Federal Agencies Have Placed a Heightened Priority on Whistleblowers and Speedy Cooperation

As new areas of the law emerge, driven in part by technology and the free flow of information, federal agencies are becoming more aggressive with a tried and true carrot-and-stick approach to law and regulatory enforcement.

In a recent PLI panel on government enforcement priorities in May 2024, Brent Wible, Chief Counselor, Office of the Assistant Attorney General, Department of Justice (DOJ or Department); Daniel Gitner, Chief of the Criminal Division, US Attorney’s Office for the Southern District of New York (SDNY or the Office); and Antonia Apps, Director of the New York Regional Office of the Securities and Exchange Commission (SEC or Commission) shared their thoughts, priorities and practices in 2024 enforcement and beyond.

All of the government lawyers stressed that the DOJ and enforcement agencies are open and are actively encouraging whistleblowers with new incentives and programs. To that end, Mr. Gitner from the SDNY stated very directly that corporations need to understand that there is a “need for speed” in corporate self-disclosures. Otherwise, whistleblowers will be closing the door to the benefits of corporate self-disclosures. Put differently, enforcement agencies do not want a corporation to complete lengthy internal investigations before reporting.

A uniform theme and stance taken by all is that whistleblowers are valuable, and bounties will be paid in cash or in deferred prosecution agreements or possibly both. Whistleblowers must be protected. Internal and external whistleblowers should be encouraged.
This article focuses on three whistleblower initiatives—(i) the SEC’s Whistleblower Program, (ii) the SDNY Whistleblower Pilot Program and (iii) DOJ’s Pilot Whistleblower Program for voluntary self-disclosure—and how those programs may impact a corporation’s response to whistleblowers, internal investigations, and disclosures.

SEC 21F WHISTLEBLOWER PROGRAM

Since its inception more than a decade ago, the SEC’s Whistleblower Program is widely viewed as successfully incentivizing whistleblower reports of violations of the securities laws. In its 2023 fiscal year, the SEC received more than 18,000 tips from whistleblowers and issued the most awards to whistleblowers ever in one year, totaling nearly US$600 million. That year, the Commission also issued its largest ever award of US$279 million to a single whistleblower.1

What is the SEC’s Whistleblower Program?

Section 21F of the Securities Exchange Act of 1934, codified as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act, requires the SEC to pay awards to whistleblowers who provide information to the SEC about violations of federal securities laws.2 Accordingly, the SEC has issued a series of rulemakings implementing Section 21F to create its whistleblower program. To qualify as a whistleblower, an individual must voluntarily provide the SEC with original information in writing about a possible violation of federal securities law that has occurred, is ongoing, or is about to occur.3 To qualify for an award, this information must lead to a successful enforcement action with monetary sanctions totaling more than US$1 million.4

“Original” information means that it cannot be found in publicly available sources and is not already known by the Commission, but is instead the product of the whistleblower’s independent knowledge or analysis.5 A submission is “voluntary” if the whistleblower provides it to the SEC before receiving a regulatory request or demand for information relating to the same subject matter. Therefore, a submission of information that is made in response to a request, inquiry, or demand by the SEC, the Public Company Accounting Oversight Board, a self-regulatory organization (such as the Financial Industry Regulatory Authority), or a separate federal or state governmental body does not qualify as a voluntary submission.6 Additionally, a submission that is required under a legal or contractual duty to the Commission is not considered voluntary and is thus ineligible for an award.7

The SEC’s whistleblower rules also include anti-retaliation protections intended to ensure that the incentives provided to whistleblowers for reporting are not outweighed by a fear of reprisal from their employer. Under Rule 21F-17, companies are prohibited from interfering with or impeding a whistleblower’s communications to the SEC about a possible violation of the securities laws, including through enforcement or threatened enforcement of a confidentiality agreement that may be read to prevent whistleblower communications with the SEC.8

The SEC is taking violations of Rule 21F-17 seriously and has increased enforcement activity in this area over the last two years. The Commission brought a number of actions, with significant civil penalties, focused on corporate agreements containing confidentiality language that, according to the SEC, does not provide an express exception for whistleblower communications. The enforcement actions extend to different types of companies, including publicly traded companies, privately held companies, broker-dealers and investment advisers, and to a variety of forms of agreements with employees and customers alike.9

For example, a gaming company paid US$35 million to settle claims that it had violated the whistleblower protection rule by requiring former employees to execute separation agreements that obligated them to notify the company of any request for information received from the Commission, in addition to compliance failures regarding workplace complaints.10 In January 2024, the SEC settled the largest ever standalone Rule 21F-17 case, imposing US$18 million in civil penalties against a dually registered investment adviser and broker dealer for allegedly requiring clients to sign a confidential release agreement—without expressly allowing for direct communications to regulators regarding potential securities law violations—in order to receive certain credit or settlement payments.11 In another case involving US$10 million in civil penalties, the Commission charged a registered investment adviser with a standalone violation of Rule 21F-17 based on employment agreements that contained a confidentiality clause prohibiting external disclosure of confidential company information, without a carve-out for voluntary communications with the SEC concerning possible violations of the securities laws.12 As recently stated by the co-chief of the SEC Enforcement Division’s Asset Management Unit, “Investors, whether retail or otherwise, must be free to report complaints to the SEC without any interference. Those drafting or using confidentiality agreements need to ensure that they do not include provisions that impede potential whistleblowers.”13

