Richard Manfredi, Author at Gibson Dunn

On October 26, 2022, the Securities and Exchange Commission (“SEC” or “Commission”), in a 3-to-2 vote, adopted final rules that will require listed companies to implement policies for recovery (i.e., “clawback”) of erroneously awarded incentive compensation, implementing Section 10D of the Securities Exchange Act, which was added by Section 954 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”).[1] The SEC originally proposed clawback rules on July 14, 2015,[2] but the proposed rules remained dormant until October 14, 2021, when the SEC reopened the comment period[3] (and which was reopened for a second time on June 8, 2022).[4] The final rules add new Exchange Act Rule 10D-1 (“Rule 10D-1”), which largely tracks the long-pending proposed rules but also incorporate terms previewed in the 2021 release reopening the comment period.

Rule 10D-1 directs the national securities exchanges to establish listing standards that require issuers to adopt and comply with written clawback policies meeting strict conditions:

The clawback policy must provide that, in the event the company is required to prepare an accounting restatement due to the material noncompliance of the company with any financial reporting requirement under the federal securities laws, the company will recover (on a pre-tax basis) the amount of incentive-based compensation received by its current and former executive officers in excess of the amount of incentive-based compensation that would have been received had it been determined based on the restated amount, subject to limited exceptions.
Compensation recoupment is required regardless of whether the executive officer engaged in any misconduct and regardless of fault.
The policy must apply to compensation “received”—which is defined as occurring when the financial reporting measure was attained regardless of when payment is actually made—during the three-year “recovery period” preceding the date the company is required to prepare the accounting restatement (the three-year period was mandated by the Dodd-Frank Act).
The clawback policy must apply both to material accounting errors that require a restatement of prior years’ financial results (commonly known as “Big R” restatements), as well as to errors that are corrected in the current year’s results (commonly known as “little r” restatements).

In addition, the final rules require companies to file a copy of their policy as an exhibit to their Form 10-K, 20-F, 40-F or N-CSR, as applicable, and to publicly disclose how they have applied the policy whenever they experience a restatement. Rule 10D-1 also requires that issuers add two checkboxes to the cover page of their 10-Ks (or 20-Fs or 40-Fs): one checkbox to indicate whether the financial statements included in the filing reflect the correction of an error to previously issued financial statements, and one to indicate whether any of the error corrections require a recovery analysis under the company’s Rule 10D-1 clawback policy.

Almost all issuers are subject to the clawback rules, including those companies that are otherwise excluded from other SEC disclosure requirements related to executive compensation. A company would be subject to delisting if it does not adopt and comply with an exchange-compliant clawback policy.

The final rules release is available here and a Fact Sheet (Recovery of Erroneously Awarded Compensation) is available here. Set forth below is a summary of the final rules and considerations for companies.

When the Rules Take Effect

Each exchange will be required to propose rules or rule amendments consistent with Rule 10D-1 no later than 90 days following the date of the publication of the rules in the Federal Register. The listing standards must be effective no later than one year following the final rules publication date. Each company subject to such listing standards must adopt a compliant recovery policy no later than 60 days following the date on which the applicable listing standards become effective. The mandated clawback policies must apply to any incentive-based compensation that is received by current or former executive officers on or after the effective date of the applicable listing standard (which is a modification from the proposed rules). Compliance with the disclosure requirements is required in the first annual report or proxy or information statement required to be filed after the effective date of the new listing standards.

Summary of the Final Rules

All listed companies are covered by the rule, including foreign private issuers, emerging growth companies, smaller reporting companies, controlled companies and companies with only listed debt securities, but certain registered investment companies are excluded to the extent they have not provided incentive-based compensation to any current or former executive officer of the fund in the last three fiscal years.

There are five key components of the final rules:

Covered individuals. Current and former “executive officers” are subject to clawback of incentive-based compensation. “Executive officer” includes the company’s president, principal financial officer, principal accounting officer, any vice president in charge of a principal business unit, division or function, and any other person who performs policymaking functions for the company and otherwise conforms to the full scope of the Exchange Act Section 16 definition. In a change from the proposed rules, the final rules will only require recovery of incentive-based compensation received by a person (i) after beginning service as an executive officer and (ii) if that person served as an executive officer at any time during the recovery period. Recovery of compensation received prior to becoming an executive officer will not be required, although compensation received during the recovery period by former executive officers is covered.
Restatements that trigger application of clawback policy. In a change from the proposed rules, the final rules require recoupment of erroneously awarded compensation (i) when the company is required to prepare an accounting restatement that corrects an error in previously issued financial statements that is material to the previously issued financial statements (commonly referred to as “Big R” restatement) and (ii) when the company is required to prepare an accounting restatement that corrects an error that is not material to previously issued financial statements, but that would result in a material misstatement if (A) the error was left uncorrected in the current report or (B) the error correction was recognized in the current period (commonly referred to as “little r” restatements). Application of the recovery policy would not be triggered by an “out-of-period adjustment” – a situation where the error is immaterial to the previously issued financial statements and the correction of the error is also immaterial to the current period. The recovery policy also would not be triggered by changes to prior period financial statements that do not arise due to error corrections, such as retrospective revisions to financial statements due to changes in accounting principles or segments.

The Commission rejected a bright-light standard for determining when the recovery period begins, reasoning that doing so might incentivize companies to delay a restatement determination in order to manipulate the recovery date. Therefore, the final rules state that the recovery period runs from the earlier of: (i) the date the company’s board of directors, committee of the board, or the officer or officers of the company authorized to take such action, concludes, or reasonably should have concluded, that the company is required to prepare an accounting statement due to the material noncompliance with any financial reporting requirement under the securities laws; or (ii) the date a court, regulator, or other legally authorized body directs the company to prepare an accounting restatement. The SEC stated in its October 14, 2021 Notice when it reopened the comment period: “For errors that are material to the previously issued financial statements, we generally expect the date . . . to coincide with the date disclosed in the Item 4.02(a) Form 8-K filed.”

Definition of incentive compensation and when it is “received.” “Incentive-based compensation” is any compensation (including cash and equity) granted, earned or vested based in whole or in part on the attainment of a “financial reporting measure.” “Financial reporting measures” are measures that are determined and presented in accordance with the accounting principles used in preparing the company’s financial statements, and any measures derived in whole or in part from such measures, as well as stock price and total shareholder return (“TSR”). A financial reporting measure is subject to the rule even if it is not actually presented in the company’s financial statements or included in an SEC filing. Incentive-based compensation does not include compensation that is based solely on continued employment for a specified period of time (e.g., time-vesting awards, including time-vesting stock options), unless such awards were granted or vested based in whole or in part on a financial reporting measure. Incentive-based compensation also does not include base salary (however, in the preamble to the proposed rule the SEC indicated that if the executive officer receives a salary increase earned wholly or in part based upon the attainment of a financial reporting measure, such increase would be subject to recovery), compensation awarded solely at the board’s discretion, or compensation awarded upon the achievement of subjective, strategic or operational measures that are not financial reporting measures (such as the achievement of ESG goals).

The Dodd-Frank Act specified that the compensation subject to clawback is that which was received by the executive during a recovery period that is defined as “the three-year period preceding the date on which the issuer is required to prepare an accounting restatement.” The final rules provide that incentive-based compensation is “received,” and thus subject to clawback, in the fiscal period during which the applicable financial reporting measure is attained, even if the payment or grant occurs after the end of that period. In other words, the date of “receipt” of such compensation is tied to the satisfaction of the financial reporting measure goal, irrespective of applicable vesting, grant or payment dates. An award subject to both time- and performance-based vesting conditions is considered received upon satisfaction of the performance metric even if the award continues to be subject to time-based vesting criteria.

Calculating the amount of clawback. The amount required to be recouped is the amount of incentive-based compensation received by the executive in excess of what would have been received if the incentive-based compensation was determined based on the restated financial statements. To the extent the incentive-based compensation was based on stock price or TSR, such excess amount must be based on a reasonable estimate of the effect of the accounting restatement on the applicable measure. The company must maintain documentation of the determination of that reasonable estimate and provide it to the relevant exchange. In all cases, the calculation of erroneously awarded compensation would be calculated on a pre-tax basis. As discussed below, companies are required to disclose in their Form 10-K, 20-F, 40-F or N-CSR, as applicable, and proxy statement information on their calculation of the amount subject to clawback.
Minimal discretion regarding recovery and its enforcement. The rules require a company to recover erroneously awarded compensation in compliance with its recovery policy subject to limited exceptions. Recovery is not required only if the company’s board or compensation committee has determined that recovery is impracticable for one of three reasons: (1) because the direct expenses paid to third parties to assist in enforcing the policy would exceed the amount to be recovered and the company has made a reasonable attempt to recover; (2) in the case of a foreign private issuer, because pursuing such recovery would violate home country law in effect prior to publication of the final rules in the Federal Register and where the company provides an opinion of counsel to that effect to the exchange; or (3) because recovery would likely cause an otherwise tax-qualified retirement plan to fail to meet the requirements of the Internal Revenue Code.[5] Clawback must be evaluated on a “no fault” basis – e., without regard to whether any misconduct occurred or whether an executive bears responsibility. Executives may not be indemnified for the clawback, nor may companies pay premiums on an insurance policy that would cover an executive’s potential clawback obligations. The rules require that companies pursue recovery “reasonably promptly,” which suggests that boards may not allow covered executives to repay any clawed back amount in installments under a payment plan of any extended duration, barring any unreasonable economic hardship to the executive. In addition, under the new disclosure requirements (addressed further below), any amount subject to clawback from a current or former named executive officer but unpaid after 180 days must be disclosed.

New Disclosure Requirements

There are three key new disclosure requirements tied to the clawback rules:

Clawback Policy Exhibit Requirement. Each listed company must file its clawback policy as an exhibit to its annual report on Form 10-K, 20-F, 40-F or N-CSR, as applicable.
New Item 402 disclosures. Item 402 of Regulation S-K was amended to require companies to disclose how they have applied their recovery policies. If, during its last completed fiscal year, the company either completed a restatement that required recovery, or there was an outstanding balance of excess incentive-based compensation relating to a prior restatement, the company must disclose the following information for each restatement in any Form 10-K or proxy or information statements that includes executive compensation disclosure:

(i) the date on which the company was required to prepare each accounting restatement and the aggregate dollar amount of excess incentive-based compensation attributable to the restatement, including an analysis of how the recoverable amount was calculated (an expansion of the proposed rules), or if the clawback amount has not been determined yet, an explanation of the reasons why it has not, and subsequent disclosure in the next filing that is subject to Item 402 of Regulation S-K;

(ii) if the compensation is related to a stock price or TSR metric, the estimates used to determine the amount of erroneously awarded compensation attributable to such accounting restatement and an explanation of the methodology used for such estimates;

(iii) the aggregate dollar amount of excess incentive-based compensation that remained outstanding at the end of the company’s last completed fiscal year;

(iv) where a company is invoking an impracticability exception, for each current and former named executive officer and for all other current and former executive officers as a group, the amount of recovery forgone and a brief description of the reason the listed registrant decided in each case not to pursue recovery, as well as (to the extent applicable to the invoked impracticability exception) a brief explanation of the types of direct expenses paid to a third party to assist in enforcing the recovery policy, identification of the provision of foreign law the recovery policy would violate, or how the recovery policy would cause an otherwise tax-qualified retirement plan to fail to meet the requirements of the Internal Revenue Code; and

(iv) for each current and former named executive officer, the amounts of incentive-based compensation that are subject to a clawback but remain outstanding for more than 180 days since the date the company determined the amount owed.

The final rules also add a new instruction to the Summary Compensation Table to require that any amounts recovered pursuant to a company’s compensation recovery policy reduce the amount reported in the applicable column, as well as the “total” column” for the fiscal year in which the amount recovered initially was reported, with the clawback identified by footnote.

The final rules require information mirroring the above Item 402 disclosures to be included in annual reports on Form N-CSR and in proxy statements and information statements relating to the election of directors; on Form 20-F or, if the foreign private issuer elects to use the registration and reporting forms that U.S. issuers use, on Form 10-K; and on Form 40-F.

New check boxes on cover pages of Forms 10-K, 20-F and 40-F. In addition, and according to the SEC, “to assure that issuers listed on different exchanges are subject to the same disclosure requirements regarding erroneously awarded compensation recovery policies,” companies must indicate by check boxes on their annual reports whether the financial statements included in the filings reflect a correction of an error to previously issued financial statements and whether any such corrections are restatements that required a recovery analysis.

Observations and Considerations for Companies

Companies do not need to adopt a Rule 10D-1 clawback policy until after the stock exchanges’ listing standards implementing Rule 10D-1 are proposed, adopted and become effective. Nevertheless, there are important steps that companies should be taking before that time to prepare for the new rules:

Prepare for Implementation. The new listing standards will require companies to adopt “and comply” with their Rule 10D-1 clawback policies. In addition, the clawback policy needs to apply to any incentive compensation “received” on or after the effective date of the new listing standards, even if that compensation was received pursuant to an award granted before adoption of the company’s Rule 10D-1 clawback policy. Therefore, to the extent they have not done so already, companies should be adding a term to their existing incentive compensation plans or award agreements and taking any other appropriate measures to enhance the enforceability of their Rule 10D-1 clawback policy once it is adopted.
Evaluate Incentive Compensation Arrangements. Companies should evaluate their existing compensation arrangements to assess which have any element that relates to a “financial performance measure” as defined under the SEC rules. At the same time, companies may wish to evaluate whether to modify or clarify the operation of arrangements that have financial performance measure elements. For example, companies with a legacy Section 162(m) bonus pool that is based on a financial performance measure, but under which actual payments are discretionary or based on other criteria, may wish to eliminate the performance-based funding of the bonus pool component. The clawback rules may also accelerate the trend toward the use of non-financial, strategic and ESG-related performance criteria in incentive compensation arrangements.
Interaction with Existing Clawback Policies. Companies will need to determine whether to integrate the Rule 10D-1 clawback policy with their existing policies, replace their existing policies, or adopt the Rule 10D-1 policy on a stand-alone basis. Various aspects of the Rule 10D-1 clawback requirements go beyond what companies typically have adopted to date, including the mandatory nature of the clawback, the timing and length of the recovery period and the no-fault standard. At the same time, many company policies cover triggering events beyond financial restatements, may cover a larger population, and may apply to broader categories of compensation. Given the differences, companies may find it easier to adopt a stand-alone Rule 10D-1 clawback policy, and simply modify their existing clawback policies to clarify that they apply only to the extent that the Rule 10D-1 clawback policy does not. As noted above, the new rules require attaching the clawback policy as an exhibit to the annual report, so it is advisable to review the policy in light of that anticipated public disclosure.
Enhance Documentation Around Compensation Committee Determinations. Going forward, it will be more important than ever to have clear documentation around the extent to which financial performance measures affect decisions regarding granting, vesting and settlement/payout of each element of executives’ compensation. To the extent that a compensation committee is exercising discretion, particularly if awarding compensation without regard to financial results, those decisions should be documented. Finally, it will be important to enhance internal and disclosure controls so that the implications of any restatement, including a “little r” restatement, can be taken into account.

The Rule 10D-1 clawback rules are designed to enhance an environment promoting compliance with applicable accounting rules. However, their application on a no-fault basis means that executives could be subject to compensation clawbacks based on inadvertent failures to satisfy complex accounting standards. It will be important to assess whether that possibility will lead to inadvertent consequences, such as a move away from financial performance measures in compensation arrangements or the loss of talented executives who feel unfairly penalized under a clawback claim that they intend to contest.

_________________________

[1] Pub. L. No. 111-203, 124 Stat. 1900 (2010).

[2] Listing Standards for Recovery of Erroneously Awarded Compensation, Exchange Act Release No. 34-75432 (July 14, 2015), available here.

[3] Reopening of Comment Period for Listing Standards for Recovery of Erroneously Awarded Compensation, Exchange Act Release No. 34-93311 (Oct. 14, 2021), available here.

[4] Reopening of Comment Period for Listing Standards for Recovery of Erroneously Awarded Compensation, Exchange Act Release No. 34-95057 (June 8, 2022), available here, which sought review and comment on the memo prepared by the staff of the SEC’s Division of Economic and Risk Analysis, available here.

[5] With respect to this exception, Rule 10D-1(b)(1)(iv)(C) provides: “Recovery would likely cause an otherwise tax-qualified retirement plan, under which benefits are broadly available to employees of the registrant, to fail to meet the requirements of 26 U.S.C. 401(a)(13) or 26 U.S.C. 411(a) and regulations thereunder.”

The following Gibson Dunn lawyers assisted in the preparation of this alert: Sean Feller, Krista Hanvey, Elizabeth Ising, Ronald Mueller, Michael Scanlon, Lori Zyskowski, Aaron Briggs, and Christina Andersen.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Executive Compensation and Employee Benefits or Securities Regulation and Corporate Governance practice groups, or any of the following practice leaders and members:

Executive Compensation and Employee Benefits Group:
Stephen W. Fackler – Palo Alto/New York (+1 650-849-5385/+1 212-351-2392, sfackler@gibsondunn.com)
Sean C. Feller – Los Angeles (+1 310-551-8746, sfeller@gibsondunn.com)
Krista Hanvey – Dallas (+ 214-698-3425, khanvey@gibsondunn.com)
Christina Andersen – New York (+1 212-351-3857, candersen@gibsondunn.com)

Securities Regulation and Corporate Governance Group:
Elizabeth Ising – Washington, D.C. (+1 202-955-8287, eising@gibsondunn.com)
Thomas J. Kim – Washington, D.C. (+1 202-887-3550, tkim@gibsondunn.com)
Ron Mueller – Washington, D.C. (+1 202-955-8671, rmueller@gibsondunn.com)
Michael J. Scanlon – Washington, D.C. (+1 202-887-3668, mscanlon@gibsondunn.com)
Michael Titera – Orange County (+1 949-451-4365, mtitera@gibsondunn.com)
Lori Zyskowski – New York (+1 212-351-2309, lzyskowski@gibsondunn.com)
Aaron Briggs – San Francisco (+1 415-393-8297, abriggs@gibsondunn.com)
Julia Lapitskaya – New York (+1 212-351-2354, jlapitskaya@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

In anticipation of the Financial Stability Board’s (FSB) report to the G20 Finance Ministers and Central Bank Governors in October on regulatory and supervisory approaches to stablecoins and other crypto-assets, please join us for this webcast hosted by our Global Financial Regulatory Practice Group. We discuss the latest legal and regulatory developments in digital assets markets, including:

FSB’s recommendations, and what they mean for the global regulatory and supervisory direction of travel for stablecoin arrangements and crypto-asset markets
Hong Kong and Singapore digital assets regulatory developments
UK and EU digital assets regulatory developments, including the Markets in Crypto-Assets (MiCA) regulation
US digital assets regulatory developments

We discuss how these regulatory and supervisory developments will impact on digital assets businesses operating in or providing services in these key jurisdictions, and share our views on how businesses can anticipate and prepare for the coming wave of regulatory and supervisory reforms that will impact on stablecoins and other crypto-assets. In addition, the team brings their predictions for the future of digital assets regulation, supervision and enforcement policy, based on their extensive experience in helping clients to navigate global regulations and to engage with key global regulators.

PANELISTS:

William Hallatt, a partner in our Hong Kong office and a Co-Chair of the firm’s Global Financial Regulatory Practice Group, is one of the Asia-Pacific region’s most prominent regulatory lawyers. He has close working relationships with key regulators, both at the local jurisdictional and international levels. He is heavily involved in regulatory reform initiatives and regularly leads discussions with the regulators on behalf of the financial services industry. This includes working closely with leading industry bodies, including ASIFMA and AIMA. Will has particular expertise in relation to the regulation of cryptocurrencies and other digital assets, and has advised the world’s leading cryptocurrency exchanges as well as regulated financial institutions on a range of key strategic matters in this space. This includes advising cryptocurrency exchanges on regulatory restructurings, high profile regulatory investigations and the handling of licence applications in multiple jurisdictions.

Michelle M Kirschner is a partner in the London office and Co-Chair of the firm’s Global Financial Regulatory Practice Group. Ms. Kirschner advises a broad range of financial institutions and fintech businesses on areas such as systems and controls, market abuse, conduct of business and regulatory change management, and she conducts internal investigations and reviews of corporate governance and systems and controls in the context of EU and UK regulatory requirements and expectations.

Jeffrey Steiner is a partner in the Washington D.C. office and Co-Chair of the firm’s Global Financial Regulatory Practice Group, Chair of the firm’s Derivatives Practice and co-lead of the Digital Currencies and Blockchain Technologies group. Mr. Steiner advises a range of clients on regulatory, legislative, enforcement and transactional matters related to OTC and listed derivatives, commodities and securities. He also advises clients, including exchanges, financial institutions and fintech firms, on matters related to digital assets and cryptocurrencies. Prior to joining the Firm, Mr. Steiner was a special counsel at the U.S. Commodity Futures Trading Commission (CFTC).

Grace Chong is Of Counsel in Gibson Dunn’s Singapore office and a member of the firm’s Global Financial Regulatory Group. She has been consistently named as one of Singapore’s top 10 FinTech lawyers and is highly ranked in Chambers FinTech 2022, with clients noting that she “is very savvy and shares her knowledge of the MAS and market trends.” Further, she is recommended in Financial Services Regulatory for Singapore by The Legal 500 2022 guide which notes that she “is one of the best crypto regulatory lawyers in Singapore.” Ms. Chong is an elected board member of the Singapore Association of Cryptocurrency Enterprises and Startups (ACCESS), is closely involved in regional regulatory reform initiatives and has led discussions with regulators on behalf of the financial services industry.

MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1 credit hour, of which 1 credit hour may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit.

Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact CLE@gibsondunn.com to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1 hour.

California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit

On October 20, 2022, the U.S. Department of the Treasury (“Treasury”), as chair of the Committee on Foreign Investment in the United States (“CFIUS” or “Committee”), released the first-ever CFIUS Enforcement and Penalty Guidelines (the “Guidelines”).[1] As the Guidelines pointedly emphasize, CFIUS is tasked with balancing its mandate of identifying and mitigating national security implications of foreign investments with upholding U.S. openness to foreign investment.[2] As we discuss below, the Guidelines provide insight into how CFIUS will assess whether (and in what amount) to impose a penalty or undertake other enforcement action against a violating party, and also provide a non-exhaustive list of aggravating and mitigating factors that CFIUS will consider.

Importantly, the new Guidelines do not appear connected to any specific changes in statutory authority, nor do they expressly create new authorities for the Committee. They also do not appear to be connected with any reported increase in enforcement actions, as CFIUS reported in its most recent Annual Report that it did not assess or impose penalties or initiate a unilateral review of a transaction in 2021.[3] The CFIUS Monitoring and Enforcement website lists only two penalties imposed pursuant to Section 721: one in 2018 and one in 2019. Yet, these Guidelines have also been released as CFIUS has publicly announced efforts to increase its staffing, particularly to support monitoring and enforcement activities.[4] The Guidelines also include CFIUS’s first formal statement with respect to the treatment of voluntary self-disclosures.

Accordingly, the release of the Guidelines appears to be an effort to increase transparency of a committee long-viewed as secretive—and also may signal increased use by the Committee of its enforcement and penalty authorities. The issuance of the Guidelines is therefore noteworthy in several respects:

Their issuance is another in a series of signals from the U.S. government of its intense focus on protecting national security interests, inclusive of U.S. technological leadership;

The Guidelines provide a more transparent, public roadmap for how violations will be assessed and processed; and

The Guidelines establish a voluntary self-disclosure mechanism for violations that has parallels with other agencies, though stops short of offering specific incentives for such disclosures.

The Guidelines are divided into four key areas: (i) clarifications of what constitutes a violation, (ii) how the Committee obtains information to investigate a potential violation, (iii) the penalty process itself, and (iv) aggravating and mitigating factors. We discuss each in turn below:

1. Three Categories of Conduct That May Constitute a Violation:

The Guidelines identify three specific types of conduct that may be considered a violation subject to enforcement and penalty. Note that the Guidelines specifically state that not all violations will result in a penalty or other remedy, as CFIUS will exercise discretion based on certain aggravating and mitigating factors, as discussed below in section (4).

Failure to submit a mandatory declaration or notice in a timely manner;
Failure to comply with CFIUS mitigation requirements when such mitigation has been imposed; and
Material misstatements, omissions, or false/materially incomplete certifications made at any point in the CFIUS process.

2. Sources of Information Concerning Potential Violations:

The Guidelines provide transparency about how the Committee obtains information on potential violations. It has been long understood that CFIUS has access to a range of tools available within the U.S. government to identify covered transactions. In addition, CFIUS is actively searching publicly available and third party information to identify non-notified transactions that may be subject to its review. The Guidelines highlight in particular information that may come from parties to a transaction themselves, whether voluntarily or involuntarily, including information regarding failure to comply with a mitigation agreement, condition or order:

Requests for Information: CFIUS may request information from relevant parties, and such parties may earn mitigation credit by cooperating with information requests and may also provide exculpatory evidence.
Self-Disclosures: The Guidelines provide the first formal discussion by CFIUS of voluntary self-disclosures to the Committee. Similar to self-disclosure policies published by the U.S. Department of Justice, the Office of Foreign Assets Control, the Directorate of Defense Trade Controls and the Bureau of Industry and Security, the Committee encourages timely self-disclosure of potential violations and has indicated that it will consider such voluntary disclosures as one among several factors when it is determining its enforcement response to an alleged violation. Notably, CFIUS has not in these Guidelines indicated that a self-disclosure will necessarily warrant any automatic deduction in the amount of a proposed penalty nor will self-disclosure necessarily result in a presumption applied by the Committee against imposition of a monetary or other more severe form of penalty.
Tips: CFIUS solicits tips from the general public—whether in connection with a transaction currently under review, a non-notified transaction, or a mitigation agreement—and provides email and phone contacts on its website for reporting directly to the Committee.
Subpoena Authority: The Guidelines draw attention to the Committee’s statutory authority to issue subpoenas to persons who may have information or records relevant to the administration or enforcement of the Committee’s regulations.

3. Penalty Process:

The Guidelines set forth the basic procedural process that will govern a potential enforcement or penalty action. In short, the Committee will send the subject person a notice of penalty, which includes (i) the conduct to be penalized, (ii) the amount of the monetary penalty to be imposed, (iii) the legal basis for concluding the conduct constitutes a violation, and (iv) any aggravating and mitigating factors the Committee considered. The subject person can, within 15 days of receiving the notice of penalty (which may be extended upon a showing of good cause), submit a petition for reconsideration to the CFIUS Staff Chairperson. The subject person can include any defense, justification, mitigating factors, or explanation within the petition. If the petition is timely received by CFIUS, within 15 days of receipt (which may be extended), CFIUS will take such petition into account before issuing a final penalty determination. However, if no petition is timely received, CFIUS will generally issue a final penalty determination in the form of a notice to the subject person. These procedures are also set forth in the Committee’s regulations at 31 CFR Part 800 and Part 802. Pursuant to §800.901, CFIUS has the authority to issue civil penalties up to $250,000 per violation for material misstatements, omissions, or false certifications. Failure to comply with mandatory declaration requirements or violations of a material provision of a mitigation agreement may result in a civil penalty not to exceed $250,000 or the value of the transaction, whichever is greater.

4. Aggravating and Mitigating Factors:

The Guidelines provide the first public statement by CFIUS of the factors it will consider when determining the appropriate response to an alleged violation. In essence, CFIUS will adopt a fact-based approach in which it weighs all relevant aggravating and mitigating factors in the context of specific conduct giving rise to a potential violation. The list of factors provided in the Guidelines is not exhaustive. Further, the list of factors are not presented in order of priority. Nonetheless, the factors will be generally familiar to anyone who has assessed the corporate enforcement factors published by DOJ, OFAC, DDTC, or BIS.

Accountability and future compliance: The impact of the enforcement action on protecting national security and ensuring subject persons are held accountable for their conduct and incentivized to ensure compliance.
Harm: The extent to which the conduct impaired, or threatened to impair, U.S. national security.
Negligence, awareness and intent: The extent to which the conduct was the result of simple or gross negligence, intentional action, or willfulness, as well as any efforts to conceal or delay the sharing of relevant information with CFIUS, or the involvement of senior personnel.
Persistence and timing: The length of time that elapsed after the subject person became aware, or had reason to become aware, of the conduct and before CFIUS became aware of the conduct and/or its remediation, as well as the frequency and duration of the conduct.
Response and remediation: Whether the subject person submitted a self-disclosure (including the timeliness, nature and scope of information within the self-disclosure), the subject person’s cooperation during the investigation, the promptness of complete and appropriate remediation, and whether the company undertook an analysis of the root cause, extent, and consequences of the alleged violative conduct to prevent any reoccurrence.
Sophistication and record of compliance: The subject person’s history and familiarity with CFIUS (including past compliance with CFIUS mitigation), the adequacy of internal and external resources dedicating to complying with relevant legal obligations, the existence of relevant policies and procedures, the consistency of implementation, the company’s culture of compliance, and other related factors.

Conclusion

The Guidelines contribute to the U.S. government’s increasing scrutiny of transactions that involve foreign investments in U.S. companies or operations with a potential impact on national security. The Guidelines provide additional transparency with respect to how CFIUS will determine its response to potential violations of CFIUS’s regulations. While the Guidelines are non-binding and do not expand or narrow CFIUS’s authorities, they may signal an intent to enhance enforcement efforts, particularly with respect to failure to submit a mandatory notification or failure to comply with mitigation agreements, conditions, or orders designed to address national security concerns.

_______________________

[1] CFIUS Enforcement and Penalty Guidelines (October 20, 2022), https://home.treasury.gov/policy-issues/international/the-committee-on-foreign-investment-in-the-united-states-cfius/cfius-enforcement-and-penalty-guidelines.

[2] This authority is granted to the Committee under Section 721 of the Defense Production Act of 1950, as amended (50 U.S.C. § 4565) (“Section 721”).

[3] CFIUS Annual Report to Congress, 44, https://home.treasury.gov/system/files/206/CFIUS-Public-AnnualReporttoCongressCY2021.pdf.

[4] See U.S. Department of the Treasury Press Release, Treasury Releases CFIUS Annual Report for 2021 (Aug. 02, 2022), https://home.treasury.gov/news/press-releases/jy0904.

