Subject to Inquiry

Subject to Inquiry


Government Investigations and White Collar Litigation Group
Immigration and Worksite Enforcement

Employer Update: DHS Extends Temporary Protected Status and Work Authorization for El Salvador, Haiti, Sudan, and Nicaragua

The Department of Homeland Security (DHS) announced on March 1, 2019, an extension of the Temporary Protected Status (TPS) for qualifying individuals from El Salvador, Haiti, Sudan, and Nicaragua. DHS also announced a nine-month automatic extension of these TPS beneficiaries’ Employment Authorization Documents (EADs), allowing beneficiaries to work in the United States until January 2, 2020. The Department took this action to ensure its continued compliance with the preliminary injunction order of the U.S. District Court for the Northern District of California in Ramos v. Nielsen, No. 18–cv–01554 (N.D. Cal. Oct. 3, 2018).

The announcement provided welcome news to employers awaiting word on whether they could continue to employ individuals with work authorization expiring on March 4, 2019. However, the January 2, 2020, extension could change in the future depending on the outcome of the lawsuit.

For now, employers should be prepared when reviewing employment documentation of new or current employees from these four countries. Taking an adverse employment action against a TPS beneficiary under the mistaken belief that they cannot work because their EAD card is expired can subject a company to investigation by the Department of Justice’s Immigrant and Employee Rights Section and can result in significant fines. Current employees from these four countries who are TPS beneficiaries need not provide any further documentation to continue working. However, employers must take steps to update these employees’ Form I-9s to remain complaint with federal law.

The Federal Register notice provides guidance to employers on updating Form I-9s for existing employees. Specifically, the notice instructs:

For Section 1, the employee should:

  • Draw a line through the work authorization expiration date in Section 1;
  • Write 1/2/20 above the previous date; and
  • Initial and date the correction in the margin of Section 1.

For Section 2, employers should:

  • Determine if the Employment Authorization Document (EAD) is auto-extended by confirming the EAD’s code category is A12 or C19 and has one of the following expiration dates:

If the EAD is auto-extended:

  1. Draw a line through the expiration date in Section 2;
  2. Write 1/2/20 above the previous date; and
  3. Initial and date the correction in the Additional Information field in Section 2.

The notice also provides specific instructions for completing Form I-9s for new hires falling under TPS protected status.

This notice received little attention upon its release, but it has a far-reaching impact on employers throughout the United States. For employers and HR professionals, understanding and complying with this Federal Register notice will help mitigate risk and avoid potentially costly mistakes.

Sanctions, Trade Embargo, and Export Controls

What the Venezuela Sanctions May Mean for Future Sanctions Programs

When the Trump Administration designated Venezuelan state-owned oil producer Petreoleos de Venezuela (“PdVSA”) on January 28, 2019, pursuant to preexisting sanctions relating to the political situation created by the Maduro regime, it sent a significant but not unanticipated ripple through the global petroleum markets.  The impact of the sanctions for commodities traders and petroleum refiners—particularly in the U.S. Gulf Coast, where PdVSA’s steady supply of heavy crude has long been a sizable staple feedstock—was fairly immediate, and appears to have had the intended effect of isolating PdVSA, impairing its production capabilities and reducing its cash revenues.  According to industry reports, many of the larger commodity traders around the world have largely if not entirely backed away from trading in PdVSA crude, and PdVSA has been cut off from its primary sources of naphtha and other diluents it needs to move its heavy crude through pipelines.  Whether the sanctions will have the intended political effect of forcing regime change in Venezuela remains to be seen.

Although at a high level the PdVSA sanctions are not functionally different from other OFAC sanctions designations, their political contours, the immediacy of the underlying humanitarian crisis in Venezuela, and the proximity and entanglement of PdVSA in U.S. markets—including the fact that one of PdVSA’s most valuable assets is the U.S.-based Citgo—makes them appear like a different creature.  So, what can the Venezuela sanctions, as imposed against PdVSA, tell us about the future of U.S. sanctions?

Possibly, Nothing

All sanctions regimes, export controls, import controls and other forms of trade restriction are reflections of foreign policy.  In the case of sanctions, their form and function tends to be highly particularized to the political situation at issue.  The Venezuela sanctions appear unique in part because of the specific circumstances in which they are imposed: Maduro’s government is in crisis, Venezuela is a significant crude producer and exporter for the international oil market, and PdVSA is a critical element of the Venezuelan economy and of great  symbolic importance to the Venezuelan people.  Combine that with Venezuela’s physical proximity to the United States and the fact that the imposition of sanctions against PdVSA is cutting that company off from its biggest export market and cutting U.S. refiners off from one of their largest sources of feedstock, and you have a uniquely impactful sanctions action that is unlikely to be repeated.

It’s Complicated

Sanctions can be a blunt instrument, but they can also be a precise tool, as they appear to be here.  The Venezuela sanctions continue a trend of applying incremental pressure to targeted sectors of an economy or particular operators in that sector, without going so far as to impose a comprehensive embargo against an entire country.  Unlike the Russia/Ukraine sectoral sanctions, the Venezuela sanctions, through the PdVSA designation, went from incremental to exponential in the pressure being applied.  But like the sectoral sanctions, the Venezuela sanctions are more complex in design and application.  It is reasonable to expect that future sanctions programs will probably look more like the Venezuela sanctions and Russia/Ukraine sectoral sanctions than the Cuba embargo.

Sanctions to the Front

As of this writing, the Maduro regime remains in place and it is unclear whether the regime change being sought by the Trump Administration will occur—at least in a reasonably orderly fashion.  Regardless of that outcome, the PdVSA designation has certainly impacted the political conversation, and moved Venezuela’s political and humanitarian crisis more to the forefront in terms of U.S. and international awareness and attention.  As a result, it is possible that the current and future administrations will feel emboldened to consider the use of sanctions more liberally, particularly if Maduro does step aside without internal armed conflict or outside military intervention.  On that point, we can’t ignore that the Trump administration has not shied away from applying sanctions and appears ready and willing to do so to further its foreign policy agenda.

