Category: Financial Services Law

A New Year’s Booster Shot: Congress Grants the SEC a Statutory Disgorgement Remedy and Extended Statute of Limitations

Congress opened 2021 by overturning one of President Trump’s vetoes for the first time. By large bipartisan majorities, the House and Senate overturned a presidential veto and enacted the 2021 National Defense Authorization Act (“NDAA”).1 Tucked away in the $740.5 billion defense bill were provisions granting the U.S. Securities and Exchange Commission (“SEC”) statutory authority to seek disgorgement in federal court and providing a 10-year statute of limitations for that remedy.2

Congress’s actions were in response to two landmark Supreme Court decisions that curtailed the SEC’s disgorgement powers—Kokesh v. SEC3 and Liu v. SEC4. As we detailed previouslyKokesh limited the SEC’s ability to obtain disgorgement in cases of long-running frauds, as the Supreme Court held that disgorgement was a “penalty” and thus subject to the five-year statute of limitations for penalties found in 28 U.S.C. § 2462. In Liu, the Court answered the question of whether the SEC could obtain disgorgement awards in federal court at all, which was previously unresolved as the SEC’s authorizing statutes only provided for disgorgement in administrative proceedings but were silent on disgorgement in federal court. The Court held that federal courts could continue to award the SEC disgorgement, subject to certain limiting principles.5

The 2021 NDAA addresses limitations placed on the SEC’s ability to obtain disgorgement in both cases:

  • First, the law grants the SEC express statutory authority to seek disgorgement in federal court actions. Specifically, Section 6501 of the NDAA grants the SEC the authority to seek, and the federal district courts jurisdiction to “require disgorgement .. . of any unjust enrichment by the person who received such unjust enrichment as a result of” a violation of the federal securities laws.
  • Second, the law establishes a ten-year statute of limitations—up from the five-year limitations period set by Kokesh—for securities violations that involve an element of scientere., knowledge of wrongdoing. Specifically, Section 6501 provides a ten-year statute of limitations for violations of: (1) Section 10(b) of the Exchange Act6; (2) Section 17(a)(1) of the Securities Act7; (3) Section 206(1) of the Investment Advisers Act8; or (4) “any other provision of the securities laws for which scienter must be established.”

While the statue provides the SEC with the express authority to seek disgorgement in federal court actions, the extent of its impact remains to be seen. These new amendments do not purport to define to what extent or in what amount disgorgement may be awarded. Notably, the law does not address any of the limiting principles laid out by the Supreme Court in Liu. As we previously detailed, those principles have already impacted federal court decisions regarding appropriate disgorgement amounts to be awarded to the SEC, and it will largely be up to the courts to see whether, or how, they implement these equitable limitations going forward. What seems clear, however, is that Congress’s actions give the SEC the footing it needs to continue pursuing aggressive disgorgement awards in federal court, extending its reach to conduct as far back as a decade in time. The impact will be most acutely felt in cases of long-running, intentional frauds, which may have gone unaddressed under the previous five-year statute of limitations.

1   H.R. 6395.

2   President Trump’s veto was unrelated to these provisions; it is reported that he objected to the annual bill because it failed to place limits on social media companies and allowed the renaming of military bases named after Confederate leaders. See AP News, Trump vetoes defense bill, setting up possible override votehttps://apnews.com/article/donald-trump-politics-defense-policy-bills-babbd8bbce66db1b1b28b0f4f3cb3f13 (Dec. 23, 2020).

3   581 U.S. ___; 137 S. Ct. 1635 (2017).

4   591 U.S. ___ (June 22, 2020).

5   Specifically, Liu limited federal court disgorgement awards in three material ways: (1) by indicating that disgorged funds typically should be disbursed to harmed victims; however, the Court left open whether returning funds to the U.S. Treasury could be considered to the benefit of victims; (2) by casting doubt on whether joint-and-several liability may be imposed for disgorgement awards; however, as the defendants in Liu were a married couple, the Court left it to the lower courts to determine whether joint liability should be imposed; and (3) by holding that disgorgement awards should be limited to “net” profits, i.e., profits after deducting legitimate business expenses.

6   15 U.S.C. § 78j(b).

7   15 U.S.C. § 77q(a)(1).

8   15 U.S.C. § 80b-6(1).

© Copyright 2020 Cadwalader, Wickersham & Taft LLP

The U.S. Department of Justice Releases its Cryptocurrency Enforcement Framework

Earlier this year, the U.S. Department of Justice (“DOJ”) released its highly anticipated Cryptocurrency Enforcement Framework (the “Framework”).  The Framework was developed as part of the Attorney General’s Cyber-Digital Task Force, and contains three sections:  (1) Threat Overview; (2) Law and Regulations; and (3) Ongoing Challenges and Future Strategies.

The “Threat Overview” section details various illicit uses of cryptocurrency and highlights how criminals increasingly have used cryptocurrency to fund illicit and illegal activities, including purchasing and selling illegal drugs and firearms, funding terrorist organizations, laundering money, and engaging in other illegal activities on the dark web.  The Framework also discusses how hackers have targeted cryptocurrency marketplaces for theft and fraud activities.

