Congress Introduces Promising Bipartisan Privacy Bill

U.S. Senator Maria Cantwell (D-WA) and U.S. Representative Cathy McMorris Rodgers (R-WA) have made a breakthrough by agreeing on a bipartisan data privacy legislation proposal. The legislation aims to address concerns related to consumer data collection by technology companies and empower individuals to have control over their personal information.

The proposed legislation aims to restrict the amount of data technology companies can gather from consumers. This step is particularly important given the large amount of data these technology companies possess. It would grant Americans the authority to prevent the sale of their personal information or request its deletion. This step gives individuals more control over their personal data. The Federal Trade Commission (FTC) and state attorneys general would be given significant authority to monitor and regulate matters related to consumer privacy. This measure will ensure that the government has a say in matters associated with consumer privacy. The bill includes robust enforcement measures, such as granting individuals the right to take legal action. This step is necessary to ensure that any violations of the legislation are dealt with effectively. While targeted advertising would not be prohibited, the proposed legislation would allow consumers to opt out of it. This step gives consumers more control over the ads they receive. The privacy violations listed in the legislation would also be applicable to telecommunications companies. This measure ensures that no company is exempt from consumer privacy laws. Annual assessments of algorithms would be conducted to ensure that they do not harm individuals, particularly young people. This is an important step, given the rise of technology and its impact on consumers, especially among younger generations.

The bipartisan proposal for data privacy legislation is a positive step forward in terms of consumer privacy in America. While there is still work to be done, it is essential that the government takes proactive steps to ensure that individuals have greater control over their personal data. This is a positive development for the tech industry and consumers alike.

However, as we have reported before, this is not the first time Congress has made strides towards comprehensive data privacy legislation. Hopefully, this new bipartisan bill will enjoy more success than past efforts and bring the United States closer in line with international data privacy standards.

States Sue the Biden Administration to Stop Loan Relief Plan

On April 9, 2024, seven states filed suit against the Biden administration in an attempt to block its new “SAVE” plan, an income-driven repayment plan that leads to eventual loan forgiveness. The case is pending in the U.S. District Court for the Eastern District of Missouri.

Plaintiff states claim that the plan is unlawful because it evades limits Congress imposed for income-based repayment plans and sets arbitrarily high thresholds that would effectively create a grant program for student borrowers. Plaintiffs allege that the US Supreme Court struck down a similar plan last year proposed by the Biden administration which would have cost taxpayers $430 billion. See Biden v. Nebraska, 143 S. Ct. 2355, 2362 (2023). The states allege that the plan violates the Higher Education Act of 1965 and subsequent amendments, which allows student-loan cancelation to occur only after a borrower pays 15% of their disposable income (which is defined as 150% above the poverty line) after 25 years.

The states further allege that the disposable income threshold would increase from 150% to 225% above the poverty line and that the plan would only require borrowers to pay 5% of their income for 10 years before loans are cancelled, “gut[ting] the statutory purpose of providing loans.”

Plaintiffs seek a declaratory judgment that the relief plan is unlawful and injunctive relief.

Putting It Into Practice: State attorneys general continue to challenge Biden regulatory actions through litigation (previously discussed here and here). Given the success they have achieved thus far, it will be interesting to see how this litigation develops. We will continue to monitor the case for developments.

Supply Chains are the Next Subject of Cyberattacks

The cyberthreat landscape is evolving as threat actors develop new tactics to keep up with increasingly sophisticated corporate IT environments. In particular, threat actors are increasingly exploiting supply chain vulnerabilities to reach downstream targets.

The effects of supply chain cyberattacks are far-reaching, and can affect downstream organizations. The effects can also last long after the attack was first deployed. According to an Identity Theft Resource Center report, “more than 10 million people were impacted by supply chain attacks targeting 1,743 entities that had access to multiple organizations’ data” in 2022. Based upon an IBM analysis, the cost of a data breach averaged $4.45 million in 2023.

What is a supply chain cyberattack?

Supply chain cyberattacks are a type of cyberattack in which a threat actor targets a business offering third-party services to other companies. The threat actor will then leverage its access to the target to reach and cause damage to the business’s customers. Supply chain cyberattacks may be perpetrated in different ways.