For now, we remain relatively early in the life cycle of the PdVSA designation, with the first wind-down deadlines set to pass and the global commodities markets remaining in a wait-and-see posture.  More time needs to pass before we will have a clear understanding of the likely political and economic trajectory of the situation in Venezuela, and that clarity may remain elusive.  For now, we have to view the posture of the Venezuela sanctions as dynamic and subject to significant change with limited notice.


Positive FCA Enforcement Trend for Defense Contractors: DOJ Reaffirms Commitment to Exercise Statutory Authority to Dismiss

Following recent changes to Department of Justice policy regarding individual accountability in government investigations of corporate wrongdoing, DOJ has recently further demonstrated its willingness to consider a flexible approach in applying the False Claims Act.

In a January 28, 2019 speech by Deputy Associate Attorney General Stephen Cox to the 2019 Advanced Forum on False Claims and Qui Tam Enforcement, DOJ reaffirmed its commitment to applying the so-called Granston Memo, which sets forth the factors under which DOJ may dismiss qui tam actions under the False Claims Act. False Claims Act enforcement remains a key DOJ enforcement priority, but DOJ is now expressly allowing government investigators to exercise discretion in identifying qui tam actions that should be dismissed.

Issued in January 2018, the Granston Memo described the DOJ’s exercise of its authority to dismiss qui tam cases brought under the False Claims Act pursuant to 31 U.S.C. § 3730(c)(2)(A). Authored by the Director of the DOJ’s Commercial Litigation Branch, Fraud Section, Michael Granston, the Memo was generally interpreted as a signal of DOJ’s greater willingness to consider dismissing certain qui tam matters pursuant to its statutory authority. Specifically, the Granston Memo set forth a list of seven factors under which the DOJ historically exercised its statutory right to dismiss qui tam actions:

  1. Curbing meritless qui tam matters
  2. Preventing parasitic or opportunistic qui tam actions
  3. Preventing interference with agency policies and programs
  4. Controlling litigation brought on behalf of the United States
  5. Safeguarding classified information and national security interests
  6. Preserving government resources
  7. Addressing egregious procedural errors

The Granston Memo stated that these factors were neither exhaustive nor mutually exclusive, noting that “there may be other reasons for concluding that the government’s interests are best served by the dismissal of a qui tam action.” It further suggested that, although the DOJ may exercise its authority in connection with a decision not to intervene in a qui tam matter, it may also move to dismiss the matter at a later stage of litigation.

During his January 28 speech, Cox reiterated that DOJ views the Granston Memo as part of its “gatekeeping role,” advising that “when qui tam cases are non-meritorious, abusive, or contrary to the interests of justice, they impose unnecessary costs on the Department, on the judiciary, and on the defendants.” These “bad cases” result in bad case law and consume scarce DOJ time and resources. In this regard, Cox advised that DOJ views its ability to dismiss cases as “an important tool to protect the integrity of the False Claims Act and the interests of the United States.” Although he advised that DOJ has used this authority only sparingly, Cox specifically stated that DOJ has instructed its lawyers to consider dismissing qui tam cases when they are not in the DOJ’s best interests, as it has done on roughly two dozen matters since 2017.

Indeed, two recent matters demonstrate the DOJ’s willingness to use the Granston Memo factors to dismiss matters where a relator’s case is weak and dismissal is otherwise in the government’s interest.

First, in an amicus brief filed in opposition to a petition for certiorari in Gilead Sciences, Inc. v. United States ex rel. Campie, et al., the DOJ stated that it would dismiss the relators’ qui tam on remand pursuant to Section 3730(c)(2)(A). In the underlying case, the 9th U.S. Circuit Court of Appeals had decided that the relators had adequately pled the materiality element of the False Claims Act under the standard set forth in Health Services, Inc. v. United States ex rel. Escobar, even though the agency at issue had continued to accept and pay for products that failed to comply with certain regulatory requirements. Although the brief did not reference the Granston Memo by name, DOJ stated that its decision to dismiss the matter was based upon its own investigation of relators’ allegations, as well as the potential for “burdensome discovery and Touhy requests for [agency] documents and [agency] employee discovery (and potentially trial testimony), in order to establish ‘exactly what the government knew and when,’ which would distract from the agency’s public-health responsibilities.” Accordingly, the DOJ’s decision can reasonably be read as based on the Granston Memo’s priorities of preventing interference with agency policies and programs and preserving government resources (with the added bonus of preserving a materiality standard under the 9th Circuit decision that strongly benefits DOJ).

Second, in motions filed in December 2018, DOJ moved to dismiss 10 qui tam matters filed by a business that the DOJ contends was created primarily for the purpose of filing qui tamactions. These matters included: United States ex rel. SAPF, LLC, v. Amgen, Inc. and United States ex rel. SMSPF, LLC v. EMD Serono, Inc., both in the Eastern District of Pennsylvania; United States ex rel. SMSF, LLC v. Biogen, Inc., in Massachusetts; United States ex rel. NHCA-TEV, LLC v. Teva Pharma., in the Eastern District of Pennsylvania; United States ex rel. SCEF, LLC v. Astra Zeneca PLC, in the Western District of Washington; United States ex rel. Miller v. AbbVie, Inc., in the Northern District of Texas; United States ex rel. Carle, v. Otsuka Holdings Co., in the Northern District of Illinois; United States ex rel. CIMZNHCA v. UCB, Inc., in the Southern District of Illinois; United States ex rel. Health Choice Group, LLC v. Bayer Corp., in the Eastern District of Texas; and United States ex rel. Health Choice Alliance, LLC, also in the Eastern District of Texas. The relator had dismissed an 11th related action, United States ex rel. Health Choice Advocates, LLC v. Gilead, also in the Eastern District of Texas. DOJ justified the dismissal of the matters under Section 3730(c)(2)(A) based on the government’s interests in “preserving scarce government resources and protecting important policy prerogatives of the federal government’s healthcare programs,” similarly aligning with the Granston Memo factors.

