Subject to Inquiry

Subject to Inquiry

THE LATEST ON GOVERNMENT INQUIRIES AND ENFORCEMENT ACTIONS

Government Investigations and White Collar Litigation Group
Compliance, Enforcement and Prosecution Policy and Trends

The U.S. Department of Justice is Ramping Up its Enforcement of the Servicemembers Civil Relief Act

iStock_000005983304-capitol-bldg-thumb-225x336-15Think you are in compliance with the Servicemembers Civil Relief Act?  Now would be a good time to make sure since the federal government is increasing its enforcement efforts as part of its Servicemembers and Veterans Initiative.

The Servicemembers Civil Relief Act (SCRA) is a federal law that provides a wide range of protections to eligible servicemembers.  The law’s purpose is to postpone or suspend certain civil obligations so that members of the Armed Forces can focus their full attention on their military responsibilities without adverse consequences for them or their families. The first iterations of this federal law date back to the Civil War.  Contrary to beliefs held by many, the SCRA applies to all companies, not just banks.  The current law is very broad in scope, providing benefits and protections related to rental agreements, security deposits, prepaid rent, evictions, installment contracts, interest rates on all debt: including home loans, credit cards and student loans, mortgage foreclosure, civil judicial proceedings, automobile leases and repossessions, life insurance, health insurance and income tax payments.

The Civil Rights Division of the U.S. Department of Justice (DOJ) is tasked with enforcing the SCRA and has been aggressively doing so since 2011.  The Office of the Comptroller of the Currency (OCC) and the Board of Governors of the Federal Reserve System have also brought enforcement actions in the last few years.  In just the past five years, these agencies have brought more than 35 actions requiring payments in excess of $650,000,000 in fines and remediation.

Through the government’s enforcement actions, it has been retroactively imposing standards that go beyond what is set forth in the statutory text and legislative history.  To make matters more challenging, there has been no public guidance issued as to what the government believes is required in order to comply with the SCRA.  One can glean some of the requirements by reading the Consent Orders from settlements, but unless you have been party to one of these settlements, certain requirements remain unknown.

The number of enforcement actions will almost certainly increase.  On November 2, 2016, DOJ announced a new program, the Servicemembers Civil Relief Act Enforcement Support Pilot Program, to support its enforcement efforts related to protecting the rights of current and former military personnel as part of DOJ’s Servicemembers and Veterans Initiative. The new pilot program funds Assistant U.S. Attorney and trial attorney positions to assist with SCRA enforcement, and also designates military judge advocates currently serving as legal assistance attorneys to serve as Special Assistant U.S. Attorneys to support DOJ’s enforcement efforts related to the SCRA.  U.S. Attorneys throughout the country will also be appointing Initiative Liaisons to work with local military and veteran communities.

We have significant experience representing companies in SCRA enforcement actions and private litigation.  We are also compliance counsel to clients concerned with avoiding an enforcement action by the federal regulators.

Financial Institution Regulation

CFPB Report Highlights Continued Focus on Mortgage Redlining

IGovernment-Regulatory-and-Criminal-Investigations.jpgn its Fall 2016 Supervisory Highlights report, issued October 31, the Consumer Financial Protection Bureau (CFPB) identified mortgage redlining as an ongoing “priority area” in the Bureau’s supervisory work.  In the mortgage industry, “redlining” is a form of disparate treatment where a lender provides unequal access to credit, or unequal terms of credit, on the basis of race, color, national origin, or other prohibited characteristics of the geographic area in which the credit seeker resides or wishes to reside in.  Redlining takes its name from the historical practice of mortgage lenders drawing actual red lines on maps to delineate areas where credit was restricted or unavailable. The Bureau’s ongoing focus on redlining issues dovetails with its now one-year-old rule expanding the scope of mortgage lenders’ mandatory reporting under the Home Mortgage Disclosure Act (HMDA).

In its fall Supervisory Highlights report, the Bureau emphasized that CFPB examiners will continue to focus on discriminatory lending practices in an effort to ensure that minority borrowers are afforded equal access to credit.  Examiners will evaluate lenders’ compliance management systems, lending patterns, marketing efforts, neighborhood mapping tools, and lending policies and procedures, among other factors, in order to determine whether a financial institution engaged in discriminatory lending practices.  Examination teams typically assess redlining risk at the Metropolitan Statistical Area (MSA) level for each supervised entity, considering the unique characteristics of each MSA.  Initial analyses typically compare a given institution’s lending patterns to other lenders in the same MSA to determine whether the institution received significantly fewer applications from minority areas relative to other lenders in the MSA.

