On April 18, 2018, the Government of Canada (Innovation, Science and Economic Development Canada) published the final regulations relating to the mandatory reporting of privacy breaches under Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”). These regulations (the “Regulations”), which include fines of up to $100,000CAD for non-compliance, will come into force on November 1, 2018.
By way of background, within Canada, PIPEDA applies to:
all private sector organizations regulated by provinces that do not have substantially similar private sector privacy legislation (all provinces except Alberta, British Columbia, and Quebec), that collect, use, or disclose personal information in the course of their commercial activities;
federal works, undertakings and businesses (i.e. airlines, banks, interprovincial railways/trucking, and broadcasting, including the employees of those organizations); and
all personal information that flows across provincial or national borders in the course of commercial transactions.
Outside of Canada (and as discussed further, below), PIPEDA applies to foreign organizations (including those situated in the United States) that have a real and substantial connection to Canada and that collect, use, or disclose the personal information of Canadians in the course of their commercial activities.
Why should organizations both within and outside Canada pay careful attention to this legislative update? To date, much of the Canadian private sector and other organizations subject to PIPEDA have not been subject to mandatory privacy breach notification. With the exception of Alberta, data breach reporting under PIPEDA has been voluntary for private sector organizations across Canada. However, the recent amendments to PIPEDA and the Regulations will mean that private sector organizations subject to PIPEDA will soon face mandatory breach reporting and record-keeping requirements, which will require organizations to revise internal privacy policies and procedures to ensure compliance with these significant legislative changes.
Below, we provide a brief overview of the key provisions to which organizations should be turning their minds as the coming-into-force date approaches.
Breach Notification Provisions in PIPEDA
Overview
In June 2015, Canada passed Bill S-4 – The Digital Privacy Act into law. This bill made a number of important amendments to PIPEDA relating to mandatory breach notification and record-keeping. Once these provisions come into force, organizations subject to PIPEDA will be required to report privacy breaches in certain circumstances to affected individuals and to the Office of the Privacy Commissioner of Canada (the “Commissioner”).
Pursuant to section 10.1 of PIPEDA, organizations will need to both notify individuals (unless prohibited by law) and report to the Commissioner all breaches of security safeguards involving personal information under their control where it is reasonable to believe that the breach creates a “real risk of significant harm to the individual” (we refer to this legal test as the “notification threshold”). This must be done “as soon as feasible” after the organization determines that the breach has occurred, and the notification to affected individuals and report to the Commissioner must contain certain prescribed information, as noted below.
In determining whether the above notification threshold has been met, there are a number of definitions that organizations must keep in mind. A “breach of security safeguards,” for instance, means the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from: a) a breach of an organization’s security safeguards (referred to in clause 4.7 of Schedule 1), or b) a failure to establish those safeguards. The term “significant harm” on the other hand includes, among other harms, humiliation, damage to reputation or relationships, and identity theft. A “real risk” will require the consideration of such factors as the sensitivity of the information, the probability of misuse, and any other prescribed factor.
Content and Manner of Report to the Commissioner
The report to the Commissioner must be in writing and be submitted by any secure means of communication. The Regulations require this report to contain certain information, including but not limited to a description of the circumstances of the breach and, if known, the cause; a description of the steps that the organization has taken to reduce the risk of harm to affected individuals or to mitigate that harm; and a description of the steps that the organization has taken or intends to take to notify affected individuals of the breach. The Regulations also consider that an organization may not have all the information it needs at the time that a report is made, and as such, explicitly allow an organization to submit new information to the Commissioner after the initial report has been turned in. This is one important change that has been implemented by legislators since the draft regulations were released in September 2017.
Content and Manner of Notification to Affected Individuals
The notification to affected individuals must contain sufficient information to allow the individual to understand the significance of the breach to them and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm. The notification must also contain certain information, such as a description of the circumstances of the breach and the personal information that was affected, the steps the organization has taken to reduce the risk of harm that could result from the breach, and contact information that affected individuals can use to obtain further information about the breach.
With respect to the manner of notification, notification must be conspicuous and given directly to the affected individuals either by phone, mail, email, in person, or by any other form of communication that a reasonable person would consider appropriate in the circumstances. In prescribed situations, however, indirect notification will also be acceptable.
Organizations may give indirect notification to affected individuals where direct notification would be likely to cause further harm to the affected individual, cause undue hardship to the organization, or where the organization does not have contact information for the affected individual(s). This form of notification must be given either by public communication or similar measure that could reasonably be expected to reach the affected individuals. That said, while organizations may be tempted to rely on indirect notification in order to avoid the costs associated with notifying individuals directly, it is not yet clear whether such public communications will be considered by regulators to be a reasonable method of communication in practice.
Notification to Other Organizations
In addition to notifying affected individuals and the Commissioner, it is important to note that PIPEDA will now require organizations to notify a third group, namely government institutions or other organizations if the organization believes that the institution or other organization may be able to reduce or mitigate the risk of harm to the affected individuals.
Mandatory Record-Keeping for all Breaches
Additionally, PIPEDA will now require organizations to keep and maintain records of all breaches of security safeguards. This means that regardless of whether the breach notification threshold is triggered, an organization must maintain a record of every such breach for a period of 24 months from the day that the organization determines that a breach occurred. These records must be provided to the Commissioner upon request and they must contain sufficient information to allow the Commissioner to verify compliance with PIPEDA’s breach reporting provisions. Organizations should not ignore this new record-keeping provision, particularly in light of the financial penalties they will soon face for non-compliance.
Enforcement and Penalties
In order to enforce these new breach reporting and record-keeping requirements, PIPEDA now includes financial penalties. Specifically, if an organization knowingly violates either of these requirements, it will face fines of up to $100,000CAD. While these financial penalties in no way come close to the prospective penalties under the European General Data Protection Regulation (GDPR), they clearly ‘add teeth’ to the above-noted requirements.
Implications for U.S. and Other Foreign Businesses
As noted in our last article and as underscored by recent Canadian jurisprudence[1] relating to the extra-territorial reach of Canadian privacy legislation, foreign organizations that have a real and substantial connection to Canada and that collect, use, or disclose the personal information of Canadians in the course of their commercial activities are subject to PIPEDA. Accordingly, such organizations must ensure that their corporate privacy and data management practices align with the legislative amendments outlined above.
Accordingly, we recommend that such organizations review, revise, and implement new privacy policies and procedures prior to November 2018 to ensure compliance with the mandatory privacy breach notification, reporting, and record-keeping requirements under PIPEDA. The legal threshold for breach notification and reporting must be carefully considered and organizations should consider creating a breach response plan in advance of any breaches. Finally, a fine-tuned record keeping system will be crucial to ensuring that all breaches of security safeguards are recorded by the impacted entity in a thorough and consistent manner.
[1] See, for example: T.(A.) v. Globe24h.com [2017] F.C.J. No. 96.
After an unexpectedly slow start, the Trump administration’s deregulatory push finally gained momentum in late 2017.
In the field of student lending, this slowdown affected the Department of Education (DOE), the Consumer Financial Protection Bureau (CFPB), and the Department of Justice (DOJ). Unwilling to let this vacuum stand, various states invoked their own consumer protection laws and passed new regulations regarding some of the most visible participants in the student loan market: the DOE’s servicers of federal student loans, the middlemen between borrowers, and the market’s biggest lender. In response, the DOJ and DOE have sought to stymie these efforts by invoking an argument infrequently made in prior years: essentially, federal law—they now argue—preempts all such state regulatory action.
This article examines these events and summarizes likely arguments.
State of the Law
Federal Government’s Regulatory Framework for Post-Secondary Education
Passed to keep the door to higher education open to all students of ability regardless of socioeconomic background, the Higher Education Act of 1965 (HEA) commenced the federal government’s large-scale involvement in higher education. Among other initiatives and programs, this far-reaching statute established the Federal Family Education Loan Program (FFELP), a now-defunct system of loan guarantees meant to encourage lenders to loan money to students and their parents on favorable terms.
The HEA authorized the secretary of DOE to “prescribe such regulations as may be necessary to carry out the purposes” of the act and served as the legal anchor for numerous DOE regulations. The Health Care and Education Reconciliation Act of 2010 (HCERA) dismantled the FFELP. Although current loans remained unaffected, HCERA left the Federal Direct Loan Program, created in 1993, as the sole source of federal student loans. In addition, HCERA limited private participation in this program to servicers alone.
Once a student graduates, loan servicers act as the primary point of contact between borrowers and the federal government. Because of their prominent role, servicers have attracted the attention of state and federal officials. The DOE currently contracts with eight private servicers.
As of January 1, 2018, the DOE has three Title IV Additional Servicers (TIVAS): (1) Navient Corporation (Navient); (2) FedLoan Servicing, an affiliate of the Pennsylvania Higher Education Assistance Agency (PHEAA); and (3) Nelnet, Inc.
The DOE has an additional five for-profit servicers: (1) the Missouri Higher Education Loan Authority (MOHELA); (2) Granite State Management & Resources; (3) the Oklahoma Student Loan Authority (OSLA); (4) the Higher Education Servicing Corp. (HESC) and EdFinancial on behalf of the North Texas Higher Education Authority; and (5) CornerStone.
For decades, the federal government routinely defended these servicers against borrowers’ lawsuits with precisely the same argument. For example, on October 1, 1990, the DOE contended that its regulations governing the FFEL Program, then known as the Guaranteed Student Loan program, preempted state laws regarding the conduct of loan collection activities.
A second such instance took place 19 years later. In 2009, the DOJ, on behalf of the DOE, advanced a reading of the DOE’s operating statutes in Chae v. SLM Corporation, a case launched against Sallie Mae, a FFEL program loan servicer, in the U.S. District Court for the Central District of California. Specifically, the DOJ argued in its motion for summary judgment that the state consumer protection laws on which the plaintiffs relied conflicted with federal law and were thus preempted. Both the district court and the Ninth Circuit agreed.
Regardless of the version, Congress’s purpose remains the ultimate touchstone in every preemption case. Federal courts, moreover, tend to favor a presumption against preemption.
Express preemption occurs whenever Congress or a federal agency enacts a law that directly revokes specified powers from the states. Customarily, the Supreme Court has narrowly and strictly construed these explicit provisions to preserve traditional areas of state regulation regarding health, safety, and welfare. As it has often repeated, to displace traditional state regulation, the federal statutory purpose must be “clear and manifest.” For this reason, when a statute’s express preemption clause is susceptible to more than one plausible reading, federal courts ordinarily decline to adopt the preemptive one.
Like field preemption, conflict preemption does not turn on any express statement of congressional intent. Instead, conflict preemption bars a state law’s enforcement when an actual clash between state and federal law inevitably occurs. It often arises where it is impossible for a private party to comply with both state and federal requirements or where state law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress. In some cases, field preemption may be treated as “a species of conflict preemption,” where state regulatory processes are preempted by conflict with federal law as well as by field preemption—and for the same general reasons.
Impending Battle Over Federal Preemption’s Reach
Initial Forays
For years, as student loan debt crossed the $1.4 trillion mark and the number of borrowers passed 44 million, borrowers and their advocates criticized the federal government’s chosen servicers for purportedly not working on behalf of debtors’ best interests.
Capitulating to these concerns, various states began enacting laws that forced student-loan servicers to hold licenses to operate within their borders and to comply with certain consumer protection guidelines in 2015.
As these laws took effect, servicers responded with lawsuits and lobbyists. In particular, the National Council of Higher Education Resources (NCHER), a student loan industry trade group, urged the federal government to endorse the application of field and/or conflict preemption of state consumer laws purporting to regulate servicers’ conduct, in either court filings or official agency publications, as one more way of beating back these escalating efforts.
Federal Government’s Position
On March 12, 2018, the DOE formally posted a notice of interpretation (NI) contending that, under its interpretation of federal statutory and regulatory law, the DOE alone possesses the power to regulate student loan servicers.
The DOE acknowledged the motivation behind this NI: the enactment by certain states of “regulatory regimes that impose new regulatory requirements on servicers of loans” or disclosure requirements on loan servicers with respect to loans made under the HEA. Such claims, the NI asserts, “are preempted because . . . state[s have] sought to proscribe conduct Federal law requires and to require conduct Federal law prohibits.” “This is not a new position,” the NI added.
Months earlier, just as it had in Chae years prior, the DOJ had telegraphed its endorsement of this approach when it took the rare step of filing a Statement of Interest (SOI) in a Massachusetts case in defense of PHEAA, a Pennsylvania-based national servicer, pursuant to longstanding federal law.
In this document, the DOJ reasoned that the servicer’s practices are either required or authorized by federal statutes, federal regulations, or the servicer’s contract with the DOE; thus, the Massachusetts Attorney General’s state-law claims violated the Supremacy Clause.
More specifically, the DOJ argued for conflict preemption for three reasons: (1) PHEAA cannot comply with Massachusetts’ interpretation of the relevant statutes and the actual requirements of federal law; (2) Massachusetts’ claims “stand as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress” as expressed in the HEA; and (3) Massachusetts’ requested relief would likely “require PHEAA to violate its contract with DOE.”
Although the Massachusetts state court denied PHEAA’s motion to dismiss on February 28, 2018, in an opinion released on March 1, 2018, it did not address the DOJ’s preemption argument. Instead, it sidestepped the issue by narrowly construing the SOI’s text.
According to the court, the DOE was “not actually argu[ing] that any of . . . [Massachusetts’] claims . . . [are] preempted by federal law, or that any of the alleged misconduct by PHEAA at issue here is affirmatively allowed by federal law.” Instead, the SOI amounted merely to an admonition that the state’s complaint could conflict with the DOE’s requirements. Given that “any relief against PHEAA could be structured . . . as not to interfere or otherwise conflict with the . . . [DOE’s] legal rights, and it is therefore not inevitable that the . . . [DOE] will have an interest in whatever judgment may be entered,” the court was disinclined to find preemption.
Servicers applauded the DOE’s position. Within weeks, many submitted comment letters requesting the tendering of similar statements in dozens of pending state court cases. As the NCHER had already argued in the summer of 2017, state regulations can only “add an unnecessary web of regulations which are both duplicative and potentially contradictory to existing federal regulations and policies.” Already “heavily regulated” by the DOE and CFPB, “new state-level regulations” pointlessly “replicate these requirements with no additional benefit for borrowers, and at burdensome cost to servicing entities.” “To do things for some borrowers in Illinois, a different thing for borrowers in California, something else different for folks in Maine—it is a federal program and it gets confusing,” NCHER’s president maintained.
Response by State-Level Actors and Consumer Advocates
Consumer advocates and state officials have challenged these preemption arguments. With about a dozen states having recently passed or considering legislation to more strictly oversee and license federal loan servicers, two groups announced their outright opposition to any such assertion of federal preeminence. On March 2, 2018, the Conference of State Bank Supervisors, which represents regulators in all 50 states, pointed out that, “Congress has deliberately preserved this cooperative state-federal regulatory framework for nonbank financial services activities for the benefit of consumers and providers of financial services alike.” Usually, “[p]reemption of state licensing or regulation is a policy response that Congress has carefully considered and chosen to do in certain circumstances through specific legislation.” It thus saw as improper DOE’s attempt to compel preemption “through a mere interpretive notice,” a decision more rightly “rest[ing] with Congress and not with a federal agency.”
Meanwhile, in equally blunt terms, the attorneys general (AGs) of more than two-dozen states rebuked this campaign, both before and after the NI’s publication. On October 23, 2017, 25 AGs wrote, “These requests defy the well-established role of states in protecting their residents from fraudulent and abusive practices. . . . The department cannot sweep away state laws that apply to student loan servicers and debt collectors.” As one signatory, Virginia’s Attorney General Mark Herring, explained, “We cannot allow student-loan servicers to sidestep state law and oversight and deny students and borrowers these vital protections from student loan abuses.” Within days of the NI’s release, 30 AGs reiterated these contentions.
Debating the Potential Ramifications of the Federal Government’s New Posture
The legal issues regarding the renewed emphasis on federal preemption by the DOE and DOJ remain largely unresolved; however, states will probably contest any such finding with three primary arguments.
First, they are likely to argue that consumer financial protection in the United States has always been a patchwork of state and federal law, so conflict or field preemption should not apply.
Second, they are likely to claim that the anti-preemptive provision of the Dodd-Frank Consumer Financial Protection Act of 2010 allows them to circumvent this danger.
Third, they may point to case law suggesting that informal position statements akin to the NI are entitled to less deference.
The DOE and DOJ likely will counter these arguments in several ways.
First, as the DOJ noted in its SOI in Massachusetts, Congress created the Direct Loan Program to simplify the delivery of student loans to borrowers and eliminate borrower confusion, provide borrowers with a variety of repayment plans, replace FFEL, minimize unnecessary cost to taxpayers and borrowers, and create a more streamlined program that can be managed more effectively at the federal level. The same can be said about the original FFEL program.
State regulation could lead to the emergence of different plans for loan forgiveness for borrowers in every state, resulting in borrowers being treated differently depending on the state in which they live, to the detriment of uniformity and efficiency. At the same time, given that more borrowers may be forgiven after fewer payments, one more objective—that of conserving taxpayer funds—may be imperiled by overly aggressive state regulation. The same hit to the U.S. Treasury would come from servicers’ requests for increased payments from the federal government to compensate for the added administrative complexity created by the need to comply with dozens of jurisdictions’ new mandates. All these harms would arguably undermine the ability of the DOE to fulfill the HEA’s obvious and dominant goals—a fact that favors preemption.
Second, the DOE could point to actual conflicts between federal and state laws and regulations with respect to servicing of loans made by private lenders and guaranteed by the federal government through the FFEL program. Depending on the state regulation, examples may include deadlines for borrower communications and requirements around the resolution of disputes raised by borrowers.
Recent events indicate that the DOE and state AGs are preparing to clash over the question of whether federal preemption bars (in whole or in part) regulation by the states of federal student loan servicers. It remains to be seen how courts will resolve this coming conflict.
More than seven years since the Dodd-Frank Act’s whistleblower incentive provisions became effective, and more than five years since the first SEC whistleblower program award, only a few courts have put the program under a microscope. In the absence of meaningful case law and in light of the SEC’s practice to heavily redact orders granting and denying awards, how do we know what makes the program really tick? The short answer: it’s all in the footnotes.
In this first-of-a-kind article, we tie together more than 350 footnotes in 120 SEC whistleblower orders so that you can get easy answers to four key questions: Who qualifies for SEC whistleblower awards? What procedural rights and responsibilities do they have? When does the SEC make exceptions? And how does the SEC calculate and allocate awards?