SDNY WHISTLEBLOWER PILOT PROGRAM

In February 2024, the SDNY launched a whistleblower pilot program. The purpose of the program is to encourage early and voluntary self-disclosure of criminal conduct by individual participants.14 The program is applicable to disclosures of conduct committed by public or private companies, exchanges, financial institutions, investment advisers, or investment funds involving fraud or corporate control failure or affecting market integrity, or criminal conduct involving state or local bribery or fraud relating to federal, state, or local funds.15 In exchange for a qualifying self-disclosure, the Office will enter into a non-prosecution agreement with the whistleblower.16

Given that a non-prosecution agreement is promised, the SDNY has identified factors to determine whether a whistleblower qualifies for a discretionary non-prosecution agreement. The most salient include: whether and to what extent the misconduct is unknown to either SDNY or the DOJ; whether the information is disclosed voluntarily to SDNY and not in response to an inquiry or obligation to report misconduct; whether the whistleblower provides substantial assistance in the investigation and prosecution of culpable individuals, and in the investigation and prosecution of the disclosed conduct; whether the whistleblower truthfully and completely discloses all criminal conduct they participated in and are aware of; whether the whistleblower is a chief executive officer or chief financial officer of a public or private company, who is not eligible for the pilot program; and the adequacy of noncriminal sanctions, such as remedies imposed by civil regulators.

Mr. Gitner said the defense bar is coming around to a non-prosecution carrot for individuals involved in wrongdoing within the corporation. Mr. Gitner said that SDNY seeks early discussions, and the pilot program seems to be driving toward that goal.

DOJ PILOT PROGRAM ON VOLUNTARY SELF-DISCLOSURES FOR INDIVIDUALS

In March 2024, the DOJ announced an upcoming program to reward whistleblowers who report corporate crimes. The new program seeks to bolster existing whistleblower programs established by the SEC (discussed above), the Commodity Futures Trading Commission (CFTC), the Internal Revenue Service, and the Financial Crimes Enforcement Network.17 Accordingly, the program will offer rewards to whistleblowers who provide information on misconduct that is not under the jurisdiction of those agencies. In particular, the Department is interested in criminal abuses of the US financial system, foreign corruption cases outside of the SEC’s jurisdiction, and domestic corruption cases. In order to qualify, an individual must provide original, nonpublic, and truthful information that assists the Department in uncovering “significant corporate or financial misconduct” and is previously unknown to the agency.18 Like the SEC and CFTC, the Department does not plan to provide awards for information that is submitted under a preexisting duty or in response to an inquiry.19 Access to the program is only available where existing programs or qui tam actions do not exist. Additionally, the whistleblower in this program cannot be involved in the criminal activity itself. After compensation to victims, the whistleblower will receive a portion of the resulting forfeiture as a reward.20

Interestingly, however, it appears the Department may be moving away from offering monetary awards to whistleblowers. In April 2024, the Department introduced a pilot program that tracks with the SDNY and offers mandatory non-prosecution agreements to individuals who provide information on corporate misconduct.21 Under the program, an individual must voluntarily self-disclose original information to the Criminal Division about criminal misconduct that is not previously known to the Department. The information must be “truthful and complete,” meaning it must include all known information relating to the misconduct, including the individual’s own culpability. In particular, the Department seeks information on violations by financial institutions; violations related to market integrity committed by financial institutions, investment advisers, investment funds, or public or private companies; foreign corruption and bribery violations by public or private companies; violations relating to health care fraud or illegal health care kickbacks; fraud or deception against the United States in connection with federally funded contracting; and bribery or kickbacks to domestic public officials by public or private companies. The whistleblower also cannot be a chief executive officer, chief financial officer, or the equivalent of a public or private company; or an elected or appointed foreign government or domestic government official; nor can the whistleblower have a previous felony conviction or a conviction of any kind involving fraud or dishonesty. Irrespective of this program, the Department still has the discretion to offer a non-prosecution agreement to individuals who may not meet the above criteria in full, subject to Justice Manual and Criminal Division procedures.22

TAKEAWAYS

The takeaways here for corporate in-house legal departments are:

  • Federal agencies are incentivizing whistleblowers with cash and non-prosecution agreements. It is clear that wrongdoers and witnesses now more than ever have several whistleblower programs from which to choose. As a result, corporations must become more vigilant at detecting wrongdoing and effectively utilizing internal reporting systems. Careful consideration of an early self-disclosure to the appropriate agency may also be warranted. Internal investigations will take a heightened priority to aid the C-suite and board on disclosure decisions.
  • Not only is protecting whistleblowers a priority, but encouraging whistleblowers through heightened compliance programs, updated hotlines or other internal reporting programs should be considered. You may also wish to consider offering financial incentives for timely reporting to the corporation’s internal reporting program. All of these measures will benefit the company in any government disclosure.
  • The enforcement risk for companies under the SEC’s whistleblower rules is real and potentially significant, including with respect to day-to-day business activities (such as entering into client or employee confidentiality agreements) that may not otherwise be recognized as creating regulatory exposure. Companies may wish to revisit their standard contracts and compliance materials to ensure that any confidentiality provisions align with Rule 21F-17.

We acknowledge the contributions to this publication from our summer associate Minu Nagashunmugam.

1 https://www.sec.gov/newsroom/enforcement-results-fy23.

2 https://www.sec.gov/about/offices/owb/reg-21f.pdf, p. 2.

3 https://www.sec.gov/about/offices/owb/reg-21f.pdf, p. 2.

4 https://www.sec.gov/about/offices/owb/reg-21f.pdf, p. 3.

5 https://www.sec.gov/about/offices/owb/reg-21f.pdf, p. 5.

6 https://www.sec.gov/about/offices/owb/reg-21f.pdf, p. 5.

7 https://www.sec.gov/about/offices/owb/reg-21f.pdf, p. 5.