The CFPB has already entered into several redlining settlements, including a $33 million settlement with Hudson City Savings Bank in September 2015.  The Supervisory Highlights report also reiterates that prudential banking regulators, including the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency, have made the prevention of redlining a priority.

The CFPB noted that in its supervisory experience institutions with strong fair lending compliance programs tend to examine lending patterns regularly, look for statistically-significant disparities, evaluate physical presence, monitor marketing campaigns and program, and assess Community Reinvestment Act assessment areas and market areas.  The CFPB also advised that financial institutions may reduce fair lending risk by documenting risks they identify and by taking appropriate steps in response to identified risks, as components of their fair lending compliance management programs.

Compliance, Enforcement and Prosecution Policy and Trends, Financial Institution Regulation

The Yates Memo and Individual Representation

At t77006468.jpeghe November 2, 2016 Securities Industry and Financial Markets Association (“SIFMA”) Compliance and Legal Society Regional Seminar in New York, a SIFMA panel discussed the “Yates Memo,” its effect on internal investigations, and considerations regarding individual representation.

The Yates Memo is a September 9, 2015 memorandum issued by Deputy Attorney General Sally Yates to prosecutors and civil attorneys at the Department of Justice.  The memo, titled “Individual Accountability for Corporate Wrongdoing,” provides guidance to Department of Justice attorneys regarding how they conduct their investigations and emphasizes the need to seek accountability from individuals who perpetrate corporate misconduct.

The Yates Memo lists six key steps to “strengthen [the] pursuit of individual corporate wrongdoing,” including that “[c]riminal and civil corporate investigations should focus on individuals from the inception of the investigation” and that “[i]n order to qualify for any cooperation credit, corporations must provide to the Department all relevant facts relating to the individuals responsible for the misconduct.”  In effect, the Yates Memo places a focus on the culpability of individual employees while providing a strong incentive for corporations to disclose information adverse to its employees’ interests.

The SIFMA panel stated that, while it is too early to determine the full effects of the Yates Memo (which has been in effect for approximately 14 months), employees are asking their firm and its corporate counsel whether they should be represented by individual counsel (1) earlier in investigations, and (2) more frequently than ever.  As a preliminary matter, the SIFMA panel cautioned that corporate counsel should not directly answer that question.  Rather, corporate counsel should inform the employee that they represent the firm and remind the employee of their obligation to cooperate in internal investigations.  With regard to whether the firm should provide individual counsel to an employee, the SIFMA panel stated that “the last thing” corporate counsel wants is to realize six months into an internal investigation that an employee needs individual representation.  Thus, corporate counsel should consider factors regarding individual counsel early in an investigation.

The SIFMA panel provided the following rules of thumb to consider at the outset of an internal investigation:

  • If an employee has apparent “exposure” – especially exposure to the Department of Justice – the firm should provide individual counsel at the outset of the investigation.
  • If an employee has no apparent chance of exposure, joint representation is appropriate. Corporate counsel, however, must be sure to obtain an engagement letter with any and all appropriate waivers.
  • If an employee has no apparent exposure, but it is reasonable to believe that individual counsel may eventually be needed (due to the nature of the investigation), a firm should consider retaining “shadow counsel.” Shadow counsel would stay apprised of the investigation but would not appear on behalf of the employee.  Thus, shadow counsel would accrue less legal fees than appearing counsel, but if needed, could seamlessly step in and provide an employee with meaningful advice and representation.

The SIFMA panel also addressed and emphasized the importance of Upjohn warnings post-Yates Memo.  While the panel believed that Upjohn warnings were appropriate as-is, attorneys should be cautious in stating that they will not divulge any otherwise-privileged information “unless necessary.”  The SIFMA panel also suggested documenting an employee’s acknowledgement of Upjohn warnings; providing an employee with written warnings, however, is neither necessary nor recommended.

Immigration and Worksite Enforcement

Big Changes Come With The New Form I-9 Published by USCIS

Government-Regulatory-and-Criminal-Investigations.jpgUnited States Citizenship and Immigration Services (USCIS) has officially published the long awaited revised Form I-9.  The new Form I-9 and instructions can be found at https://www.uscis.gov/i-9.