Cox’s comments and these cases serve as strong indicators that DOJ is starting to exercise the discretion granted to government investigators in the Granston Memo to dismiss unmeritorious matters. While it remains to be seen how frequently and under what circumstances DOJ will exercise this discretion, defendants should analyze the application of the Granston Memo factors in any new matter to determine whether there is a possibility of terminating litigation at a stage that would avoid costly discovery and litigation.

For more information on McGuireWoods’ Government Contract Investigations and Enforcement team, please click here.

McGuireWoods’ Government Investigations & White Collar Litigation Department is a nationally recognized team of nearly 60 attorneys representing Fortune 100 and other companies and individuals in the full range of civil and criminal investigations and enforcement matters at both the federal and state levels. Our team is comprised of a deep bench of former senior federal officials, including a former Deputy Attorney General of the United States, former U.S. Attorneys, more than a dozen federal prosecutors, and an Associate Counsel to the President of the United States. Strategically centered in Washington, DC, our Government Investigations & White Collar Litigation Department has been honored as a Law360 Practice Group of the Year and earned the trust of international companies and individuals through our representation in some of the most notable enforcement matters over the past decade.


New Rules for Small Business Government Contractors

On Dec. 17, 2018, President Trump signed the Small Business Runway Extension Act of 2018 into law. It amends § 3(a)(2)(C)(i)(II) of the Small Business Act “by striking ‘3 years’ and inserting ‘5 years,’” so a contractor’s size will be measured by the annual average of its previous five years’ revenue, instead of the annual average of its previous three years’ revenue.

Notably, the amendment does not alter employee-based size standards, or the definition of a small business concern using a headcount rather than average revenue.

Implementation Timeline

In a recently issued SBA information notice, the Small Business Administration (SBA) indicated its position that the new five-year average is not effective until SBA issues a formal rule implementing the statute. While this legal theory may be open to challenge, it is important to note that SBA’s position would require that current contracts and solicitations continue to use the old three-year average until completion of the formal rulemaking process.


According to a House Committee on Small Business report on the bill before its Dec. 17 signing, the purpose of the amendment is to “help advanced-small contractors successfully navigate the middle market as they reach the upper limits of their small size standard.” Since many small businesses have initially lean operating years, this change may allow overgrown businesses (i.e., other than small business concerns) to potentially qualify as small businesses when their earlier revenue is considered.

At the same time, if a qualified small business concern had higher revenues in, e.g., 2013 and 2014, it may no longer qualify as a small business concern when the two additional years’ revenue is added and measured against the applicable size standard(s) for the applicable revenue-based NAICS code(s). Pursuant to the Federal Acquisition Regulation (FAR), a change in size status “does not change the terms and conditions of the contract,” but the contracting officer “may require a subcontracting plan for a contract containing 52.219-9, Small Business Subcontracting Plan, if a prime contractor’s size status changes from small to other than small as a result of a size representation.”

The statutory amendment is intriguing, given SBA’s opposition to the change. On April 27, 2018, the SBA responded to a comment proposing a change in calculating average annual receipts using a five-year period rather than a three-year period. The commenter claimed that the change “would allow small businesses to plan and increase capacity before entering full and open competition and provide longer transition time from small business status to other than small business status.” SBA rejected that comment in the following response:

SBA does not adopt this comment. SBA believes that calculating average annual receipts over three years ameliorates fluctuations in receipts due to variations in economic conditions. SBA maintains that three years should reasonably balance the problems of fluctuating receipts with the overall capabilities of firms that are about to exceed the size standard.

Notwithstanding SBA’s stated opposition to the change, the bill passed in the House on Sept. 25 and in the Senate on Dec. 6. The bill went to President Trump’s desk on Dec. 11 and went into immediate effect on Dec. 17 when he signed it.

Ultimately, the Small Business Administration will need to update its size regulations — particularly, 13 C.F.R. § 124.104 — to resolve the inconsistency and clarify that the measurement period is five years, not three. There is no forecast as to when SBA will implement this change to its regulations, nor any indication of whether a similar revision will be made to FAR provisions, including FAR Part 19, on the subject of small businesses. (FAR 19.101(1)-(2) defines “Annual receipts” in terms of the concern’s “annual average gross revenue of the concern taken for the last 3 fiscal years.”)

For now, small businesses and overgrown, other than small business concerns operating in the federal contracting arena should consider recalculating their revenue over the past five years, and determine whether they meet the requirements to properly self-certify as small under any revenue-based NAICS Code they work under, and any SBA-administered program (e.g., 8(a), HUBZone and Economically-Disadvantaged Women-Owned Small Business). However, contractors should not be surprised to see contracting officers and SBA representatives continue to apply the old three-year average until a new SBA rule is implemented.

Given the harsh penalties for contractors who knowingly misrepresent their size for purposes of a procurement, it is crucial for all potentially affected businesses to understand the risks involved with aggressively applying the new five-year rule. (See FAR 19.301-1(d), which states: “The SBA’s regulations on penalties for misrepresentations and false statements are contained in 13 CFR 121.108 for small business, 13 CFR 124.501 for 8(a) small business, 13 CFR 124.1004 for small disadvantaged business, 13 CFR 125.29 for veteran or service-disabled veteran-owned small business, 13 CFR 126.900 for HUBZone small business, and 13 CFR 127.700 for economically disadvantaged women-owned small business concerns and women-owned small business (WOSB) concerns eligible under the WOSB Program.”)

