Category: Administrative & Regulatory

E-Verify Update and Improvements

Poyner Spruill Law firm

​E-Verify has been operational since 1997 as part of a Basic Pilot Program to assist employers to verify electronically that a newly hired employee is authorized to work in the US.  A number of states have made use of E-Verify mandatory, including North Carolina which requires that employers with 25 employees to have been enrolled in E-Verify by July 1, 2013.

Update

Currently there are over 530,000 employers nationwide enrolled in E-Verify.  Statistically, the program has grown rapidly as has its accuracy, having verified close to 24 million cases.  Of those, 98.81% have been confirmed as employment authorized.  The US Citizenship and Immigration Services (USCIS) graphic below provides E-Verify’s latest statistics:

E-verify

The Monitoring and Compliance Branch (M&C Branch) was created by the USCIS in 2009 to ensure E-Verify is being used properly.  Its main function is to monitor and guide E-Verify participants by phone, email, desk reviews and site visits.  This unit does not fine employers, but does refer cases of suspected misuse, abuse or fraud to Immigration Customs and Enforcement (ICE) and the Department of Justice’s Office of Special Counsel for Immigration-Related Unfair Employment Practices (OSC).  There has been an uptick in complaints to the OSC resulting in some sizeable settlements.  All settlement agreements described on the OSC website have one thing in common: all employers participated in E-Verify and the OSC became involved, for the most part, by the USCIS referring the employer to OSC.  Thus, it is noteworthy that participation in E-Verify alone does not protect an employer from enforcement action and penalties.

Recent Improvements to E-Verify System

E-Verify has announced some needed improvements to its system to assist employers who, in doing so, will hopefully not attract M&C Branch attention:

  • Duplicate Case alert now notifies the employer if a social security number  matches any other social security number entered for an existing case with the past 30 days.
  • The user’s name no longer auto-fills: it must now be completed each time to ensure accuracy, providing a prompt to validate or update email and phone number whenever the user’s password expires, which is every 90 days.
  • An employee whose information is entered in E-Verify resulting in a tentative nonconfirmation will receive email notification if they provide their email address on the Form I-9.
  • There is a new photo tool that will display any photo on record with E-Verify, enabling the user to compare it to the photo ID being presented.
  • E-Verify now verifies a driver’s license as to authenticity by matching the data entered by the user against participating state motor vehicle department records. Currently, North Carolina does not participate in this so-called RIDE system.
  • If E-Verify detects fraudulent use of a social security number, it prevents that number from being used more than once.
  • Notices generated by E-Verify are now available in 18 languages.
  • There are monthly webinars in Spanish for employers.
  • E-Verify screens for typographical errors and requires employers to correct them.
  • The Further Action Notice that is generated after a Tentative Nonconfirmation from the Department of Homeland Security includes instructions on how to correct immigration records after resolving the Tentative Nonconfirmation on E-Verify.
  • Updated Further Action Notices are also no longer pre-populated, but are easy to complete.
  • Customer support has been improved and includes an “E-Verify Listens” link that can be accessed by the E-Verify user while in the E-Verify system to assist with E-Verify completion.

While the system is not perfect, it is increasingly pervasive and increasingly “user friendly.”  Further, employers have a strong incentive to use E-Verify properly to avoid settlements generated by  enforcement actions that appear to be directly linked to E-Verify misuse, abuse and fraud.

ARTICLE BY

Jennifer G. Parser
OF
Poyner Spruill LLP

SEC Commissioner Highlights Need for Cyber-Risk Management in Speech at New York Stock Exchange

Proskauer Law firm

Cyber risks are an increasingly common risk facing businesses of all kinds.  In a recent speech given at the New York Stock Exchange, SEC Commissioner Luis A. Aguilar emphasized that cybersecurity has grown to be a “top concern” of businesses and regulators alike and admonished companies, and more specifically their directors, to “take seriously their obligation to make sure that companies are appropriately addressing those risks.”

Commissioner Aguilar, in the speech delivered as part of the Cyber Risks and the Boardroom Conference hosted by the New York Stock Exchange’s Governance Services department on June 10, 2014, emphasized the responsibility of corporate directors to consider and address the risk of cyber-attacks.  The commissioner focused heavily on the obligation of companies to implement cybersecurity measures to prevent attacks.  He lauded companies for establishing board committees dedicated to risk management, noting that since 2008, the number of corporations with board-level risk committees responsible for security and privacy risks had increased from 8% to 48%.  Commissioner Aguilar nevertheless lamented what he referred to as the “gap” between the magnitude of cyber-risk exposure faced by companies today and the steps companies are currently taking to address those risks.  The commissioner referred companies to a federal framework for improving cybersecurity published earlier this year by the National Institute of Standards and Technology, which he noted may become a “baseline of best practices” to be used for legal, regulatory, or insurance purposes in assessing a company’s approach to cybersecurity.