The clock is now ticking— While employers may begin using the new Form I-9 immediately, all employers are required to implement use of the newly revised Form I-9 by January 22, 2017.  All previous versions of Form I-9 will be invalid after this January date.

The new I-9 brings with it some big changes aimed at reducing technical errors and making the I-9 easier to complete in a downloadable version.  The new I-9 includes some impressive new features to ensure information is entered properly, such as drop-downs, field checks, and instructions accessed by moving your computer cursor over the question mark symbol associated with the field.

While this new Form I-9 is completed on a computer, it is not considered an electronic Form I-9 that is governed by the electronic I-9 storage regulations.  Rather, the Form I-9 is to be printed, signed, and stored consistent with the proper manner for storing hard copy I-9s.  However, employers using an electronic I-9 platform provided by a vendor should ensure that their vendor’s product is updated to reflect the changes incorporated in this new revision – any issues of noncompliance with vendor-provided electronic I-9s are the responsibility of the employer, not the vendor, when discovered in the context of an ICE audit.

Here are a few other important changes employers should note:

  • USCIS has added a new “Citizenship/Immigration Status” field at the top of Section 2, where the employer must select or write the number corresponding with the Citizenship/Immigration status selected by the employee in Section 1 of the I-9.
  • If the employee does not use a preparer or translator to assist in completing Section 1, he or she must indicate so on a new check box labeled, “I did not use a preparer or translator.”
  • There is a separate supplemental form to enter multiple preparers and translators, also available on https://www.uscis.gov/i-9.
  • There is a dedicated area to enter additional information that employers are currently required to notate in the margins of the Form (such as TPS extensions, OPT STEM extensions, H-1B portability, etc.).
  • It requires employees to provide only other last names used in Section 1, rather than all other names used.
  • It removes the requirement that aliens authorized to work must provide both their Form I-94 number and foreign passport information in Section 1.

On a more technical level, the new instructions provide some interesting guidance on abbreviations.  The new proposed instructions note that the drop-down lists include “the universally used abbreviations” and specifies what to enter on the form.  Here are two excerpted examples:

Full name of List B Document What to Enter on Form
Driver’s license issued by a State or outlying possession of the United States Driver’s license issued by state/territory
ID card issued by a State or outlying possession of the United States ID card issued by state/territory
Full name of List C Document What to Enter on Form
Social Security Account Number card without restrictions Social Security Card (Unrestricted)
Certification of Birth Abroad (Form FS-545) Form FS-545

There has been some concern on what this means for employers in light of the guidance in the I-9 Handbook, which currently states that “[y]ou may use common abbreviations to document the document title or issuing authority, e.g., DL for driver’s license and SSA for Social Security Administration.”

USCIS addresses this issue in the new instructions, and recognizes “you may choose to use these abbreviations or any other common abbreviation to enter the document title or issuing authority.”

And this brings us to an important point.  For employers who rely on the I-9 Handbook, USCIS has announced on its website that the I-9 handbook will be updated soon, but suggests employers refer to the new Form I-9 instructions for the most up-to-date information.

Compliance, Financial Institution Regulation

Tuesday’s GOP Wins May Put the Brakes on the CFPB’s Controversial Oversight of Auto Lending

TheGovernment-Regulatory-and-Criminal-Investigations.jpg CFPB’s imposition of its auto lending guidelines, and use of its admittedly flawed proxy-methodology to determine discriminatory lending in auto finance, may come to an end under the GOP controlled White House and Senate.

The CFPB’s current guidance, published in a March 2013 Bulletin, has been largely criticized as limiting competition and increasing interest rates otherwise available to consumers. But the bulk of the criticism has been directed towards the CFPB’s methodology, which takes a borrower’s last name and address, and compares it to census data to create a rough determination of the race/ethnicity of that borrower. While the CFPB has acknowledged error rates in its methodology of around 20%, an independent, non-partisan review found that number to be closer to 41%. Despite knowing that its approach was error-prone and less accurate than other methods, the CFPB nevertheless relied on it to levy a total of approximately $124MM in remedial fines and $18MM in penalties against Ally Financial, Inc., American Honda Finance, and Toyota Motor Credit Corporation. In addition to the monetary fines, the CFPB required these auto lenders to alter their business practices and establish reporting/monitoring procedures.

