Category: Administrative & Regulatory

The Rise of Annuities – A Riddle Wrapped in a Mystery Inside an Enigma? [Podcast]

“A riddle wrapped in a mystery inside an enigma.” That’s Winston Churchill describing Russia in 1939. The words puzzle and paradox have long been associated with annuities, marking them as one of the most difficult financial products to demystify. Recently, there has been a significant increase in annuity sales, which has added to the enigma. Why are they suddenly becoming so popular? Estate planning attorneys should know at least some basics.

The Original Annuity Riddle

The original annuity puzzle (the annuity market participation puzzle) refers to the economic paradox where retirees rarely choose to annuitize their wealth despite theoretical models suggesting this would be optimal for lifetime consumption smoothing and longevity risk protection. Classical economic theory, particularly as developed by Yaari (1965) (1), suggests that risk-averse individuals without strong bequest motives should convert a substantial portion of their wealth into lifetime annuities to hedge against outliving their assets; this optimizes their economic utility. They benefit from the insurance aspect of an annuity. Payouts are generally guaranteed for a lifetime, but the contract is priced according to average life expectancies.

However, in practice, voluntary annuity participation rates remain remarkably low across most developed countries. This discrepancy between theoretical predictions and observed behavior has sparked extensive research into potential explanations, including behavioral biases, bequest motives, concerns about healthcare costs, mistrust of insurance companies, desire for liquidity, existing annuities through Social Security and pensions, and the role of family risk-sharing.

The disinterest in annuities seems to be changing. Figure 1 shows a very recent trend of significantly increased annuity sales.

Growth in Annuity Sales Volume since 2004. Data from LIMRA

Figure 1: Growth in Annuity Sales Volume since 2004. Data from LIMRA. © wealthcarelawyer.com

The New Annuity Mystery – Why are Annuities Suddenly so Attractive?

There is no definitive answer. However, it is interesting that growth is driven almost exclusively by fixed annuities. A fixed annuity provides a guaranteed interest rate and principal protection since the insurance company bears the investment risk, but it typically offers lower potential returns with simpler features and lower fees. This maximizes the insurance aspect of an annuity.

In contrast, the returns of a variable annuity are tied to the performance of an investment portfolio chosen by the owner who bears the investment risk. These annuities offer higher potential returns and associated downside risk but with more complex features, higher management fees, and optional features like guaranteed income riders.

The most recent record federal deficit increase (red) seems to precede the increase in annuity sales. In contrast, good stock market performance should reduce the interest in annuities.

Figure 2: The most recent record federal deficit increase (red) seems to precede the increase in annuity sales. In contrast, good stock market performance should reduce the interest in annuities.

© wealthcarelawyer.com

Annuities are priced by calculating the present value of future payment obligations, adjusted for mortality risk, expenses, and profit margins. Insurance companies start with the principal investment and determine what payment stream they can provide based on current interest rates, actuarial tables (which predict how long they will need to make payments), their operating costs, and their desired profit margin. Higher interest rates generally allow for larger payments. In contrast, longer life expectancies, additional guarantee features, and higher expenses reduce the payment amounts the insurer can offer for a given principal investment.

In the first quarter of 2024, annuity sales reached a record $113.5 billion, marking the highest first-quarter sales figure in the 40-year history of Limra’s data tracking. While it is unclear what caused the sudden increase in the popularity of annuities, we believe that concern for the viability of Social Security because of the ballooning deficit may have contributed to it. LIMRA offers an alternative evaluation:

“Favorable economic conditions and demographic shifts have driven demand for investment protection and guaranteed lifetime income solutions that are unique to annuity products. During their discussion, Hodgens focused on the economic factors, such as higher interest rates and prolonged market volatility, which have enhanced the value and appeal of fixed annuity products, particularly fixed-rate deferred (FRD) and fixed indexed annuities (FIA).” (2).

It is also possible that current affluent baby boomers, as the sandwich generation, see value in diversifying with annuities: The annuity is considered spending money to help assure a certain standard of living, while investments are invaded only sparingly to allow for a growing legacy for the next generation. A guaranteed income stream from an annuity can provide psychological permission for retirees to spend more freely on themselves. Without an annuity, many retirees tend to be overly conservative with spending, worried about depleting their savings too quickly or not having enough for longevity and emergencies.

The Annuity Product Enigma

In an effort to make annuities more attractive, the industry has developed numerous products that address various concerns and preferences clients may have. As a general rule, many of the special flavors partially defeat the economic purpose of an annuity, which is utility maximization for persons without a strong bequest motive.

Some of the major annuity families and species

Figure 3: Some of the major annuity families and species. © wealthcarelawyer.com

Annuity contracts have evolved from basic guaranteed income instruments into complex financial products, each structured to address specific risk-transfer and income objectives. This evolution has produced three distinct primary classifications: Fixed, Variable, and Indexed annuities.

Fixed Annuities represent the foundational form. The Single Premium Immediate Annuity (SPIA) facilitates direct risk transfer through immediate income guarantees, leveraging mortality credits to enhance returns. Deferred Income Annuities (DIAs) modify this framework by introducing a time delay element, optimizing for future income maximization. Qualified Longevity Annuity Contracts (QLACs) emerged as a specialized adaptation to retirement account regulations, permitting Required Minimum Distribution deferral to age 85, subject to statutory limitations ($200,000). Multi-Year Guaranteed Annuities (MYGAs) provide fixed-rate guarantees over specified periods, offering liquidity features absent in traditional fixed annuities.

Variable Annuities evolved to incorporate market exposure through separate account structures. The basic Investment-Only variant provides tax-deferred market participation, while Living Benefit riders introduced protective features:

  • Guaranteed Lifetime Withdrawal Benefits (GLWB) ensure sustained withdrawal rates
  • Guaranteed Minimum Income Benefits (GMIB) protect future income bases
  • Guaranteed Minimum Accumulation Benefits (GMAB) provide principal protection parameters

Indexed Annuities represent a hybrid development, linking returns to market indices while maintaining principal protection. Structured/Buffered variants modify this framework by accepting defined downside exposure in exchange for enhanced participation rates.