Cyber-attack prevention is only half the battle, however.  Commissioner Aguilar cautioned that, despite their efforts to prevent a cyber-attack, companies must prepare “for the inevitable cyber-attack and the resulting fallout.”  An important part of any company’s cyber-risk management strategy is ensuring the company has adequate insurance coverage to respond to the costs of such an attack, including litigation and business disruption costs.

The insurance industry has responded to the increasing threat of cyber-attacks, such as data breaches, by issuing specific cyber insurance policies, while attempting to exclude coverage of these risks from their standard CGL policies.  Commissioner Aguilar observed that the U.S. Department of Commerce has suggested that companies include cyber insurance as part of their cyber-risk management plan, but that many companies still choose to forego this coverage.  While businesses without cyber insurance may have coverage under existing policies, insurers have relentlessly fought to cabin their responsibility for claims arising out of cyber-attacks.  Additionally, Commissioner Aguilar’s speech emphasizes that cyber-risk management is a board-level obligation, which may subject directors and officers of companies to the threat of litigation after a cyber-attack, underscoring the importance of adequate D&O coverage.

The Commissioner’s speech offers yet another reminder that companies should seek professional advice in determining whether they are adequately covered for losses and D&O liability arising out of a cyber-attack, both in prospectively evaluating insurance needs and in reacting to a cyber-attack when the risk materializes.

Read Commissioner Aguilar’s full speech here.

ARTICLE BY

Shawn Ledingham
OF
Proskauer Rose LLP

Financial Crimes Enforcement Network (FinCEN) Proposes Anti-Money Laundering Rules

Vedder Price Law Firm

On July 23, 2014, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking that would amend existing Bank Secrecy Act regulations with respect to customer due diligence (CDD) requirements for certain covered financial institutions, including mutual funds, brokers or dealers in securities and futures commission merchants and introducing brokers in commodities. The proposed rules would formalize certain CDD requirements and also require that covered financial institutions “identify and verify the beneficial owners of legal entity customers.” FinCEN’s proposal includes a standard certification form that covered financial institutions would be required to use for documenting the beneficial ownership of their legal entity customers. An individual may qualify as a “beneficial owner” of a legal entity customer if the individual either (1) owns 25% or more of the equity interests of the entity, or (2) has significant management responsibilities within the entity. As proposed, covered financial institutions would be exempted from identifying the beneficial owners of an intermediary’s underlying clients if the covered financial institution has no customer identification program obligation with respect to those underlying clients.

Comments on the Notice of Proposed Rulemaking are due by October 3, 2014.

ARTICLE BY

Investment Services Group
OF
Vedder Price

Firewall on the Hill: The Cybersecurity Information Sharing Act

Morgan Lewis logo

U.S. Treasury Secretary Jack Lew is urging Congress to pass legislation to bolster the country’s cyber defenses. The proposed bill—the Cybersecurity Information Sharing Act of 2014 (CISA)—may unleash a brute-force attack in the cyber war, but opposition based on privacy and civil liberties concerns could stop the bill dead in its tracks.

The CISA would enable companies to

  • share information with one another, including an antitrust exemption for the exchange or disclosure of a “cyber threat indicator,” which is broadly defined and includes information that indicates any attribute of a cybersecurity threat;
  • share information with the federal government, including the absence of any waiver of privilege or trade-secret protection and the retained ownership of the disclosed information;
  • launch countermeasures and monitor information systems under broad sets of circumstances, potentially expanding the information to be shared; and
  • monitor and share the information under an umbrella of protection from liability relating to the permitted activities, including a good-faith defense (absent gross negligence or willful misconduct) for activities not authorized by the CISA.

The CISA includes some protections for individuals. Namely, the U.S. Attorney General would develop governing guidelines to limit the law’s effect on privacy and civil liberties. Moreover, companies would be required to remove information that is known to be personal information (and not directly related to a cybersecurity threat) before sharing a cyber threat indicator.

In sum, companies could decide to share a wealth of information with one another and with the federal government if the CISA is passed, when sharing personal information depends on the reach of any future guidelines. If an extensive information-sharing program materializes, and there is at least a perception that sensitive personal information is being shared, companies could feel pressure from customers and advocacy groups to disclose their CISA activities and policies in their privacy statements. Companies should stay informed about developments in cybersecurity legislation, but the potential fallout regarding privacy could substantially weaken or postpone any new system. For every cybersecurity legislative effort, there will be bold countermeasures.