In November 2015, the House of Representatives overwhelmingly, and with bi-partisan support, passed HR 1737, the Reforming CFPB Indirect Auto Financing Guidance Act, which would repeal the CFPB’s current guidance. While the companion measure was introduced in the Senate in March 2016, with hearings held a month later by the Committee on Banking, Housing, and Urban Affairs, it has not been brought to a committee vote. It is widely believed that President Obama, who opposes the measure, would veto the bill upon passage by the Senate.

With a Republican controlled White House and Senate, however, auto lenders and auto dealers are optimistic that the Senate measure will pass and the bill signed into law. If so, along with repealing the current guidance, the law would establish a transparent process the CFPB must follow in issuing subsequent auto finance guidance. Specifically, the process would require the CFPB to:

  • provide a public notice and comment period before finalizing guidance on auto finance
  • publicize its studies, data, methodologies, analyses and other information relied on in creating the guidance
  • redact certain information exempt from disclosure under the Administrative Procedure Act
  • consult with the Board of Governors of the Federal Reserve System, the Federal Trade Commission, and the Department of Justice
  • perform a study on the costs and impact of the proposed guidance to consumers and women-owned, minority-owned, and small businesses

It is highly unlikely that the Senate measure will be brought to a vote before January 2017, which means the measure could become law sometime in the coming year.

Enforcement and Prosecution Policy and Trends

Debt Collection Practices Under Scrutiny of CFPB and NY Attorney General

On NoCashvember 2, the Consumer Financial Protection Bureau (CFPB) and New York Attorney General filed a lawsuit in federal district court in New York over an alleged “massive, illegal debt-collection scheme” that supposedly involved improperly increased debts and threats of arrest or legal action against delinquent borrowers.

Douglas MacKinnon and Mark Gray are accused of operating a network of companies that harassed, threatened, and deceived millions of consumers into paying inflated debts or amounts they may not have owed.  The CFPB claims that the defendants violated the Fair Debt Collection Practices Act (FDCPA).  The New York Attorney General joined the CFPB in claiming that the defendants violated the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act).  The complaint also alleges repeated fraudulent acts and deceptive acts or practices in violation of New York law, as well as violations of New York state debt-collection law.

According to the lawsuit, the companies purchased tens of millions of dollars of debt, often added $200 to each portfolio acquired, and then either collected the inflated debts themselves or sent the inflated debts off to be collected by dozens of other affiliated entities.  The CFPB and New York Attorney General said agents of the companies engaged in illegal activities to collect the debts, including impersonating law enforcement and court officials.  Furthermore, they allege that the scheme has been ongoing since 2009 when MacKinnon established Northern Resolution Group, LLC (NRG).  The company changed its name to Enhanced Acquisitions, LLC in 2014, but purportedly, its business practices remained unchanged.  When MacKinnon and Gray learned in 2012 that a debt seller from which NRG bought payday loan debt would no longer sell to or place debt with companies that did not have FDCPA-compliant collection policies and procedures, they created a new company with policies the CFPB referred to as, “window dressing.”

The CFPB and the New York Attorney General seek to shut down the operation and to obtain compensation for victims and a civil penalty against the companies and partners.  FDCPA compliance can be onerous, but scrutiny of debt collectors remains vigilant by state and federal regulators.  Accordingly, businesses that collect debt should ensure that they (and their partners) have FDCPA-compliant policies, procedures, and practices in place.

Compliance, Fraud, Deception and False Claims

Department of Education Adopts Rules Increasing Student Loan Risk for Schools

780536982As we previously reported, in June the Department of Education (DOE) proposed new rules relating to when students could assert a borrower defense to repayment, effectively a discharge of student loans.  On November 1, DOE adopted the rules in substantially the same form they were proposed.

In commentary, DOE observes that the former borrower defense provisions, which require showing that the student has a state law cause of action against the school, have been relatively rarely used. DOE justified the need for the new rules in the wake of the bankruptcy of Corinthian Colleges.  DOE has approved the discharge of more than 15,000 loans for former Corinthian students, totaling almost $250 million.