8 https://www.sec.gov/about/offices/owb/reg-21f.pdf, p. 28.

9 The SEC’s Office of the Whistleblower has stated that violations of Rule 21F-17 may be triggered by “internal policies, procedures, and guidance, such as codes of conduct, compliance manuals, training materials, and other such documents.” SEC, Whistleblower Protections (last updated July 1, 2024) https://www.sec.gov/enforcement-litigation/whistleblower-program/whistleblower-protections#anti-retaliation.

10 https://news.bloomberglaw.com/securities-law/sec-biggest-whistleblower-penalty-signals-broad-protection-focus?context=search&index=11

11 In re JP Morgan Sec. LLC, File No. 3-21829 (Jan. 16, 2024), https://www.sec.gov/files/litigation/admin/2024/34-99344.pdf.

12 In re D.E. Shaw & Co., L.P., File No. 3-21775 (Sept. 29, 2023), https://www.sec.gov/files/litigation/admin/2013/34-70396.pdf.

13 SEC Press Release (Jan. 16, 2024), https://www.sec.gov/newsroom/press-releases/2024-7.

14 https://www.justice.gov/d9/2024-05/sdny_wb_policy_effective_2-13-24.pdf

15 https://www.justice.gov/d9/2024-05/sdny_wb_policy_effective_2-13-24.pdf

16 https://www.justice.gov/d9/2024-05/sdny_wb_policy_effective_2-13-24.pdf

17 https://www.justice.gov/opa/speech/acting-assistant-attorney-general-nicole-m-argentieri-delivers-keynote-speech-american

18 https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-monaco-delivers-keynote-remarks-american-bar-associations

19 https://www.justice.gov/criminal/media/1347991/dl?inline

20 https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-monaco-delivers-keynote-remarks-american-bar-associations

21 https://www.justice.gov/criminal/media/1347991/dl?inline

22 https://www.justice.gov/criminal/media/1347991/dl?inline

Two Blockbuster U.S. Supreme Court Decisions May Spell End of NLRB’s Expansion of Reach of NLRA as Well as How Agency Prosecutes Cases

The U.S. Supreme Court issued two blockbuster decisions this week, both of which likely will curtail the ability of federal agencies, including the NLRB, to prosecute cases and expand the law.

In a 6-3 decision announced Thursday in Securities and Exchange Commission v. Jarkesy et al., U.S., No. 22-859 (Jun. 27, 2024), the Supreme Court ruled that when the SEC seeks civil penalties against a defendant, the defendant is entitled to a trial by jury. As reported here, this decision could affect a future ruling in Space Exploration Technologies Corp. v. NLRB, No. 24-40315 (5th Cir. 2024), a case challenging the authority of National Labor Relations Board (“NLRB”) Administrative Law Judges (“ALJs”) on the same grounds.

Perhaps more significant, a 6-2 decision announced Friday in Loper Bright Enterprises et al. v. Raimondo, Secretary of Commerce, et al., No. 22-451 (Jun. 28, 2024), eliminates the deference given to federal agencies to interpret laws by reversing the Chevron decision.

Jarkesy: Viability of Agency Administrative Law Judges Put Into Question

Jarkesy Background
In 2013, the Securities and Exchange Commission (“SEC”) initiated an enforcement action and sought civil penalties for alleged fraud against Defendants. Relying on relatively new authority conferred by the 2010 Dodd-Frank Act, the SEC opted to adjudicate the matter itself before an agency ALJ. In 2014, the SEC ALJ issued a decision levying civil penalties as well as other relief against the Defendants.

Defendants petitioned for judicial review at the Fifth Circuit, which held in 2022 that the agency’s decision to have an ALJ adjudicate the case violated the Defendants’ Seventh Amendment right to a jury trial. The Fifth Circuit also identified two further constitutional problems: (1) Congress violated the nondelegation doctrine by authorizing the SEC to choose whether to litigate this action in court or adjudicate the matter itself; and (2) the insulation of SEC ALJs from executive supervision, with two layers of for-cause removal protections, violated the separation of powers doctrine.

On March 8, 2023, the SEC appealed the Fifth Circuit’s decision to the Supreme Court. Oral argument was heard on November 29, 2023.

Jarkesy Supreme Court Decision
The Supreme Court held that the Seventh Amendment of the United States Constitution entitled Defendants to a jury trial where the SEC sought civil penalties for securities fraud. Writing for the majority, Chief Justice John Roberts reasoned that the SEC’s antifraud provisions “replicate common law fraud” claims, which must be heard by a jury. As a result, where a claim brought by an agency (1) resembles common law causes of action; and (2) seeks a remedy traditionally obtained in a court of law, a Seventh Amendment jury right attaches to the claim.

The Court recognized an exception to this general rule under a “public rights” doctrine, which permits non-Article III courts to adjudicate matters that “historically could have been determined exclusively by [the executive and legislative] branches.” However, causes of action that are “quintessentially suits at common law” and not “closely intertwined” with a public right—like the anti-fraud provisions at issue here—are unable to utilize this exception and must be heard in Article III courts.

Because the jury trial issue resolved the case, the Court declined to reach the nondelegation or removal issues. As a result, the Fifth Circuit’s decision in Jarkesy on these issues remains good law.

Sotomayor Dissent in Jarkesy
In dissent, Justice Sonia Sotomayor argued that Congress has latitude—via the Constitution as well as prior Supreme Court decisions—to assign the enforcement of civil penalties “outside the regular courts of law.” This would be the case “even if the Seventh Amendment would have required a jury where the adjudication of those rights is assigned to a federal court of law instead of an administrative agency.”

