRS issued Revenue Ruling 2004-112 on the subject of virtual trade shows. With the then-increasing prevalence of the Internet and the ability to offer virtual trade shows, questions began to arise as to whether the offering of a web-based trade show is the type of activity that is “of a kind traditionally conducted at … trade shows” (quoting from Section 513(d) of the Code). The guidance describes two hypothetical scenarios—one involving a Section 501(c)(6) nonprofit that offers a semi-annual virtual trade show in connection with each in-person trade show; the other involving a Section 501(c)(6) nonprofit that offers a virtual trade show not in relation to any in-person trade show.

The Revenue Ruling made clear that the key factor in the analysis of whether virtual trade show activity will be considered subject to the Code’s safe harbor is whether or not the virtual show is conducted ancillary to a live show.

In the first hypothetical scenario, a nonprofit conducts two trade shows a year. In conjunction with such shows, the nonprofit has a separate virtual trade show section of its website available for viewing at all times during such shows as well as for three days preceding and three days following such shows. The in-person shows in this first scenario are similar to most trade or professional nonprofit shows—they include members of the nonprofit and suppliers to the industry and exhibitors are charged a fee by the nonprofit in order to participate. The website contains “information and visual displays…and links to the websites of exhibitors represented at the [in-person] trade show.” The website also contains order forms and a function that allows on-line purchases from exhibitors. The nonprofit charges a fee to exhibitors that desire to have information listed on this web page.

According to the IRS, the virtual activities described above fit within the safe harbor for qualified convention and trade show activities because:

• The web activities are “ancillary” to the in-person trade shows;
• The content of the web section serves to “augment and enhance” the in-person trade shows by making available “in an alternative medium the same information available at the show”; and
• The web page is available “during essentially the same limited time period that each trade show is in operation.”

Thus, income generated by the web page will not be subject to UBIT in this scenario.

The second hypothetical scenario provided by the IRS is very similar to the first, except that the organization in the second scenario offers two-week-long virtual trade shows without any connected in-person events. According to the IRS, such activity will not qualify for the safe harbor. The IRS reasoned that the website in this example is “not itself a convention, annual meeting or trade show” within the meaning of the Code, due to the lack of an in-person, face-to-face component.

Current-Day Virtual Trade Shows. Fast forward to 2021. The virtual trade shows of 2021—compared to 2004—are much more interactive. As those nonprofits who have had to transition in 2020 and 2021 from in-person conferences and trade shows to virtual (or hybrid) ones due to the COVID-19 pandemic know, the educational and networking aspects of these virtual trade shows were notable and done in a way not possible in 2004. Today’s virtual conferences and trade shows resemble in many respects their in-person counterparts for which the safe harbor was written. But with no guidance from the IRS since 2004, it is very difficult to say how the IRS would interpret the safe harbor today and apply it to the 2021 virtual (or hybrid) trade show.

Hybrid Trade Shows. Due to the COVID-19 pandemic, it is likely that at least for 2021, and perhaps into 2022, nonprofits will plan to hold many hybrid in-person and virtual conferences and trade shows. The virtual trade show in the first example of the Revenue Ruling featured only “the same information that is available at the [in-person] show” and a function that allows purchases from “members and suppliers represented at the trade show.” But if a nonprofit offered a virtual show in connection with a live show and allowed companies that are not exhibiting at the live show to participate in the virtual show, would this cause the IRS to determine that the virtual show is no longer “ancillary” to the live show and thus not able to qualify as part of the safe harbor? It is simply unclear—as is the application of the 2004 Revenue Ruling to the modern-day virtual-only or hybrid trade show.

No Safe Harbor Does Not Necessarily Mean UBIT. It should be noted that a failure to qualify for the safe harbor does not necessarily mean that the income generated from a virtual trade show will be subject to UBIT. While, in most instances, the IRS likely would take the position that the net income is generated by the sale of advertising-type services and thus subject to UBIT, there may be instances when a nonprofit is able to demonstrate that its activity is substantially related to its tax-exempt purposes even without the help of the safe harbor. Further, if the arrangements with otherwise-exhibiting companies are restructured accordingly, other Code exceptions from UBIT—such as exceptions for corporate sponsorship payments and royalties—may apply to some or all of the income in question.

Conclusion. While the analysis of whether and how the safe harbor applies to current-day virtual or hybrid trade shows is as clear as mud, the ongoing fallout from the pandemic will continue to force nonprofits to consider alternatives to in-person-only conferences and trade shows. The existence of the 2004 Revenue Ruling—unless and until modified by the IRS, which is not likely anytime soon—will continue to pose UBIT risks to nonprofits in the virtual or hybrid trade show environment.

That being said, the 2004 Revenue Ruling, although on the books, does not supersede the clear intent of the Code to provide a safe harbor exception to unrelated business income where a nonprofit conducts an event to educate persons or stimulate interest and demand for products or services of the membership. Therefore, it is arguable that it may not matter whether the activities traditionally conducted at trade shows are done in person or virtually. It would certainly be helpful if the IRS provides guidance in a new and updated Revenue Ruling. Until then, it would be advisable to document how the activities of the trade show meet the Code definitions of the safe harbor.