The new borrower defense standards are effective for loans first disbursed after July 1, 2017 for both for-profit and non-profit schools (loans disbursed before that date continue to use the former state-law-claim standard).  Borrowers have a defense to repayment and a claim for previously repaid amounts when (a) the school breached the terms of a contract (such as an enrollment agreement) with the student; (b) the student, a class of which the student was a member, or a government entity on behalf of the student won a favorable contested judgment against the school in court or before an administrative tribunal; or (c) the school or its agents made a substantial misrepresentation that the borrower reasonably relied on in deciding to attend or continue attending the school.

Under the new rules, a student may submit an application to DOE seeking a defense to repayment.  The student’s loans are automatically placed into forbearance, or collection activity is halted if the student is in default, while DOE considers the application.  A DOE official decides whether the student is entitled to a defense to repayment, under a preponderance-of-evidence standard. The school must be notified and may submit a response. The rules do not provide for an appeal process for schools, but students can request reconsideration on the basis of new evidence and the DOE may reopen applications on its own.  If a student is successful, DOE may seek repayment from the school of the loan amount.  Schools cannot compel students to pursue borrower defense claims through any internal dispute process before seeking relief from DOE.

The rules do not include any limitations period for a student seeking to avoid further payment on loans, but do limit the ability of the student to seek repayment from DOE to six years in the case of the breach of contract and substantial misrepresentation standards.  DOE may seek repayment from schools related to successful borrower defense claims for six years in the case of the breach of contract and substantial misrepresentation standards.  All DOE must do to comply with this limitations period, however, is provide notice of the borrower defense claim to the school, which will be done routinely under other provisions of the rules.  There is no express limitations period on either students or the DOE in the case of borrower defenses based upon the judgment standard; presumably the DOE has concluded that there is no need for a separate limitations period when the borrower’s ability to win a judgment would be constrained by the limitations period applicable in the underlying action.

The rules also contain a provision under which DOE staff can initiate a process to determine whether an entire group of students has a borrower defense.  These provisions are similar to a class action; students receive notice and may opt out, but do not need to file a separate application to receive relief.  Nor are students directly involved in seeking relief.  If this group process finds a substantial misrepresentation by the school, there is a rebuttable presumption that each student in the group relied on the misrepresentation.  For open schools, but not closed schools, group determinations by the DOE can be appealed to the Secretary of Education by either the DOE staff or the school.

The criteria for asserting a defense to repayment may be broad and potentially applicable to a wide-range of school actions.  For example, the “substantial misrepresentation” prong could potentially be used against schools that are accused of misrepresenting the opportunities available to students, graduation rates, job placement rates, or salary data.  Commentary to the final rule further illustrates the relative ease with which students can claim a defense to repayment.  Students need not show intent on the part of the school to demonstrate either the breach of contract or substantial misrepresentation criteria.  DOE comments state that, in the case of substantial misrepresentation, students need not show intent because all evidence of intent is likely to be under the control of the school.  Further, while a borrower’s state or federal court or administrative judgment against a school is grounds for borrower defense, a judgment in favor of the school does not automatically bar a student from seeking a borrower defense from DOE (although DOE asserts that it will follow collateral estoppel principles with regard to individual issues).

The new DOE rules will also affect the desirability of settling claims brought by students and state or federal authorities.  Settlements do not automatically entitle affected students to a borrower defense under the judgment prong of the borrower defense rules.  DOE, however, has stated it will consider settlements as evidence and give them “the weight to which they are entitled” in evaluating the appropriateness of a borrower defense under the breach of contract or substantial misrepresentation criteria.  DOE will also consider other court filings and orders as evidence.  Such consideration may affect the decisions of schools regarding whether to settle claims.  Importantly, however, DOE has stated it will not consider any settlement entered prior to July 1, 2017, potentially providing an incentive to resolve current claims before that deadline.

The newly adopted rules present significant risks to non-profit and for-profit schools alike.  In addition to the direct financial risk that DOE may seek repayment from the school in successful borrower defense cases, there may also be significant costs to the school to defend against borrower claims.  Although under the rules no particular form of response from schools is required, and schools need not respond at all, schools may well decide that it is in their best interest to mitigate the risk of successful claims by fully investigating the allegations in applications and responding with detailed briefs and supporting evidence.  The rules require DOE to consider the school’s response.

