Subject to Inquiry

Subject to Inquiry


Government Investigations and White Collar Litigation Group

“White Hat” Ethical Hackers and Corporate Investigations

This post originally appeared in our sister publication, Password Protected.

A “white hat” is an ethical computer hacker who specializes in penetration testing and other testing methodologies to ensure the security of an organization’s information systems. According to the Ethical Hacking Council, “The goal of the ethical hacker is to help the organization take pre-emptive measures against malicious attacks by attacking the system himself or herself; all the while staying within legal limits.” White hat hackers usually present their skills as benefitting their clients and broader society. They may be reformed black hat hackers or may simply be knowledgeable of the techniques and methods used by hackers. However, white hats have been known to offer broader hacking services, such as information gathering about persons or entities at odds with those hiring the white hat. Ethical hackers have been compared to digital versions of private investigators or investigative reporters.

In considering whether to engage a white hat hacker, there are a number of precautions that a company should take to increase the likelihood that the white hat will be credible, professional and ethical and only engage in lawful activities during the course of the engagement.

Credibility. Consider existing relationships, references and certifications. For example, the EC-Council offers a Certified Ethical Hacker accreditation. Many large consulting firms provide ethical hacking services. References from trusted peers are also extremely important.

Background Check. Conduct a thorough background check. Although the white hat may be affiliated with a reputable consulting firm, verify his or her experience and credentials and investigate possible criminal history. Do not assume that what the hacker tells you is true.

Engagement Letter. Have the hacker sign an engagement letter or similar contract that clearly defines the engagement, prohibits any illegal or unethical conduct, and addresses liabilities, indemnification and remedies where appropriate. Specify the hacking methods that are and are not acceptable and which information systems, networks and data may be accessed. Require the hacker to provide proof of adequate professional liability insurance.

Confidentiality Agreement. Require the hacker to sign a confidentiality or non-disclosure agreement that strictly prohibits the use or sharing with others of any information gathered as part of the engagement and that specifies the penalties for violation or references penalties set forth in the primary agreement.

Oversight. Monitor the hacker’s activity and be on the lookout for any suspicious activity—both during and after the white hat’s work. Ensure that the hacker remains within the scope of work defined within the engagement letter. If the scope of work changes, revise the engagement letter accordingly. Keep in mind that access to information systems presents opportunities to set conditions for future remote access or other unauthorized, nefarious activities.

Work Product. Consider the desired work product that will be developed over the course of the white hat’s engagement and whether the white hat should report to the General Counsel or outside counsel to protect privilege. In order to be admissible in evidence in civil litigation, the white hat must be willing to submit a signed affidavit, which describes under oath the results of the investigation, and to possibly testify. Not every white hat makes a good witness.


Supreme Court Holds Internal Complainants Are Not Dodd-Frank Whistleblowers

In an important case clarifying the scope of the anti-retaliation provision of the Dodd-Frank Wall Street Reform and Consumer Protection Act, the U.S. Supreme Court held on Feb. 21, 2018, that the law unambiguously requires an individual to report a securities law violation to the SEC in order to claim whistleblower protection under the provision. This means an employee who makes only an internal report may be protected by the Sarbanes-Oxley Act of 2002, but is not also protected under Dodd-Frank.

In 2010, Congress passed Dodd-Frank and established a robust whistleblower program designed to motivate employees to report securities law violations to the U.S. Securities and Exchange Commission (SEC). In addition to entitling whistleblowers to cash rewards, Dodd-Frank includes an anti-retaliation provision that prohibits employers from discriminating against or terminating employees for making such reports to the SEC.

The interplay between the definition of “whistleblower” and the identification of protected activity under Dodd-Frank has confounded the courts since shortly after Congress passed the law. A “whistleblower” is an individual who reports a securities law violation to the SEC.  However, “protected activity” includes making disclosures required or protected under the Sarbanes-Oxley Act, which does not require a report to the SEC.