  • Software-Enabled Attack: This occurs when a threat actor uses an existing software vulnerability to compromise the systems and data of organizations running the software containing the vulnerability. For example, Apache Log4j is open source code used by developers in software to add a function for maintaining records of system activity. In November 2021, there were public reports of a Log4j remote code execution vulnerability that allowed threat actors to infiltrate target software running on outdated Log4j code versions. As a result, threat actors gained access to the systems, networks, and data of many organizations in the public and private sectors that used software containing the vulnerable Log4j version. Although security upgrades (i.e., patches) have since been issued to address the Log4j vulnerability, many software and apps are still running with outdated (i.e., unpatched) versions of Log4j.
  • Software Supply Chain Attack: This is the most common type of supply chain cyberattack, and occurs when a threat actor infiltrates and compromises software with malicious code either before the software is provided to consumers or by deploying malicious software updates masquerading as legitimate patches. All users of the compromised software are affected by this type of attack. For example, Blackbaud, Inc., a software company providing cloud hosting services to for-profit and non-profit entities across multiple industries, was ground zero for a software supply chain cyberattack after a threat actor deployed ransomware in its systems that had downstream effects on Blackbaud’s customers, including 45,000 companies. Similarly in May 2023, Progress Software’s MOVEit file-transfer tool was targeted with a ransomware attack, which allowed threat actors to steal data from customers that used the MOVEit app, including government agencies and businesses worldwide.

Legal and Regulatory Risks

Cyberattacks can often expose personal data to unauthorized access and acquisition by a threat actor. When this occurs, companies’ notification obligations under the data breach laws of jurisdictions in which affected individuals reside are triggered. In general, data breach laws require affected companies to submit notice of the incident to affected individuals and, depending on the facts of the incident and the number of such individuals, also to regulators, the media, and consumer reporting agencies. Companies may also have an obligation to notify their customers, vendors, and other business partners based on their contracts with these parties. These reporting requirements increase the likelihood of follow-up inquiries, and in some cases, investigations by regulators. Reporting a data breach also increases a company’s risk of being targeted with private lawsuits, including class actions and lawsuits initiated by business customers, in which plaintiffs may seek different types of relief including injunctive relief, monetary damages, and civil penalties.

The legal and regulatory risks in the aftermath of a cyberattack can persist long after a company has addressed the immediate issues that caused the incident initially. For example, in the aftermath of the cyberattack, Blackbaud was investigated by multiple government authorities and targeted with private lawsuits. While the private suits remain ongoing, Blackbaud settled with state regulators ($49,500,000), the U.S. Federal Trade Commission, and the U.S. Securities and Exchange Commission (SEC) ($3,000,000) in 2023 and 2024, almost four years after it first experienced the cyberattack. Other companies that experienced high-profile cyberattacks have also been targeted with securities class action lawsuits by shareholders, and in at least one instance, regulators have named a company’s Chief Information Security Officer in an enforcement action, underscoring the professional risks cyberattacks pose to corporate security leaders.

What Steps Can Companies Take to Mitigate Risk?

First, threat actors will continue to refine their tactics and techniques. Thus, all organizations must adapt and stay current with all regulations and legislation surrounding cybersecurity. The Cybersecurity and Infrastructure Security Agency (CISA) urges developer education for creating secure code and verifying third-party components.

Second, stay proactive. Organizations must re-examine not only their own security practices but also those of their vendors and third-party suppliers. If third and fourth parties have access to an organization’s data, it is imperative to ensure that those parties have good data protection practices.

Third, companies should adopt guidelines for suppliers around data and cybersecurity at the outset of a relationship since it may be difficult to get suppliers to adhere to policies after the contract has been signed. For example, some entities have detailed processes requiring suppliers to inform them of attacks and conduct impact assessments after the fact. In addition, some entities expect suppliers to follow specific sequences of steps after a cyberattack. At the same time, some entities may also apply the same threat intelligence that they use for their own defense to their critical suppliers, and may require suppliers to implement proactive security controls, such as incident response plans, ahead of an attack.

Finally, all companies should strive to minimize threats to their software supply by establishing strong security strategies at the ground level.

Importance of Negotiating Assignment and Subletting Provisions in Health Care Leases

In our ongoing series of blog posts, we examine key negotiating points for tenants in triple net health care leases. We also offer suggestions for certain lease provisions that will protect tenants from overreaching and unfair expenses, overly burdensome obligations, and ambiguous terms with respect to the rights and responsibilities of the parties. These suggestions are intended to result in efficient lease negotiations and favorable lease terms from a tenant’s perspective. In our first two blog posts, we considered the importance of negotiating initial terms and renewal terms and operating expense provisions. This latest blog post in our series focuses on negotiating assignment and subletting provisions.

It is imperative for a commercial tenant, particularly a private equity-owned health care tenant, to include provisions in a lease which allow the tenant the flexibility to assign and sublease the commercial space without the necessity of having to obtain the landlord’s consent and/or to meet burdensome landlord conditions.