ARTICLE BY

Doneld G. Shelkey
A. Benjamin Klaber
OF:
Morgan, Lewis & Bockius LLP

Office for Civil Rights (OCR) to Begin Phase 2 of HIPAA Audit Program

Mcdermott Will Emery Law Firm

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) will soon begin a second phase of audits (Phase 2 Audits) of compliance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security and breach notification standards (HIPAA Standards) as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Unlike the pilot audits during 2011 and 2012 (Phase 1 Audits), which focused on covered entities, OCR will conduct Phase 2 Audits of both covered entities and business associates.  The Phase 2 Audit Program will focus on areas of greater risk to the security of protected health information (PHI) and pervasive noncompliance based on OCR’s Phase I Audit findings and observations, rather than a comprehensive review of all of the HIPAA Standards.  The Phase 2 Audits are also intended to identify best practices and uncover risks and vulnerabilities that OCR has not identified through other enforcement activities.  OCR will use the Phase 2 Audit findings to identify technical assistance that it should develop for covered entities and business associates.  In circumstances where an audit reveals a serious compliance concern, OCR may initiate a compliance review of the audited organization that could lead to civil money penalties.

The following sections summarize OCR’s Phase 1 Audit findings, describe the Phase 2 Audit program and identify steps that covered entities and business associates should take to prepare for the Phase 2 Audits.

Phase 1 Audit Findings

OCR audited 115 covered entities under the Phase 1 Audit program, with the following aggregate results:

  • There were no findings or observations for only 11% of the covered entities audited;
  • Despite representing just more than half of the audited entities (53%), health care providers were responsible for 65% of the total findings and observations;
  • The smallest covered entities were found to struggle with compliance under all three of the HIPAA Standards;
  • Greater than 60% of the findings or observations were Security Standard violations, and 58 of 59 audited health care provider covered entities had at least one Security Standard finding or observation even though the Security Standards represented only 28% of the total audit items;
  • Greater than 39% of the findings and observations related to the Privacy Standards were attributed to a lack of awareness of the applicable Privacy Standard requirement; and
  • Only 10% of the findings and observations were attributable to a lack of compliance with the Breach Notification Standards

The Phase 2 Audit Program

Selection of Phase 2 Audit Recipients

Unlike the Phase 1 Audit Program, which focused on covered entities, OCR will conduct Phase 2 Audits of both covered entities and business associates.  OCR has randomly selected a pool of 550–800 covered entities through the National Provider Identifier database and America’s Health Insurance Plans’ databases of health plans and health care clearinghouses.  OCR will issue a mandatory pre-audit screening survey to the pool of covered entities this summer.  The survey will address organization size measures, location, services and contact information.  Based on the responses, the agency will select approximately 350 covered entities, including 232 health care providers, 109 health plans and 9 health care clearinghouses, for Phase 2 Audits.  OCR intends to select a wide range of covered entities and will conduct the audits between October 2014 and June 2015.

OCR will notify and send data requests to the 350 selected covered entities this fall.  The data requests will ask the covered entities to identify and provide contact information for their business associates.  OCR will select the business associates that will participate in the Phase 2 Audits from this pool.

Audit Process

OCR will audit approximately 150 of the 350 selected covered entities and 50 of the selected business associates for compliance with the Security Standards, 100 covered entities for compliance with the Privacy Standards and 100 covered entities for compliance with the Breach Notification Standards.  OCR will initiate the Phase 2 Audits of covered entities by sending the data requests this fall and then initiate the Phase 2 Audits of business associates in 2015.

Covered entities and business associates will have two weeks to respond to OCR’s audit request.  The data requests will specify the content, file names and other documentation requirements, and the auditors may contact the covered entities and business associates for clarifications or additional documentation.  OCR will only consider current documentation that is submitted on time.  Failure to respond to a request could lead to a referral to the applicable OCR Regional Office for a compliance review.

Unlike the Phase 1 Audits, OCR will conduct the Phase 2 Audits as desk reviews with an updated audit protocol and not on-site at the audited organization.  OCR will make the Phase 2 Audit protocol available on its website so that entities may use it for internal compliance assessments.

The Phase 2 Audits will target HIPAA Standards that were sources of high numbers of non-compliance in the Phase 1 Audits, including:  risk analysis and risk management; content and timeliness of breach notifications; notice of privacy practices; individual access; Privacy Standards’ reasonable safeguards requirement; training to policies and procedures; device and media controls; and transmission security.  OCR also projects that Phase 2 Audits in 2016 will focus on the Security Standards’ encryption and decryption requirements, facility access control, breach reports and complaints, and other areas identified by earlier Phase 2 Audits.  Phase 2 Audits of business associates will focus on risk analysis and risk management and breach reporting to covered entities.

OCR will present the organization with a draft audit report to allow management to comment before it is finalized.  OCR will then take into account management’s response and issue a final report.