The following Gibson Dunn lawyers prepared this client alert: Stephenie Gosnell Handler, David Wolber, Christopher Timura, Samantha Sewall, and Felicia Chen.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or the following members and leaders of the firm’s International Trade practice group:

United States
Judith Alison Lee – Co-Chair, International Trade Practice, Washington, D.C. (+1 202-887-3591, jalee@gibsondunn.com)
Ronald Kirk – Co-Chair, International Trade Practice, Dallas (+1 214-698-3295, rkirk@gibsondunn.com)
Adam M. Smith – Washington, D.C. (+1 202-887-3547, asmith@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202-955-8510, shandler@gibsondunn.com)
David P. Burns – Washington, D.C. (+1 202-887-3786, dburns@gibsondunn.com)
Nicola T. Hanna – Los Angeles (+1 213-229-7269, nhanna@gibsondunn.com)
Marcellus A. McRae – Los Angeles (+1 213-229-7675, mmcrae@gibsondunn.com)
Courtney M. Brown – Washington, D.C. (+1 202-955-8685, cmbrown@gibsondunn.com)
Christopher T. Timura – Washington, D.C. (+1 202-887-3690, ctimura@gibsondunn.com)
Annie Motto – Washington, D.C. (+1 212-351-3803, amotto@gibsondunn.com)
Chris R. Mullen – Washington, D.C. (+1 202-955-8250, cmullen@gibsondunn.com)
Sarah L. Pongrace – New York (+1 212-351-3972, spongrace@gibsondunn.com)
Samantha Sewall – Washington, D.C. (+1 202-887-3509, ssewall@gibsondunn.com)
Audi K. Syarief – Washington, D.C. (+1 202-955-8266, asyarief@gibsondunn.com)
Scott R. Toussaint – Washington, D.C. (+1 202-887-3588, stoussaint@gibsondunn.com)
Shuo (Josh) Zhang – Washington, D.C. (+1 202-955-8270, szhang@gibsondunn.com)

Asia
Kelly Austin – Hong Kong (+852 2214 3788, kaustin@gibsondunn.com)
David A. Wolber – Hong Kong (+852 2214 3764, dwolber@gibsondunn.com)
Fang Xue – Beijing (+86 10 6502 8687, fxue@gibsondunn.com)
Qi Yue – Beijing – (+86 10 6502 8534, qyue@gibsondunn.com)

Europe
Attila Borsos – Brussels (+32 2 554 72 10, aborsos@gibsondunn.com)
Nicolas Autet – Paris (+33 1 56 43 13 00, nautet@gibsondunn.com)
Susy Bullock – London (+44 (0) 20 7071 4283, sbullock@gibsondunn.com)
Patrick Doris – London (+44 (0) 207 071 4276, pdoris@gibsondunn.com)
Sacha Harber-Kelly – London (+44 (0) 20 7071 4205, sharber-kelly@gibsondunn.com)
Penny Madden – London (+44 (0) 20 7071 4226, pmadden@gibsondunn.com)
Benno Schwarz – Munich (+49 89 189 33 110, bschwarz@gibsondunn.com)
Michael Walther – Munich (+49 89 189 33 180, mwalther@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On October 21, 2022, the IRS released its cost-of-living adjustments applicable to tax-qualified retirement plans for 2023. Many of the key limitations, including the elective deferral and catch-up contribution limits for employees who participate in 401(k), 403(b) and 457 retirement plans, have increased from current levels. The key limitations for 2023 will increase as follows:

Limitation	2023 Limit
402(g) Limit on Employee Elective Deferrals (Note: This is relevant for 401(k), 403(b) and 457 plans, and for certain limited purposes under Code Section 409A.)	$22,500 ($20,500 for 2022)
414(v) Limit on “Catch-Up Contributions” for Employees Age 50 and Older (Note: This is relevant for 401(k), 403(b) and 457 plans.)	$7,500 ($6,500 for 2022)
401(a)(17) Limit on Includible Compensation (Note: This applies to compensation taken into account in determining contributions or benefits under qualified plans. It also impacts the “two times/two years” exclusion from Code Section 409A coverage of payments made solely in connection with involuntary terminations of employment.)	$330,000 ($305,000 for 2022)
415(c) Limit on Annual Additions Under a Defined Contribution Plan	$66,000 (or, if less, 100% of compensation) ($61,000 for 2023)
415(b) Limit on Annual Age 65 Annuity Benefits Payable Under a Defined Benefit Plan	$265,000 (or, if less, 100% of average “high 3” compensation) ($245,000 for 2022)
414(q) Dollar Amount for Determining Highly Compensated Employee Status	$150,000 ($135,000 for 2022)
416(i) Officer Compensation Amount for “Top-Heavy” Determination (Note: Because Code Section 409A defines “specified employees” of public companies by reference to this provision, this amount also affects the specified employee determination, and thus, the group subject to the six-month delay under Code Section 409A.)	$215,000 ($200,000 for 2022)
Social Security “Wage Base” for Plans Integrated with Social Security	$160,200 ($147,000 for 2022)

The following Gibson Dunn lawyers assisted in the preparation of this alert: Michael Collins, Krista Hanvey, and Fanny Patel.

Stephen W. Fackler – Palo Alto/New York (+1 650-849-5385/+1 212-351-2392, sfackler@gibsondunn.com)
Michael J. Collins – Washington, D.C. (202-887-3551, mcollins@gibsondunn.com)
Sean C. Feller – Los Angeles (+1 310-551-8746, sfeller@gibsondunn.com)
Krista Hanvey – Dallas (+ 214-698-3425, khanvey@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On 12 October 2022, the Hong Kong Securities and Futures Commission (“SFC”) reprimanded and imposed a HK$1.75 million fine on Asia Research & Capital Management Limited (“ARCM”), a Hong Kong licensed corporation (“LC”), for its failure to:

comply with Regulation (EU) No 236/2012 of the European Parliament and of the Council of 14 March 2012 on short selling and certain aspects of credit default swaps (“EU Regulation”); and
promptly notify the SFC of its regulatory breaches.[1]

The SFC also banned ARCM’s Manager-In-Charge (“MIC”) for Compliance, Mr. Billy Wong Yim Chi (“Wong”), for 2 months in relation to the above failures.

This disciplinary action is particularly noteworthy given that the SFC has imposed disciplinary action in relation to a licensed firm’s failure to comply with foreign regulatory requirements. [2] [3] Further, this matter is also the second time that the SFC has announced disciplinary actions against an MIC since the introduction of the MIC regime in 2017. The SFC’s first disciplinary action against an MIC was in November 2021 against Fulbright Securities Limited and its MIC.[4]

I. Disciplinary action against ARCM

The disciplinary action against ARCM by the SFC followed a similar action against the firm by the Financial Conduct Authority (“FCA”) in the United Kingdom in relation to its failures to comply with the EU Regulation in relation to disclosures of its net short position in Premier Oil Plc, a company listed on the London Stock Exchange.[5]

The SFC was unsympathetic towards ARCM’s explanations that its breach of the EU Regulation was due to ARCM’s unfamiliarity with the EU Regulation, its reliance on reference materials provided by its prime brokers rather than on legal advice regarding the EU reporting regime and the absence of alerts from ARCM’s investment bank counterparts.

Instead, the SFC attributed ARCM’s failures to:

a lack of any formal process in its compliance framework requiring its staff members to analyse and understand reporting requirements which might apply when the firm invests in a new jurisdiction and implement appropriate controls;
its failure to incorporate controls to ensure continuous compliance with the EU Regulation; and
its decision to rely on reference materials provided by its prime brokers without conducting any further analysis. The SFC noted that if ARCM had sought legal advice on its reporting obligations or taken steps to independently check on reporting obligations under the EU Regulation, it would have identified its obligations to report short positions held through swap transactions.

The SFC considered that the above failures amounted to a breach of:

General Principle 2 (Diligence) of the Code of Conduct for Persons Licensed or Registered with the Securities and Futures Commission (“Code of Conduct”)[6], which requires licensed corporations to act with due skill, care and diligence in the best interests of its clients and the integrity of the market; and
General Principle 7 (Compliance) and paragraph 12.1 of the Code of Conduct, which require licenced corporations to comply with all regulatory requirements applicable to the conduct of its business activities and to implement and maintain measures appropriate to ensuring compliance with the law, rules, regulations and codes administered or issued by the Commission, the rules of any exchange or clearing house of which it is a member or participant, and the requirements of any regulatory authority which apply to the licensed or registered person.

The SFC also found that ARCM’s notification of its breaches of the EU Regulation two months after notification of such breaches to the FCA constituted a breach of the requirement under paragraph 12.5 (Notifications to the Commission) of the Code of Conduct to notify the SFC immediately of any material breach of any regulatory requirements applicable to the licensed corporation.

II. Disciplinary action against Wong

Wong was ARCM’s Head of Compliance and Operations, and the MIC for Compliance during the relevant time periods. As MIC for Compliance, his responsibilities included handling regulatory filings in relation to ARCM’s portfolio positions, and consulting external legal advisors where necessary. The SFC took the view that ARCM’s failures were attributable to Wong’s neglect in discharging his responsibilities as MIC for Compliance and as a member of senior management. In particular, the SFC noted that Wong failed to:

implement adequate controls to ensure ARCM’s compliance with the EU Regulation; and
seek legal advice on the short position reporting obligations under the EU Regulation despite Wong and his team’s unfamiliarity with the EU regulatory regime.

Based on the above findings, the SFC held that Wong had breached General Principle 9 (Responsibility of senior management), and paragraph 14.1 of the Code of Conduct. The provisions required Wong, as senior manager, to bear primary responsibility for maintaining appropriate standards of conduct and procedures, and to properly manage risks associated with the business of the LC.

III. Conclusion

This disciplinary action serves as a reminder to LCs and their senior management of the broad scope of the Code of Conduct in relation to foreign regulatory requirements, both from a compliance perspective as well as a self-reporting perspective. In particular, it serves as an important caution to firms considering whether foreign regulatory breaches may have triggered foreign self-reporting obligations that they must also carefully consider whether a self-report under paragraph 12.5 is required. Given the stringency of the self-reporting standard under paragraph 12.5 in comparison to foreign reporting requirements, this may put some firms in the uncomfortable position that foreign regulatory breaches may not require reports to be made to foreign regulators, but will require reporting in Hong Kong to the SFC. Similarly, given the ‘immediate’ nature of the Hong Kong self-reporting requirement and the SFC’s expectation that firms report prior to completion of investigations into the relevant conduct, firms may also need to report to the SFC before reporting to foreign regulators.

Further, this case is also particularly significant given the SFC’s clear expectation that senior management will seek legal advice in relation to regulatory requirements where they and their teams are unfamiliar with these requirements, rather than relying on (for example) summaries provided by counterparts. This should serve as an important reminder to senior Compliance staff of the need to carefully assess the necessity of seeking legal advice when entering new jurisdictions and/or rolling out new product types or lines of business. We would recommend that firms review their processes in relation to new types of business activity more broadly to ensure that these processes require active consideration by senior management as to whether legal advice is required, with a particular emphasis on new types of business activity which might lead to the firm being subject to foreign regulatory requirements.

_____________________

[1] “SFC reprimands and fines Asia Research & Capital Management Limited $1.75 million and bans former senior executive Billy Wong Yim Chi for two months” (12 October 2022), published by the Securities and Futures Commission, available at: https://apps.sfc.hk/edistributionWeb/gateway/EN/news-and-announcements/news/enforcement-news/doc?refNo=22PR79

[2] Previously, the SFC had disciplined Capital Global Management Limited (“CGML”) over breaches of foreign regulatory laws. In February 2020, the SFC reprimanded and fined CGML HK$1.5 million for failing to ensure compliance with Taiwan’s Securities Investment Trust and Consulting Act when distributing investment funds and offering investment advice in Taiwan, and for failing to adequately supervise the business activities of its representatives to ensure such compliance. The SFC enforcement action followed the judgment of the Prosecution Office of the Taipei District Court which fined the owners of CGML. See “SFC reprimands and fines Capital Global Management Limited $1.5 million” (14 February 2020). Published by the SFC, available at https://apps.sfc.hk/edistributionWeb/gateway/EN/news-and-announcements/news/enforcement-news/doc?refNo=20PR16.

[3] We further note that the SFC recently suspended a Responsible Officer and CEO of a licensed firm for two years following the SFAT upholding the SFC’s disciplinary action against this individual for breaches of the SFC Code of Conduct which occurred as a result of breaches of Korean legislation. See “SFAT affirms SFC decision to suspend hedge fund manager Christopher James Aarons” (29 September 2022), published by the Securities and Futures Commission, available at https://apps.sfc.hk/edistributionWeb/gateway/EN/news-and-announcements/news/enforcement-news/doc?refNo=22PR75.

[4] “SFC reprimands and fines Fulbright Securities Limited $3.3 million and suspends its responsible officer for internal control failures” (1 November 2021), published by the Securities and Futures Commission, available at https://apps.sfc.hk/edistributionWeb/gateway/EN/news-and-announcements/news/doc?refNo=21PR107

[5] “Final Note to Asia Research and Capital Management Ltd” (14 October 2020), published by the Financial Conduct Authority, available at https://www.fca.org.uk/publication/final-notices/asia-research-and-capital-management-ltd-2020.pdf. The FCA’s disciplinary action against ARCM resulted in ARCM being fined £873,118.

[6] “Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission” (August 2022), published by the Securities and Futures Commission, available at https://www.sfc.hk/-/media/EN/assets/components/codes/files-current/web/codes/code-of-conduct-for-persons-licensed-by-or-registered-with-the-securities-and-futures-commission/Code_of_conduct_05082022_Eng.pdf

The following Gibson Dunn lawyers prepared this client alert: William Hallatt, Emily Rumble, and Jane Lu.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact any member of Gibson Dunn’s Global Financial Regulatory team, including the following members in Hong Kong:

William R. Hallatt (+852 2214 3836, whallatt@gibsondunn.com)
Emily Rumble (+852 2214 3839, erumble@gibsondunn.com)
Arnold Pun (+852 2214 3838, apun@gibsondunn.com)
Becky Chung (+852 2214 3837, bchung@gibsondunn.com)
Grace Chong (+65 6507 3608, gchong@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On 27 September 2022, following a ministerial review, the Office of Financial Sanctions Implementation (OFSI) imposed a monetary penalty of £30,000 in accordance with s. 146 of the Policing and Crime Act 2017 (PACA) against Hong Kong International Wine and Spirits Competition Limited (HKIWSC) for breaching UK[1] and EU[2] sanctions regulations. According to the relevant legislative provisions, it is prohibited to make funds or economic resources available, directly or indirectly, to a sanctioned party.

Between September 2017 and August 2020 HKIWSC received three payments and seventy-eight wine bottles from the sanctioned State Unitary Enterprise of the ‘Republic of Crimea’ Production-Agrarian Union (Massandra) for entry into HKIWSC’s 2017, 2018, 2019 and 2020 competitions.

OFSI identified two types of breaches: four relating to the provision of funds and tangible economic resources (i.e. the wine bottles) and one relating to the provision of intangible economic resources in the form of the publicity that was made available to Massandra by entering its wine into competitions. OFSI imposed the monetary penalty because it was satisfied that, on the balance of probabilities, HKIWSC knew or had reasonable cause to suspect that it was in breach of the relevant prohibitions. No voluntary disclosures were made in this case, therefore a penalty discount was not applied.

Intangible Economic Resources: A Novel Interpretation

This decision represents a material development as OFSI’s determination that publicity constitutes an intangible economic resource, i.e. an asset that may be exchanged for funds, is not intuitive, nor currently envisaged by the available guidance.

OFSI based its determination on the “reasonable inference” that publicity would increase Massandra’s wine sales, and PACA expressly allows the imposition of monetary penalties when the exact financial value of the resources being made available cannot be determined[3]. However, publicity may more conventionally be construed as a service, and it does not squarely fit within the definition of ‘economic resources’, i.e. “assets of every kind, whether tangible or intangible, movable or immovable, which are not funds but can be used to obtain funds, goods or services”[4].

Publicity is not conventionally treated as an asset on a company’s balance sheet and there is no way of directly exchanging ‘publicity’ for ‘funds, goods or services’. Publicity may lead to increased sales which in turn may lead to increased profits, yet the path from publicity to funds is not linear. It would have been different – and perhaps more coherent – if OFSI were to have held that the publicity increased Massandra’s goodwill in the form of brand recognition, and that such goodwill constituted an intangible economic resource. This construction would preserve the linearity of the exchange between ‘economic resources’ and ‘funds’ envisaged by the definition in the legislation, as goodwill is conventionally recognised as an asset which can directly be used to obtain funds.

Key Takeaways

This case serves as a useful reminder of the following:

The breadth of the legislative provisions may not always be foreseeable based on a close textual reading. OFSI’s creative construction of what constitutes intangible economic resources is an example. OFSI may favour generous, over-inclusive interpretations of key terms if it is motivated to enforce.
Many categories of assets can fall under the umbrella of intangible economic resources. OFSI’s report makes an explicit reference to intellectual property rights. This inclusion is to be expected given that intellectual property rights are conventionally treated as intangible assets and can be readily exchanged for money. Other inclusions may be less conventional, as this enforcement case shows.
OFSI has the power to impose hefty penalties even in the face of relatively minor violations. The total cumulative value of tangible economic resources and funds received by HKIWSC was estimated at £3,919.62. Nevertheless, the penalty amounted to £30,000. In cases where the breach relates to funds or economic resources, OFSI is authorised to impose a monetary penalty the greater of £1 million and 50% of the estimated value of the funds or resources. In any other case, the maximum penalty is capped at £1 million[5]. Notably, penalties may be reduced if a voluntary disclosure is made. This highlights the value of proactive reporting supported by strong internal compliance systems which may detect breaches before the regulator does.
OFSI continues to investigate and impose penalties for breaches of EU regulations and UK regulations that occurred prior to 31 December 2020. The breaches in this case occurred between 2017 and 2020 and were therefore breaches of the EU regulations and the now-repealed UK regulations implementing the EU regulations. If pre-2021 breaches are identified internally, it is worth considering a voluntary disclosure as the regulator can impose penalties if it becomes aware of historic noncompliance.

________________________

[1] Regulations 3(1) and 6(1) of the Ukraine (European Union Financial Sanctions) (No. 2) Regulations 2014

[2] Articles 2(1) and 2(2) of Council Regulation (EU) No. 269/2014

[3] Policing and Crime Act 2017, s. 146(4)

[4] Sanctions and Anti-Money Laundering Act 2018, s. 60

[5] Policing and Crime Act 2017, s. 146

The following Gibson Dunn lawyers prepared this client alert: Irene Polieri, Michelle Kirschner, and Patrick Doris.

Europe
Attila Borsos – Brussels (+32 2 554 72 10, aborsos@gibsondunn.com)
Nicolas Autet – Paris (+33 1 56 43 13 00, nautet@gibsondunn.com)
Susy Bullock – London (+44 (0) 20 7071 4283, sbullock@gibsondunn.com)
Patrick Doris – London (+44 (0) 207 071 4276, pdoris@gibsondunn.com)
Sacha Harber-Kelly – London (+44 (0) 20 7071 4205, sharber-kelly@gibsondunn.com)
Michelle M. Kirschner – London (+44 (0) 20 7071 4212, mkirschner@gibsondunn.com)
Penny Madden – London (+44 (0) 20 7071 4226, pmadden@gibsondunn.com)
Irene Polieri – London (+44 (0) 20 7071 4199, ipolieri@gibsondunn.com)
Benno Schwarz – Munich (+49 89 189 33 110, bschwarz@gibsondunn.com)
Michael Walther – Munich (+49 89 189 33 180, mwalther@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

We are pleased to provide you with Gibson Dunn’s Accounting Firm Quarterly Update for Q3 2022. The Update is available in .pdf format at the below link, and addresses news on the following topics that we hope are of interest to you:

PCAOB Signs Cooperative Agreement with China
Sens. Warren and Lujan Push for Increased Suspension/Debarment
Ohio Supreme Court Leaves Verein Ruling in Place
SEC Adopts Whistleblower Program Enhancements
PCAOB, SEC, and DOJ Signal Continued Aggressive Enforcement
Supreme Court Grants Certiorari in Attorney-Client Privilege Case
New York Dept. of Financial Services Strengthens Corporate Cyber Requirements
Other Recent SEC and PCAOB Regulatory Developments

Read More

Accounting Firm Advisory and Defense Group:

James J. Farrell – Co-Chair, New York (+1 212-351-5326, jfarrell@gibsondunn.com)

Ron Hauben – Co-Chair, New York (+1 212-351-6293, rhauben@gibsondunn.com)

Monica K. Loseman – Co-Chair, Denver (+1 303-298-5784, mloseman@gibsondunn.com)

Michael Scanlon – Co-Chair, Washington, D.C.(+1 202-887-3668, mscanlon@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Personal Data | Cybersecurity | Data Innovation

Europe

10/07/2022 – United States Government | Executive Order | EU-US Data Transfers

President Biden signed an Executive Order to implement the EU-US Data Privacy Framework, aiming to safeguard cross-border data flows.

As a reminder, the Privacy Shield framework (which used to enable transfers of personal data from the EU to the US) was declared invalid by the Court of Justice of the European Union in 2020 (Schrems II ruling). In March 2022, leaders of the EU and the US announced that they agreed “in principle” to a new trans-Atlantic data flow agreement (the EU-US Data Privacy Framework). For that purpose, the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities directs the steps that the US will take to implement the US commitments under the EU-US Data Privacy Framework.

The Framework notably aims to provide binding safeguards to limit US intelligence authorities access to data to what is necessary and proportionate to protect national security. A Data Protection Review Court will also be created to investigate and resolve complaints of Europeans on access of data by US intelligence authorities.

The White House asserts that this will provide the European Commission with a basis to adopt a new adequacy determination, but also greater legal certainty for companies using Standard Contractual Clauses to transfer personal data to the US.

For further information: White House Website

09/20/2022 – Court of Justice of the European Union | Decision | Data Retention

The Court of Justice of the European Union ruled that the general and indiscriminate retention of traffic data by operators providing electronic communications services for a year in order to combat market abuse offences including insider dealing is not compliant with European law.

However, in case of a serious threat to national security, some personal data (such as traffic and location data or IP addresses) may be retained under certain circumstances.

For further information: CJEU Website

09/15/2022 – European Commission | Regulation | Cybersecurity

The European Commission has presented its proposal for a new Cyber Resilience Act. The aim of the proposal is to protect both consumers and businesses from products with inadequate security features and thereby ensure a better level of cybersecurity.

In particular, the Cyber Resilience Act draft introduces mandatory cybersecurity requirements and obligations for manufacturers, as well as importers and distributors, of products with digital elements (i.e., software or hardware product and its remote data processing solutions, defined as any data processing at a distance for which the software is designed and developed by the manufacturer or under its responsibility and the absence of which would prevent the product from performing one of its functions) within the European Union. Any vulnerability contained in the product or any incident impacting its security will have to be reported by the manufacturer to the European Union Agency for Cybersecurity (ENISA). The “critical products” (e.g., operating systems, firewalls or network interfaces) would be subject to a specific compliance procedure.

This proposal of Regulation, if adopted, will be directly applicable in all Member States. Sanctions for violation will depend on the concerned breach (up to €15 million or 2.5% of the company’s total worldwide annual turnover of the preceding financial year, whichever is the higher).

In terms of timeline, it still has to be examined by the European Parliament and the Council and, once adopted, companies will have two years to adapt to the new requirements (one year for reporting obligations of manufacturers of incidents/vulnerabilities — if not modified in the final version of the Regulation).

For further information: European Commission Website

08/01/2022 – Court of Justice of the European Union | Decision | Special Categories of Data

The Court of Justice of the European Union ruled that indirectly revealing the sexual orientation of a natural person constitutes processing of special categories of personal data, protected under Article 9 of the GDPR.

In this case, Lithuanian legislation provided for the online publication of the declaration of private interests, required from individuals working in the public service in order to prevent corruption. This declaration contained name-specific data relating to the individual’s spouse, cohabitee or partner, thus disclosing indirectly his/her sexual orientation.

For further information: CJEU Website

07/28/2022 – European Data Protection Board and European Data Protection Supervisor | Joint Opinion | Child Sexual Abuse

The European Data Protection Board and the European Data Protection Supervisor adopted a Joint Opinion 04/2022 on the Proposal for a regulation to prevent and combat child sexual abuse.

In particular, the Opinion stresses the concerns regarding the proportionality of the interferences and limitations to the protection of the fundamental rights to privacy and the protection of personal data.

For further information: EDPB Website

07/18/2022 – European Union | Regulation | Digital Markets Act

The Council of the European Union gave its final approval to the Digital Markets Act.

Following the signature of the Digital Markets Act by the President of the European Parliament and the President of the Council, it will apply six months after publication in the Official Journal of the European Union.

For further information: Council of the European Union

07/14/2022 – European Data Protection Board | Document | Cooperation

In order to enhance cooperation between European supervisory authorities, the Board has published a set of criteria for identifying cross-border cases of strategic importance in different Member States, as well as the process followed by the Board to select these cases.

The Commission recalls that cases of strategic importance are primarily one-stop-shop cases which are likely to involve a high risk to the rights and freedoms of individuals in several Member States. In particular, several criteria have been defined by the Council (e.g., cases related to the intersection of data protection and other legal fields, where a high risk can be assumed, where a data protection impact assessment is required or where there is a large number of complaints in several Member States).

The supervisory authorities may refer to other supervisory authorities in any case that meets at least one of the criteria. The Board members will then decide which cases will be identified as cases of strategic importance at the European level. The Board already agreed on three (undisclosed) cases to start the project.

For further information: EDPB Website

07/12/2022 – European Data Protection Board and European Data Protection Supervisor | Joint Opinion | European Health Data Space

The European Data Protection Board and the European Data Protection Supervisor adopted a Joint Opinion 03/2022 on the European Commission’s Proposal for a Regulation on the European Health Data Space.

The Opinion aims to draw attention to a number of overarching concerns such as the clarification of the interplay between the Proposal and the GDPR or Member State laws.

For further information: Joint Opinion

07/12/2022 – European Data Protection Board | Statement | Data Transfers

The Board adopted a Statement on data transfers to Russia.

The Board recalls that data exporters who transfer personal data to Russia should assess and identify appropriate safeguards and the necessity for supplementary measures to ensure that data subjects are afforded a level of protection that is essentially equivalent to that guaranteed within the EU.

For further information: EDPB Website

Belgium

09/07/2022 – Belgian Supervisory Authority | Preliminary Questions | Advertising

The Belgian Supervisory Authority announced it has referred preliminary questions to the Court of Justice of the European Union (CJEU) regarding the appeal filed by IAB Europe in the case against the compliance of the so-called Transparency & Consent Framework (TCF) with the GDPR.

As a reminder, the TCF aims to contribute to the GDPR compliance of the OpenRTB protocol, which is one of the most widely used Real-Time Bidding protocols. In February 2022, the Belgian Supervisory Authority fined IAB €250.000 on the basis that the TCF infringes the GDPR.

In particular, the CJEU will have to determine whether a transparency and consent string which reflects users’ consent, objections and preferences can be considered as personal data.

For further information: CJUE Questions

08/19/2022 – Belgian Supervisory Authority | Sanction | Medical Data

The Belgian Supervisory Authority imposed a €20.000 fine on a medical analysis laboratory regarding various GDPR violations.

The Authority found that the principles of integrity and confidentiality were violated insofar as health data was processed through a website without using encryption. In addition, the argument that a privacy policy was not required on the website used as a “mere commercial showcase” was rejected as it was considered as an important operational tool for the laboratory’s activities. Finally, the Authority sanctioned the company for not having carried out a data protection impact assessment despite the fact that a large amount of health data was processed.

For further information: APD Website [NL]

08/17/2022 – Belgian Supervisory Authority | Decision | Complaint

The Belgian Supervisory Authority considered that a company may file a complaint against another one.

According to the Authority, the GDPR does not prohibit national regulations from allowing persons other than data subjects to file a complaint before a supervisory authority, for example where a personal data breach occurs in the context of a business relationship.

For further information: APD Website [NL]

Croatia

07/21/2022 – Croatian Supervisory Authority | Sanction | Security Breach

Following a personal data breach, the Croatian Supervisory Authority fined a company HRK 2.15 million (approx. €285.000) for failure to take adequate technical and organizational security measures.

In particular, the Authority highlighted that no access restrictions had been implemented and considered it an aggravating factor that the company is one of the main telecommunications services providers in Croatia.

For further information: AZOP Website [HR]

Denmark

09/21/2022 – Danish Supervisory Authority | Press Release | Data Transfers

The Danish Supervisory Authority issued a decision against a company using the analytics tool of an American company, reaffirming that said tool cannot be used in accordance with Chapter V of the GDPR without supplementary measures.

As a reminder, the Austrian, French and Italian Authorities expressed similar concerns.

For further information: Datatilsynet Website [DK]

08/18/2022 – Danish Supervisory Authority | Decision | Data Transfers

The Danish Supervisory Authority upheld the ban on a municipality’s use of a cloud-based workspace, imposed on July 14, 2022.

The Authority specified that the ban will apply until the municipality brings its processing activities in line with the GDPR and carries out a data protection impact assessment that meets the GDPR requirements.

For further information: Datatilsynet Website [DK]

07/14/2022 – Danish Supervisory Authority | Sanction | Security Breach

The Danish Supervisory Authority proposed to fine a Danish law firm DKK 500.000 (approx. €67.000) for failing to implement appropriate data security measures.

The Authority found that basic security measures (such as multifactor authentication to login to IT systems) were not implemented by the Danish law firm while a large amount of personal data was being processed.

For further information: Datatilsynet Website [DK]

Estonia, Latvia and Lithuania

07/27/2022 – Baltics States Data Supervisory Authorities | Coordination | Short-Term Vehicle Rental

Supervisory Authorities of the Baltic States initiated a coordinated inspection of privacy practices in the field of short-term vehicle rental.

The Estonian, Latvian and Lithuanian Supervisory Authorities launched a coordinated preventive supervision of companies specialized in short-term vehicle rental. The aim is to monitor compliance with the GDPR and to proactively address potential threats to privacy in this sector, in light of its increasing importance in the daily lives of many citizens over the last three years.

For further information: EDPB Website

Finland

07/05/2022 – Finnish Supervisory Authority | Sanction | Data Subject Rights

The Finnish Supervisory Authority published a decision issued on May 9, 2022, imposing a €85.000 fine on a Finnish magazine publisher for deficiencies in the implementation of data subject rights.