Background
In March 2018, the SEC whistleblower program announced its largest-ever awards: $33 million to one whistleblower, and an additional $50 million to be shared between two others in the same action.[1] These awards are massive—staggering even—but they are also consistent with the SEC’s long track record of granting multimillion dollar awards to qualified whistleblowers. In fact, “[t]he SEC has awarded more than $262 million to 53 whistleblowers since issuing its first award in 2012,” and it has an Investor Protection Fund dedicated to paying any eligible whistleblowers who come forward in the future.[2] The upper limit on these awards is 10–30 percent of the monetary sanctions recovered, meaning high-quality information about high-impact securities law violations will only break these records over time.
Given these record-breaking awards, and the U.S. Supreme Court’s recent decision in Digital Realty Trust, Inc. v. Somers,[3] whistleblowers will be sprinting to the SEC, but what are the requirements to qualify for a financial award under the SEC whistleblower program, and how does a tip get submitted, evaluated, and ultimately awarded once the SEC has prosecuted its case? Although courts have increasingly weighed in on Dodd-Frank antiretaliation claims,[4] they haven’t had much chance to scrutinize the SEC whistleblower program. In fact, only six opinions have been issued at the time of this writing, and most of them were cursory and involved a pro se claimant.[5]
Luckily, there’s another way to read the tea leaves. Over the years, the SEC has created a custom of interpreting the Dodd-Frank Act and its whistleblower rules thereunder in publicly available orders granting or denying awards.[6] Although the main text of these orders can certainly provide important insights, they are often heavily redacted, and it’s more often the footnotes where the SEC provides the clearest guidance, applies the facts to the rules, and signals how it will approach novel issues in future cases.
With hundreds of footnotes scattered throughout scores of SEC whistleblower orders, it’s a daunting task see the forest through the trees, but we’re here to help. Below we present a “field guide” to SEC whistleblower awards. Our noble goal is to restate all of the SEC’s valuable guidance in a digestible format—in other words, we comb through the fine print so you don’t have to.
Anyone who wants to understand this process should carefully consider these issues with experienced counsel, along with a host of other requirements that the SEC has not yet addressed in its orders.
Who Qualifies for an SEC Whistleblower Award?
Under the Dodd-Frank Act, a “whistleblower” is defined as “any individual who provides . . . information relating to a violation of the securities laws to the [SEC]” in a manner consistent with the SEC whistleblower rules.[7] However, only certain whistleblowers qualify for an award under the SEC whistleblower program. In the first part of our field guide, we consider footnotes related to the four main elements of eligibility: “voluntarily provided” the SEC with “original information” that “led to the successful enforcement” of a “covered . . . or related action.”[8] We also consider footnotes related to special timing issues, getting assistance from professionals like lawyers and accounting experts, eligibility of foreign whistleblowers, and potential disqualifications for providing false information.
1. Voluntarily Provided
To begin, only whistleblowers who “voluntarily” provide information to the SEC are eligible for an award.[9] This generally means that the individual has no preexisting legal or contractual duty to report the information to the SEC, and the SEC has not already sent the individual a “request, inquiry, or demand” for that information.[10] Sometimes, however, a whistleblower has already volunteered information to a government authority other than the SEC, and the SEC subsequently contacts or subpoenas the whistleblower for similar information. A November 2017 order confirmed that such a whistleblower is still eligible for an award: “a claimant’s ‘submission of information to the [SEC] will be considered voluntary if [he] voluntarily provided the same information to’ any authority of the federal government ‘prior to receiving a request, inquiry, or demand from the [SEC].’”[11] In the SEC’s view, the whistleblower did not need to provide exactly the “same information” to the other government authority; it is sufficient if the information “‘relates to the subject matter of’ the [SEC]’s later inquiry.”[12]
2. Original Information
Likewise, only whistleblowers who provide “original information” to the SEC are eligible for an award.[13] Per the SEC whistleblower rules, original information must be: (i) derived from the whistleblower’s “independent knowledge” or “independent analysis”; (ii) not already known to the SEC (unless the whistleblower is the “original source” of the information); (iii) not exclusively derived from allegations in certain public sources (unless the whistleblower is “a source” of the information); and (iv) provided to the SEC for the first time after July 21, 2010, the date Dodd-Frank was enacted.[14]
The final element is analyzed further below. As for the first three elements, various SEC orders have deemed the following examples not to be “original”: providing information that appeared to be “largely copied from a third party’s publicly-available court filings”;[15] merely providing “an article written from a press release from NASDAQ, printed in a [securities trade group] magazine”;[16] merely providing “an internet link to a news article (including information taken from that news article)”;[17] and providing a promotions mailer that the SEC had already received “several years earlier” and that “was publicly available on the internet.”[18]
Another issue is dirt provided by individuals who obtained the information through positions of trust, such as attorneys, officers, directors, public accountants, and compliance and internal audit professionals. This information is generally deemed not to be “original” under the whistleblower rules, but there are a variety of exceptions.[19] For instance, in August 2014 and April 2015, the SEC granted awards to compliance/internal audit professionals under two of these exceptions: the first whistleblower was eligible because he had reported the information up the ladder “at least 120 days before reporting the information to the [SEC],”[20] and the second was eligible because he “had a reasonable basis to believe that disclosure of the information to the Commission [was] necessary to prevent the relevant entity from engaging in conduct that [was] likely to cause substantial injury to the financial interest or property of the entity or investors.”[21] Likewise, in November 2017, the SEC granted an award to someone who had apparently received the information pursuant to up-the-ladder reporting because he had “reported the information to other responsible persons at the entity . . . or such persons knew about it, at least 120 days before Claimant reported the information to the Commission.”[22]
What about government employees? A July 2017 order clarified that, “[g]enerally speaking, an employee of a federal, state, or local government agency can . . . be eligible for an award.”[23] However, under the Dodd-Frank Act, a whistleblower is disqualified if he or she “is, or was at the time [he or she] acquired the original information submitted to the [SEC], a member, officer, or employee of” certain types of government organizations.[24] These exclusions include “appropriate regulatory authorities” and “law enforcement organizations.” Although “appropriate regulatory authority” is explicitly defined (it includes banking regulators, such as the Fed or the FDIC),[25] “law enforcement organization” is not. In the July 2017 order mentioned above, the SEC had to decide “whether the exclusion . . . applies to an entire governmental agency that may contain components with law enforcement responsibilities, or only to those divisible sub-agency components that perform the law enforcement responsibilities.”[26] The SEC ultimately granted an award to the government employee, finding that “it is reasonable to interpret the exclusion flexibly and, in appropriate cases such as this one, to apply it only to employees of a clearly separate agency component that performs law enforcement functions, rather than to all employees of an entire agency that happens to have been granted law enforcement powers among its many other separate responsibilities and powers.”[27]
3. Led to Successful Enforcement
In addition, an individual is eligible for a whistleblower award only if the original information he or she provided “led to” a successful enforcement action.[28] This is the causation element and becomes relevant only if there is original information in the first place.[29] As summarized in a November 2016 order, original information “leads to” a successful action if either: (i) “the original information caused the staff to open an investigation, reopen an investigation, or inquire into different conduct as part of a current investigation, and the [SEC] brought a successful action based in whole or in part on conduct that was the subject of the original information”; or (ii) “the conduct was already under examination or investigation, and the original information significantly contributed to the success of the action.”[30]
The second prong may be relevant when two or more whistleblowers independently provide information regarding similar conduct.[31] It may also be relevant when a sole whistleblower provides information far along into an open SEC investigation. For instance, a May 2016 order found that the whistleblower had “significantly contribute[d]” to the action after the preliminary award determination was issued because his tip caused the staff to focus on a certain issue, and “this evidentiary development strengthened the [SEC]’s case by meaningfully increasing Enforcement staff’s leverage during the settlement negotiations.”[32] The order noted, however, that the whistleblower would have failed the first prong because the SEC already knew about similar misconduct. The SEC explained that a tip generally causes the SEC to “inquire into different conduct” where “staff has an open investigation into one type of misconduct, and a whistleblower subsequently submits a tip alerting staff that the entity is engaged in substantially different misconduct”; not where it causes staff merely to “initiate new and more directed inquiries” into misconduct it already knew about it.[33]
In making a determination under either prong, the SEC examines the administrative record—including the TCR System and TCR Repository[34]—and looks at a variety of factors related to the chronology of events and interactions among the whistleblower and various SEC stakeholders. These factors include: (1) how the Office of Market Intelligence (OMI) disposed of the tip (e.g., entering an “NFA” indicating the tip was closed and no further action should be taken, versus forwarding the tip to investigative staff for further action);[35] (2) how, if, and when investigative staff received the tip from OMI, the whistleblower, or another source;[36] (3) how investigative staff disposed of the tip (e.g., entering an NFA, versus using the tip to open or further a Matter Under Inquiry (MUI) or formal investigation);[37] (4) the extent to which investigative staff relied on the tip and worked with the whistleblower during the investigation;[38] and (5) the factual and legal nexus between the tip and the misconduct ultimately charged in the enforcement action.[39] In a June 2016 order granting an award, the SEC cautioned that this determination is fact-intensive and therefore “not precedential.”[40] In an April 2014 order, the SEC warned that although it has “a general practice of taking reasonable steps to develop the record,” the claimant has “the ultimate responsibility” to “specifically identify those correspondence or communications in which the purported ‘original information’ was provided to the Commission.”[41]
4. Covered Actions and Related Actions
Furthermore, an award is available to an otherwise eligible whistleblower only if there is a “covered judicial or administrative action,” meaning “any judicial or administrative action brought by the [SEC] under the securities laws that results in monetary sanctions exceeding $1,000,000.”[42] In an April 2016 order, for instance, the SEC denied an award in part because the monetary sanctions were less than $1 million.[43]
Whistleblower awards are calculated not just from the recovery in SEC covered actions, but also amounts collected in certain “related actions” brought by other government authorities. The related action must be “based upon” the same original information that the whistleblower provided to the SEC.[44] Eligible non-SEC entities are: (1) the U.S. Attorney General, (2) an “appropriate regulatory authority” (e.g., as noted above, banking regulators such as the Fed or the FDIC), (3) a “self-regulatory organization” (e.g., FINRA or the Municipal Securities Rulemaking Board), or (4) a state attorney general in a criminal case.[45] Related actions do not extend to other entities, and the SEC has denied claims on that basis, including in a September 2017 order.[46] In addition, the SEC’s orders have made clear that awards from related actions are available only if the whistleblower otherwise qualifies for an award in an SEC covered action.[47] In other words, if a claimant “does not qualify for an award in a Commission covered action,” the related action request will be denied.[48]
5. Special Timing Issues
1. Eligibility Begins After July 21, 2010
In many cases, an individual who provided information to the SEC prior to the enactment of Dodd-Frank has attempted to claim an award under the whistleblower program. However, as mentioned above, the whistleblower rules deem a submission to be “original information” only if it was “[p]rovided to the [SEC] for the first time after July 21, 2010 (the date of enactment of [Dodd-Frank]).”[49] This eligibility start-date rule can make or break awards, even for committed whistleblowers.
In an October 2013 order, the SEC denied an award claim in part because the individual’s SEC reporting efforts—which spanned four years and preceded a $19 million enforcement action—occurred completely prior to the enactment of Dodd-Frank.[50] The claimant challenged the start-date rule, but after a lengthy analysis, the SEC concluded that “the whistleblower statutory provisions do not authorize awards for information originally provided prior to Dodd-Frank’s enactment” and “our interpretation of ‘original information’ ensures that the [Investor Protection] Fund is used to reward those who provide new, high quality tips, not to pay for information that was already in the Commission’s possession on July 21, 2010.”[51] The claimant appealed to federal court, and in Stryker v. SEC—one of the rare appeals of these orders—the Second Circuit deferred to the start-date rule.[52]
Before and after Stryker, the SEC has routinely denied awards, or disregarded certain information for the purpose of determining awards, on the basis of that rule.[53] Some whistleblowers apparently have tried to get creative, but a May 2017 order denied an award for an individual who provided the SEC with a letter that “merely restated” information previously submitted before the July 21, 2010 eligibility date.[54] One claimant asked the SEC to reconsider the rule, but in a June 2017 order the SEC refused to change its mind.[55] The most that these whistleblowers can get was demonstrated in a November 2016 order in which the SEC denied an award under the start-date rule but, as a consolation prize, merely “agree[d]” that this whistleblower “should be lauded.”[56]
2. “In Writing” Requirement for Pre-August 12, 2011 Submissions
Relatedly, Dodd-Frank created a safe harbor for the very specific situation where information is submitted after July 21, 2010, but prior to the effective date of the SEC whistleblower rules (which was August 12, 2011). Even if it does not comport with all of the requirements of the SEC whistleblower rules, such information may still be deemed “original information” if it was submitted “in writing.”[57]
A November 2016 order confirmed that the safe harbor has limited use and did not apply where “the Claimant first approached the [SEC] after the effective date of the Commission’s whistleblower program rules.”[58] As summarized in a May 2017 order, such tips “must be submitted through the [SEC]’s online portal or on Commission Form TCR. If the [SEC] receives an individual’s information in another manner or through another source . . . , the individual will generally not be able to recover an award for that information.”[59]
6. Professional Assistance
A variety of other eligibility issues can arise in certain circumstances. One involves the use of professional assistance. Whistleblowers who report anonymously must be represented by counsel.[60] Otherwise—as the SEC made clear in a November 2017 order—“the [SEC] does not require whistleblowers to retain experts or other professionals to assist them in their whistleblowing.”[61] Although it may be prudent for whistleblowers to seek professional assistance, they are eligible for a full award “whether or not their information is accompanied by expert knowledge or analysis, or provided with the assistance of a lawyer or other professional.”[62]
As for experts who wish to submit their own whistleblower claims, that same November 2017 order drew a line between experts who are acting in furtherance of others’ whistleblowing efforts and those who are acting on their own behalf. Given that only individuals are eligible for whistleblower awards, professionals who provide expert reports or other assistance to the SEC through a firm (e.g., an “incorporated entity”) are less likely to be eligible for an award.[63]
7. Foreign Whistleblowers
Foreign whistleblowers also present unique eligibility issues. Although agents of foreign governments are not eligible for awards,[64] the SEC has signaled that it would happily shell out awards to other types of foreign whistleblowers. In a September 2014 order granting an award, the SEC announced: “In our view, there is a sufficient U.S. territorial nexus whenever a claimant’s information leads to the successful enforcement of a covered action brought in the United States, concerning violations of the U.S. securities laws, by the [SEC], the U.S. regulatory agency with enforcement authority for such violations. When these key territorial connections exist, it makes no difference whether, for example, the claimant was a foreign national, the claimant resides overseas, the information was submitted from overseas, or the misconduct comprising the U.S. securities law violation occurred entirely overseas.”[65]
8. Disqualification for Providing False Information
Finally, what about “whistleblowers” who mislead the SEC? A claimant is disqualified from receiving a whistleblower award if he or she knowingly provides false information or documentation in (i) the whistleblower submission under consideration, (ii) his or her “other dealings with the [SEC],” or (iii) his or her dealings with another authority in connection with a related action.[66] In May 2014 and August 2015 orders, the SEC interpreted “other dealings with the SEC” to include “statements or representations in previous whistleblower submissions as well as a claimant’s correspondence with [SEC] officials.”[67]
The SEC has permanently barred at least two individuals from the program, including an individual who submitted 143 frivolous award claims[68] and an individual who submitted 25 frivolous award claims.[69] The SEC found that both of these individuals had engaged in bad-faith conduct, failed to correct their actions when the SEC explained the whistleblower rules, and then attempted unsuccessfully to withdraw their applications when unfavorable orders were issued.[70] The SEC has also threatened to bar at least two individuals, including one who represented on Form WB-APP, under penalty of perjury, that he was “the 44th President of the United States,”[71] and another who represented that he was entitled to an award “notwithstanding the lack of even a superficial factual nexus” between the information he provided and the covered action.[72] Despite their permanent bar, at least one of these individuals subsequently filed award claims, which were summarily rejected.[73]
What Procedural Rights and Responsibilities Do Award Claimants Have?
In the second part of our field guide, we consider footnotes related to two procedural aspects of the SEC whistleblower program: filing a whistleblower claim and contesting the SEC’s preliminary award determination.