The “Law and Regulations” section of the Framework details the existing statutory and regulatory framework that DOJ and others have used and can use to regulate cryptocurrency.  As the Framework explains, DOJ is not the only enforcement actor in this space, and many other agencies – including, among others, the U.S. Treasury Department, the Securities & Exchange Commission, the Commodity Futures Trading Commission, and the Internal Revenue Service – have been actively enforcing violations by criminal cyber actors.  While the Framework is generally supportive of a broad, multi-pronged enforcement landscape, it highlights the difficulty of tracking and complying with an increasingly complex web of regulations created by these various agencies.

The third and final section of the Framework discusses current challenges and strategies for future enforcement.  This section notes the inherently decentralized and cross-border nature of cryptocurrency, and the problems it poses for enforcement.  Though the global nature of cryptocurrency might complicate investigations, the Framework makes clear it will not hinder DOJ’s willingness or ability to prosecute cases, stating, “The Department also has robust authority to prosecute VASPs [Virtual Asset Service Providers] and other entities and individuals that violate U.S. law even when they are not located inside the United States.  Where virtual asset transactions touch financial, data storage, or other computer systems within the United States, the Department generally has jurisdiction to prosecute the actors who direct or conduct those transactions.”  The enforcement section emphasizes the Bank Secrecy Act (BSA) and Anti Money Laundering (AML) laws as primary tools of enforcement, particularly for actors who deal with “anonymity enhanced cryptocurrencies” and technology that obscures the ownership of particular assets.  The report stresses that obligations to safeguard systems, protect consumer data, and properly maintain customer information apply not only to conventional virtual asset exchanges, but also to peer-to-peer exchanges, kiosk operators, and virtual currency casinos.

The DOJ released the Framework at a time when interest in cryptocurrency is at an all-time high.  Bitcoin passed $20,000 recently, and the record-setting level is a clear indication of increased interest in the major digital asset.  Cryptocurrencies continue to attract an increasing number of investors, including well-known companies and fund managers.  Further, the CME announced plans to expand its cryptocurrency offerings by adding Ether futures to its existing Bitcoin futures, while the CBOE recently announced plans to launch indexes tied to various digital assets in early 2021.  The Framework represents a clear indication from the DOJ that it is focused on cryptocurrency-related crimes.  Individuals and companies seeking investment or exposure to the cryptocurrency market should review their compliance obligations in light of the Framework, and ensure any deficiencies are resolved quickly.

Commentators have noted the Trump administration’s aggressive stance towards cryptocurrency, and the Framework certainly tracks that stance.  Of course, it remains to be seen whether the Biden administration will continue to take such an aggressive enforcement posture in the cryptocurrency space.  Some commentators have noted that they expect that the Biden administration will be different.  Notably, Mr. Biden has chosen Gary Gensler to lead his financial policy transition team, and Mr. Gensler has been supportive of cryptocurrencies in past writings.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.
For more, visit the NLR Communications, Media & Internet section.

You Took a PPP Loan. Now Get Ready to Talk About It.

Late on Tuesday, December 1, The U.S. Small Business Administration released detailed information about the borrowers who received loans from the federal government’s $659 billion Paycheck Protection and Economic Injury Disaster Loans Program.  The information released includes the names, precise amounts, addresses, industry codes, and lender information for the COVID-19 relief program’s roughly 5.2 million loans. The SBA had previously only released detailed information for loans above $150,000 and with dollar ranges rather than specified loan amounts.  A searchable database is located here.

Did your company, or perhaps one of your clients, apply for and accept a business loan from the Paycheck Protection Program (PPP) established by the US Federal government’s Coronavirus Aid, Relief, and Economic Security Act (CARES Act) to help certain businesses, self-employed workers, sole proprietors, nonprofit organizations and tribal businesses continue paying their workers ?  If so, you must be prepared to answer questions about your acceptance of that loan if asked about it.

We have two former journalists on our staff.  Thom Fladung, our managing partner, is the former managing editor of Detroit Free Press, The Plain Dealer and the Akron Beacon Journal.  Before coming to Hennes Communications, Howard Fencl ran TV newsrooms for more than 20 years.  Both agree that once the loan recipient information goes up on a searchable, public database, it will immediately become “low-hanging fruit,” with news editors sending reporters out to do follow-up stories about who took what, how much and why.

Frankly, we don’t have any problem with this disclosure.  The SBA routinely makes public information about the dollars loaned to small businesses, so why should PPP dollars, disbursed from the U.S. Treasury Department, be any different?

What’s different this time is the sheer size of the PPP program and the fact that an extraordinary number of companies and professional service firms – and their clients – received these “forgivable loans,” in some cases worth multi-millions of dollars, as did a wide variety of schools and other organizations with large endowments.