* * * * *

While paying UBIT is certainly not a bad thing—and nonprofits generally should not let the federal tax laws be the tail that wags the dog—having a thorough understanding of the rules in this area can help nonprofits to plan strategically and attempt to mitigate UBIT to the greatest extent possible.

For more information, contact Mr. Tenenbaum at [email protected].

Most companies will never deal with such a large volume of documents as they might post-acquisition. For compliance teams, managing this data all remotely is even more of a challenge.

So far, 2021 has been an exceptionally busy year for dealmakers and M&A professionals. In just the first half of the year, global mergers and acquisitions totaled $2.8 trillion, up 131% from the same period in 2020, with the strongest showing through June of any year on record, according to Refinitiv. The same report showed that M&A activity in the U.S. more than tripled to $1.3 trillion, another first half record. In the last few months alone we’ve seen the completion of numerous powerhouse deals, including AT&T’s WarnerMedia and Discovery merger and Amazon’s astounding $8.45 billion purchase of MGM Studios.

Most companies will never deal with such a large volume of documents as they might post-acquisition. And with more deals being closed remotely, the increased use of remote work apps is adding to this challenge, expanding troves of data across a multitude of platforms and creating a storm of fragmented and unstructured data that makes information more difficult to find, process and derive valuable insights from. 

According to market intelligence company IDC, the worldwide volume of data is set to grow from 33 zettabytes in 2018 to 175 zettabytes (or 175 billion terabytes) by 2025, with 80% of it unstructured. From the lens of an M&A professional, unstructured data may mean information buried in existing contracts, old vendor agreements, or IP information, stored within emails and instant messages, virtual meetings, customer interactions, collaborative documents, official records, and almost anything else you can think of with a digital footprint. Combing through these documents manually can risk human error and will certainly cost teams valuable time in searching, processing and understanding all the information that lives across different applications. 

This is where it makes sense to look to technology—and in particular, knowledge integration tools—to help manage this process. 

The power of knowledge integration within the document review process

Unifying information from various applications within a single repository unleashes the potential for rapid search across several data sources, all at once. While this is beneficial during the pre-acquisition stage—to streamline due diligence, for instance—it can also be a powerful capability for supporting a business post-acquisition, by connecting employees of the newly merged company with knowledge and insights that can boost their productivity. Documents (and even specific text within certain documents) that may have previously taken weeks to collect can now be found instantly, on day one post-acquisition. 

Knowledge integration can also help with cutting cost and risk—for instance, by consolidating acquired applications to reduce license costs while retaining the data in one place. 

Overall, knowledge integration can help ensure teams are more prepared, responsive, and empowered. Instead of manually sifting through thousands of documents, dealmakers and their teams can shift their focus toward the bigger, more strategic task at hand: successfully meshing two organizations’ cultures and day-to-day operations to become a new entity. 

The old adage stands true: You don’t know what you don’t know. This is why it’s so important to understand what constitutes your new world of data after a deal is completed; only then can you begin to identify opportunities to generate greater business value. 

For dealmakers, becoming educated on the challenges that unstructured data poses and how that data can be more effectively accessed and managed in a post-acquisition stage is critical. Armed with the right tools, organizations can speed up post-deal day one operations by delivering the information needed to run the business. 

Asking a judge—particularly a bankruptcy judge—to say a few words about the needs and opportunities for pro bono representation in our courts, particularly in the context of Chapter 13 bankruptcy cases, is a high-risk enterprise, for a couple of reasons.^[1] To be honest, there is just so much to say. But I will do my best to be brief—even though we judges are not known for this. I have three things to say: we need your help, we appreciate your help, and we thank you for your help.

First, we need your help. Chapter 13 bankruptcy cases occupy a very particular place in the bankruptcy world, and in the federal justice system. I can’t think of another area of law that more directly and consistently affects a family’s fundamental desire to keep their home, or if that is too much to manage, a family’s hope to find a path forward that is as dignified and decent as possible under the circumstances. And of course, every time a family succeeds in this way, the lender succeeds too—because a non-performing asset (a mortgage in default) is resolved, one way or another. If a Chapter 13 plan is confirmed, the arrears will be repaid; if loss mitigation leads to a modified mortgage or some other resolution, that’s good too; and if the case does not succeed, at least there is closure.

But a successful Chapter 13 case is not easy. In bankruptcy court, we live at the messy crossroads of debtors and their creditors, mortgagors and mortgagees, homeowners and banks. Things can happen quickly, and a misstep at the outset of a case can be devastating to its prospects. The advice of counsel—even the most basic guidance—can make the difference between a case that is dismissed in 45 days and a case that leads to a successful outcome for debtors and creditors.

Most—indeed, nearly all—lenders are represented in these proceedings, and experienced lenders’ counsel is absolutely invaluable in this process. These lawyers have vast experience in understanding and working with a situation to get the best result for their clients, and they are an indispensable part of the process. The Chapter 13 trustee is likewise highly skilled at guiding a process that can be successful for the homeowner and the lender alike. And the bankruptcy court has resources for all of the parties, including regular case conferences on the confirmation of a Chapter 13 plan, a highly successful loss mitigation program, a pro se law clerk, and more.