Finally, pending or even anticipated borrower defense applications can be used as a factor by DOE in determining that a private school is not financially responsible, which can endanger the school’s ability to receive federal loan funds and in some circumstances may require the school to provide DOE with a letter of credit for ten percent of the federal funds received by the school in the previous fiscal year.  Such a letter of credit suffices for at most three years, after which the private school must be financially responsible again or potentially provide an even larger letter of credit.

Financial Institution Regulation

CFPB Director Cordray’s Remarks at FinTech Conference Highlight Focus on Increasing Access to Financial Data

77006486Last Monday, October 24, Consumer Financial Protection Bureau (CFPB) Director Richard Cordray spoke on the Bureau’s approach to FinTech at Money 20/20, a conference focused on payments and financial service innovation.  In his remarks, Cordray focused on responding to criticism of the CFPB’s enforcement actions against FinTech start-ups and appeared to warn large financial institutions about limiting access to financial data.  The Bureau also released the first report on “Project Catalyst,” the CFPB’s effort to facilitate innovation in consumer financial products and services.

Cordray began by stating that the Bureau’s enforcement actions against FinTech providers “should not be misread or overread.”  Cordray characterized these actions as not aimed at stifling innovation, but rather addressing “basic meat-and-potatoes issues such as companies that promise one thing to their customers and then do something quite different.”  For example, in March 2016, the CFPB imposed a $100,000 penalty on Dwolla, an online payment platform accused of deceiving customers by claiming that its data protection methods “exceeded industry standards.”

Later, Cordray appeared to rather bluntly warn banks against limiting access to customers’ financial data from FinTech providers with whom customers do business.  For example, some banks and FinTech firms have clashed over the practice of “screen scraping”—a technology that allows financial advisors and other FinTech companies to collect financial data of willing consumers through their bank’s website.  Some large banks have reportedly attempted to limit screen scraping, citing security concerns.  While Cordray recognized that allowing such access can “raise various issues,” he nonetheless expressed that the Bureau is “gravely concerned by reports that some financial institutions are looking for ways to limit, or even shut off, access to financial data rather than exploring ways to make such access, once granted, is safe and secure.”

In what could signal potential future regulation or enforcement activity, Cordray made clear that the Bureau “believes consumers should be able to access this information and give their permission for third-party companies to access this information as well” and that the Dodd-Frank Act supports this position.  In Cordray’s view, Congress specified that consumers should be able to access, in a usable electronic form, their financial information maintained by financial institutions.  Further, in its Project Catalyst report, the Bureau noted that it is working to achieve a “level playing field” for all market participants.

The Project Catalyst report also outlines several areas of consumer finance that the Bureau believes hold potential for consumer benefit.  Most revolve around increasing access to “underserved consumers,” like “unbanked” households and individuals with poor or no credit scores.  In addition to increasing consumer-permissioned access to financial data, the report highlighted efforts by FinTech companies such as:

  • Entering the student loan market to offer high-rate borrowers opportunity to refinance at lower rates;
  • Improving mortgage loan servicing such as through the use of machine learning to detect at an earlier stage when borrowers are likely to suffer financial distress;
  • Assisting with “cash flow management” to help consumers smooth uneven or unexpected changes in income, avoid overdrafts, and reduce reliance on short-term credit; and
  • Making peer-to-peer payment systems that bypass existing reliance on bank accounts or other networks more consumer friendly.

As FinTech providers continue to develop innovative financial products and services, we will continue to follow the Bureau’s efforts to navigate and regulate this evolving space.

Enforcement and Prosecution Policy and Trends

Identifying Enforcement Innovations to Prepare for the Post-Yates Enforcement Environment

During a recent webinar sponsored by the Washington Legal Foundation, we explored the impacts intensive individual-focused criminal enforcement can have on an industry, using the recent history of criminal enforcement of food safety laws as a case study.  The individual prosecutions we discussed in that context were based in large part on application of the Park doctrine, a broad and powerful food safety-specific formulation of the responsible corporate officer doctrine that has returned to vogue over the last several years after sitting largely unused for decades.  The discussion focused, in part, on predicting what tools like the Park doctrine may emerge in the coming years as means for regulators and law enforcement to hold individuals accountable for misconduct, particularly as federal prosecutors implement the Department of Justice’s (“DOJ’s”) Yates Memo.  This post outlines those predictions.