While there are scores of reasons – all 100% legal and ethical – why a law firm or other organization took a PPP loan, crisis management specialists know that optics often overshadow facts.  And it isn’t just reporters who will shine a spotlight on loan recipients.  Social media activists may also seek to highlight businesses and organizations in the community that received the dollars – with a direct or implied demand for justification.

If your company or client’s business applied for and accepted PPP dollars in good faith, you must be prepared to defend the loan if questioned by the media or other stakeholders – without looking defensive.

As our good friend, Richard Levick, has said repeatedly, “Use peacetime wisely.”  Levick recently suggested making sure you’re ready to answer such questions as:

  • Did you easily fall within the PPP guidelines or did you have to manipulate the rules to fit?
  • Exactly how was the money used?
  • Did you have access to other funds?
  • Specifically for schools, what has been your historic commitment to scholarships, diversity and economically disadvantaged students? What would the absence of PPP money mean for the future of these programs?
  • How do you currently support your community and the small businesses within it?

Levick further suggested that companies and organizations that come across more sympathetically in this equation will more easily deflect criticism than those who appear to have profited from this stimulus plan.

Now is the time to think about those optics, about how your partners, clients, employees, customers, friends – as well as traditional and social media outlets – are going to think when they find out how much you received.

We are not recommending spin.  We’re talking, instead, of the exact opposite – transparency. If you took the dollars, we’re suggesting the creation of clear, succinct, direct messages and talking points that answer the questions most likely to be asked.

Additionally, once these questions are asked, you’ll probably have just minutes to provide an answer to reporters who are on deadline or social media speculation that will increase by the moment.

© 2020 Hennes Communications. All rights reserved.
For more articles on the legal industry, visit the National Law Review Law Office Management section.

CFTC Whistleblower Program Helping to Drive Record-Level Enforcement Activity

The FY20 reports of the CFTC Whistleblower Program and CFTC Division of Enforcement reveal that the CFTC Whistleblower Program continues to grow and is helping to drive record-level enforcement activity.  The Division of Enforcement reported a total of $1,327,869,760 in monetary relief ordered—the fourth-highest total in CFTC history, the third straight year-over-year increase, and the second straight year in excess of $1 billion. Approximately 30 to 40% of the CFTC’s ongoing investigations now involve some whistleblower component.  Since the inception of the CFTC Whistleblower Program, CFTC enforcement actions associated with whistleblower awards have resulted in sanctions orders totaling nearly $1 billion.

Highlights of the annual report on CFTC Enforcement include:

  • The largest monetary relief ordered in CFTC history ($920 million), which included the highest restitution ($311,737,008), disgorgement ($172,034,790) and civil monetary penalty ($436,431,811) amounts in a spoofing case.
  • The most enforcement actions filed in CFTC history (113)—an increase over the previous high (102) and significantly higher than the 30-year average (58).
  • The most retail fraud actions (56) in a single fiscal year in CFTC history, including a record number of actions involving digital assets (7) and a total of 28 actions since the COVID-19 national emergency was declared on March 13, 2020.

During FY 2020, the CFTC paid whistleblowers $20 million and received 1,030 whistleblower tips and complaints, a jump of 126% over the 455 whistleblower tips received in FY 2019.  Since the inception of the CFTC Whistleblower Program, the CFTC has issued 25 orders granting a total of more than $120 million in awards.  The CFTC’s Whistleblower Office received tips and complaints regarding a wide range of violations, including:

  • failures to supervise;
  • record-keeping or registration violations;
  • swap dealer business conduct;
  • wash trading;
  • solicitation, misappropriation, and other types of fraud;
  • use of deceptive or manipulative devices in trading; and
  • spoofing and other forms of disruptive trading or market manipulation.

Under the CFTC Whistleblower Reward Program, the CFTC will issue rewards to whistleblowers who provide original information that leads to CFTC enforcement actions with total civil penalties in excess of $1 million. A whistleblower may receive an award of between 10% and 30% of the total monetary sanctions collected.

Original information “leads to” a successful enforcement action if either:

  1. The original information caused the staff to open an investigation, reopen an investigation, or inquire into different conduct as part of a current investigation, and the Commission brought a successful action based in whole or in part on conduct that was the subject of the original information; or
  2. The conduct was already under examination or investigation, and the original information significantly contributed to the success of the action.

In determining a reward percentage, the CFTC considers the particular facts and circumstances of each case. For example, positive factors may include the significance of the information, the level of assistance provided by the whistleblower and the whistleblower’s attorney, and the law enforcement interests at stake.

© 2020 Zuckerman Law
For more articles on whistleblowers, visit the National Law Review Criminal Law / Business Crimes section.

Off Payroll Working—April 2021 Changes for the Private Sector

What’s the new law all about?

On 6 April 2021, the delayed off-payroll working/IR35 rules take effect in the private sector, being brought in to address non-compliance with IR35 in the private sector. The new law:

  • applies when an individual provides services personally to a client/end user via a qualifying intermediary (personal service company, partnership or individual);
  • moves responsibility for determining employment status and deducting payroll taxes to the client/end user.