Tax treatment bifurcates between:

  • Qualified: Pre-tax funding, full distribution taxation
  • Non-Qualified: After-tax funding, exclusion ratio calculations

Contract modifications across all variants may include:

  • Mortality benefit enhancements
  • Inflation adjustment mechanisms
  • Long-term care provisions
  • Premium return options
  • Distribution structure alternatives

This taxonomic framework provides the foundation for analyzing suitability, tax implications, and regulatory considerations across various client objectives and constraints.

Client Self Help

More information about annuities is not necessarily more helpful to consumers: “More complete, and therefore more complex information about annuity products leads to reduced attention and produces worse consumer choices. In an eye-tracking experiment comparing consumer response to a real, relatively brief annuity brochure and an edited and shortened version of the same brochure, we find that the more complex the materials, the faster attention declines.” (3).

This underscores the need for a learned intermediary to digest the information and to tailor it to the individual’s needs, preferences, and financial situation, who can ask clarifying questions to ascertain understanding.

Given a certain contract amount and their ages, many clients want to know what monthly or annual income they can expect given the current rate structures. The Annuity Calculator by annuity.org promises to do that. Others, such as Schwab, have similar annuity calculators, and results may differ.

How to Help Your Estate Planning Clients

The increasing complexity and popularity of annuity products present both opportunities and challenges for estate planning attorneys. Given the recent surge in annuity sales and evolving product complexity, attorneys must establish clear parameters for client discussions regarding these financial instruments.

Estate planning attorneys can appropriately address annuities by maintaining strict professional boundaries while providing valuable guidance. The fundamental framework involves three key components: permissible discussion parameters, professional referral protocols, and risk management considerations.

Permissible Discussion Parameters: Estate planning attorneys may appropriately discuss the theoretical foundations of annuities, including their role in consumption smoothing and longevity risk protection as established in classical economic theory. Discussions may encompass general tax implications, basic product classifications (fixed, variable, and indexed), and integration with estate planning objectives.

Professional Referral Protocols: Given the product complexity illustrated in the annuity taxonomy, specific product recommendations should be deferred to qualified specialists. Appropriate referral channels include:

  • Independent Annuity Brokers
  • Independent Insurance Advisors
  • Certified Financial Planners (CFPs)
  • Chartered Life Underwriters (CLUs)

Risk Management Considerations Documentation protocols should include:

  • Contemporaneous recording of annuity-related discussions
  • Specific referral documentation
  • Clear delineation of scope limitations regarding product recommendations

The attorney’s role should focus on identifying how annuity contracts may integrate with broader estate planning objectives while ensuring clients receive specialized guidance for product selection. This approach aligns with the current market dynamics where product complexity demands specialized expertise beyond the scope of general estate planning practice.

Professional network development should emphasize relationships with independent advisors who maintain appropriate licensing and demonstrate expertise in the evolving annuity marketplace. This network enables appropriate delegation of product-specific guidance while maintaining the attorney’s role in the overall estate planning strategy.

This framework enables estate planning attorneys to address the increasing relevance of annuity products while maintaining appropriate professional boundaries and ensuring clients receive comprehensive guidance from qualified specialists regarding specific product selection and implementation.

Podcast

References

  1. Yaari, M.E., 1965. Uncertain lifetime, life insurance, and the theory of the consumer. The Review of Economic Studies32(2), pp.137-150.
  2. LIMRA, Building on the Record Annuity Sales Momentum, LIMRA (May 22, 2024), https://www.limra.com/en/newsroom/industry-trends/2024/building-on-the-record-annuity-sales-momentum/.
  3. Harvey, Joseph, John G. Lynch, Philip Fernbach, and Ji Hoon Jhang. “Information Overload in Consumer Response to Annuities: Eye-Tracking and Behavioral Evidence.” Consumer Financial Protection Bureau Office of Research Working Paper 23-01 (2023).

https://papers.ssrn.com/sol3/Delivery.cfm?abstractid=4394792

Further reading focused on Income Annuities

  1. LIMRA. (2024, May 22). First Quarter U.S. Annuity Sales Mark 14th Consecutive Quarter of Growth. Retrieved from https://www.limra.com/en/newsroom/news-releases/2024/limra-first-quarter-u.s.-annuity-sales-mark-14th-consecutive-quarter-of-growth/
  2. Fidelity Investments. (2023, June 5). Understanding Annuities. Retrieved from https://www.fidelity.com/learning-center/personal-finance/retirement/what-is-an-annuity
  3. Williams, R. (2023, April 12). The Case for Income Annuities When Rates Are Up. Retrieved from https://www.schwab.com/learn/story/case-income-annuities-when-rates-are-up
  4. Institute of Business and Finance. (2023, January). Certified Annuity Specialist Course Materials.
  5. Financial Industry Regulatory Authority. (2022, July 15). Deferred Income Annuities: Plan Now for Payout Later. Retrieved from https://www.finra.org/investors/insights/deferred-income-annuities
  6. Pfau, W. (2020, May 5). Income Annuities: The Guaranteed Stream Of Income In Retirement. Retrieved from https://www.forbes.com/sites/wadepfau/2020/05/05/income-annuities-the-guaranteed-stream-of-income-in-retirement/?sh=1f05b93e5143
  7. Kitces, M. (2015, April 1). Understanding The Role Of Mortality Credits – Why Immediate Annuities Beat Bond Ladders For Retirement Income. Retrieved from https://www.kitces.com/blog/understanding-the-role-of-mortality-credits-why-immediate-annuities-beat-bond-ladders-for-retirement-income/
  8. Cruz, H. (2005, July 24). Lifetime Income Benefit Rider vs. Annuitization. Retrieved from https://www.chicagotribune.com/news/ct-xpm-2005-07-24-0507240025-story.html
  9. Pfau, W. (n.d.). What Is a Safety-First Retirement Plan? Retrieved from https://retirementresearcher.com/what-is-a-safety-first-retirement-plan/
© 2024 wealthcarelawyer.com. All rights reserved.
For more on Annuities, visit the NLR Estates Trusts section

SEC Enforcement Director Highlights Increased Penalties for Violations of Whistleblower Rule

Recently, the U.S. Securities and Exchange Commission (SEC) has increased enforcement efforts around the whistleblower protection rule Rule 21F-17(a) which prohibits companies from impeding the ability of individuals to blow the whistle on potential securities law violations to the Commission. Most notably, the rule prohibits overly broad non-disclosure agreements and other employment agreements which restrict whistleblowing.