Justice Sotomayor also raised issue with the majority’s interpretation of a public rights doctrine. Notably, the dissent challenges the majority’s claim that most causes of actions that should be protected under the doctrine involve areas of the law where political branches “traditionally held exclusive power…and had exercised it.” To this end, Justice Sotomayor argues that the majority cannot distinguish between Congress’ enacting of statutes such as the National Labor Relations Act (“NLRA”) and its enacting of the Dodd-Frank Act. The dissent implies that neither labor relations nor securities were traditionally governed by political branches, thus (purportedly) refuting the majority’s reliance upon this principle.

NLRB Implications
Similar to the SEC, the NLRB utilizes ALJs to adjudicate violations of the NLRA. Contrary to the SEC, however, the NLRB ALJ scheme has been in place for decades. These judges hear and decide unfair labor practice cases in quasi-judicial hearings that affect the rights of parties to the cases. Moreover, unlike potential violations of the NLRA, the SEC is not always the exclusive forum for vindication of securities issues. The Department of Justice often prosecutes securities laws issues and private plaintiffs can bring lawsuits to vindicate civil claims. Contrast this with the NLRB, which is the exclusive forum for the vast majority of issues arising under the NLRA.

In the wake of the Fifth Circuit’s 2022 decision in Jarkesy, on January 4, 2024, Space Exploration Technologies Corp. (“SpaceX”) filed a complaint in the Southern District of Texas challenging the constitutionality of NLRB ALJs. SpaceX specifically argued that: (1) the NLRB’s structure is unconstitutional in that it limits the removal of NLRB ALJs and Board Members and permits Board Members to exercise executive, legislative, and judicial power in the same administrative proceeding; and (2) the Board’s expanded remedies constitute consequential damages, and therefore violate employers’ Seventh Amendment right to a trial-by-jury.

Because the Supreme Court in Jarkesy declined to reach the nondelegation or removal issues, the Fifth Circuit’s decision on these issues remains good law. This makes the current forum battle even more significant, as the Jarkesy Fifth Circuit opinion could provide dispositive precedent for SpaceX’s removal and nondelegation arguments. In addition, the Supreme Court’s ruling on the Seventh Amendment issue might support SpaceX’s argument that the Board’s expanded consequential damages remedies should be adjudicated in a trial by jury, depending on how the court interprets the current state of NLRB remedies.

As reported here, in Thryv, Inc., 372 NLRB No. 22 (2022), the NLRB expanded remedies under the NLRA to include “all direct or foreseeable pecuniary harms suffered as a result of the respondent’s unfair labor practice.” The Board has been committed to expanding remedies since 2021, when General Counsel Jennifer Abruzzo issued a memorandum on this subject. NLRB Regional Offices have also been aggressive in seeking these expanded remedies, which arguably are punitive rather than remedial in nature. In its Complaint, SpaceX used the Board’s position on remedies, coupled with the Jarkesy Fifth Circuit ruling, to argue that the Board has sanctioned compensatory relief that can only be issued through a trial by jury.

However, this position could be impacted by the Fifth Circuit’s ruling in Thryv, Inc. v. NLRB, No. 23-60132 (5th Cir. May 24, 2024). In this decision, the Court vacated the Board’s ruling in Thryv, Inc., 372 NLRB No. 22 (2022) on the merits, and thus did not reach the consequential damages issue. The Court did however label this remedy as “draconian” and “a novel, consequential-damages-like labor law remedy.” The Board therefore will require a new case to codify the issuing of consequential damages. It remains to be seen how this ruling would impact SpaceX’s Seventh Amendment argument concerning consequential damages, which could be a key element of its potential reliance on the Supreme Court’s ruling in Jarkesy.

Court Deference to Agency Positions Dead: Chevron Reversal
In a massive blow to agency power, the U.S. Supreme Court on Friday reversed Chevron U.S.A. Inc. v. Natural Resources Defense Council, Inc., 467 U.S. 837 (1984), in a case involving a fishing industry rule. Under Chevron, on review of agency action, where the relevant statute was silent or ambiguous regarding a specific issue, courts were directed to defer to agencies and were not to “impose [their] own construction on the statute.” Thus, where an agency offered “a permissible construction of the statute,” courts were to defer to the agency even if the court would have reached a different conclusion. In the years since Chevron was issued, reviewing courts often remarked that they were bound to uphold an agency determination even if they disagreed with the interpretation. Justice Roberts, writing for the majority, held that Chevron could not be reconciled with the Administrative Procedure Act (“APA”), which commands “the reviewing court” to decide “all relevant questions of law” arising on review of agency action, which of course includes interpretation of the federal statute at issue. As a result, the majority determined that there should be no deference to agencies in answering legal questions, although deference is mandated for judicial review of agency policy-making and fact-finding. The majority concluded that, in deciding Chevron, the Supreme Court had required judges to “disregard their statutory duties,” which required this Court to “leave Chevron behind.”

Takeaways
These two Supreme Court decisions could substantially curtail the NLRB’s ability to bring and prosecute actions against parties (not just employers, but unions as well). While the Jarkesy Supreme Court decision is narrow, it could end the ability of the NLRB to bring certain claims in front of agency ALJs (all of whom are employed directly at the Board and who are not subject to removal). The pending SpaceX decision likely will further the development of the law, as it is a direct challenge to the NLRB adjudicatory scheme, and will also give a Circuit Court—and eventually maybe the Supreme Court—a chance to rule on additional constitutional challenges to federal agencies.

