Understanding the Enhanced Regulation S-P Requirements

On May 16, 2024, the Securities and Exchange Commission adopted amendments to Regulation S-P, the regulation that governs the treatment of nonpublic personal information about consumers by certain financial institutions. The amendments apply to broker-dealers, investment companies, and registered investment advisers (collectively, “covered institutions”) and are designed to modernize and enhance the protection of consumer financial information. Regulation S-P continues to require covered institutions to implement written policies and procedures to safeguard customer records and information (the “safeguards rule”), to properly dispose of consumer information to protect against unauthorized use (the “disposal rule”), and to provide a privacy policy notice containing an opt-out option. Registered investment advisers with over $1.5 billion in assets under management will have until November 16, 2025 (18 months) to comply; those with less will have until May 16, 2026 (24 months) to comply.

Incident Response Program

Covered institutions will have to incorporate an Incident Response Program (the “Program”) into their written policies and procedures if they have not already done so. The Program must be designed to detect, respond to, and recover from unauthorized access to or use of customer information. The nature and scope of the incident must be documented, along with the further steps taken to prevent additional unauthorized use. Covered institutions will also be responsible for adopting procedures for the oversight of third-party service providers that receive, maintain, process, or otherwise access their clients’ data. The safeguards rule and disposal rule require that nonpublic personal information received from a third party about that third party’s customers be treated the same as information about the institution’s own clients.

Customer Notification Requirement

The amendments require covered institutions to notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The amendments require a covered institution to provide the notice as soon as practicable, but not later than 30 days, after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The notices must include details about the incident, the breached data, and how affected individuals can respond to the breach to protect themselves. A covered institution is not required to provide the notification if it determines that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. To the extent a covered institution has a notification obligation under both the final amendments and a similar state law, it may be able to provide a single notice that satisfies both obligations, provided that the notice includes all information required under both the final amendments and the state law, which may reduce the number of notices an individual receives.

Recordkeeping

Covered institutions will have to make and maintain the following in their books and records:

  • Written policies and procedures required to be adopted and implemented pursuant to the Safeguards Rule, including the incident response program;
  • Written documentation of any detected unauthorized access to or use of customer information, as well as any response to and recovery from such unauthorized access to or use of customer information required by the incident response program;
  • Written documentation of any investigation and determination made regarding whether notification to customers is required, including the basis for any determination made and any written documentation from the United States Attorney General related to a delay in notice, as well as a copy of any notice transmitted following such determination;
  • Written policies and procedures required as part of service provider oversight;
  • Written documentation of any contract entered into pursuant to the service provider oversight requirements; and
  • Written policies and procedures required to be adopted and implemented for the Disposal Rule.

Registered investment advisers will be required to preserve these records for five years, the first two in an easily accessible place.

United States | New DACA Report Breaks Down the Trillion-Dollar Cost of Ending the Program

Coalition for the American Dream published a report this week detailing the projected economic and societal costs of ending the Deferred Action for Childhood Arrivals program.

Key Points:

  • Coalition for the American Dream published the report days ahead of the 12th anniversary of the DACA program on June 15.
  • Current DACA recipients number more than 500,000. The report finds that future long-term economic losses and costs could approach $1 trillion over the lifetimes of DACA recipients.
  • Other economic and workforce impacts include:
    • As many as 168,000 U.S. jobs in DACA-owned businesses could be lost.
    • U.S. workforce losses could include 37,000 healthcare workers, 17,000 STEM professionals and 17,000 educators.
    • Lost business training and recruitment costs for current DACA employees could reach $8 billion.

Additional Information: The report’s demographic and economic estimates and business impacts are based in part on data collected in the U.S. Census Bureau’s 2022 American Community Survey, the March 2022-2023-2024 Current Population Surveys and data from U.S. Citizenship and Immigration Services.

Coalition for the American Dream is an organization of more than 100 businesses, trade associations and other groups representing every major sector of the U.S. economy and more than half of American private sector workers. Its mission is to seek the passage of bipartisan legislation that gives Dreamers a permanent solution.

BAL Analysis: The report notes if DACA ended and work authorizations were denied renewal, 440,000 workers would be forced from the U.S. workforce over a two-year period, with the most acute impact on health, education and STEM occupations. The business community continues to show strong support for DACA and the crucial role Dreamers play in the U.S. economy. Given the uncertain environment, DACA recipients who qualify for a renewal are urged to apply for one as soon as they can.

Biden Administration Announces Voluntary Carbon Market Principles

The recent Joint Policy Statement and Principles (Principles) released by the Biden Administration, and related remarks by Secretary of the Treasury Janet L. Yellen, mark a significant milestone in the development of the voluntary carbon market (VCM).

Our views on this announcement and a brief summary of these Principles are set out below.

This is a very encouraging, and intriguing, governmental announcement in respect of an unregulated, international market.

One of the critical aspects of this announcement is the US government’s approach to balancing market promotion with non-regulation. The VCM is notably unregulated, and the intention is for it to remain so. As such, the announcement appears to be striving to foster integrity and growth within the market whilst avoiding the imposition of rigid regulatory frameworks that could stifle growth. There is a clear nod from the government to the market’s voluntary nature, thereby allowing for flexibility and the opportunity for diverse, creative solutions to emerge. However, the VCM has faced challenges that are not unusual for a nascent, evolving market and the government clearly wants to stimulate the market by providing clear guidance that enhances trust and integrity. This delicate equilibrium is essential for the long-term success and scalability of the VCM.

These Principles therefore serve as voluntary (but government-endorsed) guidelines, moving towards establishing a structure that market participants can follow to ensure the credibility and reliability of carbon credits.

The Principles do not reshape the current market. They are based instead, in large part, on existing best practice advocated by private sector and non-governmental organisations and initiatives. We have considered in some detail in a prior article these existing quasi-regulatory bodies and their functions – much of which is echoed in the Principles.

The Principles seek to bolster integrity in three main areas: on the supply side, demand side and the actual market itself.

Supply-side

  • Principle 1 – “Integrity & Standards”: Carbon credits must meet strict integrity standards and be certified through robust, transparent verification processes to ensure additionality, quantifiability and permanence.
  • Principle 2 – “Avoid Harm”: Generating credits should cause no environmental or social harm and promote co-benefits including sustainable development and increased biodiversity, involving relevant stakeholders in the process.

Demand-side

  • Principle 3 – “Buyer Responsibility”: Companies offsetting credits should set net-zero strategies, maintain an inventory of emissions (detailing Scope 1, 2, and 3 emissions) and regularly report.
  • Principle 4 – “Transparency”: Companies offsetting credits should publicly disclose details of purchased and retired credits annually, ensuring information is accessible and comparable.
  • Principle 5 – “Accurate Claims”: Public offsetting claims must accurately reflect the climate impact of credits and only use those meeting high integrity standards, prioritising internal emissions reductions.

Market-side

  • Principle 6 – “Market Integrity”: Stakeholders should seek to improve market functionality, transparency and equity to enhance the market’s overall health and high integrity.
  • Principle 7 – “Facilitate Participation”: Policymakers and market participants should lower transaction costs and barriers for credit providers, ensuring market certainty and bankability of VCM projects, especially from developing regions.

On the supply side (Principles 1 and 2), inspiration has been drawn from, amongst other sources, the Core Carbon Principles and other standards of the Integrity Council for the Voluntary Carbon Market. On the demand side (Principles 3, 4 and 5), inspiration has been drawn from, amongst other sources, the Claims Code of Practice and other standards of the Voluntary Carbon Market Initiative. On the market side (Principles 6 and 7) the message is more general and is aimed at promoting the integrity of the standards/registries and their participants and focussing on the policymakers. The Principles conclude with a rallying cry for policymakers and buyers to consider ways to enhance market certainty for lenders undertaking long term investments. The current financing landscape of the VCM is an area which we have also considered in some detail in a prior article.

The Principles and comments from Treasury acknowledge that the VCM, in its current state, suffers from some key challenges that inhibit growth at the scale needed to achieve national and international climate goals. The seven Principles outlined above are the government’s initial efforts at assisting to overcome those challenges. They reflect the importance of a functioning carbon reduction infrastructure (both physical and financial) to the government, and a high level of understanding of the carbon abatement ecosystem. And, perhaps most importantly, these statements recognise and encourage the involvement and initiative of all participating stakeholders to take demonstrative steps to establish a market-based approach to carbon reduction. As Secretary Yellen’s statement says, “harnessing the power of markets and private capital is critical.”

While the VCM principles announcement reflects an attempt to improve confidence in voluntary carbon offsets, at the same time the US Department of Agriculture (USDA) signalled its interest in establishing public protocols specifically for third-party verification of offsets deriving from forestry and farming. This action reflects a keen interest on both sides of the political aisle in Congress. Sen. Debbie Stabenow (D-MI), chair of the Senate Agriculture Committee, noted that both the VCM principles and the USDA announcement established that, “Voluntary carbon credit markets generate new revenue streams for farmers, foresters, and rural communities, and there is clear enthusiasm across private industry and the public sector to tap into that potential.” Sen. Stabenow further notes that these actions “will strengthen the integrity of these markets and build a foundation for the future.”

The VCM principles and USDA statement can be seen as part of an effort to implement the Growing Climate Solutions Act which was designed to break down barriers for farmers, ranchers, and foresters interested in participating in carbon markets and in embracing so-called climate-smart agricultural practices. The Act was passed by Congress on a bipartisan basis and signed into law by President Biden on December 29, 2022. As the House and Senate consider “farm bills” in the near future, we can expect more action on agricultural offsets.

These announcements clearly underscore the government’s commitment to promoting the VCM without the enforcement of laws or regulations. It is a firm message of support for the VCM, and explicit recognition that development of the VCM is critical to unlocking carbon abatement projects globally. It clarifies that the current administration recognises the VCM as another component of the energy transition required to achieve national and international climate goals, as well as sustainable environmental practices. In particular, these seven Principles provide a framework that can guide the VCM’s growth. Whilst the Principles goldplate (rather than reinvent) existing best practice, this achieves the sensitive balancing act required from a government seeking to promote an unregulated market.

Cybersecurity Crunch: Building Strong Data Security Programs with Limited Resources – Insights from Tech and Financial Services Sectors

In today’s digital age, cybersecurity has become a paramount concern for executives navigating the complexities of their corporate ecosystems. With resources often limited and the ever-present threat of cyberattacks, establishing clear priorities is essential to safeguarding company assets.

Building the right team of security experts is a critical step in this process, ensuring that the organization is well-equipped to fend off potential threats. Equally important is securing buy-in from all stakeholders, as a unified approach to cybersecurity fosters a robust defense mechanism across all levels of the company.

This insider’s look at cybersecurity will delve into the strategic imperatives for companies aiming to protect their digital frontiers effectively.

Where Do You Start on Cybersecurity?

Pressures on corporate security teams are growing, both from internal stakeholders and outside threats, but the resources to do the job aren’t. So how can companies protect themselves in a real-world environment, where finances, employee time, and other resources are finite?

“You really have to understand what your company is in the business of doing,” said Brian Wilson, Chief Information Security Officer at SAS. “Every business will have different needs. Their risk tolerances will be different.”

For example, Tuttle said in the manufacturing sector, digital assets and data have become increasingly important in recent years. The physical product no longer is the end-all, be-all of the company’s success.

For cybersecurity professionals, this new reality leads to challenges and tough choices. Having a perfect cybersecurity system isn’t possible—not for a company doing business in a modern, digital world. Tuttle said, “If we’re going to enable this business to grow, we’re going to have to be forward-thinking.”

That means setting priorities for cybersecurity. Inskeep, who previously worked in cybersecurity for one of the world’s largest financial services institutions, said multi-factor authentication and controlling access is a good starting point, particularly against phishing and ransomware attacks. Also, he said companies need good back-up systems that enable them to recover lost data as well as robust incident response plans.

“Bad things are going to happen,” Wilson said. “You need to have logs and SIEMs to tell a story.”

Lisa Tuttle, Chief Information Security Officer at SPX Technologies, said one challenge in implementing an incident response plan is engaging team members who aren’t on the front lines of cybersecurity. “They need to know how to escalate quickly, because they are likely to be the first ones to see something that isn’t right,” she said. “They need to be thinking, ‘What should I be looking for and what’s my response?’”

Wilson said tabletop exercises and security awareness training “are a good feedback loop to have to make sure you’re including the right people. They have to know what to do when something bad happens.”

Building a Security Team

Hiring and maintaining good people in a harrowing field can be a challenge. Companies should leverage their external and internal networks to find data privacy and cybersecurity team members.

Wilson said SAS uses an intern program to help ensure they have trained professionals already in-house. He also said a company’s Help Desk can be a good source of talent.

Remote work also allows companies to cast a wider net for hiring employees. The challenge becomes keeping remote workers engaged, and companies should consider how they can make these far-flung team members feel part of the team.

Todd Inskeep, founder and cybersecurity advisor at Incovate Solutions, said burnout is a problem in the cybersecurity field. “It’s a job that can feel overwhelming sometimes,” he said. “Interacting with people and protecting them from that burnout has become more critical than ever.”

Weighing Levels of Compliance

The first step, Claypoole said, is understanding the compliance obligations the company faces. These obligations include both regulatory requirements (which are tightening) and contract terms from customers.

“For a business, that can be scary, because your business may be agreeing to contract terms with customers and they aren’t asking you about the security requirements in those contracts,” Wilson said.

The panel also noted that “compliance” and “security” aren’t the same thing. Compliance is a minimum set of standards that must be met, while security is a more wide-reaching goal.

But company leaders must realize they can’t have a perfect cybersecurity system, even if they could afford it. It’s important to identify priorities—including which operations are the most important to the company and which would be most disruptive if they went offline.

Wilson noted that global privacy regulations are increasing and becoming stricter every year. In addition, federal officials have taken criminal action against CSOs in recent years.

“Everybody’s radar is kind of up,” Tuttle said. The increasing compliance pressure also means it’s important for cybersecurity teams to work collaboratively with other departments, rather than making key decisions in a vacuum. Inskeep said such decisions need to be carefully documented as well.

“If you get to a place where you are being investigated, you need your own lawyer,” said Ted Claypoole, a partner at Womble Bond Dickinson.

Cyberinsurance is another consideration for data privacy teams, and it can help Chief Security Officers make the case for more resources (both financial and work hours). Inskeep said cyberinsurance questions also can help companies identify areas of risk and where they need to prioritize their efforts. Such priorities can change, and he said companies need to have a committee or some other mechanism to regularly review and update cybersecurity priorities.

Wilson said one positive change he’s seen is that top executives now understand the importance of cybersecurity and are more willing to include cybersecurity team members in the up-front decision-making process.

Bringing in Outside Expertise

Consultants and vendors can be helpful to a cybersecurity team, particularly for smaller teams. Companies can move certain functions to third-party consultants, allowing their own teams to focus on core priorities.

“If we don’t have that internal expertise, that’s a situation where we’d call in third-party resources,” Wilson said.

Bringing in outside professionals also can help a company keep up with new trends and new technologies.

Ultimately, a proactive and well-coordinated cybersecurity strategy is indispensable for safeguarding the digital landscape of modern enterprises. With an ever-evolving threat landscape, companies must be agile in their approach and continuously review and update their security measures. At the core of any effective cybersecurity plan is a comprehensive risk management framework that identifies potential vulnerabilities and outlines steps to mitigate their impact. This framework should also include incident response protocols to minimize the damage in case of a cyberattack.

In addition to technology and processes, the human element is crucial in cybersecurity. Employees must be educated on how to spot potential threats, such as phishing emails or suspicious links, and know what steps to take if they encounter them.

Key Takeaways:

  • What are the biggest risk areas and how do you minimize those risks?
  • Know your external cyber footprint. This is what attackers see and will target.
  • Align with your team, your peers, and your executive staff.
  • Prioritize implementing multi-factor authentication and controlling access to protect against common threats like phishing and ransomware.
  • Develop reliable backup systems and robust incident response plans to recover lost data and respond quickly to cyber incidents.
  • Engage team members who are not on the front lines of cybersecurity to ensure quick identification and escalation of potential threats.
  • Conduct tabletop exercises and security awareness training regularly.
  • Leverage intern programs and help desk personnel to build a strong cybersecurity team internally.
  • Explore remote work options to widen the talent pool for hiring cybersecurity professionals, while keeping remote workers engaged and integrated.
  • Balance regulatory compliance with overall security goals, understanding that compliance is just a minimum standard.

Copyright © 2024 Womble Bond Dickinson (US) LLP All Rights Reserved.

by: Theodore F. Claypoole of Womble Bond Dickinson (US) LLP

American Privacy Rights Act Advances with Significant Revisions

On May 23, 2024, the U.S. House Committee on Energy and Commerce Subcommittee on Data, Innovation, and Commerce approved a revised draft of the American Privacy Rights Act (“APRA”), which was released just 36 hours before the markup session. With the subcommittee’s approval, the APRA will now advance to full committee consideration. The revised draft includes several notable changes from the initial discussion draft, including:

  • New Section on COPPA 2.0 – the revised APRA draft includes the Children’s Online Privacy Protection Act (COPPA 2.0) under Title II, which differs to a certain degree from the COPPA 2.0 proposal currently before the Senate (e.g., removal of the revised “actual knowledge” standard; removal of applicability to teens over age 12 and under age 17).
  • New Section on Privacy By Design – the revised APRA draft includes a new dedicated section on privacy by design. This section requires covered entities, service providers and third parties to establish, implement, and maintain reasonable policies, practices and procedures that identify, assess and mitigate privacy risks related to their products and services during the design, development and implementation stages, including risks to covered minors.
  • Expansion of Public Research Permitted Purpose – as an exception to the general data minimization obligation, the revised APRA draft adds another permissible purpose for processing data for public or peer-reviewed scientific, historical, or statistical research projects. These research projects must be in the public interest and comply with all relevant laws and regulations. If the research involves transferring sensitive covered data, the revised APRA draft requires the affirmative express consent of the affected individuals.
  • Expanded Obligations for Data Brokers – the revised APRA draft expands obligations for data brokers by requiring them to include a mechanism for individuals to submit a “Delete My Data” request. This mechanism, similar to the California Delete Act, requires data brokers to delete all covered data related to an individual that they did not collect directly from that individual, if the individual so requests.
  • Changes to Algorithmic Impact Assessments – while the initial APRA draft required large data holders to conduct and report a covered algorithmic impact assessment to the FTC if they used a covered algorithm posing a consequential risk of harm to individuals, the revised APRA requires such impact assessments for covered algorithms to make a “consequential decision.” The revised draft also allows large data holders to use certified independent auditors to conduct the impact assessments, directs the reporting mechanism to NIST instead of the FTC, and expands requirements related to algorithm design evaluations.
  • Consequential Decision Opt-Out – while the initial APRA draft allowed individuals to invoke an opt-out right against covered entities’ use of a covered algorithm making or facilitating a consequential decision, the revised draft now also allows individuals to request that consequential decisions be made by a human.
  • New and/or Revised Definitions – the revised APRA draft’s definition section includes new terms, such as “contextual advertising” and “first party advertising.” The revised APRA draft also redefines certain terms, including “covered algorithm,” “sensitive covered data,” “small business” and “targeted advertising.”

Whistleblower Tax Fraud Lawsuit Against Bitcoin Billionaire Settles for $40 Million

MicroStrategy’s founder is alleged to have falsified tax documents for ten years. The settlement resolves the first whistleblower lawsuit filed under 2021 amendments to the DC False Claims Act.

Key Takeaways

  • On June 3, the District of Columbia Office of the Attorney General announced the $40 million settlement with Michael Saylor.
  • It is the largest income tax recovery in D.C. history.
  • The settlement, which resolves a qui tam lawsuit filed under the DC False Claims Act, underscores the power of whistleblowers in combatting tax fraud.

On June 3, the District of Columbia Office of the Attorney General (OAG) made a landmark announcement. The billionaire founder of MicroStrategy Incorporated, Michael Saylor, settled a tax fraud lawsuit for a staggering $40 million. This case, stemming from a qui tam whistleblower suit filed under the District’s False Claims Act, marks a significant milestone in the fight against tax fraud. The OAG declared this as the largest income tax recovery in D.C. history, underscoring the importance of this case.

The DC False Claims Act
This settlement is not just a victory for the District but also a testament to the power of whistleblowers. Under the 2021 extension of the D.C. False Claims Act, individuals have the power to file qui tam suits against large companies and suspected tax evaders. The 2021 amendments even offer monetary awards to those who report tax cheats. This settlement, the first settlement under these amendments, serves to put would-be tax cheats on notice.

As the District of Columbia expands its arsenal against tax fraud, other states should take note. The DC False Claims Act, now covering tax fraud, has become a powerful tool in the fight against financial misconduct. With the District joining the ranks of Delaware, Florida, Illinois, Indiana, Nevada, New York, and Rhode Island as states where false claims suits may be brought based on tax fraud claims, the fight against tax cheats looks promising.

The Case Against Saylor
In 2021, unnamed whistleblowers filed a lawsuit against Saylor, alleging that he had defrauded the District and failed to pay income taxes from 2014 to 2020. The OAG independently investigated these claims and filed a separate complaint against Saylor. The District’s lawsuit alleged that Saylor claimed to be a resident of Florida and Virginia to avoid paying over $25 million in income taxes. Another suit was filed against MicroStrategy, claiming it falsified records and statements that facilitated Saylor’s tax avoidance scheme.

The District’s allegations against Saylor paint a picture of a lavish lifestyle. Saylor is accused of unlawfully withholding tens of millions in tax revenue by claiming to live in a lower tax jurisdiction to avoid paying D.C. income taxes. The OAG’s investigation revealed that Saylor owned a 7,000-square-foot luxury penthouse overlooking the Potomac Waterfront and docked multiple yachts in the Washington Harbor. He purchased three luxury condominium units at 3030 K Street NW to combine into his current residence and a penthouse unit at the Eden Condominiums, 2360 Champlain St. NW. The Attorney General compiled several posts from Saylor’s Facebook, in which he boasted about the view from his D.C. residence.

Furthermore, the OAG found evidence that Saylor purchased a house in Miami Beach, obtained a Florida driver’s license, registered to vote in Florida, and falsely listed his residence on MicroStrategy W-2 forms. Attorney General Brian L. Schwalb stated, “Saylor openly bragged about his tax-evasion scheme, encouraging his friends to follow his example and contending that anyone who paid taxes to the District was stupid.”

The lawsuits allege that records from Saylor’s security detail provide Saylor’s physical location and travel from 2015 to 2020 and show that across six years, Saylor spent 449 days in Florida and 1,397 days in the District. Saylor allegedly directed MicroStrategy employees to aid his scheme to avoid paying District income taxes. The District claims that for the last ten years, MicroStrategy has falsely reported its income tax exemption on Saylor’s wages, claiming he was tax-exempt due to his residential status.

Saylor agreed to pay the District $40 million to resolve the allegations against him and MicroStrategy.

Copyright Kohn, Kohn & Colapinto, LLP 2024. All Rights Reserved.

by: Whistleblower Law at Kohn Kohn Colapinto of Kohn, Kohn & Colapinto

Acting U.S. Attorney Levy Forecasts False Claims Act COVID Cases Targeting Private Lenders Of CARES Act Loans That Failed In Their Obligation To Safeguard Government Funds

Acting U.S. Attorney Joshua Levy discussed the enforcement priorities for the Massachusetts U.S. Attorney’s Office (USAO) during a Q&A session on May 29, 2024, and made clear that the historical focus of the office remains the top priority: detecting and combating health care fraud, waste, and abuse. In particular, both Levy and Chief of the USAO’s Civil Division, Abraham George, have recently indicated that the government will pursue large dollar COVID fraud cases both criminally and civilly. As we have discussed previously, we expect False Claims Act (FCA) COVID cases to materialize in the coming years as the government zeroes in on wrongdoers via enhanced data analytics and AI tools as well as via traditional investigative methods and the forthcoming Whistleblower Rewards Program.

Recent COVID FinTech Lender, Kabbage, $120 MM False Claims Act Settlement

The recent Kabbage settlement is illustrative of the types of COVID cases the office is looking to bring pursuant to the FCA. Acting U.S. Attorney Levy discussed the settlement, announced in May, with the now-bankrupt online lender Kabbage Inc. Kabbage allegedly knowingly processed and submitted thousands of false claims for Paycheck Protection Program (PPP) loan forgiveness, loan guarantees, and processing fees. The PPP – a loan program for small businesses created via the Coronavirus Aid, Relief, and Economic Security (CARES) Act – was administered by the federal Small Business Administration (SBA). The CARES Act authorized private lenders to approve PPP loans for eligible borrowers, who could later seek forgiveness of the loans if they used the proceeds for eligible expenses, including employee payroll.

Among other things, participating PPP lenders were obligated to 1) confirm borrowers’ average monthly payroll costs by reviewing the PPP loan documentation; and 2) follow applicable Bank Secrecy Act/Anti-Money Laundering (BSA/AML) requirements. SBA guaranteed any unforgiven or defaulted PPP loans as long as the private lender adhered to PPP requirements.

Private lenders received a fixed fee calculated as a percentage of the loan amount. Here, U.S. Attorney Levy’s office alleged that Kabbage awarded inflated and fraudulent loans to maximize its profits, then sold its assets and left the remaining company financially depleted, leading to bankruptcy. Kabbage was allegedly aware of the following errors as of April 2020, failed to correct them, and continued to make improper loan disbursements after learning of the issues:

  1. double-counting state and local taxes paid by employees when calculating gross wages;
  2. failing to exclude annual compensation above $100,000 per employee; and
  3. improperly calculating employee leave and severance payments.

Kabbage also allegedly failed to implement fraud controls adequate to comply with PPP and BSA/AML requirements, knowingly:

  1. removing underwriting steps to facilitate processing a high volume of loan applications and maximizing loan processing fees;
  2. setting substandard fraud check thresholds;
  3. relying on automated tools that were inadequate in identifying fraud;
  4. devoting insufficient personnel to conduct fraud reviews;
  5. discouraging its fraud reviewers from requesting information from borrowers to substantiate their loan requests; and
  6. submitting to the SBA thousands of dubious PPP loan applications that were fraudulent or highly suspicious.

The settlement, which will result in the U.S. securing up to $120 million pursuant to bankruptcy proceedings, resolves qui tam complaints brought by two separate whistleblowers: an accountant who submitted PPP loan applications to multiple lenders and a former analyst in Kabbage’s collection department.

Predictions for Future COVID Fraud Enforcement

Acting U.S. Attorney Levy’s comments make clear that we can expect to see FCA COVID cases targeting private lenders of CARES Act loans that failed in their obligation to safeguard government funds. To date, COVID fraud prosecution has largely targeted “low-hanging fruit” criminal cases, such as those involving submission of false information to obtain COVID relief funding that the recipient spends on luxury items. We discussed in April that the COVID Fraud Enforcement Task Force (CFETF) and a bipartisan group of Senators had, via a report and draft legislation, pleaded with Congress to increase funding to prosecute COVID fraud. Investigations such as those involving Kabbage require a large investment of resources and, as U.S. Attorney Levy commented, his office must prioritize large-dollar COVID fraud cases most likely to result in specific and general fraud deterrence.

As we have written previously, the government is playing a long game tracking COVID fraud. The Justice Department’s CFETF reported in April that to date, the DOJ had seized or forfeited $1.4 billion in stolen relief funds, brought criminal charges against 3,500 defendants, and reached 400 civil settlements. With a ten-year statute of limitations and increasingly accurate data analytics tools, we expect the DOJ will continue to identify and recover misappropriated funds from large and lower-dollar fraudsters. So long as COVID fraud enforcement remains a well-funded priority of the government, we anticipate a steady stream of FCA COVID settlements involving lenders and borrowers. The government is casting a wide net to recoup the estimated nearly $300 billion lost to COVID fraud. We will continue to monitor and report on developments.

Paperless Power: Exploring the Legal Landscape of E-Signatures and eNotes

In an era characterized by rapid technological advancements and the profound shift towards remote work, the traditional concept of signing documents with pen and paper has evolved. Electronic signatures, or e-signatures, have emerged as a convenient and efficient alternative, promising to streamline processes, reduce paperwork, and enhance accessibility. Organizations are increasingly embracing e-signatures for a wide range of transactions, prompting a closer examination of their legal validity.

WHAT IS AN “E-SIGNATURE”?

An e-signature encompasses any electronic sound, symbol, or process associated with a record and executed with the intent to sign. These can range from scanned images of handwritten signatures to digital representations generated by specialized software.

GOVERNING LAW:

The governing law for e-signatures in the United States includes both state-specific laws, like those based on the Uniform Electronic Transactions Act (UETA), and the federal Electronic Signatures in Global and National Commerce Act (ESIGN). ESIGN applies to interstate and foreign transactions, harmonizing electronic transactions across state lines. Many states, including Massachusetts, have adopted UETA, reinforcing the legal standing of e-signatures within their jurisdictions (in Massachusetts, MUETA).

VALIDITY AND REQUIREMENTS:

Generally, e-signatures are legally binding in the Commonwealth of Massachusetts. However, certain documents like wills, adoption papers, and divorce decrees are excluded from the scope of ESIGN and MUETA to safeguard consumer rights and maintain traditional legal practices.

The following components must be present for e-signatures to be fully protected and upheld under ESIGN and MUETA:

  • Intent: each party intended to execute the document;
  • Consent: there must be express or implied consent from the parties to do business electronically (under MUETA, consumer consent disclosures may also be required). In addition, signers should also have the option to opt-out;
  • Association: the e-signature must be “associated” with the document it is intended to authenticate; and
  • Record Retention: records of the transaction and e-signature must be retained electronically.

Meeting these requirements ensures that e-signatures have the same legal validity and enforceability as traditional handwritten, wet-ink signatures in Massachusetts.

ENFORCEABILITY OF E-NOTES AND CONCERNS FOR FINANCIAL INSTITUTIONS:

An eNote is an electronically created, signed, and stored promissory note. It differs from scanned signatures on paper or PDF copies. Governed by Article 3 of the Uniform Commercial Code (UCC), eNotes are considered negotiable instruments and therefore require special treatment. ESIGN provides a framework for their use, emphasizing the concept of a “transferable record.” This electronic record, meeting UCC standards, grants the same legal rights as a traditional paper note to the person in “control.” The objective of “control” is for there to be a single authoritative copy of the promissory note that is unique, identifiable, and unalterable. Therefore, proving authenticity and lender control over eNotes can be complex.

In Massachusetts, specific foreclosure laws require the presentation of the original note. Thus, lenders should be cautious with eNotes, as possessing an original, physical note greatly reduces enforceability risk.

Further, financial institutions often face heightened scrutiny when using e-signatures because of the sensitive nature of financial transactions and the risks involved, and they must be able to demonstrate security, compliance, and consumer protection.

RECORDABLE DOCUMENTS:

E-signatures have become widely accepted for recording purposes, including in real estate transactions, due to their convenience and efficiency. The implementation of e-signatures for recording has been facilitated and standardized by legislation such as the Uniform Real Property Electronic Recording Act (URPERA). While URPERA offers a comprehensive framework for electronic recording, its adoption varies from state to state. In Massachusetts, URPERA has not yet been formally adopted, leaving recording procedures subject to individual county regulations.

BEST PRACTICES:

Despite the legal recognition of e-signatures under both ESIGN and MUETA, to ensure compliance, organizations should adopt the following best practices:

  1. Obtain Consent: Obtain (and retain) affirmative consent from parties to conduct transactions electronically.
  2. Association: Establish a clear and direct connection between an electronic signature and the electronic record it is intended to authenticate.
    • Embedding: One common method of meeting the association requirement is embedding e-signatures directly within electronic documents.
    • Metadata and Audit Trails: Another method is using metadata and audit trails. Metadata contains signature details like signing date, time, signer identity, and transaction specifics. Audit trails chronicle all document actions, reinforcing the link between signatures and records.
  3. Ensure the Integrity of Electronic Records
    • Authenticity and Integrity: Use secure methods to authenticate the identity of signatories and to ensure the integrity of the electronic records. This can include cryptographic digital signatures computed over the record itself (so that any later alteration is detectable at verification time), encryption, and secure access controls. Note that an e-signature being legally valid does not by itself prove the record is unaltered; that property comes from binding the signature to the record’s content.
    • Single Authoritative Copy: For transferable records (eNotes), ensure that there is a single authoritative copy that is unique, identifiable, and unalterable except through authorized actions.
  4. Maintain Accessibility and Retainability: Ensure that electronic records are retained in a format that is accessible and readable for the required retention period. This includes being able to accurately reproduce the record in its original form.
  5. Security Measures: Implement robust cybersecurity measures to protect against unauthorized access, alteration, or destruction of electronic records. This includes using firewalls, encryption, and secure user authentication methods.
  6. Provide Consumer Protections: Ensure that consumers have the option to receive paper records and can withdraw their consent to electronic records at any time.
  7. Legal and Regulatory Updates: Keep abreast of any updates or changes in the legal and regulatory landscape regarding electronic transactions and records. Adjust policies and practices accordingly to remain compliant.
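The “association” and “integrity” practices above are easier to see in code. The following Go program is an added example written for this page, not code from the article’s authors or from any e-signature product: it binds an Ed25519 signature to the SHA-256 hash of a record together with signer and timestamp metadata, verifies that binding, and fingerprints the resulting authoritative copy so that any change to the record or to its signature envelope is detected. The key pair, the sample note text, the signer name and the timestamp are all constructed for illustration; in a real deployment the key would be held in an HSM or issued by an identity provider, and identity proofing of the signer is a separate problem from what is shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Record is the electronic document being signed, e.g. an eNote body.
type Record struct {
	ID      string `json:"id"`
	Content string `json:"content"`
}

// Envelope is the signature metadata bound to exactly one record. Every field
// except Sig is covered by the signature, so altering the document hash, the
// signer identity or the timestamp invalidates it (audit trail integrity).
type Envelope struct {
	RecordID string `json:"record_id"`
	DocHash  string `json:"doc_hash"`  // SHA-256 of the canonical record bytes
	Signer   string `json:"signer"`    // asserted signer identity
	SignedAt string `json:"signed_at"` // RFC 3339 UTC timestamp
	PubKey   string `json:"pub_key"`   // hex Ed25519 public key used to sign
	Sig      string `json:"sig"`       // hex Ed25519 signature over the rest
}

// NewSigner generates an Ed25519 key pair (hypothetical: stands in for an
// HSM- or IdP-issued signing key).
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// canonical serialises a value deterministically: encoding/json emits struct
// fields in declaration order, so equal values give equal bytes. Marshalling
// these fixed struct types cannot fail, so the error is discarded.
func canonical(v any) []byte {
	b, _ := json.Marshal(v)
	return b
}

func docHash(r Record) string {
	h := sha256.Sum256(canonical(r))
	return hex.EncodeToString(h[:])
}

// payload returns the bytes the signature covers: the envelope with Sig blank.
func payload(e Envelope) []byte {
	e.Sig = ""
	return canonical(e)
}

// Sign binds signer, time and key to the hash of r (the "association" step).
func Sign(priv ed25519.PrivateKey, signer string, signedAtUnix int64, r Record) Envelope {
	e := Envelope{
		RecordID: r.ID,
		DocHash:  docHash(r),
		Signer:   signer,
		SignedAt: time.Unix(signedAtUnix, 0).UTC().Format(time.RFC3339),
		PubKey:   hex.EncodeToString(priv.Public().(ed25519.PublicKey)),
	}
	e.Sig = hex.EncodeToString(ed25519.Sign(priv, payload(e)))
	return e
}

// Verify checks that the envelope names a trusted key, that the signature is
// valid over the envelope (authenticity, untouched metadata), and that the
// envelope still matches the record presented (association and integrity).
func Verify(trusted ed25519.PublicKey, e Envelope, r Record) bool {
	pub, err := hex.DecodeString(e.PubKey)
	if err != nil || !trusted.Equal(ed25519.PublicKey(pub)) {
		return false
	}
	sig, err := hex.DecodeString(e.Sig)
	if err != nil || !ed25519.Verify(trusted, payload(e), sig) {
		return false
	}
	return e.RecordID == r.ID && e.DocHash == docHash(r)
}

// AuthoritativeCopyID fingerprints the single authoritative copy (record plus
// envelope). Any change to either yields a different identifier.
func AuthoritativeCopyID(r Record, e Envelope) string {
	h := sha256.New()
	h.Write(canonical(r))
	h.Write(canonical(e))
	return hex.EncodeToString(h.Sum(nil))
}

func main() {
	pub, priv := NewSigner()
	note := Record{ID: "note-0001", Content: "Borrower promises to pay $250,000 ..."} // constructed sample
	env := Sign(priv, "Jane Borrower", 1717254245, note)
	fmt.Println("original verifies:", Verify(pub, env, note))
	altered := note
	altered.Content = "Borrower promises to pay $25,000 ..."
	fmt.Println("altered verifies: ", Verify(pub, env, altered))
	fmt.Println("authoritative copy:", AuthoritativeCopyID(note, env)[:16])
}
```

Two design points matter for the legal requirements. The signature covers the whole envelope, not only the document, so the audit metadata (who signed, when, with which key) cannot be edited after the fact without invalidating the signature. And verification recomputes the hash of the record actually presented and compares it with the hash recorded at signing, which turns “association” from something asserted into something checked: the $250,000 note and its $25,000 variant produce different hashes, so the original envelope refuses the altered copy.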

CONCLUSION:

While e-signatures offer significant benefits for modern commerce, including efficiency and convenience, their adoption requires careful consideration, especially regarding legal and regulatory compliance. By adhering to best practices and remaining vigilant, businesses and individuals can leverage e-signatures effectively in today’s digital economy.

CFPB Launches Public Inquiry into Rising Mortgage Closing Costs and ‘Junk Fees’

Go-To Guide:
  • The Consumer Financial Protection Bureau (CFPB) has launched a public inquiry into rising mortgage closing costs, seeking to understand the reasons behind the increase, identify who benefits, and find ways to reduce costs for both borrowers and lenders.
  • This inquiry, part of a broader effort against “junk fees,” aims to gather public input on the impact of these fees on consumers’ financial health and the mortgage lending market, with a focus on third-party costs, fee beneficiaries, and the evolving nature of these expenses.

On May 30, 2024, the CFPB issued a new request for information (RFI) from the public regarding “why closing costs are increasing, who is benefiting, and how costs for borrowers and lenders could be lowered.”

As part of a wider effort targeting what both the CFPB and the Biden administration refer to as “junk fees,” the CFPB is focusing on evaluating how these fees affect consumers’ financial health and the broader impact on mortgage lenders. This follows the CFPB’s continued expression of interest in “junk fees,” on which GT reported in a May 2024 blog post.

“Junk fees and excessive closing costs can drain down payments and push up monthly mortgage costs,” CFPB Director Rohit Chopra said in a separate press release. “The CFPB is looking for ways to reduce anticompetitive fees that harm both homebuyers and lenders.”

The Request for Information

According to a recent CFPB analysis, mortgage closing costs surged by over 36% from 2021 to 2023. The CFPB alleges that these unavoidable fees can strain household budgets and limit the ability to afford a down payment, while also hindering lenders from offering competitive mortgage options due to the higher costs they must absorb or pass on.

The CFPB is seeking public input to address these concerns and make mortgage costs more manageable. Some key areas of interest include:

  • Competitive pressure. The CFPB aims to evaluate the extent to which consumers or lenders currently apply competitive pressure on third-party closing costs, seeking to understand market barriers that limit competition.
  • Fee beneficiaries. The CFPB aims to identify the beneficiaries of required services and determine whether lenders have control or influence over the third-party costs that are transferred to consumers.
  • How fees are evolving and their impact on consumers. The CFPB seeks details on which expenses have surged the most in recent years and the factors driving these increases, such as the higher prices for credit reports and credit scores. Additionally, the CFPB is interested in understanding how closing costs affect housing affordability, access to homeownership, and home equity.

Takeaways

The CFPB oversees numerous laws and regulations concerning mortgage lending and real estate settlement, such as the Truth in Lending Act, the Fair Credit Reporting Act, and the Real Estate Settlement Procedures Act. The insights gained from this inquiry are poised to shape rulemaking, guidance, and various policy initiatives moving forward.

The CFPB invites comments and data from the public and stakeholders within 60 days of the RFI being published in the Federal Register.

We have provided ongoing analysis and commentary on this issue as it has developed, including on legislative and regulatory efforts to curb “junk fees.”

Zeba Pirani contributed to this article

Mandatory Cybersecurity Incident Reporting: The Dawn of a New Era for Businesses

A significant shift in cybersecurity compliance is on the horizon, and businesses need to prepare. Under a rule proposed in 2024, organizations will face new requirements to report cybersecurity incidents and ransomware payments to the federal government. This change stems from the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issuing a Notice of Proposed Rulemaking (NPRM) on April 4, 2024. The NPRM implements the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Essentially, this means that “covered entities” must report specific cyber incidents and ransom payments to CISA within defined timeframes.

Background

Back in March 2022, President Joe Biden signed CIRCIA into law. This was a big step towards improving America’s cybersecurity. The law requires CISA to create and enforce regulations mandating that covered entities report cyber incidents and ransom payments. The goal is to help CISA quickly assist victims, analyze trends across different sectors, and share crucial information with network defenders to prevent other potential attacks.

The proposed rule is open for public comments until July 3, 2024. CISA then has 18 months from the NPRM to finalize the rule, which puts the expected final rule at around October 4, 2025, with reporting obligations expected to take effect in early 2026. This document provides an overview of the NPRM, highlighting its key points from the detailed Federal Register notice.

Cyber Incident Reporting Initiatives

CIRCIA includes several key requirements for mandatory cyber incident reporting:

  • Cyber Incident Reporting Requirements – CIRCIA mandates that CISA develop regulations requiring covered entities to report any covered cyber incidents within 72 hours from the time the entity reasonably believes the incident occurred.
  • Federal Incident Report Sharing – Any federal entity receiving a report on a cyber incident after the final rule’s effective date must share that report with CISA within 24 hours. CISA will also need to make information received under CIRCIA available to certain federal agencies within the same timeframe.
  • Cyber Incident Reporting Council – The Department of Homeland Security (DHS) must establish and chair an intergovernmental Cyber Incident Reporting Council to coordinate, deconflict, and harmonize federal incident reporting requirements.

Ransomware Initiatives

CIRCIA also authorizes or mandates several initiatives to combat ransomware:

  • Ransom Payment Reporting Requirements – CISA must develop regulations requiring covered entities to report to CISA within 24 hours of making any ransom payments due to a ransomware attack. These reports must be shared with federal agencies similarly to cyber incident reports.
  • Ransomware Vulnerability Warning Pilot Program – CISA must establish a pilot program to identify systems vulnerable to ransomware attacks and may notify the owners of these systems.
  • Joint Ransomware Task Force – CISA has announced the launch of the Joint Ransomware Task Force to build on existing efforts to coordinate a nationwide campaign against ransomware attacks. This task force will work closely with the Federal Bureau of Investigation and the Office of the National Cyber Director.

Scope of Applicability

The regulation targets many “covered entities” within critical infrastructure sectors. CISA clarifies that “covered entities” encompass more than just owners and operators of critical infrastructure systems and assets. Entities actively participating in these sectors might be considered “in the sector,” even if they are not critical infrastructure themselves. Entities uncertain about their status are encouraged to contact CISA.

Critical Infrastructure Sectors

CISA’s interpretation includes entities within one of the 16 sectors defined by Presidential Policy Directive 21 (PPD-21): Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.

Covered Entities

CISA aims to include small businesses that own and operate critical infrastructure by setting additional sector-based criteria. The proposed rule applies to organizations falling into one of two categories:

  1. Entities operating within critical infrastructure sectors, except small businesses
  2. Entities in critical infrastructure sectors that meet sector-based criteria, even if they are small businesses

Size-Based Criteria

The size-based criteria use Small Business Administration (SBA) standards, which vary by industry and are based on annual revenue and number of employees. Entities in critical infrastructure sectors exceeding these thresholds are “covered entities.” The SBA standards are updated periodically, so organizations must stay informed about the current thresholds applicable to their industry.

Sector-Based Criteria

The sector-based criteria target essential entities within a sector, regardless of size, based on the potential consequences of disruption. The proposed rule outlines specific criteria for nearly all 16 critical infrastructure sectors. For instance, in the information technology sector, the criteria include:

  • Entities providing IT services for the federal government
  • Entities developing, licensing, or maintaining critical software
  • Manufacturers, vendors, or integrators of operational technology hardware or software
  • Entities involved in election-related information and communications technology

In the healthcare and public health sector, the criteria include:

  • Hospitals with 100 or more beds
  • Critical access hospitals
  • Manufacturers of certain drugs or medical devices

Covered Cyber Incidents

Covered entities must report “covered cyber incidents,” which include significant loss of confidentiality, integrity, or availability of an information system, serious impacts on operational system safety and resiliency, disruption of business or industrial operations, and unauthorized access due to third-party service provider compromises or supply chain breaches.

Significant Incidents

This definition covers substantial cyber incidents regardless of their cause, such as third-party compromises, denial-of-service attacks, and exploitation of vulnerabilities in open-source code. However, mere threats, and activity carried out at the request of the system’s owner or operator (for example, authorized penetration testing), are not included. Substantial incidents include encryption of core systems, exploitation causing extended downtime, and ransomware attacks on industrial control systems.

Reporting Requirements

Covered entities must report cyber incidents to CISA within 72 hours of reasonably believing an incident has occurred. Reports must be submitted via a web-based “CIRCIA Incident Reporting Form” on CISA’s website and include extensive details about the incident and ransom payments.

Report Types and Timelines

  • Covered Cyber Incident Reports within 72 hours of identifying an incident
  • Ransom Payment Reports due to a ransomware attack within 24 hours of payment
  • Joint Covered Cyber Incident and Ransom Payment Reports within 72 hours for ransom payment incidents
  • Supplemental Reports within 24 hours if new information or additional payments arise

Entities must retain data used for reports for at least two years. They can authorize a third party to submit reports on their behalf but remain responsible for compliance.

Exemptions for Similar Reporting

Covered entities may be exempt from CIRCIA reporting if they have already reported to another federal agency, provided an agreement exists between CISA and that agency. This agreement must ensure the reporting requirements are substantially similar, and the agency must share information with CISA. Federal agencies that report to CISA under the Federal Information Security Modernization Act (FISMA) are exempt from CIRCIA reporting.

These agreements are still being developed. Entities reporting to other federal agencies should stay informed about their progress to understand how they will impact their reporting obligations under CIRCIA.

Enforcement and Penalties

The CISA director can issue a request for information (RFI) if an entity fails to submit a required report. Non-compliance can lead to civil action or court orders, including penalties such as suspension or debarment from, and other restrictions on, future government contracting. False statements in reports may result in criminal penalties.

Information Protection

CIRCIA protects reports and RFI responses, including immunity from enforcement actions based solely on report submissions and protections against legal discovery and use in proceedings. Reports are exempt from Freedom of Information Act (FOIA) disclosures, and entities can designate reports as “commercial, financial, and proprietary information.” Information can be shared with federal agencies for cybersecurity purposes or specific threats.

Business Takeaways

Although the final rule is not expected until late 2025, companies should begin preparing now. Entities should review the proposed rule to determine if they qualify as covered entities and understand the reporting requirements, then adjust their security programs and incident response plans accordingly. Creating a regulatory notification chart that lists each reporting obligation, its trigger, and its deadline (for example, 72 hours for a covered cyber incident and 24 hours for a ransom payment under CIRCIA) can help track the various incident reporting obligations. Proactive measures and potential formal comments on the proposed rule can aid in compliance once the rules are finalized.

These steps are designed to guide companies in preparing for CIRCIA, though each company must assess its own needs and procedures within its specific operational, business, and regulatory context.