In remarks delivered November 6 at Securities Enforcement Forum D.C. 2024, Sanjay Wadhwa, the SEC’s Acting Director of the Division of Enforcement noted the importance of these enforcement efforts and highlighted the increased penalties levied by the Commission in Rule 21F-17(a) cases.

“The SEC’s whistleblower program plays a critical role in our ability to effectively detect wrongdoing, protect investors and the marketplace, and hold violators accountable.” Wadhwa said. “But that program only works if whistleblowers have unfettered ability to share with the SEC information about possible securities law violations. However, all too often we have seen, for example, confidentiality agreements and employment agreements by various advisory firms and public companies that impede that ability, including by limiting customers’ ability to voluntarily contact the SEC or by requiring employees to waive the right to a monetary award for participating in a government investigation. So this past fiscal year, and the year prior, the Commission brought a series of enforcement actions to address widespread violations.”

“There was a similar series of actions addressing this issue some years back,” Wadhwa continued. “And I think for a while there was better compliance, but then things slipped and we’re back here. So, this time around the Commission authorized what I view to be fittingly robust remedies, including the largest penalty on record for a standalone violation of the whistleblower protection rule. It is my hope that these enforcement actions will have a significant deterrent effect and will lead to greater and sustained proactive compliance.”

The record penalty referenced by Wadhwa was an $18 million penalty levied against J.P. Morgan in January. According to the SEC, J.P. Morgan regularly had retail clients sign confidential release agreements which did not permit clients to voluntarily contact the SEC.

In enforcing Rule 21F-17(a), the SEC has found illegal language in severance or separation agreements, employee contracts, settlement agreements and compliance manuals. Language in the various types of contracts found to violate Rule 21F-17(a) has included requiring the prior consent of the company before disclosing confidential information to regulators, preventing the employee from initiating contact with regulators, requiring the employee to waive their right to awards from whistleblowing award programs, including a “non-disparagement clause” that specifically included the SEC as a party the employee could not “disparage” the company to, and requiring the employee to inform the company soon after reporting information to the SEC.

Copyright Kohn, Kohn & Colapinto, LLP 2024. All Rights Reserved.
For more on Whistleblowers, visit the NLR Criminal Law Business Crimes section.

The CTA Filing Deadline is Approaching. Is Your BOIR Filed Yet?

The clock is ticking—just 49 days remain until the one-year filing deadline for the Corporate Transparency Act (CTA)! Entities established before January 1, 2024, must submit a beneficial owner information report (BOIR) by December 31, 2024.

The CTA is a new reporting requirement that came into effect on January 1, 2024. The CTA requires any entity created by or registered to do business by the filing of a document with a secretary of state, or another similar office, to report its information and its beneficial owners to the Financial Crimes Enforcement Network (FinCEN), which is a bureau of the United States Treasury. The goal is to decrease money laundering and fraud.

We previously published advisories on the general application of the CTA and its specific application to entities created for estate planning purposes. The rules and guidelines about which we previously reported are largely unchanged. A reporting company still needs to report its legal name, all trades and d/b/a names, address, and beneficial owners. Beneficial owners are those with substantial control or who own or control 25% or more of the reporting company, directly or indirectly. The reporting company needs to report each beneficial owner’s name, date of birth, residential address, and an identifying number and image from one of four acceptable identification documents.

Although the CTA was declared unconstitutional by a federal district court in Alabama, the ruling only prevents the CTA’s enforcement on the parties directly involved in the case. The court did not issue a nationwide ruling to prevent the law from being enforced. Thus, other companies are expected to continue filing BOIRs. The Alabama case is currently on appeal and oral arguments were held at the end of September 2024.

FinCEN has been periodically updating its Frequently Asked Questions to provide some clarification since the CTA became effective. We outline the most relevant guidance below:

General Updates:

  1. Entities that are created before January 1, 2024, even if dissolved sometime in 2024 before the December 31, 2024, deadline, must still report their information and beneficial owners by December 31, 2024.
  2. Entities that are created in 2024 have 90 days to file the BOIR. Entities created on or after January 1, 2025, will have 30 days to file the BOIR. Entities that are created in 2024 but are wound up, dissolved, or otherwise cease to exist must still file the BOIR with FinCEN.
  3. Beneficial ownership is determined in the aggregate. This means that companies need to analyze each beneficial owner to determine if he or she indirectly/directly substantially controls or owns 25% or more of a reporting company. For example, Individual X owns 10% of Company Y. Individual X is also trustee of a trust that owns 20% of Company Y. Individual X needs to be reported as a beneficial owner because he owns an aggregate 30% of the company.
  4. Beneficial owners may now apply for a FinCEN Identifier here. This allows the beneficial owners to report their information to FinCEN directly, obtain an Identifier number, and simply provide the Identifier to those reporting companies of which he or she is a beneficial owner. This prevents a beneficial owner from having to share personal and sensitive information with a company. This also streamlines the process for any change in the beneficial owner’s information. Each beneficial owner can log into FinCEN and simply update the information within 30 days of the change rather than first providing it to the reporting company and then the company filing a new BOIR to update the information.

a. In order to create a FinCEN Identifier, an individual will have to create a login.gov account. This is the account that the federal government is using to streamline many of its services, such as, global entry and applying for federal jobs.

5. Reporting companies may complete and submit a BOIR online here. A company could also submit a PDF of the report at the same link if it chose to complete a paper copy. There is no fee to submit online. There are also many vendors offering a service to assist with the process and submit the report for a fee.

Real Estate/Corporate Updates:

6.FinCEN clarified that the subsidiary exemption applies when a subsidiary’s ownership interests are entirely controlled or wholly owned, directly, or indirectly, by any of the following types of exempt entities: (1) Securities reporting issuer; (2) Governmental authority; (3) Bank; (4) Credit union; (5) Depository institution holding company; (6) Broker or dealer in securities; (7) Other Exchange Act registered entity; (8) Investment company or investment adviser; (9) Venture capital fund adviser; (10) Insurance company; (11) State-licensed insurance producer; (12) Commodity Exchange Act registered entity; (13) Accounting firm; (14) Public utility; (15) Financial market utility; (16) Tax-exempt entity; or (17) Large operating company. Further, if a reporting company’s ownership interests are controlled or wholly owned by more than one exempt entity, the reporting company may still qualify for the subsidiary exemption if the entities are unaffiliated; however, every controlling or owning entity must itself be an exempt entity in order for the reporting company to qualify for the subsidiary exemption.