In addition, the reversal of Chevron likely will have a substantial effect on the review of NLRB cases. At a time of unprecedented expansion of the reach of the NLRA—including finding non-compete agreements and confidentiality clauses unlawful—the end of Chevron deference allows a reviewing court to disregard NLRB actions as not rooted in the NLRA or beyond the scope of the agency’s mandate. There is no doubt many challenges to NLRB actions will be brought, as the probability of prevailing in a reviewing court has increased substantially with the end of deference.

As always, we will monitor decisions and agency actions to see how these important developments play out.

The Commodity Futures Trading Commission Cracks Down on Employer Non-Disclosure Provisions

The Commodity Futures Trading Commission (“CFTC”) has now joined the Securities and Exchange Commission (“SEC”) in taking a stand against broad non-disclosure provisions in employment agreements.

Last week, the CFTC announced a settlement with Trafigura Trading LLC, in which the company agreed to pay a $55 million penalty, in part because it required employees to sign agreements that impeded voluntary communications with the CFTC.

In its decision, the CFTC specifically found:

Between July 31, 2017 and 2020, Trafigura required its employees to sign employment agreements, and requested that former employees sign separation agreements, with broad non-disclosure provisions that prohibited the sharing of Trafigura’s confidential information with third parties. These nondisclosure provisions did not contain carve-out language expressly permitting communications with law enforcement or regulators like the Commission.

The CFTC concluded that such non-disclosure provisions violate Regulation 165.19(b), 17 C.F.R. § 165.19(b) (2023), implementing Section 23(h)-(j) of the Act, 7 U.S.C. § 26(h)–(j), even without any additional actions impeding communications.

As a result of this finding, among others involving misappropriation of material nonpublic information and manipulative conduct, the CFTC not only levied a significant fine on Trafigura, but imposed a host of conditions and undertakings with which Trafigura was required to comply. Relevant here, the CFTC required that Trafigura modify its non-disclosure provisions to include language making clear that “no term in any such Agreement should be understood to limit or prevent the filing of a complaint with; or voluntary, lawful communication with; or disclosure of information to any federal, state, or local governmental regulatory or law enforcement agency.”

Director of the Whistleblower Office Brian Young commented, “This is the first CFTC action charging a company under regulations designed to prevent interference with whistleblower communications. This groundbreaking action demonstrates the CFTC’s commitment to protecting potential whistleblowers and puts the market on notice that the CFTC will not tolerate contractual arrangements that could impede communication by potential witnesses.”

We have long reported on the SEC’s targeting of employment agreements. With the CFTC following suit, employers should expect additional agencies to scrutinize language in employment agreements, separation agreements and other employment-related documents, such as employee handbooks and Codes of Conduct. To minimize such scrutiny and exposure, employers should take action to modify non-disclosure and other provisions, such as non-disparagement and confidentiality clauses, that might have the purpose or effect of impeding agency communications. Such modifications must include carve-out language clarifying that nothing precludes current and former employees from communicating in any way with a government agency, such as the CFTC or the SEC. It is more important than ever for employers to work with counsel to conduct a comprehensive review of their policies, practices, and agreements for language that such agencies may find problematic.

The SEC Continues Its War On Crime Victims

More than a decade ago, I expressed concern when the Securities and Exchange Commission charged Koss Corporation and its CEO, Mr. Koss, with filing materially false financial statements after the corporation had discovered that it had been the victim of employee embezzlement. In the post, I decried the SEC’s decision to punish the victims of crime:

The SEC’s decision to prosecute this case is troubling. Surely, neither Koss Corporation nor Mr. Koss intended or wanted to be the victim of a criminal embezzlement. It is also hard to see how the shareholders benefited from the company incurring the legal costs associated with defending and settling the SEC investigation. While the SEC did force the return of bonus compensation, the injunctive relief ordering the company and Mr. Koss not to do this again strikes me as silly. Does it really make sense for the court to order a company not to be the victim of a theft?

I was therefore heartened by the recent statement by Commissioners Hester Peirce and Mark Uyeda on the SEC’s recent settlement of an administrative proceeding against R.R. Donnelley & Sons, Co.:

Also concerning is the Commission’s decision to stretch the law to punish a company that was the victim of a cyberattack. While an enforcement action may be warranted in some circumstances, distorting a statutory provision to form the basis for such an action inappropriately amplifies a company’s harm from a cyberattack.

According to the SEC’s press release, R.R. Donnelley & Sons, Co. “cooperated throughout the investigation, including by reporting the cybersecurity incident to staff prior to filing a disclosure of the incident, by providing meaningful cooperation that helped expedite the staff’s investigation, and by voluntarily adopting new cybersecurity technology and controls”. Nonetheless, the SEC thought a just resolution required payment of a $2.125 million civil penalty for transfer to the U.S. Treasury. I remain unconvinced that the expropriation of millions of dollars from a crime victim to the U.S. Treasury protects, much less helps, the shareholders of R.R. Donnelley & Sons, Co.

Understanding the Enhanced Regulation S-P Requirements

On May 16, 2024, the Securities and Exchange Commission adopted amendments to Regulation S-P, the regulation that governs the treatment of nonpublic personal information about consumers by certain financial institutions. The amendments apply to broker-dealers, investment companies, and registered investment advisers (collectively, “covered institutions”) and are designed to modernize and enhance the protection of consumer financial information. Regulation S-P continues to require covered institutions to implement written policies and procedures to safeguard customer records and information (the “safeguards rule”), properly dispose of consumer information to protect against unauthorized use (the “disposal rule”), and implement a privacy policy notice containing an opt-out option. Registered investment advisers with over $1.5 billion in assets under management will have until November 16, 2025 (18 months) to comply; those entities with less will have until May 16, 2026 (24 months) to comply.