We are still in the early stages of the DOJ’s operation under the requirements of the Yates Memo.  Given the typically long gestation period for most white collar matters, it is reasonable to expect that we won’t be able to spot real post-Yates enforcement trends for some time.  However, we know that regulators and law enforcement both in and beyond the DOJ are focused on bringing civil, regulatory and criminal enforcement actions against individuals.  By examining the tools and techniques they might use against individuals—particularly ones that are new and novel—we can be better prepared to assist clients in avoiding issues on the front end through implementation of well-designed compliance programs, and to navigate enforcement actions on the back end.  Here are a few for your consideration.

  • Anticipatory Obstruction of Justice under 18 U.S.C. § 1519. Enacted as part of the Sarbanes-Oxley Act of 2002, Section 1519 substantially broadens the more familiar obstruction statutes by excluding any requirement that a proceeding be known to the accused or even pending in order for obstruction to have occurred.  Violation only requires (1) knowingly (2) destroying or concealing a record or document (3) with the intent to impede or obstruct any matter (including those contemplated but not yet initiated) within the jurisdiction of the United States.  There is no materiality requirement, and no need to prove any nexus between the allegedly obstructive conduct and the federal matter.  This could prove to be a particularly powerful tool for pursuing individuals not for their underlying misconduct, but for mistakes they make in anticipation of or response to a federal investigation.
  • FCPA Innovations. Like the Park doctrine, the FCPA laid largely fallow for over two decades before emerging to become a consistent enforcement prerogative of the DOJ and SEC.  And in the decade-plus that it has been a preeminent corporate bogeyman, its enforcement has evolved and shown every sign that it will continue to do so.  Some innovations that could see increasing application include:
  • Advisers Act liability being used by the SEC’s to reach non-issuers. In its first significant FCPA settlement against a hedge fund earlier this year, the SEC included charges falling under the anti-fraud provisions of the Investment Advisers Act of 1940 (the “Advisers Act”) in its administrative order, along with charges under the FCPA. Section 206 of the Advisers Act makes it unlawful for covered investment advisers, directly or indirectly, to (1) “employ any device, scheme, or artifice to defraud any client or prospective client” or (2) “engage in any transaction, practice, or course of business which operates as a fraud or deceit upon any client or prospective client.”  It prohibits fraudulent, deceptive or manipulative conduct, which the SEC included in its enforcement action based on the investment advisor allegedly engaging in self-dealing and the improper use of managed investor funds, failing to prevent the use and misuse of managed investor funds by its business partner in corrupt and self-dealing transactions, and by omitting material information regarding those transactions from its disclosures to its investors.

While this case involved an issuer, under the right facts and circumstances, the SEC could conceivably pursue what is essentially FCPA liability against non-issuers subject to the Advisers Act.  Non-issuer registered investment advisers—particularly those with international activities such as the courting of sovereign wealth funds—would therefore be wise to heed this development.

  • Commercial bribery charges being brought by the SEC against issuers under the accounting provisions. SEC officials have previously outlined their ability and intent—under the right facts and circumstances—to pursue FCPA enforcement actions grounded on commercial rather than official bribery, pursuant to the FCPA’s accounting provisions.
  • Increasing use of control person liability in FCPA cases. To date, the SEC has been sparing in its reliance on control person liability under Section 20(a) of the Exchange Act in FCPA enforcement actions.  However, it is a well-established doctrine that is commonly applied in non-FCPA contexts, and can be used to impose liability against high-level executives, even in circumstances where they had little to no direct involvement in violative conduct.
  • Increased Use of Control Person or Responsible Corporate Officer Liability. As the rise of the Park doctrine illustrates in the food safety context, the ability to bring enforcement actions against individual executives under a control person or responsible corporate officer theory of liability can have a transformative effect on the enforcement field in a particular industry.  These are not new liability concepts, but they are infrequently used in most white collar contexts.  As a result, they are often not top of mind when individuals in leadership positions consider their potential exposure.  The risk of their increasing use should be factored into their decision-making, particularly when it comes to the compliance tone they set as managers and senior executives.
  • Increased Criminal Enforcement via the False Claims Act. Per a DOJ policy announced by Assistant Attorney General for the Criminal Division Leslie Caldwell in September 2014, criminal prosecutors from the Fraud Section now review all qui tam cases to determine whether to open a parallel criminal investigation, working in close coordination with the DOJ Civil Division as well as U.S. Attorney’s Offices.  This policy turned previously discretionary review of such cases by criminal prosecutors to mandatory, and could have a significant impact on both individuals and companies facing False Claims Act matters via initiation of ancillary criminal investigations based on allegations raised in a civil qui tam
  • Emergence of the Next FCPA. Predicting what will be the next hot area for regulatory or law enforcement focus can be fraught with peril.  However, it is not difficult to observe when certain industries and areas receive more attention or come within reach of new laws or law enforcers.  Financial services of all kind have clearly been under the gun since the housing crisis and Great Recession, including through the creation of regulators and investigative agencies such as the CFPB and SIGTARP.  An increasing number have also come under the ever-broadening reach of FinCEN as it continues to expand the scope of anti-money laundering (“AML”) laws and regulations to cover institutions previously excluded from most AML requirements, its pending notice of proposed rulemaking to cover investment advisers being a prime example.