Most leases prohibit transfers by assignment and subletting or require landlord’s prior written consent subject to meeting certain burdensome conditions. In addition, landlords often include a “change of control” provision which provides that sale of a controlling interest is deemed a transfer requiring landlord consent. A health care tenant looking for flexibility for reorganization or internal transfer subject to private equity control will want to push back on change of control provisions and will want to ensure that their lease allows for certain permitted transfers that do not require landlord consent. Carving out “permitted transfers” customarily includes transfers to: (i) an affiliate of the named tenant under the lease (meaning, any entity, directly or indirectly, which controls, is controlled by or is under common control with tenant); (ii) a successor entity created by merger, consolidation or reorganization of tenant; or (iii) an entity which shall purchase all or substantially all of the assets or a controlling interest in the stock or membership of tenant. If the tenant is a management services organization (MSO), the lease should also include explicit landlord permission for a sublease between the MSO and the provider that will occupy the leased premises.

Landlords may accept the concept of permitted transfers but often seek to impose certain conditions to allowing such transfers. Certain conditions on permitted transfers are reasonable, such as requirements for advance notice, that the proposed permitted transferee assume all obligations under the lease, that the permitted transferee operate only for the permitted use set forth in the lease, and that a copy of the transfer document be provided to landlord. However, other conditions, such as requiring a net worth test for the assignee or financial reporting requirements, can be burdensome and serve to undermine the concept of permitted transfers without landlord consent. We advise our clients in these instances to push back or limit these conditions as much as possible.

Other common assignment and subletting provisions should expressly not apply to permitted transfers. These include recapture provisions which allow a landlord to terminate the lease and recapture the space, excess profit provisions which provide that any excess profits realized as the result of a transfer will be shared between landlord and tenant, and administrative fees and reimbursements to landlord which are often charged to tenants in connection with an assignment or subletting request. Restrictions on transfers should not apply to guarantor entities. Often with private equity, the guarantor is the parent entity and cannot be restricted by a landlord as to transfer, restructuring or reorganization at the top of its organization.

In the case of transfers that do not fall within the definition of “permitted transfers” and require landlord consent, a tenant will want to include language that landlord will not unreasonably withhold, condition, or delay such consent. Other tenant protections should also be considered, including a cap on administrative and review fees reimbursable by tenant to landlord, a reasonably short time period for landlord to approve or disapprove a request (i.e., 30 days) or be deemed to have approved, a reasonably short time period for landlord to exercise recapture rights or be deemed to have approved, and a provision that excess profits will be shared equally rather than all belonging to landlord.

Negotiation of assignment and subletting terms is critical for tenants, particularly with respect to private equity-owned health care tenants. The goal for tenants in negotiating these points is to provide flexibility for addressing future financial and operational needs. As with other highly negotiated lease terms, we recommend addressing assignment and subletting provisions in detail in advance in the letter of intent. This makes expectations of the parties clear, saves time and money by avoiding protracted negotiations, and results in an overall efficient lease negotiation process.

In our next post, we will cover the importance of negotiating maintenance and repair terms and will offer suggestions for limiting a tenant’s exposure.

Good News for Offshore Wind Blows in With New Guidance From the Treasury and IRS

The Inflation Reduction Act of 2022 (IRA) includes several tax credits to encourage investment in renewable energy projects, including an Investment Tax Credit (ITC) that is worth up to 30% of the overall project cost. The developer of a renewable energy project can receive a bonus of up to 10% on top of the ITC for a qualified facility that is located or placed in service in an “energy community.” One type of area that can qualify as an energy community under the IRA — the one most relevant to offshore wind projects — is an area that has significant employment or local tax revenues from fossil fuels and a higher-than-average unemployment rate.

In order to apply the criteria to offshore wind facilities, the US Department of Treasury initially proposed that an offshore wind project would be deemed to be located or placed in service at the place closest to the point of interconnection (POI) where there is land-based equipment that conditions the energy generated by the offshore wind project for transmission, distribution, or use.

Stakeholders in the offshore wind industry believed, however, that this approach did not adequately reflect the original intent of the IRA as it neglected to take into account the long-term benefits of activity related to offshore wind projects at locations, particularly ports, that were not at the POI.

Responding to stakeholder advocacy over the past several months, on March 22, the Internal Revenue Service (IRS) released updated guidance in IRS Notice 2024-30 (the Notice). The Notice permits projects with multiple POIs to qualify for the bonus credit, so long as one of the POIs is within an energy community. Stakeholders believe that this will be key in developing the shared transmission infrastructure that will be required for effective use of offshore wind energy.