In particular, the decision outlines that some of the data subjects’ requests were not handled due to a technical issue in the e-mail redirect. In addition, the company gathered an excessive amount of information for identification by requiring data subjects to complete and sign a printable form to identify the customer exercising his/her right, and collecting signatures, without a justified reason (such as comparing the customer’s signature with one already in its possession, which was not the case here).

For further information: Ombudsman Website

France

09/08/2022 – French Supervisory Authority | Sanction | Data Security

The French Supervisory Authority fined the French Trade and Companies Register €250.000, for breaches relating to data security and retention periods.

In particular, strong passwords were not required to create a user account and personal data such as passwords were stored and transmitted in clear text. Besides, the data of a quarter of the service’s users was kept beyond the retention period.

For further information: CNIL Website [FR]

09/07/2022 – French Government | Regulation | Cybersecurity

A bill proposed various revisions to French legislation, with the aim to act against cybercrime.

In particular, the bill proposes a framework for insurance reimbursement clauses, making such reimbursement conditional on the filing of a complaint by the victim. Besides, in the context of a criminal procedure, and under the authorization given by the official authorities, enforcement authorities may seize digital assets.

For further information: French Senate Website [FR]

08/03/2022 – French Supervisory Authority | Sanction | Marketing Communication

The French Supervisory Authority fined a French group of hotels €600.000 for various breaches in the context of marketing activities.

The group sent marketing messages to customers without their consent, and did not comply with the exercise of data subject’s rights. For example, the box to subscribe to a marketing newsletter was pre-ticked, and technical issues prevented individuals from exercising their right to object.

For further information: CNIL Website [FR]

07/26/2022 – French Supervisory Authority | Recommendations | Age Verification Systems

The French Supervisory Authority issued its recommendations for online age verification systems.

In particular, the Authority reminded that pornographic websites shall not directly collect identity documents, estimate a visitor’s age based his/her browsing history, nor process biometric data to uniquely identify or authenticate an individual. The Authority further suggested using an independent trusted third party to prevent the direct transmission of identifying data about the user to the website or application publishing pornographic content, in accordance with the data minimization principles.

For further information: CNIL Website [FR]

07/22/2022 – French Administrative Court | Decision | Personal Data Breach Notification

The French Administrative Court (Conseil d’Etat) ruled that data controllers are not required to notify a personal data breach to the French Supervisory Authority (CNIL) if the CNIL was already aware of the breach.

On that basis, the Conseil d’Etat reduced the fine imposed by the CNIL from €3.000 to €2.500.

For further information: French Administrative Court Website [FR]

07/21/2022 – French Supervisory Authority | Sanction | Geolocation Data

The French Supervisory Authority fined a short-term vehicle rental company €175.000, in particular for having disproportionately infringed the privacy of its customers by geolocating them almost permanently.

The company also failed to identify and implement a proportionate data retention period, and to inform individuals.

For further information: CNIL Website

07/08/2022 – French Supervisory Authority | Formal Notices | Website Security

The French Supervisory Authority issued formal notices against fifteen organizations for insufficiently secured websites, amongst the twenty-one websites inspected in 2021.

The Authority highlights the lack of sufficient data encryption, including obsolete versions of the transport layer security (TSL) protocol and unsecured access (HTTP) to the website, and the lack of sufficient measures to protect users’ accounts, such as weak password policies.

For further information: CNIL Website [FR]

Germany

09/21/2022 – Baden Württemberg Supervisory Authority | Sanction | Use of Personal Data from Public Land Register

The Baden Württemberg Supervisory Authority imposed fines of €50.000 against a company and €5.000 against an individual for using personal data from a public land register for business development purposes.

The Authority highlights that there is no legitimate interest to process personal data as the register is created pursuant to a legal obligation, to ensure legal certainty and protect property interests, but not to facilitate marketing.

For further information: BfDI-BW Website [DE]

09/20/2022 – Berlin Commissioner for Data Protection and Freedom of Information | Sanction | Data Protection Officer

The Berlin Supervisory Authority imposed a €525.000 fine on the subsidiary of an e-commerce group because its data protection officer had a conflict of interest.

The Authority highlighted that the appointed data protection officer was the managing director of two service companies that processed personal data on behalf of the company for which he was the data protection officer. The Authority held that the subsidiary failed to comply with the GDPR insofar as a conflict of interest had arisen with no action being taken by the company, despite a previous warning issued in 2021.

For further information: BfDI Website [DE]

09/08/2022 – Lower Saxony Supervisory Authority | Warning | Profiling

The Lower Saxony Supervisory Authority issued a press release warning banks against profiling for advertising purposes.

In particular, payment transaction data and third-party data was used by the bank to assess whether a customer might be interested in a particular product. According to the Supervisory Authority, such processing would be unlawful insofar as legitimate interests of the controller cannot constitute the legal basis for the processing, and the consent forms used did not meet the GDPR requirements.

For further information: LfD Niedersachsen [DE]

09/07/2022 – Karlsruhe Higher Regional Court | Decision | Data Transfers

The Karlsruhe Higher Regional Court overturned the judgment of the Baden-Württemberg Procurement Chamber, which argued that a company had to be excluded from a public procurement procedure as its offer violated Chapter V of the GDPR governing data transfers.

As a reminder, the Baden-Württemberg Procurement Chamber excluded a company from a procurement procedure insofar as the company intended to employ the services of a Luxembourg subsidiary of an American cloud provider. According to the Baden-Württemberg Procurement Chamber, the mere risk of access to personal data stored in the European Union by American authorities would be considered as a data transfer.

The Regional Court overturned the judgment, considering that the sole group affiliation does not imply that illegal instructions might be received from the American cloud provider. However, the Regional Court did not address the Chamber of Public Procurement’s argument that the mere ability to access personal data from outside the European Union by a US cloud provider would be considered a transfer under Chapter V of the GDPR.

For further information: Oberlandesgericht Karlsruhe [DE]

08/18/2022 – Thuringia Data Protection Authority | Recommendation | Data Transfers

The Thuringia Data Protection Authority published a recommendation regarding the dynamic embedding of an American provider’s fonts on a website without obtaining visitors’ prior consent.

The Authority refers to recent case law regarding the dynamic embedding of fonts, which was found to constitute a data transfer to the US (of at least the IP address of a website visitor) because of the dynamic linking. Instead, the Authority recommends considering hosting these fonts locally to avoid any link to US servers.

For further information: TLfDI Thüringen Website [DE]

08/09/2022 – Federal Institute for Drugs and Medical Devices | Regulation | Data Protection Certification

The Federal Institute for Drugs and Medical Devices has published standard data protection criteria for digital health and care applications, making it one of the first authorities to establish a data protection certification under Article 42 of the GDPR.

For further information: BfArM Website [DE]

07/28/2022 – Lower Saxony Supervisory Authority | Sanction | Profiling

The Lower Saxony Supervisory Authority fined a bank €900.000 for profiling its active and former customers for advertising purposes without their consent.

For further information: LfD Niedersachsen Website [DE]

07/26/2022 – Lower Saxony Supervisory Authority | Sanction | Driver Assistance System

The Lower Saxony Supervisory Authority fined a car company €1.1 million for using a test vehicle with a driver assistance system using a surveillance camera without informing data subjects, conducting a data protection impact assessment, nor entering into an agreement with its processor.

In particular, the Authority highlights that a vehicle equipped with a driver assistance system using surveillance cameras must be equipped with magnetic signs displaying a camera symbol and other required information for the data subjects, in this case other road users.

For further information: LfD Niedersachsen Website [DE]

07/19/2022 – German Supervisory Authorities | Recommendation | Data Processing Agreements

Several German data protection authorities undertook a joint exercise to review model data processing agreements used by website hosting providers for the processing of their customers’ personal data.

The German data protection authorities have published a detailed checklist for data processing agreements in this respect.

For further information: BlnBDI Website [DE]

Greece

07/13/2022 – Hellenic Supervisory Authority | Sanction | Facial Recognition

The Hellenic Supervisory Authority fined an American AI company specialized in facial recognition €20 million for multiple breaches of the GDPR.

As a reminder, the company used data scraped from the internet for facial recognition and has already been subject to enforcement actions, including in France, Italy, Australia, the UK and Canada.

The Authority notably highlights that the Company failed to name a representative since the company is not established in the European Union, to lawfully process personal data, to inform the data subject and to ensure the right of access of data subjects.

For further information: HDPA Website [GR]

Ireland

09/15/2022 – Irish Supervisory Authority | Sanction | Protection of Minors

The Irish Supervisory Authority fined a social media company €405 million for breaches relating to the public disclosure of children’s personal data using the social media’s business features and a public-by-default setting for personal accounts of children.

As the Authority was unable to reach consensus with the concerned supervisory authorities, the European Data Protection Board issued a binding decision in accordance with the GDPR dispute resolution process. In addition to the fine, the Authority imposed a range of corrective measures, including an order to bring the processing into compliance by taking a range of specified remedial actions.

For further information: DPC website; EDPB Binding Decision

07/06/2022 – Irish Supervisory Authority | Reprimand | Erasure Request

The Irish Supervisory Authority published a reprimand issued on April 27, 2022 against a social media company, for requiring data subjects to provide copies of their IDs when submitting erasure requests.

In particular, the Authority found that the company failed to comply with the data minimization principle and to provide a valid legal basis for such processing. It also ordered the company to revise its internal policies and procedures for handling erasure requests.

For further information: DPC Decision

Italy

06/30/2022 – Italian Supervisory Authority | Sanction | Financial Data

The Italian Supervisory Authority published a decision issued on May 26, 2022, imposing a €100.000 fine on an Italian bank for the unlawful disclosure of customer data to an unauthorized third party.

The bank disclosed a data subject’s banking activity to its parent company without a valid legal basis. The Authority rejected the bank’s argument according to which the disclosure was made by an employee in good faith.

For further information: Garante Website [IT]

Netherlands

07/27/2022 – Dutch Council of State | Decision | Legitimate Interest

The Dutch Council of State upheld a decision overturning the €575.000 fine imposed by the Dutch Supervisory Authority against a video and social platform in 2020. Besides, the European Commission issued a letter, asking the Authority to change its position according to which pure commercial interest does not qualify as legitimate interest.

As a reminder, the case concerned a video and social media platform that installed streaming cameras around amateur soccer fields. The Authority held that the platform could not use legitimate interest as a legal basis since its interest is exclusively commercial. On the contrary, the district court and the Council of State ruled that the platform has other interests such as the interests of players or the public watching the game.

In its letter, the European Commission considers that the Authority’s strict interpretation of legitimate interests is not in line with the GDPR and severely limits businesses’ possibilities of processing personal data for commercial interests, as they would have to collect consent from the data subject in every case where an economic interest is pursued. Against this background, the Commission invited the Authority to readjust its position and reflect that commercial interests can be regarded as legitimate interests when they are not overridden by the fundamental rights and freedoms of the data subject.

For further information: Raad van State Website [NL]; European Commission Letter

Norway

09/09/2022 – Norwegian Supervisory Authority | Sanction | Credit Assessment

The Norwegian Supervisory Authority published a decision issued on August 25, 2022, imposing a NOK 200.000 (approx. €20.000) fine on a company for performing a credit assessment on a data subject without any legal basis to do so.

The Authority notes that the data subject did not have any kind of customer relationship or other connection with the company. In particular, the Authority found that legitimate interest cannot be used a lawful basis insofar as the data subject did not expect the company to process his credit information.

For further information: Datatilsynet Website [NO]

Poland

07/06/2022 – Polish Supervisory Authority | Sanction | Personal Data Breach Notification

The Polish Supervisory Authority fined a company PLN 15.994 (approx. €3.500) for failing to notify a personal data breach.

The Authority considered that a company who loses an employment certificate must notify such breach, even if the employee does not file a complaint, since the certificate of employment contains personal data (e.g., period of employment, parental and child care leave taken).

For further information: EDPB Website

Portugal

08/16/2022 – Portuguese Supervisory Authority | Sanction | Data Security

The Portuguese Supervisory Authority announced the publication of Law No. 16/2022 of August 16, 2022 which approves the Electronic Communications Law.

The law aims to implement several EU Directives, including the Directive 2018/1972 establishing the European Electronic Communications Code. The law notably requires operators to notify the Authority of any security incident and imposes obligations to ensure an adequate level of security for public electronic communication networks and publicly available electronic communications services. This new law will come into force within 90 days as of its publication.

For further information: ANACOM Website [PT]

Romania

09/08/2022 – Romanian Supervisory Authority | Sanction | Security

The Romanian Supervisory Authority fined a digital and media company RON 39.272 (approx. €8.000) for failure to implement adequate technical and organizational measures.

The Authority found that a security incident impacting the platform managed by the company led to an unauthorized disclosure or access to personal data, including names, telephone numbers and bank data.

For further information: ANSPDCP Website [RO]

08/22/2022 – Romanian Supervisory Authority | Sanction | Security of Processing

The Romanian Supervisory Authority fined an energy company RON 49.337 (approx. €10.000) for failure to implement remedial measures to reduce risk following a personal data breach.

The Authority considered that the company, which sent an email containing personal data to the wrong person, breached Article 32 of the GDPR by not providing the Authority with sufficient information on the remedial measures taken following the incident. In addition, the Authority issued a warning against the company for failing to notify the breach.

For further information: ANSPDCP Website [RO]

08/09/2022 – Romanian Supervisory Authority | Sanction | Transparency

The Romanian Supervisory Authority fined a passenger transportation company RON 34.630,40 (approx. €7.000) for failure to provide clear, complete and accurate information to data subjects.

In particular, the company’s website did not provide information regarding the purpose and the legal basis of the processing, the identity and contact data of the data controller, the data retention periods and the conditions for the exercise of data subject’s rights.

For further information: ANSPDCP Website [RO]

Slovenia

08/05/2022 – Slovenian Supervisory Authority | Guidance | Data Protection Impact Assessments

The Slovenian Supervisory Authority published a guide for conducting data protection impact assessments (DPIA).

In particular, the guidance highlights common DPIA shortcomings, gives recommendations to data controllers, and provides a checklist to help determine if a DPIA is comprehensive.

For further information: Slovenian Supervisory Authority Website [SL]

Spain

08/04/2022 – Spanish Supervisory Authority | Sanction | Data Accuracy

The Spanish Supervisory Authority fined an electricity company €50.000 for violation of the accuracy principle.

The Authority found that the company breached the principle of accuracy by linking wrong information, and consequently causing the cancellation of the complainant’s electricity supply contract with his provider.

For further information: AEPD Website [ES]

08/02/2022 – Spanish Supervisory Authority | Sanction | Lawfulness of Processing – Spanish Supervisory Authority | Sanction | Lawfulness of Processing

The Spanish Supervisory Authority fined a bank €42.000 for violations of the lawfulness of processing principle.

The Authority found that after the claimant asked the bank several times not to send any stock market investment report by post to his home address, the bank continued to do so.

For further information: AEPD Website [ES]

07/26/2022 – Spanish Supervisory Authority | Guidance | Biometric Data

The Spanish Supervisory Authority issued guidance regarding the use of biometric data.

The guidance focuses on data protection impact assessments in relation to biometric data and the criteria used to classify biometric systems in the framework of a processing operation when assessing the risk to the rights and freedoms of individuals that the processing of such data may entail.

For further information: AEPD Website

07/22/2022 – Spanish Supervisory Authority | Sanction | Marketing Calls

The Spanish Supervisory Authority fined a telecommunications company €40.000 for unlawful marketing calls, despite a data subject’s registration in the national opt-out list and notification of his direct opt-out to the company.

For further information: AEPD Website [ES]

07/18/2022 – Spanish Supervisory Authority | Sanction | Data Processing Principles

The Spanish Supervisory Authority fined a bank €56.000 for failing to comply with various data processing principles.

In particular, the Authority ruled that the bank violated the principle of integrity and confidentiality of processing by sending a report on a data subject’s investment to the wrong recipient, due to a computer error.

For further information: AEPD Website [ES]

07/13/2022 – Spanish Supervisory Authority | Sanction | Personal Data Breach

The Spanish Supervisory Authority published a decision issued on May 3, 2022, imposing a €132.000 fine on an insurance company for repeatedly sending medical data to an unauthorized third party and failing to notify a personal data breach despite being alerted.

For further information: AEPD Website [ES]

Sweden

09/13/2022 – Swedish Supervisory Authority | Decision | Sensitive Personal Data

The Swedish Supervisory Authority sanctioned a company for offering a browsing service that allows users to access court decisions containing sensitive personal data.

In particular, the Authority highlighted that the company’s database gave users access to court decisions with information on individuals who had undergone mandatory care due to mental illness or addiction. Therefore, the Authority issued a reprimand and ordered the company to take measures to prevent such access.

For further information: IMY Website [SE]

09/06/2022 – Swedish Supervisory Authority | Investigation | Employee Monitoring

The Swedish Supervisory Authority announced that it has opened an investigation regarding a transport company for monitoring the driving behavior of some of its employees.

The Swedish Supervisory Authority asked the transport company to clarify whether it had a legal basis for processing and whether it had provided required information to its employees.

For further information: IMY Website [SE]

Switzerland

08/31/2022 – Swiss Supervisory Authority | Press Release | New Data Protection Legislation

The Swiss Supervisory Authority announced that a new data legislation will come into force on September 1, 2023.

This regulation aims to improve data protection in Switzerland and shares similarities with the GDPR, such as data processing principles, the obligation to report personal data breaches and to conduct data protection impact assessments. It differs from the GDPR in some respects as, for example, there is no obligation for companies to appoint a data protection officer.

For further information: Swiss Supervisory Authority Website [FR]

08/09/2022 – Swiss Supervisory Authority | Document | Access Request

The Swiss Supervisory Authority issued recommendations on the exercise of access requests.

The Authority published recommendations in a dispute settlement procedure between a the Federal Intelligence Service (FIS) and a claimant requesting access to documents concerning the legal basis and processing of the FIS’ facial recognition systems. The FIS refused on the basis of national law, which provides that access to official documents shall be restricted if it jeopardizes the internal or external security of Switzerland. However, the Supervisory Authority deemed the FIS’ arguments too general and unspecific to prove a threat to the internal or external security of Switzerland and recommended the FIS to grant the claimant full access to the required documents.

For further information: Swiss Supervisory Authority recommendations [DE]

United Kingdom

09/07/2022 – UK Supervisory Authority | Guidance | Privacy-Enhancing Technologies

The UK Supervisory Authority has published draft guidance on privacy-enhancing technologies (PETs).

The publication forms part of the Authority’s draft guidance on anonymization and pseudonymization. The draft guidance explains some of the different types of PETs and their benefits, as well as how they can help organizations comply with data protection law.

For further information: ICO Website

09/06/2022 – UK Supervisory Authority | Sanction | Direct Marketing

The UK Supervisory Authority fined a UK-based motoring and cycling retailer £30.000 (approx. €34.000) for sending unsolicited marketing emails to data subjects without their consent.

The Authority held that the company improperly relied on legitimate interest as a lawful basis and could not count on the soft opt-in exemption insofar as the customers who received the email had opted out of marketing.

For further information: ICO Website

08/19/2022 – UK Supervisory Authority | Guidance | Complaint

The UK Supervisory Authority published guidance for small businesses that receive data protection complaints.

The Authority issued a six-step guide to acknowledge receipt of the complaint, find out the specific issue related to the complaint, provide updates to the data subject, record actions taken in response to the complaint, formally respond to the individual regarding the outcome of the investigation, and review the lessons learned.

For further information: ICO Website

07/21/2022 – UK and US Government | Joint Statement | Data Access Agreement

UK and US Governments issued a joint statement announcing that the UK-US Data Access Agreement will come into force on October 3, 2022.

As a reminder, the Data Access Agreement allows the US and the UK law enforcement agencies to directly request data held by communications providers in the other party’s jurisdiction in order to prevent, detect, investigate and prosecute serious crimes such as terrorism and child sexual abuse and exploitation.

In October 2019, the UK and US Governments signed an agreement on cross-border law enforcement demands for data from communication service providers. Recently, the two countries have completed the procedural steps required to bring this agreement into force.

For further information: US Department of Justice Website

07/18/2022 – UK Parliament | Regulation | Data Protection and Digital Information Bill

The UK Government published a draft of the Data Protection and Digital Information Bill.

The draft Bill provides for various changes to the UK’s legal framework, including replacement of the role of data protection officer with a designated senior responsible individual, changes to record-keeping requirements, replacement of the regime for carrying out data protection impact assessments and removal of the requirement for non-UK organizations to appoint a UK representative, as well as exempting additional types of website cookies from the existing consent requirements.

Please note that the Bill may be subject to substantial change following the announcement in October by the Secretary of State that the UK will be replacing GDPR with a new data protection regime.

For further information: UK Parliament Website

07/05/2022 – UK Government | Data Transfers | Data Adequacy Agreement

The UK and the Republic of Korea reached an adequacy agreement in principle to secure the transfer of data outside of the UK.

For further information: UK Government Website

This newsletter has been prepared by the EU Privacy team of Gibson Dunn. For further information, you may contact us by email:

Ahmed Baladi – Partner, Co-Chair, PCCP Practice, Paris (abaladi@gibsondunn.com)
Vera Lukic – Partner, Paris (vlukic@gibsondunn.com)
Kai Gesing – Partner, Munich (kgesing@gibsondunn.com)
Joel Harrison – Partner, London (jharrison@gibsondunn.com)
Alison Beal – Partner, London (abeal@gibsondunn.com)
Clémence Pugnet – Associate, Paris (cpugnet@gibsondunn.com)
Léna Bionducci – Associate, Paris (lbionducci@gibsondunn.com)
Yannick Oberacker – Associate, Munich (yoberacker@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On October 7, 2022, the Department of Commerce Bureau of Industry and Security (“BIS”) released broad changes in the Export Administration Regulations (“EAR”) that together will create an effective embargo against providing to China the technology, software, manufacturing equipment, and commodities that are used to make certain advanced computing integrated circuits (“ICs”) and supercomputers. These changes include new restrictions on the participation by U.S. companies on enabling any semiconductor development or production at a facility in China[1] that manufactures or even potentially manufactures certain advanced ICs. BIS explained that it developed this sweeping set of new regulations to curtail China’s use of these items in the development of weapons of mass destruction, artificial intelligence and supercomputing-enhanced war fighting, and in technologies that enable violations of human rights. BIS further noted that these broad-based controls are necessary to address China’s mobilization of vast resources to support its defense modernization and the implementation of its “military-civil fusion” development strategy in ways that are contrary to U.S. national security and foreign policy interests.

BIS framed this new set of regulations as an interim final rule, which allows it to impose immediate controls with specified effective dates. Generally speaking, the new restrictions on exports of items associated with semiconductor manufacturing activities went into effect immediately on October 7, 2022, and the new restrictions on the exports of supercomputers, as well as associated parts, software, and technology, will come into effect on October 21, 2022. In addition, a new licensing requirement for support of foreign items destined for use in Chinese company development and production of ICs will become effective between these two dates, on October 12. In the table below we summarize almost 20 separate changes that BIS’s interim final rule is implementing in the coming weeks.

Effective Fri., Oct. 7, 2022 (U.S. Time)	Effective Wed., Oct. 12, 2022 (U.S. Time)	Effective Fri., Oct. 21, 2022 (U.S. Time)
15 C.F.R. § 740.2 (NEW restriction on license exceptions for certain ECCNs)	15 C.F.R. § 744.6 (NEW and Expanded controls on U.S. person’s ability to support China development of integrated circuits)	15 C.F.R. § 734.9(e) (Revised Entity List FDP Rule to add additional restrictions to 28 Chinese entities on the Entity List)
15 C.F.R. § 740.10 (Revised recordkeeping requirement for License Exception RPL)		15 C.F.R. § 734.9(h) (NEW Advanced Computing FDP Rule)
15 C.F.R. § 742.6 (NEW Regional Stability (“RS”) Controls for semiconductor manufacturing items sent to China)		15 C.F.R. § 734.9(i) (NEW Supercomputer FDP Rule)
>15 C.F.R. § 744.11(b) (NEW criteria for adding entities to the Entity List)		15 C.F.R. Part 734, Supplement No. 1 (NEW model certification for Advanced Computing FDP Rule)
15 C.F.R. § 744.23 (NEW semiconductor manufacturing end-use prohibitions)		15 C.F.R. Part 736, Supplement No. 1 (NEW Temporary General License for certain newly controlled activities)
15 C.F.R. Part 774, Supplement No. 1 (NEW ECCN 3B090 and Revised ECCNs 3B991, 3D001, and 3E001)		15 C.F.R. § 740.2 (NEW Restriction on License Exceptions for certain ECCNs) This is an expansion of the new controls implemented on Oct. 7, 2022.
		15 C.F.R. § 742.6 (NEW RS Controls for semiconductor manufacturing and advanced computing items to China) This is an expansion of the new controls implemented on Oct. 7, 2022.
		15 C.F.R. § 744.1 (NEW restrictions on supercomputer and semiconductor manufacturing end-use prohibitions)
		15 C.F.R. § 744.11 (NEW licensing requirements concerning expansion of Entity List FDP Rule and “Footnote 4” Entity List entities)
		15 C.F.R. § 744.23 (New supercomputer and semiconductor manufacturing end-use prohibitions) This is an expansion of the new controls implemented on Oct. 7, 2022.
		15 C.F.R. Part 744, Supplement No. 4 (NEW Footnote 4 added to 28 Chinese entities on Entity List to account for expansion of Entity List FDP Rules)
		15 C.F.R. § 762.2 (NEW recordkeeping requirement to retain Advanced Computing FDP Rule supply chain certificate)
		15 C.F.R. § 772.1 (NEW definition for “supercomputer” under the Commerce Control List (“CCL”))
		15 C.F.R. Part 774, Supplement No. 1 (Revised Note 3 to Category 3, Product Group A; Revised ECCNs 3A991, 3D001, 3E001, 4A994, 4D994, 4E001, 5A992, and 5D992; NEW ECCNs 3A090, 4A090, and 4D090)

On October 7, 2022, BIS also released a final rule adding 31 Chinese technology companies to the Commerce Department’s Unverified List. It also revised the criteria for inclusion on the Entity List to include an entity’s refusal or a host country’s continued interference in the ability of the entity to provide its bona fides or information to verify end-use checks. A concurrent rule issued by Commerce’s Export Enforcement division states that it will be applying a new, staged approach to adding companies to the Entity List where a foreign government interferes in end-use checks, essentially using the Unverified List as a first step.

We explain and outline the impacts of each of the new provisions below.

New Controls for Exports to China of Advanced IC, Advanced IC Manufacturing Equipment, and Associated Commodities, Software and Technology (15 C.F.R. §§ 740.2, 740.10, 742.6, and Part 774, Supplement No. 1)

One of the most consequential changes contained in the new regulations is the imposition of unilateral “Regional Stability” or RS controls on exports to China of advanced computing ICs, computer commodities that contain such ICs, and certain semiconductor manufacturing equipment, as well as associated software and technology. These new unilateral controls impose a license requirement for exports, reexports, and in-country transfers of identified items to or within China.

The new RS-based licensing requirement will be imposed in stages on a set of new and revised items defined by Export Control Classification Numbers (“ECCNs”). The new RS controls on certain semiconductor manufacturing items, as well as associated software and technology, became effective on October 7, 2022. Similar controls on certain advanced computing items will come into effect on October 21, 2022.

Effective October 7, 2022:
- New ECCN 3B090 to control certain semiconductor manufacturing equipment and specially designed parts, component, and accessories.
- Revised ECCNs 3B991, 3D001, and 3E001 to account for new RS controls and corresponding changes in light of new ECCN 3B090.
Effective October 21, 2022:
- New ECCNs 3A090, 4A090, and 4D090 to control specified high-performance ICs; certain computers, electronic assemblies, and components containing ICs; and associated software, respectively.
- Revised ECCNs 3D001, 3E001, and 4E001 for the software and technology associated with ECCNs 3A090, 4A090, and 4D090, as well as 5A992 and 5D992 for commodities and software that meet or exceed the performance parameters of ECCNs 3A090 or 4A090.

BIS further restricted access in China to the items described by these ECCNs by limiting the availability of most license exceptions for these items, including the widely used license exception for encryption items (referred to as “ENC”). Prior to this rule change, some advanced ICs did not require licensing when exported to China solely because they incorporated an information security functionality that could qualify for license exception ENC after certain classification, filing, and/or reporting requirements were met. Under the new rules, license exception ENC will not be available to overcome the new RS license requirements for items that also meet the classification criteria for ECCNs 3A090, 4A090, and the associated software and technology in 3D001, 3E001, 4D090, and 4E001.

Importantly, the new RS controls do not apply to deemed exports or deemed reexports.

BIS will review license applications to export, reexport, and transfer in-country RS-controlled items to PRC-IC fabricators under a presumption of denial. However, BIS will review applications for semiconductor manufacturing items destined to end users in China that are headquartered in the United States or in certain closely allied nations listed in Country Groups A:5 and A:6 on a case-by-case basis.

New Controls on Specified High-Performance Computing ICs and Commodities That Contain Them (15 C.F.R. Part 774, Supplement No. 1)

BIS is also adding new unilateral “anti-terrorism” or AT controls on the export of certain high-performance ICs, and their associated software and technology. These ICs can be found in a wide range of applications, including central processing units (“CPU”), graphics processing units (“GPU”), tensor processing units (“TPU”), neural processors, in-memory processors, vision processors, text processors, co-processors/accelerators, adaptive processors, and field-programmable logic devices (“FPLDs”). These new IC controls are described under ECCNs 3A991p and 4A994.l, and their corresponding software and technology controls under ECCNs 3D991, 3E991, 4D994, and 4E992, and exports, reexports, and transfers of these items to Iran, North Korea, and Syria will now require licensing.

Impact of New AT Controls on Certain Foreign National Employees in the United States – Deemed Exports

Whenever BIS identifies new technologies for control, companies and other organizations that employ foreign nationals in the United States need to consider whether the new controls will impose a requirement for them to obtain “deemed export” licenses. With respect to these new controls on these high-performance ICs and the commodities that contain them, BIS clarified that foreign national employees who did not previously require a license, but now do, will not require licensing unless they are provided access to new technology or software that exceeds the scope of the technology or software they received previously. For example, an Iranian national technologist who lawfully accessed technology or software specified in new ECCN paragraphs 3A991.p or 4A994.l prior to the effective date would not need a new license to continue receiving the same technology or software, but would require a license for the release of controlled technology or software different from that previously released, even if the technology or software is classified under the same ECCNs.