But many Chapter 13 debtors are not represented by counsel. Their situation may be urgent, and their bankruptcy case may be incomplete, filed in haste to stop a foreclosure sale or an eviction. They may lack even the most basic understanding of whether bankruptcy makes sense for them or how to get the benefits of a bankruptcy case in their particular circumstance. When this happens, the prospects for a successful outcome, one way or another, can be diminished or even lost. That’s an unfortunate result for the debtor and their family, for the mortgage lender and other creditors who might have been paid through a bankruptcy case, and for the bankruptcy system itself.

That doesn’t have to happen. In many of these cases, the debtor may be able to retain counsel. Unrepresented debtors are regularly encouraged to contact the lawyer referral services of local bar associations to obtain referrals to attorneys who are qualified to assist them in evaluating their bankruptcy options and to represent them in a Chapter 13 case. Sometimes family or household members can assist in paying the fee, whether up-front or over time, including through the Chapter 13 plan. But other times, no matter how hard the debtor and the debtor’s family try, the funds to pay an attorney just aren’t there.

Here’s where the need for pro bono counsel comes in. Not for every pro se debtor—that’s not at all what I’m suggesting. But in those situations where the debtor is unable to pay a fee, even with help from contributors, even over time, and still meet their basic needs, then every participant in the process, from the debtor to the secured creditor and all of the other creditors, to the Chapter 13 trustee, and the court, benefit from the service of pro bono counsel.

Second, we appreciate your help. Bankruptcy courts have many tools. We have broad jurisdiction, the Bankruptcy Code and Rules, our extraordinary colleagues, a highly professional, sophisticated, and creative bar, and some of the most interesting cases in the federal system. All of us in the bankruptcy practice have the opportunity to make a difference, every single day. We help companies reorganize, we give families the opportunity to get back on their feet with a fresh start, and we get creditors paid.

But sometimes, it takes a lawyer to get these good results. And in Chapter 13, that “sometimes” is actually most of the time. A missed opportunity to get to a good result is a loss for the debtor, the creditors, and the court. And a saved opportunity to get to that good result, through the service of pro bono counsel, is a win.

It’s hard adequately to describe how satisfying it is to see a pro bono attorney succeed in a case—no matter what the definition of “succeed” proves to be in the particular situation—or how much this representation is appreciated. Bankruptcy court is often where individuals and families land at a moment of crisis in their economic lives, and as hard as we try to make it a user-friendly and accessible place, it can be intimidating. There are countless ways to make a mistake early in a case, and the cost of such a mistake can be high indeed. The costs of a failed case are borne by the debtor and their family, of course. But they are also borne by creditors, who lose the chance to get paid through the orderly administration of a bankruptcy case. This may well be avoided when pro bono counsel steps in early in the case.

Even more fundamentally, every party—whether represented or not—deserves to understand what is expected of them, what is happening to them, and why. We can conduct hearings in person, telephonically, and on video, and we have access to interpretation in countless languages—but courts cannot “interpret” the law for a pro se party or provide legal advice. Here too, it’s hard adequately to describe how satisfying it is to see that a party who would otherwise risk being lost in a maze of legal proceeding is now represented by their own counsel, or how much this work is appreciated.

Third, we thank you for your help. Sometimes it’s worth remembering that “pro bono” means so much more than “for free.” It is derived from “pro bono publico,” and means “for the public good.” According to the Oxford Reference, it was first used in this sense in England in the late seventeenth century, and now is commonly used to mean “work undertaken for the public good without charge, especially legal work for a client on a low income.” According to Wikipedia, it means “professional work undertaken voluntarily and without payment.” When I was in private practice, I liked to think that a characteristic of my pro bono work was that all of the income that it generated—in the form of professional satisfaction—was non-taxable.

It should also generate this: thanks. We don’t say it nearly often enough, and it could never be said too much. Thanks for considering pro bono work, thanks for every hour you have ever spent on pro bono work, and thanks for every hour that you are spending now and that you will invest in the future in pro bono work. Thanks for keeping that family in their home, or for helping them to understand that they need to move on. Thanks for helping your pro bono client get through one of the hardest times they will face, knowing that there is someone in their corner—and thanks for being that “someone” for them. And thanks for providing the secured creditor’s lawyer and the Chapter 13 trustee with a lawyer with whom they can speak in addressing the situations presented by the case.

Finally, thanks for appearing in court on behalf of your client, and helping the court to have the best possible hearing in a difficult situation. And when I have to make a hard decision in a Chapter 13 case, and because of your service the debtor has an advocate, thanks for helping me sleep well that night.

***

Does any of this make it easier to step forward and take on a Chapter 13 bankruptcy case, maybe for the first time? Does it begin to answer the question why someone who owns a home could somehow need a pro bono lawyer to help save that home? Hopefully, it does, at least a little bit. The need for this help is there. We may not see it from the bench every day, but we surely see it often—too often.

Pro bono assistance also fills a critical gap between what the pro se debtor needs and what the court, the Chapter 13 trustee, and counsel for other parties can provide. Closing that gap can make the difference between success and failure of a case.

And finally, pro bono assistance is not just legal work “for free.” It is foundational to the profession, and serves the public good. And it deserves our recognition, and our thanks.

[1] © 2021 Elizabeth S. Stong.

In a keynote panel at September’s Virtual Section Annual Meeting, leaders in the American Bar Association’s Business Law Section shared thought-provoking and informative reflections on the impacts of the past year on the profession and expectations for the year ahead.