What Should You Do to Prepare for the Phase 2 Audits?

Covered entities and business associates should take the following steps to ensure that they are prepared for a potential Phase 2 Audit:

  • Confirm that the organization has recently completed a comprehensive assessment of potential security risks and vulnerabilities to the organization (the Risk Assessment);
  • Confirm that all action items identified in the Risk Assessment have been completed or are on a reasonable timeline to completion;
  • Ensure that the organization has a complete inventory of business associates for purposes of the Phase 2 Audit data requests;
  • If the organization has not implemented any of the Security Standards’ addressable implementation standards for any of its information systems, confirm that the organization has documented (i) why any such addressable implementation standard was not reasonable and appropriate and (ii) all alternative security measures that were implemented;
  • Ensure that the organization has implemented a breach notification policy that accurately reflects the content and deadline requirements for breach notification under the Breach Notification Standards;
  • Health care provider and health plan covered entities should ensure that they have a compliant Notice of Privacy Practices and not only a website privacy notice;
  • Ensure that the organization has reasonable and appropriate safeguards in place for PHI that exists in any form, including paper and verbal PHI;
  • Confirm that workforce members have received training on the HIPAA Standards that are necessary or appropriate for a workforce member to perform his/her job duties;
  • Confirm that the organization maintains an inventory of information system assets, including mobile devices (even in a bring your own device environment);
  • Confirm that all systems and software that transmit electronic PHI employ encryption technology or that the organization has a documented the risk analysis supporting the decision not to employ encryption;
  • Confirm that the organization has adopted a facility security plan for each physical location that stores or otherwise has access to PHI, in addition to a security policy that requires a physical security plan; and
  • Review the organization’s HIPAA security policies to identify any actions that have not been completed as required (e.g., physical security plans, disaster recovery plan, emergency access procedures, etc.)
ARTICLE BY

Patrick Callaghan
Daniel F. Gottlieb
Edward G. Zacharias
Of:
McDermott Will & Emery

FDA Denies Citizen Petition’s Request to Ban Marketing of Non-Absorbable Surgical Mesh Products for Transvaginal Repair of Pelvic Organ Prolapse

Covington BUrling Law Firm

 

On July 14, 2014, FDA publicly posted its response denying Public Citizen’s August 2011 citizen petition concerning the marketing of non-absorbable surgical mesh products for transvaginal repair of pelvic organ prolapse (POP).  In its response, FDA took the position that a ban or recall of POP devices is not warranted at this time.

As background, in August 2011, Public Citizen filed a citizen petition asserting that POP devices “offer no clinically significant benefits in comparison to surgical repairs for POP performed without placement of surgical mesh” and “have high rates of serious complications.”  Public Citizen requested that the agency take the following actions: (1) ban the marketing of all available non-absorbable surgical mesh products for transvaginal repair of POP; (2) order all manufacturers to recall these products; and (3) classify all new non-absorbable surgical mesh products for transvaginal repair of POP as class III devices and approve the products only under a premarket approval application (PMA).

In its response, dated May 1, 2014, FDA denied the citizen petition.  While the agency rejected Public Citizen’s call for a ban or recall of POP devices, FDA noted that it shares some of the concerns outlined in the citizen petition and is taking actions to address these concerns.  In addition, the agency also determined that “a citizen petition is not the appropriate mechanism for requesting a reclassification of a device.”

FDA explained that in September 2011, the agency convened an advisory committee meeting of the Obstetrics and Gynecology Devices Panel to discuss the safety and efficacy of transvaginal surgical mesh products used for repair of POP.  The Panel determined that “a favorable benefit-risk profile” for these devices “had not been well-established” and that the devices should be reclassified from class II to class III.  The Panel also recommended that manufacturers conduct postmarket studies of currently marketed surgical mesh products for transvaginal repair of POP.  As of May 2014, FDA had issued 126 postmarket surveillance orders to 33 manufacturers of these devices.

FDA explained that it has evaluated information from the Panel’s recommendations and the published scientific literature and has tentatively determined that the device should be reclassified as a class III device.  On May 1, 2014, FDA published a proposed order in the Federal Register to reclassify surgical mesh for transvaginal repair of POP from class II to class III.  On the same day, FDA published another proposed order in the Federal Register to require the filing of a PMA following the reclassification of the device to class III.  Thus, although FDA did not grant Public Citizen’s third request, the agency “initiated the process that could ultimately result” in reclassification of the device and the requirement to submit a PMA for these devices.