Trusts and Estates Updates:

7.If there is a corporate trustee, the reporting company will be reporting those individual beneficial owners that indirectly own or control at least 25% of the ownership interests of the reporting company through the ownership in the corporate trustee. This will be determined by multiplying the percentage of ownership of the corporate trustee with the trust’s ownership/control of the reporting company. For example, if Individual A owns 70% of the corporate trustee of a trust, and that trust holds 30% of the reporting company, Individual A holds or controls 21% of the reporting company (70% x 30 = 21). If Individual A owned 90% of the corporate trustee, then it would own/control 27% of the reporting company (90% x 30 = 27) and the company must report Individual A as a beneficial owner. There may be other beneficial owners if someone else at the corporate trustee exercises substantial control over the reporting company.

A reporting company may submit the corporate trustee’s information in lieu of each beneficial owner’s information only if all of these conditions are met:

a. The corporate entity is an exempt entity from the reporting requirements.

b. The individual owns or controls 25% of the reporting company only through the corporate trustee.

c. The individual does not exercise substantial control over the reporting company.

A company can obtain its own FinCEN Identifier when it submits an initial BOIR for its beneficial owner(s). This way, such company may be reported as a beneficial owner, such as a corporate trustee that meets the above requirements. For example, when LLC A reports Individual A as its beneficial owner, LLC A has the option of clicking a button to obtain its own FinCEN Identifier.

8. An individual who has the power to remove a trustee, remove and replace a trustee, and/or appoint an additional trustee is deemed to have substantial control through the power to change the person who makes decisions for the trust, and thereby, the reporting company. While this is not explicit in the Frequently Asked Questions, it is consistent with FinCEN’s position that someone who has the power to remove a senior officer of a reporting company is a beneficial owner.

While this is an extensive list, it is by no means an exhaustive list, and various circumstances not discussed above may change how the CTA applies in a particular case.

Copyright 2024 Goulston & Storrs PC.
For more on the CTA, visit the NLR Corporate Business Organizations section

The Cybersecurity Maturity Model Certification (CMMC) Program – Defense Contractors Must Rapidly Prepare and Implement

The Department of Defense (DoD) has officially launched the Cybersecurity Maturity Model Certification (CMMC) Program, which requires federal contractors and subcontractors across the Defense Industrial Base (DIB) to comply with strict cybersecurity standards. The CMMC program aims to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in DoD contracts from evolving cyber threats by requiring defense contractors to implement comprehensive cybersecurity controls. The CMMC Program, which must be confirmed by contracting officers, moves beyond the prior self-assessment model for many contractors to a certification-based approach verified by DoD-approved third-party assessors known as CMMC Third Party Assessor Organizations (C3PAOs).

This client alert outlines the key elements of the CMMC program, providing a detailed analysis of the new certification requirements, timelines for implementation, and practical steps contractors can take to prepare for compliance.

CMMC Overview and Purpose

The CMMC Program represents the DoD’s commitment to ensuring that companies handling FCI and CUI meet stringent cybersecurity standards. The program was developed in response to increasing cyber threats targeting the defense supply chain and is designed to verify that defense contractors and subcontractors have implemented the necessary security measures to safeguard sensitive information.

The CMMC Program consists of three levels of certification, with each level representing an increasing set of cybersecurity controls. The certification levels correspond to the type of information handled by the contractor, with higher levels required for contractors handling more sensitive information, such as CUI.

The DoD officially published the CMMC final rule on October 15, 2024, establishing the CMMC Program within federal regulations. The rule will be effective 60 days after publication, marking a significant milestone in the program’s rollout. DoD expects to publish the final rule amending the DFARS to add CMMC requirements to DoD contracts in early 2025. Contractors that fail to meet CMMC requirements will be ineligible for DoD contracts that involve FCI or CUI and could face significant penalties if they inappropriately attest to compliance.

The overall scope of the CMMC rule is relatively clear; however, some key elements are ambiguous and, in some cases, may require careful consideration. Particularly at the outset of any assessment process, a pre-risk gap assessment internal review, ideally conducted under legal privilege, is recommended to permit sufficient time to address shortfalls in technical controls or governance. The typical timeline for implementing a CMMC-type program may take many months, and we strongly recommend that clients begin this process soon if they have not already started—it is now unquestionably a requirement to do business with the DoD.

CMMC Certification Levels

The CMMC Program features three certification levels that contractors must achieve depending on the nature and sensitivity of the information they handle:

Level 1 (Self-Assessment)

Contractors at this level must meet 15 basic safeguarding requirements outlined in Federal Acquisition Regulation (FAR) 52.204-21. These requirements focus on protecting FCI, which refers to information not intended for public release but necessary for performing the contracted services. A self-assessment is sufficient to achieve certification at this level.

Level 2 (Self-Assessment or Third-Party Assessment)

Contractors handling CUI must meet 110 security controls specified in NIST Special Publication (SP) 800-171. CUI includes unclassified information that requires safeguarding or dissemination controls according to federal regulations. To achieve certification, contractors at this level can conduct a self-assessment or engage a C3PAO. Most defense contracts involving CUI will require third-party assessments to verify compliance.

Level 3 (Third-Party Assessment by DIBCAC)

Contractors supporting critical national security programs or handling highly sensitive CUI must achieve Level 3 certification. This level adds 24 security controls from NIST SP 800-172 to protect CUI from advanced persistent threats. The Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will conduct assessments for Level 3 contractors. This is the most stringent level of certification and is reserved for contractors working on the most sensitive programs.

Each certification level builds upon the previous one, with Level 3 being the most comprehensive. Certification is valid for three years, after which, contractors must be reassessed.

Certification Process and Assessment Requirements

Contractors seeking certification must undergo an assessment process that varies depending on the level of certification they are targeting. For Levels 1 and 2, contractors may conduct self-assessments. However, third-party assessments are required for most contracts at Level 2 and all contracts at Level 3. The assessment process includes several key steps:

Self-Assessment (Level 1 and Level 2 (Self))

Contractors at Level 1 or Level 2 (Self) must perform an internal assessment of their cybersecurity practices and submit their results to the Supplier Performance Risk System (SPRS). This system is the DoD’s centralized repository for contractor cybersecurity assessments. Contractors must affirm their compliance annually to maintain their certification status.