Further, the Notice permits offshore wind facilities to attribute their nameplate capacity to additional property — namely, to supervisory control and data acquisition system (SCADA) equipment owned by the owner of the offshore wind project and located in an EC Project Port (as defined in the Notice). SCADA equipment is property that is used to remotely monitor and control the operations of the offshore wind project. The SCADA system is effectively the nerve center for an offshore wind project.

An “EC Project Port” is defined in the Notice as a port that is used either full or part time to facilitate maritime operations necessary for the installation or operation and maintenance of the offshore wind project, and that has a significant long-term relationship with the project’s owner by virtue of ownership or lease arrangements. The personnel based at the port need to include staff who are employed by, or who work as independent contractors for, the project’s owner and who perform functions essential to the project’s operations. Staff based at the port will be considered to perform functions essential to the project’s operations only if they collectively perform all the following functions: management of marine operations, inventory and handling of spare parts and consumables, and berthing and dispatch of operation and maintenance vessels and associated crews and technicians.

Finally, the Notice adds two industry codes from the North American Industry Classification System (NAICS) to those that are used to determine whether a community meets the IRA’s required percentage of its workforce who are employed in the extraction, processing, transport, or storage of coal, oil, or natural gas. These additional NAICS codes designate oil pipeline infrastructure and natural gas distribution infrastructure. These additional codes are intended to bring the benefits of the energy community bonus credit to more communities, and the IRS has amended its list of energy communities accordingly.

Advocates note that the updated guidance in the Notice represents a more holistic approach to the energy communities bonus credit that will give offshore wind project developers more flexibility in identifying ports for their investment. The increased flexibility will bring the economic benefit of the offshore wind industry to more communities, which will ultimately reduce the cost burden to ratepayers.

Fourth Circuit Reverses $1 Billion Award for Vicarious Liability Claim for More than 10,000 Works

On January 12, 2021, the U.S. District Court for the Eastern District of Virginia awarded a group of music recording companies (the plaintiffs) a $1 billion verdict against Cox Communications (Cox). The Virginia court’s ruling found that Cox, an internet service provider (ISP), was contributorily and vicariously liable for copyright infringement committed by certain subscribers on its networks. The plaintiffs alleged that the ISP allowed the unauthorized downloading and distribution of more than 10,000 copyrighted works by Cox subscribers who had already received three or more notices of infringement. The district court in Virginia established that the “takedown” notices sent by the plaintiffs provided Cox with the requisite knowledge of its subscribers’ repeated infringement to substantiate their claim that Cox was contributorily liable, suggesting that Cox had sufficient specific knowledge of infringement to have done something about it.

The plaintiffs’ notice to Cox identified the IP address of the subscriber, as well as the time of infringement and the identification of the infringed work, which the plaintiffs argued was sufficiently specific knowledge for Cox to be able to identify the subscriber and to exercise its policy by suspending or terminating the infringing subscriber. This case proceeded to trial on two theories of secondary liability – vicarious and contributory copyright infringement. The plaintiffs argued that Cox failed to act on these known repeat infringers, and the jury found Cox liable for willful contributory infringement and vicarious infringement, ordering Cox to pay more than $99,000 for each of the infringed-upon works. Cox appealed the jury verdict.

On appeal, before the U.S. Court of Appeals for the Fourth Circuit, Cox raised several questions of law concerning the secondary liability for copyright infringement, as well as what constitutes a derivative work in the Internet Age.

Vicarious Infringement
The Fourth Circuit’s analysis first considered whether the district court erred in denying plaintiffs’ vicarious infringement claim. “A defendant may be held vicariously liable for a third party’s copyright infringement [if the defendant] (1) profits directly from the infringement and (2) has a right and ability to supervise the direct infringer.” See Metro-Goldwyn-Mayer Studios, Inc. v. Grokster, Ltd., 545 U.S. 913, 930 n.9 (2005) (internal citations omitted). The Fourth Circuit found that the plaintiffs failed to establish the first element as a matter of law and thus found that the plaintiffs failed to establish that Cox was vicariously liable.

In reaching this decision, the Fourth Circuit turned to the landmark decision in Shapiro, Bernstein & Co., 316 F.2d 304 (2d Cir. 1963), a case on vicarious liability for infringing copyrighted music recordings. In Shapiro, a department store was sued for the selling of “bootleg” records by a concessionaire operating in its stores. The store had the right to supervise the concessionaire and employees, demonstrating its control over the infringement. There, the store received a certain percentage of every record sale, “whether ‘bootleg’ or legitimate,” giving it “a more definite financial interest” in the infringing sales. Thus, the Shapiro court found that the financial gains were clearly spelled out from the bootleg sales and acts of infringement in Shapiro.