During the meeting’s Welcome Reception, Citigroup General Counsel Rohan Weerasinghe and Teresa Wilton Harmon, Managing Partner of Sidley Austin LLP’s Chicago office, discussed the future of legal practice for business lawyers. Jeannie Frey, 2020–2021 chair of the Business Law Section, moderated the panel, whose wide-ranging discussion touched on changing expectations for attorney work-life balance; diversity, equity, and inclusion; and business and professional development.

Work-Life Issues

Harmon highlighted that the COVID-19 pandemic has left the legal profession at a “pivotal moment” in changing work environments. “We have a new economy starting up all around us, we have new ways of working together,” she said. “Firms are recognizing that we’re in a talent business—that health and wellbeing, and satisfaction of our team members, are really important to getting the results that we need.”

The panelists praised the increased flexibility that has come with remote work and expressed hope it will continue; Frey described the remote work world as giving attorneys “permission to be human… to be able to acknowledge that you have other parts of your life and have that be respected.”

But they noted new challenges, too.

“There’s a blurring of when you’re at work and when you’re at home,” Weerasinghe said. “We have to figure out how to deal with that in a post-COVID Zoom environment. I think it’s important to protect people’s personal time just as much as giving them the flexibility.”

Diversity, Equity, and Inclusion Issues

Frey pointed out that in the past year and a half, the “need to acknowledge real systemic social and racial justice issues in the legal profession as well as society at large” has been as significant a focus as the pandemic. She asked Harmon and Weerasinghe whether we can expect to see “real progress in the near future in law firms being more likely to hire, support and promote lawyers of color, women, and other diverse and underrepresented groups.”

The panelists agreed the profession is improving on these issues but has much further to go: “We’ve got to keep fighting,” Weerasinghe said. Harmon discussed some bright spots, noting that she’s seeing stronger buy-in for DEI initiatives, as well as more efforts like the Sidley Prelaw Scholars program that aim to address systemic barriers to a diverse array of talent entering the legal profession.

“Our job is to ensure a just world,” Harmon said. “Racial justice has to be part of our bread and butter every day.”

The conversation turned to how in-house lawyers can work on increasing diversity and inclusion. Weerasinghe highlighted the importance of thoughtful hiring, ensuring that not only candidate pools but also the set of individuals who interview them are diverse. “It’s a key part of making sure we get the right perspective, and we try to minimize—I’d like to say eliminate, but I’m practical—minimize any kind of unconscious bias,” he said. He also pointed out that greater openness to remote work is enabling employers to draw on a larger and more diverse talent pool.

Business Development

As with many aspects of attorneys’ work that have changed during the pandemic, business development has been no exception. The panelists argued those changes presented new chances for success, particularly for young lawyers.

“We’re seeing entire areas, including areas that are focused on technology, and health and life sciences, and fintech, that really weren’t that strong before the pandemic where there’s incredible growth now,” Harmon said. “For newer lawyers… I think it’s actually a neat business development opportunity.”

The panel also discussed the need for young and mid-career lawyers to work with more experienced colleagues, and for those colleagues to actively support them.

“You’re going to have to figure out, as the COVID situation improves, how you can get more visibility on a face-to-face with some potential clients but also work with more senior partners at law firms to get them to introduce you,” Weerasinghe said.

Frey argued that reaching out to connect with up-and-coming attorneys is crucial. “I look around at my team, and I have team members who will be practicing here, I hope, long after I’m gone. I want them to be developing those peer relationships now… so that that relationship with the firm and the individuals can grow, and we can support the professional growth of those more junior lawyers.”

No matter what other opportunities arise in the future, Harmon argued, professional organizations like the ABA should stay part of attorneys’ business development mix.

“That’s always been a huge part of my business plan, of my business development, since I went to my first ABA Section of Business Law meeting as an associate,” Harmon said. “It’s been great to see the ABA stay strong, reach out to more people, and find new ways for people to build connections across their professional lives… It’s a really important part of our fabric as lawyers.”

The Task Force on Residual Interests of the American Bar Association Committee on Securitization and Structured Finance^[1] was organized in response to a series of ongoing litigation proceedings described by one writer as a “multicourt, multistate legal war,”^[2] that involves 15 special purpose Delaware statutory trusts known as the “National Collegiate Student Loan Trusts” (the “Trusts” or “NCSLTs”). These proceedings have raised serious concerns among securitization industry participants—in particular, as to whether securitization documents properly address the role of residual interest holders in special purpose vehicles.

The issues being litigated in the NCSLT proceedings focus on whether certain actions of the residual interest holder in the Trusts were properly authorized. At this point, the legal consequences of such actions largely remain unresolved. Accordingly, the goal of the Task Force in writing this article is to raise awareness of these concerns and the possible ramifications when such concerns aren’t fully considered.

We start by summarizing the background, history and current status of these cases. We then examine issues relating to trust agreements under Delaware law, as well as more generally under securitization indenture documents. Finally, we recommend several principles to consider in drafting securitization documents in light of these cases.