Although this clarification creates something of a safe harbor for existing national employees who support U.S. domestic companies with the development of high-performance ICs, the harbor is not particularly deep or wide, and we expect these new export controls to pose significant deemed export compliance challenges for many. Among other challenges, few companies would have already created detailed inventories of the specific software and technology its employees have access to that Commerce now controls with the new ECCNs prior to their creation last week. Moreover, even if and when such inventories are developed, the question of what would constitute the release of a new or different software or technology to the foreign national employee will immediately present itself. For example, would foreign national’s writing of new source code for the same piece of software be considered new? What if the employee is asked to work on design changes for a similar, but different IC than a company currently sells? Not only will many companies have significant difficulties identifying access to the newly controlled technologies, and then construing what releases of technology and software are new, but once they determine a license is needed, the companies and the foreign national employees will then be faced with a protracted period of uncertainty as BIS adjudicates the deemed export license application, a process that often takes between six and twelve months.

New and Expanded Foreign Direct Product (“FDP”) Rules

BIS is also significantly expanding the application of its existing Entity List FDP rules and creating two new FDP rules on advanced computing ICs and supercomputers. These rules come into effect October 21, 2022.

Entity List FDP Rule (15 C.F.R. §§ 734.9(e), 744.11, and Part 744, Supplement No. 4)

After early attempts to cut off the flow of U.S.-origin items to Huawei, BIS modified the national security-related control known as the Foreign Direct Product Rule to enable it to target a broader range of exports to specific companies that it has designated to the EAR Entity List (“Entity List FDP rule”). The Foreign Direct Product Rule concept is at the farthest end of U.S. efforts to extend its export controls jurisdiction extraterritorially because it applies to non-U.S.-origin items that are the direct products of specified U.S.-origin software and technology, or of “major components” or whole plants that are the direct product of this software and technology. BIS also has used new FDP rule modifications to limit the access by Russian and Belarusian military end users and military intelligence end users to commodities produced with controlled U.S. software and technology.

BIS has now expanded its Entity List FDP rule to cover 28 China-based entities that it had already designated to the Entity List over the last several years for their alleged participation in nuclear and other weapons of mass destruction proliferation, as well as surveillance and other human rights violations. Thus, in addition to requiring licenses for exports of U.S. origin items, any non-U.S. based exporters also will require U.S. export licenses to export, reexport or transfer items that are direct products of technology or software classified by the following ECCNs: 3D001, 3D991, 3E001, 3E002, 3E003, 3E991, 4D001, 4D993, 4D994, 4E001, 4E992, 4E993, 5D001, 5D002, 5D991, 5E001, 5E002, or 5E991, as well as the direct product of any plant or “major component” of a plant that is the “direct product” of U.S.-origin “technology” or “software” that is specified in the ECCNs listed above. These ECCNs apply to most ICs, computers, telecommunications, and information security items controlled by Commerce.

BIS also has created two new, similarly structured FDP rules to target the export, reexport and transfer of foreign direct products used to develop or produce ICs and supercomputers for China-based manufacturers.

Advanced Computing FDP Rule (15 C.F.R. §§ 734.9(h), 762.2, and Part 734, Supplement No. 1)

The Advanced Computing FDP rule expands the scope of the EAR to certain items destined for China, as well as certain items produced in China. The rule is applicable whenever an exporter has “knowledge” (as defined under the EAR to cover actual knowledge and an awareness of a high probability, which can be inferred from acts constituting willful blindness) that the item is (1) destined for China or will be incorporated into any “part,” “component,” “computer,” or “equipment” (not designated EAR99) destined for China, or (2) the technology is developed by an entity headquartered in China for the “production” of a mask or an IC wafer or die. The foreign-produced items that are affected by this new rule include those items that are either:

(i) the “direct product” of “technology” or “software” subject to the EAR and specified in ECCNs 3D001, 3D991, 3E001, 3E002, 3E003, 3E991, 4D001, 4D090, 4D993, 4D994, 4E001, 4E992, 4E993, 5D001, 5D002, 5D991, 5E001, 5E991, or 5E002; and

- (a) are described by ECCNs 3A090, 3E001 (for 3A090), 4A090, or 4E001 (for 4A090); or
- (b) are ICs, computers, “electronic assemblies,” or “components” specified elsewhere on the CCL that meet the performance parameters of ECCNs 3A090 or 4A090;

(ii) or are produced by any complete plant or “major component” of a plant that is located outside the United States, when the plant or “major component” of a plant, whether made in the United States or a foreign country, itself is a “direct product” of U.S.-origin “technology” or “software” that meets the requirements discussed immediately above.

As a suggested compliance aid, BIS has provided a suggested (voluntary) sample certification that suppliers can complete to comply with this Advanced Computing FDP. See Supplement 1 to Part 734. In this certification, the supplier would assert that an item being provided will be subject to the EAR if a future transaction meets the destination scope outlined above. If a certificate is not provided by a supplier, BIS explains that the supplier’s customers will need to complete additional due diligence to determine if the item purchased is subject to the Advanced Computing FDP’s licensing requirement for onward exports to China. BIS further notes, however, that the certification alone should not be the only due diligence conducted before an export occurs. Moreover, BIS advises that entities outside of China that receive 3E001 for 3A090 technology from China should consider confirming that a license was obtained to export such technology from China, as the provisions of the Advanced Computing FDP also extend to certain items produced in China by China-based manufacturers. If no such license has been obtained, the item would have been exported from China in violation of the EAR. In addition, parties involved in supporting the transaction would be subject to the EAR’s General Prohibition 10, which prohibits any person from taking further action on a transaction with knowledge (see definition above) that a violation has occurred or is about to occur.

Supercomputer FDP Rule (15 C.F.R. §§ 734.9(i) and 772.1)

Similarly, BIS has now issued the Supercomputer FDP rule to expand the scope of the EAR to certain items destined for China whenever the exporter has “knowledge” that the foreign-produced item will be (1) used in the design, “development,” “production,” operation, installation (including on-site installation), maintenance (checking), repair, overhaul, or refurbishing of a “supercomputer” (as defined in the EAR) located in or destined to China; or (2) incorporated into, or used in the “development,” or “production,” of any “part,” “component,” or “equipment” that will be used in a “supercomputer” located in or destined to the China.

The foreign-produced items affected by this new rule are as follows:

foreign-produced items that are the “direct product” of “technology” or “software” subject to the EAR and specified in ECCNs 3D001, 3D991, 3E001, 3E002, 3E003, 3E991, 4D001, 4D993, 4D994, 4E001, 4E992, 4E993, 5D001, 5D991, 5E001, 5E991, 5D002, or 5E002; or

are produced by any plant or “major component” of a plant that is located outside the United States, when the plant or “major component” of a plant, whether made in the United States or a foreign country, itself is a “direct product” of U.S.-origin “technology” or “software” that is specified in the ECCNs 3D001, 3D991, 3E001, 3E002, 3E003, 3E991, 4D001, 4D994, 4E001, 4E992, 4E993, 5D001, 5D991, 5E001, 5E991, 5D002, or 5E002.

As of October 21, 2021, “supercomputer” will be specifically defined under the EAR as “a computing “system” having a collective maximum theoretical compute capacity of 100 or more double-precision (64-bit) petaflops or 200 or more single-precision (32-bit) petaflops within a 41,600 ft³ or smaller envelope.” Commerce’s definition for “supercomputer” is interesting in at least two ways. First, it appears that a large variety of advanced ICs can be used to create the level of computing power density outlined by the definition. Thus, this definition creates a kind of catch-all for computing power regardless of how it is achieved. Second, data center providers, and those who support them, may need to consider whether any specific data center could conceivably meet this computing power threshold.

Temporary General License (15 C.F.R. Part 736, Supplement No. 1)

Taken together, these new sets of RS, FDP, and ECCN-defined controls will have a significant impact on the ability of China-headquartered companies to obtain access to the commodities, technology and software required to manufacture ICs and Supercomputers. But a larger policy comes into focus when one considers a Temporary General License (“TGL”) that BIS issued alongside these controls.

The TGL authorizes companies headquartered in the United States or in a subset of other countries (those not headquartered in Country Groups D:1 or D:5 or E) to continue exporting certain ICs and associated software and technology for specified purposes to their affiliates and subsidiaries located in China through April 7, 2023, provided that none of the ultimate recipients of the items being manufactured with these products are located in China. The announced objective for the TGL is to mitigate the immediate disruption that these new controls will have on users of the TGL’s supply chains. Once the TGL expires in April 2023, exporters will need to apply for an individually validated export license to export such advanced computing chips, assemblies containing them, and related software and technology to China for supply chain-related activities, such as assembly, inspection, quality assurance, and distribution. These applications will carry a presumption of denial, although license applications for semiconductor manufacturing items destined to end users in China that are headquartered in the United States or in certain closely allied nations listed in Country Groups A:5 and A:6 will be reviewed on a case-by-case basis.

The TGL allows, at least until April 7, 2023, companies to continue exporting the following items:

ECCNs 3A090, 4A090, and associated software and technology in ECCNs 3D001, 3E001, 4D090, or 4E001; and

any item that is a computer, IC, “electronic assembly” or “component” and associated software and technology, specified elsewhere on CCL which meets or exceeds the performance parameters of ECCNs 3A090 or 4A090.

The TGL’s expiry in April 2023 provides but a short time for U.S. and other Group A:5 and A:6 headquartered companies to find alternative fabricators for ICs. Other non-China based fabricators may already be at capacity, and the timeline for bringing new fabrication facilities online and qualifying them to produce new ICs is far longer than the timelines currently contemplated by the TGL.

New End-User/End-Use Controls (15 C.F.R. §§ 744.1 and 744.23)

The new regulations also restrict China’s access to ICs and supercomputing through the imposition of new end-user and end-use controls. These controls are knowledge-based controls that require exporters to seek BIS licensing when they know, are informed, or are otherwise unable to determine that their exports will be put to certain end uses.

On October 7, 2022, these end-user/end-use prohibitions were extended to the following:

any item subject to the EAR used in the “development” or “production” of ICs at a semiconductor fabrication “facility” located in China which fabricates certain ICs such as advanced logic, NAND, and DRAM ICs;

any item subject to the EAR and classified in an ECCN in Product Groups B, C, D, or E in Category 3 of the CCL when the individual or entity knows the item will be used in the “development” or “production” of ICs at any semiconductor fabrication “facility” located in China, but for which the individual or entity does not know whether such semiconductor fabrication “facility” fabricates advanced ICs; and

any item subject to the EAR for which the individual or entity will be used in the “development” or “production” in China of any “parts,” “components” or “equipment” specified under ECCNs 3B001, 3B002, 3B090, 3B611, 3B991, or 3B992.

On October 21, 2022, these end-user/end-use prohibitions also will apply to certain “supercomputers” as defined under the EAR, namely:

any IC subject to the EAR and specified in ECCNs 3A001, 3A991, 4A994, 5A002, 5A004, or 5A992 when the individual or entity knows the item will be used in (1) the “development,” “production,” “use,” operation, installation (including on-site installation), maintenance (checking), repair, overhaul, or refurbishing of a “supercomputer” located in or destined to China; or (2) incorporation into, or the “development” or “production” of any “component” or “equipment” that will be used in a “supercomputer” located in or destined to China; and

any computer, “electronic assembly,” or “component” subject to the EAR and specified in ECCNs 4A003, 4A004, 4A994, 5A002, 5A004, or 5A992 when the individual or entity knows the item will be used for the activities described above.

Commerce notes that it will review all end-user/end-use license applications with a presumption of denial, but that it will consider license applications for semiconductor manufacturing items destined to end users in China that are headquartered in the United States or in certain closely allied nations listed in Country Groups A:5 and A:6 on a case-by-case basis.

Activities of U.S. Persons (15 C.F.R. § 744.6)

Effective October 12, U.S. persons will be prohibited from engaging in certain activities, even when dealing with items that are non-U.S. origin.

Specifically, BIS will now require U.S. persons to apply for licenses to facilitate or engage in shipping, transmitting or transferring to or within China the following products:

any item not subject to the EAR that the individual or entity knows will be used in the “development” or “production” of ICs at a semiconductor fabrication “facility” located in China that fabricates certain ICs such as advanced logic, NAND, and DRAM ICs; or in the servicing of any such items;

any item not subject to the EAR and meeting the parameters of any ECCN in Product Groups B, C, D, or E in Category 3 of the CCL that the individual or entity knows will be used in the “development” or “production” of ICs at any semiconductor fabrication “facility” located in China, but for which the individual or entity does not know whether such semiconductor fabrication “facility” fabricates certain ICs such as advanced logic, NAND, and DRAM ICs; or in the servicing of any such items; or

any item not subject to the EAR and meeting the parameters of ECCNs 3B090, 3D001 (for 3B090), or 3E001 (for 3B090) regardless of end use or end user; or in the servicing of any such items.

Commerce will review all such license applications with a presumption of denial, although license applications for semiconductor manufacturing items destined to end users in China that are headquartered in the United States or in certain closely allied nations listed in Country Groups A:5 and A:6 will be reviewed on a case-by-case basis.

Additions to Unverified List (“UVL”) and Changes to Entity List Designation Criteria (15 C.F.R. § 744.11(b))

The new final rule adds specific criteria for designation to the more restrictive Entity List:

an entity precludes access to, refuses to provide, or provides false or misleading information related to the parties to the export transaction or the underlying item; or
where there is a sustained lack of cooperation by the entity’s host government to facilitate end-use checks of entities on the UVL.

In a related statement of a new policy in line with these changes in the final rule, BIS laid out a two-step process whereby companies that do not complete requested end-use checks within 60 days will be added to the UVL, and if those companies are added to the UVL due to the host country’s interreference, after a subsequent 60 days of the end-use check not being completed, the company on the UVL will be transferred to the Entity List.

The new policy states that for all companies currently on the UVL as of the date of the policy (October 7, 2022), including the 31 new China company additions, the 60-day “escalation” clock begins immediately.

________________________

[1] As a reminder, under current U.S. export controls, China also includes the Hong Kong Special Administrative region after the United States revoked Hong Kong’s special status under U.S. law in 2020.

The following Gibson Dunn lawyers prepared this client alert: Christopher Timura, Chris Mullen, Judith Alison Lee, David A. Wolber, Adam M. Smith, and Stephenie Gosnell Handler.

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Today the U.S. Department of Labor issued a proposed rule regarding who is an “independent contractor” under the Fair Labor Standards Act (the “FLSA” or “Act”), and thus not subject to the minimum wage and overtime requirements the Act applies to “employees.” The proposal defines independent contractor more narrowly than the 2021 Trump Administration rule it is intended to replace. Interested parties will have 45 days from the proposal’s expected October 13 Federal Register publication to submit comments.

The proposal would codify a six-factor, totality-of-the-circumstances test for who qualifies as an independent contractor, similar in some respects to the approach the Department often used before the 2021 rule. Under DOL’s proposal, independent contractor status would be determined by looking to the following factors: the worker’s opportunity for profit or loss; the worker’s investments; the permanency of the relationship; the degree of control by the employer over the worker; whether the work is an integral part of the employer’s business; and the skill and initiative required to do the work. The proposed test would not assign special weight to any of the six factors, and instead consider them “in view of the economic reality of the whole activity” in which the worker in question is engaged.

Apart from jettisoning the framework of the 2021 rule—which relied on five factors, not six, and gave particular weight to “control” and the “opportunity for profit or loss”—the new proposal would make important adjustments to how the six traditional factors are applied. For example, DOL proposes considering the worker’s investments on a relative basis with the employer’s investments. The proposed rule states, “If the worker’s investment does not compare favorably to the employer’s investment, then that fact suggests that the worker is economically dependent and an employee of the employer.” Likewise, the proposal would reformulate the factor concerning whether a worker’s activities are part of an “integrated unit of production” into an assessment of whether the activity is important or “central” to a business’s operations. The proposal would also treat control measures implemented by a company to comply with “legal obligations, safety or health standards, or requirements to meet contractual or quality control obligations” as indicative of employee status.

The proposed rule does not adopt either the common-law test or the “ABC test” for determining independent contractor status. DOL stated that it “continues to believe that legal limitations prevent the Department from adopting either of those alternatives.”

If finalized, these changes could reduce the number of workers who can be treated as independent contractors.

In its proposal, DOL acknowledges that the proposed rule is an “interpretive” rule, meaning that if finalized it would be entitled only to “Skidmore deference” from the courts, rather than the more robust “Chevron deference” that sometimes is given to binding substantive rules.

The terms of the Department’s final rule will depend on its response to comments submitted by interested parties during the notice-and-comment period, including legal objections raised to the Department’s proposed six-part test, and commenters’ description and substantiation of any significant adverse consequences expected under the proposed approach. Until a final rule is issued—possibly in mid-to-late 2023—the Department’s 2021 rule will remain in place. Legal challenges are possible once a final rule is adopted.

The following Gibson Dunn attorneys assisted in preparing this client update: Gene Scalia, Michael Holecek, and Blake Lanning.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Labor and Employment or Administrative Law and Regulatory practice groups, or the following authors or practice leaders:

Eugene Scalia – Co-Chair, Administrative Law and Regulatory Group, Washington, D.C. (+1 202-955-8210, escalia@gibsondunn.com)

Michael Holecek – Los Angeles (+1 213-229-7018, mholecek@gibsondunn.com)

Blake Lanning – Washington, D.C. (+1 202-887-3794, blanning@gibsondunn.com)

Jason C. Schwartz – Co-Chair, Labor & Employment Group, Washington, D.C.
(+1 202-955-8242, jschwartz@gibsondunn.com)

Katherine V.A. Smith – Co-Chair, Labor & Employment Group, Los Angeles
(+1 213-229-7107, ksmith@gibsondunn.com)

Helgi C. Walker – Co-Chair, Administrative Law and Regulatory Group, Washington, D.C. (+1 202-887-3599, hwalker@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On September 27, 2022, Governor Newsom signed California’s new pay transparency and pay scale disclosure law. This Alert summarizes the new requirements and enforcement mechanisms, including how they depart from California’s previous pay transparency laws, as well as their impact on employers’ pay reporting and disclosure obligations.

The new requirements are set to become effective January 1, 2023, with the first pay data reports due to the California Civil Rights Department (the “Department,” formerly the Department of Fair Employment and Housing) in May 2023.

Pay Scale Disclosures in Job Postings to Employees and Applicants

The law expands California’s existing salary history law to impose new pay scale disclosure requirements on covered employers.

Under the existing law, California employers were required to provide the pay scale, meaning the salary or hourly wage range, only upon request by an applicant who completed an initial interview. The new law maintains that applicant disclosure requirement and adds that, upon a current employee’s request, covered employers will be required to provide the pay scale the employer reasonably expects to pay for such employee’s currently-held position.

California employers with 15 or more employees will also be required to include a position’s pay scale, meaning the salary or hourly rate an employer reasonably expects for the position, in any job posting, whether the employer itself posts the job or engages a third party to manage job postings.

The new law also imposes recordkeeping requirements on all employers, regardless of size, in that employers must maintain job title and salary history for all employees during their employment and for three years thereafter.

New Enforcement Mechanisms, Including Private Right of Action and Civil Penalties

The California Labor Commissioner is authorized to order civil penalties ranging from $100 to $10,000 for violations of the pay scale disclosure requirements. The Labor Commissioner will determine the penalty based on the totality of the circumstances, including prior violations.

Fortunately, the law provides that the Labor Commissioner will not assess a penalty for the first violation of the job posting requirements so long as the employer demonstrates that all job postings are updated to include the required disclosures.

Employers must also make available job title and salary history records for inspection upon request by the Labor Commissioner, with violations being subject to the same civil penalties as the pay data disclosure provisions, ranging from $100 to $10,000.

Finally, the Legislature created a private right of action for violations of the pay scale transparency law within a year of learning of such violations, giving aggrieved parties the right to seek injunctive and “any other appropriate relief.” Perhaps most significantly, the law creates a rebuttable presumption in favor of an employee’s claim should an employer fail to maintain the records of each employee’s job titles and pay rate history for the specified timeframe.

More Employers Covered, and Additional Data Required

The new law also dramatically expands the scope of potential employers covered as well as their pay data reporting obligations.

Covered Employers

Previously, only private employers with 100 or more employees were required to submit pay data reports to the Department if they were already required to file an annual EEO-1 Employer Information Report. Employers were also permitted to submit their annual EEO-1 report to satisfy the state’s pay data reporting obligations.

Now, all private employers with 100 or more employees will be required to submit pay data reports, without regard to federal EEO-1 reporting status. And employers are no longer permitted to submit an EEO-1 in lieu of a pay data report.

Although the Department has not yet published guidance interpreting the new law, the Department’s guidance on the existing law provides that employers are covered by these requirements if they have 100 or more total employees with at least one employee in California. Existing guidance also directs employers to include remote employees in the pay data reports if the employees are assigned to a California establishment, regardless whether they reside in California, or the employees reside in California but are assigned to an establishment in another state.

In addition, under the new law, employers with multiple establishments must continue to submit a separate report for each establishment. Employers will no longer be required to submit a consolidated report that includes all employees across establishments as the existing law required.

Data Required

Similar to requirements under existing law, employers’ pay data reports are to be based on a “snapshot” of W-2 earnings during a single pay period from October through December of the previous calendar year.

The pay data report must break out the number of employees by race, ethnicity, and sex in a series of job categories, and must report the number of employees by race, ethnicity, and sex whose earnings fall within each of the pay bands prescribed in the Bureau of Labor Statistics’ Occupational Employment Statistics survey. Significantly, there is a new requirement that employers identify the median and mean hourly pay rate for each combination of race, ethnicity and sex (inter-sectionally) for each job category.

Contract Workers

In a further departure from existing requirements, private employers with over 100 employees hired through labor contractors in the prior year will also be required to submit a separate pay data report covering contract workers. The new law broadly defines “labor contractors” to include both individuals and entities “that supply workers, either with or without a contract,” “to perform labor within the client employer’s usual course of business.”

Although the new law requires each labor contractor to provide employers with the necessary pay data to complete the reports, covered employers are ultimately responsible for the reports and must disclose the ownership names of any labor contractors who supplied workers in the previous year.

New Civil Penalties

Starting next year, employers who fail to submit the required annual reports may face fines of up to $100 per employee for initial violations, and up to $200 per employee for subsequent violations, in addition to potentially being responsible for the Department’s costs associated with obtaining a court order to ensure compliance.

Key Takeaways

Covered employers should take steps to comply with the new requirements, including to disclose pay scales in job postings, as well as to maintain job title and pay rate history records, in advance of the January 1, 2023 effective date. Covered employers should be mindful of the fact that obtaining the required information from labor contractors may prove time consuming so employers should plan in advance of the May reporting deadline. In addition, preparing the requisite pay data reports will also require careful consideration and preparation to comply with the Department’s guidance. Employers located in multiple states should also be mindful of other state salary transparency requirements such as those for Washington, Colorado, and New York City.

The following Gibson Dunn attorneys assisted in preparing this client update: Amanda R. Sansone, Jason C. Schwartz, Katherine V.A. Smith, Danielle J. Moss, Harris M. Mufson and Tiffany Phan.

Tiffany Phan – Los Angeles (+1 213-229-7522, tphan@gibsondunn.com)

Harris M. Mufson – New York (+1 212-351-3805, hmufson@gibsondunn.com)

Danielle J. Moss – New York (+1 212-351-6338, dmoss@gibsondunn.com)

Jason C. Schwartz – Co-Chair, Labor & Employment Group, Washington, D.C. (+1 202-955-8242, jschwartz@gibsondunn.com)

Katherine V.A. Smith – Co-Chair, Labor & Employment Group, Los Angeles (+1 213-229-7107, ksmith@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

In making a winding-up order against Carnival Group International Holdings Limited (the “Company”), Hong Kong Court emphasizes the importance for the directors of an insolvent company to carefully consider whether they should procure the company to oppose the winding-up petition otherwise they could be personally liable to pay costs arising from the opposition.[1]

The Hon Linda Chan J ordered the winding up of the Company after hearing the petition (the “Petition”) presented in March 2020 by one of the unsecured creditors of the Company (the “Petitioner”), which the Company opposed on the basis that there were pending restructuring proposals. The Court noted that there is a duty on the directors to protect and safeguard the interests of the unsecured creditors. In circumstances where the directors became aware that the restructuring proposals would not come to fruition, it would be incumbent upon them to cause the Company to be wound up. As the directors had failed to do so and incurred costs to oppose the Petition, the Court considered that it may be appropriate to make an adverse costs order against the directors personally, and they were directed to file evidence/submissions to demonstrate why they should not be liable. After considering the directors’ submissions, the Court ordered that the four directors who remained in office on the date of the winding-up order to be personally liable for the costs of and occasioned by Company’s opposition to the Petition at the hearing before the Hon Linda Chan J on 23 August 2022.[2]

1. Background

The Company was listed on The Stock Exchange of Hong Kong. It was incorporated in Bermuda and, until its being wound up, had since February 1994 been registered as an oversea company in Hong Kong under the former Companies Ordinance. The Company was an investment holding company and held a number of subsidiaries incorporated in Hong Kong, the Mainland and the BVI (together, the “Group”).

Since 2018, the Company and the Group had been in financial difficulty and they were unable to meet their debts using the income generated from the business. As at 31 December 2019, the Company’s net liabilities were HK$1 billion, and the total outstanding interest-bearing debts of the Group (consisting of both secured and unsecured debts) was RMB 7.6 billion.

The Petitioner was a holder of a number of unsecured bonds (with an outstanding principal of over HK$30 million at the date of the Petition) which the Company had defaulted. The Petition was supported by other unsecured creditors (the “Supporting Creditors”) to whom an aggregate amount of over HK$878 million was owed by the Company. In addition, one of the 12 institutional (and secured) creditors which had in the past signed letters to support an adjournment of the Petition also indicated support of the Petition before the hearing. No creditor had filed any notice to oppose the Petition.

2. Winding-up order made by the Court

The Petition averred, among other things, that the three core requirements for the Court to exercise its discretionary jurisdiction to wind up the Company were satisfied.[3] Even though in all of its affirmation filed in opposition to the Petition, the Company did not dispute such averments and only relied upon the ground that there had been ongoing restructuring effort which, if implemented, would result in higher return to the unsecured creditors, the Company sought to contend at the hearing (held on 23 August 2022) that the second core requirement (i.e. there must be a reasonable possibility that the winding-up order would benefit those applying for it) was not satisfied.

The Court held that it was not open to the Company to raise the jurisdictional challenge 2.5 years after the Petition was presented and, in any event, there was no merit in such argument.

The Court also noted that there was no evidence to show that the Company had made any real effort in pursuing the restructuring proposals, and that the history of the matter showed that the Company had used the so-called restructuring effort to obtain multiple adjournments and yet failed to comply with a number of orders requiring the Company to file affidavit evidence to deal with the progress of such restructuring.

In the circumstances, the Court was satisfied that it should exercise its discretionary jurisdiction under s.327(3) of the Companies (Winding Up and Miscellaneous Provisions) Ordinance (Cap. 32) (“CWUO”) and made a winding-up order against the Company.

3. Duty of the directors of an insolvent company and potential costs order against the Company’s directors

The Hon Linda Chan J emphasized that the directors of an insolvent company are duty bound to (a) consider whether there is any reasonable prospect of the company avoiding going into insolvent liquidation, and (b) take step to put the company into liquidation where there is no viable restructuring proposal supported by the requisite majorities of creditors. Such duty is enshrined in the avoidance provisions under the CWUO (such as s.266, which renders debts paid subject to unfair preferences voidable, and s.275, which imposes liability on directors for fraudulent trading). Where a company is insolvent or of doubtful solvency, the directors in carrying out their duty to the company must take into account the interests of the creditors, which should be regarded as paramount. This is because the interests of the company are in reality the interests of the creditors, whose money is at stake.

The Court held that it must have been clear to the directors of the Company, who were said to be in discussion with the institutional creditors concerning the restructuring proposals, that there was no reasonable prospect for the Company to be able to implement any proposals to compromise its debts so as to avoid liquidation. As soon as they became aware that the restructuring proposal would not be implemented, the directors should have taken step to cause the Company to be wound up so as to protect and safeguard the interests of the unsecured creditors. When pressed upon by the Court, the Company was unable to identify any justification as to how it was in the interests of the Company and the creditors to oppose the Petition, mindful of the Company’s insolvent state, the directors’ duty to protect the interests of the creditors and the lack of any viable restructuring proposals.

4. Adverse costs order against the directors

The Court further criticized the directors for causing the Company to continue to oppose the Petition by raising the jurisdictional challenge that was devoid of merits. The Court concluded that it may be appropriate to depart from the usual costs order (which is that the costs of the Petitioner and one set of costs for the Supporting Creditors be paid out of the assets of the Company) and to consider ordering the directors to pay for the costs of and occasioned by the Company’s opposition to the Petition from the time when they became aware that the restructuring proposals would not be implemented. The directors of the Company were joined as respondents to the Petition for costs purpose only, and the Court directed them to file and serve evidence and/or submission to explain why they should not be liable for costs.

Upon considering the submissions subsequently filed by the six relevant directors, the Hon Linda Chan J concluded that there was no basis for them to cause the Company to oppose the petition on jurisdictional ground, which was advanced as the only ground in opposition to the Petition at the 23 August 2022 hearing.

The Court ordered three Independent Non-Executive Directors and an Executive Director, who were directors of the Company at the materials times and who remained in office on the date when the Company was ordered to wind up, to pay to the Petitioner, the Supporting Creditors (with one set of costs) and the Official Receiver their costs of and occasioned by the Company’s opposition to the Petition at the hearing on 23 August 2022. As to the two Executive Directors who had ceased to be directors of the Company from 4 September 2021 and 15 May 2021 respectively, the Court was satisfied that after their resignation, they were not involved in causing the Company to oppose the Petition, and hence they were not ordered to pay the costs occasioned by such opposition.

5. Conclusion

This judgment serves as a useful reminder of the directors’ duty where a company is insolvent or of doubtful solvency. When discharging their duty, directors of an insolvent company must consider the creditors’ interests as paramount and take those into account in exercising their discretion. They are duty bound to consider whether there is any reasonable prospect of the company avoiding insolvent liquidation, and should take step to wind up the company where there is no viable option.