To harmonize these provisions, some courts concluded that including Sarbanes-Oxley-protected reports created a narrow exception to the requirement that an employee provide information to the SEC in order to claim whistleblower status under Dodd-Frank. The SEC likewise expanded the definition of “whistleblower” when it issued its final rule implementing Dodd-Frank to cover an employee who reported security violations to his or her supervisor, but not to the SEC. This definition was codified in 17 C.F.R. § 240.21F-2. In 2015, the SEC reiterated that whistleblower protection is not contingent on an employee providing information to the SEC, but even covers internal reports of wrongdoing.

In the case before the Supreme Court, Paul Somers sued his former employer, Digital Realty Trust Inc., alleging that Digital Realty fired him shortly after he reported to senior management (but not to the SEC) suspected securities law violations. Both the U.S. District Court for the Northern District of California and the U.S. Court of Appeals for the Ninth Circuit found Dodd-Frank ambiguous and deferred to the SEC’s final rule and interpretive guidance. The case presented the Supreme Court with a circuit split, in which the Ninth and Second Circuits held that employees were protected by merely reporting to their supervisor, while the Fifth Circuit held that employees must provide information to the SEC to avail themselves of the law’s protections.

The Supreme Court found no ambiguity in Dodd-Frank’s anti-retaliation provision, which protects an individual who provides “information relating to a violation of the securities laws to the Commission.” The court found that, not only does the plain language of the law require a report be made to the SEC, but also that Dodd-Frank’s “core objective” was to motivate reports to the SEC. Dodd-Frank’s purpose, the court found, was narrower than that of the Sarbanes-Oxley Act, which was designed to disturb the “corporate code of silence” that kept employees from reporting fraud “even internally.”

This case presents a welcome resolution to the circuit split over whether internal whistleblowers can maintain a Dodd-Frank anti-retaliation lawsuit against their employers. The distinction and decision are important because significant differences exist between the anti-retaliation provisions of Dodd-Frank and Sarbanes-Oxley. To seek relief under Sarbanes-Oxley, an individual must file a complaint with the Secretary of Labor within 180 days of the alleged violation. By contrast, Dodd-Frank’s whistleblower provision contains a six-year statute of limitations and no administrative exhaustion requirement. The two laws also provide for different remedies.

To read the Supreme Court’s opinion, click here.

For further information about Sarbanes-Oxley, Dodd-Frank or whistleblower protections, please contact the authors, your McGuireWoods contact or a member of McGuireWoods’ labor and employment or government investigation and white collar litigation groups.

Enforcement and Prosecution Policy and Trends

SEC Launches Self-Reporting Initiative for Investment Advisers

In line with Chairman Jay Clayton’s oft-stated priority of protecting the long-term interests of Main Street investors, on Feb. 12, 2018, the Securities and Exchange Commission’s Division of Enforcement announced the launch of a new self-reporting initiative for investment advisers. This new initiative — the Share Class Selection Disclosure Initiative — aims to address undisclosed conflicts of interest associated with the receipt of 12b-1 fees by investment advisers, their affiliates or their supervised persons paid by advisory clients who were eligible to invest in a lower-cost share class of the same mutual fund.

The SEC’s position on investment advisers’ disclosure obligations regarding conflicts of interest as they pertain to mutual fund share classes are well-known. Indeed, the Office of Compliance Inspections and Examinations released a National Exam Program Risk Alert on the topic in July 2016, as well as identified mutual fund share class disclosures as one of its 2018 National Exam Program Examination Priorities. Additionally, the SEC has brought numerous enforcement actions against investment advisers for deficient disclosures concerning conflicts of interest arising from the receipt of 12b-1 fees.

This focus is expected to continue: Enforcement has been clear that mutual fund share class selection practices will remain a priority, and enforcement actions outside of the self-reporting initiative will likely result in more serious charges.