Next, the Fourth Circuit recognized that courts have found that a defendant may possess a financial interest in a third party’s infringement of copyrighted music, even absent a strict correlation between each act of infringement and an added penny of profits. See Fonovisa, Inc. v. Cherry Auction, Inc., 76 F.3d 259 (9th Cir. 1996). In Fonovisa, the operator of a swap meet allowed vendors to sell infringing goods, and the operator collected “admission fees, concession stand sales, and parking fees” but no sales commission “from customers who want[ed] to buy the counterfeit recordings at bargain-basement prices.” The Fonovisa court found that the plaintiffs adequately showed a financial benefit from the swap meet owner and the sales of pirated recordings at the swap meet, which was a draw for customers. Thus, the infringing sales “enhance[d] the attractiveness of the venue of the potential customers,” and the court found that the swap meet operator had a financial interest in the infringement sufficient to state a claim for vicarious liability.

The Fourth Circuit established that Shapiro and Fonovisa provided the steppingstones of the principles of copyright infringement to the internet and cyberspace and that Congress agreed that “receiving a one-time setup fee and flat periodic payment for service” from infringing and non-infringing users alike ordinarily “would not constitute a financial benefit directly attributable to the infringing activity.” Ellison v. Robertson, 357 F.3d 1072, 1079 (9th Cir. 2004) (internal citations omitted). The Court also reviewed other court precedents, including A&M Records v. Napster, Inc., 239 F.3d 1004 (9th Cir. 2001), to show that increased pirated music drew in users as a direct financial interest for vicarious liability, but also noted that courts have found no evidence of a direct financial benefit between subscribers of America Online (AOL) and the availability of infringing content. Ellison, 357 F.3d at 1079.

Against this backdrop, the Fourth Circuit held that to prove Cox was vicariously liable, the plaintiffs had to demonstrate that Cox profited from its subscribers’ infringing download and distribution of the plaintiffs’ copyrighted songs, which – given the evidence at trial – it did not. While the district court found it was enough that Cox repeatedly declined to cancel an ISP subscriber’s monthly subscription fee, the Fourth Circuit found this evidence to be insufficient. Instead, the Fourth Circuit found that the continued monthly payment fees for internet service, even by repeat infringers, was not a financial benefit flowing directly from the copyright infringement. Cox established that subscribers paid a flat fee even if all of its subscribers stopped infringing. Recognizing that an internet provider would necessarily lose money if it canceled subscriptions only demonstrates that service providers have a direct financial interest in providing subscribers with access to the internet only. Thus, the Fourth Circuit held that vicarious liability demands proof that the defendant profits directly from the acts of infringement for which it is being held accountable.

To rebut this, the plaintiffs claimed that the jury could infer that subscribers paid monthly membership fees based on the high volume of infringing content. The Fourth Circuit rejected this argument and found that the evidence was insufficient to prove that customers were drawn to Cox’s internet service or that they continued the service because they were specifically drawn to the opportunity to infringe the plaintiffs’ copyrights. The plaintiffs further asserted that subscribers were willing to pay more for the opportunity to infringe based on Cox’s tiered structure for internet access – but the plaintiffs fell short in proving this claim because no reasonable inference could be drawn that Cox subscribers paid more for faster internet to infringe on the copyrighted works. Ultimately, the Court found that the plaintiffs could not establish a causal connection between subscribers’ copyright infringement and Cox’s revenue for monthly subscriptions. Thus, the Fourth Circuit held that Cox was not liable for its subscribers’ copyright infringement and reversed the district court’s ruling on this theory. The court vacated the $1 billion damages award and remanded the case for a new trial on damages, holding that the jury’s finding of vicarious liability could have influenced its assessment of statutory damages.

Contributory Infringement
The Fourth Circuit then examined the remaining issue of contributory infringement. Under this theory, “one who, with knowledge of the infringing activity, induces, causes or materially contributes to the infringing conduct of another is liable for the infringement, too.” Cox argued that the district court erred by taking away the factual determination from the jury that notices of past infringement established Cox’s knowledge that subscribers were substantially certain to infringe in the future. Cox had contracted with a third party to provide copyright violation notices to users and asserted that it used these notices as their safe harbor under the Digital Millennium Copyright Act to alert violators and to terminate access to users who were repeat infringers. Despite this, the Fourth Circuit ultimately agreed with the jury’s finding that Cox materially contributed to copyright infringement occurring on its network and that its conduct was culpable.