Do the new rules affect me?

The law affects all UK businesses that use intermediaries other than those in the small business exemption, and requires cooperation along the contingent labour supply chain.

Is “doing nothing” an option?

Not without risking a tax bill, HMRC investigation and bad press.

What must end users do to comply?

  • Use reasonable care to make employment status determination statement (SDS)/IR35 assessments for theircontractors, asking if, absent the intermediary, the nature and conditions of the work would cause the worker to be classed, for tax purposes, as an employee;
  • before first payment, provide a copy of the SDS, and rationale, to the contractor and down the supply chain;
  • implement a process for resolving employment status disputes (and appeals); respond to challenges within the 45 day time limit.

As end users, what steps should we be taking now?

The team: Who will take ownership of off payroll working compliance? Multi-disciplinary: HR, tax, procurement, legal.

Audit of contingent workforce and review of labour supply chains: Who are your contractors and how are they engaged (e.g., directly, through personal service company or umbrella)?

Assess the impact of the new regime: Carry out SDSs and analyse what impact the new regime will have. Do engagements need ending, or renegotiating? Do working practices and arrangements need to change?

Implementing compliance process going forward: How will new contractors be identified? How will working practices be monitored and how will SDSs be kept up to date?

© 2020 Vedder Price
For more articles on L&E, visit the National Law Review Labor & Employment section.

What Happens to an Employee’s Seniority after an Asset Sale?

In the recent decision of Manthadi v Asco Manufacturing, 2020 ONCA 485 (“Manthadi”), the Ontario Court of Appeal has clarified that an employee’s past service with their former employer does not automatically transfer to a successor employer for the purposes of calculating their common law reasonable notice entitlements. Instead, in order to fashion an appropriate notice period, the courts will consider the employee’s prior service broadly as a form of “experience” that was to the benefit of the purchaser/successor employer.

Background

In 1981, Ms. Manthadi was hired as a welder for an Ontario company. Her employment remained secure until the end of 2017, when the company was purchased in an asset sale by ASCO Manufacturing Limited (“ASCO”). After the sale, Ms. Manthadi continued to work similar hours at a similar rate of pay for ASCO until December 13, 2017, when she was laid off and never recalled.

Following the termination of her employment, Ms. Manthadi brought a successful summary judgment motion alleging wrongful dismissal. The motion judge found the common law and ESA to mirror one another with respect to how they treat an employee’s continuous employment. As such, the motion judge found that for the purposes of calculating her common law reasonable notice entitlements, Ms. Manthadi was deemed to be continuously employed by ASCO since 1981. On this basis, the motion judge found that the common law reasonable notice period for Ms. Manthadi was 20 months.

Court of Appeal

On appeal, the Ontario Court of Appeal overruled the summary judgment motion on a few grounds, including the improper use of a summary judgment motion for determining the matter. However, the Court of Appeal also took the opportunity to review and restate the law in terms of an employee’s right to reasonable notice from a purchaser of an ongoing business.

The Court of Appeal began by stating that “a sharp distinction must be drawn between termination of employment by a successor employer under the ESA and under the common law” (at para 48). Whereas notice under the ESA provided that Ms. Manthadi would be continuously employed, the common law was “equally clear that such employees are terminated (by constructive dismissal) when their employer sells the business and there is a change in the identity of the employer” (at para 48).

This distinction between the ESA and common law raises problems for long-term employees. Specifically, the duty to mitigate requires wrongfully dismissed employees to minimize their damages by taking up new work. In the context of a sale of a business, long-term employees are usually offered identical employment with the purchasing company. Failure to accept this employment will likely be considered a failure to mitigate, potentially ending any claim. Accepting the employment, however, means that any claim of wrongful or constructive dismissal will likely be mitigated out of existence.

The Court of Appeal recognized this problem for long-term employees, noting at paragraph 53:

“Thus, long-term employees, who are employed by the purchaser of their employer’s business, have little prospect of obtaining damages for the termination of their employment. Damages aside, people need jobs. Employees terminated by the sale of a business often have no realistic option other than to accept the offer of a new contract of employment with the purchaser if such is offered. If they are subsequently terminated by the purchaser, the new start date of their term of service weighs in favour of a shorter notice period than had the business not been sold.”

The resolution, says the Court of Appeal, involves reliance on the factors pronounced in the time-tested case of Bardal v The Globe & Mail Ltd. (1960), 1960 CanLII 294 (ON SC). Better known as the Bardal factors, the Court relies on such factors to determine reasonable notice at common law. In considering the Bardal factors, the Court accepted that the “experience” of an employee (and the benefit that such experience had for the purchaser) was a relevant factor that the Court could rely upon in fashioning the appropriate reasonable notice period where there had been a sale of a business and successive employment.