Self-Reporting Initiative

The new self-reporting initiative is available to investment advisers, other than those already contacted by Enforcement on this issue, that did not explicitly disclose in their Forms ADV the conflict of interest associated with the 12b-1 fees the firm, its affiliates or its supervised persons received for investing advisory clients in a fund’s 12b-1 fee paying share class when a lower-cost share class was available for the same fund. To participate, an eligible investment adviser must self-report by June 12, 2018, and, within ten days of providing that notification, confirm its eligibility by submitting the SEC’s questionnaire. For any participating eligible investment adviser, Enforcement will recommend the following standardized settlement terms to the SEC:

  • On a neither-admit-nor-deny basis, entry of an order directing the respondent to cease and desist from committing or causing any violations and future violations of Sections 206(2) and 207 of the Investment Advisers Act of 1940 (IAA)
  • A censure
  • A respondent-administered distribution to affected clients of disgorgement of ill-gotten gains and prejudgment interest thereon
  • Remedial undertakings, including, to the extent necessary, correcting any relevant disclosures, moving clients to lower-cost share classes, updating relevant policies and procedures, and notification of the settlement terms to clients

Key Considerations

Importantly, eligible investment advisers that participate in the self-reporting initiative will not face the panoply of more draconian relief available to and obtained by the SEC in prior share class disclosure enforcement actions. Specifically, eligible investment advisers will not be required to pay a monetary penalty. Nor will there be any requirement to retain an independent compliance consultant and adopt and implement all of its recommendations. Investment advisers that elect not to participate in the self-reporting initiative and subsequently face an enforcement action for share class disclosure violations should anticipate financial penalties greater than those imposed in past actions involving similar conduct.

Similarly, the violations against participating eligible investment advisers will be limited to Sections 206(2) and 207 of the IAA. Generally, IAA Section 206(2), a non-scienter-based fraud statute, imposes a fiduciary duty on the investment adviser to disclose to its clients all conflicts of interest that may impact the investment adviser’s ability to render objective advice. IAA Section 207 makes it unlawful for any person willfully to make any untrue statement of, or omit to state any, material fact in Forms ADV.

Enforcement has indicated that it does not intend to recommend additional charges relating to the conduct at issue in the self-reporting initiative, even where the facts would support such charges. In this regard, previous share disclosure enforcement actions have also included findings that the investment adviser failed to seek best execution, in violation of IAA Section 206(4), and failed to adopt and implement policies and procedures reasonably designed to prevent violations as required by Rule 206(4)-7 thereunder. Thus, eligible investment advisers that do not avail themselves of the self-reporting initiative should, if supported by the facts, expect to face these additional charges in any share class disclosure enforcement action.

The self-reporting initiative is available only to investment advisers. Participation does not shield eligible investment advisers from investigation or separate enforcement actions for other misconduct. There is no similar program for individuals, and Enforcement has expressly provided no assurances that associated persons will be offered similar settlement terms for their involvement in the violations.

Next Steps

The deadline to self-report is four months away, but investment advisers would be well-served to act quickly to determine whether they will participate in the self-reporting initiative. In this regard, investment advisers should promptly review their Forms ADV and supplements to assess the sufficiency of their conflicts of interest disclosures associated with 12b-1 fees. To be sufficient, the disclosures must clearly describe the conflicts of interests associated with (1) making investment decisions in light of the receipt of the 12b-1 fees, and (2) selecting the more expensive 12b-1 fee paying share class when a lower-cost share class of the same fund was available to the same investor.

Investment advisers that identify deficient disclosures and intend to self-report should consider voluntarily undertaking the remedial measures that will otherwise be ordered under the self-reporting initiative.

Should you wish to discuss the self-reporting initiative, please contact any of the authors or any of McGuireWoods’ securities enforcement and regulatory attorneys.


Full D.C. Circuit Court, Reversing Decision Below, Holds that CFPB’s Independent Structure is Constitutional; also Reinstates Important RESPA Rulings

In a long-awaited constitutional decision regarding the Consumer Financial Protection Bureau (“CFPB”), the full D.C. Circuit Court of Appeals today in PHH v. CFPB reversed a prior ruling by a three-judge panel that the CFPB is unconstitutionally structured.  As we previously reported, that prior panel’s prior decision — stayed since its issuance in October 2016 — had held that Congress had unconstitutionally impeded the President’s Article II authority to “faithfully execute[]” the laws by creating an independent agency headed by only a single Director (as opposed to a multi-member commission structure).  The prior panel’s remedy had been to strike language from the Dodd-Frank Act that makes the Director removable only “for cause,” a change that would have made the Director removable at the pleasure of the President and turned the CFPB from an independent agency into an executive agency, with other regulatory ramifications.