Article By:

Colleen Kelly
Of:
Covington & Burling LLP

Kentucky Supreme Court Approves Plugging Holes with Others' Piggy Banks using Budget Drafting

McBrayer NEW logo 1-10-13

Budget drafting is one of the most challenging, yet essential, functions of state governments. Unlike the federal government, which has the ability to run large deficits and print its own currency, almost every state – Kentucky included – has a statutory or Constitutional framework requiring a balanced budget. Every two years, the Commonwealth’s budget drafters utilize familiar methods to balance the ledger: debt restructuring, adjusting tax rates and spending levels, infusing federal funds and taxing new revenue sources. Another option, less understood by the public but increasingly utilized by Kentucky policy makers, is “sweeping” restricted funds. This controversial task has just been made easier thanks to a recent decision by the Kentucky Supreme Court. In a 5-2 opinion, the practice of sweeping regulatory accounts was declared lawful, meaning that lawmakers may continue to transfer fees and fines collected by state regulatory agencies to the General Fund without violating the Kentucky Constitution. The legality of sweeping funds that are generated by a statutory tax (rather than fines and fees) was not directly addressed by the Court, leaving open the possibility that the sweeping of such funds may yet be deemed unconstitutional.

As background, state regulatory agencies have the power to police certain occupations and activities in order to protect the health, welfare, and safety of the public. The cost of administering such regulation is borne by those in that occupation, who pay state-imposed fees and/or fines. Regulatory fees can only be levied to compensate an agency for issuing a license and playing a supervisory role over the profession; they cannot be used to generate state general fund revenue.The statutes that govern state agencies contain anti-lapse provisions that allow monies collected in one fiscal year to remain in the agency’s account for the next year. Further, Section 180 of the Kentucky Constitution provides that taxes must be levied with a specific, distinct purpose and cannot be devoted to any other purpose after collected.

Although the practice is not new, the genesis of this case was the passage of the 2008-2010 biennial budget in 2008. Pursuant to an Executive Order by Governor Beshear that year, and in response to a General Fund budget shortfall of hundreds of millions of dollars, anti-lapse provisions were suspended, and funds in certain agency accounts were transferred to the General Fund. Subsequently, two separate set of appellants brought suit, arguing that regulatory fees may only be used by the collecting agency for regulatory purposes, and that their transfer to the General Fund for general revenue purposes, in effect, converts them to taxes, in violation of the Kentucky Constitution.

The two cases made their way through the trial court and Court of Appeals and were then certified for discretionary review at the Kentucky Supreme Court. Because they presented similar issues, the Court consolidated their review and issued a single opinion.

At issue before the Supreme Court wasthe transfer of $700,000 from the Department of Charitable Gaming (“DCG”) and the transfer of $10 million from various funds created within the Department of Housing, Buildings and Construction (“DHBC”). DCG and DHBC both rely upon licensing, permit and inspection fees and fines (for example, for building code violations or illegal gaming) to carry out their regulatory responsibilities.

According to the Court, “it is not unlawful for the General Assembly to provide in a budget bill for the suspension of anti-lapse provisions in agency enabling statutes and for the transfer to the General Fund of surpluses incidentally existing in agency accounts.” The only requirement is that the fees collected bear a “reasonable relation” to the regulatory expense so that a revenue-raising intent does not appear. In addition, though the funds come solely from private sources, the agencies’ supervisory actions (e.g., building codes and gaming regulations) benefit the public at large; thus, they are considered public funds and subject to budget-bill transfer.

The dissent, authored by Judge Venters and joined by Judge Scott, disagrees with the majority that the amounts transferred from the agencies were genuinely “surplus.” There is a clear distinction, as the dissent sees it, between a true surplus left over when a project is complete (such as the construction of a court house or the building of a road) versus the cases at hand where the money could have been used to pay for ongoing regulatory functions. Transferring funds, Venters wrote, results in higher fees on future participants, along with less agency service and protection.

While neither DCG nor DHBC generated funds through statutory taxation, some state agencies do, and these agencies are having substantial portions of their account balances transferred as well. For example, $9 million was swept from the Tourism Marketing Fund in order to balance the 2014-2016 budget. This fund is generated by a 1% tax on hotel rooms in Kentucky, which was passed overwhelmingly by the General Assembly in a 2005 omnibus tax bill. The Supreme Court only gives passing reference, in a footnote, to the important distinction between taxes and regulatory fees in this decision, but does little more to address the constitutionality of sweeping revenues generated through taxes, which is a clear violation of Section 180.[1] The 2014-16 budget calls for agency transfers totaling about $300 million.