If the directors fail to discharge such duty and yet cause the company to oppose a winding-up petition unreasonably, they may face adverse costs consequence and may be held liable for the costs of and occasioned by opposing the winding-up petition.

________________________

[1] Re Carnival Group International Holdings Limited [2022] HKCFI 2668, available here.

[2] Re Carnival Group International Holdings Limited [2022] HKCFI 3097, available here.

[3] Please refer to paragraph 2 of our client alert “Hong Kong Court of Final Appeal Confirms That ‘Leverage’ Satisfies the ‘Benefit’ Requirement for Winding Up Foreign Companies”, available here, for an explanation of the three core requirements.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, or the authors and the following lawyers in the Litigation Practice Group of the firm in Hong Kong:

Brian Gilchrist (+852 2214 3820, bgilchrist@gibsondunn.com)
Elaine Chen (+852 2214 3821, echen@gibsondunn.com)
Alex Wong (+852 2214 3822, awong@gibsondunn.com)
Celine Leung (+852 2214 3823, cleung@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On October 3, 2022, in In re Stream TV Networks, Inc. Omnibus Agreement Litigation,[1] Vice Chancellor Laster of the Delaware Court of Chancery issued an extraordinary order unwinding a transaction by divesting a party’s ownership of shares in a Delaware corporation and vesting ownership of those same shares in another litigant. Finding the divested party in contempt because of its efforts to undermine the Court of Chancery’s earlier orders in the case, Vice Chancellor Laster accomplished this result in reliance on a Court of Chancery rule that does not appear to have been relied on in any previously reported decision, but which empowers the Court to reassign ownership of Delaware property. This decision should serve as a powerful wake-up call to Delaware litigants as to both the extent of the Court of Chancery’s authority and the dangers of being “too clever by half” in attempting to narrowly construe its orders.

Facts and Procedural History

In re Stream involved an agreement between Stream TV Networks, Inc. (“Stream”), its secured creditors, including Hawk Investment Holdings Ltd. (“Hawk”), and certain of its shareholders, that was entered into after Stream had defaulted on its secured debt. The creditors’ debt was secured by all of Stream’s assets, which primarily consisted of shares in an operating subsidiary incorporated in Delaware (the “Shares”). In the agreement, Stream agreed to transfer all of its assets to SeeCubic, Inc. (“SeeCubic”), a newly formed entity controlled by the secured creditors, while Stream’s minority shareholders received the right to exchange their shares in Stream for shares in SeeCubic.[2] Stream’s majority shareholders objected, leading to litigation in the Delaware Court of Chancery concerning the agreement’s validity.

In December 2020, the Court of Chancery held that the agreement was enforceable and preliminarily enjoined the parties from “taking any action to interfere with it,”[3] after which SeeCubic acquired Stream’s assets, including the Shares. The Court of Chancery subsequently granted summary judgment as to the validity of the agreement and issued a permanent injunction in September 2021.[4] The Delaware Supreme Court reversed, however, holding that the agreement was invalid because it had not been approved by Stream’s majority shareholders, and remanded the case for further proceedings.[5] Because the agreement was invalid, the Court of Chancery directed that the disputed assets be returned to Stream, including the Shares.[6] Hawk then sought permission to immediately exercise its rights as a secured creditor prior to that transfer, which the Court of Chancery denied.[7] Vice Chancellor Laster explained that returning the parties to the same positions they had enjoyed prior to the since-reversed rulings was “not possible” due to the passage of time, but “unwinding the transfer of the [assets was] nevertheless the closest possible alternative” and would allow Stream “to conduct business and make efforts to satisfy the claims of Hawk and Stream’s other creditors.”[8]

According to the Court of Chancery, on September 30, 2022, SeeCubic and Hawk next engaged in “a series of coordinated acts in which SeeCubic would transfer the Shares to Stream in a manner that would enable Hawk to seize them by acting before Stream could respond,” ensuring that they would end up in Hawk’s possession.[9]

First, SeeCubic informed the Court that the assets had been returned to Stream. Next, twenty-three minutes later, Hawk sent a letter consisting of “dense legalese”—replete with defined terms, as well as citations to and quotations from several contracts and court orders—that “could not have been drafted in the twenty-three minutes that [had] elapsed,” which demanded that title to the Shares immediately be registered in Hawk’s name.[10] That registration occurred three minutes after the letter was sent, so quickly that the letter’s recipient “could not have reviewed Hawk’s letter, considered its implications, and updated [its] stock ledger.”[11] Finally, one hour later after the shares were registered in Hawk’s name, Hawk wrote to the Court that it now owned the Shares and had exercised various rights as shareholder of the operating subsidiary, including changing the subsidiaries bylaws and the constitution of its board of directors.

In all, “[t]he choreographed sequence of events took place during an extended lunch hour, starting at 11:45am and ending at 1:18 p.m.,” causing Vice Chancellor Laster to comment that “[i]t was not possible for [the parties] to have taken the actions they did without advance notice, preparation, and an overarching plan.”[12] Later that same day, Stream filed an emergency motion with the Court of Chancery, which the Court granted.

The Court’s Ruling

On October 3, 2022, the Court of Chancery held SeeCubic and Hawk in contempt because they had acted in concert to undermine the Court’s earlier orders. Vice Chancellor Laster divested Hawk’s ownership of the Shares, vested their ownership in Stream, and temporarily enjoined SeeCubic and Hawk from interfering with Stream’s ownership of the Shares.

The Delaware Court of Chancery exercises discretion in imposing contempt sanctions, employing an equitable standard in deciding whether a party failed to obey the court’s orders “in a meaningful way.”[13] SeeCubic argued that it complied with the earlier order because it had transferred the Shares to Stream, but the Court focused on the intentionally transitory nature of Stream’s ownership, which lasted for only minutes before title was further transferred to Hawk as a result of SeeCubic and Hawk’s coordination. Vice Chancellor Laster explained that he had intended for Stream to have ownership of the Shares that afforded it a meaningful opportunity to engage with its secured creditors.[14] SeeCubic and Hawk deprived Stream of this intended opportunity, however, ignoring that Vice Chancellor Laster’s earlier decisions “did not envision a choreographed transfer” by SeeCubic and Hawk to “seize the Shares before Stream could react.”[15] By purposefully frustrating the intended result, SeeCubic and Hawk acted in contempt.

Employing an apparently unprecedented remedy, the Court of Chancery divested Hawk’s ownership of the Shares, vesting their ownership in Stream instead. The Court’s rules provide that, “in proper cases” in which a “party [is] in contempt,” the Court “may enter a judgment divesting the title of any party” to “real or personal property . . . within the jurisdiction of the Court” and “vesting it in others.”[16] Because “[s]hares of stock in a Delaware corporation are personal property within the jurisdiction of the Court,” it was empowered to transfer the Shares’ ownership.[17] Vice Chancellor Laster commented that the pertinent rule has never before been invoked in a reported Court of Chancery opinion. He reasoned that “[e]xtraordinary facts will sometimes call for extraordinary remedies” in order “to give the parties that to which they are entitled,” however, and “the fact that a particular form of relief is unprecedented does not mean it is unwarranted or unavailable.”[18]

Further, the Court of Chancery granted a ten-day injunction barring SeeCubic and Hawk from interfering with Stream’s ownership of the Shares, in an effort to restore the parties to roughly the same state they had occupied before the Court of Chancery’s since-reversed December 2020 decision.[19] Because Hawk had not yet exercised its rights as a secured creditor at that time, Stream was entitled to some period of time to act as owner of the Shares without Hawk’s interference. Reassigning the Shares’ ownership and granting a temporary injunction, Vice Chancellor Laster explained, would achieve the outcome envisioned by the earlier order that SeeCubic and Hawk sought to evade.

CONCLUSION

Despite the Delaware Court of Chancery’s observation that this case involved “[e]xtraordinary facts,” In re Stream may have significant implications. And, at a minimum, is a powerful reminder to litigants in all courts of the dangers inherent in playing fast and loose in adherence with court orders. As demonstrated by In re Stream, technical attempts to abide by the letter of the law while ignoring its spirit may not end well.

_____________________________

[1] — A.3d —-, 2022 WL 4675753 (Del. Ch. 2022) (“In re Stream”).

[2] Id.

[3] Stream TV Networks, Inc. v. SeeCubic, Inc., 250 A.3d 1016 (Del. Ch. 2020).

[4] Stream TV Networks, Inc. v. SeeCubic, Inc., 2021 WL 4352732 (Del. Ch. Sept. 23, 2021).

[5] Stream TV Networks, Inc. v. SeeCubic, Inc., 279 A.3d 323 (Del. 2022).

[6] Stream TV Networks, Inc. v. SeeCubic, Inc., 2022 WL 3283863 (Del. Ch. Aug. 22, 2022).

[7] In re Stream TV Networks, Inc. Omnibus Agreement Litig., 2022 WL 4491925 (Sept. 28, 2022).

[8] Id. at *3-4.

[9] In re Stream, 2022 WL 4675753 , at *6.

[10] Id. at *4.

[11] Id.

[12] Id. at *7.

[13] Id. at *6.

[14] Id. at *7.

[15] Id. at *1.

[16] Ct. Ch. R. 70(a).

[17] In re Stream, 2022 WL 4675753, at *8.

[18] Id.

[19] Id. at *9.

The following Gibson Dunn attorneys assisted in preparing this client update: Shireen Barday, Michael Nadler, Priya Datta, and Emma Li*.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Securities Litigation practice group, or the authors:

Shireen A. Barday – New York (+1 212-351-2621, sbarday@gibsondunn.com)
Michael Nadler – New York (+1 212-351-2306, mnadler@gibsondunn.com)

Securities Litigation Group:
Monica K. Loseman – Co-Chair, Denver (+1 303-298-5784, mloseman@gibsondunn.com)
Brian M. Lutz – Co-Chair, San Francisco/New York (+1 415-393-8379/+1 212-351-3881, blutz@gibsondunn.com)
Craig Varnen – Co-Chair, Los Angeles (+1 213-229-7922, cvarnen@gibsondunn.com)
Shireen A. Barday – New York (+1 212-351-2621, sbarday@gibsondunn.com)
Christopher D. Belelieu – New York (+1 212-351-3801, cbelelieu@gibsondunn.com)
Jefferson Bell – New York (+1 212-351-2395, jbell@gibsondunn.com)
Michael D. Celio – Palo Alto (+1 650-849-5326, mcelio@gibsondunn.com)
Paul J. Collins – Palo Alto (+1 650-849-5309, pcollins@gibsondunn.com)
Jennifer L. Conn – New York (+1 212-351-4086, jconn@gibsondunn.com)
Thad A. Davis – San Francisco (+1 415-393-8251, tadavis@gibsondunn.com)
Ethan Dettmer – San Francisco (+1 415-393-8292, edettmer@gibsondunn.com)
Jason J. Mendro – Washington, D.C. (+1 202-887-3726, jmendro@gibsondunn.com)
Alex Mircheff – Los Angeles (+1 213-229-7307, amircheff@gibsondunn.com)
Robert F. Serio – New York (+1 212-351-3917, rserio@gibsondunn.com)
Jessica Valenzuela – Palo Alto (+1 650-849-5282, jvalenzuela@gibsondunn.com)
Robert C. Walters – Dallas (+1 214-698-3114, rwalters@gibsondunn.com)

* Emma Li is a recent law graduate practicing in the firm’s New York office and not yet admitted to practice law.

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On September 23, 2022, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) issued General License D-2 (“GL D-2”), expanding a prior authorization to further facilitate the free flow of information over the internet to, from, and among residents of Iran. GL D-2 authorizes the exportation to Iran of certain services, software, and hardware incident to the exchange of internet-based communications. GL D-2 supersedes and replaces an existing license, General License D-1 (“GL D-1”), that had been in place without update for over eight years. According to the Treasury Department, the updated license is designed to bring the scope of the license in line with modern technology and ultimately to expand internet access for Iranians, providing them with “more options of secure, outside platforms and services.” As noted below, even though GL D-2 certainly expands upon the types of software and services allowed to be exported, one of its principal effects will likely be the enhanced comfort parties may have in providing such technology to Iran. GL D-1 was often not fully leveraged by the exporting community that was concerned about the extent of coverage. GL D-2 is an evident attempt to right this balance, making sure that exporters remain aware of limitations while also providing more certainty to those who wish to leverage the exemption.

GL D-2 is the latest Biden Administration effort to support the Iranians protesting the death of Mahsa Amini, a 22-year-old woman who was arrested by Iran’s Morality Police for allegedly violating the country’s laws on female dress and who died in police custody on September 16. Iranian protest-related videos and messages on the internet and social media have captured local and global attention. The United Nations Secretary-General, among others, has called for an independent investigation into Amini’s death. The Iranian government, meanwhile, has violently responded to protests and cut off internet access for most of its nearly 80 million citizens. OFAC’s initial response on September 22 was to impose blocking sanctions on Iran’s Morality Police and on seven senior leaders of Iran’s security organizations that have overseen the suppression of peaceful protests. The next day, OFAC issued GL D-2 and published accompanying FAQ guidance. The State Department highlighted the development as a step toward ensuring that the “Iranian people are not kept isolated and in the dark.”

GL D-2 retains much of the core operative language from GL D-1, including certain limitations. For example, the expansion in authorized services does not apply to the Government of Iran, for which there is still no authorization for fee-based services, and the license does not authorize services to most Iranian Specially Designated Nationals (“SDNs”). At the same time, as described by the Treasury Department, GL D-2 has modernized and broadened the authorization originally granted in GL D-1 in a number of meaningful ways. We highlight below the most notable updates.

Authorized Communications No Longer Need to Be “Personal”

As mentioned, GL D-2 authorizes the exportation to Iran of certain services, software, and hardware incident to the exchange of “communications over the [i]nternet.” Notably absent throughout the license is the requirement, previously present in GL D-1, that required the internet-based communications be “personal.” This is a significant change, because what exactly qualified as a “personal communication” under GL D-1 has been a gray area that caused many compliance questions. Indeed, a Treasury Department official confirmed that the change was motivated by feedback from industry that the “personal” limitation was “a sticking point.” This update makes clear that technology companies need not assess the “personal” nature of communications, which may make such companies and others more comfortable relying on the license.

This is also not the first time OFAC has omitted or removed the “personal” requirement in a communications-related general license authorizing internet-based activities. This past July, for example, OFAC issued General License No. 25C under its Russia Harmful Foreign Activities Program (promulgated in response to Russia’s invasion of Ukraine). This General License also allows the exportation of communications-related services to Russia without requiring that such communications be “personal.” Another example is the 2015 amendment by OFAC of the Cuba sanctions regulations which also dropped the “personal” requirement from that program’s internet-communications license.

Casting a Wider Net Over Supporting Software

The new license has also further expanded the authorization of software. GL D-2 now allows the export of certain supporting software that is “incident to” or “enables” internet communications. Previously, GL D-1 only permitted software “necessary to enable” internet communications. By removing the requirement that software be “necessary” to support authorized services, GL D-2 expands the types of software covered by the exemption and provides an additional measure of confidence to exporters of internet-based communications software.

Additional Activities Are Now Expressly Covered

Compared to its predecessor license, the authorizing language in GL D-2 is broader and more explicit regarding the types of services that U.S. persons may offer to people in Iran. Previously, OFAC’s guidance listed only six examples of permitted activities: “instant messaging, chat and email, social networking, sharing of photos and movies, web browsing, and blogging.” GL D-2 expands on that illustrative list, adding “social media platforms, collaboration platforms, video conferencing, e-gaming, e-learning platforms, automated translation, web maps, and user authentication services.” In our view, many of the newly added activities were likely already authorized under the prior GL D-1, but their addition to GL D-2 helps to confirm that they are indeed covered.

Entirely New Cloud-Based Authorization That Extends Beyond GL D-2

GL D-2 authorizes the provision of cloud-based services in support of both the activities enumerated in GL D-2 and “any other transaction authorized or exempt under the [Iranian Transactions and Sanctions Regulations (‘ITSR’)].” As a Treasury Department official explained, cloud-based services are key to aiding Iranians’ access to the internet because “today so many VPNs and other [sorts] of anti-surveillance tools are delivered via cloud.”

This cloud-based authorization is among the most significant expansions of GL D-1’s original authorization, because it applies to a variety of transactions, parties, and services beyond those listed in GL D-2. For instance, as described in FAQ 1087, the cloud-based services provision applies to “news outlets and media websites covered by the exemption for information or informational materials in section 560.210(c) of the ITSR.” Treasury also highlights that the cloud-based services provision applies to other transactions authorized under the ITSR, including:

transactions “necessary and ordinarily incident to publishing authorized pursuant to [ITSR] section 560.538”;
transactions “for the conduct of the official business of certain international organizations pursuant to [ITSR] section 560.539”;
the “sale and exportation of agricultural commodities, medicine, medical devices, and certain software and services pursuant to [ITSR] section 560.530”; and
transactions “authorized pursuant to any [other] general or specific licenses issued under the ITSR.”

Coverage of “No-Cost” Services and Software

Under the prior regime, GL D-1 authorized fee-based services and software, while the general license at ITSR section 560.540 contained a parallel authorization for services and software provided at no cost. GL D-2 explicitly covers both fee-based and no-cost activity, but no-cost services to the Government of Iran continue to be limited to those described in Section 560.540, which retains the “personal” communications requirement that has been dropped from GL D-2. This combination of restrictions means that it is permissible, for example, to provide the Government of Iran with a no-cost instant messaging service, but not with a fee-based collaboration platform supporting a commercial endeavor.

Clarification of Providers’ Due Diligence Obligations

In conjunction with the expansion of permitted activities under GL D-2, the Treasury Department released guidance regarding cloud-based providers’ due diligence obligations under the new license. In FAQ 1088, OFAC explained that providers whose non-Iranian customers provide services or software to persons in Iran may rely on GL D-2 as long as the provider conducts due diligence based on information available to it in the “ordinary course of business.” This “ordinary course of business” formulation is not new, and OFAC has increasingly used this standard in describing its due diligence expectations. See, for example, FAQ 901 on complying with the Chinese Military Companies Sanctions under Executive Order 13959.

In FAQ 1088, OFAC provides several hypotheticals to further articulate its expectations: If a U.S.-based provider supports non-Iranian customers that supply access to activities authorized under GL D-2—such as providing access to Iranian news sites or VPNs—then the U.S.-based provider need not evaluate whether providing access to Iranian end users is related to communications. On the other hand, if a U.S.-based provider supports non-Iranian customers providing services or software not incident to communications under GL D-2—for instance, if the non-Iranian customer provides payroll-management software to Iran—then the U.S.-based provider must evaluate whether the service or software is a prohibited export.

Expansion of Specific Licensing Policy

GL D-2 also expands OFAC’s policy for reviewing applications for specific licenses for activities not authorized by the license. In FAQ 1089, the Treasury Department encourages specific license applications by those seeking to export items or “conduct other activities in support of internet freedom in Iran” that are not authorized by GL D-2.

In particular, GL D-2 expands OFAC’s specific licensing policy by encouraging applications for specific licenses for “activities to support internet freedom in Iran, including development and hosting of anti-surveillance software by Iranian developers.” A Treasury Department official described the agency’s specific licensing policy under GL D-2 as “forward-leaning” and “supportive,” noting that “OFAC will expedite [specific license applications]” by working with the State Department for foreign policy guidance.

Key License Features That Have Remained the Same

While GL D-2 uses a number of mechanisms to increase internet access for Iranians, certain exceptions and other limitations have carried over from GL D-1:

The updated license still provides (1) no coverage for most Iranian SDNs and (2) coverage of only no-cost services or software for the Iranian government (as opposed to those that are fee-based). These exclusions do not represent a change in OFAC’s licensing scheme, as GL D-1 contained the same prohibitions.

The license’s Annex—which contains the various categories of additional authorized software and hardware—is unchanged. GL D-2 continues to permit the provision of anti-virus, anti-malware, and anti-tracking software, as well as VPN client software and anti-censorship tools under certain conditions.

GL D-2’s software/hardware authorization is still largely limited to items either classified as EAR99 or mass-market (i.e., 5D992.c or 5A992.c) under the Commerce Control List, or to items that would be so classified if in the United States.

* * *

GL D-2 is a welcome upgrade and enhancement to GL D-1, and should encourage the private sector to be more forward leaning with respect to tools and technologies incident to internet-based communications that are now listed or otherwise covered by the license. It remains to be seen whether corresponding changes will be made to communications-related licenses under other OFAC programs. We will continue to report on, and advise on, these nuances as well as any further developments in this evolving area of sanctions law.

The following Gibson Dunn lawyers prepared this client alert: Audi Syarief, Samantha Sewall, Lanie Corrigan*, Judith Alison Lee, Adam M. Smith, and Stephenie Gosnell Handler.

United States
Judith Alison Lee – Co-Chair, International Trade Practice, Washington, D.C. (+1 202-887-3591, jalee@gibsondunn.com)
Ronald Kirk – Co-Chair, International Trade Practice, Dallas (+1 214-698-3295, rkirk@gibsondunn.com)
Courtney M. Brown – Washington, D.C. (+1 202-955-8685, cmbrown@gibsondunn.com)
David P. Burns – Washington, D.C. (+1 202-887-3786, dburns@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202-955-8510, shandler@gibsondunn.com)
Nicola T. Hanna – Los Angeles (+1 213-229-7269, nhanna@gibsondunn.com)
Marcellus A. McRae – Los Angeles (+1 213-229-7675, mmcrae@gibsondunn.com)
Adam M. Smith – Washington, D.C. (+1 202-887-3547, asmith@gibsondunn.com)
Christopher T. Timura – Washington, D.C. (+1 202-887-3690, ctimura@gibsondunn.com)
Annie Motto – Washington, D.C. (+1 212-351-3803, amotto@gibsondunn.com)
Chris R. Mullen – Washington, D.C. (+1 202-955-8250, cmullen@gibsondunn.com)
Samantha Sewall – Washington, D.C. (+1 202-887-3509, ssewall@gibsondunn.com)
Audi K. Syarief – Washington, D.C. (+1 202-955-8266, asyarief@gibsondunn.com)
Scott R. Toussaint – Washington, D.C. (+1 202-887-3588, stoussaint@gibsondunn.com)
Shuo (Josh) Zhang – Washington, D.C. (+1 202-955-8270, szhang@gibsondunn.com)

* Lanie Corrigan is a recent law graduate practicing in the firm’s Washington, D.C. office and not yet admitted to practice law.

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Finally, some welcome news for employers who utilize automated employment decision tools (“AEDT”) in New York City: the Department of Consumer and Worker Protection (“DCWP”) has proposed rules in an attempt to clarify numerous ambiguities in New York City’s Artificial Intelligence (“AI”) law, which takes effect on January 1, 2023.[1]

New York City’s law will restrict employers from using AEDT in hiring and promotion decisions unless it has been the subject of a bias audit by an “independent auditor” no more than one year prior to use.[2] The law also imposes certain posting and notice requirements to applicants and employees.

As detailed below, the DCWP’s proposed rules are currently under consideration and may well invite more questions than answers as uncertainty about the requirements lingers. Comments can be submitted to the DCWP, and a public hearing will be held on October 24, 2022 to determine whether any or all of the rules will be formally adopted. Below is a brief summary of the proposed rules.

Clarifying Definitions: Several key terms that are not defined in the law itself will be defined if the proposed rules are passed.

For example, the proposed rules define “independent auditor” as “a person or group that is not involved in using or developing an AEDT that is responsible for conducting a bias audit of such AEDT.” Although the proposed definition signals that a vendor who developed the AEDT may not be a sufficiently “independent” auditor (depending on the facts and circumstances), the proposed rules provide an example of a vendor permissibly providing data for a bias audit. It remains to be seen whether there will be further clarification regarding which vendors may conduct the required bias audit.

The proposed rules define “candidate for employment” as “a person who has applied for a specific employment position by submitting the necessary information and/or items in the format required by the employer or employment agency.” As such, the proposed rules clarify that potential applicants who have not yet applied for a position would not be covered by the new law.

The AI law itself defines an AEDT as “any computational process, derived from machine learning, statistical modeling, data analytics, or artificial intelligence, that issues simplified output, including a score, classification, or recommendation, that is used to substantially assist or replace discretionary decision making for making employment decisions that impact natural persons.” The proposed rules clarify that the phrase “to substantially assist or replace discretionary decision making” means that the covered tool (a) relies “solely on a simplified output,” (b) uses “a simplified output as one set of criteria where the output is weighted more than any other criterion in the set,” or (c) uses “a simplified output to overrule or modify conclusions derived from other factors including human decision-making.”

Bias Audit: The proposed rules also specify the requirements for a bias audit, which include calculating the selection rate and impact ratio for each EEO-1 category on an employer’s Equal Employment Opportunity Commission Employer Information Report (i.e., race, ethnicity, and sex).

The calculations set forth in the proposed rules are generally consistent with the EEOC’s Uniform Guidelines on Employee Selection Procedures. Notably, the proposed rules explain that the selection rate is “the rate at which individuals in a category are either selected to move forward in the hiring process or assigned a classification by an AEDT” as compared to the total number of individuals in the category who applied for a position or were considered for promotion. Meanwhile, the impact ratio is defined as “either (1) the selection rate for a category divided by the selection rate of the most selected category or (2) the average score of all individuals in a category divided by the average score of individuals in the highest scoring category.”

The proposed rules provide examples of bias audits that indicate that such audits must conduct an intersectional analysis of protected categories (e.g., examining the impact rate for race and sex combined) in addition to analyzing each category independently. The proposed rules do not address situations in which data may be incomplete for certain categories. Nor do the proposed rules address circumstances where the data set is too small to give rise to a statistically significant impact ratio.

With respect to publishing the results of the bias audit, the proposed rules would require the posting be made “publicly available on the careers or job section of their website in a clear and conspicuous manner,” and include the date of the audit, the distribution date of the tool, and the selection rates and impact ratios for all categories.

Notice: The New York City law requires employers to provide advance notice to individuals who reside in New York City at least 10 business days before use of the AEDT, the opportunity to request an alternative selection process or accommodation, the job qualifications or characteristics that the AEDT will use in connection with the assessment, the employer’s retention policy, and the type and source of data collected for the AEDT. The proposed rules outline several different ways by which, if passed, employers may provide notice for candidates and employees.

For the law’s requirement of notice regarding the use of an AEDT, instructions for how to request an alternative selection process or accommodation, and the job qualifications and characteristics used by the AEDT, the proposed rules would allow employers to provide notice to applicants (a) “on the careers or jobs section” of an employer’s website, (b) “in a job posting,” or (c) “via U.S. mail or e-mail” at least 10 business days prior to use of the AEDT. For employees, employers would be able to provide this notice “in a written policy or procedure” at least 10 business days prior to use or through the mechanisms outlined in (b) and (c) above.

Under the proposed rules, an employer would satisfy the law’s requirement of notices regarding the type of data collected, the source of the data, and the data retention policy by posting this information “on the careers or jobs section” of their website or by providing it in writing “via U.S. mail or e-mail” within 30 days of receiving a request to provide such information.

* * *

Legislatures and regulatory agencies have continued to focus on employers’ use of AEDT.[3] Most recently, on September 13, 2022, the EEOC co-hosted an event with the OFCCP titled Decoded: Can Technology Advance Equitable Recruiting and Hiring?. During the event, EEOC Chair Charlotte A. Burrows and OFCCP Director Jenny R. Yang underscored the need for employers to think carefully about the factors that AEDT are assessing, including whether those factors are tailored to the skills and abilities required by the specific position, and to ensure that AEDT do not have a disparate impact based on protected categories. Accordingly, employers who have already implemented or may implement AEDT in the workplace should consider the impact of these legislative and regulatory developments to ensure compliance with upcoming laws and enhanced regulatory scrutiny.

_________________________

[1] NYC Dep’t Consumer & Worker Prot., Notice of Public Hearing and Opportunity to Comment on Proposed Rules, https://rules.cityofnewyork.us/wp-content/uploads/2022/09/DCWP-NOH-AEDTs-1.pdf.

[2] For more details, please see Gibson Dunn’s New York City Enacts Law Restricting Use of Artificial Intelligence in Employment Decisions.

[3] For more details, please see Gibson Dunn’s Keeping Up with the EEOC: Artificial Intelligence Guidance and Enforcement Action and Danielle Moss, Harris Mufson, and Emily Lamm, Medley Of State AI Laws Pose Employer Compliance Hurdles, Law360 (Mar. 30, 2022), available at https://www.gibsondunn.com/wp-content/uploads/2022/03/Moss-Mufson-Lamm-Medley-Of-State-AI-Laws-Pose-Employer-Compliance-Hurdles-Law360-Employment-Authority-03-30-2022.pdf.

The following Gibson Dunn attorneys assisted in preparing this client update: Harris Mufson, Danielle Moss, and Emily Maxim Lamm.

Harris M. Mufson – New York (+1 212-351-3805, hmufson@gibsondunn.com)

Danielle J. Moss – New York (+1 212-351-6338, dmoss@gibsondunn.com)

Jason C. Schwartz – Co-Chair, Labor & Employment Group, Washington, D.C.
(+1 202-955-8242, jschwartz@gibsondunn.com)

Katherine V.A. Smith – Co-Chair, Labor & Employment Group, Los Angeles
(+1 213-229-7107, ksmith@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On September 15, 2022, Deputy Attorney General Lisa Monaco announced updates, new policies, and clarifications to the U.S. Department of Justice’s (“DOJ”) corporate criminal enforcement policies. After seeking feedback from industry stakeholders and practitioners, the announcement touches on six key areas: (1) voluntary self-disclosure; (2) cooperation credit; (3) compliance programs; (4) prior corporate misconduct; (5) corporate monitors; and (6) individual prosecutions.[1]

This announcement was followed by the release of a memorandum, titled Further Revisions to Corporate Criminal Enforcement Policies Following Discussions With Corporate Criminal Advisory Group.[2] The announcement and memorandum (collectively, the “New Policy”) also builds upon and clarifies the Deputy Attorney General’s policy announcements from October 2021 (collectively, the “2021 Policy”), following the Deputy Attorney General’s consultation with key stakeholders including members of the defense bar.[3] Later speeches by Assistant Attorney General Kenneth Polite[4] and Principal Associate Deputy Attorney General Marshall Miller[5] further expounded on the New Policy.