Third-Party Assessment (Level 2 (C3PAO) and Level 3 (DIBCAC))

For higher-level certifications, contractors must engage a certified C3PAO to conduct an independent assessment of their compliance with the applicable security controls. For Level 3 certifications, assessments will be performed by the DIBCAC. These assessments will involve reviewing the contractor’s cybersecurity practices, examining documentation, and conducting interviews to verify that the contractor has implemented the necessary controls.

Plan of Action and Milestones (POA&M)

Contractors that do not meet all of the required security controls during their assessment may develop a POA&M. This document outlines the steps the contractor will take to address any deficiencies. Contractors have 180 days to close out their POA&M, after which they must undergo a follow-up assessment to verify that all deficiencies have been addressed. If the contractor fails to meet the requirements within the 180-day window, their conditional certification will expire, and they will be ineligible for future contract awards.

Affirmation

After completing an assessment and addressing any deficiencies, contractors must submit an affirmation of compliance to SPRS. This affirmation must be submitted annually to maintain certification, even if a third-party assessment is only required once every three years.

Integration of CMMC in DoD Contracts

The CMMC Program will be integrated into DoD contracts through a phased implementation process. The program will initially apply to a limited number of contracts, but it will eventually become a requirement for all contracts involving FCI and CUI. The implementation will occur in four phases:

Phase 1 (Early 2025)

Following the publication of the final DFARS rule, CMMC requirements will be introduced in select solicitations. Contractors bidding on these contracts must meet the required CMMC level to be eligible for contract awards.

Phase 2

One year after the start of Phase 1, additional contracts requiring CMMC certification will be released. Contractors at this stage must meet Level 2 certification if handling CUI.

Phase 3

A year after the start of Phase 2, more contracts, including those requiring Level 3 certification, will include CMMC requirements.

Phase 4 (Full Implementation)

The final phase, expected to occur by 2028, will fully implement CMMC requirements across all applicable DoD contracts. From this point forward, contractors must meet the required CMMC level as a condition of contract award, exercise of option periods, and contract extensions.

Flow-Down Requirements for Subcontractors

CMMC requirements will apply to prime contractors and their subcontractors. Prime contractors must ensure that their subcontractors meet the appropriate CMMC level. This flow-down requirement will impact the entire defense supply chain, as subcontractors handling FCI must achieve at least Level 1 certification, and those handling CUI must achieve Level 2.

Subcontractors must be certified before the prime contractor can award them subcontracts. Prime contractors will be responsible for verifying that their subcontractors hold the necessary CMMC certification.

Temporary Deficiencies and Enduring Exceptions

The CMMC Program allows for limited flexibility in cases where contractors cannot meet all of the required security controls. Two key mechanisms provide this flexibility:

Temporary Deficiencies

Contractors may temporarily fall short of compliance with specific security controls, provided they document the deficiency in a POA&M and work toward remediation. These temporary deficiencies must be addressed within 180 days to maintain certification. Failure to close out POA&Ms within the required timeframe will result in the expiration of the contractor’s conditional certification status.

Enduring Exceptions

In some cases, contractors may be granted an enduring exception for specific security controls that are not feasible to implement due to the nature of the system or equipment being used. For example, medical devices or specialized test equipment may not support all cybersecurity controls required by the CMMC Program. In these cases, contractors can document the exception in their System Security Plan (SSP) and work with the DoD to determine appropriate mitigations.

Compliance Obligations and Contractual Penalties

The DoD has made it clear that failure to comply with CMMC requirements will have serious consequences for contractors. Noncompliant contractors will be ineligible for contract awards. Moreover, the Department of Justice’s Civil Cyber-Fraud Initiative looms menacingly in the background, as it actively pursues False Claims Act actions against defense contractors for alleged failures to comply with cybersecurity requirements in the DFARS. In addition, the DoD reserves the right to investigate contractors that have achieved CMMC certification to verify their continued compliance. If an investigation reveals that a contractor has not adequately implemented the required controls, the contractor may face contract termination and other contractual remedies.

Preparing for CMMC Certification

Given the far-reaching implications of the CMMC Program, contractors and subcontractors should begin preparing for certification as soon as possible. As an initial step, an internal, confidential gap assessment is highly advisable, preferably done under legal privilege, to fully understand both past and current shortfalls in compliance with existing cybersecurity requirements that will now be more fully examined in the CMMC process. Key steps include:

Assess Current Cybersecurity Posture

Contractors should conduct an internal assessment of their current cybersecurity practices against the CMMC requirements. This will help identify any gaps and areas that need improvement before seeking certification.

Develop an SSP

Contractors handling CUI must develop and maintain an SSP that outlines how they will meet the security controls specified in NIST SP 800-171. This document will serve as the foundation for both internal and third-party assessments.

Engage a C3PAO

Contractors at Level 2 (C3PAO) and Level 3 must identify and engage a certified C3PAO to conduct their assessments. Given the anticipated demand for assessments, contractors should begin this process early to avoid delays.

Prepare a POA&M

For contractors that do not meet all required controls at the time of assessment, developing a POA&M will be crucial to addressing deficiencies within the required 180-day window.

Review Subcontractor Compliance

Prime contractors must review their subcontractors’ compliance with CMMC requirements and ensure they hold the appropriate certification level. This flow-down requirement will impact the entire defense supply chain.

Conclusion

The CMMC Program marks a significant shift in the oversight of how the DoD manages cybersecurity risks within its defense supply chain. While DoD contractors that handle CUI have had contractual obligations to comply with the NIST SP 800-171 requirements since January 1, 2018, the addition of third-party assessments and more stringent security controls for Level 3 contracts aim to improve the overall cybersecurity posture of contractors handling FCI and CUI. Contractors that fail to comply with CMMC requirements risk losing eligibility for DoD contracts, which could result in substantial business losses.

Given the phased implementation of the program, contractors must act now to assess their cybersecurity practices, engage with certified third-party assessors, and ensure compliance with the new requirements. Proactive planning and preparation will be key to maintaining eligibility for future DoD contracts.