Today’s ruling holds that the removable-only-for-cause provision, even as applied to a single Director, is compatible with the Constitution.  Thus, there will be — for now — no changes to the CFPB’s structure.  While a different outcome would have had many impacts across time, the status quo should remain intact unless the U.S. Supreme Court disturbs the ruling.  Currently, the CFPB is led only by a temporary, “Acting Director,” OMB Director Mick Mulvaney, and the President has not yet submitted to the Senate a nominee to fill that position for a full, five-year term.  But once there is a new, Senate-confirmed Director, that person would be removable only “for cause” (technically, for “inefficiency, neglect of duty, or malfeasance in office”), with a term that will last for at least two years into the next four-year presidential term.  Separately, today’s ruling also reinstated the prior panel court’s decisions — all adverse to the CFPB — on important issues relating to the Real Estate Settlement Procedures Act (“RESPA”).

On the constitutional question, today’s court saw no legally important distinction between the Supreme Court-approved multi-member independent commission structures — such as those that lead the FTC and the SEC — and the independent single-Director structure of the CFPB.  The prior panel and PHH had relied heavily on that distinction, with PHH arguing that “multi-member commissions contain their own internal checks to avoid arbitrary decisionmaking.”  The prior panel also noted that whereas staggered, multi-member commissions allow a President in a four-year term to exert some influence by nominating at least some commissioners, a President during a four-year period would on some occasions have such no influence over the CFPB’s Director, who serves a five-year term.

Today’s court found the distinction between a single Director and a multi-member commission “untenable,” with “no footing in precedent, historical practice, constitutional principle, or the logic of presidential removal power.”  The “removal-power doctrine,” it said, does not rely on “the competing virtues of various internal agency design choices.”  Today’s court also noted that the Supreme Court approved for-cause protection for a single individual in its decision upholding the independent counsel statute.

PHH retains a separate challenge:  that the appointment of the ALJ who initially considered its case violated the Constitution’s Appointments Clause.  Today’s court did not reach that issue because it recently upheld a closely analogous ALJ-appointment structure at the SEC in Lucas v. SEC.  Even more recently, however, the Supreme Court agreed to review that decision regarding SEC ALJs, so PHH possibly could still get a day in court on that issue.

A.                RESPA

Today’s court also reinstated the earlier panel’s important decisions regarding RESPA’s prohibition on paying fees / kickbacks for referrals of real estate settlement business.  Those RESPA decisions had been stayed, until today, as part of the broader stay on the prior panel’s October 2016 opinion.  The reinstated RESPA decisions are that:

  1. Courts and the CFPB must give effect to an important RESPA exception, which allows settlement service providers who receive referrals to pay the referrer, nonetheless, for other “goods or facilities actually furnished or for services actually performed” (but not, of course, for the referral). The novel interpretation advocated by the CFPB in this case would virtually have read this exception out of the books, exposing settlement service providers to increased RESPA risk.  The panel court, in the now-reinstated portion of its opinion, held that the exception must apply so long as the payment is for no more than the reasonable market value of the goods or services actually provided.
  2. Even if the Director’s novel interpretation of that RESPA exception in this case had been permissible, the Director violated the Due Process Clause by imposing it on PHH retroactively.
  3. A three-year statute of limitations applies to both administrative proceedings and civil actions (lawsuits in court) enforcing RESPA. Before the panel, the CFPB had taken the position that no statute of limitations applied to its administrative proceedings enforcing RESPA — or, by extension, to administrative proceedings enforcing any of the 18 other consumer protection laws it has authority to enforce.  The reinstated portion of the panel’s decision, moreover, held that the CFPB — in administrative proceedings and in court — must abide by applicable statutes of limitations found in those 19 consumer protection laws.