Background

Between 2001 and 2007, the Trusts acquired and provided financing for over 800,000 private student loans in aggregate principal amount exceeding $15 billion through the issuance of over $12 billion in aggregate principal amount of investor notes. Until 2009 the Trusts were owned jointly by an affiliate of First Marblehead Corporation and The Education Resources Institute, Inc. (“TERI”). In 2008 TERI went bankrupt; thereafter Vantage Capital Group (“VCG”), a Florida-based private investor, acquired (through its affiliates) the majority of the beneficial ownership interests (a /k /a, residual equity interests) in the Trusts.

Once it acquired the beneficial interests, VCG took a number of actions in its capacity as beneficial owner. In November 2015 VCG directed the Owner Trustee for the Trusts to engage counsel chosen by VCG, and to enter into a Servicing Agreement (the “Odyssey Servicing Agreement”) with Odyssey Education Resources, LLC, a VCG affiliate (“Odyssey”), to service non-performing loans for certain of the Trusts. That direction was given notwithstanding that the Trusts had pre-existing agreements with other servicers to collect defaulted loans. The Odyssey Servicing Agreement, among other things, allowed Odyssey to purchase such loans from the Trusts at a discount from market price. Then, during the course of 2015 and early 2016, Odyssey incurred more than $1.24 million in legal fees and costs allegedly conducting diligence on the Trusts’ portfolios and submitted those invoices for payment from the Trusts’ assets.

In response to the demand for payment of Odyssey’s invoices, the Indenture Trustee commenced a Trust Instruction Proceeding in Minnesota (later removed and transferred to Delaware Federal District Court) seeking judicial direction. Additional counsel were subsequently engaged at VCG’s direction for other matters, resulting in invoices for millions of dollars of additional legal fee costs, costs that were also submitted for payment from the Trusts’ assets.

These and other actions by VCG seeking to control the Trusts resulted in multiple legal proceedings spanning several states, including four lawsuits in the Delaware Chancery Court. Three of those lawsuits involve various claims and causes of action by VCG, or by the Trusts at VCG’s direction, against the Trusts’ primary and special servicers, administrator, indenture trustee, owner trustee, noteholders and note insurer, and the fourth an action by noteholders against VCG, which proceedings, not surprisingly, have now been consolidated by the Chancery Court.

Finally, independent of those actions, another perhaps even more noteworthy proceeding relating to the Trusts was commenced in 2017 by the Consumer Financial Protection Bureau (the “CFPB”). In that year, the CFPB filed suit against the Trusts in Delaware Federal District Court based on alleged conduct of the Trusts’ servicers. The CFPB also filed a proposed consent judgment, negotiated with counsel retained at VCG’s direction, that would have resulted in a broad transfer of control to VCG over the Trusts’ assets.

Description and Current Status of Relevant Litigation Proceedings

The litigation stemming from VCG’s attempts to act on behalf of the Trusts has now been pending for several years, and the litigation landscape relating to these issues remains in flux. It is therefore unclear whether any of VCG’s attempts to bind the Trusts will succeed, or whether VCG will ultimately face legal consequences for its attempts to control the Trusts without authorization from other trust parties. However, 2020 and 2021 saw material developments in several of these cases.

The Trust Instruction Proceeding pending in Delaware Federal District Court^[3] initially sought instructions as to whether Odyssey was properly appointed as special servicer. Intervening investors also asserted that (x) the new Odyssey Servicing Agreement violated the clauses granting liens to the Indenture Trustee (the “Granting Clauses”) and requiring consent of the Indenture Trustee or noteholders (the “Consent Clauses”) in the Trusts’ Indentures and (y) the Trusts (acting through VCG) were engaged in self-dealing. In September 2018, the District Court ruled that the actions taken on behalf of the Trusts did not violate the Granting Clauses and Consent Clauses in the Trusts’ Indentures and that the related invoices should be paid from the Trusts’ assets.

In August 2020, the Third Circuit reversed in part,^[4] holding that:

• The Trusts (here, acting through VCG) may appoint a new servicer so long as the appointment does not violate any terms of the Trusts’ governing agreements, including those agreements’ prohibitions on improper self-dealing.
• The Odyssey Servicing Agreement did violate the Granting and Consent Clauses because it impermissibly reserved for the Trusts (again, acting through VCG) several rights conveyed by the Granting Clause to the Indenture Trustee, including the right to replace any servicer for cause, and violated the Indenture Trustee’s right to consent to modifications to any servicing agreement and the Trust governing agreements.

The Court did not reach the issue of whether the Odyssey Servicing Agreement also constituted improper self-dealing prohibited by the Indenture, but noted that VCG “stands on both sides” of the Agreement, and that “[i]t is hard to see how such a transaction could be considered as conducted at arm’s length.”

The case was remanded to consider whether invoices submitted for payment from the Trusts’ assets are payable even if the Odyssey Servicing Agreement was invalid and thus void. The case remains pending before the Delaware Federal District Court as of the date of publication of this article.

The CFPB action in Delaware Federal District Court^[5] sought, among other things, to hold the Trusts liable under the Consumer Financial Protection Act of 2010 (the “CFPA”) for alleged servicing violations and to approve a CFPB Consent Judgment entered into by VCG’s counsel purportedly on behalf of the Trusts. The Consent Judgment would have (w) placed servicing control of the entire 800,000-loan portfolio in the hands of VCG, (x) required proceeds of collections to be turned over to an account under VCG’s control, (y) authorized VCG to audit all 800,000 loans held by the Trusts, at the Trusts’ expense, and (z) required payment of almost $20 million by the Trusts in restitution, disgorgement, and civil money penalties.