1. Filing a Whistleblower Claim
What happens when the SEC’s investigation is coming to a close and the whistleblower believes a potential award is on the horizon? Per the whistleblower rules, the next steps involve waiting for the SEC to issue a Notice of Covered Action and then filing a whistleblower award claim: “[w]henever a Commission action results in monetary sanctions totaling more than $1,000,000, the Office of the Whistleblower will cause to be published on the Commission’s Web site a ‘Notice of Covered Action.’ . . . A claimant will have ninety (90) days from the date of the Notice of Covered Action to file a claim for an award based on that action, or the claim will be barred.”[74] Specifically, the claimant must complete a Form WB-APP and mail or fax a signed copy and any attachments to the Office of the Whistleblower within 90 calendar days of the Notice of Covered Action.[75]
The SEC has denied claims where the claimant failed to declare, under penalty of perjury, that the Form WB-APP is “true and correct to the best of [his] knowledge and belief” at the time of submission.[76] The SEC has also routinely denied claims that were filed after the 90-day window.[77] In particular, the SEC has made clear that it is not required to provide potential claimants with direct, actual notice of the covered action (e.g., by calling a whistleblower who aided investigative staff and telling him or her it is now time to file a claim).[78] Instead, as noted in a December 2016 order, whistleblowers must take a proactive approach and actively monitor the SEC website: a “potential claimant’s responsibility includes the obligation to regularly monitor the Commission’s web page for [Notice of Covered Action] postings and to properly calculate the deadline for filing an award claim.”[79]
In rare cases, a claimant may withdraw his or her claim and then later attempt to reinstate it. As the SEC made clear in an October 2013 order, it will not recognize such a request if: (i) the withdrawal was “voluntary and unconditional”; (ii) the claimant “failed to provide a ‘good cause’ explanation for seeking reinstatement”; and (iii) the claimant “did not identify any factual or legal basis to suggest that” reinstatement would not “needlessly tie up the processes and limited resources of the [SEC]’s whistleblower program.”[80]
2. Contesting a Preliminary Determination
Once the covered action is fully appealed (or the time for filing appeals has expired), the Claims Review Staff “will evaluate all timely whistleblower award claims submitted on Form WB-APP” and issue a so-called preliminary determination.[81] Within 60 days, the claimant may then submit a written response contesting either “the denial of an award” or “the proposed amount of an award.”[82] In deciding whether to contest a preliminary determination, a claimant may, within 30 days, request to review a copy of the administrative record (i.e., certain materials that “formed the basis of” the preliminary determination), and/or meet with the Office of the Whistleblower, which “may in its sole discretion decline” the meeting.[83]
Before providing the claimant with a copy of the record (or certain nonpublic materials therein), the whistleblower office may require him or her to sign a confidentiality agreement.[84] Several SEC orders have confirmed that this prerequisite is “standard practice,” and the claimant’s refusal to sign in a form acceptable to the whistleblower office is proper grounds to withhold these materials.[85] Even if a confidentiality agreement is signed, claimants are entitled to receive only certain enumerated materials, which may be redacted.[86] In October 2013 and November 2017 orders, the SEC found that the whistleblower office properly withheld requested materials when those materials went beyond the enumerated materials and/or those that “formed the basis of” the preliminary determination,[87] and in a May 2017 order, the SEC found that a claimant was not prejudiced by the redaction of two sentences in a staff declaration because the sentences “ha[d] no material bearing on the Claimant’s potential eligibility.”[88]
If a claimant ultimately decides not to contest the preliminary determination, or fails to timely contest, then: (a) the preliminary determination becomes a final order;[89] and (b) he or she cannot appeal to a federal court because he or she has failed to exhaust administrative remedies.[90] It is apparent that this outcome has occurred when the SEC publishes an order with the following stamp at the top: “Final Order–This Preliminary Determination Became the Final Order of the Commission on [Date] Pursuant to Rule 21F-10(f) of the Exchange Act.”[91] Alternatively, if there are multiple claimants, one of whom did contest a preliminary determination, then the SEC may note in the final order that others did not contest.[92]
If a claimant does decide to contest the preliminary determination, SEC orders have made clear that “[a]ny factual or legal contentions not expressly raised and addressed in [the claimant]’s Response are deemed waived.”[93] In addition to substantive arguments regarding their eligibility for an award or the SEC’s finding of facts, some claimants have raised constitutional due process issues. The SEC has not been convinced by these arguments, including in a lengthy October 2013 order analyzing the claimant’s assertions that the whistleblower office “committed numerous procedural errors that denied [claimant] a fair proceeding.”[94] Finally, some claimants have requested oral argument before the Commission itself, but SEC orders have suggested that oral argument would be entertained only if it would “benefit the Commission’s consideration” of the award application.[95]
When Does the SEC Make Exceptions?
Moving on to the third part of our field guide, we consider footnotes related to exceptions. Given the number of technicalities involved in the SEC whistleblower program, it’s no surprise that many claimants have fatal issues, and that many claimants beg the SEC for leniency. There are two paths to receive an exception. Under the whistleblower rules, the SEC may, “in its sole discretion,” waive any of the procedural requirements for whistleblower claims “based upon a showing of extraordinary circumstances.”[96] In addition, section 36(a) of the Exchange Act provides the SEC with the authority to exempt any provisions thereof—including the Dodd-Frank Act securities whistleblower provisions and rules thereunder—“to the extent that such exemption is necessary or appropriate in the public interest, and is consistent with the protection of investors.”[97]
In considering exceptions, the SEC routinely uses its 2010 PennMont decision as precedent.[98] As summarized in an October 2017 whistleblower order, “the ‘extraordinary circumstances’ exception is to be narrowly construed and applied only in limited circumstances.”[99] The “critical question” is whether the facts and circumstances, “as they existed at the time that the failure occurred,” were “sufficiently beyond the control of the claimant to justify the procedural deficiency.”[100] If a timing requirement is at issue, the claimant must proceed “as soon as reasonably practicable” once the extraordinary circumstances end, or the exception generally won’t be granted.[101] Examples of extraordinary circumstances that affect timing may include “serious illness” or “ineffective assistance of counsel.”[102]
Most commonly, claimants ask the SEC to forgive their failure to timely file a whistleblower claim in the requisite 90-day window. The SEC has denied these waiver requests in a number of orders, including a July 2014 order where the claimant’s attorney engaged in “ordinary negligence” (as opposed to “blatant client deception, outright abandonment or similar egregious misconduct” that might support an exception) by failing to advise him of the whistleblower program’s existence, and then waiting a month to submit the whistleblower claim once he became aware.[103]
One claimant unsuccessfully asked the SEC to waive the substantive “led to” requirement. In the related March 2018 order, the SEC explained that its waivers of substantive eligibility requirements have involved either: (i) “the application of our rules to events that predated the adoption of our rules”; or (ii) “unusual factual situations” that “were simply not contemplated by the Commission in crafting the whistleblower rules and the Commission found that a strict application of the rules in those specific instances would be contrary to the public interest and the broader purposes of the whistleblower program.”[104]
Although they are rare, the SEC has granted several waivers over the course of the whistleblower program, including the “voluntarily provided” requirement,[105] the “in writing” requirement for information provided after Dodd-Frank was enacted but before the rules were effective,[106] and the requirement to sign a declaration under penalty of perjury at the time the initial tip was submitted.[107]
How Does the SEC Calculate and Allocate Awards?
In the fourth and final part of our field guide, we consider footnotes related to the award itself. The prospect of a multimillion dollar award may be the final push a whistleblower needs to report his or her concerns to the SEC—or maybe he or she would have blown the whistle anyway, and the award is just an added bonus. Either way, eligible whistleblowers are entitled to 10–30 percent of the monetary sanctions that the SEC and related authorities are able to collect.[108] If there is more than one meritorious claimant, the SEC will allocate the 10–30 percent between or among them.[109]
The SEC considers a number of case-specific factors in determining whether to increase or decrease the award percentage, as well as the relative allocation among multiple whistleblowers.[110] These factors are: “(1) the significance of information provided to the Commission; (2) the assistance provided in the Commission action; (3) law enforcement interest in deterring violations by granting awards; (4) participation in internal compliance systems; (5) culpability; (6) unreasonable reporting delay; and (7) interference with internal compliance and reporting systems.”[111]
Although the SEC has explicitly analyzed these factors in a number of orders,[112] the “unreasonable reporting delay” factor gets the most ink. The SEC has applied the reporting delay factor less severely where: (i) some or all of the delay occurred prior to the enactment of the Dodd-Frank Act’s whistleblower incentive provisions;[113] (ii) the claimant “witnessed a single violation and was unaware of the full extent of the fraud”;[114] and/or (iii) the claimant was “a foreign national working outside the United States” (as it was unclear whether the Dodd-Frank antiretaliation protections would apply extraterritorially).[115]
With respect to the allocation among multiple claimants, the SEC noted in a March 2016 order, for instance, that one claimant was entitled to a greater allocation than the others because his tip “caused the investigative staff to open the investigation”; it came “approximately eighteen months” before the other information was submitted; and the claimant met with staff several times before the other information was submitted.[116] Some claimants have sought to forego an award so that others would receive it, but in a November 2017 order the SEC made clear that the other claimants would have to qualify for an award themselves.[117]
Our final issue is how the SEC determines the amount to which the 10–30 percent is applied when there is a related action. The SEC provided an answer in an April 2016 order: the SEC will not double-count any monetary sanctions that “are either deemed to satisfy or in fact used to satisfy any payment obligations of the defendants in the other action”; such monetary sanctions will first be attributed to the SEC’s covered action “up to the full amount of monetary sanctions ordered . . . , with any remaining amounts attributed” to the related action.[118]
Conclusion
With record-breaking SEC whistleblower awards and the U.S. Supreme Court’s recent Digital Realty Trust decision, whistleblowers now have clear incentives to report suspected securities law violations to the SEC. Whether you are a compliance-focused company or an individual, it is important to seek the advice of experienced counsel who understand the ins and outs of the SEC whistleblower program and—in the absence of concrete judicial guidance—fully appreciate the SEC’s current practices. Millions of dollars could be at stake.
[3]See Digital Realty Trust, Inc. v. Somers, 138 S. Ct. 767, 772–73 (2018) (“To sue under Dodd-Frank’s anti-retaliation provision, a person must first ‘provid[e] . . . information relating to a violation of the securities laws to the Commission.’”) (quoting 15 U.S.C. § 78u-6(a)(6)) (formatting in original); see generally Christopher F. Regan, Thomas A. Sporkin & Matthew E. Newman, Supreme Court Limits Definition of “Whistleblower” in Potentially Hollow Victory for Public Companies, Westlaw J.: Bank & Lender Liability, at 3–4 (Mar. 19, 2018).
[5]See Barnes v. SEC, 698 F. App’x 390 (9th Cir. 2017); Cerny v. SEC, 707 F. App’x 29 (2d Cir. 2017); Givens v. United States, 698 F. App’x 517 (9th Cir. 2017); Smith-Penny v. SEC, 672 F. App’x 19 (D.C. Cir. 2016); Stryker v. SEC, 780 F.3d 163 (2015); Regnante v. SEC Officials, 134 F. Supp. 3d 749 (S.D.N.Y. 2015).
[28] 15 U.S.C. § 78u-6(b)(1); 17 C.F.R. § 240.21F-4(c) (defining “information that leads to successful enforcement”); see also, e.g., SEC WB Order, Exchange Act Release No. 79294, at 7 n.9 (Nov. 14, 2016) (emphasizing “led to” as eligibility requirement).
[29]See, e.g., SEC WB Order, Exchange Act Release No. 70772, at 6 n.17 (Oct. 30, 2013) (“Because the CRS determined that the information provided by Claimant, other than the September 2010 Email, was not original information . . . , the CRS did not need to consider the relationship between Claimant’s information and the opening of either the [Matter Under Inquiry] or the formal ATG Investigation.”).
[30] SEC WB Order, Exchange Act Release No. 79294, at 5 n.6 (Nov. 14, 2016); see also, e.g., SEC WB Order, Exchange Act Release No. 74815, at 2 n.1 (Apr. 27, 2015) (summarizing requirements); SEC WB Order, Exchange Act Release No. 75752, at 2 n.2 (Aug. 24, 2015) (same); SEC WB Order, Exchange Act Release No. 77948, at 1 n.1 (May 31, 2016) (same); SEC WB Order, Exchange Act Release No. 78355, at 1 n.2 (July 19, 2016) (same); SEC WB Order, Exchange Act Release No. 78356, at 1 n.2 (July 19, 2016) (same); SEC WB Order, Exchange Act Release No. 82562, at 2 n.2 (Jan. 22, 2018) (same). Alternatively, the “led to” requirement can be met if the whistleblower internally reported the information pursuant to designated channels, the entity later provided that information to the SEC, and that entity-provided information “led to” the action. See 17 C.F.R. § 240.21F-4(c)(3).
[31]See, e.g., SEC WB Order, Exchange Act Release No. 82181, at 13 n.25 (Nov. 30, 2017) (“[T]he second whistleblower . . . will need to demonstrate that his submission ‘significantly contributed’ to the enforcement action if the investigation was already ongoing when he came forward.”) (citing Securities Whistleblower Incentives and Protections, 76 Fed. Reg. 34300, 34321/3-34322/2 (June 13, 2011)).
[36]See, e.g., SEC WB Order, Exchange Act Release No. 79294, at 7 n.9 (Nov. 14, 2016) (“[T]here is no indication in the record that [redacted] communicated any information from [redacted] to the Covered Action Staff.”); id. at 8 n.12 (“[C]ontrary to Claimant 3’s contention, the investigative staff handling [redacted] disagrees with Claimant 3’s assertion that they had an arrangement with Claimant 3 . . . .”); SEC WB Order, at 1 n.1 (Feb. 18, 2017) (“[N]one of the information provided to the [SEC] by the Claimant was provided to the staff responsible for the Covered Action . . . .”); SEC WB Order, at 2 n.1 (May 2, 2017) (Notice of Covered Action No. [Redacted]) (“Claimant 2’s tip was not provided to the investigative staff handling the ongoing investigation nor was the investigative staff made aware of the tip at any time prior to the resolution of the Covered Action.”); SEC WB Order, Exchange Act Release No. 80596, at 3 n.3 (May 4, 2017) (noting, in conjunction with surrounding text, that the claimant referenced his or her tip in a letter sent to the SEC Chair, the SEC Secretary, and a Commissioner, but not relevant investigative staff); SEC WB Order, Exchange Act Release No. 82562, at 3 n.4 (Jan. 22, 2018) (“That meeting, however, occurred . . . after Final Judgment was entered in the underlying Covered Action, and was not with the investigative staff responsible for the Covered Action.”); SEC WB Order, Exchange Act Release No. 82897, at 12 n.20 (Mar. 19, 2018) (“[N]othing that the Claimants provided to the [SEC] was received by the Covered Action staff (either directly from the Claimants or indirectly through the specialty unit staff to which Claimants #6 and #7 had provided their information).”).
[37]See, e.g., SEC WB Order, Exchange Act Release No. 78355, at 4 n.5 (July 19, 2016) (tip NFA’d by investigative staff); SEC WB Order, Exchange Act Release No. 78356, at 3 n.6 (July 19, 2016) (same); SEC WB Order, Exchange Act Release No. 80596, at 3 n.4 (May 4, 2017) (same); see also SEC WB Order, Exchange Act Release No. 70772, at 6 n.16 (Oct. 30, 2013) (quoting guidance on when an MUI should be opened).
[38]See, e.g., SEC WB Order, Exchange Act Release No. 71849, at 4 n.8 (Apr. 3, 2014) (“Indeed, the primary Enforcement attorney who worked on the [redacted] matter has never heard of [Claimant #1].”); SEC WB Order, at 2 n.2 (May 12, 2014) (“[T]he information . . . was in no way relied upon . . . .”); SEC WB Order, Exchange Act Release No. 79294, at 6 n.7 (Nov. 14, 2016) (“Staff Member 1 was intimately involved in the totality of the investigation leading to the Covered Action and, as such, relative to Claimant 2, may have a clearer understanding of how the disputed events in the investigation unfolded and how those events fit into the broader investigation.”); SEC WB Order, at 2 n.1 (June 20, 2017) (“[N]one of the information . . . was used in the matter in any way.”); SEC WB Order, at 2 n.1 (Jan. 23, 2017) (Notice of Covered Action No. [Redacted]) (“[T]he information was generally duplicative of the information that the [SEC] had already received . . . as part of the company’s earlier self-reporting and/or did not rise to the level of warranting any further investigative efforts on the staff s part given what the staff had already learned directly from [redacted].”); SEC WB Order, Exchange Act Release No. 82181, at 16 n.28 (Nov. 30, 2017) (“[T]he information . . . did not add meaningfully to the information and materials that the Enforcement staff on the Investigation already knew of or which were publicly-available to the staff.”).
[39]See, e.g., SEC WB Order, at 2 n.2 (May 12, 2014) (analyzing “the sole covered action that did bear a superficial factual nexus”); SEC WB Order, Exchange Act Release No. 77948, at 2 n.2 (May 31, 2016) (“[O]ther than identifying the same target company, Claimant’s tip bears no factual or legal nexus to the charges brought by the Commission in the Covered Action.”); SEC WB Order, Exchange Act Release No. 82897, at 10 n.17 (Mar. 19, 2018) (“[S]taff opened a new and separate investigation to test Claimant #5’s allegations and found insufficient evidence to support them.”).
[43] SEC WB Order, at 2 n.1 (April 1, 2016) (“Claimant #2 also claims an award in connection with [redacted]. That action, however, did not result in monetary sanctions over $1,000,000 and therefore, does not qualify as a Covered Action for which an award may be made.”).
[46] SEC WB Order, at 2 n.1 (Sept. 9, 2017, Order 1) (“[S]ome of the cases Claimants . . . identified as the basis for their related action awards are not ‘related actions’ since those cases were not brought by the non-Commission entities designated under Exchange Act Rules 21F-3(b)(1) and 21F-4(g) and (f).”).
[47] SEC WB Order, at 2 n.2 (Sept. 9, 2017, Order 1) (“A related action award may be made only if, among other things, the claimant satisfies the eligibility criteria for an award for the applicable covered action in the first instance.”); SEC WB Order at 2 n.2 (Sept. 9, 2017, Order 2) (same).
[48] SEC WB Order, Exchange Act Release No. 80596, at 7 n.10 (May 4, 2017); see also SEC WB Order, Exchange Act Release No. 72178, at 3 n.2 (May 16, 2014) (similar language); SEC WB Order at 2 n.1 (Apr. 1, 2016) (similar language).
[52] Stryker v. SEC, 780 F.3d 163, 163 (2015) (“Larry Stryker petitions for review of an order of the [SEC] denying his claim for a whistleblower award. . . . Concluding that the SEC’s interpretation of Section 21F was within its authority and consistent with the legislation, we deny the petition.”).
[53]See, e.g., SEC WB Order, at 1 n.2 (Mar. 9, 2014) (Notice of Covered Action No. 2011-46) (citing the Oct. 30, 2013 order); SEC WB Order, Exchange Act Release No. 71849, at 4 n.5–6 (Apr. 3, 2014) (same); SEC WB Order, at 7–9 n.6 (July 23, 2014) (citing only Rule 21F-4(b)(1)(iv)); SEC WB Order, at 1 n.1 (Nov. 30, 2015) (Notice of Covered Action No. [Redacted #2]) (citing Stryker and the Oct. 30, 2013 order); SEC WB Order, Exchange Act Release No. 76921, at 2 n.2 (Jan. 15, 2016) (citing Stryker); SEC WB Order, at 1 n.1 (Apr. 26, 2016) (same); SEC WB Order, Exchange Act Release No. 78025, at 4 n.4 (June 9, 2016) (same); SEC WB Order, Exchange Act Release No. 79294, at 4 n.4, 6 n.8 (Nov. 14, 2016) (same); SEC WB Order, Exchange Act Release No. 80596, at 4 n.5 (May 4, 2017) (same); SEC WB Order, at 1 n.1 (Sept. 11, 2017) (Notice of Covered Action No. 2012-24) (same); SEC WB Order, at 1 n.1 (Sept. 11, 2017) (Notice of Covered Action No. 2012-72) (same); SEC WB Order, Exchange Act Release No. 82181, at 4 n.4 (Nov. 30, 2017) (citing only Rule 21F-4(b)(1)(iv)); SEC WB Order, Exchange Act Release No. 82562, at 2 n.2, 3 n.5 (Jan. 22, 2018) (citing Stryker); SEC WB Order, Exchange Act Release No. 82807, at 3 n.6 (Mar. 6, 2018).
[55] SEC WB Order, Exchange Act Release No. 34-80871, at 1–2 n.3, 2 n.4 (June 7, 2017); see also id. at 2–3 n.5 (also declining to delay final resolution of the award so the claimant would have an opportunity to petition for a rulemaking).