Therefore, a three-judge panel found that Cox was liable for willful copyright infringement but reversed the vicarious liability verdict and remanded for a new trial on damages. The Fourth Circuit held that because Cox did not profit from its subscribers’ acts of infringement, a legal prerequisite for vicarious liability, Cox was not liable for damages under the vicarious liability theory.

The Impact
The Fourth Circuit’s decision recognizes a new dawn breaking in copyright law, one that requires a causal connection between profit and/or financial gain and a defendant’s acts of infringement to prove vicarious liability in a copyright infringement claim under the Copyright Act. The plaintiffs attempted to bridge the financial gap between acknowledging access to infringing content through a monthly internet subscription and high-volume infringing acts. However, the Fourth Circuit found that this leap in logic was a step too far and reversed the award for vicarious liability for lack of evidence to find this missing connection between Cox subscribers and infringing plaintiffs’ content.

While this may be one route the courts may consider to reduce music piracy damages, it remains to be seen whether other courts will take this approach to determining that profit is the key element supporting other vicarious liability claims in cyberspace.

Regulation Round Up March 2024

Welcome to the UK Regulation Round Up, a regular bulletin highlighting the latest developments in UK and EU financial services regulation.

Key developments in March 2024:

28 March

FCA Regulation Round-up: The FCA published its regulation round-up for March 2024.

26 March

AIFMD II: Directive (EU) 2024/927 amending the Alternative Investment Fund Managers Directive (2011/61/EU) (“AIFMD”) and the UCITS Directive (2009/65/EC) (“UCITS Directive”) relating to delegation arrangements, liquidity risk management, supervisory reporting, provision of depositary and custody services, and loan origination by alternative investment funds has been published in the Official Journal of the European Union (“EU”). Please refer to our dedicated article on this topic here.

ELTIFs: The European Commission published a Communication to the Commission explaining that it intends to adopt, with amendments, ESMA’s proposed regulatory technical standards (“RTS”) under Regulations 9(3), 18(6), 19(5), 21(3) and 25(3) of the Regulation on European Long-Term Investment Funds ((EU) 2015/760) as amended by Regulation (EU) 2023/606.

Financial Promotions: The FCA published finalised guidance (FG24/1) on financial promotions on social media.

Cryptoassets: The Investment Association (“IA”) published its second report on UK fund tokenisation written by the technology working group to HM Treasury’s asset management taskforce.

25 March

Cryptoassets: ESMA published a final report (ESMA75-453128700-949) on draft technical standards specifying requirements for co-operation, exchange of information and notification between competent authorities, European Supervisory Authorities and third countries under the Regulation on markets in cryptoassets ((EU) 2023/1114) (“MiCA”).

PRIIPS Regulation: The European Parliament’s Economic and Monetary Affairs Committee (“ECON”) published the report (PE753.665v02-00) it has adopted on the European Commission’s legislative proposal for a Regulation making amendments to the Regulation on key information documents (“KIDs”) for packaged retail and insurance-based investment products (1286/2014) (“PRIIPs Regulation”) (2023/0166(COD)).

Alternative Investment Funds: The FCA published the findings from a review it carried out in 2023 of alternative investment fund managers that use the host model to manage alternative investment funds.

AIFMD: Four Delegated and Implementing Regulations concerning cross-border marketing and management notifications relating to the UCITS Directive and the AIFMD have been published in the Official Journal of the European Union (here, here, here, and here).

22 March

Smarter Regulatory Framework: HM Treasury published a document on the next phase of the Smarter Regulatory Framework, its project to replace assimilated law relating to financial services.

21 March

Market Transparency: ESMA published a communication on the transition to the new rules under the Markets in Financial Instruments Regulation (600/2014) (“MiFIR”) to improve market access and transparency.

Retail Investment Package: ECON published a press release announcing it had adopted its draft report on the proposed Directive on retail investment protection (2023/0167(COD)). The proposed Directive will amend the MiFID II Directive (2014/65/EU) (“MiFID II”), the Insurance Distribution Directive ((EU) 2016/97), the Solvency II Directive (2009/138/EC), the UCITS Directive and the AIFMD.

19 March

ESG: The Council of the EU proposed a new compromise text for the Corporate Sustainability Due Diligence Directive, on which political agreement had previously been reached in December 2023.

FCA Business Plan: The FCA published its 2024/25 Business Plan, which sets out its business priorities for the year ahead.

15 March

Customer Duty: The FCA announced that it is to conduct a review into firms’ treatment of customers in vulnerable circumstances.

PRIIPS Regulation: The Joint Committee of the European Supervisory Authorities published an updated version of its Q&As (JC 2023 22) on the key information document requirements for packaged retail and insurance-based investment products (“PRIIPs”), as laid down in Commission Delegated Regulation (EU) 2017/653.