The court issued two important rulings in this case in the last twelve months:

• In May 2020,^[6] the court refused to enter the proposed CFPB Consent Judgment based upon the court’s holding that VCG’s counsel had not been authorized to enter into the CFPB Consent Judgment on behalf of the Trusts.
• In March 2021,^[7] the court dismissed the CFPB’s complaint based upon findings that the CFPB initially filed the case in September 2017 when the bureau’s structure violated the U.S. Constitution’s separation of powers,^[8] that the CFPB’s attempted ratification was untimely, and that the CFPB was not entitled to equitable tolling of the statute of limitations given an absence of pleaded facts showing that the bureau diligently pursued its rights.

The court’s March 2021 ruling on the motion to dismiss was notable for what it did not address. First, it did not respond to the Trusts’ important substantive arguments that the Trusts are not “covered persons” under the CFPA (although the court noted that it “harbors some doubt that the Trusts are ‘covered persons’ under the plain language of the statute”). In addition, the ruling did not address the assertion that the CFPB did not state claims against the Trusts based on alleged servicing violations, because those claims could only lie against the servicers themselves. Those arguments, therefore, remain open legal questions on which a court has not yet ruled.

The court order allowed the CFPB to replead its case by filing an amended complaint, noting, however, that it was “hardly clear” that the bureau could “cure the deficiencies noted in the memorandum opinion.” The CFPB filed an amended complaint on April 30, 2021. On October 1, 2021, after the motion to dismiss the amended complaint was fully briefed, Judge Noreika, the presiding judge, was replaced (possibly due to a backlog of jury trials) by Judge Stephanos Bibas, a 2017 appointee to the Third Circuit. Judge Bibas has indicated that he will hear oral argument before deciding the motion.

It is of course unknown at this point whether or how the change in presiding judge will affect the progress, timing and result of the CFPB proceeding.

Actions taken by or at the behest of VCG are also at the core of a series of four lawsuits involving the Trusts that have been consolidated in the Delaware Chancery Court for the purpose of resolving proposed declarations regarding certain common contract interpretation issues:^[9] (1) a March 2016 action filed in the name of the Trusts (at VCG’s direction) seeking emergency authorization to compel the Pennsylvania Higher Education Assistance Agency, the primary servicer for performing loans, to provide its books and records for an audit by Boston Portfolio Advisors, a former member (along with VCG) of Odyssey; (2) a March 2018 action filed in the name of the Trusts (at VCG’s direction) against the Indenture Trustee, the Administrator, and certain special servicers alleging their failure to supervise servicing; (3) a November 2018 action filed by noteholder investors against VCG for breach of contract, civil conspiracy, and breach of fiduciary duty; and (4) a November 2019 action filed by VCG against the Trusts’ Owner Trustee, Indenture Trustee, Administrator, Note Insurer, and Noteholders seeking declaratory relief regarding various Trust constituents’ rights and certain contract interpretation issues under the Trusts’ governing agreements.

In August 2020, the Court issued a lengthy memorandum opinion containing rulings on the following subjects:

• Ownership of Collateral and Rights to Act on Behalf of Trusts. The court ruled that the Granting Clauses of the Trusts’ Indentures convey all the beneficial interest in and the right to control the collateral to the Indenture Trustee for the benefit of the Note Insurer and the Noteholders, even pre-Event of Default. The Trusts retain legal title to the collateral and the right to exercise authority over such collateral to the extent of fulfilling the Trusts’ obligations. Until the Indenture is discharged, the Trusts cannot take any action that “derogates from the Granting Clause or otherwise violates a Basic Document.”
• Fiduciary Duties. The court ruled that the residual interest holders owe the Note Insurer and the noteholders fiduciary duties when acting on behalf of the Trusts, or when directing Trust parties to act on behalf of the Trusts or their assets. This duty arises because of the Note Insurer’s and the noteholders’ relationship to the collateral, not because of their relationships to the Trusts. The Trusts must “regulate their conduct” and act in the best interests of the collateral’s beneficial owners, and the residual interest holders’ duty “surely entails” an obligation not to use control of the collateral to advantage themselves at the expense of the Note Insurer and noteholders.
• Delegation of Owner Trustee’s Duties. The court held that the Owner Trustee cannot delegate its authority to agents answerable only to residual interest holders without those directions flowing through the Owner Trustee. Specifically, the Owner Trustee could not fully delegate to VCG’s counsel the Owner Trustee’s rights to approve the proposed CFPB Consent Order.
• Other Rulings. The court’s ruling also (1) defined the Administrator’s and the Owner Trustee’s rights and obligations; (2) held that the Trusts’ governing agreements must be read as a whole, including incorporating provisions from other documents; (3) declined to issue requested declarations regarding certain parties’ rights to direct the Trusts’ activities at issue in the case; (4) issued a declaration that amendments to the governing documents require Indenture Trustee, Note Insurer, and noteholder consent; and (5) held that, to be paid by the Trusts, Owner Trustee expenses must relate to the Owner Trustee’s limited contractual duties, but that certain Administrator expenses may include Trust expenses reimbursable by the Trusts’ assets.

As of the date of publication of this article, discovery is proceeding on the remaining common contract interpretation issues. Trial on these issues is expected to commence next year.