Incident Response Program

Covered institutions will have to add an Incident Response Program (the “Program”) to their written policies and procedures if they have not already done so. The Program must be designed to detect, respond to, and recover customer information from unauthorized third parties. The nature and scope of the incident must be documented, with further steps taken to prevent additional unauthorized use. Covered institutions will also be responsible for adopting procedures regarding the oversight of third-party service providers that receive, maintain, process, or access their clients’ data. The safeguards rule and disposal rule require that nonpublic personal information that a covered institution receives from a third party about that party’s customers be treated the same as information about the institution’s own clients.

Customer Notification Requirement

The amendments require covered institutions to notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The amendments require a covered institution to provide the notice as soon as practicable, but not later than 30 days, after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The notices must include details about the incident, the breached data, and how affected individuals can respond to the breach to protect themselves. A covered institution is not required to provide the notification if it determines that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. To the extent a covered institution will have a notification obligation under both the final amendments and a similar state law, a covered institution may be able to provide one notice to satisfy notification obligations under both the final amendments and the state law, provided that the notice includes all information required under both the final amendments and the state law, which may reduce the number of notices an individual receives.

Recordkeeping

Covered institutions will have to make and maintain the following in their books and records:

  • Written policies and procedures required to be adopted and implemented pursuant to the Safeguards Rule, including the incident response program;
  • Written documentation of any detected unauthorized access to or use of customer information, as well as any response to and recovery from such unauthorized access to or use of customer information required by the incident response program;
  • Written documentation of any investigation and determination made regarding whether notification to customers is required, including the basis for any determination made and any written documentation from the United States Attorney General related to a delay in notice, as well as a copy of any notice transmitted following such determination;
  • Written policies and procedures required as part of service provider oversight;
  • Written documentation of any contract entered into pursuant to the service provider oversight requirements; and
  • Written policies and procedures required to be adopted and implemented for the Disposal Rule.

Registered investment advisers will be required to preserve these records for five years, the first two in an easily accessible place.

Mid-Year Recap: Think Beyond US State Laws!

Much of the focus on US privacy has been US state laws, and the potential of a federal privacy law. This focus can lead one to forget, however, that US privacy and data security law follows a patchwork approach both at a state level and a federal level. “Comprehensive” privacy laws are thus only one piece of the puzzle. There are federal and state privacy and security laws that apply based on a company’s (1) industry (financial services, health care, telecommunications, gaming, etc.), (2) activity (making calls, sending emails, collecting information at point of purchase, etc.), and (3) the type of individual from whom information is being collected (children, students, employees, etc.). There have been developments this year in each of these areas.

On the industry side, there has been activity focused on data brokers, those in the health space, and those that sell motor vehicles. The FTC has focused on the activities of data brokers this year, beginning the year with a settlement with lead-generation company Response Tree. It also settled with X-Mode Social over the company’s collection and use of sensitive information. There has also been ongoing regulation and scrutiny of companies in the health space, including HHS’s new AI transparency rule. Finally, in this area, there is a new law in Utah, the Motor Vehicle Data Protection Act, applicable to data systems used by car dealers to house consumer information.

On the activity side, there has been less news, although in this area the “activity” of protecting information (or failing to do so) has continued to receive regulatory focus. This includes the SEC’s new cybersecurity reporting obligations for public companies, as well as minor modifications to Utah’s data breach notification law.

Finally, there have been new laws directed to particular individuals, in particular laws intended to protect children. These include social media laws in Florida and Utah, effective January 1, 2025 and October 1, 2024 respectively. These are similar to attempts to regulate social media’s collection of information from children in Arkansas, California, Ohio and Texas but, the drafters hope, sufficiently different to survive the challenges currently being faced by those laws. The FTC is also exploring updates to its decades-old Children’s Online Privacy Protection Act.

Putting It Into Practice: As we approach the mid-point of the year, now is a good time to look back at privacy developments over the past six months. There have been many developments in the privacy patchwork, and companies may want to take the time now to ensure that their privacy programs have incorporated and addressed those laws’ obligations.


UK Regulators Publish Final Securitisation Rules

On 30 April 2024, the Financial Conduct Authority (FCA) published a policy statement (PS24/4) setting out its final firm-facing rules relating to securitisations and summarising feedback to its earlier consultation for the UK securitisation markets (CP23/17). The Prudential Regulation Authority (PRA and together with the FCA, the Regulators) also published a policy statement, in parallel with PS24/4, on its final firm-facing rules for those firms over which it has supervisory responsibility (PS7/24). This also follows the PRA’s own parallel consultation (CP15/23).

Background 

As part of the UK’s post-Brexit regulatory reforms, the UK government is working to repeal and replace retained EU financial services law with new UK domestic rules. In July 2023, the UK government published a draft statutory instrument (SI) to replace the UK’s onshored version of the Securitisation Regulation (UK SR).

Following the publication of the SI, the PRA launched CP15/23 on its proposed firm-facing requirements on 27 July 2023 and the FCA launched its parallel consultation CP23/17 on 7 August 2023. Both of these consultations are explored in further detail in our previous article (available here). While there is some duplication between the two rulebooks, the Regulators noted that they have coordinated their approach with a view to creating a coherent framework.

The Final Rules 

In PS24/4, the FCA has sought, among other things, to incorporate into its final rules the feedback received on its draft rule proposals. The final rules are called the ‘Securitisation (Smarter Regulatory Framework and Consequential Amendments) Instrument 2024’.