Although the practice of transferring funds was commonplace long before this court ruling, it did not take long for policymakers to cite it as justification for subsequent sweeps. Kentucky’s biennial budget bills often include a “General Fund Budget Reduction Plan” which authorizes the governor to cut the budget at the margins in the event of a shortfall, without calling the legislature back to redraft and pass another budget. A one-percent reduction in estimated revenue left a $90.9 million hole that needed to be filled before closing the books on the 2014 fiscal year. Less than one month after the ruling, Governor Beshear transferred almost $50 million from a range of agency funds, including the Board of Nursing, another transfer from Housing, Buildings and Construction, various environmental protection funds, among dozens of others. “The use of fund transfers is a valuable tool in how we manage and balance the overall budget of the Commonwealth, and one that keeps us from making deeper cuts to state agencies,” Governor Beshear said. “The recent ruling by the Kentucky Supreme Court again affirms the constitutionality of this practice, thus ensuring much needed flexibility for the executive and legislative branches.”

For now, it appears that all branches of state government are content with addressing budget shortfalls with money from agency pockets. The Supreme Court was clear that the transfer of regulatory fees does not constitute a hidden tax, but because they remained silent on the issue of the constitutionality of sweeping funds accrued from an express tax, further litigation or legislation may be required before agencies can stop the raid of taxes from their funds.

[1] See Footnote 6, “In a broad sense, perhaps, any monetary exaction by a governmental entity could be thought a tax, but a ‘tax’ in the strict sense of monies levied to meet the general expenses of government has been distinguished in a variety of contexts from more particularized exactions, such as fines, user fees – tolls, for example – infrastructure assessments, or regulatory fees, such as those at issue here…[T]he classic ‘tax’ is ‘imposed by a legislature upon many, or all, citizens. It raises money, contributed to a general fund, and spent for the benefit of the entire community…[T]he classic ‘regulatory fee’ is imposed by an agency upon those subject to its regulation…[I]t may serve regulatory purposes directly by, for example, deliberately discouraging particular conduct by making it more expensive…[O]r, it may serve such purposes indirectly by, for example, raising money placed in a special fund to help defray the agency’s regulation-related expenses.'” (citing San-Juan Cellular Tel. Co. v. Pub. Serv. Comm’s of Puerto Rico, 967 F.2d 683, 685 (1st Cir. 1992)(citations omitted).

New Transportation Investment Center Boosts P3 (Public-Private Partnerships) Projects: “P3 or Not P3?” That is the Question. Obama Says: “P3.”

Beveridge Diamond Logo

 

President Obama last week formally embraced the expansion of Public-Private Partnerships (P3s) as a means to fill the gap in public sector transportation financing. Infrastructure developers and project sponsors should look to a planned September 9 summit on infrastructure investment hosted by the U.S. Treasury Department to learn more about how they may gain access to/benefit from expanded resources for P3s.

In an announcement culminating after a series of events aimed at cajoling Congress into addressing the looming deficit in the Highway Trust Fund, the President established the “Build America Transportation Investment Center,” a new office in the U.S. Department of Transportation (DOT) focused on encouraging P3s. Citing the potential for domestic and foreign investment in American infrastructure, the President moved to create this resource center within DOT to assist states and local governments find ways to expand the use of innovative financing to build needed projects.

For many years, the Office of Innovative Program Delivery Finance was housed within theFederal Highway Administration (FHWA). This latest move will centralize P3 resources at DOT for highway, transit and other crucial projects, particularly those considered to be of regional and national significance and “those that cross state boundaries,” according to the White House statement.

If those sorts of projects are truly the focus of this initiative, perhaps there could be new life (or added momentum) for long-planned, but delayed projects like the Columbia River Crossing in Washington State/Oregon or the New International Trade Crossing between Detroit and Windsor, Ontario or even a variety of high-speed rail proposals that fell victim to budgetary politics during President Obama’s first term.

The President’s announcement offers the promise of additional access to existing DOT credit programs, including the highly successful Transportation Infrastructure Finance and Innovation Act (TIFIA) program. According to government estimates, each dollar of TIFIA loans leverages an additional $10 in private loans, guarantees, and lines of credit. The new Investment Center will also offer technical assistance to states that wish to expand private infrastructure investment and the 20 states that have not yet entered the P3 market at all. The Center may offer case studies of successful projects, examples of deal structures, and analytical toolkits.

The White House also announced that the Treasury Department will host a summit on infrastructure investment in the U.S. on September 9, 2014 for state and local officials to meet with their federal counterparts.

Article By:

James M. Auslander
Brian C. Levey
Fred R. Wagner
Of:
Beveridge & Diamond PC

Illinois Bans Employment Application Questions About Criminal Convictions

Vedder Price Law Firm

On July 21, 2014, Illinois Governor Pat Quinn signed into law the Job Opportunities for Qualified Applicants Act (HB 5701), which generally prohibits private-sector employers from inquiring about an applicant’s criminal history on a job application. When this law goes into effect on January 1, 2015, Illinois will join Hawaii, Massachusetts, Minnesota and Rhode Island as the fifth state to enact a “ban the box” law applicable to private-sector employers. A number of municipalities, including Philadelphia and San Francisco, have passed similar laws prohibiting the use of check-this-box questions on employment applications inquiring about an applicant’s criminal history.