We note that, in addition to the proceedings described above, there are or have been cases or proceedings involving the Trusts in other jurisdictions, including New York, Illinois and Florida, mostly seeking reimbursement for fees and expenses incurred by various professionals at VCG’s direction. We have, in the interest of brevity, focused on the proceedings with the greatest relevance to the concerns that the Task Force seeks to highlight.

Effect of the Delaware Statutory Trust Act

The rulings of the Delaware Chancery Court described above have highlighted some significant statutory principles under Delaware law that relate to the scope of rights of beneficial owners of trust interests. Accordingly, those rulings as well as the Delaware Statutory Trust Act need to be carefully considered by transaction participants in determining the appropriate rights of residual owners.

A stated policy of the Delaware Statutory Trust Act, 12 Del. C. § 3801, et seq. (the “Act”), is to give maximum effect to the principle of freedom of contract and to the enforceability of governing instruments (collectively referred to as the “Trust Agreement”). Although the default rule under the Act is that the business and affairs of a statutory trust are managed by or under the direction of its trustees, in practice that default rule is frequently altered by the provisions of the Trust Agreement. For example, to the extent provided in the Trust Agreement, any person (including a beneficial owner) may be given rights to direct the trustees or other persons in the management of the statutory trust. In addition, pursuant to Section 3806(b)(7) of the Act, a Trust Agreement “may provide for the appointment, election or engagement, either as agents or independent contractors of the statutory trust or as delegates of the trustees, of officers, employees, managers or other persons who may manage the business and affairs of the statutory trust and may have such titles and such relative rights, powers and duties as the governing instrument shall provide.”

In practice, the trustee of a statutory trust used in a securitization transaction retains limited discretion with respect to the statutory trust and its assets. Subject to its rights under the Trust Agreement, the trustee will act upon proper direction by the person with the authority to direct the trustee as provided by, and in accordance with, the Trust Agreement. Such direction can also require additional persons, such as investors or an indenture trustee, to provide consent to the giving of such direction. Trust agreements are often drafted so as to require such consents for non-ministerial actions, such as material changes to transaction documents adversely affecting holders; replacing an indenture trustee, administrator or servicer; selling or assigning the trust estate; and such other significant actions as the parties deem necessary. When drafting and negotiating the Trust Agreement, the parties should carefully consider what actions might require additional consents and what actions may be taken unilaterally by the person authorized to direct the trustee in the management of the statutory trust.

Section 3809 of the Act incorporates the laws of the State of Delaware pertaining to trusts and makes such laws applicable to statutory trusts, except to the extent otherwise provided in the Trust Agreement or the Act. Consequently, although trustees of a statutory trust may have duties similar to those of a common-law trustee (such as care, loyalty, good faith, candor and safekeeping of trust assets), contractual provisions in the Trust Agreement often alter those duties. These duties may not apply to those persons who have the right to direct the trustee or otherwise control the management of the statutory trust or the trust estate. However, under current Delaware case law, it is likely that such persons would have, at a minimum, a duty not to use their control of the statutory trust or control over the trust estate to their advantage at the expense of others who might have a beneficial interest in the statutory trust or the trust estate.^[10]

The full scope of the duties of a directing party has not been completely fleshed out under Delaware law, but fortunately the Act provides for a method to manage such duties. The Act permits the expansion, restriction or elimination of duties in the Trust Agreement “to the extent that, at law or in equity, a trustee or beneficial owner or other person has duties (including fiduciary duties) to a statutory trust or to another trustee or beneficial owner or to another person that is a party to or is otherwise bound by the” Trust Agreement. However, the Trust Agreement cannot eliminate the implied contractual covenant of good faith and fair dealing. A provision to restrict or eliminate fiduciary duties must be clear and unambiguous in the Trust Agreement in order to be enforceable.

It should be noted that a beneficial owner’s beneficial interest in a statutory trust is freely transferable. As such, if one of the rights of a beneficial owner in the trust is the right to direct the trustee, the parties to the transaction should consider whether restrictions on transfer of that beneficial interest are needed in order to have some limits on who might exercise the direction right. Any such restrictions should be set forth in the Trust Agreement.

Transaction Documents and Other Considerations

The non-recourse, senior/subordinate structure typical in securitizations contemplates that senior security holders will have prioritized control of collateral proceeds, but that they will also benefit from other control provisions, such as the Consent Clauses referenced above. It is not surprising that the Third Circuit relied heavily on the Granting Clauses and Consent Clauses of the NCSLT indentures—provisions typical of indenture documents with this structure—in holding that the beneficial holders exceeded their authority. The potential disconnect between Granting and Consent Clauses, on the one hand, and the trust agreement provisions in the NCSLT’s transaction documents, on the other hand, was clearly a gap the residual interest holders tried to exploit.

The lessons learned in these cases are clear. Securitization documents that are not clearly drafted may inadvertently permit residual holders to claim that they should receive collateral proceeds that would otherwise be used to pay amounts owed on senior classes of notes. Any attempt by a residual holder to rely upon unclear provisions in transaction documents to settle or compromise, either directly or indirectly, claims related to trust assets could have unanticipated, adverse consequences on senior holders and trustees.