PS24/4 makes the following key amendments to CP23/17:

  1. Timeline for implementation. The Regulators have confirmed the implementation timeline for the requirements (see the Next Steps section below), which allows for a six-month transition period for pre-implementation securitisations.
  2. Due diligence – public vs private securitisations. The FCA has adjusted the wording of its final rules to accommodate both public and private securitisations. Specifically, they refer to information provided ‘before pricing or original commitment to invest’ (in appropriate places) to reflect that private securitisations do not have “pricings” per se. In addition, the FCA has included guidance to reflect the fact that ‘pricing’ in the Simple, Transparent and Standardised (STS) template is to be understood as also including the ‘original commitment to invest’.
  3. Due diligence – disclosures by ‘manufacturers’. The FCA has adjusted the due diligence requirements for secondary market investors in relation to disclosures made by ‘manufacturers’ (i.e., the term used by the FCA as shorthand for originators, original lenders, sponsors and/or securitisation special purpose entities, each as defined in the UK SR) by:
    i) introducing a distinction between primary and secondary market investments, so that secondary market investors are not required to conduct due diligence on documents and information that are no longer relevant (e.g., information provided prior to initial pricing such as at issuance, etc.); and
    ii) clarifying that investors are required to conduct due diligence on the most up-to-date information available at the time of the investment, as opposed to documents from the timing of ‘pricing’ or ‘commitment’.
  4. Delegation. The FCA has clarified that it is possible for an institutional investor to delegate its due diligence requirements to an entity that is not an institutional investor, subject to the institutional investor retaining the responsibility for compliance with due diligence requirements. In practice, this means that institutional investors will no longer be able to delegate the responsibility for compliance with the due diligence requirements to AIFMs that are not authorised in the UK, as such AIFMs no longer fall within the definition of an ‘institutional investor’ under the SI.
  5. Risk-retention. The FCA has clarified the scope of the prohibition on hedging of the material net interest required to be retained under the risk retention requirements. Specifically, the FCA has confirmed that hedging in these circumstances is permitted for institutional investors so long as it does not compromise the alignment of interest, in line with the EU’s Risk Retention Technical Standards (Commission Delegated Regulation (EU) 2023/2175). In addition, the FCA confirms that there is no need for risk retention in the context of securitisations of own-issued debt instruments, including covered bonds.
  6. Alignment with the PRA. PS24/4 aligns its drafting with that of the PRA rulebook in areas where the rules are similar – both in the language and ordering of the FCA’s rules. The FCA has stated that in a number of cases, however, it has retained the language on which it consulted where, for example, it considered it provided clarity. In non-shared areas, such as STS provisions, the FCA has retained the language and structure of the rules as proposed in CP23/17.

The FCA’s final rules will be included in the FCA’s securitisation sourcebook (known as SECN) alongside the final FCA securitisation reporting templates, which are in the same form as those currently in effect. Similarly, the PRA’s final rules will be implemented into the PRA rulebook by adding a new Securitisation Part, with consequential amendments to the Liquidity Coverage Ratio (CRR) Part and the Non-Performing Exposures Securitisation (CRR) Part.

Next Steps 

The implementation date for the FCA and PRA rules is 1 November 2024, subject to revocation of the UK SR and related technical standards.

The commencement order that will bring into force the revocation of the UK SR and related technical standards has not yet been laid before Parliament. HM Treasury anticipates making this commencement order later this year once the SI comes into force. The FCA has stated that it will consider delaying or revoking the rules if the commencement order is not made.

The Regulators plan to consult on further changes to their securitisation rules in Q4 2024/Q1 2025, although timings are potentially subject to change. In this second consultation, the Regulators plan to review the definition of public and private securitisations and the associated reporting regime, among other areas for policy consideration.

EU Divergence

HM Treasury and the Regulators have generally sought to retain the existing onshored Securitisation Regulation and associated technical standards in the FCA and PRA rulebooks, save for some targeted adjustments. These adjustments will lead to some potentially notable divergence between the UK’s new regime and the regime in the EU, including in relation to the following:

  • Template requirements. While the EU requires institutional investors to ensure disclosure templates are completed regardless of whether the sponsor, originator or SSPE are located in or outside of the EU, UK institutional investors are only required to ensure that certain prescribed information is provided, regardless of the format. Instead, UK sponsors, originators and SSPEs are under a separate obligation to comply with transparency requirements including the use of disclosure templates.
  • Originator sole purpose test. SECN references certain factors to be taken into account when assessing whether an originator has been established and is operating for the “sole purpose” of securitising exposures. The EU regime has a similar test, but focuses on whether the securitisation and related risk retention assets are the “sole or predominant source of revenue” of the originator. The UK’s regime does not set the same hurdle for meeting the sole purpose test, instead referring more generally to the retainer’s ability to meet its payment obligations.
  • Change of risk retainer. Under the EU’s rules the holder of a retained interest may not sell, transfer or otherwise surrender its rights in relation to the retained interest, unless due to its insolvency, “legal reasons beyond its control”, or where there is retention on a consolidated basis. The new UK regime does not include “legal reasons beyond its control” as a reason to disapply the sale restriction.

PS24/4, PS7/24, CP23/17, and CP15/23 can be found here, here, here and here, respectively.

SEC Stays Climate Disclosure Regulations in Response to Consolidated Eighth Circuit Challenges

On April 4, the SEC issued an order staying the implementation of the recently finalized climate disclosure rules (Final Rules) in response to the consolidated legal challenges in the US Court of Appeals for the Eighth Circuit. The SEC has discretion to stay its rules pending judicial review and the SEC stated that a stay would “allow the court of appeals to focus on deciding the merits [of the cases].” However, this voluntary stay should not be taken as a sign that the SEC intends to abandon the Final Rules, as the SEC said it will “continue vigorously defending the Final Rules’ validity in court and looks forward to expeditious resolution of the litigation.”