Based on our collective experience and tracking of DOJ actions over decades, the New Policy is notable for both what it does and what it does not do. As discussed below, for example, while the New Policy broadens the use of written policies on voluntary self-disclosure credit across the Department, it leaves undisturbed DOJ’s prior guidance that cooperation credit cannot be conditioned on waiver of attorney-client privilege. And the New Policy does not rescind or revisit one of the prior administration’s more notable criminal policy pronouncements, the so-called anti-“piling on” policy that directs DOJ to avoid duplicative fines or penalties for the same underlying conduct. Moreover, much of what the New Policy articulates underscores priorities and guidance previously enunciated by the Department.

Nevertheless, both its language and the precision of some elements make clear that the Department intends for the New Policy to be viewed as a meaningful pivot in several important ways. Accordingly, the New Policy is bound to affect how companies conduct risk assessments; build, test, and refine their compliance programs; investigate potential misconduct; and structure compensation plans and the type of incentives and clawbacks implemented. It will also change the voluntary self-disclosure calculus. For prosecutors, the New Policy will likely affect charging assessments and the imposition and management of corporate monitorships.

Below we provide a summary of the key policy changes and clarifications, along with our observations regarding their potential implications.

1. Voluntary Self-Disclosure

DOJ will institute transparent policies and procedures ensuring that voluntary self-disclosure will result in more favorable resolutions than if DOJ learned of the misconduct through other means and that the benefit of such a disclosure is clear and predictable.

To this end, every DOJ component that prosecutes corporate crime must have a formal written policy that incentivizes voluntary self-disclosure.

Absent “aggravating factors,” prosecutors will not seek a guilty plea in instances where the company has voluntarily self-disclosed the misconduct, cooperated, and remediated the misconduct. The Department will not require an independent compliance monitor for such a corporation if, at the time of resolution, it has also implemented and tested an effective compliance program.

Although DOJ has long strived to incentivize voluntary self-disclosure, this is the first policy statement that articulates the promised benefits so clearly and concretely and on a Department-wide basis. Although some individual DOJ components have policies encouraging self-disclosure, such as the Foreign Corrupt Practices Act (“FCPA”) Unit’s Program, the National Security Division’s disclosure policy, and the Antitrust Division’s Leniency Program, this is the first time DOJ has required all components that prosecute corporate crime to draft and publicly share a formal written voluntary self-disclosure policy. DOJ components that currently investigate and prosecute corporate crime without such a policy include, for example, the Consumer Protection Branch, the Money Laundering & Asset Forfeiture Section, and U.S. Attorneys’ Offices.

Although DOJ has committed not to seek a guilty plea in instances where the company has self-disclosed, cooperated, and remediated, DOJ has preserved some flexibility for itself with the phrase “absent the presence of aggravating factors.”[6] Assistant Attorney General Polite clarified that the aggravating factors the Criminal Division will consider include involvement of executive management in the misconduct, significant profit to the company from the misconduct, or “pervasive or egregious” misconduct.[7] Notwithstanding the considerable flexibility this leaves the Department, this commitment is significant if for no other reason than that it appears to foreclose, absent aggravating factors, the possibility of the Department seeking a guilty plea even from a subsidiary—a course that DOJ has sometimes taken instead of parent-level guilty pleas. Voluntary self-disclosure has now become the fundamental gating issue under the New Policy. Consequently, consideration of whether disclosure is truly voluntary will be hotly debated in this context.

2. Cooperation Credit

DOJ will update its Justice Manual, a comprehensive collection of standards that guide prosecutors from the start of an investigation through prosecution, to ensure greater consistency across components regarding the standard to receive maximum cooperation credit.

Regarding the 2021 Policy’s reinstatement of a requirement that corporations must provide all non-privileged information about all culpable individuals to qualify for cooperation credit, DOJ now expects prompt delivery of such information.

DOJ will provide cooperation credit to companies that find solutions to address data privacy laws, blocking statutes, and other foreign restrictions and may draw adverse inferences if companies improperly use such restrictions to prevent detection or hinder a DOJ investigation.

Updating the Justice Manual to create consistent standards for cooperation credit across DOJ components and U.S. Attorney’s Offices is a welcome change that will better ensure corporate defendants are not held to uneven standards by different components.

DOJ’s willingness to provide cooperation credit to companies that find creative solutions to address privacy laws, blocking statutes, and other restrictions to evidence collection in foreign jurisdictions is likely an outgrowth of DOJ’s perception, albeit mistaken, that companies are hiding behind foreign legal restrictions for self-serving purposes. When DOJ proposes a potential solution to address complications presented by foreign law restrictions—based at least in part on DOJ’s experience with cooperating companies in other investigations—companies risk losing cooperation credit in rejecting such solutions without a persuasive explanation as to why they are infeasible.

In his speech, Principal Deputy Attorney General Marshall Miller underscored the importance of “timeliness” in obtaining cooperation credit, noting that “delay is the prosecutor’s enemy.”[8]

3. Corporate Compliance Programs

When assessing a company’s compliance program, prosecutors must consider whether the company’s compensation systems include clawback or deferred compensation provisions for bad actors and incentivize compliant behavior.

The Department will scrutinize policies and procedures to ensure that business-related communications on employees’ personal devices and third-party messaging platforms are preserved and provided to DOJ in an investigation.

Deputy Attorney General Monaco directed the Criminal Division to provide further guidance by the end of this year on how to reward corporations that develop and apply compensation clawback policies and place the burden of financial penalties onto those responsible for misconduct. The day after the guidance was released, Assistant Attorney General Polite further noted that the DOJ would work with agency partners and experts on executive compensation to help develop this guidance.[9]

The New Policy’s changes regarding the preservation and production of communications are likely a manifestation of DOJ’s frustration with companies that are unable to retrieve communications stored on employees’ personal devices or third-party platforms. The use of personal devices for work has become an increasingly challenging issue in corporate criminal investigations. Assistant Attorney General Polite offered more background on this policy, noting that the Criminal Division has seen a rise in companies and individuals using messaging applications offering ephemeral (or disappearing) messaging and that companies must ensure the ability to appropriately monitor and retain these communications.[10] DOJ is now willing to offer the carrot of cooperation credit to companies that have policies to retain and provide such communications. To obtain cooperation credit, companies will be expected to implement company-wide policies and procedures that prevent employees from using personal devices and third-party messaging applications to conduct business or otherwise find a way to preserve such communications. The Criminal Division will examine whether additional guidance is needed regarding best practices on use of personal devices and third-party messaging applications.

Also notable is the fact that the New Policy does not address certifications regarding a company’s compliance program, a topic that has raised concerns from industry experts and the defense bar. In his March 2022 speech, Assistant Attorney General Polite stated that he was considering requiring that both the Chief Executive Officer and the Chief Compliance Officer certify as part of any settlement that the company’s compliance program is effective, reasonably designed, and implemented to detect and prevent legal violations.[11] Assistant Attorney General Polite also addressed this issue in his speech on September 16, following the announcement of the New Policy. DOJ has imposed these certifications in prior resolutions on a case-by-case basis, including in two recent resolutions, but has not gone so far as to adopt a policy of requiring such certifications in every resolution. The New Policy leaves that approach undisturbed.

4. Prior Misconduct

With respect to the 2021 Policy announcement that prosecutors must consider a corporation’s full criminal, civil, and regulatory record, even if dissimilar from the conduct at issue, DOJ articulated standards regarding the kind of prior misconduct that will receive greater weight—for example, conduct involving the same personnel or management.

Dated prior conduct, measured by the time that conduct was addressed in a resolution, will be afforded less weight—in the case of a criminal or civil/regulatory resolution, the timing is 10 years and 5 years, respectively.

DOJ’s clarification that the history of highly regulated companies should be compared to other similarly situated companies is particularly important. This messaging is an important clarification of Deputy Attorney General Monaco’s announcement in October 2021 that prosecutors should consider “all” prior civil and regulatory actions in assessing whether a company is a recidivist. Many in the white-collar defense bar have been concerned about the consequences of such an open-ended inquiry into prior non-criminal actions involving our largest, most heavily regulated clients, and the delineation of which prior actions should be given greater weight is welcome.

5. Corporate Monitorships

Regarding the 2021 Policy announcement that prosecutors are free to impose monitors whenever appropriate, the Deputy Attorney General clarified that there is no presumption in favor of monitorships and that it will not seek to impose a monitor if the company has implemented and tested an effective compliance program.

All DOJ components will adopt a consistent, transparent and public monitor selection process that ensures there are no conflicts of interest in the selection of the monitor and the process adheres to DOJ’s commitment to diversity and inclusion. Prosecutors must follow new standards to ensure the monitorship is tailored to the misconduct, adheres to its anticipated scope, and remains on budget.

The New Policy significantly ratchets up incentives for companies to create robust compliance programs by reducing the specter of prolonged and costly compliance monitorships. DOJ has previously commented on what it means to have an effective and “tested” compliance program. In March 2022, Assistant Attorney General Polite noted the importance of seeing a company’s compliance program working in practice and “compliance success stories,” including rewarding positive behavior, disciplining poor behavior, rejecting transactions due to compliance risk, positive trends in whistleblower reporting, and other positive developments.[12]

6. Individual Prosecutions

In the Deputy Attorney General’s speech, she noted that the “Department’s number one priority is individual accountability” and linked expedited voluntary self-disclosures and production of key documents and information involving individuals to cooperation credit.[13]

Prosecutors must seek warranted criminal charges against individuals prior to or at the same time as entering a resolution against a corporation or, if it makes more sense to resolve the corporate case first, have a full investigation plan to bring individual charges.

The extent to which this new guidance practically affects the outcomes of particular criminal investigations remains unclear. The Yates Memorandum, issued during the Obama Administration in 2015, called for a similar work plan where corporate cases should not be resolved without a clear plan to resolve related individual cases, though the Yates Memorandum did not explicitly require prosecutors to work toward sequencing their investigations in this way.[14] In addition, one advantage of corporate resolutions is that prosecutors and corporate defendants need only reach a generally agreed-upon understanding of the facts and legal standard. This approach allows for speedier resolutions while avoiding endless and costly investigations. But the level of investigation to resolve a corporate matter is often insufficient to prevail against individuals who are far more inclined to fight charges in court. Thus, it remains to be seen whether prosecutors will actually succeed in bringing individual criminal charges before or concurrently with corporate resolutions.

As a result of this DOJ reset, we recommend:

An examination of compensation policies to more tightly align compliance goals with pay;
An implementation of a clawback policy for misconduct that would mirror in material respect the clawback policies associated with financial restatements;
Refreshing the board of directors of its Caremark responsibilities;
Updating compliance training materials to underscore an employee’s obligation to escalate to the company’s legal and compliance departments any problematic conduct; and
Broadening values and compliance training company wide and to selected third parties (consultants, lobbyists, logistical advisors, technical experts, etc.).

* * *

Over the coming weeks and months, we will carefully monitor DOJ’s implementation of these aspects of the revised guidance.

_____________________________

[1] Speech, U.S. Dep’t of Justice, Deputy Attorney General Lisa O. Monaco Delivers Remarks on Corporate Criminal Enforcement, (September 15, 2022), https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-delivers-remarks-corporate-criminal-enforcement [hereinafter Deputy Attorney General Monaco Speech (September 15, 2022)].

[2] Memorandum, Dep’t of Justice, Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group (September 15, 2022), https://www.justice.gov/opa/speech/file/1535301/download [hereinafter DOJ Memorandum (September 15, 2022)].

[3] See Client Alert, Gibson Dunn, Deputy Attorney General Announces Important Changes to DOJ’s Corporate Criminal Enforcement Policies (October 29, 2021), https://www.gibsondunn.com/deputy-attorney-general-announces-important-changes-to-doj-corporate-criminal-enforcement-policies/.

[4] Speech, U.S. Dep’t of Justice, Assistant Attorney General Kenneth A. Polite Delivers Remarks at the University of Texas Law School (September 16, 2022), https://www.justice.gov/opa/speech/assistant-attorney-general-kenneth-polite-delivers-remarks-university-texas-law-school [hereinafter Assistant Attorney General Polite Speech (September 16, 2022)].

[5] Speech, U.S. Dep’t of Justice, Principal Associate Deputy Attorney General Marshall Miller Delivers Live Keynote Address at Global Investigations Review (September 20, 2022), https://www.justice.gov/opa /speech/principal-associate-deputy-attorney-general-marshall-miller-delivers-live-keynote-address [hereinafter Principal Associate Deputy Attorney General Miller Speech (September 20, 2022)].

[6] DOJ Memorandum (September 15, 2022).

[7] Assistant Attorney General Polite Speech (September 16, 2022).

[8] Principal Associate Deputy Attorney General Miller Speech (September 20, 2022).

[9] Id.

[10] Assistant Attorney General Polite Speech (September 16, 2022).

[11] Speech, U.S. Dep’t of Justice, Assistant Attorney General Kenneth A. Polite Jr. Delivers Remarks at NYU Law’s Program on Corporate Compliance and Enforcement (PCCE) (March 25, 2022), https://www.justice.gov/opa/speech/assistant-attorney-general-kenneth-polite-jr-delivers-remarks-nyu-law-s-program-corporate [hereinafter Assistant Attorney General Polite Speech (March 25, 2022)].

[12] Assistant Attorney General Polite Speech (March 25, 2022).

[13] Deputy Attorney General Monaco Speech (September 15, 2022).

[14] Memorandum, Dep’t of Justice, Individual Accountability for Corporate Wrongdoing (September 9, 2015), https://www.justice.gov/archives/dag/file/769036/download.

The following Gibson Dunn lawyers assisted in preparing this client update:
F. Joseph Warin, Stephanie Brooker, Joel M. Cohen, Nicola T. Hanna, Charles Stevens, Kendall Day, Robert K. Hur, Nicholas Murphy*, Jason H. Smith, and Sarah Hafeez.

Gibson Dunn has deep experience with corporate criminal enforcement matters. We have more than 250 attorneys, including a number of former federal prosecutors and SEC and other regulatory agency enforcement officials, spread throughout the firm’s domestic and international offices. For assistance navigating white collar or regulatory enforcement issues, please contact any of the authors, the Co-Chairs of the White Collar Defense and Investigations practice group Stephanie Brooker, Joel Cohen, Nicola Hanna, Charles Stevens, and F. Joseph Warin, or any of the following:

Washington, D.C.
Stephanie Brooker (+1 202-887-3502, sbrooker@gibsondunn.com)
Courtney M. Brown (+1 202-955-8685, cmbrown@gibsondunn.com)
David P. Burns (+1 202-887-3786, dburns@gibsondunn.com)
John W.F. Chesley (+1 202-887-3788, jchesley@gibsondunn.com)
Daniel P. Chung (+1 202-887-3729, dchung@gibsondunn.com)
M. Kendall Day (+1 202-955-8220, kday@gibsondunn.com)
David Debold (+1 202-955-8551, ddebold@gibsondunn.com)
Michael S. Diamant (+1 202-887-3604, mdiamant@gibsondunn.com)
Richard W. Grime (+1 202-955-8219, rgrime@gibsondunn.com)
Scott D. Hammond (+1 202-887-3684, shammond@gibsondunn.com)
Robert K. Hur (+1 202-887-3674, rhur@gibsondunn.com)
Judith A. Lee (+1 202-887-3591, jalee@gibsondunn.com)
Adam M. Smith (+1 202-887-3547, asmith@gibsondunn.com)
Patrick F. Stokes (+1 202-955-8504, pstokes@gibsondunn.com)
Oleh Vretsona (+1 202-887-3779, ovretsona@gibsondunn.com)
F. Joseph Warin (+1 202-887-3609, fwarin@gibsondunn.com)
Ella Alves Capone (+1 202-887-3511, ecapone@gibsondunn.com)
Nicholas U. Murphy* (+1 202-777-9504, nmurphy@gibsondunn.com)
David C. Ware (+1 202-887-3652, dware@gibsondunn.com)
Melissa Farrar (+1 202-887-3579, mfarrar@gibsondunn.com)
Amy Feagles (+1 202-887-3699, afeagles@gibsondunn.com)
Jason H. Smith (+1 202-887-3576, jsmith@gibsondunn.com)
Pedro G. Soto (+1 202-955-8661, psoto@gibsondunn.com)

New York
Zainab N. Ahmad (+1 212-351-2609, zahmad@gibsondunn.com)
Reed Brodsky (+1 212-351-5334, rbrodsky@gibsondunn.com)
Joel M. Cohen (+1 212-351-2664, jcohen@gibsondunn.com)
Mylan L. Denerstein (+1 212-351-3850, mdenerstein@gibsondunn.com)
Barry R. Goldsmith (+1 212-351-2440, bgoldsmith@gibsondunn.com)
Karin Portlock (+1 212-351-2666, kportlock@gibsondunn.com)
Mark K. Schonfeld (+1 212-351-2433, mschonfeld@gibsondunn.com)
Orin Snyder (+1 212-351-2400, osnyder@gibsondunn.com)
Alexander H. Southwell (+1 212-351-3981, asouthwell@gibsondunn.com)
Brendan Stewart (+1 212-351-6393, bstewart@gibsondunn.com)

Denver
Ryan T. Bergsieker (+1 303-298-5774, rbergsieker@gibsondunn.com)
Robert C. Blume (+1 303-298-5758, rblume@gibsondunn.com)
Kelly Austin (+1 303-298-5980, kaustin@gibsondunn.com)
John D.W. Partridge (+1 303-298-5931, jpartridge@gibsondunn.com)
Laura M. Sturges (+1 303-298-5929, lsturges@gibsondunn.com)

Los Angeles
Michael H. Dore – Los Angeles (+1 213-229-7652, mdore@gibsondunn.com)
Michael M. Farhang (+1 213-229-7005, mfarhang@gibsondunn.com)
Diana M. Feinstein (+1 213-229-7351, dfeinstein@gibsondunn.com)
Douglas Fuchs (+1 213-229-7605, dfuchs@gibsondunn.com)
Nicola T. Hanna (+1 213-229-7269, nhanna@gibsondunn.com)
Poonam G. Kumar (+1 213-229-7554, pkumar@gibsondunn.com)
Marcellus McRae (+1 213-229-7675, mmcrae@gibsondunn.com)
Eric D. Vandevelde (+1 213-229-7186, evandevelde@gibsondunn.com)
Debra Wong Yang (+1 213-229-7472, dwongyang@gibsondunn.com)

San Francisco
Winston Y. Chan (+1 415-393-8362, wchan@gibsondunn.com)
Thad A. Davis (+1 415-393-8251, tadavis@gibsondunn.com)
Charles J. Stevens (+1 415-393-8391, cstevens@gibsondunn.com)
Michael Li-Ming Wong (+1 415-393-8333, mwong@gibsondunn.com)

Palo Alto
Benjamin Wagner (+1 650-849-5395, bwagner@gibsondunn.com)

London
Patrick Doris (+44 20 7071 4276, pdoris@gibsondunn.com)
Charlie Falconer (+44 20 7071 4270, cfalconer@gibsondunn.com)
Sacha Harber-Kelly (+44 20 7071 4205, sharber-kelly@gibsondunn.com)
Michelle Kirschner (+44 20 7071 4212, mkirschner@gibsondunn.com)
Matthew Nunan (+44 20 7071 4201, mnunan@gibsondunn.com)
Philip Rocher (+44 20 7071 4202, procher@gibsondunn.com)

Paris
Benoît Fleury (+33 1 56 43 13 00, bfleury@gibsondunn.com)
Bernard Grinspan (+33 1 56 43 13 00, bgrinspan@gibsondunn.com)

Frankfurt
Finn Zeidler (+49 69 247 411 530, fzeidler@gibsondunn.com)

Munich
Benno Schwarz (+49 89 189 33 110, bschwarz@gibsondunn.com)
Michael Walther (+49 89 189 33 180, mwalther@gibsondunn.com)
Mark Zimmer (+49 89 189 33 115, mzimmer@gibsondunn.com)

Hong Kong
Kelly Austin (+852 2214 3788, kaustin@gibsondunn.com)
Oliver D. Welch (+852 2214 3716, owelch@gibsondunn.com)

Singapore
Joerg Biswas-Bartz (+65 6507 3635, jbiswas-bartz@gibsondunn.com)

* Nicholas Murphy is of counsel practicing in the firm’s Washington, D.C. office who currently is admitted only in New York.

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

The German Ministry of Economic Affairs and Climate Action published the draft of the 11th amendment to the Act against Restraints on Competition. It will further strengthen the German competition watchdog’s powers to investigate market sectors and to impose remedies even in the absence of an infringement of competition law.

On 26 September 2022, the German Ministry of Economic Affairs and Climate Action (“Ministry”) published the first draft of the 11th amendment of the Act against Restraints on Competition (“German Competition Act”) (the “draft bill”). The draft bill is not an immediate reaction to the current crisis on the energy markets but is a longer planned amendment, which has already been reflected in the 2021 coalition agreement between the government parties SPD, Bündnis 90/Die Grünen and FDP. The draft bill marks another step in the direction of a new era of antitrust law enforcement in Germany. This trend continues to shift competition law enforcement from a more traditional approach, where an infringement of competition law (e.g., a cartel/abuse of dominance) is required, to a more extensive market protection tool intended to address perceived distortions to competition that can already operate below the “infringement threshold”. The draft bill in particular refers to experiences of the UK competition authority CMA and to the European Commission’s Impact Assessment for the New Competition Tool (NCT).

The main aspects of the draft bill are: (i) a complete revision of the sector inquiry tool of the Federal Cartel Office (“FCO”); (ii) the implementation of the DMA in the national framework of public and private enforcement; and (iii) the facilitation of benefits disgorgements:

(i) Sector inquiries. The sector inquiries tool enables the FCO to investigate the competitive conditions on markets unrelated to a specific competition law infringement. The tool was initially introduced in 2005 and has been used around twenty times, inter alia in the sectors fuels, buyer power in food retailing, cement and ready-mix concrete, waste disposal and hospitals. In 2007 the tool was also extended into the area of consumer protection – in particular in the digital space. The draft bill identifies and addresses two main weaknesses of the current tool:

Timing. Sector inquiries usually take a very long time. According to the draft bill, this has a negative impact on the usability of the findings. The draft bill now sets a time limit for sector inquiries of 18 months.

Remedies. The FCO currently does not have the power to impose remedial actions in response to the results of a sector inquiry. The draft bill changes this – for a time period of (another) 18 months after the publication of the respective sector inquiry report:
- Merger control. The FCO can impose an obligation on specific undertakings to notify concentrations under the German merger control regime, even if they are below the regular notification thresholds. The prerequisite is that there are “objectively verifiable indications that future mergers could significantly impede effective competition in Germany in one or more of the economic sectors” specified in the sector inquiry report. A de minimis exception applies to transactions in which the buyer generated turnover with customers in Germany in its last completed financial year of less than EUR 50 million and/or the target of less than EUR 500,000. This “special notification obligation” expires after three years, but it can be renewed.
- Structural/behavioral remedies. The FCO can impose remedies of behavioral or structural nature, if there is a “significant, [i] continuous or [ii] repeated disturbance of competition in at least one market or across markets”. The draft bill provides the following examples for potential objectives of such remedies: access to data, rights of use to intellectual property, requirements for certain types of contracts or the organizational separation of business units.
- Unbundling. Lastly, the FCO will also get the ultima ratio power to unbundle undertakings, if no other remedy of structural or behavioral nature would be equally effective or if such alternative remedy would impose an even greater burden on the undertaking. This ultima ratio remedy will be subject to a comprehensive proportionality assessment. Also, the FCO cannot impose an obligation to divest assets which have been subject to a final merger control clearance by the European Commission or by the FCO in the past five years.

(ii) Digital Markets Act. The Digital Markets Act (DMA) of the European Union has just been adopted by the EU Council and is expected to be published in the EU Official Journal soon. It will come into force 20 days later and then fully applies to so-called “gatekeepers” six months after it entered into force.

Public enforcement. The European Commission is the sole authority empowered to enforce the DMA but the DMA left a possibility for EU Member States to empower their national competition authorities to conduct investigations of possible non-compliance of gatekeepers with DMA rules. The draft bill paves the way for a public enforcement of the DMA by the FCO in Germany. However, the FCO can only conduct investigations and forward the results to the European Commission. It has no powers of its own to sanction non-compliance with the DMA.

Private enforcement. The DMA is an EU Regulation and therefore directly (e., without the need for transposition) applies in all EU Member States. In addition, various DMA provisions prerequisite its private enforceability in national courts. The draft bill implements the relevant provisions of the DMA into the German Competition Act’s provisions on private antitrust enforcement (injunctive relief, damage claims).

(iii) Disgorgement of economic benefit. The draft bill also improves the FCO’s possibilities to order the disgorgement of economic benefits resulting from the violation of competition law. In order to do that, the draft bill removes the requirement for the authority to prove that the violation of competition law has been carried out intentionally or negligently. Furthermore, the draft bill provides for a statutory presumption that a competition law infringement caused an economic benefit of at least 1% of the turnover generated in Germany with the products or services connected to the infringement. A rebuttal of this presumption requires that neither the legal entity directly involved in the infringement nor its group (the undertaking) generated a profit in the respective amount in the relevant period. However, the amount to be paid must not exceed 10% of the total turnover of the undertaking in the fiscal year preceding the decision of the authority.

Conclusions and outlook. The draft bill follows the overall trend in Europe and overseas to equip competition authorities with more powers beyond the “classic” competition law enforcement tools. It can be expected that the draft bill will be passed by the government’s cabinet rather soon so that the readings in the German parliament can begin. When (and whether) an 11th amendment will eventually come into force is currently hard to predict given various other political priorities and economic challenges.

The Ministry is already working on a draft for a 12th amendment of the German Competition Act (!) which shall implement topics mentioned in a White Paper on competition law priorities from February this year (Wettbewerbspolitische Agenda des BMWK bis 2025). Details are yet unknown but the focus could be, inter alia, on establishing more legal certainty for sustainability cooperation between companies as well as stronger consumer protection.

The following Gibson Dunn lawyers assisted in preparing this client update: Georg Weidenbach, Michael Walther, Kai Gesing, Jan Vollkammer, Linda Vögele, and Elisa Degner.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders or members of the firm’s Antitrust and Competition practice group:

Kai Gesing – Munich (+49 89 189 33 180, kgesing@gibsondunn.com)
Michael Walther – Munich (+49 89 189 33 180, mwalther@gibsondunn.com)
Georg Weidenbach – Frankfurt (+49 69 247 411 550, gweidenbach@gibsondunn.com)
Christian Riis-Madsen – Co-Chair, Brussels (+32 2 554 72 05, criis@gibsondunn.com)
Ali Nikpay – Co-Chair, London (+44 (0) 20 7071 4273, anikpay@gibsondunn.com)
Rachel S. Brass – Co-Chair, San Francisco (+1 415-393-8293, rbrass@gibsondunn.com)
Stephen Weissman – Co-Chair, Washington, D.C. (+1 202-955-8678, sweissman@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

U.S. anti-corruption enforcement has continued apace through the first eight months of 2022. Although some will point to declining numbers of Foreign Corrupt Practices Act (“FCPA”) enforcement actions in 2022 to date, particularly against corporations, as compared to the heights of recent years, our view from the trenches is that enforcement is evolving, not fading. As evidenced by the bevvy of activity catalogued in the pages that follow, our experience is prosecutors at the U.S. Department of Justice (“DOJ”) and enforcers at the U.S. Securities and Exchange Commission (“SEC”) remain acutely focused on international anti-corruption enforcement and that the compliance challenges faced by global corporations are as complicated today as they have ever been. In addition, the expanded employment of money laundering charges has broadened prosecutors’ reach.

This client update provides an overview of the FCPA and other domestic and international anti-corruption enforcement, litigation, and policy developments from the first eight months of 2022. In January 2023, we will publish our comprehensive year-end update on 2022 FCPA developments.

FCPA OVERVIEW

The FCPA’s anti-bribery provisions make it illegal to corruptly offer or provide money or anything else of value to officials of foreign governments, foreign political parties, or public international organizations with the intent to obtain or retain business. These provisions apply to “issuers,” “domestic concerns,” and those acting on behalf of issuers and domestic concerns, as well as to “any person” who acts while in the territory of the United States. The term “issuer” covers any business entity that is registered under 15 U.S.C. § 78l or that is required to file reports under 15 U.S.C. § 78o(d). In this context, foreign issuers whose American Depositary Receipts (“ADRs”) or American Depositary Shares (“ADSs”) are listed on a U.S. exchange are “issuers” for purposes of the FCPA. The term “domestic concern” is even broader and includes any U.S. citizen, national, or resident, as well as any business entity that is organized under the laws of a U.S. state or that has its principal place of business in the United States.

In addition to the anti-bribery provisions, the FCPA also has “accounting provisions” that apply to issuers and those acting on their behalf. First, there is the books-and-records provision, which requires issuers to make and keep accurate books, records, and accounts that, in reasonable detail, accurately and fairly reflect the issuer’s transactions and disposition of assets. Second, the FCPA’s internal accounting controls provision requires that issuers devise and maintain reasonable internal accounting controls aimed at preventing and detecting FCPA violations. Prosecutors and regulators frequently invoke these latter two sections when they cannot establish the elements for an anti-bribery prosecution or as a mechanism for compromise in settlement negotiations. Because there is no requirement that a false record or deficient control be linked to an improper payment, even a payment that does not constitute a violation of the anti-bribery provisions can lead to prosecution under the accounting provisions if inaccurately recorded or attributable to an internal accounting controls deficiency.

International corruption also may implicate other U.S. criminal laws. Frequently, prosecutors from DOJ’s FCPA Unit charge non-FCPA crimes such as money laundering, mail and wire fraud, Travel Act violations, tax violations, and even false statements, in addition to or instead of FCPA charges. Without question, the most prevalent amongst these “FCPA-related” charges is money laundering—a generic term used as shorthand for statutory provisions that generally criminalize conducting or attempting to conduct a transaction involving proceeds of “specified unlawful activity” or transferring funds to or from the United States, in either case to promote the carrying on of specified unlawful activity, to conceal or disguise the nature, location, source, ownership or control of the proceeds, or to avoid a transaction reporting requirement. “Specified unlawful activity” includes over 200 enumerated U.S. crimes and certain foreign crimes, including the FCPA, fraud, and corruption offenses under the laws of foreign nations. Although this has not always been the case, in recent history, DOJ has frequently deployed the money laundering statutes to charge “foreign officials” who are not themselves subject to the FCPA. It is not unusual for DOJ to charge the alleged provider of a corrupt payment under the FCPA and the alleged recipient with money laundering violations.