As always, if a business determines that it no longer qualifies as small for certain NAICS code(s), or now qualifies as small under applicable NAICS code(s), the business must promptly update its certifications and representations on the System for Award Management and other federal procurement databases that rely upon self-reporting of small business status.

McGuireWoods has extensive experience advising clients on small business compliance matters, and has brought size protests on behalf of clients and defended protested concerns before SBA and its appellate authority, the Office of Hearings and Appeals. Please contact the firm’s government contracts team with any questions or to discuss further.

Enforcement and Prosecution Policy and Trends, Financial Institution Regulation, Securities and Commodities

SEC Charges Its First Robo Actions – Increasing Scrutiny of the Investment Platform

It was never a question of if, but rather, when the Securities and Exchange Commission would launch its first charges against robo-advisors and what those charges would be. Following then-SEC Chairperson, Mary Jo White’s keynote address at the SEC-Rock Center on Corporate Governance in 2016, regulators have been carefully monitoring robo-advisors’ compliance with the Investment Advisers Act of 1940 (“Advisers Act”).[1] In two recent Orders, the SEC found Wealthfront Advisers made false statements about its tax-loss harvesting program (“TLH”), and found Hedgeable made false performance comparisons about its investment performance. Both robo-advisors were also found to be in violation of the Advisers Act for their marketing use on social media platforms.

False Statement in Whitepaper Description

Wealthfront designed its TLH program to incentivize clients to sell certain assets at a loss to create tax benefits. On its website, Wealthfront provided whitepapers outlining the TLH program. However, from October 2012 through mid-May 2016, Wealthfront falsely stated in the TLH whitepaper that it monitored all client accounts to avoid any transactions that might trigger a wash sale, which prevents the tax benefit of the TLH program. (A wash sale occurs when an investor sells a security at a loss but within 30 days of the sale, buys the same or substantially identical security.) The SEC found Wealthfront did not in fact monitor all of its client accounts to prevent a wash sale prior to mid-May 2016. In fact, at least 31 percent of accounts enrolled in the TLH program experienced a wash sale. Ultimately, the failure to monitor for and prevent wash sales led to slightly lower returns: The average Wealthfront client received fewer tax losses, obtaining overall 5.6 percent in annual harvesting yield versus 5.8 percent. Despite the relatively minor impact on customers, the SEC fined the robo-advisor $250,000 for, among other things, violating Section 206(2) of the Advisers Act, which prohibits transactions or business practices that operate as a fraud or deceit upon clients or prospective clients.

Misleading Advertising and Marketing Materials

A second robo-advisor, Hedgeable, was sanctioned for its misleading marketing through the use of its “Robo Index” created to compare the performance of Hedgeable, to other unaffiliated robo-advisors. Hedgeable’s misrepresentations were egregious. Featured on its website, the index incorrectly illustrated Hedgeable’s returns by failing to account for over 96 percent of Hedgeable’s clients in its calculations. Hedgeable failed to use actual performance data and various other risk factors when depicting the average returns for the comparison robo-advisors, thereby providing incorrect return projections for its competition robo-advisors.

The SEC also found Hedgeable’s online fact sheets to be misleading. The annual benchmark returns were not updated for certain years, leading clients to believe the model portfolio outperformed its benchmark greater than what actually occurred. Hedgeable also incorrectly calculated certain benchmark and portfolio returns for several ETFs in violation of Section 206(2) and Section 206(4) of the Adviser Act.

Compliance of Social Media Usage

Under Section 206(4) of the Advisers Act, it is “unlawful for any investment adviser…to engage in any act, practice, or course of business which is fraudulent, deceptive, or manipulative.” The SEC has made clear that these requirements are applicable to robo-advisors. Publishing, circulating, or distributing any advertisement that directly or indirectly provides a testimonial concerning the investment adviser that “contains any untrue statement of a material fact or which is otherwise false or misleading” is a violation of Rule 206(4)-1.

In addition to its findings with respect to Wealthfront’s TLH whitepapers, the SEC also found Wealthfront, willfully violated Section 206(4) of the Advisers Act and Rules 206(4)-1 by selectively republishing (“retweeting”) certain posts by other Twitter users that constituted positive testimonials about Wealthfront’s services. In some cases, Wealthfront knew or should have known that the Twitter users providing positive reviews had an economic interest in promoting Wealthfront, and Wealthfront failed to disclose the conflict of interest in violation of Rule 206(4)-3. These charges come as no surprise, following the SEC’s sanctions in July 2018 against two investment advisers and three investment adviser representatives for similar violations of Section 206(4) for soliciting, and publishing client testimonials on its various websites including Yelp and Facebook.

Similarly, the SEC found Hedgeable was in violation of Section 206(4) and the rules thereunder, for marketing false and misleading information on its “Robo-Index” through social media as well as its website.

Further, neither robo-advisor adopted and designed written policies and procedures with a scope that included certain social media usage in its compliance review of marketing materials and communications as required by Rule 206(4)-7.

Bottom Line

Ultimately, the SEC charged both robo-advisors with violations of the Advisers Act and required them to pay a fine. In addition, Wealthfront is required to notify its advisory clients of the Order and provide a copy of the Order to clients by January 20, 2019.[2] While, these Orders were not unique issues to robo-advisors, they serve as a reminder that the Advisers Act and its rules apply to robo-advisors. In fact, these Orders indicate that since robo-advisors are only available on electronic platforms, they may be more susceptible to misleading online marketing and social media ploys. Robo-advisors, therefore, should examine their compliance and supervision policies to ensure truthful and accurate data is being provided to clients, as well as ensuring social media platforms are being adequately monitored.