Copyright 2024 K & L Gates
For more on Defense Contractors, visit the NLR Government Contracts Maritime Military section

CFPB Imposes $95 Million Fine on Large Credit Union for Overdraft Fee Practices

On November 7, 2024, the CFPB ordered one of the largest credit unions in the nation to pay over $95 million for its practices related to the imposition of overdraft fees. The enforcement action addresses practices from 2017 to 2022 where the credit union charged overdraft fees on transactions that appeared to have sufficient funds, affecting consumers including those in the military community, in violation of the CFPA’s prohibition on unfair, deceptive, and abusive acts or practices.

The Bureau alleges that the credit union’s practices, particularly in connection with its overdraft service, resulted in nearly $1 billion in revenue from overdraft fees over the course of five years. According to the Bureau, the credit union unfairly charged overdraft fees in two ways. First, it charged overdraft fees on transactions where the consumer had a sufficient balance at the time the credit union authorized the transaction, but then later settled with an insufficient balance. The Bureau noted that these authorize-positive/settle-negative violations have been a focus of federal regulators since 2015, and were the subject of a CFPB circular in October 2022. Second, when customers received money though peer-to-peer payment networks, the credit union’s systems showed the money as immediately available to spend. However, the credit union failed to disclose that payments received after a certain time of the day would not post until the next business day. Customers who tried to use this apparently available money were then charged overdraft fees

In addition to monetary fines, the CFPB’s order prohibits the credit union from imposing overdraft fees for authorize-positive, settle negative transactions, and also in cases where there was a delayed crediting of funds from peer-to-peer payment platforms.

The monetary penalties the consent order imposes consist of $80 million in consumer refunds for wrongfully charged overdraft fees and a $15 million civil penalty to be paid to the CFPB’s victims relief fund.

Putting It Into Practice: This order aligns with federal and state regulators’ recent focus on overdraft fees in a broader initiative to eliminate allegedly illegal “junk fees” (a trend we previously discussed herehere, and here). For companies operating in the financial sector or providing peer-to-peer payment services, this enforcement action serves as a critical reminder of the need for transparency and adherence to consumer financial protection laws. Regular audits of fee practices and disclosures can help identify and rectify potential compliance issues before they escalate. Companies aiming to impose overdraft or other types of fees should review agency guidance enforcements to ensure their internal policies and business practices do not land them in hot water.

Listen to this post

Copyright © 2024, Sheppard Mullin Richter & Hampton LLP.
For more on the CFPB, visit the NLR Financial Institutions Banking section.

New Fact Sheet Highlights ASTP’s Concerns About Certified API Practices

On October 29, 2024, the US Department of Health and Human Services (HHS) Assistant Secretary for Technology Policy (ASTP) released a fact sheet titled “Information Blocking Reminders Related to API Technology.” The fact sheet reminds developers of application programming interfaces (APIs) certified under the ASTP’s Health Information Technology (IT) Certification Program and their health care provider customers of practices that constitute information blocking under ASTP’s information blocking regulations and information blocking condition of certification applicable to certified health IT developers.

In Depth

The fact sheet is noteworthy because it follows ASTP’s recent blog post expressing concern about reports that certified API developers are potentially violating Certification Program requirements and engaging in information blocking. ASTP also recently strengthened its feedback channels by adding a section specifically for API-linked complaints and inquiries to the Health IT Feedback and Inquiry Portal. It appears increasingly likely that initial investigations and enforcement of the information blocking prohibition by the HHS Office of Inspector General will focus on practices that may interfere with access, exchange, or use of electronic health information (EHI) through certified API technology.

The fact sheet focuses on three categories of API-related practices that could be information blocking under ASTP’s information blocking regulations and Certification Program condition of certification:

  • ASTP cautions against practices that limit or restrict the interoperability of health IT. For example, the fact sheet states that health care providers who locally manage their fast healthcare interoperability resources (FHIR) servers without certified API developer assistance may engage in information blocking when they refuse to provide to certified API developers the FHIR service base URL necessary for patients to access their EHI.
  • ASTP states that impeding innovations and advancements in access, exchange, or use of EHI or health-IT-enabled care delivery may be information blocking. For example, the fact sheet indicates that a certified API developer may engage in information blocking by refusing to register and enable an application for production use within five business days of completing its verification of an API user’s authenticity as required by ASTP’s API maintenance of certification requirements.
  • ASTP states that burdensome or discouraging terms, delays, or influence over customers and users may be information blocking. For example, ASTP states that a certified electronic health record (EHR) developer may engage in information blocking by conditioning the disclosure of interoperability elements to third-party developers on the third-party developer entering into business associate agreements with all of the EHR developer’s covered entity customers, even if the work being done is not for the benefit of the customers and HIPAA does not require the business associate agreements.

The fact sheet does not address circumstances under which any of the above practices of certified API developers may meet an information blocking exception (established for reasonable practices that interfere with access, exchange, or use of EHI). Regulated actors should consider whether exceptions apply to individual circumstances.

© 2024 McDermott Will & Emery
For more on API Practices, visit the NLR Health Law Managed Care section

HIPAA Gets a Potential Counterpart in HISAA

Americans hear about cybersecurity incidents on a frequent basis. As the adage goes, it is not a matter of “if” a breach or security hack occurs; it is a matter of “when.” At no time was that more evident earlier this year when the healthcare industry was hit with the widespread ransomware attack on Change Healthcare, a subsidiary of the United Health Group. Because of the nature of the Change Healthcare shutdown and its impact across the industry, the U.S. Department of Health & Human Services (HHS) and its HIPAA enforcement arm, the Office for Civil Rights (OCR), conducted investigations and issued FAQ responses for those impacted by the cybersecurity event.

In further response, Senators Ron Wyden (D-OR) and Mark Warner (R-VA) introduced the Health Infrastructure Security and Accountability Act (HISAA) on September 26, 2024. Like HIPAA and HITECH before it, which established minimum levels of protection for healthcare information, HISAA looks to reshape how healthcare organizations address cybersecurity by enacting mandatory minimum security standards to protect healthcare information and by providing initial financial support to facilitate compliance. A copy of the legislative text can be found here, and a one-page summary of the bill can be found here.