Although the marketplace has many examples of providing “first loss” holders with some level of control over asset dispositions, drafters should consider addressing the risk of a residual holder gaining control over, and title to, trust assets. For example, drafters may wish to include express restrictions on who may appoint additional servicers and the terms of such appointments, as well as conditions to payment of fees and reimbursement of expenses of such additional servicers. In an effort to avoid potential conflicts, parties should also consider whether and under what circumstances affiliation between a servicer and holders of residual interests should be permitted.

Attention should also be given to the level of disclosure provided to investors in respect of asset dispositions and the expected level of indenture trustee involvement in such dispositions. As a result of the NCSLT cases, parties should take a fresh look at existing forms with a view towards clearly and unambiguously defining the role of the indenture trustee, while reducing the possibility of conflicting instructions from different investor groups.

One notable aspect of the NCSLT litigation decisions is court reliance on the conveyance language of the “Granting” Clause. As indicated by the name of that clause, practitioners may think of the conveyance language in this clause as merely a precautionary supplement to the security interest grant. But the NCSLT courts found the reverse: that, when considered in the context of the complete trust agreements and the commercial context, the “Granting” Clause is a conveyance supplemented by a precautionary security interest. Although there are certainly structures, particularly in the consumer area, that contemplate a trustee holding record title to assets, it will be interesting to see whether the marketplace starts to re-evaluate granting clauses containing conveyance language with respect to other asset types, useful as it may have been for the NCSLT noteholders.

Finally, substantive consolidation is another important area to consider when granting residual holders any degree of control over a special purpose vehicle. Although not raised as an issue in the NCSLT cases, control over an entity of the type asserted by the NCSLT residual interest holders could be a negative fact in a substantive consolidation analysis (a discussion of which is beyond the scope of this article).

Task Force Recommendations

The series of unfortunate circumstances giving rise to the NCSLT disputes has made it apparent to many in the securitization industry, including investors and trustees as well as originators and sponsors, that:

1. Unclear provisions in securitization documents could present unforeseen problems, inasmuch as residual owners may seek to exploit such provisions to gain control of a securitization trust in ways not anticipated by other participants.
2. As evidenced by the NCSLT litigation, residual owner rights could involve control over trust assets and therefore raise substantive consolidation concerns.
3. Residual owners might engage in self-dealing or have conflicts of interest.
4. The securitization industry needs to be aware of and consider these risks in its documentation.

In all circumstances, unless specifically negotiated and agreed upon by the relevant transaction parties, transaction parties must seriously consider whether the rights of residual owners should be subject and subordinate to provisions to the contrary in any other relevant transaction documents. True to their name, residual owners are entitled to residual cash flows, but securitization documents need to be clear on the other rights of residual owners and provide adequate protection to other parties should those rights extend beyond mere receipt of cash flows. Accordingly, the Task Force recommends the following in drafting securitization documents:

1. If residual owners are entitled to rights beyond mere receipt of residual cash flow, those rights should be expressly and explicitly addressed in the relevant transaction documents. 
2. If residual owners are given greater rights (and notwithstanding that such rights may give rise to obligations as a matter of law), consideration should be given as to whether to pair those rights with explicit contractual obligations, so that such rights are exercised in a manner consistent with, and not contrary to, the interests of other transaction parties.
3. Consideration should also be given as to whether the rights of transferee holders of residual interests should be more limited than those made available to the originator/sponsor.

[1] Although this is a Task Force effort, special thanks go to Richard Facciolo, Elizabeth Frohlich, Jim Gadsden, Barbara Goodstein (Chair), Ori Lev, Doug Rutherford, Andrew Silverstein, and Craig Wolson for their contributions.

[2] Montgomery, Jeff, “Chancery Suit Seeks $150M in Student Loan Trust Damages,” Law360, November 14, 2018.

[3] In re Nat’l Collegiate Student Loan Trusts 2003-1, et al., Case No. 1:16-cv-341 (D. Del) (notice of removal filed Mar. 25, 2016).

[4] In re Nat’l Collegiate Student Loan Trusts 2003-1, et al., 971 F.3d 433 (3d Cir. 2020).

[5] Consumer Fin. Prot. Bureau v. National Collegiate Master Student Loan Trust, et al., Case No. 1:17-cv-01323 (D. Del) (filed Sept. 18, 2017), and related actions.

[6] Consumer Fin. Prot. Bureau v. Nat’l Collegiate Master Student Tr., C.A. No. 17-1323 (MN), 2020 WL 2915759 (D. Del. May 31, 2020).

[7] Consumer Fin. Prot. Bureau v. Nat’l Collegiate Master Student Tr., C.A. No. 17-1323 (MN), 2021 WL 1169029 (D. Del. Mar. 26, 2021).

[8] Relying upon Seila Law LLC v. Consumer Fin. Prot. Bureau, 591 U.S. ____ , 140 S. Ct. 2183, 207 L. Ed. 2d 494 (2020).

[9] In re National Collegiate Student Loan Trusts Litigation, Docket No. 12111-VCS (Del. Ch.) (filed Mar. 16, 2016), and consolidated actions.

[10] See, e.g., Cargill, Inc. v. JWH Special Circumstance LLC, 959 A.2d 1096 (Del. Ch. 2008) (citing In re USACafes L.P. Litig., 600 A.2d 43 (Del. Ch. 1991)).