The new Illinois law applies to private-sector employers with 15 or more employees and to employment agencies. The law prohibits covered employers from asking about an applicant’s criminal record or criminal history until after the employer has deemed the applicant qualified for the position and scheduled an interview. If hiring decisions are made without an interview, then the employer may not inquire about an applicant’s criminal record or history until it has made a conditional offer of employment to the applicant.

These restrictions do not apply to positions (a) for which federal or state law prohibits the employment of individuals who have been convicted of certain crimes or (b) for which individuals are licensed under the Emergency Medical Services Systems Act. In addition, a more limited exception applies to positions requiring a fidelity bond.

Employers with Illinois operations should plan to review the employment application forms they use and make necessary changes this fall in advance of the law’s effective date of January 1, 2015. For most covered employers, this will involve postponing until later in the hiring process the time at which questions are asked about prior criminal convictions.

Article By:

Brandon L. Dixon
Thomas G. Hancuch
Of:
Vedder Price

 

New York Proposes First State Bitcoin Regulations

Proskauer Law firm

One might have thought the biggest news in the digital currency world lately was Dell announcing that it was now accepting bitcoin. However, after a series of highly-publicized hearings in January, New York State rolled out its proposed regulations surrounding bitcoin and virtual currency – the first state in the nation to propose licensing requirements for virtual currency businesses.

 

The July 23rd New York State Register includes a Notice of Proposed Rule Making from the New York State Department of Financial Services (the “NYSDFS”) regarding the regulation of virtual currency (“Regulation of the Conduct of Virtual Currency Businesses,” No. DFS-29-14-00015-P). The proposed rule calls for the creation of the “bitlicense” which the NYSDFS has hinted at in the past. The state agency goals are two-fold: to protect New York consumers and users and ensure the safety and soundness of New York licensed providers of virtual currency products and services. Virtual currency is still a nascent industry that is generally unregulated outside of federal anti-money laundering regulations, and while anti-establishment bitcoin pioneers may revel in the “wild west” atmosphere of the digital currency, the NYSDFS feels that their proposed regulations will protect consumers from undue risk, encourage prudent practices for those engaged in virtual currency business activity and foster the growth of the New York financial sector.

 

The Notice, which refers to the full text of the proposed rule originally made available by NYSDFS on July 17th, marks the beginning of a 45-day window for public comment on the proposed rule. Interestingly, the NYSDFS concurrently released a copy of the proposed regulations on the social news site Reddit to elicit debate (note, Ben Lawsky, Superintendent of Financial Services at the NYSDFS, participated in a Reddit AMA (“Ask Me Anything”) session in February as the agency was developing the rules).

 

The proposed rule appears to be drafted to carefully exclude merchants and bitcoin miners from the scope of the licensing requirement, but include exchanges, digital wallet services, merchant service providers and others in the virtual currency ecosystem. It imposes many of the same types of requirements that we already have in the area of money transmission and clearing house services, including capital requirements, anti-money laundering safeguards, and “know your customer” type issues. It also includes requirements with respect to business continuity and cyber security issues.

 

This alert will outline some of the major elements of the “bitlicense” regulations.

 

Who’s Covered?

 

Under the proposed regulations, “Virtual Currency Business Activity” means any one of the following activities involving New York or a New York resident:

 

(1) receiving Virtual Currency for transmission or transmitting the same;

(2) securing, storing, holding, or maintaining custody or control of Virtual Currency on behalf of others;

(3) buying and selling Virtual Currency as a customer business;

(4) performing retail conversion services, including the conversion or exchange of Fiat Currency or other value into Virtual Currency, the conversion or exchange of Virtual Currency into Fiat Currency or other value, or the conversion or exchange of one form of Virtual Currency into another form of Virtual Currency; or

(5) controlling, administering, or issuing a Virtual Currency.

 

Such “virtual currency businesses” would have to obtain a license from the agency before engaging in any such business activity, though persons chartered under the New York Banking Law to conduct exchange services and are approved by the NYSDFS to engage in virtual currency business activity would be exempt. As previously mentioned, the proposed rules seemingly excludes consumers who buy goods and services with digital currency, merchants who accept digital currency and bitcoin miners from the scope of the licensing requirement, but explicitly include digital currency exchanges, digital wallet apps and services, merchant service providers, virtual currency issuers,  and other similarly situated businesses.  Specially, the agency is not seeking to regulate virtual currency used solely on online gaming platforms or digital units used exclusively for customer affinity or rewards program, but cannot be converted into fiat currency.