[56] SEC WB Order, Exchange Act Release No. 79294, at 8 n.13 (Nov. 14, 2016) (“Although we are not able to consider Claimant 3 for an award in that case because it pre-dates the enactment of our whistleblower program, we agree with the views expressed by a staff attorney assigned to [redacted] that Claimant 3 ‘should be lauded for [Claimant 3’s] assistance’ in connection with that case.”).
[57] 15 U.S.C. § 78u-7(b) (“Information provided to the Commission in writing by a whistleblower shall not lose the status of original information . . . solely because the whistleblower provided the information prior to the effective date of the regulations, if the information is provided by the whistleblower after July 21, 2010.”); see also 17 C.F.R. § 240.21F-9(d) (SEC Rule 21F-9(d) implementing the safe harbor); SEC WB Order, Exchange Act Release No. 79747, at 1 n.2 (Jan. 6, 2017) (describing Rule 21F-9(d)); SEC WB Order, Exchange Act Release No. 81227, at 1–2 n.2 (July 27, 2017) (same); SEC WB Order, Exchange Act Release No. 70772, at 3 n.10 (Oct. 30, 2013) (noting that the Whistleblower Office confirmed that it was not necessary to resubmit such information once the rules became effective).
[58] SEC WB Order, at 1 n.1 (Nov. 7, 2016) (Notice of Covered Action No. [Redacted #2]).
[59] SEC WB Order, Exchange Act Release No. 80596, at 6 n.9 (May 4, 2017); see also, e.g., SEC WB Order, Exchange Act. Release No. 77037, at 1–2 n.3 (Feb. 2, 2016) (“[W]histleblowers are required to submit their information about a possible securities law violation through the [SEC]’s online system, or by mailing or faxing a Form TCR, and to declare under penalty of perjury that the information submitted is true and correct to the best of the individual’s knowledge and belief.”) (citing 17 C.F.R. § 240.21F-9(a), (b)); SEC WB Order, Exchange Act Release No. 79604, at 4 n.6 (Dec. 19, 2016) (“Rule 21F-8(a) requires that, in order to be eligible for a whistleblower award, a whistleblower ‘must give the Commission information in the form and manner that the Commission requires,’ specifically referencing the TCR submission procedures set out in Rule 21F-9.”).
[63]Id. at 8 n.13 (“The record indicates that the [redacted] expert report and certain other assistance that Claimants #3 and #4 rely upon in seeking an award were provided by an incorporated entity . . . and not by Claimants #3 and #4 in their individual capacities. . . . The [redacted] firm itself would be ineligible for an award for those submissions, because only individuals can qualify as whistleblowers under Section 21F. These additional considerations further counsel against any determination that would retroactively deem Claimants #3 and #4 in their individual capacities as whistleblowers before their [redacted] Form TCR.”); see alsoid. at 10–12 (detailing related issues with failure to provide “original information”).
[69] SEC WB Order (Aug. 5, 2015) (25 Notices of Covered Action).
[70] SEC WB Order, at 3 n.6 (May 12, 2014) (“We caution [redacted] that we will not entertain any attempt by [redacted] to withdraw [redacted] WB-APPs following the issuance of this Preliminary Determination given: (i) [redacted] previous gamesmanship with withdrawing and then seeking to reinstate a WB-APP; and (ii) [redacted] repeated unwillingness to withdraw these frivolous applications when [redacted] had a reasonable opportunity to do so, see supra note 4, and that [redacted] attempt now to change course would simply be a transparent effort to evade the consequences of [redacted] bad faith conduct.”); see also SEC WB Order, at 3 n.4 (Aug. 5, 2015) (25 Notices of Covered Action) (similar language).
[71] SEC WB Order, at 1 n.1 (Feb. 13, 2015) (Notice of Covered Action No. 2011-206).
[72] SEC WB Order, at 2 n.3 (May 24, 2015) (“Claimant #2 made a clear false and fictitious statement on the Form WB-APP by claiming to be entitled to an award notwithstanding the lack of even a superficial factual nexus between any information Claimant #2 provided to the Commission and the Covered Action.”).
[73] SEC WB Order, Exchange Act Release No. 77322, at 1 n.2 (Mar. 8, 2016) (“On August 5, 2015, the Commission issued a final order . . . determining that . . . this claimant is ineligible for an award in all of [redacted] pending or future covered or related actions . . . .”); SEC WB Order, Exchange Act Release No. 79294, at 1 n.1 (Nov. 14, 2016) (“[T]his claimant’s application was not processed because this claimant had previously been permanently barred from submitting award applications as a result of numerous false and fictitious statements this claimant made in connection with earlier award claims.”).
[84]See 17 C.F.R. § 240.21F-12(b) (“The Office of the Whistleblower may also require you to sign a confidentiality agreement, as set forth in § 240.21F-[8](b)(4) of this chapter, before providing these materials.”); id. § 240.21F-8(b)(4) (“You may be required to: . . . Enter into a confidentiality agreement in a form acceptable to the Office of the Whistleblower, covering any non-public information that the Commission provides to you, and including a provision that a violation of the agreement may lead to your ineligibility to receive an award.”).
[85]See, e.g., SEC WB Order, Exchange Act Release No. 76921, at 4 n.4 (Jan. 15, 2016) (claimant refused to sign even after extension given); SEC WB Order, Exchange Act Release No. 77529, at 3 n.1 (Apr. 5, 2016) (claimant refused to sign unless the SEC agreed “to provide Claimant with counsel and to pay for Claimant’s legal costs and expenses in connection with Claimant’s challenge of the Preliminary Determination”); SEC WB Order, Exchange Act Release No. 77530, at 2 n.2 (Apr. 5, 2016) (same); SEC WB Order, Exchange Act Release No. 29604, at 2 n.2, 3 n.4 (Dec. 19, 2016) (general refusals to sign).
[86]See 17 C.F.R. § 240.21F-12(b) (“These rules do not entitle claimants to obtain from the Commission any materials . . . other than those listed in paragraph (a) of this section. Moreover, the Office of the Whistleblower may make redactions as necessary . . . .”).
[87]See, e.g., SEC WB Order, Exchange Act Release No. 70772, at 6 n.15, 7 n.18 (Oct. 30, 2013) (Whistleblower Office properly withheld copies of defendants’ deposition transcripts in underlying action); SEC WB Order, Exchange Act Release No. 82181, at 15–16 n.27 (Nov. 30, 2017) (finding that the provided materials were not over-redacted, that the whistleblower office properly withheld “the submissions made by other claimants” as well as certain “internal deliberative process files,” and that certain of the claimant’s supplemental submissions were in fact included in the record); see also, e.g., SEC WB Order, Exchange Act Release No. 80596, at 6 n.8 (May 4, 2017) (disagreeing that claimant should be permitted to review “a full record”).
[89] 17 C.F.R. § 240.21F-10(f). Or, in the case of a preliminary determination that an award should be granted, a “proposed final determination” that becomes a final order in 30 days unless a Commissioner requests a review. Id. § 240.21F-10(f), (h).
[93] SEC WB Order, Exchange Act Release No. 82897, at 7 n.10 (Mar. 19, 2018); see, e.g., SEC WB Order, Exchange Act Release No. 71849, at 4 n.7 (Apr. 3, 2014) (by failing to specify communications at issue, claimant waived argument that information contained therein “led to” success of the enforcement action); SEC WB Order, Exchange Act Release No. 72659, at 5 n.2 (July 23, 2014) (claimant waived due process argument); SEC WB Order, Exchange Act Release No. 77037, at 2 n.5 (Feb. 2, 2016) (claimant waived argument that he qualified as a “whistleblower”).
[94] SEC WB Order, Exchange Act Release No. 70772, at 14–19 (Oct. 30, 2013); see also SEC WB Order, Exchange Act Release No. 78025, at 6 n.7 (June 9, 2016) (“We have considered Claimant #5’s various constitutional claims, but we find them frivolous.”); SEC WB Order, Exchange Act Release No. 72659, at 5 n.2 (July 23, 2014) (finding, sua sponte, that due process does not require the claimant to receive actual notice of the whistleblower award program’s existence).
[98]In the Matter of the Application of PennMont Sec. (PennMont), Exchange Act Release No. 61967, 2010 WL 1638720 (Apr. 23, 2010), aff’d, PennMont Sec. v. SEC, 414 F. App’x 465 (3d Cir. 2011).
[109] 17 C.F.R. § 240.21F-5(c); see also, e.g., SEC WB Order, Exchange Act Release No. 82181, at 2 n.2 (Nov. 30, 2017) (“[I]n the context of an award proceeding involving two or more meritorious whistleblower claimants, the award must be allocated among the claimants and may never exceed an aggregate percentage amount of 30% of the monetary sanctions collected.”); SEC WB Order, Exchange Act Release No. 82897, at 2 n.4 (Mar. 19, 2018) (same).
[110] 15 U.S.C. § 78u-6(c)(1); 17 C.F.R. § 240.21F-6; see also, e.g., SEC WB Order, Exchange Act Release No. 73174, at 3 n.4 (Sept. 22, 2014) (“[E]ach award determination involves a highly individualized review of the facts and circumstances surrounding the particular case.”).
[112]See, e.g., SEC WB Order, Exchange Act Release No. 78719, at 1–2 n.1 (Aug. 30, 2016) (culpability mitigated because claimant “did not financially benefit from the misconduct”); SEC WB Order, Exchange Act Release No. 81227, at 2 n.3 (July 27, 2017) (among the positive factors considered, “Claimant alerted the [SEC] to a serious, multi-year fraud that would have otherwise been difficult to detect” and “continued to provide substantial assistance to Enforcement staff during the investigation”); SEC WB Order, Exchange Act Release No. 79294, at 3 n.3 (Nov. 14, 2016) (“Among the actions that Claimant 1 is relying on to seek an upward adjustment to Claimant 1’s award include [redacted]. We find that this action cannot fairly be construed as an attempt to report a potential securities violation by participating in an internal compliance system.”); SEC WB Order, Exchange Act Release No. 76338, at 3 n.6 (Nov. 4, 2015) (claimant’s delay caused “the great majority of the total disgorgement ordered in the underlying enforcement matter”).
[118] SEC WB Order, Exchange Act Release No. 77530, at 2 n.1 (Apr. 5, 2016); see also, e.g., SEC WB Order, Exchange Act Release No. 72301, at 2 n.1 (June 3, 2014) (“A portion of the disgorgement and prejudgment interest ordered to be paid in the Covered Action was ‘deemed satisfied’ by Respondents’ payment of that amount pursuant to a civil action brought by [redacted] and shall be included in our calculation of the award payment to the claimants here. We interpret Section 21 F(b)(l) of the Exchange Act, which provides for payment of awards based on ‘what has been collected of the monetary sanctions’ imposed in a Commission Covered Action, to include amounts that are deemed satisfied when collected in actions brought by other governmental authorities.”); SEC WB Order, Exchange Act Release No. 80521, at 2 n.1 (Apr. 25, 2017) (similar).
Background. Effective July 1, 2018, recent changes to Regulation CC[1] provide new warranty and indemnity rights, liabilities, and obligations potentially impacting a bank, particularly a bank providing a remote deposit capture (RDC) service, including a mobile RDC service, in its role as a depository bank. The new indemnities and warranties are based in part on new definitions of “electronic check” and “electronic returned check” in Regulation CC § 229.2(ggg) for purposes of Regulation CC, subpart C, dealing with the forward collection and return of checks as both paper and electronic checks and electronic returned checks.[2] An “electronic check” and an “electronic returned check” mean an electronic image of, and electronic information derived from, a paper check or a paper returned check. Presently, Regulation CC, subpart C, applies only to paper checks.[3] Generally, Regulation CC, subpart C, presently presumes the forward collection and return of paper checks.[4] However, under Regulation CC § 229.30, as amended, both electronic checks and electronic returned checks are subject to subpart C, except where “paper check” or “paper returned check” is specified. These new warranty and indemnity rights, liabilities, and obligations could amplify the operational risks a bank faces, particularly those associated with RDC service, as detailed below.
Image quality warranty and no double debit warranty. Under new Regulation CC § 229.34(a)(1), a bank transferring or presenting an electronic check or an electronic returned check and receiving settlement or other consideration for it warrants that (a) the electronic image of the check represents all of the information on the front and back of the original check as of the time that the original check was truncated, and the electronic information includes an accurate record of all MICR line information required for a substitute check under § 229.2(aaa) and the amount of the check (i.e., the Image Quality Warranty); and (b) no person will receive a transfer, presentment, or return of, or otherwise be charged for an electronic check or electronic returned check, the original check, a substitute check, or a paper or electronic representation of a substitute check such that the person will be asked to make payment based on a check it has already paid (i.e., the No Double Debit Warranty).[5] In explaining these new warranties, the Regulation CC commentary provides that the electronic check and electronic returned check warranties in § 229.34(a) “correspond to the warranties made by a bank that transfers, presents, or returns a substitute check . . . . (See § 229.52 and commentary thereto).”[6] In the case of a transfer of an electronic check for collection or presentment, under Regulation CC § 229.34(a)(2)(i), these warranties run in favor of the transferee bank, any subsequent collecting bank, the paying bank, and the drawer.[7] Whether a bank creates an electronic check or its customer creates an electronic check through RDC, the bank makes the Image Quality Warranty and the No Double Debit Warranty under Regulation CC § 229.34(a)(1) when it transfers or presents an electronic check. In the case of a transfer for return, a bank makes these warranties to a transferee returning bank, the depository bank, and the owner.[8] As a paying bank, when and as it identifies a check as a suspected duplicate check (a check it has previously paid) and elects to dishonor it by creating an electronic returned check, it could breach the Image Quality Warranty or the No Double Debit Warranty through the electronic returned check.
These risks under Regulation CC, as amended, are amplified when a bank provides a payable-through-draft service or a third-party draft service as a treasury management service to a commercial customer as the population of warrantees increases as to electronic checks. In instances where a bank provides a payable-through-draft service, a commercial customer issues drafts drawn on it and payable through the bank offering this service. In instances where a bank provides a third-party draft service, the bank provides its commercial customer with draft stock to be provided by the commercial customer to its customers to enable its customers to draw these third-party drafts on the commercial customer. Similar to the payable-through-draft service, the bank providing the third-party draft service acts as a “payable through bank” for drafts issued under such service. An example of a third-party draft is a “convenience check” drawn by a credit-card holder against the cardholder’s line of credit associated with the credit card issued by the commercial customer to the convenience check drawer. In both instances, a drawer of a payable through draft—a commercial customer—or a drawer of a third-party draft—a customer to a commercial customer—could be a warrantee of the Image Quality Warranty or the No Double Debit Warranty granted by the payable through bank if such drafts are converted to an electronic check and presented for payment under the service. Further, upon dishonor of a payable through draft or a third-party draft by its drawer or purchaser of the service, in instances where a payable through bank returns such draft as an electronic returned check, it could act as a warrantor of the Image Quality Warranty or the No Double Debit Warranty as well as to the returned electronic check. In sum, in the case of transfers of an electronic returned check for return, under Regulation CC § 229.34(a)(2)(ii), these warranties applicable to an electronic returned check (the Image Quality Warranty and the No Double Debit Warranty) run in favor of the transferee returning bank, any subsequent returning bank, the depository bank, and the owner[9] of an electronic returned check. A bank providing the payable-through-draft service or the third-party draft service could also be the depository bank of a payee of such draft. In such instances, a customer of that depository bank—the payee owner of the draft—could be a warrantee upon dishonor of the draft by the drawer or the commercial customer purchasing the service. The “consideration” the bank receives to cause the warranty liabilities to attach to it could be the revocation of the provisional credit granted by the bank (as depository bank) under Uniform Commercial Code § 4-214 to the payee owner through the original deposit transaction of the draft. Additionally, a bank providing an RDC service could also be the paying bank of a check it accepts for deposit from its payee owner through that RDC deposit service. As a paying bank of that check, it could elect to dishonor the check. If the dishonored check is viewed as an electronic returned check, the owner of the check could be a warrantee of the Image Quality Warranty and the No Double Debit Warranty.[10] Damages for breach of these warranties could be the consideration received by the bank that presents or transfers the check or returned check, plus interest compensation and expenses related to the check or returned check, if any.[11]
A RDC indemnity. Under new Regulation CC § 229.34(f)(2), a novel indemnity is provided to address the allocation of liability where a depository bank accepts a check through RDC to create an electronic check for forward collection, and another depository bank suffers a loss resulting from the latter accepting the original paper check. Under Regulation CC § 229.34(f)(2), this indemnity would be provided by a bank that accepted a check via RDC (Bank A) to a bank that accepted the original paper check for deposit (Bank B),[12] in the event the latter bank incurs a loss because the check had already been paid. (Even if Bank B could, it has no obligation to charge the check against its customer; as a potential holder in due course, it has no obligation also to pursue a claim against the drawer of the check.) This indemnity obligation attaches to Bank A if it (a) is a truncating bank because it provides a RDC service, (b) does not receive the original check, (c) receives settlement or other consideration for an electronic check, and (d) does not receive a return of the check. Under Regulation CC § 229.34(f)(3), Bank B may not pursue an indemnity claim against Bank A if the original check bore a restrictive indorsement inconsistent with the means of deposit, e.g., “for mobile deposit at Depository Bank A only” and the payee’s account number.[13] The indemnity amount under Regulation CC § 229.34(i) is the amount of the loss suffered by Bank B up to the amount of settlement or other consideration received by Bank A, and interest and expenses incurred by Bank B, including costs and reasonable attorney’s fees. Under Regulation CC § 229.38(g), an action to enforce this indemnity must be commenced by Bank B within one year after the occurrence of the violation involved.
Electronically created item indemnity. Under new Regulation CC § 229.34(g), a bank transferring or presenting an electronically created item (ECI) and receiving a settlement or other consideration for it must indemnify (as set forth in Regulation CC § 229.34(i) detailed above) each transferee bank, any subsequent collecting bank, the paying bank, and any subsequent returning bank against losses resulting from the fact that (a) the electronic image or electronic information is not derived from a paper check; (b) the person on whose account the ECI is drawn did not authorize the issuance of the item in the amount stated on the item or to the payee stated on the item; or (c) a person receives a transfer, presentment, or return of, or otherwise is charged for an ECI such that the person is asked to make payment based on an item or check it has already paid. In explaining the losses a paying bank could suffer with respect to an ECI, the Regulation CC Official Commentary provides that such losses include losses arising from a failure to comply with Regulation E because the paying bank would not be able generally to identify an ECI from an electronic check.[14] Given that the paying bank could view the ECI as an electronic check, it could fail to grant a consumer drawer of the check rights and remedies under Regulation E.