Implications from Manthadi

Prior to this decision, long-term employees seeking common law notice were usually given the benefit of having prior years of service recognized despite any sale of the business. This is no longer to be presumed. Rather, for calculating reasonable notice at common law, prior years of service with a former employer are translated into “experience.” While the Court of Appeal in Manthadi considered this to provide greater flexibility, it will almost certainly raise areas of contention for similar wrongful dismissal disputes going forward.

It remains to be seen whether trading off “years of service” for “experience” will decrease (or in certain cases increase) the notice entitlements for long-term employees being terminated after an asset sale. If notice entitlements do decrease, then purchasers inheriting a workforce may be exposed to less liability in the event of a wrongful dismissal claim.

© 2020 Miller, Canfield, Paddock and Stone PLC
For more articles on employee asset sales, visit the National Law Review Labor & Employment section.

NY’s Gendered Pricing Law: Will It Curb the Pink Tax

Women often pay more than men for similar goods and services.  A shampoo for men may be nearly identical in chemical makeup to a shampoo for women, but the woman will pay more.  This phenomenon is referred to as the “pink tax” – products marketed to women cost more than their counterparts marketed to men.  Recent data analyzing toys, clothing, personal care products and home health products shows that: (1) products targeted at women are higher-priced than those targeted at men 42% of the time; and (2) of those items more expensive for women, the prices are an average of 7% higher.[1] The pink tax thus places a direct cost on individuals who purchase products marketed to women.

Some states are starting to enact laws aimed at curbing the pink tax.  On September 30, 2020, a New York ban on the pink tax took effect under a newly passed gendered pricing law, Section 391-U.[2]  The law prohibits sellers from charging different prices for any two goods or services that are “substantially similar” but are marketed to or intended for different genders.[3]  It applies to goods and services for personal, family, or household purposes.[4]

Where there is discriminatory pricing under the law, the NY attorney general may seek an injunction to enjoin and restrain the upcharges.[5]  The injunction can be issued without proof of injury in fact.[6]  The court may also tag on a civil penalty not to exceed two hundred fifty dollars for a first violation and five hundred dollars for a subsequent violation.[7]

Although the law is aimed at eliminating the pink tax, there are many loopholes and exclusions.

First, only the attorney general is granted a right of action – there is no private right of action.[8]  Individual consumers may, however, demand a complete written price list from service providers.[9]

Second, the law is limited to goods that are substantially similar.[10]  Substantially similar goods are only those that have no substantial differences in (1) the materials used in production, (2) the intended use, (3) the functional design and features and (4) the brand.[11]  This leaves open the possibility that one company, operating under two brands, can sell products to women at a higher price without violating the law.  For example, if a parent company operates under two gendered hair dye brands, could the brands sell similarly crafted dye for women at a higher price than for men, or would that constitute a violation by the company under Section 391-U?

Likewise, substantially similar services include only those that exhibit no substantial difference in (1) the amount of time needed to provide a service; (2) the difficulty in providing a service; and (3) the cost of providing a service.[12]  This creates further loopholes.  For example, a publisher of two magazines, one targeted at men, and the other targeted at women, could argue that providing subscription services and the content that accompanies those services is always more expensive for women readers.  Rebutting this argument could require extensive testimony from experts in the publishing field.

Third, even where substantially similar goods and services are at issue, the law permits price disparities in many situations.  The law specifically carves out an exemption for price disparities based on: “(a) the amount of time it took to manufacture such goods or provide such services; (b) the difficulty in manufacturing such goods or offering such services; (c) the cost incurred in manufacturing such goods or offering such services; (d) the labor used in manufacturing such goods or providing such services; (e) the materials used in manufacturing such goods or providing such services; or (f) any other gender-neutral reason for having increased the cost of such goods or services.”[13]

The personal care industry may rely on this broad list of exemptions to continue charging higher prices for products advertised to women.  Notably, the price disparity for gendered products in the personal care industry is higher than elsewhere – on average, up to 13% more for women.[14] One of the largest price discrepancies is in hair care – products cost women nearly 48% more, with an average difference of $2.71 per set of shampoo and conditioner.[15]

NY has paired this new law with a social media campaign centered around the hashtag #PinkTax to raise awareness, which at the time of this blog’s publish, has 10.8K posts.[16] With the buzzing publicity surrounding this legislation, the retail industry should be prepared for other states to pass similar laws.

FOOTNOTES

[1]https://www.governor.ny.gov/news/governor-cuomo-unveils-10th-proposal-20…referencing https://www1.nyc.gov/assets/dca/downloads/pdf/partners/Study-of-Gender-P…

[2] 26 N.Y. GBS § 391-U.

[3] 26 N.Y. GBS § 391-U(2)-(3).

[4] Id., at (1)(b)-(c).

[5] Id., at (6).

[6] Id.

[7] Id.

[8] See id.

[9] Id., at (5).

[10] Id., at (1)(d)(i).

[11] Id.

[12] Id., at (1)(d)(ii).

[13] Id., at (4)(a)-(f).

[14] https://www1.nyc.gov/assets/dca/downloads/pdf/partners/Study-of-Gender-P…

[15] Id.