It should be noted, in closing, that if companies and their executives are concerned about the potential impact of the Yates Memo and what some may perceive as the over-criminalization of regulatory matters, they should be less focused on the back end of an enforcement issue, and more on the front end.  They should be investing in compliance programs that in addition to preventing or forestalling violations of law and regulation, will provide both the company and the executives a demonstrable basis to show that if issues have arisen, they have done so in spite of reasonable best efforts to avoid them.  In other words, they should use the Yates Memo as it was intended (and as it has been incorporated into the Principles of Federal Prosecution of Business Organizations in the U.S. Attorneys’ Manual), as a roadmap for cooperation and demonstration of a healthy corporate and management environment.

This post first appeared on The FCPA Blog.

Compliance

Effective November 3, 2016: Final DoD Cyber Incident Reporting Rule

binarydataOn Tuesday, October 4, 2016, the Department of Defense (DoD) issued a long-awaited final rule implementing statutory requirements (10 U.S.C. §§ 391, 393) as part of 32 C.F.R part 236 regarding the reporting, by defense contractors, of certain cyber incidents relating to the contractor’s electronic systems.  These reporting requirements are above and beyond what contractors are required to report under the myriad of potentially applicable data breach notification laws and regulations (including those imposed by the FTC and 47 states) or any other express contractual reporting or cyber incident response requirements.  The final rule does not abrogate any such other mandatory reporting obligations.

The final rule responds to and addresses numerous industry comments on an October 2, 2015 interim rule on the same subject matter and takes effect as of November 3, 2016. Specifically, the final rule requires contractors and subcontractors to report cyber incidents which result in the actual or potentially adverse effect on a “covered contractor information system” or “covered defense information residing therein,” or on the contractor’s ability to provide “operationally critical support.”  The final rule does not change the content or timing of the incident reports, which must be made within 72 hours of the contractor’s awareness of the breach.

The final rule applies broadly in terms of the systems and information covered. For the purpose of the final rule, a “covered contractor information system” is defined as an “unclassified information system that tis owned or operated by or for a contractor and that possess, stores, or transmits covered defense information.”  In turn, “covered defense information” is defined as “unclassified controlled technical information or other information (as described in the Controlled Unclassified Information (CUI) Registry) that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government wide policies, and is (1) [m]arked or otherwise identified in an agreement and provided to the contractor by or on behalf of the DoD in support of the performance of the agreement; or (2) is [c]ollected, transmitted, used, or stored by or on  behalf of the contractor in support of the performance of the agreement.”  These definitions serve to expand the scope of the final rule to subcontractors which maintain such systems or information and which must now report incidents to the prime contractor for reporting to the government. (The final rule does not provide further guidance on what constitutes “operationally critical support.”)  Although the rule does not modify existing contracts by operation of law, it expressly states that it provides DoD with the “option to modify . . . preexisting agreements where deemed appropriate.”

Finally, the final rule expands the Defense Industrial Base Cybersecurity (DIB CS) information sharing program. Although the DIB CS program is not mandatory, it is designed to facilitate information sharing between DoD and program participants on cyber threat issues.

DoD contractors and subcontracts should familiarize themselves with this rule and the reporting obligations thereunder, to the extent that they maintain covered systems or information. To the extent that the rule is applicable to a DoD contractor or subcontractor, it must be prepared to identify and report cyber incidents within 72 hours of discovery of that incident.

 

Also posted on Password Protected – Data Privacy & Security News and Trends