B.                 Next Steps

PHH may well seek review of this ruling by the U.S. Supreme Court.  Although the likelihood of that Court accepting the case cannot be predicted, the Court has previously showed an interest in cases like this one that present issues at the intersection of constitutional and administrative law; the Court’s very recent decision to review the related Lucas v. SEC decision on the appointment of ALJ’s is an example of that interest.  Regarding the reinstated RESPA rulings, it is extremely unlikely that the CFPB, now under Republican control, will appeal.

At the CFPB now, as noted, only an Acting Director is in charge.  But any new, Senate-confirmed Director would be entitled to serve a five-year term with for-cause removal protection, unless the Supreme Court disturbs today’s ruling.  Thus, that new Director, if he or she chooses, could serve at least two years into the next four-year Presidential term.

Enforcement and Prosecution Policy and Trends, Fraud, Deception and False Claims

DOJ Memorandum Sets Out FCA Dismissal Factors

A January 10 internal memorandum from the director of the fraud section of the DOJ’s civil division commercial litigation branch, which has recently become public, sets out the factors the government should consider in dismissing False Claims Act (FCA) cases in which it has declined to intervene, and may suggest a greater possibility that the DOJ will seek to dismiss such cases.  The memo also provides defense counsel reacting to a government investigation related to a qui tam complaint with a roadmap for arguing for non-intervention and dismissal.

The FCA gives the government authority to dismiss an action brought by a qui tam relator over the objection of the relator, as long as the court provides the relator an opportunity to be heard.  42 U.S.C. § 3730(c)(2)(A).  The memo notes that the DOJ has rarely used this provision when it has declined to intervene in qui tam cases and instead allowed relators to proceed with lawsuits.  Going forward, the memo instructs government attorneys, when they make a decision not to intervene, to also consider whether dismissal is appropriate.

The memo describes several reasons the government may want to dismiss qui tam actions, including that monitoring of cases requires government resources and that weak cases can result in law that harms the government’s own enforcement.  Accordingly, the memo sets out several factors for government attorneys to consider when evaluating whether to dismiss a qui tam action:

  • Whether the complaint is facially lacking in merit for either legal or factual reasons.
  • Whether the qui tam complaint duplicates a preexisting government investigation and adds no new information to the investigation.
  • Whether the action interferes with agency policies or programs. The government specifically notes that dismissal may be appropriate when “an action is both lacking in merit and raises the risk of significant economic harm that could cause a critical supplier to exit the government program or industry.”
  • Whether the action interferes with the government’s efforts to control its own litigation.
  • Whether the action implicates classified information or national security interests.
  • Whether the expected gain from allowing the litigation exceeds the expected cost to the government.
  • Whether the relator has made “egregious procedural errors” that frustrate the ability of the government to litigate the case.

The memorandum should be of great interest to any company or in-house counsel involved in areas, such as healthcare and government contracting, where the risk of FCA claims is high.  The memo provides guidelines for the types of arguments that the government attorney must consider in deciding whether to dismiss, and also presumably in determining whether to intervene in the first instance.  The memo also suggests that the initial stages of a government investigation, before the intervention decision, will be of even more importance to defendants who have the opportunity not only to avoid government intervention but also to have the government affirmatively aid the defendant by dismissing the action and saving the defendant the costs and burdens of litigating the claim against the relator.  Defendants facing FCA claims and their counsel should take into account the factors set out in the memo as they strategize a response to government inquiries connected to qui tam complaints.

Enforcement and Prosecution Policy and Trends

Supreme Court to Review Reimbursements for Internal Investigation Costs

Earlier this month, the Supreme Court agreed to resolve a circuit split over when the costs of an internal investigation can be recovered under the Mandatory Victims Restitution Act (MVRA). The MVRA, which requires convicted criminals to reimburse their victims, can play a meaningful role in helping corporations defray some of the costs incurred to respond to criminal conduct.