New terms to a deposit account agreement for a bank, particularly a bank providing a RDC service. In light of these new warranties and indemnity rights, liabilities, and obligations under Regulation CC, a bank may consider amending its deposit account agreement to strengthen a customer’s indemnity obligations to the bank, especially as to a commercial customer employing the bank’s RDC service (referenced as “you” and “your” in the sample below).[15]
Your Agreement to Indemnify. You will indemnify, defend, and save us and our parent company and its affiliates and each of their respective directors, officers, employees, and agents (collectively, “Indemnitees”) harmless from and against all liabilities, damages, claims, obligations, demands, charges, costs, or expenses (including reasonable fees and disbursements of legal counsel and accountants) awarded against or incurred or suffered (collectively, “Losses and Liabilities”) by Indemnitees arising directly or indirectly from or related to the following (except for Losses and Liabilities arising directly or indirectly from or related to our own gross negligence or willful misconduct):
We warrant to a warrantee that (i) the electronic image of a check accurately represents all of information on the front and back of the original check as of the time that the original check was truncated, and the electronic information includes an accurate record of all MICR line information required for a substitute check and the amount of the check (“Image Quality Warranty”); and (ii) the warrantee will not receive a presentment of or otherwise be charged for an electronic check, an electronic returned check, the original check, a substitute check, or a paper or electronic representation of a substitute check, such that the warrantee will be asked to make payment based on a check it has already paid (“No Double Debit Warranty”).[16] In the case of transfers for collection or payment, we make the Image Quality Warranty and the No Double Debit Warranty to the transferee bank, any subsequent collecting bank, the paying bank, and the drawer. In the case of transfers for return, we make the Image Quality Warranty and the No Double Debit Warranty to the transferee returning bank, any subsequent returning bank, the depository bank, and the owner. If any Indemnitee suffers any Losses or Liabilities arising directly or indirectly from or related to a breach of any of these warranties, you will indemnify the Indemnitee and not hold it responsible or liable.[17]
Through our providing the remote deposit capture service to you, we are required to indemnify a depository bank that accepts the original check from which an electronic check is created for losses incurred by that depository bank if the loss is due to the check having already been paid. If any Indemnitee suffers any Losses or Liabilities arising directly or indirectly from or related to such depository bank indemnity obligation, you will indemnify the Indemnitee and not hold it responsible or liable.
If we transfer or present an “electronically created item” and receive settlement or other consideration for it, we are required to indemnify each transferee bank, any subsequent collecting bank, the paying bank, and any subsequent returning bank against losses that result from the fact that (i) the electronic image or electronic information is not derived from a paper check; (ii) the person on whose account the electronically created item is drawn did not authorize the issuance of the item or to the payee stated on the item; or (iii) a person receives a transfer or presentment, or return of, or otherwise is charged for an electronically created item such that the person is asked to make payment based on an item or check it has paid. If any Indemnitee suffers any Losses or Liabilities arising directly or indirectly from or related to such electronically created item indemnity obligation, you will indemnify the Indemnitee and not hold it responsible or liable.
The indemnity obligation under clause 1 above covers a drawer of a check payable by, at, or through a bank, including a payable through draft. In the case of a drawer of a payable through draft, the drawer enjoys as warrantee both the Image Quality Warranty and the No Double Debit Warranty under Regulation CC § 229.34(a)(1). A payable through bank could breach one or both of these warranties as it accepts a payable through draft through RDC as a depository bank, or creates an electronic check from a paper check and presents the draft to its drawer. Upon breach of one or both of these warranties, the drawer could press a claim against the payable through bank. In that instance, the bank could invoke the indemnity against the indemnitor, the transferor depositing the draft through a RDC service, or the customer depositing a paper check. In the case of transfers for collection or payment, the depository bank in the forward collection and presentment of an electronic check also makes the Image Quality Warranty and the No Double Debit Warranty to the transferee bank, any subsequent collecting bank, and the paying bank. In that instance, the indemnity obligation attaches under clause 1 as well.
In the case of a returned electronic check, a returning bank, any subsequent returning bank, a depository bank, and an owner of a check enjoys as warrantee both the Image Quality Warranty and the No Double Debit Warranty under Regulation CC § 229.34(a)(1) relating to a returned electronic check. A bank as a depository bank could breach one or both of these warranties not only as it charges back an “off-us” check it previously accepted upon return of that check through a return electronic cash letter, but also as a depository bank from a payee of an “on-us” check. Upon breach of one or both of these warranties, the owner could press a claim against the bank. In that instance, as against that owner, the bank would invoke the language “not hold it responsible or liable.” The bank would not invoke the indemnity obligation because it generally attaches if a third party maintains a claim against a bank for which an indemnitor is required to defend. In this case of a chargeback, no third-party claim would be involved.
Further, as a paying bank, when and as it identifies a check as a suspected duplicate check (a check it has previously paid) and elects to dishonor it by creating an electronic returned check, it could breach the Image Quality Warranty or the No Double Debit Warranty through the electronic returned check. In that case, the paying bank could turn to its customer to indemnify it if Losses or Liabilities are incurred by the bank through acts or omissions of the customer.
The indemnity obligations under clauses 2 and 3 above are new indemnities in light of the new remote deposit capture indemnity obligation and electronically created item indemnity obligation under the amended Regulation CC. Clause 2 is available to a bank providing a RDC service in the event another bank accepting the original paper check suffers a loss. If that bank maintains a claim under Regulation CC § 229.34(f)(2) against the bank providing the RDC service, this indemnity clause is available against its customer employing the RDC service. Clause 3 is available to a bank providing a RDC service in the event it incurs liability with respect to an electronically created item transferred or presented by it. Under clause 4, the bank could look to its customer—the party transmitting the electronically created item through RDC.
Conclusion. Effective July 1, 2018, amendments to Regulation CC § 229.34 provide new indemnity obligations and warranties as Regulation CC, subpart C, expands its coverage to capture both paper and electronic checks and electronic returned checks. As to the new Image Quality Warranty and No Double Debit Warranty, a transferee bank, any subsequent collecting bank, a paying bank, and a drawer could become a warrantee. Furthermore, a returning bank, any subsequent returning bank, a depository bank, and an owner of a returned electronic check could enjoy the new Image Quality Warranty and No Double Debit Warranty as a warrantee. Additionally, when a bank provides a RDC service, under Regulation CC § 229.34(f)(2), it could incur an indemnity obligation as to a bank accepting the original paper check. Finally, under Regulation CC § 229.34(g), when a bank provides a RDC service, it could incur a new indemnity obligation as to an electronically created item transferred or presented by it. To mitigate and to spread these risks, an amendment to a deposit account agreement may be in order, especially as to those banks providing a RDC service.
[1] Regulation CC (12 C.F.R. pt. 229) is issued under the Expedited Funds Availability Act (12 U.S.C. §§ 4001–4010) and the Check Clearing for the 21th Century Act (12 U.S.C. §§ 5001–5018), the recent amendments are available at 82 Fed. Reg. 27552 (June 15, 2017).
[2] On March 6, 2018, the Board of Governors of the Federal Reserve System proposed changes to Regulation J (12 C.F.R. pt. 210) in light of these changes to Regulation CC, among other considerations.
[5] The Image Quality Warranty and the No Double Debit Warranty is also presently in the ECCHO Operating Rules § XIX(L)(2) and (7):
Sending Bank Warranties and Indemnification. In addition to the warranties otherwise provided in the Code, Regulation CC, the Rules or other law, each Sending Bank warrants to the Receiving Bank with respect to each Electronic Image sent to the Receiving Bank that:
…
(2) the Electronic Image accurately reflects the Related Physical Check;
…
(7) the Receiving Bank and any other person will not receive a transfer, presentment or return of, or otherwise be charged for, the Electronic Image, the Related Physical Check of that Electronic Image, or a paper or electronic representation of the Related Physical Check such that the person will be asked to make a payment based on an item that it already has paid.
If the Sending Bank breaches any of its warranties set forth in this Section XIX (L), it shall indemnify the Receiving Bank and hold it harmless from and against any damage, expense, or loss, including attorneys’ fees, suffered as a result of the breach.
ECCHO is updating its Operating Rules to conform to the changes to Regulation CC, incorporating the warranties from Regulation CC by reference.
[6]See Regulation CC, Official Staff Commentary § 229.34(a)-2. The “drawee” enjoys these warranties under Regulation CC § 229.52(b); the drawee is not included as a warrantee under § 229.34(a)(1).
[7] In the supplementary information accompanying the final rule, in identifying a drawer (as well as an owner), as a warrantee, the Fed observes:
The Board believes that extending the warranties to the drawer of the check and the owner of the returned check is important to maintain a consistent chain of Check-21-like warranties regardless of whether the check is in the form of an electronic check or a substitute check. The final rule provides protection for drawers and owners from harm that is usually beyond their control, such as harm resulting from illegible images or incorrect MICR lines. (82 Fed. Reg. 27552, 27566–27567 (June 15, 2017).
[12] The bank providing the RDC service accepting for deposit the check could also be the paying bank. In such a case, no Bank B would be involved.
[13] Regulation CC, Official Staff Commentary § 229.34(f)-2-b.
[14]See Regulation CC, Official Staff Commentary § 229.34(g)-2. This commentary appears to be incorrectly numbered; the correct citations should be Official Staff Commentary § 229.34(g)-3. See 82 Fed. Reg. 27552, 27594 (June 15, 2017).
[15] Under Regulation CC § 229.37, subpart C may be amended by agreement, except that no agreement can disclaim the responsibility of a bank for its lack of good faith or failure to exercise ordinary care, or can limit the measure of damages for such lack or failure. As a word of caution, including these terms in a deposit account agreement with a consumer may not be viewed sympathetically by a prudential regulator or a court. The Consumer Financial Protection Bureau may also view such terms unfavorably. Thus, a bank adopting these terms may limit the indemnity obligation to a commercial customer. Additionally, an indemnity obligation may be limited by other considerations. For example, public policy may limit or preclude an indemnitee’s right to enforce an indemnity obligation against an indemnitor.
[16] In the case of a payable through draft, a payable through bank grants this warranty in favor of a drawer of the draft, among others. In some instances, the payable through bank could also be the depository bank of the payee of the draft. In that role as depository bank, the bank could provide an RDC service; this indemnity protects the bank if its commercial customer deposits a payable through draft under which the payable through bank (the depository bank also acting as the payable through bank) incurs liability through a breach of this No Double Debit Warranty.
[17] In the case of a third-party draft, an indemnitor would be the commercial customer. In the case of a payable through draft, a bank providing the payable through draft service would turn to the language assuring that the commercial customer would not hold the bank “responsible or liable.”
In their newly published ABA Business Law Section book titled The Value-Able Law Firm(June 2018), Steve Lauer and Ken Vermilion offer law firms a new, more comprehensive look at the dynamics of value from the corporate client’s point of view.
Several independent forces operating simultaneously have thrust law firms into an unfamiliar environment—a much more competitive one—for which many seem unprepared. Law departments increasingly express the need for more “value” from the legal service their companies require. They focus on the value, rather than simply the “cost,” of that service.
Firms often struggle to understand, however, what clients mean by the term “value.” Value has a completely different look to a law firm’s managing partners than it does to a corporate law department. A firm that hopes to succeed in tomorrow’s environment must rethink its performance metrics and what “client centric” really means.
The focus on value means that a law firm can no longer simply reduce its hourly rates or propose a simplistic alternative fee arrangement when responding to value-seeking law departments. Success now requires a much more nuanced approach.
In addition, new players now compete for a corporate legal departments’ spend. Law firms now must contend with Alternative Legal Service Providers. ALSPs have value propositions and client-focus principles different from those that have motivated law firms for so long.
Finally, law departments must demonstrate in an objective fashion how well they manage the matters entrusted to them by their companies. Satisfying that mandate requires that they develop and implement more meaningful metrics and protocols that demonstrate the overall efficient operations and other management strategies of the law departments. They pass this pressure to external service providers for those matters. Consequently, firms must develop supportive metrics and collect relevant data to meet this ever-increasing expectation.
The changing market for legal service for corporate clients
Until recently, corporate law departments happily assigned outside counsel specific matters and let them run with those assignments with little interference or close oversight. Corporate legal departments were often small and staffed with lawyers who had access to limited internal resources. Those law departments weren’t scrutinized closely by their companies’ CFOs and CEOs. “Value” was inextricably—and simplistically—connected to cost; end of analysis. Law firms’ accountability didn’t extend beyond informing clients of major developments and, perhaps, complying with billing guidelines.
In connection with their selection and management of external service providers, many law departments can now draw on the assistance of corporate procurement personnel, whose expertise in sourcing and metrics constitutes a valuable asset. Particularly, to satisfy the reporting expectations of the C suite, in-house lawyers utilize those capabilities more and more frequently.
The early 2000s brought dramatic changes to a corporation’s search for improved profitability. Process needed to be made more efficient, new technology was deployed to improve productivity and eliminate quality variances in production, and headcount reduction was often a goal. No corporate department was untouched by the “do more with less” mantra.
Suddenly, the legal department was required to provide budgets for its matters that it was expected to achieve. Law departments began to review the companies’ law firms with an eye toward reducing their numbers and costs and providing the C suite more information about significant legal matters, the expected drain on internal resources, and the external resources needed to achieve acceptable results. Suddenly the typical relationship between a corporate legal department and law firms was under stress. Big change loomed.
As they faced their own changing requirements, corporate law departments’ operations personnel began applying disciplined, data-driven process evaluations, developing project management skills, and analyzing cost down to individual employees’ activities. Corporate legal departments began shifting their focus from the “practice” of law to the “process” of law in their search for greater efficiency. Corporate clients have become more engaged with the overall management of outside counsel in a very different and ever-more-demanding manner.
If corporate clients’ greater focus on process weren’t enough to stress traditional relationships between clients and law firms, the emergence of the above-referenced ALSPs added distinct pressures. ALSPs carved out specific legal processes and developed organizations, technology, and artificial intelligence to deliver results more efficiently than law firms. Some clients even directed law firms to utilize ALSPs for their matters.
Finally, corporate legal departments formed professional legal operations and technology organizations and forums for the exchange of ideas. This enabled them to identify improved practices more quickly and to implement the best ones. How can a law firm respond to these new demands?
Recent surveys illustrate general counsel’s disappointment with law firm response to their need to reduce costs. Pressure to reduce costs too often resulted in quality control slippage. Outside lawyers demonstrated little creativity when asked to reduce the costs of services. Firms rarely met expectations regarding understanding the client’s business and culture. Corporate clients began evaluating firms using untraditional criteria: use of technology, project management skills, responsiveness, diversity, etc.
A new, practical construct for delivering “value”
The book explains an approach to the concept of value that is more actionable for outside lawyers by putting meat on the bones of the concept of Value Related Qualities (VRQs).
Here are a few VRQs of legal service or of the lawyers or law firm delivering the service:
expertise
cost control
predictability
speed of resolution or completion
responsiveness
certainty of acceptable resolution
The authors demonstrate how law firms should review their core competencies. What services is a firm really good at delivering to its core clients? Every firm (and each attorney and other professional in the firm) has its own VRQs. A firm might be known for a particular representation, whether transactional or litigation-oriented, environmental, or related to mergers and acquisitions. Perhaps a firm has offices in multiple international jurisdictions and routinely handles multijurisdictional corporate transactions or has well-regarded expertise in international arbitration.
Some firms have strength in handling “bet the company” matters, whereas others excel at handling high volumes of low-risk matters. It’s unlikely that any one firm can effectively be all things to all clients.
The VRQ framework helps identify the strengths of a firm’s performance and match those strengths with its clients’ VRQs. Firms and clients then can have a broader conversation about the creation of value—an innovative conversation that is more meaningful and actionable than the outdated and ineffective cost-per-hour conversation.
Having a particular reputation does not limit the types of matters that a firm can handle competently and legally. That reputation can, however, constitute an “anchor” for the firm’s market presence and its outreach efforts. If a firm understands its existing practice and reputation, it can examine how that current business serves its existing and potential clients’ value-related needs. Reviewing its VRQs and those of the market targets, how much overlap exists? If not a precise matchup, how easily could the firm develop the VRQs needed to more completely service those companies’ needs?
One of the first, and key, steps in understanding VRQs for a client—Fortune 100 or not—is to understand the client’s business and its role in the market. Then it is critical understand its history as well as important company culture characteristics. We believe synergies exist between a client’s overarching business model and the operational framework for the in-house legal department.
Once a firm has aligned its internal resources with the areas of law in which it wants to provide distinguished services to clients, the task of providing evidence of these skills becomes paramount. Enter the world of metrics. How best can a firm demonstrate to clients its core expertise? Developing easy-to-understand metrics that communicate the firm’s ability to deliver value beyond simple cost reduction is essential to winning clients’ work and loyalty. VRQs support the development of value-oriented metrics.
Next, a law firm should focus on the client’s matter-specific objective or goal and strive to understand that objective using the company’s capacity for risk and its business model lens. For example, an insurance company may have decidedly different objectives for the management of its portfolio of tort matters than a modest-sized regional retailer. The former’s lifeblood may be the minimization of cost when managing claims, so its value drivers revolve around cycle times, reusable work product, and analytics that support innovative cost agreements with firms. A regional retailer may seek to eliminate repeat occurrences of similar offences. Yes, there will be a sensitivity to cost, but perhaps a focus on lessons learned and preventative steps to take limiting future exposure may be key. Client-centric firms clearly understand their clients’ objectives before forcing the spade into the soil, and these firms don’t identify objectives in a vacuum. They openly discuss and formally document objectives in advance of developing key components of strategy and execution plans for that strategy. VRQs can fill a critical role in that planning.
There is much more to understanding the VRQ framework and implementing its concepts to benefit both firms and clients. Hopefully this abbreviated look into a better way to create and measure value for your clients will cause you to dig further into the concept of VRQs to enhance how your firm creates value for your clients and is compensated for doing so.
American lawyers lost a good friend and valued adviser when Professor Ronald D. Rotunda died on March 14 at the age of 73. Coming just two months after the death of Geoffrey Hazard, Ron’s passing has deeply affected many in the legal ethics community.
Like many of today’s senior figures in professional responsibility, Ron Rotunda did not expect legal ethics to be his field of expertise. Ron graduated from Harvard Law School in 1970, clerked for Judge Walter Mansfield of the Second Circuit, and spent two years practicing law at Wilmer, Cutler & Pickering before becoming Assistant Majority Counsel to the Senate Watergate Committee amid a Constitutional crisis. From that experience, he evolved into one of the country’s leading experts in Constitutional Law, a demanding field that makes the scope of his body of work in legal ethics all the more remarkable.