McGuireWoods’ experienced broker-dealer/investment adviser team will continue to monitor and report on important regulatory compliance updates. For more information, contact the authors of this article or any member of the team.

[1] See Financial Industry Regulatory Authority (FINRA) Report on Digital Investment Advice (2016). For state registered advisers, see, Massachusetts Securities Division Policy Statements: State-Registered Investment Advisers’ Use of Third-Party Robo-Advisers( and Robo-Advisers and State Investment Adviser Registration (April 1, 2016) (–Robo-Advisers-and-State-Investment-Adviser-Registration.pdf).


[2] Hedgeable was not also required to send its Order to advisory clients, which is most likely because the firm, as noted in the Order, is winding down its business and no longer meets the requirements to be an SEC registered adviser. Furthermore, Hedgeable is paying a significantly reduced penalty, as compared to Wealthfront, and has a payment plan, both factors indicative of reduced assets.

Financial Institution Regulation

FINRA’s 2018 Report on Cybersecurity Practices – Preventing “Spear Phishing” and “Whaling” Attacks

This article was originally posted on our sister publication, Password Protected.

On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. Today’s post is the second in a series of summaries sharing essential, timely insight on how these practices impact your business. Please click here for the first post on cybersecurity practice impacts.

FINRA names “phishing” attacks as one of the most common cybersecurity threats raised by firms with the self-regulator. The goal of a phishing email is to manipulate the recipient into taking action. FINRA focuses on two types of phishing attacks in the report. The first is “spear phishing,” where the sender researches and targets the recipient(s) with a customized approach designed to get confidential information from the individual(s). The second is “whaling,” wherein the hacker sends targeted emails impersonating senior executives at the firm in order to set action in motion, typically wiring funds to specifically identified accounts.

There is no doubt that “spear phishing” and “whaling” are very real threats to financial institutions today. As the Securities & Exchange Commission (SEC) detailed in a recent investigation report, the FBI estimates that “’business email compromises’ have caused over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017 – the highest estimated out-of-pocket losses from any class of cyber-facilitated crime during this period.’”

While the SEC’s 21(a) Report focuses on risk and controls for public companies, the financial services industry, even the non-public company segment of the industry, faces the same risk and similar regulator expectations and requirements of effective controls to protect customer and firm information and assets. The SEC found that emails sent to firm staff from “fake” firm executives or vendors requested funds be wired to specified accounts. Employees at nine companies fell for the spoofed emails and, together, the issuers lost nearly $100 million.

The SEC’s 21(a) Report found that the schemes were “not sophisticated in design or the use of technology: instead they relied on … weaknesses in policies and procedures and human vulnerabilities that rendered the control environment ineffective.”

The phishing segment of FINRA’s Cybersecurity Report conveys information on two topics: (1) how they do it (what to watch for — sources and types of communications) and (2) suggested best practices to combat the threat.

On the “how they do it front,” FINRA details the different types of senders (entities and individuals), as well as the typical characteristics of phishing emails. Further, the Report, recognizing the increasing sophistication of such attacks, also details several different characteristics, as well as examples, of phishing communications. Whether the phisher is seeking customer personal identifiable information or fraudulent wire transfers, if firms develop policies and procedures and focus training on the types of senders (or hackers/phishers) to watch out for and the typical variations of such communications, this will mitigate risk that of employees falling victim to the scams.

Importantly, FINRA’s Report details a dozen best practices implemented by firms to combat the phishing threat. While we commend the review of the full list of best practices to firms, we wanted to emphasize four of the recommended effective practices.

  • Creating policies and procedures that address phishing practices including identifying such emails, what to do when such emails are suspected (e.g., do not click on links, notify technology and compliance, confirming wire transfers, etc.).
  • Establishing robust confirmation policies and procedures for executing transaction requests.
  • Periodic, mandatory training of employees and associated persons on phishing practices and policies and procedures for disseminating information. Training allows the firm to provide updates on new phishing tactics and remind everyone of the specifics of the anti-phishing policies and procedures as well as the risks to customers and the firm of noncompliance.
  • Developing remedial training and imposing consequences for those who repeatedly violate firm phishing protocols. Impressing the importance of everyone’s adherence to firm policies and procedures in this area is one way to close potential gaps that hackers can exploit. This includes following up when the firm is on notice of individuals who violate the policies.

These effective or best practices are similar to those highlighted in the SEC’s 21(a) Report. For example, the SEC ultimately concluded that, while the companies involved in the matter had implemented policies and procedures and training, “weaknesses in the policies and procedures and human vulnerabilities” needed to be factored into the development of controls specifically geared to cyber threats. The SEC emphasized the need to reassess internal controls through the lens of cyber-security threats. While it is always best if that reassessment can occur in advance of a cyber-event, at a minimum, taking steps to shore up payment authorization and verification requirements and enhance training after an event, as the issuers investigated by the SEC staff did, is imperative to protect customers and the firm.

Finally, FINRA, recognizing that successful attacks may start with the customers, recommends that firms also educate their customers and direct them to resources that help them protect themselves.

FINRA’s Report provides comprehensive information for firms to combat cyber-related frauds. While the scammers continue to alter their tactics and increase the sophistication of the scams, implementing internal controls and effective policies and procedures that stay ahead of the scams and implementing effective training provide important risk mitigation strategies.

Election and Political Law, Enforcement and Prosecution Policy and Trends

Congressional Investigations: Beyond Sensational Headlines — Incoming House Leaders Announce Broad Investigative Priorities Targeting Business Community

In the politically explosive atmosphere of Washington, the talk of the town is focused on congressional investigations: who will be called before Congress, and when. Newspaper headlines blare the latest controversy — from use of personal emails for government business, to numerous investigations alleging corruption of current and former government employees, including several cabinet secretaries, and the continuing developments from Special Counsel Robert Mueller’s Russia investigation. But as the nation prepares for power in the House to change hands on Jan. 3, another question looms large: what does all this mean for the business community?