Internal investigations are an integral part of modern corporate security. When confronted by potential wrongdoing – whether by employees, vendors, or customers – companies often launch internal investigations. In many cases, especially in complex, highly regulated industries, these investigations must be handled by outside counsel in conjunction with external auditors or consultants. Costs of such investigations can mount quickly. And when an internal investigation does uncover wrongdoing, there are additional costs associated with reporting to and cooperating with the appropriate governmental authorities.

Enter the MVRA. Under this statute, federal courts must order persons convicted of crimes to reimburse victims for their financial losses. Moreover, the convicted person must also “reimburse the victim for . . . expenses incurred during the participation in the investigation or prosecution of the offense.” The circuits have been divided, however, over how broadly to interpret this provision in the context of internal investigations. The D.C. Circuit has drawn the line most narrowly, authorizing reimbursement only when the internal investigation was requested or required by the government. Other circuits have been far more expansive, allowing corporations to recover any “foreseeable” cost associated with the criminal activity, regardless of its connection to a law enforcement investigation.

In the case before the Supreme Court, Lagos v. United States, the CEO of a freight company pled guilty to falsifying the company’s books to secure lines of credit. After the company declared bankruptcy, its lender launched an internal investigation that uncovered the fraud and information eventually used to prosecute the CEO. At sentencing, the district court ordered the CEO to pay nearly $5 million to the lender to compensate it for the costs of its internal investigation. The court issued an additional award of $787,000 as reimbursement for legal fees expended during the bankruptcy proceeding. The Fifth Circuit upheld the award. But in a concurring opinion, one judge expressed concern that, while circuit precedent dictated the result, the court had read the MVRA too broadly.

The Supreme Court appears poised to provide clarity on this issue. Should the Supreme Court side with the DC Circuit, corporations across the country will need to think about engaging with law enforcement sooner in cases of suspected wrongdoing to ensure that their investigations are considered to be requested or required by law enforcement.


Unexplained Wealth Orders


For some time there has been a perception that the UK is a safe refuge for corrupt individuals seeking to conceal their unlawfully acquired assets. This has particularly been the case with regard to persons from countries outside the UK.

The Government has sought to address this by amending the Proceeds of Crime Act 2002 (‘POCA’) through the insertion of a new investigative power, which fits in with the existing civil recovery scheme under POCA.

The Power

On application by a designated enforcement authority, the UK High Court may make an Unexplained Wealth Order (‘UWO’) in circumstances where it appears that a person’s possession of assets is disproportionate to their known income.

Conditions for the making of a UWO

Before such an order is made, the High Court must be satisfied that the following conditions have been met:

  • There is reasonable cause to believe that the respondent holds the property and that the value of the property is greater than £50,000.
  • There are reasonable grounds for suspecting that the known source of the respondent’s lawfully obtained income would have been insufficient for the purposes of enabling the respondent to obtain the property.
  • The respondent is a politically exposed person, or there are reasonable grounds for suspecting that the respondent or, a person connected with the respondent, is or has been involved in serious crime, whether in the UK or elsewhere [s.362B]

Note 1: A ‘politically exposed person’ is (a) an individual who is, or has been, entrusted with prominent public functions by an international organization or by a State other than the UK or another EEA State, or (b) a family member of such a person, or a known associate of or connected with such a person [s.362B(7)].

Note 2: A person is ‘involved in serious crime’ if so involved for the purposes of Part 1 of the Serious Crime Act 2007 [s.362B(9)]. This will embrace offences such as money laundering and bribery.

The Effect of a UWO

Such an order requires a respondent to provide a statement within a period specified by the court which (i) sets out the nature and extent of their interest in the relevant property, and (ii) explains how the property was obtained [s.362A(3)

Failure to comply with a UWO

If without reasonable excuse a respondent fails to comply with such an order, the property concerned is presumed to be recoverable property for the purpose of any proceedings taken in respect of the property under Part 5 of POCA (which covers civil recovery of the proceeds of unlawful conduct), unless the contrary is shown [s.362C(2)]


A person commits an offence if, in purported compliance with a requirement imposed by such an order, they knowingly or recklessly make a statement which is false or misleading in a material particular. Conviction may result in a sentence of imprisonment for up to 2 years on indictment or a fine or both. [s.362E]

Interim Freezing Order

Where a UWO has been made, and on application by a designated enforcement authority, the UK High Court may make an Interim Freezing Order, if it considers it necessary to do so in order to avoid the risk of a person disposing of the property concerned before complying with the terms of the order [s.362J].