In 1974, Ron Rotunda started his academic career at the University of Illinois, where I was also a young professor. That was a watershed year in the study of legal ethics, because the ABA responded to the Watergate scandal by formally requiring all law schools to offer instruction in legal ethics as a condition of maintaining their accreditation. None of the faculty at Illinois—or at most law schools around the country—had the necessary expertise to offer the required courses. The ABA had adopted the Model Code of Professional Responsibility in 1970, and that Code had been quickly adopted in most states. There were few casebooks, however, and those that did exist mostly covered what were then the three “big” issues—the constitutional right to counsel, the lawyer’s duty not to advertise, and the tension between a lawyer’s duty to clients and to the courts.
Thus, Ron Rotunda and others entered the academy at a moment when effective teaching and serious research about legal ethics were in short supply. Ron recognized the need for new materials and brought his seemingly endless energy to the job of producing them. He shared the belief that legal ethics was less a branch of philosophy than a reflection of the realities of a public service career that is central to our constitutional form of government. We decided that legal ethics could be taught most effectively using problems that required students to picture themselves in the roles they were studying to assume. The wisdom of those assumptions, and Ron’s commitment to teaching legal ethics as “real law”—based on rules and court decisions, not platitudes—have been validated by experience. The casebook we co-authored is now in its 13th edition. By now, other casebooks treat those ideas—which were counterintuitive to many at the time—as their own governing principles as well.
Ron Rotunda worked in a variety of professional settings beyond the classroom. He was a member of the ABA Standing Committee on Professional Discipline. He served as a liaison to the ABA Standing Committee on Ethics and Professional Responsibility, and he was a member of the drafting committee for the Multistate Professional Responsibility Exam. He served as an expert witness on legal ethics and malpractice issues, and he worked on the proposed changes to lawyer advertising regulation soon likely to be presented to the ABA House of Delegates. His Legal Ethics: The Lawyer’s Deskbook on Professional Responsibility is perhaps especially important, as it sits on the desks of thousands of lawyers—both ethics specialists and “real” lawyers—around the country.
Ron Rotunda’s interest in public service continued all through his career. He was the only lawyer with a leading role in investigating impeachment of U.S. Presidents Richard Nixon and Bill Clinton, one from each major political party. He also spent a year serving as Special Counsel to the Department of Defense on ethical and constitutional issues relating to Guantanamo Bay detainees.
After retiring from the University of Illinois faculty in 2002, Ron taught at the George Mason University School of Law until 2008. For the last decade, he taught at the Chapman University Fowler School of Law. As the academic world became more specialized in recent years, Ron Rotunda maintained the breadth of his interests and his commitment to making lawyers more effective ambassadors to the institutions and the public whom they serve. All Americans have been affected by his work, and all American lawyers are diminished by his passing.
A New York federal judge held that virtual currencies are commodities that can be regulated by the Commodity Futures Trading Commission (“CFTC”), enjoining the defendants, an individual and affiliated entity, from trading cryptocurrencies on their own or others’ behalf or soliciting funds from others, and ordering an expedited accounting. CFTC v. McDonnell, No. 18-cv-0361, Dkt. 29 (E.D.N.Y. Filed Jan 18, 2018). While the CFTC announced its position that cryptocurrencies are commodities in 2015, this case marks the first time a court has weighed in on whether cryptocurrencies are commodities. Having answered that question in the affirmative, the court went on to hold that the CFTC has jurisdictional authority over defendants’ alleged cryptocurrency fraud under 7 U.S.C. § 9(1), which permits the CFTC to regulate fraud and manipulation in underlying commodity spot markets.
Regulatory Landscape
In recent months, regulators have increasingly turned their attention to cryptocurrency. Although Congress has not yet enacted a regulatory regime for virtual currency, the CFTC and the Securities and Exchange Commission (“SEC”) have exercised concurrent authority over virtual currency primarily by bringing enforcement proceedings.
In September 2015, the CFTC first announced its view that bitcoin and other virtual currencies are commodities within the meaning of the Commodity Exchange Act (“CEA”). See In the Matter of: Coinflip, Inc., CFTC No. 15-29. Initially, the CFTC targeted its enforcement efforts towards unregistered futures and swap marketplaces in virtual currencies. See, e.g., In Re TeraExchange LLC, CFTC No.15-33, 2015 WL 5658082 (Sept. 24, 2015); In re BXFNA Inc. d/b/a Bitfinex, CFTC No. 16-19 (June 2, 2016). More recently, however, the CFTC has begun targeting alleged Ponzi schemes and other frauds involving virtual currencies, regardless of whether those alleged frauds involve trading in futures or swaps. See, e.g., CFTC v. The Entrepreneurs Headquarters Limited, No. 2:18-cv-00345 (E.D.N.Y. Filed Jan. 18, 2018); CFTC v. My Big Coin Pay, Inc., Case No. 1:18-cv-10077 (D. Mass. Filed Jan. 16, 2018); CFTC v. Gelfman Blueprint, Inc., Case No. 17-7181 (S.D.N.Y. Filed Sept. 21, 2017). These more recent enforcement actions have been pursued under the spot market anti-manipulation authority granted to the CFTC as part of The Dodd–Frank Wall Street Reform and Consumer Protection Act, and codified by 7 U.S.C. § 9(1) and 17 C.F.R. § 180.1(a). While the CFTC has acknowledged that its authority in cash or spot markets is limited, it has asserted authority over alleged fraud or manipulation in those markets. SeeCFTC v. McDonnell, No. 18-cv-0361, Dkt. 29 at 22 (citing 7 U.S.C. § 2(c)(2)(C)(i)(II)(bb)(AA)); CFTC Launches Virtual Currency Resource Web Page, Press Release, Dec. 15, 2017, available at http://www.cftc.gov/PressRoom/PressReleases/pr7665-17.
Separately, SEC Chairman Jay Clayton issued a statement in December asserting that many products marketed as cryptocurrencies in fact function as securities, requiring registration with the SEC unless exempted. See SEC Chairman Jay Clayton, Statement on Cryptocurrencies and Initial Coin Offerings (Dec. 11, 2017). Similarly, the SEC has stated that many online platforms for trading cryptocurrencies function in fact as securities exchanges, and must therefore be registered to operate lawfully. See Divisions of Enforcement and Trading and Markets, Statement on Potentially Unlawful Online Platforms for Trading Digital Assets (March 7, 2018). To address these concerns, the SEC has formed a new Cyber Unit within its Division of Enforcement and has brought a number of enforcement actions in the past year concerning alleged frauds in the cryptocurrency market. Chairman’s Testimony on Virtual Currencies: The Roles of the SEC and CFTC before the Committee on Banking, Housing, and Urban Affairs (Feb. 6, 2018) (statement of Jay Clayton, Chairman of the SEC).
For its part, the Internal Revenue Service (“IRS”) asserted in 2014 that virtual currency is “property” and that virtual currency transactions are subject to general tax principles like other kinds of property. Notice 2014-21 (March 25, 2014). To date the IRS has sought trading records from virtual currency exchanges, successfully obtaining a court order compelling the records of roughly 14,000 Coinbase users. SeeUnited States v. Coinbase, Inc., No. 17-CV-01431-JSC, 2017 WL 5890052 (N.D. Cal. Nov. 28, 2017).
Other federal and state authorities such as the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCen), the U.S. Department of Justice, and the N.Y. Department of Financial Services have also undertaken regulatory and/or enforcement efforts concerning cryptocurrency. SeeCFTC v. McDonnell, No. 18-cv-0361, Dkt. 29 at 10-12 (E.D.N.Y. Jan 18, 2018).
Case Background
In January 2018, the CFTC filed a complaint against defendants Patrick McDonnell and his company CabbageTech, Corp., doing business as Coin Drop Markets, alleging that the defendants defrauded virtual currency investors by offering trading and investment services in exchange for U.S. Dollar and cryptocurrency payments, only to close up shop and disappear. Dkt. 1 at 1. Specifically, the CFTC alleged that the defendants inflated their own trading credentials and promised outsized investment returns to induce customers to subscribe to daily investor alerts and hire defendants to trade directly on their behalf. Id. at 1, 4-7. The CFTC alleged that shortly after obtaining payments from numerous customers, defendants shut down the company’s website and chatroom, deleted its social media accounts, and cut off communications with customers, misappropriating the funds without providing the promised advice. Id. at 1, 5, 7.
The court ordered briefing on the CFTC’s request for a preliminary injunction as well as on the authority of the CFTC to bring the instant action. See Dkt. 9, 10. Subsequently, McDonnell filed a pro se motion to dismiss the CFTC’s complaint, arguing in relevant part that the CFTC was politically motivated, and lacked jurisdiction over defendants’ virtual currency activities, which McDonnell argued were not advisory in nature. Dkt. 18, 20. McDonnell’s motion to dismiss did not argue that cryptocurrencies were not commodities, but rather asserted that because his business provided impersonal investment advice to the general public, and did not manage assets, its conduct was outside the scope of CFTC jurisdiction. Dkt. 18 at 1.
The District Court’s Opinion
Senior United States District Judge Jack B. Weinstein denied defendants’ motion to dismiss and granted the CFTC’s motion for a preliminary injunction, holding in relevant part that the CFTC had jurisdictional authority to bring a fraud action against defendants’ allegedly deceptive cryptocurrency scheme despite the absence of futures contracts. Dkt. 29 at 28. In so holding, the court concluded that “[v]irtual currencies are ‘goods’ exchanged in a market for a uniform quality and value,” and therefore fall “well-within” the common definition as well as the CEA’s definition of commodities. Id. at 24.
The court further explained that although the CFTC has traditionally limited its jurisdictional authority to futures and derivatives markets, under Dodd Frank the CFTC may also exercise authority over fraudulent or manipulative conduct in underlying spot markets. Id. at 25. The court held that because virtual currencies are commodities, the CFTC has authority under 7 U.S.C. § 9(1) and 17 C.F.R. § 180.1 to bring a fraud action against defendants even if futures contracts are not involved. The court did not expressly address defendants’ argument that the CFTC lacked jurisdiction over its conduct due to the nature of the advice given, but it necessarily rejected that argument in granting the CFTC’s motion.
In reaching its jurisdictional decision, the court noted that the CFTC’s authority to regulate cryptocurrencies as commodities does not preclude other agencies from regulating cryptocurrencies when they function differently than derivative commodities, at least until Congress sees fit to enact a more tailored regulatory scheme.
The global fight against child labor and forced labor has been led for decades by the International Labor Organization (ILO). The ILO’s most recent estimate is that 25 million people around the world, including millions of children, are currently subjected to forced labor.[1] Under U.S. law, section 307 of the Tariff Act of 1930[2] prohibits the importation of merchandise mined, produced, or manufactured, wholly or in part, in any foreign country by convict, forced, or indentured labor. This law gave the U.S. Customs Service (now the U.S. Customs and Border Protection (CBP)) authority to seize commodities imported into the United States where forced labor was suspected to have been used anywhere in the supply chain.
The Tariff Act defines “forced labor” as “all work or service which is exacted from any person under the menace of any penalty for its nonperformance and for which the worker does not offer himself voluntarily.” Products of forced labor include goods that were produced by convicts and indentured laborers. The ILO defines forced or compulsory labor as service that involves coercion—either direct threats of violence or more subtle forms of compulsion under the menace of any penalty.[3] Goods made by child labor, defined as work that deprives children of their childhood, their potential, and their dignity and that is harmful to their physical and mental development,[4] are included in the forced-labor prohibition especially when combined with any form of indenture. Such tainted merchandise is subject to exclusion and/or seizure by the CBP, may lead to corporate criminal liability, and could even support prosecution of culpable employees individually.
The Trade Facilitation and Trade Enforcement Act of 2015 (TFTEA) removed the “consumptive demand” exception to the United States Tariff Act of 1930,[5] which was a commonly exploited loophole to the prohibition against importing products of forced labor. Prior to the new provision, CBP used the law only 39 times since 1930 to apprehend goods tainted at some point from creation to delivery by forced labor. Since the passage of TFTEA, CBP has issued four new Withhold Release Orders (each a WRO) on specific goods from China.[6] Although 2017 saw more antidumping and countervailing duty orders and intellectual property rights protection activity under TFTEA,[7] there have been no published detentions to date, although CBP has pledged to the U.S. Congress that more import bans under section 307 are forthcoming.
Government agencies other than CBP are also authorized to investigate allegations that forced labor is used to produce goods imported into the United States. U.S. Immigration and Customs Enforcement (ICE), for example, investigates allegations of forced labor related to overseas manufacturing or mining of items that are exported to the United States. The Department of Labor (in consultation with the Department of State and Homeland Security) maintains and annually publishes a list of products that it believes are produced by forced labor, and this list is used to inform the U.S. State Department’s annual Trafficking in Persons Report.
CBP promises to hold goods and issue the dreaded WRO pending further investigation whenever the “information available reasonably but not conclusively indicates that merchandise” to be imported is subject to the anti-forced or indentured labor provision.[8] CBP has made it clear that the “some reasonable indication” standard for issuing a WRO allows it to base a decision on a risk assessment and does not require clear and convincing evidence. Enforcement actions can be triggered by anyone who reports suspicious activity to a CBP officer who then issues a report to the CBP commissioner. Goods can be detained with the commissioner’s issuance of a WRO even when information reasonably but inconclusively indicates that merchandise was made with forced labor. Once a shipment is seized by the CBP and subject to a WRO, the purchaser or importer must provide a detailed demonstration that the commodities were not produced with forced labor as proof of admissibility into U.S. markets. CBP will then decide whether to release shipments on a case-by-case basis. CBP actively seeks the help of NGOs with feet on the ground, and if CBP ultimately deems the gathered information sufficient to make a determination, the commissioner will publish a formal finding in the Customs Bulletin and in the Federal Register.[9]
Enhanced Internal Reviews and Disclosure
In response, responsible importers are taking steps to enhance their compliance measures. They are undertaking review of all products where they commonly act as the importer of record because that role automatically makes them responsible parties for dealings with CBP. Conducting supply-chain audits and performing supplier due diligence to be sure there is no forced labor at any level is clearly now part of good governance as well as corporate social responsibility. In fact, supply-chain audits and due diligence is a legal requirement for certain American companies and large international companies supplying goods and services (including goods and services online) to consumers in California and a growing number of countries outside of the United States.[10]
What is the proper course of action, however, if a company discovers goods tainted by forced labor as part of its compliance monitoring? Do the company’s legal obligations change before and after accepting those goods and incorporating the tainted ingredient into products placed in the U.S. markets? Certainly, a company that discovers goods tainted by forced labor should immediately consider terminating its supply-chain agreement with the offending importer or at least employ greater diligence before accepting delivery of future, possibly tainted goods at the port of entry. However, does the company have a legal obligation to report its findings to the port director or the commissioner of CBP?
Government contractors are bound by the False Claims Act’s mandatory disclosure rule, which provides that contractors must “timely disclose” whenever the contractor has “credible evidence” of certain criminal law violations or violations of the civil False Claims Act.[11] If the importer is member of the Customs-Trade Partnership against Terrorism and part of the Importer Self-Assessment Program, it is expected to take action to mitigate risk and report noncompliance to CBP.
Self-disclosure under TFTEA still appears to be discretionary, however, at least for now. Revised CBP regulations invite “[a]ny person outside the CBP who has reason to believe that merchandise produced in the circumstances mentioned in paragraph (a) of this section [use of convict, forced, or indentured labor] is being, or is likely to be, imported into the United States may communicate his belief to any port director or the Commissioner to CBP.”[12] Nevertheless, if you ask a representative of the CBP’s Office of Trade whether a company’s discovery of forced labor violations must be reported to CBP, you will hear a resounding “Yes.” I know because I asked. Given the use of the “may” above, rather than “shall” in the new regulation, what is the basis of the CBP position?
CBP Expectations
Historically, CBP has operated under the twin principles of “informed compliance” and “shared responsibility,” placing the burden on the importer of record to make entries on the required forms correctly. Failure to make accurate statements with respect to imported goods can result in seized entries, lost import privileges, and civil and criminal penalties. The Department of Justice (DOJ) initiates action seeking criminal penalties by using statutory provisions related to customs matters (goods entering into the United States via fraud, gross negligence, or negligence,[13] goods that were falsely classified upon entry,[14] and entry of goods by means of false statements[15]) or, at its election, through noncustoms provisions (the use of federal provisions regarding the obstruction of justice,[16] the federal conspiracy statute,[17] money laundering,[18] smuggling,[19] and aiding and abetting[20]), with the noncustoms provisions supporting higher criminal penalties.
On October 2, 2016, the DOJ issued Guidance Regarding Voluntary Self-Disclosures, Cooperation, and Remediation in Export Control and Sanctions Investigations Involving Business Organizations. This Guidance memorialized the policy of the National Security Division (NSD) of the DOJ to encourage business organizations to voluntarily self-disclose criminal violations of the statutes implementing the U.S. government’s primary export control and sanctions regimes.[21] It sets forth the criteria that NSD, through the Counterintelligence and Export Control Section and in partnership with the U.S. Attorneys’ Offices, uses in exercising its prosecutorial discretion in determining the possible inducements it can offer an organization to make a voluntary self-disclosure (VSD). For export control and sanctions cases, the Guidance also implements the September 9, 2015 Deputy Attorney General Sally Yates memorandum (Yates Memo) promoting greater accountability for individual corporate defendants and the November 2015 revisions to the Principles of Federal Prosecution of Business Organizations set forth in the U.S. Attorneys’ Manual (USMA Principles).[22]
The Guidance only applies to export control and sanctions violations, however, and rests on the assumption that all criminal violations of U.S. export controls and sanctions harm the national security or have the potential to cause such harm. This threat to national security informs how the NSD and U.S. Attorneys’ Offices arrive at an appropriate resolution with a business organization and distinguishes those cases from other types of corporate wrongdoing, including violations of import controls. Unlike the exporter that finds itself in breach of export controls and sanctions, if an importer truly had no knowledge of the forced labor violations upon original acceptance of the goods, is the failure to report a subsequent discovery as a result of a comprehensive compliance program or audit a violation of law unto itself, or is the violation the failure to amend the original import paperwork?