Though the priorities of incoming House committee chairs may be relegated to smaller print below the fold, according to their own public commentary and reporting, the new House is poised to commence oversight hearings and congressional inquiries aimed at key segments of the business community. This article highlights the prerogatives of some of the most important committees and industry areas likely to see significant activity from the new House of Representatives.

In the House Judiciary Committee, multiple press outlets report that incoming chair Rep. Jerry Nadler (D-N.Y.) will focus on a variety of healthcare issues, such as consolidation in three major areas — healthcare insurers, the hospital market, and pharmacy benefit managers — as well as investigating the Trump Administration’s decision not to defend the Affordable Care Act against a lawsuit from 20 Republican-led states. According to David Cicilline (D-R.I.), poised to chair the antitrust subcommittee, “We will get to work immediately to promote competition and address monopoly power in health-care markets.” Additionally, spurred by the most recent and widely publicized shootings at the Tree of Life Synagogue in Pittsburgh and the Marjory Stoneman Douglas High School in Parkland, Florida, Nadler will likely take up gun control as it relates to mass shootings, implicating the gun manufacturing industry and retail outlets. Finally, while Nadler said he will not move to impeach Justice Brett Kavanaugh, he indicated plans to examine other issues associated with Kavanaugh’s confirmation process.

Because the House Oversight and Government Reform Committee’s jurisdiction is broad, incoming chair Elijah Cummings (D-M.D.) is likely to investigate numerous issues spanning several industries. Media reports indicate that these investigations will include the high cost of prescription drugs; the continuing water crisis in Flint, Michigan; and Commerce Secretary Wilbur Ross’ decision to include a citizenship question on the 2020 census. On immigration, Cummings plans to investigate the Trump Administration’s policies on the separation of migrant children from their undocumented parents at the Mexican border. Press reports also confirm Cummings is expected to investigate the General Services Administration’s decision to keep the FBI headquarters in downtown Washington, D.C., as opposed to a suburban headquarters in Maryland or Virginia, thus preventing the land from being developed commercially, in potential competition with the Trump International Hotel.

In the House Financial Services Committee, press reports indicate that incoming chair Rep. Maxine Waters (D-C.A.) will investigate consumer finance issues involving the big banks and credit reporting agencies, as well as the Trump Organization’s ties to large financial institutions. While major legislation rolling back bank deregulation is unlikely given Republican control of the Senate, Waters likely will focus on financial institutions’ conduct — particularly, the conduct of the largest banks — toward consumers during the financial crisis. In Waters’ own words: “I have not forgotten that you sold us those exotic products. … What am I going to do to you? … I’m going to do to you what you did to us.”

There also will likely be substantial investigations activity focused on the energy and environmental arena. For example, incoming chair Rep. Raúl Grijalva (D-A.Z.) for the House Natural Resources Committee said he will hold hearings regarding rule changes promulgated by the Trump Administration, including rules addressing climate change, federal waters and waterways, the Endangered Species Act, and the Wilderness Act. Additionally, Rep. Frank Pallone (D-N.J.), who will take over the House Energy and Commerce Committee, said seismic testing, a process where compressed air is shot into the ocean to try to locate oil and gas deposits and is thought to be a precursor of offshore oil drilling testing, “has disastrous consequences for marine wildlife.”

News reports also indicate that incoming chair Rep. Richard Neal (D-M.A.) of the House Ways and Means Committee will lead the House’s consideration of the United States–Mexico–Canada Agreement (the revised NAFTA deal), which will affect the auto, tech, retail, agriculture, labor and environmental sectors of the economy, though reporting requirements will likely delay a vote until the beginning of the second quarter. Press reports also indicate that the House Energy and Commerce Committee plans to hold oversight hearings regarding transparency and data security at some of the nation’s biggest technology companies.

Other commentary suggests that House Education and Workforce Committee incoming chair Rep. Bobby Scott (D-V.A.) will likely examine Education Secretary Betsy DeVos’ efforts to overturn a variety of Obama-era education regulations, implicating the private and for-profit college industry, veterans hiring, and the defense industry writ large. Based on recent press and commentary from incoming House leadership, we also anticipate significant investigative activity from House Permanent Select Committee on Intelligence incoming chair Adam Schiff (D-C.A.), House Foreign Affairs Committee incoming chairman Elliot Engel (D-N.Y.), House Armed Services incoming chairman Adam Smith (D-W.A.), and House Transportation and Infrastructure Committee incoming chair Rep. Peter DeFazio (D-O.R.).

The public statements of the incoming House chairs make it clear that businesses will confront an active period for congressional investigations.  In fact, such activity is likely to continue some of the pitched battles encountered during the Obama Administration, as well as open up new fronts.

For more detail regarding the stated priorities of these committees or more information about this article generally, please contact any of the authors or other members of our congressional investigations practice.

Enforcement and Prosecution Policy and Trends

DOJ Loosens Yates Memo Requirements For Corporate Cooperation Credit

Yesterday, Deputy Attorney General Rod Rosenstein announced a series of changes to Department of Justice (DOJ) policy that clarified DOJ’s expectations for cooperation in investigations of corporate wrongdoing. The changes are sensible and should be welcomed by the business community as an improvement over the prior policy, commonly known as the Yates Memo.

As Rosenstein noted, the changes are intended to recognize how the Yates Memo has been applied on the ground, at least in many cases. Even so, the changes should provide companies with greater comfort in several respects.