FCPA AND FCPA-RELATED ENFORCEMENT STATISTICS

The below table and graph detail the number of FCPA enforcement actions initiated by DOJ and the SEC, the statute’s dual enforcers, during the past 10 years.

Table 1

Chart 1

But as our readers know, the number of FCPA enforcement actions represents only a piece of the robust pipeline of international anti-corruption enforcement efforts by DOJ. Indeed, the increasing proportion of “FCPA-related” charges in the overall enforcement docket of FCPA prosecutors is a trend we have been remarking upon for years. In total, DOJ brought 11 such FCPA-related actions in the first eight months of 2022, bringing the overall count to 22 cases that DOJ’s FCPA unit filed, unsealed, or otherwise joined since the beginning of the year. The past 10 years of FCPA plus FCPA-related enforcement activity is illustrated in the following table and graph.

Table 2

Chart 2

2022 MID-YEAR FCPA + FCPA-RELATED ENFORCEMENT ACTIONS

CORPORATE ENFORCEMENT ACTIONS

Through August, there were three corporate FCPA enforcement actions from each of DOJ and the SEC in 2022, which is on par with the corporate enforcement activity for all of 2021 but still down from recent historical trends. There have been additional resolutions in September not covered herein, and we will continue tracking the pace of corporate FCPA enforcement in our forthcoming year-end update and beyond to see if this is a momentary lull or a longer-term trend. In the meantime, the five companies subject to FCPA enforcement in the year to date follow.

Tenaris S.A.

Most recently, on June 2, 2022, Luxemburg-based global steel pipe supplier Tenaris, an ADR-issuer, consented to the entry of an administrative cease-and-desist order by the SEC to resolve FCPA bribery, books and records, and internal controls charges. According to the SEC’s Order, between 2008 and 2013, agents and employees of Tenaris’s Brazilian subsidiary paid approximately $10.4 million in bribes to a high-ranking procurement manager at Brazil’s state-owned oil and gas company Petróleo Brasileiro S.A. (“Petrobras”) to persuade the procurement manager not to open up the subsidiary’s ongoing pipe supply project to competition, ultimately leading to the award of over $1 billion in contracts. To resolve the charges, Tenaris agreed to pay more than $78 million, consisting of approximately $42.84 million in disgorgement, $10.26 million in prejudgment interest, and a $25 million civil money penalty. Tenaris also agreed to self-report to the SEC for two years on the status of its remediation and implementation of compliance measures related to its compliance program and accounting controls. As we have discussed in earlier updates, Gibson Dunn represented Petrobras and successfully negotiated a non-prosecution agreement with DOJ and an SEC resolution and navigated seamlessly a three-year self-monitorship.

According to a statement released by Tenaris, DOJ closed its investigation into this matter without taking action. Notably, this is Tenaris’s second brush with the FCPA, having resolved dual FCPA enforcement actions with DOJ and the SEC in 2011 arising out of alleged corruption in Uzbekistan.

Glencore International A.G.

Undoubtedly the bombshell FCPA enforcement matter of 2022-to-date came on May 24, when Swiss multinational commodity trading and mining company Glencore resolved criminal FCPA bribery charges in seven African and Latin American countries. Simultaneously, Glencore entered into a parallel criminal and civil market manipulation resolution with a different unit of DOJ’s Fraud Section and the U.S. Commodity Futures Trading Commission (“CFTC”) founded, in part, on the same conduct, in addition to separate anti-corruption resolutions with Brazilian and UK authorities. According to the corruption-related allegations, from 2007 to 2018, Glencore provided more than $100 million in payments and other items of value to intermediaries for the purpose of bribing foreign officials in Brazil, Cameroon, the Democratic Republic of the Congo, Equatorial Guinea, Ivory Coast, Nigeria, and Venezuela to obtain contracts and other benefits.

The assessment of criminal and civil penalties against Glencore for the web of related resolutions involves a complex set of credits and offsets, but in total Glencore is expected to pay approximately $1.5 billion to resolve all of the matters. The total payment to U.S. enforcement agencies is expected to be $1.02 billion, of which approximately $700.7 million is allocable to the FCPA case comprised of a criminal fine of $428.521 million and criminal forfeiture of $272.186 million. On top of that, Glencore agreed to pay $39.6 million to the Brazilian Federal Prosecutor’s Office, and as discussed below in our UK Enforcement Update, a subsidiary pleaded guilty to UK Bribery Act charges and is scheduled to be sentenced in November 2022. Glencore has stated that the resolution in the UK, and other pending proceedings in the Netherlands and its home country of Switzerland, are together expected to increase the overall resolution to $1.5 billion. Additionally, Glencore agreed to a three-year compliance monitor in connection with the FCPA resolution and a separate three-year compliance monitor in connection with the market manipulation resolution, the scope of which are still being negotiated.

Beyond the sheer size of the matter, there are numerous notable aspects to the Glencore resolution:

First, Glencore is neither a U.S. company nor issuer (hence, no SEC resolution), and DOJ’s FCPA jurisdiction appears to be premised loosely on the approval of certain payments by employees (including former West African oil trader Anthony Stimler, who pleaded guilty to FCPA charges as covered in our 2021 Year-End FCPA Update) while in the United States, the transmittal of at least one email from the United States by Stimler, and the use of U.S. correspondent banking accounts for at least some of the alleged bribe payments. The details of DOJ’s allegations and jurisdictional theories are not fully fleshed out in the corporate charging documents, but DOJ’s approach seems to be that a multi-country corruption conspiracy taking place largely outside of the United States may be brought within U.S. jurisdiction in its entirety due to correspondent banking transactions or through a single act taken by one co-conspirator while in the United States, potentially even a low-level trader involved in one spoke of the alleged conspiracy.
Second, although there is precedent in corporate FCPA enforcement actions for relatively modest criminal forfeiture actions to accompany criminal fines, generally offset in the criminal fine calculation, Glencore is the first of which we are aware in which the amount of gain was used by DOJ both as the primary input for the Guidelines fine and, on top of that, disgorged by DOJ through parallel forfeiture. In this manner, DOJ not only applied a criminal penalty, which is customary, but it also disgorged all allegedly tainted profits, which is not customary in a non-issuer case (i.e. where the SEC is not involved). While DOJ has applied forfeiture in a limited way in some FCPA cases, this appears to be the first time it has required a company to disgorge all ill-gotten gain in the absence of a parallel SEC action. This practice has precedent in other types of white collar corporate cases, particularly by prosecutors in the Southern District of New York, but not to our knowledge in the FCPA cases.
Third, as noted above, a part of the CFTC’s charges were founded on the same alleged corruption conduct covered in the DOJ FCPA resolution, making this the second time that the CFTC has charged corruption as “manipulative and deceptive conduct” under the Commodity Exchange Act. The first instance was the case against Vitol, Inc., covered in our 2020 Year-End FCPA Update, which arose out of the same fact pattern.

Stericycle, Inc.

The only dual FCPA enforcement action to date in 2022 came on April 20, when Illinois-based waste management company Stericycle resolved FCPA bribery and accounting charges with DOJ and the SEC arising from allegations of corruption in Argentina, Brazil, and Mexico. The charging documents collectively allege that, between 2011 and 2016, Stericycle representatives paid approximately $10.5 million in bribes to government officials to obtain contracts and other benefits that cumulatively netted the company approximately $21.5 million in profits.

To resolve the criminal charges, Stericycle entered into a deferred prosecution agreement with a $52.5 million penalty and requiring the imposition of a compliance monitor for a two-year term. The SEC resolution requires the disgorgement of approximately $28 million in profits and prejudgment interest, together with the imposition of the same compliance monitor. In addition, Stericycle entered into a parallel $9.3 million resolution with Brazil’s Controladoria-Geral da União and the Advocacia-Geral de União, which after offsets in the DOJ / SEC resolutions will net out to a total resolution of approximately $84 million. Parallel United States and Brazilian enforcement actions, such as seen here, have become commonplace.

Jardine Lloyd Thompson Group Holdings Ltd.

On March 18, 2022, DOJ announced its first “declination with disgorgement” FCPA resolution in nearly two years, with UK insurance company JLT Group. DOJ’s declination letter asserted that it had found evidence that JLT Group, through an employee and its agents, paid approximately $3.15 million in alleged bribes to Ecuadorian officials between 2014 and 2016, through an intermediary based in Florida, in order to obtain or retain insurance contacts with Ecuadorian state-owned surety Seguros Sucre. The underlying conduct is the same covered in our 2020 Mid-Year FCPA Update where we reported on the prosecution of four defendants—including former JLT Group executive Felipe Moncaleano Botero—in the Southern District of Florida for money laundering conspiracy.

DOJ declined to prosecute based on JLT Group’s voluntary disclosure of the misconduct, full and proactive cooperation, prompt and comprehensive remediation, and agreement to disgorge just over $29 million in alleged improper gains. JLT Group affiliates also reached resolutions with Colombian and UK authorities, as covered below in our international enforcement developments section. Gibson Dunn represented JLT Group in obtaining the DOJ declination, and in the international resolutions.

KT Corporation

First in but last up, the initial FCPA corporate enforcement action of 2022 came on February 17, when Korea’s largest telecommunications operator and ADS issuer KT Corporation resolved FCPA books-and-records and internal controls charges with the SEC. According to the administrative cease and desist order, KT Corporation maintained multiple “slush funds” between 2009 and 2017, from which it made illegal contributions to legislative officials in Korea who sat on committees with influence over the telecommunications industry and also to Vietnamese government officials to receive contracts.

Without admitting or denying the allegations, KT Corporation agreed to settle with a $3.5 million civil penalty and the disgorgement of $2.8 million in profits plus prejudgment interest. KT Corporation also will self-report on FCPA compliance remediation for a two-year term. There is no indication to date of a parallel DOJ enforcement action.

INDIVIDUAL ENFORCEMENT ACTIONS

There were FCPA and FCPA-related charges filed or unsealed, or in which DOJ FCPA prosecutors first entered an appearance, against 19 individual defendants during the first eight months of 2022.

Additional PDVSA Charges

In recent years, we have covered numerous corruption-related fact patterns arising out of international business dealings with Venezuela’s state-owned and state-controlled oil company, Petróleos de Venezuela, S.A. (“PDVSA”). The first eight months of 2022 was no exception to this longstanding trend.

On March 8, 2022, a grand jury sitting in the Southern District of Florida indicted two former senior prosecutors from the anti-corruption division of the Venezuelan Attorney General’s Office, Daniel D’Andrea Golindano and Luis Javier Sanchez Rangel, for allegedly laundering $1 million in bribes through a bank account in Florida. The indictment asserts that Rangel and Golindano accepted payments from a contractor that was itself under investigation by the Attorney General’s Office for allegedly receiving over $150 million in contracts from PDVSA entities, in exchange for closing the investigation without seeking criminal charges against the contractor. The defendants have yet to make an appearance in court and have been transferred to fugitive status.

In a separate alleged PDVSA-related scheme, on June 23, 2022, Jhonnathan Marin, former Mayor of Guanta, Venezuela, pleaded guilty to a single count of money laundering conspiracy. According to the criminal information, between 2015 and 2017, Marin accepted $3.8 million in bribes from an unnamed PDVSA contractor to influence several PDVSA joint ventures operated in the port town area to award tens of millions of dollars’ worth of business to the contractor. Marin currently awaits a September 2022 sentencing date before the Honorable Robert N. Scola, Jr. of the U.S. District Court for the Southern District of Florida.

In a third case involving PDVSA, on July 12, 2022 a grand jury sitting in the Southern District of Florida returned an indictment charging financial asset managers—Ralph Steinmann and Luis Fernando Vuteff—with participating in the $1.2 billion “Operation Money Flight” PDVSA currency conversion / embezzlement scheme that we first covered in our 2018 Year-End FCPA Update. The genesis of the scheme arises from the substantial difference between the official and unofficial rates at which Venezuelan bolivars could be exchanged for U.S. dollars, with members of the scheme causing PDVSA to enter into contracts to convert bolivars at the “unofficial rate” of 60:1, then back into dollars at the official rate of 6:1, thereby instantly increasing the outside investment tenfold at the expense of PDVSA and with the assistance of corrupt payments. For their part, Steinmann and Vuteff are each charged with one count of money laundering, with the indictment alleging that between 2014 and 2018 they laundered more than $200 million in proceeds from the scheme, including by opening bank accounts on behalf of Venezuelan government officials to receive the alleged bribe payments. Vuteff has reportedly been arrested and is pending extradition from Switzerland. Steinmann is not before the court and DOJ has asserted that he is a fugitive.

Finally, in yet another case involving a still different PDVSA corruption fact pattern, on August 24, 2022, a grand jury sitting in the Southern District of Florida returned an indictment charging Venezuelan businessman Rixon Rafael Moreno Oropeza with money laundering offenses in connection with an alleged bribery scheme involving Petropiar, a joint venture between PDVSA and a U.S. oil company. Moreno is alleged to have paid millions in bribes from bank accounts in Florida to a senior Venezuelan government official and senior Petropiar employees to obtain as much as $30 million in contracts from Petropiar at prices that were inflated as much as 100-times market value. Based on public records, it does not appear that Moreno is yet in U.S. custody.

Additional Vitol & Sargeant Marine Defendants

We have been covering ongoing, and at times overlapping, investigations in Latin America involving energy trading firm Vitol Inc. and asphalt company Sargeant Marine, Inc., as well as numerous individual defendants, since our 2020 Year-End Update. In March 2022, there were several additional developments, including new charges and new FCPA Unit connections to existing charges.

On March 16, 2022, DOJ charged Dutch citizen and former Vitol trader Lionel Hanst with a single count of conspiracy to commit money laundering alleging that, from November 2014 to September 2020, Hanst laundered bribes from and on behalf of Vitol for the benefit of officials at Ecuadorian, Mexican, and Venezuelan state oil companies Empresa Publica de Hidrocarburos del Ecuador (“PetroEcuador”), Petróleos Mexicanos (“PEMEX”), and PDVSA. Hanst pleaded guilty and is awaiting sentencing before the Honorable Eric N. Vitaliano of the U.S. District Court for the Eastern District of New York.

Right around the same time, from March through May 2022, DOJ FCPA Unit prosecutors involved in the Hanst case entered appearances in several ongoing cases. Although these cases were filed in earlier years, there were no press releases nor entries of appearance by FCPA Unit members to identify them as FCPA-related enforcement actions—until this year.

In May 2021, Eastern District of New York prosecutors charged Gonzalo Guzman Manzanilla and Carlos Espinosa Barba, former employees of PEMEX’s procurement subsidiary, with conspiracy to commit money laundering in connection with the Vitol bribery scheme. The allegations are that, between 2017 and 2020, Guzman and Espinosa agreed to provide a Vitol trader with confidential, inside information on PEMEX-related bids in exchanges for bribes. Both have pleaded guilty to single counts of conspiracy to commit money laundering and also await sentencing before Judge Vitaliano.

The same DOJ FCPA Unit prosecutors entered their appearances in March 2022 in 2020 cases against brothers Antonio and Enrique Ycaza, who have each been charged with conspiracy to violate the FCPA and money laundering statutes in connection with alleged bribery that straddles the Sargeant Marine and Vitol investigations. The allegations are that, between 2011 and 2019, the brothers operated purported consulting companies that were used to funnel approximately $22 million in bribes to PetroEcuador officials on behalf of Sargeant Marine and Vitol. Like the others, the Ycaza brothers have pleaded guilty and await sentencing before Judge Vitaliano.

Finally, in May 2022, FCPA Unit prosecutors entered their appearances in additional 2020 cases against a different set of brothers, Bruno and Jorge Luz. The Luz brothers have each pleaded guilty to a single count of conspiracy to violate the FCPA’s anti-bribery provisions, associated with a scheme to create shell companies that were allegedly used to launder more than $5 million in bribes to Petrobras officials on behalf of Sargeant Marine. Like the others, the Luz brothers await sentencing before Judge Vitaliano.

Additional Odebrecht-Related Charges

We have been covering an ongoing stream of corruption charges arising from the 2016 blockbuster FCPA resolution with Brazilian construction conglomerate Odebrecht S.A. since our 2016 Year-End FCPA Update, including most recently in our 2021 Year-End FCPA Update. On March 24, 2022, another case was added to the pile with the indictment of former Comptroller General of Ecuador Carlos Ramon Polit Faggioni on six counts of money laundering. According to the indictment, between 2010 and 2016, Polit solicited and received over $10 million in bribes from Odebrecht in exchange for using his political position to benefit Odebrecht’s business in Ecuador. Although the bribery scheme took place substantially outside of the United States, the U.S. nexus is that Polit allegedly directed a member of the conspiracy to launder certain of the payments through Florida-based companies to be used to purchase and renovate properties in Florida.

Polit has pleaded not guilty and currently awaits a May 2023 trial date in the U.S. District Court for the Southern District of Florida.

Additional Corsa Coal Defendant

We covered in our 2021 Year-End FCPA Update the FCPA guilty plea of Frederick Cushmore, Jr., former Head of International Sales for an unnamed Pennsylvania-based coal company. That coal company has since identified itself as Corsa Coal, and on March 31, 2022 further charges were announced. On that date, a grand jury sitting in the U.S. District Court for the Western District of Pennsylvania indicted former Vice President Charles Hunter Hobson on seven counts of FCPA bribery, money laundering, and wire fraud conspiracy. The indictment alleges that Hobson participated in a scheme to pay $4.8 million to an agent with the intention that a portion would be used to pay bribes to officials of state-owned Egyptian company Al Nasr Company for Coke and Chemicals to procure $143 million in coal delivery contracts, and also sought to procure a percentage of the illicit payments as kickbacks for his own benefit. The indictment further alleges that Hobson and his co-conspirators communicated via encrypted messaging services, such as WhatsApp, and personal email addresses in an effort to conceal the scheme.

Hobson has pleaded not guilty and no trial date has yet been set. Corsa Coal has reported that it is cooperating with DOJ and also the Royal Canadian Mounted Police, but no public charges have yet been filed against the entity as of the date of publication.

Additional Seguros Sucre Defendants

We covered above DOJ’s ongoing investigation of suspected corruption involving Seguros Sucre, Ecuador’s state-owned insurance company, with the corporate JLT Group declination with disgorgement. Seemingly independent of that matter, at least in part, we saw developments in two other Seguros Sucre-related corruption cases during the first eight months of 2022.

First, on March 24, 2022, financial advisor Fernando Martinez Gomez pleaded guilty to one count of money laundering associated with alleged corrupt payments to officials of Seguros Sucre and Seguros Rocafuerte, another Ecuadorian state-owned insurer, as well as a separate wire fraud scheme involving the misuse of client assets held by Martinez’s employer, Biscayne Capital, in a pyramid scheme that ultimately led to the liquidation of Biscayne. The FCPA-related money laundering charge arises out of the same scheme leading to the charges against four individuals—including Chairman of Seguros Sucre and Rocafuerte Juan Ribas Domenech—covered in our 2020 Mid-Year FCPA Update. Martinez awaits sentencing before the Honorable Carol Bagley Amon of the U.S. District Court for the Eastern District of New York.

On July 14, 2022, in another seemingly separate Seguros Sucre investigation, a grand jury sitting in the Southern District of Florida returned an indictment against three insurance brokers—Luis Lenin Maldonado Matute, Esteban Eduardo Merlo Hidalgo, and Christian Patricio Pintado Garcia—charging them each with seven counts of FCPA and money laundering violations associated with alleged bribes paid to officials of Seguros Sucre and Seguros Rocafuerte. Merlo, a Florida resident, has been arrested and currently faces a September 2022 trial date. Maldonado and Pintado, both Ecuadorian citizens residing in Costa Rica, have been transferred to fugitive status, although Pintado has made an appearance through counsel.

2022 MID-YEAR CHECK-IN ON FCPA-RELATED ENFORCEMENT LITIGATION

As our readership knows, following the filing of FCPA or FCPA-related charges, criminal and civil enforcement proceedings can take years to wind their way through the courts. The substantial number of enforcement cases from prior years, especially involving contested criminal indictments of individual defendants, has led to an active first eight months of enforcement litigation in 2022. A selection of prior-year matters that saw material enforcement litigation developments follows.

Second Circuit Affirms Dismissal of Hoskins FCPA Charges

For years, we have been following the case of Lawrence Hoskins, the UK citizen working for a UK subsidiary of French multinational Alstom S.A. on a project in Indonesia without ever setting foot in the United States and who yet somehow ended up in U.S. court answering FCPA and money laundering charges. Most recently, in our 2020 Mid-Year FCPA Update, we covered the grant of Hoskins’s Rule 29 Motion for a Judgment of Acquittal on the FCPA charges, but denial as to the money laundering charges, by the Honorable Janet Bond Arterton of the U.S. District Court for the District of Connecticut, following the jury trial conviction on all of those counts in November 2019. Cross-appeals followed and the case wound its way back to the U.S. Court of Appeals for the Second Circuit for a second time.

On August 12, 2022, in an opinion authored by the Honorable Rosemary S. Pooler, a split panel of the Second Circuit affirmed the district court’s ruling rejecting the jury’s FCPA convictions but affirming the jury’s money laundering convictions. To understand this opinion, however, one must go back to the first time Hoskins’s case was before the Second Circuit. As covered in our 2018 Year-End FCPA Update, the Second Circuit in large part affirmed the lower court’s pretrial ruling that DOJ could not charge a defendant under the FCPA based on conspiracy or aiding-and-abetting theories if that defendant does not himself fall within one of the “three clear categories of persons who are covered by [the FCPA’s anti-bribery] provisions,” which Hoskins as a foreign national acting outside of the United States did not himself fall into. The Second Circuit did, however, hold that the government should be permitted to make a showing that Hoskins acted as an agent of a domestic concern (namely, Alstom’s U.S. subsidiary), which would bring him within the statute’s reach. That set the stage for the 2019 trial, where DOJ persuaded the jury that Hoskins acted on behalf of Alstom Power, Inc. (the U.S. entity), but could not then get over the hurdle of Judge Arterton’s searching exegesis of the FCPA on Rule 29. This was the decision now up for review by the Second Circuit.

Fundamentally, the Second Circuit majority agreed with Judge Arterton that there was no agency relationship as between Hoskins and the U.S. Alstom entity. There was no real question after the trial as to whether corrupt payments were made to Indonesian government officials to assist Alstom obtain a major power plant contract, or whether Hoskins participated in procuring the agents through which those payments were made, knowing the purpose of those payments. The question, rather, was whether under common law principles of agency, the U.S. subsidiary and Hoskins established a fiduciary relationship whereby Hoskins would act as an agent on behalf of the U.S. entity as the principal. And the Second Circuit majority found that “[c]onspicuously missing from the evidence is anything indicating that [Alstom Power] representatives actually controlled Hoskins’s actions as Hoskins and his [] counterparts operated under separate, parallel employment structures.” Although Hoskins received certain tasks from Alstom Power representatives, the Second Circuit found insufficient evidence for the jury to find beyond a reasonable doubt that Hoskins had authority to act on behalf of the U.S. entity or that the U.S. entity was able to hire, fire, or otherwise control him. The one dissenting vote, from the Honorable Raymond J. Lohier, Jr., focused principally on the deference accorded to jury verdicts coupled with a belief that there was sufficient (if not uncontroverted) evidence of agency in this case.

Although the case represents an important affirmance of the limits of FCPA jurisdiction and agency law, for Hoskins himself it must not be lost that the money laundering counts were affirmed by all three judges on the panel. The Second Circuit turned away his Speedy Trial Act and related Sixth Amendment claims, finding that although more than six years elapsed from indictment to trial, the vast majority of that time was properly excludable for Speedy Trial Act purposes and insufficient prejudice was shown from the delay. And the Court affirmed the jury instructions on withdrawal from conspiracy and venue for the money laundering counts. On that last point, as DOJ’s money laundering appetite grows it is noteworthy that the Second Circuit held that for venue purposes a multi-part wire transfer (in this case from Alstom Power in Connecticut to the agent in Maryland and then on to Indonesia) may be prosecuted as a single, continuing transaction in any of the U.S. districts through which the transaction traversed.

Roger Ng Trial Conviction

On April 8, 2022, following a nearly two-month trial and three days of deliberation, a federal jury in Brooklyn returned a guilty verdict on all three counts against former Goldman Sachs affiliate managing director Ng Chong Hwa (“Roger Ng”). The convictions of conspiracy to commit FCPA bribery, conspiracy to commit money laundering, and knowing circumvention of the FCPA’s internal controls provision, arose from the massive corruption scheme involving 1Malaysia Development Bank (“1MDB”) that we have been following for years.

According to the Government’s trial evidence, between 2009 and 2014, Ng participated in a scheme to launder billions of dollars from the Malaysian state-controlled economic development fund, including by misleading his firm into backing three bond transactions that were, in part, procured through the payment of more than $1 billion in bribes to government officials in Malaysia and the United Arab Emirates. The fund proceeds were allegedly laundered through the U.S. banking system, including famously for backing Hollywood blockbuster “The Wolf of Wall Street,” and other high-profile investments. Ng himself reportedly received $35 million for his role in the scheme.

As discussed in our 2021 Year-End FCPA Update, the Court previously denied Ng’s pretrial motion to dismiss the internal controls count, which argued that Ng could not have circumvented issuer Goldman Sachs’s internal accounting controls because the alleged bribes used 1MDB (and not bank) funds. The Honorable Margo K. Brodie of the U.S. District Court for the Eastern District of New York affirmed that ruling in denying Ng’s Rule 29 motion for a judgment of acquittal from the bench at the close of DOJ’s case, and explained her reasoning in a written post-trial opinion issued on April 8, the day of the jury’s verdict. Judge Brodie explained that the trial evidence was sufficient to show beyond a reasonable doubt that Ng and cooperating co-defendant Timothy Leissner, who testified against Ng, purposefully hid from various approval committees within the bank the involvement of well-known politically exposed person Low Taek Jho (“Jho Low”) in the 1MDB investment, as well as that the approval of various government officials in the investment was procured through bribery. While acknowledging that the term “internal accounting controls” could be read literally to apply only to safeguards concerning an issuer’s own accounting entries, the Court held that such a narrow reading would frustrate the overall intent of the statute and read out the explicit requirement in the statute that issuers establish controls to authorize specific transactions.

Ng is currently scheduled to be sentenced in November 2022.

Baptiste and Boncy FCPA Charges Dismissed on the Eve of Retrial

We covered in our 2021 Year-End FCPA Update the reversal of FCPA jury trial convictions of retired U.S. Army colonel Joseph Baptiste and businessperson Roger Richard Boncy, premised on an FBI sting simulating a bribery scheme involving Haitian port project investments, based on the ineffective assistance of Baptiste’s counsel infecting the fundamental fairness of the joint trial. The retrial was set to begin in July, but on June 27, 2022 DOJ moved to dismiss all charges with prejudice, and DOJ’s motion was granted by the Honorable Allison D. Burroughs of the U.S. District Court for the District of Massachusetts the following day.

The cause for the collapse of the prosecution stems from a December 2015 phone call with Boncy that an undercover FBI agent recorded during the investigation. The FBI inadvertently did not preserve the recording, which became a flashpoint during the initial trial as Boncy insisted that he made exculpatory statements during that conversation that would show he did not believe the investment in question was corrupt. That claim found late vindication when, leading up to the second trial, the FBI discovered text messages on an FBI server that contemporaneously described the contents of the December 2015 phone call, including a statement by Boncy that the money at issue would not be used to pay bribes. Aggressive discovery requests were the key driver to achieve this dismissal.

Baptiste and Boncy are now discharged and free from charges.

Eleventh Circuit Remands Case to Address Foreign Diplomat Immunity Defense

In our 2021 Year-End FCPA Update we covered the denial of motion to make a special appearance and challenge the money laundering indictment facing Alex Nain Saab Moran, a joint Colombian and Venezuelan national charged with money laundering offenses in connection with a $350 million construction-related bribery scheme in Venezuela. The Honorable Robert N. Scola, Jr. of the U.S. District Court for the Southern District of Florida rejected the motion on the basis of the fugitive disentitlement doctrine, given that Saab was not present in the United States himself.

On June 2, 2022, the U.S. Court of Appeals for the Eleventh Circuit in a per curiam order declined to address the merits of Saab’s appeal. With respect to the request to make a special appearance to challenge the indictment, the issue had been mooted by Saab’s interceding extradition from Cabo Verde. But with respect to Saab’s claim that he was a foreign diplomat immune from prosecution, the Eleventh Circuit remanded the case for the district court to address that issue in the first instance. Saab’s renewed motion to dismiss is now set for a week-long evidentiary hearing back before Judge Scola, beginning in October 2022.

District Court Finds Broad Privilege Waiver From Cooperation with DOJ

In our 2019 Year-End and 2020 Mid-Year FCPA updates, we covered the FCPA charges against and extensive post-indictment litigation involving the former Cognizant Technology Solutions President and Chief Legal Officer. The case is currently set for trial in the U.S. District Court for the District of New Jersey in October 2022, but the pretrial disputes continue apace. The individual defendants have moved to compel discovery on a number of issues, which the Honorable Kevin McNulty addressed in five separate memorandum opinions dated January 24 (two), March 23, April 27, and July 19, 2022.

Chief among the issues in dispute concerns the recurring dilemma of how companies are to navigate cooperation with government investigations without waiving the attorney-client privilege. Here, as part of its substantial cooperation efforts that ultimately led to a criminal declination, Cognizant provided DOJ with “detailed accounts” of numerous company employee witness interviews conducted by outside counsel. The individual defendants sought access to all materials associated with those interviews, which Judge McNulty in large part granted. The Court held that by disclosing privileged information to DOJ, Cognizant waived attorney-client privilege and work product protection “as to all memoranda, notes, summaries, or other records of the interviews themselves,” regardless of whether the interview summaries were conveyed orally or in writing. Further, “to the extent the summaries directly conveyed the contents of documents or communications, those underlying documents or communications themselves are within the scope of the waiver.” Finally, Judge McNulty held that “the waiver extends to documents and communications that were reviewed and formed any part of the basis of any presentation, oral or written, to the DOJ in connection with this investigation.”