Penalties for Misstatements to CBP
Federal law prohibits material false statements, acts, or omissions in connection with imports resulting from the importer’s negligence, gross negligence, or fraud.[23] Some typical examples of false statements, acts, or omissions made by importers with respect to goods include misclassifications, undervaluation, antidumping/countervailing duty order evasion, or improper country of origin declarations, but the prohibited activity could also include misstatements with respect to the absence of forced labor. Upon an importer’s discovery of any false statement made in its paperwork, disclosure before a CBP inquiry or issuance of a pre-penalty or penalty notice might be the suggested course of action, yet prior disclosure to CBP does not appear to be required under current law.
The U.S. Attorneys’ Manual section 9-28.900, “Voluntary Disclosures,” now states: “[T]he Department encourages corporations, as part of their compliance programs, to conduct internal investigations and to disclose the relevant facts to the appropriate authorities.” Although “a prosecution may be appropriate notwithstanding a corporation’s voluntary disclosure,” there are concrete, tangible benefits available to entities that do elect to self-disclose corporate misconduct. Where there is a finding of full cooperation and remediation, the corporation and its principals are eligible for a full range of consideration with respect to both charging and penalty determinations.[24]
Importers may look for guidance from the application of corporate compliance programs addressing audits for possible violations of the Federal Corrupt Practices Act of 1977, as amended (FCPA).[25] The Securities and Exchange Commission clearly has taken the position that a company must self-report misconduct in order to be eligible for a deferred prosecution agreement or a nonprosecution agreement. Although there is no blanket affirmative duty to disclose an internal investigation, disclosure may be required if a publically traded company uncovers facts during the investigation that make prior disclosures false or misleading or material.
The DOJ has similarly clarified what is expected and how self-disclosure will vastly affect the ultimate resolution of any FCPA matter. On November 29, 2017, the DOJ announced a new FCPA Corporate Enforcement Policy that formalizes the prior internal guidance, with a few slight revisions, and makes permanent the pilot program[26] established in 2016 to incentivize companies to self-report FCPA violations. The new policy went a step further than the pilot program by creating a rebuttable presumption that the DOJ will decline to prosecute, or impose any penalties on, companies that voluntarily self-disclose potential violations of the FCPA, fully cooperate with the DOJ investigation, and “timely and appropriately” remediate[27] with each of these elements defined in the new policy. Under the revised FCPA enforcement policy, the self-disclosure must be genuinely voluntary (i.e., prior to the “imminent threat” of disclosure or government investigation) and must be made within a “reasonably prompt time” after discovery of the violation. This creates some potential issues for the directors and officers of a company that learn of potential violations and seek to conduct an internal investigation to gather more information. Companies now have to be concerned that protected (and protracted) investigations may jeopardize their ability to make an effective voluntary disclosure. “Full cooperation” in DOJ terms may include deconfliction, which is a request by the government that a company’s legal team step back during an investigation in order to allow the government to interview witnesses first.
Even before the new FCPA policy, the DOJ’s Criminal Division’s Fraud Section released guidance on how it evaluates the effectiveness of a company’s corporate compliance program entitled Evaluation of Corporate Compliance Programs[28] (the Compliance Guideline). The Compliance Guideline sets forth 11 topics and questions investigators may ask when evaluating the adequacy of a compliance program to determine whether to bring charges and the scope of a negotiated plea or other agreements. One of the 11 factors to be taken into consideration is whether the company has implemented an effective and confidential reporting mechanism that can evaluate the risk level or seriousness of reports. Once a report of a compliance breach arrives, the company must timely respond to the complaint and, if appropriate, involve all levels of senior leadership up to the board of directors. In response to investigation findings which should be documented, when warranted, remediation capable of correcting the source of the violations must occur, and all individuals involved in the misconduct must be disciplined.
Should we anticipate a requirement of full cooperation in enforcement of national and international anti-forced labor initiatives? By analogy with FCPA initiatives, there is growing tension between (i) an importer’s need to comply with expanding international legal initiatives requiring supply-chain audits, due diligence, and periodic public reporting with remediation plans to combat the use of forced labor [29] and (ii) a decision not to report violations to CBP upon discovery. If for no other reason, the newly required public reports of efforts to combat forced labor, if complete and accurate, give CBP ample ground to initiate investigations not only with respect to the publically reported discovered violation, but all those that might have occurred at any time within the prior five-year statute of limitations.[30]
The official policy of CBP is clearly to encourage the submission of disclosures before enforcement authorities find violations. It certainly appears to be the case that parties who advise CBP of noncompliance before CBP or ICE discovers the possible noncompliance can expect reduced penalties (to as low as zero) where no fraud is involved. Valid prior disclosures can save the importer time and money, so assuming there is a decision to self-disclose after finding and publishing a report of a supply-chain violation, what should be disclosed and how?
Since businesses are increasingly global, so too are enforcement actions in response to alleged corporate wrongdoing. A company that reports its internal finding of corporate wrongdoing may find itself the focus of not just one law enforcement body, but of many across the world. In addition to the possibility of multiple enforcement actions, a criminal investigation and/or civil proceedings initiated by the victims of forced labor can be devastating to a company’s operations and reputation. Accordingly, companies struggling to both satisfy the legal requirements of global anti-forced labor initiatives and to meet the timeliness and full cooperation criterion of protected self-disclosure must determine the appropriate scope of their disclosures even if an internal investigation is not complete. It is imperative for a company that has discovered forced labor in its supply chain to assess the potential consequences of strategies and tactics in multiple jurisdictions, preserving, to the greatest extent possible, the attorney-client privilege.
Attorney-Client Privilege
General counsel and general business practitioners throughout the United States let out a collective sigh of relief when the U.S. Court of Appeals for the D.C. Circuit granted a writ of mandamus and overturned the district court decision in United States ex rel. Barko v. Haliburton Co.[31] The district court in Barko had held that documents relating to an internal investigation were not protected from disclosure by the attorney-client privilege.[32] In vacating the district court’s order to produce documents, the court of appeals insisted the lower court’s analysis failed to grasp the scope of the attorney-client privilege that protects confidential employee communications gathered by company lawyers in an internal investigation under the seminal Supreme Court case Upjohn Company v. United States.[33]
Three years and counting after the court of appeals decision in Barko, companies have continued to build and invest in robust compliance programs that include self-investigation of potential regulatory violations under the protection of the attorney-client privilege.
The increasing volume of electronic communications has not made an assessment of the scope of the attorney-client privilege in the world of internal audits any easier, however. Should the privilege apply when employees communicate with fellow employees and copy the company’s general counsel? Does such an e-mail implicitly seek legal advice and thus deserve privilege protection without an explicit request for legal guidance but with the mere inclusion of the lawyer as one of the recipients? In Greater New York Taxi Ass’n v. City of New York,[34] the magistrate found that some but not all of the e-mails at issue fit into the framework of privileged communications when the sender indicated that he was soliciting legal advice or that the communication implicated specific legal issues.[35] A similar case in the United Kingdom came to the opposite conclusion, however, holding that communications by corporate lawyers with third parties (including employees) who are not authorized to seek or receive legal advice, and therefore are not the “client” for privilege purposes, are not covered by legal advice privilege (LAP) or litigation privilege (LP), concepts akin to the U.S. attorney-client privilege.[36]
Keeping New York Taxi and other case law in mind, the best practice would be to adopt an aggressive policy in the hope of securing privilege status for as much of the audit results as possible. Officers of the investigating company should state in writing in advance of any e-mail or other communication that the person giving the initial formal instructions to an internal or external lawyer is authorized by the company to obtain legal advice on its behalf. Any employee and executive participating in an internal supply-chain audit or a specific review of a particular shipment should be directed to title all notes as “Attorney Work Product” and to always copy general counsel or outside counsel, as the case may be, as early as possible, explicitly stating that they seek legal advice in all such communications. In addition, companies and their legal advisers should consider the following practical steps in any forced labor inquiry and any decision making with respect to prior disclosure to minimize the risk of inadvertently waiving or losing the attorney-client privilege.
If in-house or outside counsel must obtain data from within the company, whether e-mails or documents, counsel should make clear and document that the collection and use of such information as part of the internal investigation is for the purpose of providing legal advice and counsel to the client company.
Counsel should advise in writing and orally those who collect information during the investigation of the confidentiality of the information and the fact that such information is being collected under the company’s privilege.
The record of the discovered facts should be labeled “Attorney Work Product” and include a statement that, on the information currently available, the drafter entertains a concern that the material gives rise to a real likelihood of a prosecution or other sufficiently adversarial proceeding against the company, and the purpose of the instructions to the lawyer is to give advice to the board (or executive, depending on the stage of the investigation) regarding such concern.
Counsel should indicate in writing also labeled “Attorney Work Product” whether, on the basis of the information initially provided, there would appear to be a reasonable anticipation of a proceeding by the CBP or some other governmental unit.
If a decision is made to proceed with interviews of personnel, in advance of any such interview counsel should inform the person(s) to be interviewed that the dominant purpose of the interview is to enable the lawyer to provide the company with advice regarding the likelihood of prosecution/litigation, and this statement by counsel should be included in the written record of the interview.
At every step, counsel and investigators must state unequivocally before any interview that the investigation is being conducted under the privilege, and that it is the company’s privilege so that waiver or any claim belongs to the company and not to any individual.
Counsel should record in writing within the attorney work product some form of qualitative assessment of what has been said by any person interviewed and his or her thoughts as to its importance or relevance to the legal advice sought.
Attorney-Client Privilege and FAR
An examination of the preservation of the attorney-client privilege under the Federal Acquisition Regulations (FAR) might be helpful in this context. Part 22 of the FAR regulates the application of labor laws to government acquisitions. Subpart 22.1700- 1705, Combating Trafficking in Persons,[37] applies to all federal contracts and represents a policy prohibiting contractors, subcontractors, and their respective agents from conduct including, but not limited to, the following:
engaging in severe forms of trafficking in persons during the period of performance of the contract;
procuring commercial sex acts during the period of performance of the contract; and
using forced labor in the performance of the contract.
Pursuant to FAR Subpart 22.1705, “all solicitations and contracts” are required to include a clause requiring contractors to fully cooperate with the U.S. government by providing access to its facilities and staff to contracting/other responsible federal agencies. The agreed-upon access is to facilitate the federal agencies audits and other investigations to ascertain compliance with the Trafficking Victims Protection Act of 2000 and any other law or regulation restricting the trafficking of persons, the procurement of commercial sex acts, and the use of forced labor.[38] The clause specifies that the requirement for full cooperation does not:
require the Contractor to waive its attorney-client privilege or the protections afforded by the attorney work-product doctrine;
require any officer, director, owner, employee, or agent of the Contractor, including a sole proprietor, to waive his or her attorney client privilege or Fifth Amendment rights; or
restrict the Contractor from—
(A) conducting an internal investigation; or
(B) defending a proceeding or dispute arising under the contract or related to a potential or disclosed violation.[39]
Content of Disclosure to CBP
Turning back to importers, once an internal audit uncovers products tainted by forced labor and a decision is made to proceed with a prior disclosure, the importer should be sure to follow up any verbal report to a CBP officer at every port of entry where the disclosed violation(s) occurred in writing within 10 days. The writing should indicate the importer’s name, address, and contact information and should be addressed to the commissioner of CBP with copies to each applicable port. The written disclosure should list all of the concerned ports, identify the class or kind of merchandise, identify the entry number(s), dates of entry, or drawback claims, and specify the previously believed absence of the use of forced labor as a material false statement. The disclosure should go on to include an explanation as to the true and accurate information or data with respect to labor that should and would have been provided if previously known. Every effort must be made to be sure the disclosure is as complete as possible. If necessary, to maximize the intended benefit of the disclosure, the disclosing importer must first determine whether its internal inquiry and resulting disclosure should look back five years to cover those violations, if any, not barred by the statute of limitations.
Notwithstanding the desire to be thorough in the disclosure, efforts can and should be made to preserve the attorney-client privilege to the extent possible. The U.S. International Trade Commission gives only approved parties to an investigation access to business proprietary information (BPI),[40] and even that access is subject to an administrative protective order (APO) designed to protect the confidentiality of the BPI.[41] Information that is privileged, classified, or “of a type for which there is a clear and compelling need to withhold from disclosure” is nevertheless exempt from disclosure and service under the APO.[42] There is a special procedure for a submitter of BPI to follow if he or she considers that any of the information falls within the exempt categories, requesting an exemption from general availability to the secretary.[43] The submitter must file multiple copies of the same documents claimed to be privileged, with their covers and pages clearly marked as to whether they are the “confidential” or “nonconfidential” versions, and the confidential business information must be clearly identified by means of brackets. All written submissions, except for confidential business information, will be made available for inspection by interested parties.
Contract Rights upon Discovery of Tainted Goods
The discussion above does not distinguish between a company’s pre- or post-acceptance discovery of the impermissible use of forced labor in the production or manufacture of goods. Should the company’s decision to report the infraction to the CBP depend upon the timing of the discovery?
If the supplier’s acts constitute the use of forced or child labor, and such acts are discovered by the would-be buyer before acceptance of the goods, disclosure to the CBP would, under such circumstances, not appear to be legally required under current U.S. law because there was no false or misleading information submitted to CBP by the importer. Referring back to the discussion above with respect to the CBP regulations use of the words “may communicate,” rather than the mandatory “shall communicate,” the regulations seem to pose no risk to a buyer that rejected such goods as nonconforming because there is no entry into U.S. markets attributable to that buyer. What if the buyer accepted identical goods from the same supplier historically (anytime in the five-year period of the statute of limitations)? If that is the case, and it probably will be more often than not, disclosure might be problematic, but nondisclosure may be worse. What if the prohibited acts of the supplier are discovered and disclosed by another, and CBP initiates an investigation of all buyers from that supplier in the prior five-year period? After all, once the tainted goods are revealed by another, such an investigation is likely low-bearing fruit for the CBP’s enforcement arm. In fact, a competitor that can secure the protections afforded by full cooperation would have every incentive to damage the brand and operations of less transparent companies in the same space.
If the discovery of the use of forced labor by the importer precedes acceptance of the goods delivered to a port, the importer must also be sure to evaluate its contract rights with its supplier to reject the goods as nonconforming. There will probably be a contractual obligation to notify the supplier of the importer’s discovery and rejection of goods. Although the contract might have a general reference to a supplier’s obligation to adhere to all applicable law, breach of applicable anti-forced labor laws may not be identified as a breach justifying rejection of the goods or termination of the contract. The importer may find itself in the impossible position of having to choose between violating TEFRA and breaching a contract with a supplier, with both alternatives posing operational and reputational risks.
The Uniform Commercial Code Subcommittee of the ABA Business Section is currently working on model contract clauses designed to protect the human rights of workers in international supply chains. By way of reference and incorporation into the supply contract, a breach of the anti-slavery, human trafficking, and human rights policies of the buyer/importer made known to the seller/supplier and required in the supplier’s performance can be deemed a clear material breach of the contract and support rejection of the tainted goods as nonconforming. Putting these provisions in supply contracts will provide support for a company’s desire to prove that it is complying with prevailing international legal developments to assure fundamental freedoms for all workers. Audit rights, if also included in the contract and utilized regularly, would assist the buyer/importer in its efforts to be vigilant in fighting forced labor throughout the supply chain.
The incorporation of such policies into the supply-chain contract will provide a framework for agreed-upon disclosure by an importer/buyer of the supplier/seller’s use of forced labor to CBP, SEC, California, the United Kingdom, France, and the general public. Without such explicit contractual provisions, an importer that discloses its supplier’s use of forced labor to third parties could arguably otherwise be subject to the supplier’s claim that the importer breached standard nondisclosure covenants by revealing confidential supplier information.
Such contractual incorporation of anti-forced labor and general human rights policies has yet another benefit. Contract provisions that refer to anti-forced labor and human rights policies and incorporate such policies throughout the supply chain will allow businesses to self-regulate. Self-regulation might just be more effective at preventing forced labor and other abuses of human rights than laws governmental agencies find difficult to enforce given their limited resources. Corporate policies, audits, and remediation plans that reflect a broad concern for all supply-chain workers could play an important role in prevention not only of forced labor, but also factory collapses and fires, unacceptable living quarters, sub-par medical care for accidents, shift break restrictions, and similar work-related hardships that do not rise to the level of forced labor as that term is defined in the beginning of this article.
Pitiable working conditions suffered by employees of suppliers are not addressed in the scope of current legal requirements, whether national or international, so disclosure upon discovery is rarely, if ever, required. If such working conditions are violations of supplier contract requirements, however, mistreatment of workers could justify rejection (or threatened rejection) of the goods and/or termination of the contract, unless the contract breach is remedied by the offending supplier within the time period provided. The efforts of internal governmental units and NGO investigators would be supplemented across the world by thousands of internal auditors’ feet on the ground, and what has been pervasive for too long might finally change.
[5]See Trade Facilitation and Trade Enforcement Act of 2015, Pub. L. 14-125, 130 Stat. 122 § 910(a); see also U.S. Customs and Border Protection, Repeal of the Consumptive Demand Clause.
[6] Soda ash, calcium chloride, and caustic soda from Tangshan Sanyou Group and its subsidiaries on March 29, 2016; potassium, potassium hydroxide, and potassium nitrate from Tangshan Sunfar Silicon Industries also on March 29, 2016; Stevia and its derivatives from Inner Mongolia Hengzheng Group Baoanzhao Agricultural and Trade LLC on May 20, 2016; and peeled garlic from Hangchange Fruits & Vegetable Products Co., Ltd. on September 16, 2016.
[7] A March 31, 2017 Executive Order on Establishing Enhanced Collection and Enforcement of Antidumping and Countervailing Duties and Violations of Trade and Customs Laws authorizes the Secretary of Homeland Security, through the commissioner of CBP, to develop implementation plans and a strategy for interdiction and disposal of inadmissible goods and to develop persecution practices to treat significant trade law violations as a high priority. https://www.cbp.gov/trade/trade-community/programs-outreach/convict-importations.
[10]See California’s Transparency in Supply Chain Act of 2012 (TSCA), Federal Acquisition Regulations §§ 52.222-256 (FAR), the UK Modern Slavery Act, the Netherlands Child Labour Due Diligence Law, France’s Corporate Duty of Vigilance Law, proposals for a corporate modern slavery reporting requirement in Australia and Pillar II of the UN Guiding Principles on Business and Human Rights (UN Guiding Principles), and the Sustainable Development Goals (also referred to as Agenda 2030) launched on September 25, 2015.
[16]Id. at § 1519 (“Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, . . . any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States . . . or contemplation of any such matter or case, shall be fined under this title, imprisoned no more than 20 years, or both.”).