Under the revised policy, corporations are now expected to identify individuals who were “substantially involved” in or responsible for the underlying misconduct. Whereas the Yates memo, at least on paper, required the cooperating company to identify for the government every individual in the organization involved in the misconduct – no matter their role in the organization or in the misconduct, before a settlement could be finalized. To be sure, that requirement was sometimes honored in the breach. But in combination, the threat of withheld cooperation credit on an all or nothing basis, plus the requirement that all potentially culpable individuals be identified before a settlement could be finalized, gave the government significant leverage to demand that target companies bend to the prosecutors’ view of the world about individual employees’ culpability. For companies, this dynamic sometimes created pressure to err on the side of over-inclusion in designating culpable individuals.

That pressure has not gone away, but it is lessened. The revised policy is an attempt, as Rosenstein recognized, to conserve resources – both for the government and the company involved – and prevent unnecessary delay in resolving corporate liability. For companies under investigation, this change may help to reduce the significant time and cost required to conduct an investigation deemed sufficient for cooperation credit. Now, if the government team disagrees with a target company about which employees are culpable and to what degree, the government attorneys have discretion to recommend partial cooperation credit as part of a settlement. More importantly, that discretion now exists as official DOJ policy, and not just an informal deviation from the rule.

Rosenstein also reported similar changes in civil cases. The new policy provides that corporate cooperation credit in civil cases can be awarded on a sliding scale – it need not be all or nothing. And in prepared remarks accompanying the rollout of the changes, Rosenstein noted that cooperation credit can still be awarded, in appropriate cases, where a company assists the government’s investigation, but the parties cannot reach agreement about the identity or culpability of every line employee potentially involved in misconduct. (Senior employees are different – as before, the company must identify all wrongdoers in senior management to receive any cooperation credit.)

All else equal, the changes modestly strengthen the hand of companies who sincerely seek to cooperate with the government to resolve investigations, but cannot reach agreement with the government over the role of particular individual employees in corporate misconduct. Companies now have a little bit more leeway to “agree to disagree” with the government about the status of lower-level employees while retaining the benefits of cooperation. Before, such a disagreement was (at least in principle) fatal to a successful settlement. Now it need not be. And that’s unquestionably a salutary development.

Energy Enforcement

Lessons From FERC Staff Reversal In Footprint Power

This post recently appeared in Law360, available for subscribers here.

Anyone practicing in the Federal Energy Regulatory Commission enforcement arena should sit up and take notice of the recent developments in the Footprint case at FERC. The most public step in an enforcement procedure before FERC is the issuance of an order to show cause, or OSC, by the commission. An OSC is FERC’s formal announcement that its Office of Enforcement, or OE, staff has found the respondent to have committed statutory or regulatory violations. The OSC includes a report from OE reciting the facts that support such a conclusion, as well as any recommended civil penalty and disgorgement amount.

The OSC invites the respondent to “show cause” why it should not be penalized. This OSC is usually followed by an answer filed by the respondent, which is typically followed by a reply brief from OE. From the inception of the OSC process in 2007, FERC has never found cause for not imposing a penalty to have been shown, giving OE a perfect track record in OSC proceedings of obtaining a final FERC order that adopted OE’s position.

That streak may end in light of an unusual filing by OE staff on Sept. 19, 2018, when OE recommended that FERC drop its case against Footprint Power LLC.[1] Footprint operates the Salem Harbor Station in Salem, Massachusetts, which provides generation to the ISO-New England electricity market.

Briefly stated, OE alleged that Footprint had not maintained sufficient fuel reserves to run its oil-fueled generation unit at the output level at which it had offered into the day-ahead market. OE claimed that these offers were therefore false and misleading, in violation of several commission rules, because, according to OE, the plant could not run at the levels at which it had offered.

In its answer, Footprint raised several arguments related to the methods by which OE calculated the amount of available fuel, including an argument that OE had not taken into account the start-up time required for the unit to reach full generating capacity. Footprint argued that during this start-up period, the unit burned less fuel, and thus the unit did have sufficient fuel to meet its obligations during the period under review — and that ISO-NE knew this.

In its reply brief, OE accepted this “new” argument regarding the start-up period, reconsidered the fuel volume and concluded that Footprint had not violated the applicable rules for all but a few days during the period under review.

We note that in its answer, Footprint characterized the start-up argument as having been made in prior nonpublic submissions and having been discussed in a deposition. Yet in its reply, OE characterized this argument as being made for the first time in Footprint’s answer. Upon reconsidering the evidence and arguments presented, OE recommended vacatur — essentially the complete withdrawal — of the entire OSC, having determined that further pursuit of the case would not be a “prudent use of Staff’s resources.”

Notably, OE made a point of only accepting Footprint’s argument regarding the start-up time and related fuel use — explicitly rejecting Footprint’s other arguments related to emissions limits, the statute of limitations and whether ISO-NE was actually misled by the offers.

At this time, the commission has not yet issued a final order, so it is possible that it will decide to issue an order assessing civil penalties against Footprint for the one week in which the start-up argument did not apply. However, we believe it is more likely that the commission will follow OE’s recommendation and drop the case.

While it is tempting to so conclude, we do not think this is a signal of any general enforcement retrenchment on the part of OE, nor of any influence on the part of the new members of the commission prodding OE to be more industry-friendly.

For starters, unless someone violated commission ex parte communications and separation of functions rules (which we doubt), the OE change in position could not have originated from direct commission intervention. This is because the staff making the recommendation should not have been in contact with any commissioners about the matter. Instead, we think the change in direction in Footprint came from the so-called “non-decisional” staff within OE, who are “walled off” from the commissioners and who would have had to further litigate the case if Footprint did not pay any penalty assessed.

On some level, OE’s reconsideration of the facts and merits of Footprint’s arguments is necessarily specific to this case, and not readily transferable to other fact patterns. OE’s reply puts great emphasis on the compelling — and “new” — factual argument made by Footprint. Faced with this new presentation of the compelling facts in Footprint’s answer, OE staff may have simply reconsidered issues of prosecutorial discretion and concluded that if they were to have proceeded to litigate in federal court, they would likely lose.