[16] https://www.governor.ny.gov/news/governor-cuomo-launches-campaign-elimin…

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.
For more articles on the pink tax, visit the National Law Review Tax section.

Commerce, Culture, and Compliance

Banking, at least since the passage of the Federal Reserve Act in 1913 and the creation of Federal Deposit Insurance under the Glass-Steagall Act of 1933 (FDIC insurance actually became effective January 1, 1934), has been seen (at least in popular portrayals in books and movies) as a rather staid business conducted in marble edifices by men (although that is changing) who were reserved and rather aloof. All that changed in 1973 in the South Jersey town of Cherry Hill, less than 10 miles from Center City, Philadelphia. Vernon Hill, a Wharton School graduate and fast-food restaurant franchise owner (McDonald’s), decided to turn banking “on its ear,” by bringing fast-food convenience to banking.

Commerce Bank

Over the ensuing 33 years, he expanded Commerce Bank from one to over 435 locations, with each branch (internally called a “store”) having a standard and almost identical design. Commerce called itself, with good reason, the most convenient bank in America. Commerce was open 7 days a week (except in Bergen County, New Jersey). Commerce was known for its ”penny arcade” coin counting machines for customers and non-customers alike. It offered no-fee Visa gift cards, reimbursement of foreign ATM fees, and lollipops and dog biscuits in lobbies and drive-throughs. Commerce’s slogan was “No Stupid Fees, No Stupid Hours,” and it became known as “Mc-Bank.” Commerce Bank had “stores” from Florida to New York. The rapid growth and successes of Commerce Bank even led to a Harvard Business Review article in 2002, Frei, Francis X., Hajim, Corey, “Case Study: Commerce Bank” (2002-12-02).

Commerce Bank was a financial institution that placed a premium on market-driven entrepreneurship and innovation. But sometimes it moved too far, too fast for regulators. That culminated in a settlement by Commerce with both the Office of the Controller of the Currency (“OCC”) (the regulator of national banks, i.e., banks incorporated under the National Bank Act of 1863, as amended) and the Board of Governors of the Federal Reserve System (“FRB”), pursuant to which Commerce was substantially restricted in its ability to expand. That led Vernon Hill to retire in 2007 (with significant subsequent litigation between him and the bank). In late 2007, TD Bank, N.A., entered into an agreement to buy Commerce Bank in a transaction that closed March 31, 2008, just in time for the Great Recession of 2007-2009. After 2008, Commerce Bank became TD Bank, N.A., or did it? Who exactly is TD Bank, N.A., and where did IT come from?

TD Bank, N.A.

TD Bank, N.A., is an American subsidiary (incorporated under the National Bank Act) of Toronto-Dominion Bank, one of the so-called “Big Five” Canadian banks (and in fact the second-largest Canadian bank after Royal Bank of Canada). The Big Five have found it difficult to expand within Canada for both regulatory and political reasons. For example, the Bank of Montreal acquired Harris Trust Company of Chicago in 1984, and the Canadian Imperial Bank of Commerce purchased the U.S. investment banking firm Oppenheim & Co. in 1997. Accordingly, Toronto-Dominion cast its eyes south of the border as the 21st century arrived. [It is noteworthy that Toronto-Dominion also looked to the U.S. to grow in capital market services when it acquired Waterhouse Securities in 1996, which, in a later merger, led to Toronto-Dominion becoming the largest owner of TD Ameritrade].

In 1852, the Portland Savings Bank opened its doors in Portland, Maine, and then grew through mergers and acquisitions to become Peoples Heritage Bank in 1983. Around 2000, that institution expanded further throughout New England and became Banknorth. In 2004, Toronto-Dominion, looking for opportunities in the U.S., acquired majority ownership of Banknorth, with the American operation becoming TD Banknorth in 2007. By September 2009 all of the Commerce Bank “stores” and all of the TD Banknorth branches had been rebranded as “TD Bank, N.A.” Subsequent acquisitions in September 2010 in North and South Carolina filled in the reach of TD Bank, N.A., branches, which now stretched from Florida to Maine. It is noteworthy that TD Bank, N.A., adopted, by 2009, the slogan that it was “America’s Most Convenient Bank.”

So, to answer the second question posed above, TD Bank, N.A., is a major financial bank in the U.S. that can trace its origins to the “Down-East” of the rocky shores of Maine as a thrift institution. As of 2009, it “OWNED” the remnants of “Mc-Bank.” It has long been recognized that a key factor in mergers or acquisitions is the divergence (if any) between the cultures of the merging entities, and the ability to manage overcoming that divergence. Clearly, the “Banknorth” origins of TD Bank, N.A., are startlingly different from the entrepreneurial “fast-food” focus of “Mc-Bank.” The Harvard Business Review published a lengthy analysis of the Amazon 2017 acquisition of Whole Foods in the October 2, 2018, issue, “One Reason Mergers Fail: The Two Cultures Aren’t Compatible.” The more encyclopediac March 26, 2019, work from Oliver Engert, Becky Kaetzler, Kameron Kordestani, and Andy MacLean of McKinsey & Company, entitled “Organizational Culture in Mergers: Addressing the Unseen Forces,” defines culture, “… as the vision or mission that drives a company, the values that guide the behavior of its people, and the management practices, working norms, and mindsets that characterize how work actually gets done.”