14 March

FCA Regulatory Approach: The FCA published a speech given by Nikhil Rathi, FCA Chief Executive, on its regulatory approach to deliver for consumers, markets and competitiveness and its shift to outcomes-focused regulation.

11 March

AML: HM Treasury launched a consultation on improving the effectiveness of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (SI 2017/692). The consultation runs until 9 June 2024 and covers four distinct areas.

08 March

ESG: The IA published a report on insights and suggested actions for asset managers following the commencement of reporting obligations of climate-related disclosures under the ESG sourcebook.

ESG: The House of Commons Treasury Committee published a report on the findings from its “Sexism in the City” inquiry.

Cryptoassets: The EBA published a consultation paper (EBA/CP/2024/09) on draft guidelines on redemption plans under Articles 47 and 55 of the MiCA.

05 March

Financial Sanctions: The Foreign, Commonwealth and Development Office published Post-Legislative Scrutiny Memorandum: Sanctions and Anti-Money Laundering Act 2018.

AML: The FCA published a Dear CEO letter sent to Annex I financial institutions concerning common control failings identified in anti-money laundering (AML) frameworks.

ESG: The European Commission adopted a delegated regulation supplementing the Securitisation Regulation ((EU) 2017/2402) with regard to regulatory technical standards specifying, for simple, transparent and standardised non-ABCP traditional securitisation, and for simple, transparent and standardised on-balance-sheet securitisation, the content, methodologies and presentation of information related to the principal adverse impacts of the assets financed by the underlying exposures on sustainability factors.

CRD IV: The European Commission adopted a Commission Implementing Regulation that amends Commission Implementing Regulation (EU) 650/2014 containing ITS on supervisory disclosure under the CRD IV Directive (2013/36/EU) (“CRD IV”).

01 March

Alternative Investment Funds: The FCA published a portfolio letter providing an interim update on its supervisory strategy for the asset management and alternatives portfolios.

Corporate Transparency: The Economic Crime and Corporate Transparency Act 2023 (Commencement No. 2 and Transitional Provision) Regulations 2024 (SI 2024/269) have been made and published.

Financial Sanctions: The Treasury Committee launched an inquiry into the effectiveness of financial sanctions on Russia.

EMIR: The FCA published a consultation paper in which it, together with the Bank of England, seeks feedback on draft guidance in the form of Q&As on the revised reporting requirements under Article 9 of UK EMIR (648/2012).

FCA Handbook: The FCA published Handbook Notice 116 (dated February 2024), which sets out changes to the FCA Handbook made by the FCA board on 29 February 2024.

FCA Handbook: The FCA published its 43rd quarterly consultation paper (CP24/3), inviting comments on proposed changes to a number of FCA Handbook provisions.

Amar Unadkat, Sulaiman Malik & Michael Singh also contributed to this article.

Department of Justice Ramps Up Investigations of Private Clubs that Received PPP Loans

As Varnum’s government investigations team has previously discussed, the COVID-era Paycheck Protection Program (PPP) resulted in millions of businesses receiving emergency loans. The PPP’s hurried implementation, coupled with confusion among recipients over eligibility requirements, created an environment ripe for both fraud and the issuance of loans to ineligible recipients. Over the past few years, the Department of Justice (DOJ) has focused on fraud by, among other things, opening civil investigations under the False Claims Act and bringing criminal charges against PPP loan recipients who misused loan proceeds on luxury items. But recently, the DOJ has shifted its focus to a new category of PPP recipients: social clubs that may have been technically ineligible for the loans they received.

The opportunity for improper loans to social clubs comes about because of a technical wrinkle in how Congress wrote the American Rescue Plan Act of 2021. In this Act, Congress made social clubs (i.e. golf clubs, tennis clubs, yacht clubs) organized under 26 U.S.C. § 501(c)(7) eligible for PPP loans. However, Congress incorporated an agency regulation that prohibited loans to “private clubs and businesses which limited the numbers of memberships for reasons other than capacity.” The result is that social clubs that limit their number of members for any reason besides capacity were technically ineligible for PPP loans.

In recent months, the DOJ has issued Civil Investigation Demands (CIDs) to clubs that it believes might not have been eligible for PPP loans. These CIDs are demands for documents and interrogatory answers and often relate to employment records, income statements, the membership admission process, prospective members’ applications, the club’s governance, and membership information. CIDs are expansive and the government can use the club’s answer in future civil or criminal proceedings.