But there may be more in play than just a reconsideration of the facts and the merits. This recommendation may also be an effort by OE to appear fair and reasonable in the face of criticism that the OSC process has become a guaranteed win for OE and the commission. By accepting a compelling fact-based argument here, OE may be seeking to bolster the importance and appearance of fairness of the OSC process, pushing back against calls from some to skip a heretofore seemingly “rubber stamp” OSC process altogether and move straight to litigation of such cases in federal district court.

Furthermore, this result may be an effort to beat back arguments in the federal courts that the OSC process is not meaningful — which matters when courts are confronted with defense arguments relating to statutes of limitations, the nature of de novo review under the Federal Power Act and other matters that could affect the scope of FERC’s authority.

One lesson for respondents is to make every argument you can at every stage, and to never stop making arguments in which you believe. An argument may be initially dismissed by OE, or simply buried within a lengthy brief filed early in the investigation. OE’s position suggests that, in its view, had Footprint put greater emphasis on the start-up argument from the outset of the investigation, it may have been able to avoid the order to show cause stage. But because it apparently did not, at least from OE’s perspective, it is now clear that once these new or forgotten arguments are aired in a different forum, such as with the commission, or in a public way, they can take on more significance.

A second lesson stems from prior claims in other cases by OE, and even the commission, that have dismissed arguments in OSC proceedings or in court cases because they were supposedly not advanced during the investigation phase and therefore, in their view, were after-the-fact inventions. After Footprint, OE will be hard-pressed to ignore or discount an argument or evidence simply because it was truly made for the first time in a respondent’s answer to order to show cause or at another stage.

A final lesson relates to the possibility that in the past, parties responding to an OSC who desired to move quickly on to a de novo proceeding in federal court may have considered de-emphasizing certain arguments in order to focus their presentation or just save on litigation costs. They may also have considered not submitting additional evidence at the commission level that was not sought or submitted in the investigation phase, thus “saving” it for the federal court.

This might be based on the belief that the material would be “wasted” in the seemingly fait accompli OSC process, and would merely educate the OE staff on the respondent’s litigation strategy. Setting aside whether this approach may risk a “waiver” argument by OE (later, in court), OE’s reply in Footprint challenges the wisdom of this approach on the merits. The reply suggests that OE may — and in some cases will — change its mind when presented with the right argument (or at least fears that the commission may do so on its own).

[1] Reply of Enforcement Litigation Staff to the Answer of Footprint Power LLC and Footprint Salem Harbor Operations LLC and Recommendation to Vacate Order to Show Cause, Footprint Power LLC, FERC Docket No. IN18-7-000 (Sep. 19, 2018).

Financial Institution Regulation

CFPB Signals Potential for Fair Lending Rulemaking

This post recently appeared in our sister publication, Consumer FinSights.

In its recently published Fall 2018 Rulemaking Agenda, the Bureau of Consumer Financial Protection announced that it is considering future rulemaking activity regarding the requirements of the Equal Credit Opportunity Act (“ECOA”) – specifically, “concerning the disparate impact doctrine in light of recent Supreme Court case law and the Congressional disapproval of a prior Bureau bulletin concerning indirect auto lender compliance with ECOA and its implementing regulations.”

In May, President Trump signed a joint resolution passed by Congress disapproving the Bureau’s March 21, 2013 Bulletin titled “Indirect Auto Lending and Compliance with the Equal Credit Opportunity Act.” The Bulletin’s purpose was to “provide[] guidance for indirect auto lenders within the Bureau’s jurisdiction on ways to limit fair lending risk under the ECOA.” The Bulletin had been controversial from the start, suggesting that indirect auto lenders — who purchase and service loans made by auto dealers that fit criteria agreed to between the dealer and lender — consider imposing controls on dealer markup and eliminate the dealer’s discretion to markup buy rates.

Acting Bureau Director Mick Mulvaney praised the congressional resolution, continuing the Bureau’s move away from the fair lending enforcement priorities of the Bureau’s first Director, Richard Cordray (who, as an aside, was just defeated this past Election Day as the Democratic nominee for Governor of Ohio). Mulvaney thanked President Trump and Congress “for reaffirming that the Bureau lacks the power to act outside of federal statutes.” Mulvaney also referred to the Bulletin as an “instance of Bureau overreach,” and asserted that the initiative “seemed like a solution in search of a problem.” He indicated then that Bureau rulemaking on disparate impact would reflect another theme of his approach: a move toward formal rulemaking in lieu of bulletin issuance or “regulation by enforcement.”

Although the Bureau’s Rulemaking Agenda does not address the details of the contemplated rulemaking activity around ECOA, the Agenda’s reference to “recent Supreme Court case law” suggests that any rulemaking may be designed to address unanswered questions following the Supreme Court’s 2015 decision in Tex. Dep’t of Housing & Community Aff. v. Inclusive Communities Project, Inc., 135 S. Ct. 2507 (2015), in which the Court upheld the concept of disparate impact liability under the other principal federal lending discrimination law, the Fair Housing Act, but also emphasized that disparate impact litigants must prove causation – in other words, proof of a statistical disparity among racial groups alone is not sufficient. Inclusive Communities also imposed other restrictions on disparate impact liability.

Potential Bureau rulemaking might focus on application of the Court’s holdings to ECOA. Such a rule would be more durable than the Bureau’s earlier fair lending bulletin, remaining in effect unless altered by later rulemaking (and thus surviving any future leadership change at the Bureau). A rule would also be binding on other federal agencies and the courts, and thus could provide much-desired clarity for lenders.


We use cookies to enhance your experience of our website. By continuing to use this website, you agree to the use of these cookies. For more information and to learn how you can change your cookie settings, please see our policy.