[21]See Arms Export Control Act, 22 U.S.C. § 2778; International Emergency Economic Powers Act, 50 U.S.C. § 1705.
[22]See U.S. Dep’t of Justice, United States Attorneys’ Manual 9-28.000, 9-28.900 (2015) (“[P]rosecutors may consider a corporation’s timely and voluntary disclosure, both as an independent factor and in evaluating the company’s overall cooperation and the adequacy of the corporation’s compliance program and its management’s commitment to the compliance program.”).
[26] In an April 5, 2016 memorandum titled The Fraud Section’s Foreign Corrupt Practices Act Enforcement Plan and Guidance, the DOJ rolled out a program under which companies could receive a reduction in criminal penalties of up to 50 percent, avoidance of a compliance monitor, and even a declination to prosecute. Since its inception through the end of November 2017, the leniency program yielded 30 voluntary disclosures, and the DOJ issued seven declinations. See DOJ’s Pilot Program Declinations.
[27] U.S. Dep’t of Justice, United States Attorneys’ Manual 9-47.120, FCPA Corporate Enforcement Policy (2017).
You’ve worked out the thousands of details necessary to close an acquisition, you’re getting close to the signing date, and then . . . your antitrust colleague asks whether the deal team considered the relevant antitrust issues that may stem from the acquisition.
Don’t wait until this question stops you in your tracks. To help you think through these important issues early, below is a practical guide—and best practices—to dealing with antitrust issues during the lifecycle of an acquisition. Of course, each transaction is different and must be evaluated on a case-by-case basis, thus we recommend you contact antitrust counsel early in the process so that he or she can provide proper guidance.
Counsel, we’re ramping-up the due diligence process; are there any antitrust issues that I need to keep in mind?
As soon as possible, you should discern the competitive relationship between the parties. This is a key point that directly influences the level of antitrust scrutiny in the contemplated deal under Section 7A of the Clayton Act, 15 U.S.C. § 18, which prohibits transactions in the United States that may “substantially” lessen competition. Other jurisdictions around the world have similar tests. In general, transactions among competitors will be viewed more critically by antitrust authorities than other transactions. To determine whether your client competes with its merger partner, you should ask questions such as whether the parties have competing products or services and whether they compete for the same types of customers.
In addition, important antitrust issues can arise in the due diligence process, particularly with respect to sharing competitively sensitive information (CSI) with your merger partner.[1] If you determine that the parties are competitors even in broad terms, your client must take precautions to protect the flow of CSI. Section 1 of the Sherman Act, 15 U.S.C. § 1, prohibits a “contract, combination . . . or conspiracy” that unreasonably restrains trade. Information exchanges among competitors can therefore be risky under Section 1 because they may increase competitors’ (and to be clear, merging parties are considered competitors until they close the transaction) ability to collude or coordinate behavior that lessens competition between or among them. For instance, competitors exchanging price information could facilitate illegal coordination among them, and there are notable examples of competition enforcers finding instances of such facilitation when reviewing merger parties’ documents during the pendency of a review.[2]
Enforcement bodies around the world—including the Antitrust Division of the U.S. Department of Justice (DOJ), U.S. Federal Trade Commission (FTC), and European Commission (EC)—will investigate the improper sharing of CSI between competitors. They have made clear that the due diligence process does not provide a shield.[3] The most competitively sensitive information includes nonaggregated data relating to: (i) pricing, including information related to margins, discounts, and rebates; (ii) other confidential, customer-specific data for current or potential customers (i.e., relating to product plans or terms that will be offered); (iii) detailed research and development efforts or product forecasts; and (iv) other forward-looking, market-facing activities.[4] Although there are many categories of information that can be shared with fewer restrictions—such as balance sheets, aggregated and/or anonymized customer information, and operational systems—note that these are just examples of common categories of CSI and not an exhaustive list of information that should be monitored.
Given the importance of due diligence in evaluating the transaction, however, there are standard ways of sharing CSI that can limit antitrust risk involved in this process. For instance, CSI can be shared with outside counsel and other third parties assisting in the evaluation of the transaction to prevent a direct exchange between competitors. Further, certain CSI (e.g., relating to costs and prices) many times can be shared on an aggregated and historic level. Additionally, you can establish a clean team consisting of a small number of individuals within the organization to evaluate the CSI. Keep in mind that clean team members may need to be screened off from certain of their day-to-day responsibilities for a period, given the sensitive information they will learn. Regardless of how CSI is shared, it should be used only for the purpose of analyzing the potential transaction and only within a small group of individuals that must see it in order to properly diligence the potential acquisition. The most important thing with any protocol that is implemented is that it establishes a clear structure that limits who can see this information and how it can be used.
If an antitrust enforcement body believes there may have been an improper information exchange, it will likely open a separate investigation.[5] This will not only expose the parties to additional antitrust risk, which could include fines, but it could also lengthen any investigation related to the deal itself.
Counsel, the deal is moving forward; what else should the deal team be doing?
Given that a merger filing may be necessary, as explained below, it is never too early to remind members of the business team that their correspondence (including e-mails, voicemails, instant messages, text messages, handwritten notes, standalone documents, and presentations) regarding the deal may be evaluated by antitrust regulators. It is imperative that the business team members be factual and accurate in their communications because overstatements or hyperbole could be misinterpreted. Recent cases and statements from antitrust enforcers show that the U.S. government has relied heavily on the merging parties’ ordinary course documents when evaluating a transaction’s potential harm or filing a complaint to block a transaction. For instance, then-Acting Associate Attorney General and former Assistant Attorney General for Antitrust Bill Baer noted that the DOJ’s “assessments of competitive effects do not simply rely on quantitative evidence provided by expert testimony; we look at likely effects as shown by qualitative evidence, including party documents and industry and customer witness testimony.”[6] This is a trend that we have also noticed in cases with the EC in which the regulator will increasingly issue questions that focus solely on the merging parties’ internal documents.
Counsel, we’re negotiating the merger agreement; what about antitrust-related provisions in the agreement?
There are several antitrust-related deal points that can be addressed in the merger agreement itself, particularly where the deal carries antitrust risk. If the parties expect a lengthy regulatory review resulting in a divestiture or lawsuit to block the merger by an antitrust regulator, they can negotiate certain terms to alleviate some of that risk. For example, a “hell or high water” provision can be included that requires the parties to see the regulatory review process through litigation with the antitrust authorities and to use all or best efforts to get a deal cleared; a divestiture provision can be included that requires the buyer to divest certain assets in order to alleviate regulators’ concerns; or a termination fee provision can be included in the event that one or both of the parties decide against completing the acquisition because of regulatory concerns. Finally, and particularly for deals that may not close for an extended period of time due to antitrust scrutiny, your client should consider timing provisions, which specify a date by which the deal must be closed.
Counsel, it’s now time to consider the merger control process; what do we need to think about?
It is important to evaluate whether any antitrust-related filings are necessary as the deal progresses. In the United States, a deal can trigger a Hart-Scott-Rodino (HSR) filing obligation that requires the acquirer to pay a filing fee and provide certain documents to antitrust enforcers. The HSR filing requirements depend primarily on the value of the transaction and the size of the merging parties. Filings may also be required in many other jurisdictions around the world, with different filing tests or thresholds—including those relating to the parties’ turnover, asset values, and market shares. Antitrust counsel should be consulted early to manage the jurisdictional filing analysis.
Failure to comply with antitrust regulatory requirements can result in substantial fines. For instance, the EC has the authority to impose fines up to 10 percent of the aggregate worldwide turnover of the parties for failing to make a merger notification. In the United States, if a party is found in violation of the HSR Act,[7] 15 U.S.C. § 18a, it can be fined up to $40,000 per day.[8] Other jurisdictions (including Brazil, China, Canada, India, Japan, and Germany, among others) also have penalties for violation of applicable merger notification laws.
Finally, as noted above, some jurisdictions require the production of documents and the submission of accurate information as part of the filing. For instance, the U.S. antitrust bodies and the EC require the production of certain deal-related documents prepared by or for any officer or director. Failure to adhere to this requirement can result in penalties for the company. The DOJ, for example, imposed a $550,000 fine against a party for failure to provide required documents, even though the DOJ ultimately found that the deal did not pose any substantive antitrust issues.[9] In the EU, the EC fined Facebook EUR110 million for allegedly submitting misleading information in its acquisition of WhatsApp.[10] These cases provide an important reminder that filing requirements must be taken very seriously.
Counsel, we’ve now signed; are there pre-closing issues that we should be aware of?
Many of the questions we get from our clients relate to the scope of proper conduct after the deal has been signed, but before regulatory approval and closing. At a high level, the rule is that the two merging parties are still separate companies and must act accordingly. That means that they cannot go to customers jointly and sell products of the future, combined company. They also cannot exchange CSI without proper safeguards in place, integrate research and development efforts, or make any public statements (in press releases or to investors) that would imply that the two companies are one.
The merging parties have every incentive to start selling the benefits of the deal to clients and investors as soon as it is signed, but antitrust regulators will focus on improper conduct in combining the two merging parties, known as “gun jumping,” before they have received a chance to review the acquisition. For example, in November 2016, the French Competition Authority fined telecommunications company SFR and its parent Altice EUR80 million for allegedly implementing two transactions before receiving regulatory clearance.[11] Two months later in the United States, the DOJ settled gun-jumping allegations stemming from Duke Energy’s acquisition of Osprey Energy Center. There, Duke allegedly took control over Osprey’s output as well as received the right to Osprey’s day-to-day profits and losses.[12]
There is, however, some pre-closing conduct that is permissible. For instance, it is permissible for your clients to tout to customers or investors the benefits of merging the two companies and to begin to plan for day one of the merged company, including discussions on how to combine corporate functions, but it is not permissible to actually combine them. Another way to address pre-closing issues, in addition to the continued assistance by outside counsel and other third parties, is to have an isolated integration clean team that has no market-facing responsibilities in either company. These clean teams have the ability to plan for integration but are not exposed to CSI from either of the merging parties. This best practice allows the parties to structure the interim period between signing and closing in a way that prevents CSI from ever traveling from one party to the other.
Finally, your clients will often be eager to announce the acquisition for a whole host of strategic reasons. In those instances, it is important to make clear in any public statement that regulatory approvals are pending and that closing will occur only after those approvals are obtained. This rule applies to shareholder calls and any other public forum where executives may be talking about the acquisition.
Counsel, we’ve got approval from the regulators; what’s next?
Once you receive approval from all necessary regulatory agencies, no further antitrust obstacles prohibit you from closing, so close! Regulatory approval often is the last hurdle before an acquisition can close, so it is not difficult to convince clients to do everything they must do in order to complete this step. Although limited, there is some antitrust risk while the companies are still separate even after any antitrust review of the deal has closed.[13] Once they have merged operations, however, the two companies are now one and cannot be liable under the antitrust laws aimed at illegal agreements between competitors.
[1] Of course, nonantitrust issues can arise during the due diligence process as well. For instance, the sharing of personally sensitive information can result in privacy concerns.
[3] The FTC in a recent blog post highlighted this point, noting that that agency “looks carefully at pre-merger information sharing to make sure that there has been no inappropriate dissemination of or misuse of [CSI] for anticompetitive purposes.” Holly Vedova et al., Fed. Trade Comm’n, Avoiding antitrust pitfalls during pre-merger negotiations and due diligence (Mar. 20, 2018).
[4]See, e.g., id.; see also Michael Bloom, Fed. Trade Comm’n, Information exchange: be reasonable, (Dec. 11, 2014); Omnicare, Inc. v. UnitedHealth Group, 629 F.3d 697, 709–11 (7th Cir. 2011).
[5] The FTC highlighted this point in its recent blog post, noting that “if FTC staff uncover documents in their merger review indicating that a problematic exchange occurred, or that the parties may not have fully lived up to the protocols they established to protect confidential information, this may well result in FTC staff pursuing a separate investigation, potentially costing additional time and resources.” Vedova, supra note 4.
[11]See Press Release, Autorité de la concurrence (Republique Francaise), Gun jumping/Rachat de SFR et de Virgin Mobile par Numéricable – L’Autorité de la concurrence sanctionne le groupe Altice à hauteur de 80 millions d’euros pour avoir réalisé de manière anticipée deux opérations notifiées en 2014 (Nov. 8, 2016).
[13] For instance, as the FTC recently noted: “[companies] must also be conscious of the risks of sharing information with a competitor before and during merger negotiations—a concern that remains until the merger closes.” Vedova, supra note 4.
Digital accessibility is about the ability of people with disabilities to find, read, navigate, interact with, and create digital content. It is about people who use computers without being able to see a screen or hold a mouse, and it is about students who watch videos for school and pleasure who can’t hear or understand the audio.
Digital accessibility is achieved by meeting well-established and internationally accepted design standards and maintaining a culture of accessibility in business policies and processes.
Accessibility can be a team motivator, a source of creativity, and a business differentiator. It benefits not just people with disabilities, but aging boomers and anyone who prefers technology that is easy to navigate and use. In addition, digital accessibility is a civil right. Why? Because without it, people with disabilities are excluded from government services, employment, education, private sector offerings, and a host of other activities that happen online.
The Americans with Disabilities Act (ADA) has required digital accessibility for decades. There has recently been an increase in lawsuits and administrative complaints about digital accessibility in virtually every sector of the economy. For these reasons, digital accessibility is something every business lawyer should understand.
This article cannot cover everything a lawyer must know to advise businesses about accessible technology, but a good starting point is vendor contracts. Even companies with a commitment to digital inclusion can run into trouble if they purchase inaccessible content or technology.
In a recent accessibility lawsuit in Florida, a plaintiff sued both the website owner and the vendor who “designed and hosted” the website. Gil v. Sabre Technologies, Inc. et al., 1:18-cv-20156 (S.D. Fla. 2018). In addition, a federal judge ruled in 2017 that a grocery chain’s inaccessible website violated the ADA. The decision, now on appeal, ordered Winn-Dixie to “require any third party vendors who participate on its website to be fully accessible to the disabled.” Gil v. Winn-Dixie Stores, Inc., 242 F. Supp. 3d 1315 (S.D. Fla. 2017).
The risk of inaccessible products and ADA lawsuits can be minimized by implementing basic smart practices in vendor contracts. We welcome feedback about other practices that have helped your clients stay ahead of the legal curve and offer technology that is available to everyone.
Smart Practices for Addressing Accessibility in Vendor Contracts
Adopt an Accessibility Policy
Before asking vendors to deliver accessible digital products, an organization needs its own accessibility policy. At a minimum, the policy should state the organization’s commitment to digital accessibility and the standard for accessibility. The most commonly used standard is the Web Content Accessibility Guidelines 2.0 Level AA.
Other policies that build a strong accessibility foundation include putting accessibility in performance evaluations to hold employees accountable, ensuring all technologies (not just web) are covered, developing an effective training program, and having an efficient way for customers, employees, etc. to report barriers (and to fix them).
Include Accessibility Requirements in Requests for Proposals
Issuing an RFP for technology? Accessibility requirements must be included. Attach the organization’s accessibility policy, and be specific. Don’t just say the technology will “meet federal requirements.” List federal accessibility laws, such as the ADA and section 508 (federal procurement). For web content, specifically identify the applicable accessibility standard, e.g., WCAG 2.0 AA. In addition, list some disabilities as examples to ensure vendors know what is expected. A good resource is WebAIM’s People with Disabilities on the Web.
State the Requirements for Evaluating Accessibility
It is not enough to require accessibility. RFPs should specify how accessibility will be evaluated. Resources include the Web Accessibility Initiative’s Web Accessibility Evaluations Tools List and guidance for selecting tools. If a business is not sure what testing tool is best, ask what tool the vendor uses. The answer (or lack of one) will speak volumes.
Remember that 100-percent automatic (computerized) testing is not sufficient. RFPs should include requirements for user testing and require vendors to include disabled people in product testing. If possible, specify at what points in the development process disabled people should evaluate the product. Having users review a product early in the development cycle avoids costly fixes later. A review before delivery catches last-minute errors.
Evaluate Proposals for Accessibility
Insist that vendors provide accessibility information and be sure to read it and ask questions. Understand exactly what the vendor will do to ensure accessibility. In 2018, any vendor that says they’ve never worked with accessibility principles should be passed over. Vendors who provide seemingly strong accessibility answers should be questioned the same way vendors are evaluated for security and privacy issues. In other words, take it seriously and be specific. How do they know their product is accessible? What tests and standards did they use? Will they share test results?
Review VPATs with Care
Some vendors offer Voluntary Product Accessibility Templates (VPATs). If one is offered, it is important to read it and understand what it means. A vendor often will not answer the actual question for an accessibility standard or will give an unacceptable answer. For example, Section 508 requires that “At least one mode of operation . . . that does not require user vision shall be provided. . . .” The answer, “Support Line is available,” means the product is not accessible, and customers who can’t use the product online are expected to call someone who may or may not be able to help. Remember that a VPAT that says a product is “partially compliant” means it is “not compliant” in some respect. It’s up to your client to find out what that means and how to address it for their customers.
Put Accessibility in the Contract
Once a vendor is identified that can meet other criteria and deliver an accessible product, accessibility details must be spelled out. To avoid lawsuits and ensure all customers can use the business’s technology, make accessibility a contract term. Some specifics include the following:
state the accessibility standard (e.g., WCAG 2.0 Level AA);
state how and when the technology will be tested;
hold the vendor responsible if the product turns out not to be accessible by requiring the vendor to remediate barriers immediately, deliver a new product, return money paid, pay any damages and attorney’s fees incurred by the business, and/or pay any damages and fees the business must pay because of a complaint;
allow the business to do its own testing upon delivery, and require the vendor to remediate any identified accessibility barriers; and
given that accessibility defects may not be immediately apparent, specify vendor responsibility whenever a barrier needs remediation.
After the Ink Is Dried
Accessibility is not a “one and done” issue. It must be maintained and periodically evaluated. When problems arise, an efficient remediation system must be in place. Once a vendor has delivered an accessible product, here are some steps to prevent problems down the road:
when a customer or employee raises an accessibility problem, get the problem into the right hands and fix it as soon as possible;
train all customer-facing staff about the company’s accessibility policy and how to escalate to the appropriate person;
build a monitoring program that suits the size of the company to ensure accessibility is maintained, and train content creators (anyone who can post to the company’s website) to recognize, and use content management systems that flag, accessibility errors.
Finally, don’t keep a business’s accessibility commitment in the closet. Accessibility is a brand differentiator and a way to bring in more customers both with and without disabilities. Be explicit and transparent about accessibility efforts. It will make technology more usable for everyone.
Connect with a global network of over 30,000 business law professionals