Culture and Bank Mergers

On August 19, 2020, TD Bank, N.A., accepted a Consent Order from the Bureau of Consumer Financial Protection (“CFPB”) requiring the bank to pay to the bureau (or its agent), within ten days, both a $25 million civil penalty AND $97 million to fund “redress payments” to approximately 1.42 million present and former customers of the bank, who from January 1, 2014, through December 31, 2018, were wrongly charged overdraft fees in violation of the Electronic Fund Transfer Act and Regulation E. In addition, the bank was determined to have failed to meet its obligations under the Fair Credit Reporcting Act by refusing to investigate customer claims of error in the information provided to Credit Reporting Agencies. In relation to the Regulation E violations, the bank was found to have repeatedly falsely described the scope, timing, and costs of the various overdraft protection plans. The bank did not provide customers with a full description of overdraft plans and their costs until after a customer had orally “signed up” for a particular coverage (or declined it), although Regulation E requires written consent to be obtained from a customer to pay overdraft fees BEFORE such fees may be charged. Indeed in off-site locations, not a regular “store,” the bank employees frequently failed to bring the overdraft coverage disclosure forms to the places where those employees sought to enroll new customers. The Consent Order also prevents the bank from seeking any tax reduction or offset because of the civil money penalty, and forbids the bank from referring to the payment of that penalty in response to any other civil litigation brought by any bank customer against the bank (for example, a defamation claim based on the bank’s refusal to investigate customer claims of error with respect to credit information furnished by the bank to a credit reporting agency). One cannot help but note, given the institutional histories set out above, that the CFPB in the Consent Order consistently quotes bank employees who refer to the bank’s “stores.”

The Fair Credit Reporting Act, which dates from 1970, has long required furnishers of credit information to timely investigate and respond to claims of error. Regulation E as it relates to overdraft protection plans and fees dates from 2005. Yet these were apparently “foreign requirements” to the staff and management of TD Bank, N.A., a kind of willful blindness unexpected in a large (the seventh-largest in the U.S. by deposits and the eighth largest by total assets), sophisticated financial institution that styles itself as catering to individual customers; i.e., a truly sizable retail bank. Did the lapses in compliance – including flat-out material misstatements – stem from the cultural disparities between Commerce Bank and Banknorth? That is a question that only careful sociological and economic analysis can answer, but the August 19, 2020, Consent Order certainly suggests that bank examiners ought to look beyond the immediacy of files and financial statements.

©2020 Norris McLaughlin P.A., All Rights Reserved
For more articles on finance, visit the National Law Review Financial Institutions & Banking section.

Ransomware Payments Can Lead to Sanctions and Reporting Obligations for Financial Institutions

With cybercrime on the rise, two U.S. Treasury Department components, the Office of Foreign Assets Control (“OFAC”) and the Financial Crimes Enforcement Network (“FinCEN”), issued advisories on one of the most insidious forms of cyberattack – ransomware.

Ransomware is a form of malicious software designed to block access to a system or data.  The targets of ransomware attacks are required to pay a ransom to regain access to their information or system, or to prevent the publication of their sensitive information.  Ransomware attackers usually demand payment in the form of convertible virtual currency (“CVC”), which can be more difficult to trace.  Although ransomware attacks were already on the rise (there was a 37% annual increase in reported cases and a 147% increase in associated losses from 2018 to 2019), the COVID19 pandemic has exacerbated the problem, as cyber actors target online systems that U.S. persons rely on to continue conducting business.

OFAC

The OFAC advisory focuses on the potential sanctions risks for those companies and financial institutions that are involved in ransomware payments to bad actors, including ransomware victims and those acting on their behalf, such as “financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response.”  OFAC stresses that these payments may violate US sanctions laws or OFAC regulations, and encourage future attacks.

OFAC maintains a consolidated list of sanctioned persons, which includes numerous malicious cyber actors and the digital currency addresses connected to them.[1]  Any payment to those organizations or their digital currency wallets or addresses, including the payment of a ransom itself, is a violation of economic sanctions laws regardless of whether the parties involved in the payment knew or had reason to know that the transaction involved a sanctioned party.  The advisory states that “OFAC has imposed, and will continue to impose, sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for these activities.”

In addition to violating sanctions laws, OFAC warned that ransomware payments with a sanctions nexus threaten national security interests.  These payments enable criminals to profit and advance their illicit aims, including funding activities adverse to U.S. national security and foreign policy objectives.  Ransomware payments also embolden cyber criminals and provide no guarantee that the victim will regain access to their stolen data.