Given the DOJ’s new focus, clubs should review their PPP paperwork now and consult with an attorney to determine whether their loan was properly issued. If the clubs find technical violations, proactively approaching the government through counsel may be beneficial. If a club receives a CID, it should immediately contact an attorney to begin preparing the appropriate response.

© 2024 Varnum LLP
by: Ronald G. DeWaard, Regan A. Gibson, Gary J. Mouw, Neil E. Youngdahl of Varnum LLP

Amendments to New York LLC Transparency Act Delay Effective Date, Among Other Changes

New York Governor Kathy Hochul last month signed into law amendments to the recently enacted New York LLC Transparency Act (as amended, the “NYLTA”), extending the NYLTA’s effective date from December 21, 2024, to January 1, 2026 (the “Effective Date”).

The NYLTA will require all limited liability companies (“LLCs”) either formed under New York law or foreign LLCs that seek to be authorized to do business in New York to submit certain beneficial ownership information to the New York Department of State. LLCs will be required to disclose their beneficial owners unless the LLC qualifies for an exemption from the requirements. New York LLCs and foreign LLCs registered to do business in New York should evaluate their structure with counsel that is familiar with the NYLTA (and the federal Corporate Transparency Act (the “CTA”)) to determine whether they will have a filing obligation under the new law.

For New York LLCs formed on or prior to the Effective Date, and foreign LLCs authorized to do business in New York on or prior to the Effective Date, the deadline to file the required beneficial ownership report or the statement specifying the applicable exemption(s) from the filing requirement is January 1, 2027. For New York LLCs formed after the Effective Date, and foreign LLCs authorized in New York after the Effective Date, the NYLTA will require that beneficial ownership information be submitted within thirty days of filing the articles of organization for an LLC formed under New York law or the initial application for registration filed by a foreign LLC. Thereafter, the NYLTA (as amended) imposes an ongoing requirement to file an annual statement with the New York Department of State confirming or updating (1) the beneficial ownership disclosure information; (2) the street address of the entity’s principal executive office; (3) status as an exempt company, if applicable; and (4) such other information as may be designated by the New York Department of State.

The definitions of important terms such as “exempt company,” “reporting company,” “applicant,” and “beneficial owner” used in the NYLTA refer to the equivalent definitions in the CTA but are limited in application only to LLCs. Correspondingly, the NYLTA shares the same 23 exemptions from the reporting requirements as the CTA. If an LLC falls within one or more of the available exemptions, however, in a departure from the CTA, the NYLTA requires the entity to submit a statement attested to under penalty of perjury indicating the specific exemption(s) for which the LLC qualifies.

Potential penalties for failing to comply with the NYLTA include monetary penalties of $500 for every day that a required filing under the NYLTA is past due, as well as a potential suspension or cancellation of an LLC.

The amendments to the NYLTA also provide that the beneficial ownership information relating to natural persons will be deemed confidential except (1) by written consent of or request by the beneficial owner of the LLC; (2) by court order; (3) to federal, state, or local government agencies performing official duties as required by statute; or (4) for a valid law enforcement purpose. This is in contrast to the original New York statute, which provided for beneficial ownership information to be made publicly available in a searchable database.

Federal Court Confirms Case Challenging Bank of America’s Fraudulent COVID Relief Program Can Proceed

In a significant step forward for consumer protection, the Northern District of California confirmed that claims that Bank of America (“BofA”) misled its customers with false promises to provide overdraft fee relief during the COVID-19 pandemic could proceed.

The litigation centers on allegations that BofA widely advertised a COVID-19 bank fee relief program to garner publicity and goodwill but, instead of honoring its promises, the Bank abruptly and quietly ended any relief just a few months into the raging pandemic. Instead of announcing the shutdown, BofA kept promoting the program when none existed. Plaintiffs and other Americans across the country, who were suffering significant financial hardship as a result of the pandemic, trusted the bank’s marketing, and incurred significant fees that the bank refused to waive.

Plaintiffs Anthony Ramirez, Mynor Villatoro Aldana, and Janet Hobson have lodged claims on behalf of a putative nationwide class and state subclasses. The Court’s denial of BofA’s motion to dismiss supports plaintiffs’ allegations that the bank’s continued advertisement of the defunct relief program was deceptive and unlawful, depriving consumers across the country of millions of dollars in promised fee refunds.

This decision bolsters consumer protection rights and reinforces the judiciary’s role in ensuring that big banks like BofA make good on their promises to financially struggling customers.

The case is Ramirez, et al. v. Bank of America, N.A., Case No.: 4:22-cv-00859-YGR in the United States District Court for the Northern District of California.

A copy of the order is available here.