 

Other Important Requirements

 

  • Application Details:  Applicants would have to submit financial, insurance and banking particulars; organization charts and background reports for the principal officers and stockholders (along with fingerprints for officers, principals and employees); and an explanation of the methods used to calculate the value of virtual currency in fiat currency, among other things. Upon filing of an application, the agency will investigate the financial condition and responsibility of the applicant before issuing the bitlicense, and may revoke the license on sufficient grounds. Moreover, if the licensee wants to make a “material change” to an existing product or service, it would need the NYSDFS’s prior approval; similar approval would be required in the event of any changes of control or mergers and acquisitions.
  • Compliance: Applicants would have to comply with all federal and state laws and regulations, appoint a compliance officer to monitor activity within the business, and maintain written compliance policies relating to anti-fraud, anti-money laundering, cybersecurity, and privacy and data security. In addition, virtual currency businesses would have to submit quarterly financial statements and audited annual financial statements to the NYSDFS.
  • Capital Requirements: The proposed regulations do not outline specific capital requirements. Rather, the text suggests that licensee shall maintain levels of capital as the NYSDFS determines is sufficient to ensure financial stability, taking into account basic financial barometers. The proposed regulations also would require licensees to only invest earnings in high-quality investments with maturities of up to one year, such as certificates of deposit regulated under U.S. law, money market funds, state or municipal bonds, or U.S. Gov’t securities.
  • Anti-Money Laundering: Each licensee would be expected to enforce an anti-money laundering program with adequate internal controls and training, as well as a written policy reviewed and approved by the licensee’s board. Under the regulations, virtual currency records would have to include records containing the identity and physical addresses of the parties involved, the amount of the transaction, the method of payment, the date(s) on which the transaction was initiated and completed, a description of the transaction, and special reports of any aggregate daily transactions that exceed $10,000 or otherwise involve suspicious activity. Covered businesses would also have to conduct adequate due diligence on new customers, with enhanced scrutiny for foreign entities. Such regulations are presumably similar to the March 2013 Financial Crimes Enforcement Network (“FinCEN”) Guidance (FIN-2013-G001), which clarified that federal anti-money laundering regulations covering  “money services businesses” also applied to virtual currency exchanges.
  • Examinations: Each licensee would have to permit the NYSDFS to examine the licensee’s accounting and operations at least once every two years to determine financial stability, business soundness and compliance.
  • Cybersecurity: Under the bitlicense regulations, each licensee would have to establish an effective cybersecurity program for their electronic systems and maintain a written cybersecurity policy that covers data and network security, data governance, access controls, business continuity and disaster recovery, customer privacy, vendor management, and incident response, among others. Licensees would also have to appoint a Chief Information Security Officer responsible for implementing the cybersecurity program and also submit an annual report assessing the cybersecurity program.
  • Protection of Customer Assets: The regulations would require each licensee to maintain a bond or trust account for the benefit of its customers in an amount acceptable to the NYSDFS, and hold virtual currency of the same type and amount the licensee is storing for a customer. The licensee would be prohibited from selling or encumbering virtual currency assets stored on behalf of a customer.
  • Consumer Protection: The proposed regulations require certain disclosures before a consumer may enter into a transaction, including disclosure of the material risks associated with digital currency (e.g., digital currency is not legal tender, transactions are generally irreversible, values may fluctuate, and cyberattacks are a real concern), the general terms and conditions of conducting business with the licensee, and a detailed receipt following the completion of any transaction.

 

Looking Ahead

 

All entities involved in or planning on being involved in virtual currency-related businesses should study this proposed rule carefully. There is still an opportunity to voice concerns and have the final rule reflect any issues that the NYSDFS views as important (for example, some commentators have suggested that the regulations should contain exemptions for smaller digital currency start-ups that handle small transactions, while the Bitcoin Foundation suggests that the comment period should be open for a longer period of time to allow the industry to digest the proposal). It is likely that whatever is enacted in New York will be used as a model in other states that wish to enact a similar virtual currency licensing structure. Moreover, the regulations, as they stand today, require that any entity engaged in a “virtual currency business activity” would have to apply for a license within 45 days of the effective date of the regulations or risk being deemed to be conducting an unlicensed virtual currency business, further suggesting the importance in getting up to speed with the emerging digital currency regulatory environment in New York. It remains to be seen how onerous the final regulations and compliance obligations will be to both established digital currency service providers and start-ups alike.

Article By:

Robert. J Cleary
James P Gerkis
Martin T Hamilton
Arnold S Jacobs
Jeffrey D Neuburger
Dietrich L Snell
Of:
Proskauer Rose LLP