The Final Rules have faced a slew of legal challenges since adoption and the SEC also noted that the stay avoids potential uncertainty if registrants were to become subject to the Final Rules during the pendency of the legal challenges.

Is the SEC’s Shadow Trading Win Proof That There is a Federal Common Law of Crime After All?

Last week, the U.S. Securities and Exchange Commission’s Director of Enforcement celebrated a jury verdict in its insider trading case against Matthew Panuwat:

As we’ve said all along, there was nothing novel about this matter, and the jury agreed: this was insider trading, pure and simple. Defendant used highly confidential information about an impending announcement of the acquisition of biopharmaceutical company Medivation, Inc., the company where he worked, by Pfizer Inc. to trade ahead of the news for his own enrichment. Rather than buying the securities of Medivation, however, Panuwat used his employer’s confidential information to acquire a large stake in call options of another comparable public company, Incyte Corporation, whose share price increased materially on the important news.

I disagree; many have described the SEC’s theory of shadow trading as “novel”. More importantly, you won’t find it in Section 10(b) or Rule 10b-5, the ostensible bases for insider trading prosecutions. I have long decried the “make it up as you go along” aspect of insider trading jurisprudence:

Notably, Rule 10b-5 itself doesn’t explicitly mention insider trading. It would be more than a half century before the SEC finally adopted a rule, Rule 10b5-1, defining just one element of insider trading – when a purchase or sale constitutes trading “on the basis of” material nonpublic information. It is no surprise then that federal courts have struggled to define who can be guilty of insider trading and why. The result is that the crime of insider trading has a decidedly “make it up as you go along” quality. Individuals don’t know where the lines are until the courts draw them and then convict. Consequently, people have gone to prison even as courts have adopted the theories for their convictions. The fact that the U.S. Supreme Court is still defining the crime more than seven decades after Mr. Freeman cobbled together Rule 10b-5 suggests that the definition of insider trading has been too inchoate to support criminal convictions. However “well tuned to an animating principle” a theory might be, I simply don’t think due process exists when a crime is only defined after a conviction.

If Congress truly believes that insider trading should be a crime, it should define the exact elements of the crime rather than leave it to the courts to make up the rules as they send people to prison. The California legislature has in fact done just that in Corporations Code Section 25402. For more on Section 25402, see my article, California’s Unique Approach to Insider Trading Regulation, 17 Insights 21 (July 2003).

Why Bassam Salman Should Not Have Been Convicted.

The willingness of federal courts to send people to prison based on a crime that isn’t expressed, much less defined, in any federal statute is at odds with the principle that only the people’s elected representatives in the legislature are authorized to make an act a crime. United States v. Hudson, 7 Cranch 32, 34, 11 U.S. 32, 3 L.Ed. 259 (1812). While the SEC’s case against Mr. Panuwat was civil, I expect that this novel theory will soon be applied in a criminal prosecution.

The SEC Speaks–And Fails to Defend Mandatory Climate Disclosures

During the opening remarks of the two-day SEC Speaks Conference, Chairman Gensler failed to express any statement of support in connection with the SEC’s recently promulgated rule on mandatory climate disclosures. (Instead, his speech focused on a number of other topics, including clearinghouse rules and proposed regulations.) In contrast, Republican SEC Commissioner Uyeda devoted the entirety of his speech to offering critiques of the SEC’s newly enacted mandatory climate disclosure rule.

While most of Commissioner Uyeda’s criticisms had been previously voiced on other occasions, certain legal arguments achieved greater prominence in these remarks. In particular, Commissioner Uyeda emphasized the concept of materiality, noting that “[t]he significant changes in the final rule reflect a recognition that no disclosure rule that veers from materiality is likely to survive a court challenge,” and opining that “changes to selected portions of the rule text intended to mitigate legal risk do not necessarily convert a climate change activism rule to a material risk disclosure rule.” There was also a focus on procedural concerns, including a potential violation of the Administrative Procedure Act due to “the failure to repropose the rule” since “the changes were so significant,” and that “the fail[ure] to consider [the] rule’s economic consequences [renders] the adoption of the rule arbitrary and capricious.” Finally, Commissioner Uyeda compared the climate disclosure rule to the previously enacted conflict minerals rule (which was mandated by Congress), stating that “public companies and investors are stuck with a mandatory disclosure rule that deviates from financial materiality but fails to resolve the social purpose for which it was adopted.” Each of these arguments should be expected to feature in the upcoming litigation in the Eighth Circuit concerning the legality of the SEC’s climate disclosure rule.

Still, the failure by Chairman Gensler and his fellow Democratic Commissioners to offer a robust public defense of the climate disclosure rule may simply reflect a shifting of priorities now that the rule has been enacted. Notably, just a few days ago–on March 22, 2024–Chairman Gensler forcefully defended the SEC’s climate disclosure rule at a conference hosted by Columbia Law School, where his entire speech advocated the concept of mandatory disclosures and stated that the SEC’s climate disclosure rule “enhance[d] the consistency, comparability, and reliability of [climate-related] disclosures.” Moreover, it is altogether possible that a speech on the second day of the conference might offer a rejoinder to the varied critiques of the climate disclosure rule.

Unlike the conflict minerals rule, which was mandated by Congress, the Commission has acted on its own volition to adopt a climate disclosure rule that seeks to exert societal pressure on companies to change their behavior. It is the Commission that determined to delve into matters beyond its jurisdiction and expertise. In my view, this action deviates from the Commission’s mission and contravenes established law.

https://www.sec.gov/news/speech/uyeda-remarks-sec-speaks-040224