To date, HIPAA and HITECH require covered entities and business associates to develop, implement, and maintain reasonable and appropriate “administrative, technical, physical” safeguards to protect electronic Protected Health Information or e-PHI. However, the safeguards do not specify minimum requirements; instead, they prescribe standards intended to be scalable, depending on the specific needs, resources, and capabilities of the respective organization. What this means is that e-PHI stored or exchanged among interconnected networks are subject to systems with often different levels of sophistication or protection.

Given the considerable time, effort, and resources dedicated to HIPAA/HITECH compliance, many consider the current state of voluntary safeguards as inadequate. This is especially the case since regulations under the HIPAA Security Rule have not been updated since 2013. As a result, Senators Wyden and Warner introduced HISAA in an effort to bring the patchwork of healthcare data security standards under one minimum umbrella and to require healthcare organizations to remain on top of software systems and cybersecurity standards.

Key pieces of HISAA, as proposed, include:

  1. Mandatory Cybersecurity Standards—If enacted, the Secretary of HHS, together with the Director of the Cybersecurity and Infrastructure Security Agency (CISA) and the Director of National Intelligence (DNI), will oversee the development and implementation of required standards and the standards will be subject to review and update every two years to counter evolving threats.
  2. Annual Audits and Stress Tests—Like current Security Risk Assessment (SRA) requirements, HISAA will require healthcare organizations to conduct annual cybersecurity audits and document the results. Unlike current requirements, these audits will need to be conducted by independent organizations to assess compliance, evaluate restoration abilities, and conduct stress tests in real-world simulations. While smaller organizations may be eligible for waivers from certain requirements because of undue burden, all healthcare organizations will have to publicly disclose compliance status as determined by these audits.
  3. Increased Accountability and Penalties—HISAA would implement significant penalties for non-compliance and would require healthcare executives to certify compliance on an annual basis. False information in such certifications could result in criminal charges, including fines of up to $1 million and prison time for up to 10 years. HISAA would also eliminate fine caps to allow HHS to impose penalties commiserate with the level needed to deter lax behaviors, especially among larger healthcare organizations.
  4. Financial Support for Enhancements—Because the costs for new standards could be substantial, especially for smaller organizations, HISAA would allocate $1.3 billion to support hospitals for infrastructure enhancements. Of this $1.3 billion, $800 million would be for rural and safety net hospitals over the first two years, and an additional $500 million would be available for all hospitals in succeeding years.
  5. Medicare Payment Adjustments—Finally, HISAA enables the Secretary of HHS to provide accelerated Medicare payments to organizations impacted by cybersecurity events. HHS offered similar accelerated payments during the Change Healthcare event, and HISAA would codify similar authority to HHS for recovery periods related to future cyberattacks.

While HISAA will establish a baseline of cybersecurity requirements, compliance with those requirements will require a significant investment of time and resources in devices and operating systems/software, training, and personnel. Even with the proposed funding, this could result in substantial challenges for smaller and rural facilities to comply. Moreover, healthcare providers will need to prioritize items such as encryption, multi-factor authentication, real-time monitoring, comprehensive response and remediation plans, and robust training and exercises to support compliance efforts.

Finally, at this juncture, the more important issue is for healthcare organizations to recognize their responsibilities in maintaining effective cybersecurity practices and to stay updated on any potential changes to these requirements. Since HISAA was introduced in the latter days of a hectic (and historic) election season, we will monitor its progress as the current Congress winds down in 2024 and the new Congress readies for action with a new administration in 2025.

© 2024 Winstead PC.
For more on HIPAA, visit the NLR Health Law Managed Care section

What Happened: Policy and Politics

Baseline: The future of the Inflation Reduction Act (IRA), signed in 2022 to boost US clean energy with new tax incentives, hangs in the balance. President-elect Trump and some Republicans in Congress have threatened to repeal all or part of it because they don’t agree with the policy, and they need the revenue savings to offset their 2017 Tax Cuts and Jobs Act (TCJA) extensions. The processing of a tax bill next year provides a rare opening for taxpayers who are dissatisfied with the IRA or with the Biden administration tax regulations which implement the IRA.

Pulse Check: Much depends on whether Republicans gain control of both chambers of Congress, enabling them to tap into the vaunted congressional budget reconciliation process and easing their path to legislative change.

What to Monitor: Expect IRA supporters to spend time educating administration officials and congressional offices about the valuable economic and other benefits provided by these tax provisions, particularly in GOP-represented congressional districts and states. Meanwhile, industries from biofuels to hydropower are lobbying for new tax credits in the 2025 tax bill, aiming to secure a place in the complex tax landscape that lies ahead.

Voters delivered a sweeping victory to Donald Trump on Tuesday, setting him up to be the 47th President, and the first since Grover Cleveland in 1892 to be elected to a second non-consecutive term. After a surprise electoral college victory in 2016 and a narrow defeat in 2020, Trump won an outright majority of the national popular vote, the first Republican to do so since George W. Bush in 2004. While his victory helped propel a pickup of at least four Senate seats, wresting back control of the chamber from Democrats, the fate of the House remains uncertain pending the counting of outstanding California mail ballots that could drag out for a week or more.

The victory was driven by disproportionate gains among key demographics and subgroups that will become clear as the dust settles, but the overall pattern was unmistakable: Trump made significant gains coast-to-coast, in urban, suburban, and rural areas, and among virtually every cohort of the electorate. His improvement in the key battlegrounds was actually dwarfed by his gains in the nation’s bluest states, with double-digit swings in places like New York, Maryland and California. In addition to avenging his 2020 loss, the President-elect can now credibly claim a popular mandate for his policies, and quite possibly the congressional majorities to pursue them legislatively.

The restoration of President-elect Trump represents a return to 2016-17, with many of the same conditions seen seven years ago: the potential for a unified Republican government, and a clear commitment from the new administration to roll back the regulatory agenda of the previous administration and institute “America-first” policies when it comes to energy, immigration and trade. The key difference is that while the outcome of the 2016 election caught even the Trump apparatus flat-footed, preparations for President-elect Trump’s second term have been underway for the past three years. Expect a second Trump administration to be savvier and more focused in carrying out its goals, installing key personnel, and implementing policy.