External Assistance

If the High Court makes a UWO, or if an Interim Freezing Order has effect in respect of any property and it is believed that the property is in a country outside the UK, a request may be made via the Secretary of State to the government of the receiving country to prevent any person from dealing with the property concerned [ss. 362S and T].

Implications of a UWO

  • A UWO is a civil measure laid against property. It is not a criminal measure taken against an individual.
  • Its use is confined to illicit assets owned by foreign government officials (as defined) or those with links to serious crime (as defined).
  • A reasonable level of evidence is required before the making of an application for such an order.
  • Approval is required at a high judicial level (High Court Judge).

Potential concerns

  • Undue influence by the State in the private property rights of individuals.
  • Reversal of the ‘burden of proof’ principle.
  • Risk that in due course the provision may be given wider scope outside the category of ‘serious crime’.


While the concerns expressed above are legitimate, they have to be balanced against the international need to make it difficult for those involved in serious crime to secrete their ill-gotten gains, often to the detriment of the citizens of their countries of origin.

Enforcement and Prosecution Policy and Trends, Financial Institution Regulation

Beware What You Share: Privilege Waiver Risks in Investigations

In responding to regulatory and government investigations, firms are often faced with the question of how to balance the desire to cooperate with the need to preserve privilege over an internal investigation.  Financial institutions face this question additionally in their reporting requirements to regulators, including Form U-5 filings and Suspicious Activity Reports.  Two recent decisions illustrate the risk of a waiver of privilege when a firm provides information relating to witness or client interviews.

In the first case, a U.S. Magistrate Judge in the Southern District of Florida held that providing “oral downloads” of otherwise-privileged witness interview notes and memoranda to the Securities and Exchange Commission effectively waived privilege.  SEC v. Herrera, 2017 WL 6041750 (S.D. Fla. December 5, 2017).  The court in Herrera ruled that there is little or no distinction between (a) producing actual interview notes and memoranda to a regulator and (b) orally summarizing that written material’s meaningful substance.

In the second case, the D.C. District Court held that a written submission made to the Department of Justice, which was based on privileged conversations, constituted an implied waiver of the attorney-client privilege for the privileged communications that formed the basis of the submitted responses.  In re Grand Jury Investigation, 2017 WL 4898143 (D.D.C. October 2, 2017).  The court reasoned that the submitted responses contained information obtained by the attorney from her clients, that privilege was impliedly waived as to the content of the submitted responses and that the implied waiver extended to communications relating to the same subject matter.

Firms feeling pressure to cooperate by providing information should be careful about providing information beyond historical facts, and should keep in mind that it is usually safer to provide documents than information from interviews.  Remember also that generally the government is prohibited by policy from asking for a privilege waiver.  And understand that the waiver issues identified above can snowball into subject matter waivers of unpredictable scope.  So think twice (or more) before considering providing information from witness or client interviews in any form.  That said, if a firm decides after careful thought that it must cooperate by providing information from interviews, it should consider the following practice points:

  • Provide “general impressions,” and present information in a broad thematic manner.  Do not quote.  Use hypotheticals, rather than actual questions and answers from the interview.
  • Do not organize the information in a witness-specific manner.  Present information in a way that particular statements cannot be attributed to specific individuals.
  • Avoid relaying the contents of witness interviews in “substantial part.”  Specifically, if a court conducts an in camera review, notes of the oral download should not match the original interview notes.

E.g. S.E.C v. Vitesse, 2011 WL 2899082, at *3 (S.D.N.Y. July 14, 2011); U.S. v. Treacy, 2009 WL 812033, at *2 (S.D.N.Y. March 24, 2009).  As noted, this course of action is risky.  Proceed with caution.