Any payment to those organizations or their digital currency wallets or addresses, including the payment of a ransom itself, is a violation of economic sanctions laws regardless of whether the parties involved in the payment knew or had reason to know that the transaction involved a sanctioned party.

OFAC encourages financial institutions to implement a risk-based compliance program to mitigate exposure to potential sanctions violations.  Accordingly, these sanctions compliance programs should account for the risk that a ransomware payment may involve a Specially Designated National, blocked person, or embargoed jurisdiction.  OFAC encouraged victims of ransomware attacks to contact law enforcement immediately, and listed the contact information for relevant government agencies.  OFAC wrote that it considers the “self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”  OFAC will also consider a company’s cooperation efforts both during and after the ransomware attack when evaluating a possible outcome.

Such cooperation may also be a “significant mitigating factor” in determining whether and to what extent enforcement is necessary.

FinCEN

FinCEN’s advisory also encourages entities that process payments potentially related to ransomware to report to and cooperate with law enforcement.  The FinCEN advisory arms these institutions with information about the role of financial intermediaries in payments, ransomware trends and typologies, related financial red flags, and effective reporting and information sharing related to ransomware attacks.

According to FinCEN, ransomware attacks are growing in size, scope, and sophistication.  The attacks have increasingly targeted larger enterprises for bigger payouts, and cybercriminals are sharing resources to increase the effectiveness of their attacks.  The demand for payment in anonymity-enhanced cryptocurrencies has also been on the rise.

FinCEN touted “[p]roactive prevention through effective cyber hygiene, cybersecurity controls, and business continuity resiliency” as the best ransomware defense.  The advisory lists numerous red flags designed to assist financial institutions in detecting, preventing, and ultimately reporting suspicious transactions associated with ransomware payments.  These red flags include, among others: (1) IT activity that shows the existence of ransomware software, including system log files, network traffic, and file information; (2) a customer’s CVC address that appears on open sources or is linked to past ransomware attacks; (3) transactions that occur between a high-risk organization and digital forensics and incident response companies or cyber insurance companies; and (4) customers that request payment in CVC, but show limited knowledge about the form of currency.

Finally, FinCEN reminded financial institutions about their obligations under the Bank Secrecy Act to report suspicious activity, including ransomware payments.  A financial institution is required to file a suspicious activity report (“SAR”) with FinCEN if it knows, suspects, or has reason to suspect that the attempted or completed transaction involves $5,000 or more derived from illegal activity.  “Reportable activity can involve transactions . . . related to criminal activity like extortion and unauthorized electronic intrusions,” the advisory says.  Given this, suspected ransomware payments and attempted payments should be reported to FinCEN in SARs.  The advisory provides information on how financial institutions and others should report and share the details related to ransomware attacks to increase the utility and effectiveness of the SARs.  For example, those filing ransomware-related SARs should provide all pertinent available information.  In keeping with FinCEN’s previous guidance on SAR filings relating to cyber-enabled crime, FinCEN expects SARs to include detailed cyber indicators.  Information, including “relevant email addresses, Internet Protocol (IP) addresses with their respective timestamps, virtual currency wallet addresses, mobile device information (such as device International Mobile Equipment Identity (IMEI) numbers), malware hashes, malicious domains, and descriptions and timing of suspicious electronic communications,” will assist FinCEN in protecting the U.S. financial system from ransomware threats.

[1] https://home.treasury.gov/news/press-releases/sm556

© Copyright 2020 Squire Patton Boggs (US) LLP
For  more articles on cybersecurity, visit the National Law Review Communications, Media & Internet section.

COVID-19: FCA and PRA Updates on Working from Home and Key Workers

On September 24, the UK Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) updated their respective statements, originally published in March, regarding key workers and working from home during the COVID-19 pandemic. Both the FCA and PRA advised firms to follow government advice on remote working until notified otherwise.

In addition, the FCA further updated its statement in respect of work-related travel and the responsibilities of senior managers under the Senior Managers and Certification Regime (SM&CR), explaining that:

  • firms should continue to discuss working arrangements with staff and support their employees in facilitating appropriate working arrangements; and
  • senior managers are expected to take account of changes in the applicability of local and national lockdown restrictions and to review and update employee working arrangements on a continuing basis.

A key financial worker is one who fulfills a role that is necessary for a firm to continue to provide essential daily financial services to consumers or to ensure the continued functioning of markets. Firms should identify a key worker by determining which activities, services or operations, of which, if interrupted, are likely to lead to the disruption of essential services to the real economy or financial stability.

Individuals essential to support functions so identified are that firm’s key financial workers. Firms should also identify any critical outsource partners who are essential to continued provision of services, even where these are not financial services firms.

The FCA also suggests that firms consider issuing a letter to all individuals they identify as key workers. The FCA recommends that the letter includes a notice, expressly stating “the individual has been designated as a key worker in relation to their employment by [firm name]” and is signed by someone with appropriate authority.

The FCA update on remote working is available here.

©2020 Katten Muchin Rosenman LLP
For more articles on employment, visit the National Law Review Labor & Employment section.