The expectation is that strong policy decisions are ready for implementation on Inauguration Day through Executive Orders that will clearly lay out the regulatory and policy framework for rescinding and replacing the Biden administration agenda. Examination of the Inflation Reduction Act and Infrastructure Investment and Jobs Act mechanisms will certainly occur. President-elect Trump has made clear his intentions to leverage American foreign policy through trade and tariffs rather than military means. Particularly in the energy space, President-elect Trump has pledged a return to American energy dominance backed by a foundation and focus on leveraging domestic traditional energy resources. As observed in his first term, separating campaign rhetoric from implanted policy will continue to be a critical exercise. It is a guarantee that President-elect Trump intends to staff up quickly with political loyalists who have experience in navigating the proclivities of both a Trump administration and Washington bureaucracy, one that he has yet again pledged to dismantle.

President-elect Trump re-assumes the White House with a certain Republican majority in the US Senate and a likely slim majority in the US House of Representatives, providing the ability to implement legislative initiatives while ensuring a full swath of Cabinet-level and senior-level appointees. Legislative action will be necessary for targeting provisions of the Inflation Reduction Act, and while the notion of full repeal exists in rhetoric, it is more likely that Republicans use a more precise approach, preserving legacy provisions that tend to benefit traditional energy sources and targeting those that are more renewable energy focused. However, the slim majorities in each chamber complicate the full breadth of legislation that Republicans can expect to implement. The focus in the early days of Congress will be on the aforementioned Senate confirmation process and resolutions of disapproval under the Congressional Review Act to repeal Biden administration regulations finalized in the last 60 days of the previous Congress, which are both likely to be comfortable party-aligned exercises. The tools of congressional oversight will be trained on assisting the Trump administration in implementing regulatory changes and building a record toward federal agency reforms – such as permitting, federal workforce, and agency re-organization.

© 2024 Bracewell LLP
For more on the 2024 General Election, visit the NLR Election Law Legislative News section

No More Fraud Vampires: Whistleblowers Put a Stake in Phlebotomy Unlawful Kickback Scheme

31 October 2024. Two whistleblowers “stopped the bleeding” caused by an alleged kickback scheme perpetrated by a mobile phlebotomy service based in California. Veni-Express, Inc. and its owners have agreed to pay $135,000 to settle allegations of violating the Anti-Kickback Statute and False Claims Act. While the award for the two whistleblowers has not yet been determined, False Claims Act qui tam whistleblowers may be rewarded between 15-25% of the settlement.

Overview of the Case

According to the allegations, from 2015 to 2019, Veni-Express allegedly submitted false claims to federal health care programs for services that were not actually performed. These services included venipuncture procedures during homebound patient visits and non-reimbursable travel mileage claims for the visits. The fraudulent activities were reportedly conducted with the oversight of the company’s owners, Myrna and Sonny Steinbaum.

Additionally, between July 2014 and June 2015, Veni-Express allegedly paid unlawful kickbacks to Altera Laboratories, also known as Med2U Healthcare LLC, to market their services. These kickbacks were disguised as a percentage of company revenue.

Unlawful Kickbacks and Phantom Billing

The Anti-Kickback Statute (AKS) is a federal law that prohibits healthcare providers from offering, soliciting, or receiving anything of value to induce or reward referrals for services covered by federally funded healthcare programs, such as Medicare and Medicaid. When providers violate the AKS, they compromise patient care by prioritizing financial gain over medical necessity, which can lead to unnecessary, costly, or substandard treatments. Phantom billing, which involves charging Medicare and Medicaid for services never provided, drains funds that could otherwise be used for essential care for beneficiaries. It leads to increased healthcare costs, putting a strain on federally funded healthcare programs and potentially causing cuts or restrictions in services. This fraudulent practice also erodes trust in the healthcare system, which can prevent beneficiaries from seeking the care they need. As the Special Agent in Charge for the Department of Health and Human Services Office of the Inspector General said about the case, “Improper incentives and billing Medicare for services never actually provided divert taxpayer funding meant to pay for medically necessary services for Medicare enrollees.”

Settlement Details

The settlement agreement is based upon the parties’ ability to pay, requiring Veni-Express to pay $100,000, with additional payments contingent upon the sale of company property. Myrna Steinbaum will pay $25,000, while Sonny Steinbaum will contribute $10,000.

Whistleblower Involvement

The whistleblowers in the qui tam actions were a former phlebotomist and a laboratory technical director. The qui tam provision in the False Claims Act allows private citizens with knowledge of fraud to report fraud schemes to the government and share in the government’s recovery.

Implications for Healthcare Professionals

This whistleblower settlement serves as a cautionary tale for healthcare professionals, emphasizing the need for strict adherence to regulatory standards. It underscores the power industry insiders have to speak up and put an end to fraud schemes that taint the healthcare profession.

© 2024 by Tycko & Zavareei LLP
For more on Whistleblowers, visit the NLR Criminal Law Business Crimes section.

IRS Announces 2025 Retirement Plan Limits

The Internal Revenue Service (“IRS”) has announced the following dollar limits applicable to tax-qualified plans for 2025:

  • The limit on the maximum amount of elective contributions that a person may make to a 401(k) plan, a 403(b) tax-sheltered annuity, or a 457(b) eligible deferred compensation plan increased from $23,000 to $23,500.
  • The limit on “catch-up contributions” to a 401(k) plan, a 403(b) tax-sheltered annuity, or a 457(b) eligible deferred compensation plan for persons age 50 and older is unchanged for 2025 at $7,500.
  • As a result of change made by SECURE 2.0, for 2025, employees aged 60, 61, 62, and 63 who participate in a 401(k) plan, a 403(b) tax-sheltered annuity, or a 457(b) eligible deferred compensation have a higher catch-up contribution limit, which for 2025 is $11,250 instead of $7,500.
  • The dollar limit on the maximum permissible allocation under 401(k) and other defined contribution plans is increased from $69,000 to $70,000.
  • The maximum annual benefit under a defined benefit plan is increased from $275,000 to $280,000.
  • The maximum amount of annual compensation that may be taken into account on behalf of any participant under a qualified plan will go from $345,000 to $350,000.
  • The dollar amount used to identify “highly compensated employees” is increased from $155,000 to $160,000.

Additional information regarding benefit plan dollar limits can be obtained in Notice 2024-80, 2025 Amounts Relating to Retirement Plans and IRAs, as Adjusted for Changes in Cost-of-Living.

© 2024 Blank Rome LLP
For more on the IRS, visit the NLR Tax section