Compliance, Financial Institution Regulation

CFPB Announces Intent to Reconsider Disclosure Rule

On December 21, 2017, the Consumer Financial Protection Bureau (CFPB) issued a public statement regarding implementation of the Home Mortgage Disclosure Act (HMDA), noting that it plans to reconsider aspects of the mortgage data rule.

The HMDA, enacted in 1975, requires many lenders to report information concerning applications they receive for particular mortgage loans and other loans they purchase. The Dodd-Frank Act directed the CFPB to expand the collection of this data, prompting the Bureau to issue a rule in 2015 that required financial institutions to collect and report additional mortgage information beginning in 2018. The CFPB then issued a final rule in August of 2017 regarding this collection of information.

Despite this relatively recent final rulemaking, the CFPB has announced that it “intends to engage in a rulemaking to reconsider various aspects of the 2015 HMDA Rule such as the institutional and transactional coverage tests and the rule’s discretionary data points.” According to the CFPB, this rulemaking will likely re-examine, among other things, lending-activity criteria that determines whether data and transactions must be reported.

At this point, it is unclear how the regulations will change, but it appears likely that the modifications will reduce the amount of information about borrowers that banks and other lenders are required to submit to regulators. Further, the number and types of institutions required to report certain information could be reduced. For now, lenders will have to comply with the rule coming into effect, though the CFPB has said that it “does not intend to require data resubmission unless data errors are material.” Moreover, the Bureau doesn’t intend to assess penalties with respect to data collected in 2018 and reported in 2019, and will only use examinations of 2018 data as diagnostic, to aid in identifying compliance weaknesses.

This announcement may signal a new approach by the CFPB, which traditionally has taken an expansive view toward regulation of financial institutions, particularly as this news comes less than a month after Mick Mulvaney, the Director of the Office of Management and Budget, took the reins at the CFPB. This new rulemaking should be closely tracked so financial institutions may appropriately adjust their compliance programs to this shifting landscape.


Pending U.S. Supreme Court Case Could Impact Judicial Deference to Agency Rulemaking

A petition for certiorari pending before the U.S. Supreme Court has the potential to narrow the application of Chevron deference to agency rulemaking.  Under Chevron U.S.A. v. Natural Resources Defense Council, a 1984 Supreme Court case that is widely considered a foundational case in administrative law, courts interpreting an ambiguous provision of a federal statute defer to an agency’s interpretation of that statute.  During Justice Neil Gorsuch’s confirmation proceedings, commentators noted his expressed skepticism of deference to agencies and speculated that his confirmation might lead to the trimming of Chevron deference and thus the scope of agencies’ authority to interpret the laws they enforce and implement.

The now-pending case of Perez-Guzman v. Sessions, No. 17-302, involves a complex statutory and regulatory scheme under immigration law pertaining to the circumstances in which an alien whose prior removal order has been reinstated may apply for asylum.  Perez-Guzman, the party seeking the Supreme Court’s review, casts the case as presenting the question of whether a court must defer to an agency’s interpretation when the agency is interpreting two statutory provisions that conflict with each other.  He argues that when ambiguity arises in that circumstance, rather than from a “gap” in a statute that Chevron presumes Congress intended for the agency to fill, it is for a court to resolve the conflict between the laws at issue.

Perez-Guzman also points to a concurrence in an earlier case by two current members of the Court signaling that they would not apply Chevron deference in this circumstance, thus suggesting that multiple members of the Court may be inclined to hear the case.  After Perez-Guzman filed his petition in August, the government waived its right to respond to the petition.  Thereafter, the Court requested the government to respond, often an indication that at least one Justice has interest in the case.  In its response, the Solicitor General states that review is unwarranted because the Chevron issue need not be decided and that an earlier case effectively resolved this issue against Perez-Guzman.

Perez-Guzman has attracted significant amicus support from immigration attorneys and the Cato Institute alike.  The Court will likely decide whether to take up the case in January or February.

We use cookies to enhance your experience of our website. By continuing to use this website, you agree to the use of these cookies. For more information and to learn how you can change your cookie settings, please see our policy.