As noted above, the former executives are currently scheduled to go to trial in October 2022. But this date may be imperiled by defendants’ recent motion to conduct numerous Rule 15 depositions in India, including through the compulsion of letters rogatory. We will undoubtedly return to this matter in future FCPA updates.

SEC Obtains Default Judgment in 2019 Case

In another development this year in a case initiated in 2019, on June 27, 2022 the Honorable J. Paul Oetken of the U.S. District Court for the Southern District of New York issued a default judgment against Yanliang “Jerry” Li. As discussed in our 2019 Year-End FCPA Update, Li, the former China Managing Director of a “multi-level marketing company,” later identified as Herbalife Nutrition Ltd., was indicted by DOJ and charged by the SEC for FCPA bribery and accounting violations arising from an alleged scheme to bribe Chinese government officials to obtain direct sales licenses and stifle negative media coverage about the company. Li has yet to make an appearance in U.S. court, even though he was served with the SEC’s complaint in China, and Judge Oetken assessed an Exchange Act Tier II penalty (ranging from $80,000 to $97,523) for each of five violations—(1) falsifying an expense report; (2) falsifying a SOX sub-certification; (3) endorsing a false audit report; (4) submitting a second false SOX certification; and (5) giving false testimony to the SEC—for a total of $550,092 in penalties.

PDVSA-related Defendants Move to Dismiss Indictments on Jurisdictional Grounds

We covered in our 2021 Year-End FCPA Update the seismic grant of Daisy Teresa Rafoi Bleuler’s motion to dismiss the FCPA and money laundering charges against her in the U.S. District Court for the Southern District of Texas by the Honorable Kenneth M. Hoyt. Judge Hoyt found that, as a matter of law, the indictment was deficient in alleging the actions abroad by Swiss citizen Rafoi, who did not set foot in the territory of the United States during the alleged PDVSA-related corruption scheme (and was challenging her indictment from abroad), were insufficient to bring her within the scope of U.S. jurisdiction. DOJ has appealed this dismissal, arguing that “a foreign national who actively participated in a US-linked scheme to pay bribes, can be liable for FCPA conspiracy even if she is not an enumerated FCPA actor who is liable as a principal,” and further that whether Rafoi qualified as an agent was a question of fact for a jury to decide.

On the heels of Judge Hoyt’s decision in the Rafoi case, co-defendant Paulo Jorge Da Costa Casqueiro Murta filed a motion to dismiss his own charges, raising many of the same jurisdictional arguments. On July 11, 2022, Judge Hoyt granted the motion for much the same reasoning as in the Rafoi case, but additionally on statute-of-limitations grounds and also granting a motion to suppress statements made by Casqueiro during a custodial interview in Spain. With respect to the statute-of-limitations matter, the Court waded through the complexities of multiple 28 U.S.C. § 3292 tolling orders and found that the return of an indictment against a co-defendant in 2017 ended the tolling period as to the subsequently indicted Casqueiro even though a later tolling order was issued and further Mutual Legal Assistance Treaty responses were filed by Swiss authorities. With respect to the suppression of statements, Judge Hoyt found that the circumstances of Casqueiro’s interview were impermissibly coercive where the defendant was summoned to the interview in Portugal by a local prosecutor, did not feel like he was permitted to leave the interview under Portuguese law, and was not advised of his protections under the U.S. constitution by the U.S. Department of Homeland Security agents who conducted the interview.

DOJ immediately filed a motion to stay the Casqueiro dismissal pending appeal, arguing that the defendant had been extradited to the United States to face these charges and would likely leave the United States if he was not maintained on pretrial release pending appeal. Judge Hoyt denied the stay request at the district court level, but on August 3, 2022 the U.S. Court of Appeals issued a stay pending resolution of the merits appeal, coupled with an order to expedite that appeal. On DOJ’s request, the Casqueiro and Rafoi appeals were then consolidated for argument, which is currently scheduled for October 2022. We expect these appeals will lead to a further important appellate ruling on the breadth of FCPA and money laundering statutes’ jurisdiction over foreign nationals, supplementing the Second Circuit’s decision in Hoskins discussed above.

Finally, a third co-defendant in the same sprawling case—Nervis Gerardo Villalobos Cárdenasg—filed his own motion to dismiss the indictment in February 2022, like Rafoi doing so from abroad. For reasons that may only be explained in a series of sealed orders, the Villalobos motion has proceeded on a slower track than the Casqueiro motion. DOJ makes many of the same arguments opposing dismissal as in the other cases, including renewing the same “fugitive disentitlement” challenge to the propriety of a court addressing a motion to dismiss filed by a so-called fugitive not before the court as it made (and was rejected) in Rafoi’s case. The motion to dismiss remains pending as of the date of publication.

Former Venezuelan National Treasurer Extradited; Motion to Dismiss Denied

On May 24, 2022, former Venezuelan National Treasurer Claudia Patricia Díaz Guillén made her initial appearance in the U.S. District Court for the Southern District of Florida and entered a not guilty plea to the money laundering charges against her. As described in our 2020 Year-End FCPA Update, Díaz is alleged to have accepted bribes to facilitate more favorable rates for foreign exchange transactions. Promptly following her extradition, Díaz moved to dismiss the charges on jurisdictional grounds similar to those raised by the PDVSA defendants in Houston described above. But the Honorable William P. Dimitrouleas, unpersuaded by Judge Hoyt’s rulings in Rafoi and Casqueiro, made short work of the motion by disposing of the matter as an issue for the jury in a two-page opinion dated July 12, 2022. Díaz currently faces an October 2022 trial date.

Fourth Circuit Affirms Lambert FCPA Trial Conviction

In our 2019 Year-End FCPA Update we covered the trial conviction of former Transport Logistics International, Inc. President Mark T. Lambert. On July 21, 2022, the U.S. Court of Appeals for the Fourth Circuit, in a per curiam opinion, affirmed the FCPA bribery and wire fraud convictions. The court found no error by the trial court in ruling on various evidentiary exclusions, nor in issuing an Allen charge when the jury initially could not agree on a verdict. On the substance of the charges, the Fourth Circuit found sufficient evidence to support the wire fraud convictions based on DOJ’s evidence that Lambert actively concealed material facts from the victim customer by virtue of quoting inflated costs that secretly included the costs of bribing one of the customer’s representatives, Vadim Mikerin, who also was prosecuted by DOJ.

Fifth Circuit Declares SEC Practice of Imposing Civil Monetary Penalties in Administrative Proceedings Unconstitutional

Those who have followed our client updates over the years may recall that many of the SEC’s settled FCPA enforcement actions for the first three decades of the statute were filed as civil complaints in federal district court. That all changed with the Dodd-Frank Wall Street Reform Act of 2010 (“Dodd-Frank”), which among many other important reforms granted the SEC authority to impose civil monetary penalties in administrative proceedings in which the SEC seeks a cease-and-desist order. Soon thereafter, the vast majority of settled enforcement actions (in FCPA and other cases) began being filed as administrative cease-and-desist proceedings.

Potentially imperiling that practice, on May 18, 2022 a three-judge panel from the U.S. Court of Appeals for the Fifth Circuit held in Jarkesy v. SEC that the SEC imposing civil monetary penalties in administrative proceedings is unconstitutional because Congress delegated its legislative power to the SEC without providing an intelligible principle by which the SEC could exercise that power. The Honorable Jennifer Walker Elrod, writing for the Court, recognized that Congress had authority to assign disputes to agency adjudication in “special circumstances,” but here found that Congress had given the SEC “exclusive authority and absolute discretion to decide whether to bring securities fraud enforcement actions within the agency instead of in an Article III court” while saying “nothing at all indicating how the SEC should make that call.” The Fifth Circuit further concluded that the SEC’s in-house adjudication violated the Petitioners’ Seventh Amendment right to a jury trial.

This decision does not involve FCPA enforcement directly, but its reverberations will certainly be felt in FCPA as well as other SEC enforcement areas until the law settles. For more on the Jarkesy decision, please see our separate article, “Jarkesy Wins Relief from ALJ Control After Years of Fighting for his Right to a Jury Trial.”

Continued Deferred Prosecution Agreement Scrutiny

We covered in our 2021 Year-End FCPA Update Deputy Attorney General Lisa O. Monaco’s October 2021 announcement that DOJ was modifying certain of its corporate criminal enforcement policies, and simultaneously highlighting increasing scrutiny that DOJ was giving to companies’ compliance with pretrial diversion (deferred and non-prosecution) agreements. The thrust of Monaco’s statements in the latter category was to express a concern that some companies continued to violate the law or otherwise failed to live up to their obligations during the period of their deferred and non-prosecution agreements. As we noted in our last update, close in time to this speech a number of companies announced that DOJ was conducting so-called “breach investigations,” including in the FCPA context such as the following example (among others):

On March 3, 2022, Mobile TeleSystems Public Joint Stock Company (“MTS”) announced a one-year extension of its 2019 FCPA deferred prosecution agreement (also covered in our 2019 Year-End FCPA Update), together with the monitorship that accompanied it. MTS reported that there had been no determination that it had breached the terms of its agreement, but that the extension was due to a variety of factors, including the COVID-19 pandemic and to allow sufficient time for MTS to implement enhancements to its anti-corruption compliance program and have those enhancements reviewed by the monitor.

There is no question that DOJ and the SEC are applying increased scrutiny to companies under the supervision (active as in a monitorship, or passive as in self-reporting) that comes with deferred and non-prosecution agreements. We expect additional developments in this area in the months and years to come.

CEO and CCO Certifications of Compliance Programs

When the May 2022 Glencore FCPA resolution described above required the company’s Chief Executive Officer and Chief Compliance Officer each to certify at the conclusion of the three-year term of the monitorship that the company’s compliance program is reasonably designed and implemented to meet the requirements of the plea agreement the compliance industry sat up and took notice. Compliance-focused advocacy organizations have argued that imposing this requirement on CCOs puts them in an untenable position, and, in effect, puts a target on their back for any imperfections in the corporate compliance program they oversee.

DOJ officials have gone on the speaking circuit in defense of this new policy. On May 26, 2022, Deputy Attorney General Monaco asserted at a SIFMA event that this was in fact DOJ’s “effort to empower the gatekeepers” and ensure that CCOs are kept in the loop on compliance matters. Echoing this sentiment, DOJ FCPA Unit Chief David Last said at a June 14, 2022 International Bar Association event that this certification “is not meant to be a gotcha game,” but rather designed to “incentivize” CEOs and CCOs to “make sure they’re checking that [their] compliance program is up to snuff.” And DOJ Fraud Section Assistant Chief Lauren Kootman said at a Women’s White Collar Defense Association event on June 22, 2022 that “[t]he intention is not to put a target on the back of a chief compliance officer,” but rather to ensure that companies appropriately resource their compliance departments. These assurances have provided cold comfort to many in the compliance industry, and likely this will be a continuing source of discussion as the policy is implemented more broadly. On that note, Kootman has confirmed that this requirement “most likely” will be incorporated into all corporate FCPA resolutions going forward.

2022 MID-YEAR FCPA-RELATED LEGISLATIVE AND POLICY DEVELOPMENTS

In addition to the enforcement developments covered above, the first eight months of 2022 saw numerous important developments in FCPA-related legislative and policy areas.

DOJ Issues Increasingly Rare FCPA Opinion Procedure Release (22-01)

By statute, DOJ must provide a written opinion at the request of an issuer or domestic concern stating whether DOJ would prosecute the requestor under the anti-bribery provisions for prospective (not hypothetical) conduct it is considering. Once a common staple of FCPA practice, this procedure has seen seldom use in recent years. Indeed, DOJ’s last opinion procedure release (covered in our 2020 Year-End FCPA Update) was issued in August 2020, and was itself then the first since 2014. On January 21, 2022, DOJ issued a new opinion procedure release (its 63rd overall) interpreting how the FCPA applies to payments made under physical duress in response to extortionate demands by foreign officials.

Requestor is a U.S. domestic concern that owns and operates maritime vessels. While awaiting entry to the port of Country B, one of Requestor’s vessels inadvertently anchored in the territorial waters of Country A, where it was intercepted by that country’s navy. The vessel’s captain was detained in a local jail without access to care needed to address his “serious medical conditions,” at which point a third party who claimed to be acting on behalf of Country A’s navy contacted Requestor and demanded $175,000 in cash in exchange for the captain’s release and permission to leave Country A’s territorial waters. After unsuccessfully trying to obtain formal documentation explaining the legal basis for the payment, and failed attempts at obtaining intervention by other agencies of the U.S. government, Requestor sought DOJ’s opinion that it would not be prosecuted for making the payment to obtain the release of its vessel’s captain and crew.

In light of the exigent, life-threatening circumstances, DOJ acted swiftly and issued an initial response within two days of the October 2021 request, following up with the full opinion in January 2022 upon the submission of additional information. DOJ concluded that it would not pursue an enforcement action on these facts because “Requestor would not be making the payment ‘corruptly’ or to ‘obtain or retain business.’” With respect to the “corrupt intent” element of the FCPA, DOJ concluded it would not be met here because Requestor’s primary motivation in making this payment was to “avoid imminent and potentially serious harm to the captain and the crew.” Notably, DOJ distinguished this circumstance of physical duress from the more commonly experienced circumstance of economic duress—where companies are “shaken down” for corrupt payments at the risk of unjust financial consequences—observing that payments made in response to financially coercive demands may well be illegal under the FCPA. With respect to the “obtain or retain business” element of the FCPA, DOJ concluded that it would not be met here because Requestor had no ongoing or anticipated business in Country A. DOJ further noted Requestor’s transparent efforts to address this situation in response to the payment demand, which did not evince a corrupt intent.

While FCPA Opinion Procedure Release 2022-01 does not break any genuinely new ground and, like other opinion releases, is expressly limited to the specific facts at hand, it does nonetheless offer useful guidance to companies and practitioners alike regarding DOJ’s interpretation of these two important elements of the FCPA. In particular, the ability to make even a large cash payment under questionable circumstances to preserve the physical safety and wellbeing of employees is genuinely helpful. Nonetheless, we must caution our readers to exercise caution in expanding the logic of this opinion into the realm of economic coercion, which DOJ does treat differently as expressed in its opinion.

FinCEN Advisory Regarding Kleptocracy and Foreign Public Corruption

On April 14, 2022, the Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”) released its “Advisory on Kleptocracy and Foreign Public Corruption,” which was developed to provide guidance to financial institutions in identifying and disclosing transactions involving the proceeds of foreign public corruption. As detailed in our 2021 Year-End FCPA Update and standalone client alert, “U.S. Strategy on Countering Corruption Signals Focus on Enforcement,” in December 2021, the Biden Administration—which previously identified the fight against corruption as a “core national security interest of the United States”—released a United States Strategy on Countering Corruption, articulating an ambitious, whole-of-government approach to combating corruption and its downstream societal effects. FinCEN describes this latest Advisory as part of the Biden Administration’s broader anti-corruption efforts.

Unsurprisingly, the Advisory describes Russia as a jurisdiction of “particular concern” in this area given “the nexus between corruption, money laundering, malign influence and armed interventions abroad, and sanctions evasion,” which is consistent with the United States’ broader efforts to combat and disrupt Russia-related financial activity following its invasion of Ukraine, including asset freezes and seizures conducted through Task Force KleptoCapture, discussed further in our separate client alert “United States Responds to the Crisis in Ukraine with Additional Sanctions and Export Controls.” The Advisory describes two typologies and patterns of activity associated with kleptocracy and foreign public corruption. First, “wealth extraction,” or the “siphoning off” of national resources by oligarchs and elites, is characterized as being conducted through bribery and extortion schemes involving foreign public officials or the misappropriation of embezzlement of public assets for private enrichment, which can commonly be accomplished through public procurement in the defense and health sectors or through bribes and kickbacks paid in the context of large infrastructure or development projects. Second, the Advisory notes that kleptocrats and other corrupt public officials will engage in similar activity to drug traffickers or other criminal actors to launder the proceeds of corruption, such as through the use of complex networks of shell companies or offshore accounts or the conversion of ill-gotten gains into the purchase of high-value assets such as luxury real estate, private jets and yachts, art and antiquities, or hotels.

The Advisory concludes with a set of 10 common “red flag” indicators that financial institutions should look out for in an effort to identify, prevent, and report potentially suspicious transactions involving the proceeds of kleptocracy or foreign public corruption. These include transactions involving multiple government contracts being awarded to the same entity or entities with common ownership, transactions in which government business is being conducted through personal accounts, transactions involving foreign public officials and the purchase of high-value or luxury assets and/or jurisdictions with which the officials do not have known ties, the use of third parties or shell companies to obscure the involvement of foreign public officials, transactions involving excessive charges or inconsistent or incomplete documentation, and transactions involving entities beneficially owned by individuals connected to known kleptocrats or their family members.

2022 MID-YEAR CHECK-IN ON THE FCPA SPEAKER’S CORNER

U.S. government anti-corruption enforcement personnel were active on the speaking circuit in the first eight months of 2022, offering a glimpse into DOJ and SEC priorities and expectations for the companies that appear before them. In many instances, these statements are more broadly focused on white collar crime in general, but the lessons may be applied in the FCPA context. We will cover the September 15, 2022 speech by U.S. Deputy Attorney General Lisa Monaco in a separate, forthcoming client alert.

Attorney General Merrick Garland

Speaking to the ABA Institute on White Collar Crime in Washington D.C. on March 3, 2022, Attorney General Merrick Garland made clear that DOJ’s first priority in corporate criminal cases is the prosecution of individuals who “commit and profit from corporate malfeasance.” Garland stated that DOJ’s focus on individual accountability is the best way to deter corporate crimes in the first place because corporations are only able to act through individuals. In addition, Garland argued that the prosecution of individuals is necessary because it bolsters Americans’ trust in the rule of law. Toward the end of his remarks, Garland noted that over the long course of his career he has seen DOJ’s interest in prosecuting corporate crime “wax and wane,” and concluded that “today, it is waxing again.”

Assistant Attorney General Kenneth Polite

In a March 25, 2022 speech before NYU Law’s Program on Corporate Compliance and Enforcement, Assistant Attorney General for the Criminal Division Kenneth Polite provided details on how DOJ evaluates corporate compliance programs. He stated that DOJ’s goal with such evaluations is to ensure that “companies are designing and implementing effective compliance systems and controls, creating a culture of compliance, and promoting ethical values.” First, according to Polite, a company’s compliance program must be well-suited to the company’s specific risk profile. Second, a compliance program must demonstrate a company’s commitment to compliance at all levels of the company. Third, DOJ wants to see evidence that the corporate compliance program actually works in practice. Finally, Polite emphasized that companies should be able to demonstrate an “ethical culture” that permeates all areas of the corporate structure.

Principal Deputy Assistant Attorney General Nicholas McQuaid

In a speech delivered at a forum hosted by the American Conference Institute on January 27, 2022, Criminal Division Principal Deputy Assistant Attorney General Nicholas McQuaid admonished attendees to not focus on the number of prosecutions of FCPA violations in the last year. Although as noted in our 2021 Year-End FCPA Update, FCPA resolutions in 2021 fell to their lowest level since 2015, McQuaid stated that DOJ entered 2022 with a “robust pipeline” of cases and that he expects there to be “significant resolutions” over the next year.

2022 MID-YEAR CHECK-IN ON FCPA-RELATED PRIVATE CIVIL LITIGATION

Although the FCPA does not provide for a private right of action, our readership knows well that civil litigants have pursued a variety of causes of action in connection with FCPA-related conduct, with varying degrees of success. A selection of matters with material developments in the first eight months of 2022 follows.

Select Shareholder Lawsuits / Class Actions

Mobile TeleSystems PJSC – As covered in our 2021 Year-End FCPA Update, shortly following MTS’s 2019 joint FCPA resolution with DOJ and the SEC for alleged corruption in Uzbekistan, the company found itself a defendant in a class action suit filed in the U.S. District Court for the Eastern District of New York, alleging that the company issued false and misleading statements about the its inability to predict the outcome of the U.S. government’s investigations, the effectiveness of its internal controls and compliance systems, and its cooperation with U.S. regulatory agencies. In March 2021, the Honorable Ann M. Donnelly dismissed the lawsuit, finding that the plaintiffs did not demonstrate that the challenged claims were false or misleading, that MTS could have predicted the outcome of the investigation, or that its disclosures about the existence of the investigation were insufficient. Just over a year later, on March 31, 2022, the U.S. Court of Appeals for the Second Circuit issued a summary order affirming Judge Donnelly’s dismissal. The Second Circuit held that the complaint was “devoid of any factual allegations that with particularity establish that MTS executives knew that they could reasonably estimate their potential liability arising from the government investigations but opted not to do so.”

Select Civil Fraud / RICO Actions

Stryker / Zimmer Biomet – In March 2022, Mexican government healthcare agency Instituto Mexican del Seguro Social (“IMSS”) lost two appeals of lawsuits involving alleged bribery of foreign officials. In both suits, one in the Sixth Circuit (Stryker) and the other in the Seventh Circuit (Zimmer Biomet), the Circuit Court affirmed the respective district court’s decision to grant a motion to dismiss on forum non conveniens grounds in cases where the relevant agents, evidence, and injury were all found to be based in Mexico and there was no showing that the Mexican court system was an inadequate forum.
Olympus Latin America – IMSS suffered another litigation defeat, this time for different reasons and in the U.S. District Court for the Southern District of Florida, when on August 31, 2022 the Honorable Kathleen M. Williams dismissed with prejudice the Mexican state agency’s fraud claim against Olympus arising from a portion of the facts that led to Olympus’s 2016 FCPA resolution described in our 2016 Year-End FCPA Update. Judge Williams determined that IMSS’s 2021 complaint was untimely because it was filed more than four years after Olympus’s 2016 deferred prosecution agreement. The Court rejected IMSS’s arguments that it did not know that its contracts with Olympus were covered in the FCPA resolution because they were not named specifically, holding that there was a duty to exercise diligence upon the public release of the deferred prosecution agreement.
Odebrecht S.A. – We last caught up on the bevvy of civil litigation filed against Brazilian construction conglomerate Odebrecht in the wake of its 2016 anti-corruption settlements with U.S., Brazilian, and Swiss authorities in our 2018 Year-End FCPA Update. On July 19, 2022, in a civil fraud case brought by bond purchasers that was allowed to proceed to discovery, U.S. Magistrate Judge Barbara Moses of the U.S. District Court for the Southern District of New York imposed severe sanctions on Odebrecht for discovery violations. The Court had previously ordered Odebrecht to provide discovery to the bondholders concerning materials previously provided to U.S. and Brazilian authorities but, without seeking a protective order or otherwise objecting, Odebrecht simply failed for more than a year to turn over the documents on the grounds that they were prohibited from doing so under Brazilian law. As a consequence, Judge Moses imposed Rule 37 sanctions establishing as a fact in the matter that the Odebrecht defendants made material misrepresentations to plaintiff bondholders with scienter. One week later the parties requested a settlement conference with Judge Moses.

Select Anti-Terrorism Act Suits

Certain Pharmaceutical and Medical Device Companies – We reported in our 2020 Year-End FCPA Update on a decision by the Honorable Richard J. Leon of the U.S. District Court for the District of Columbia dismissing a lawsuit brought by U.S. service members and their families alleging that certain pharmaceutical and medical device companies violated the Anti-Terrorism Act (“ATA”) by paying bribes to officials at the Iraqi Ministry of Health, which was controlled by the terrorist group Jaysh al-Mahdi (“JAM”), which JAM then used to fund attacks against the plaintiffs. Judge Leon ruled that the Court lacked personal jurisdiction over the foreign defendants, and the plaintiffs had failed to adequately plead a violation under the ATA as to the rest. On January 4, 2022, the U.S. Court of Appeals for the District of Columbia, in an opinion by Honorable Cornelia T.L. Pillard, reversed the dismissal and revived the case, finding that causation was adequately alleged and the district court’s jurisdictional analysis was “unduly restrictive.” Defendants have petitioned for a rehearing en banc, which remains pending as of the date of publication.

Other Civil Lawsuits

Cicel (Beijing) Science & Tech. Co. – We last covered the breach-of-contract lawsuit brought by Cicel against Misonix, Inc. in our 2017 Year-End FCPA Update. Cicel claimed wrongful termination of a distribution contract with Misonix, which then defended by arguing that it terminated only after discovering potentially corrupt conduct and disclosing it to DOJ and the SEC. On October 7, 2017, the Honorable Arthur D. Spatt of the S. District Court for the Eastern District of New York denied Misonix’s motion to dismiss, allowing the case to proceed to discovery. But earlier this year, on January 20, 2022, the Honorable Gary R. Brown granted Misonix’s motion for summary judgment, finding that undisputed facts conclusively proved Cicel’s involvement in illegal conduct, which Misonix moved swiftly to remediate upon discovery by conducting an internal investigation, terminating the relationship, and disclosing the matter to DOJ and the SEC. No prosecution was brought against Misonix, as both DOJ and the SEC closed their investigations in 2019.

2022 MID-YEAR INTERNATIONAL ANTI-CORRUPTION DEVELOPMENTS

World Bank

The World Bank has been quite active during the first eight months of 2022 in debarring companies and individuals for corrupt practices:

On January 4, 2022, the World Bank announced a 12-month debarment followed by a 12-month conditional non-debarment of ADP International S.A., a French-based airport developer, operator, and manager, for allegedly attending improper meetings with government officials during the tender for a contract and failing to disclose that fees paid to a retained agent were partially transferred to a non-contracted consultant. Colas Madagascar S.A. was also debarred for two years for arranging the improper meetings with government officials, and Bouygues Bâtiment Int’l was sanctioned with conditional non-debarment for 12 months for attending the meetings.
On February 23, 2022, the World Bank announced a 34-month debarment followed by an 18-month conditional non-debarment of AIM Consultants Limited, a consultancy company based in Nigeria, and its managing director, Amin Moussali. According to the World Bank, AIM through Moussali paid approximately $45,500 in kickbacks to various project officials after receiving payment for a service contract in connection with a $908 million World Bank-funded project designed to reduce soil vulnerability and erosion in certain sub-watersheds in Nigeria. As part of a settlement agreement, Moussali agreed to complete corporate ethics training, and AIM agreed to implement an integrity compliance program in accordance with the principles set out in the World Bank Group’s Integrity Compliance Guidelines.
On March 30, 2022, the World Bank debarred a Nigerian technology consulting company and its managing director for 50 months and 5 years, respectively, for acting as a consultant and making “appreciation” payments to project officials. According to the World Bank, SofTech IT Solutions and Services Ltd., under the direction of its managing director Isah Salihu Kantigi, served as a conduit through which he and other consultants made illegal payments to project officials in connection with a $1.8 billion project funded by the World Bank, which was designed to provide targeted cash transfers to poor and vulnerable households under an expanded national social safety net. As part of a settlement, Kantigi committed to taking corporate ethics training that demonstrates a commitment to personal integrity and business ethics, and SoftTech committed to implementing a corporate ethics training program.

On April 14, 2022, the World Bank sanctioned Germany-based Voith Hydro Holding GmbH & Co. KG and two subsidiaries for their alleged corrupt practices in power projects in the Democratic Republic of The Congo and Pakistan. According to the World Bank, between 2012 and 2016, Voith Hydro took actions to gain unfair tender advantages, including making improper payments to a commercial agent to gain favorable decisions in contract executions and failing to disclose those payments. The Voith Hydro entities face a range of 15-34 months of debarment, followed by conditional non-debarment terms.

Inter-American Development Bank

On March 18, 2022, The Inter-American Development Bank (“IDB”), which provides financing in Latin America, announced a three-year debarment of Brazilian construction company Construtora COESA and 26 subsidiaries for simulating competition for a contract, failing to act upon knowledge of corruption, and making illicit payments totaling $1.7 million to public officials involved in supervising and managing the contracts. In 2019, an affiliated entity settled with Brazilian authorities in relation to these and other matters for $460 million. The IDB credited the prior fine and Construtora COESA’s cooperation for a reduced sanction.

Europe

United Kingdom

JLT Specialty Limited

On June 22, 2022, the UK Financial Conduct Authority (“FCA”) announced a resolution with JLT Specialty, a UK subsidiary of JLT Group which, as noted above, reached a declination with disgorgement resolution with the U.S. DOJ and, as covered below, also reached a resolution with Colombian authorities. JLT Specialty agreed to pay the FCA £7.8 million for alleged failings concerning the risk management systems that it had in place between 2013 and 2017 that were responsible for countering the risks of bribery and corruption, which fine was reduced based on the assistance the company provided throughout the investigation, as well its self-report to relevant authorities and remediation. The FCA also commented that this was its second anti-corruption enforcement action against JLT Specialty, with the first occurring in 2013 as covered in our 2013 Year-End FCPA Update. Gibson Dunn represented JLT Group in connection with the FCA and U.S. investigations.

Glencore Energy (UK) Limited

On June 21, 2022, UK Glencore subsidiary Glencore Energy pleaded guilty to seven counts of bribery in connection with the same coordinated, multi-jurisdictional resolution with the U.S. DOJ and Brazilian authorities described above, but with the slightly different five-country line-up of Cameroon, Equatorial Guinea, Ivory Coast, Nigeria, and South Sudan. The SFO alleged that Glencore Energy paid over $28 million in bribes for preferential access to oil in these countries, including increased cargoes, valuable grades of oil, and preferable dates of delivery. Sentencing is currently scheduled to take place in November 2022.

KPMG Audit plc and Anthony Sykes

On May 24, 2022, the UK Financial Reporting Council (“FRC”) announced that it had imposed sanctions against a KPMG network firm in the United Kingdom and the responsible Audit Engagement Partner Anthony Sykes, in relation to the 2010 statutory audit of Rolls-Royce Group plc. According to the FRC, the respondents did not adequately respond to matters arising during the audit that indicated a risk of corruption by Rolls-Royce, including payments made by Rolls-Royce to agents in India that formed part of the company’s 2017 resolution with the Serious Fraud Office (“SFO”) and other authorities as covered in our 2017 Mid-Year FCPA Update.

Petrofac-Related Seizures

On April 28, 2022, the SFO recovered over £567,000 from three personal bank accounts linked to deceased UAE businessman Basim Al Shaikh, who allegedly paid bribes to secure contracts for Petrofac while working as a so-called “fixer agent.” As covered in our 2021 Year-End FCPA Update, in October 2021 Petrofac admitted to failing to prevent former senior executives of the group’s subsidiaries from using agents to pay bribes of £32 million to win oil contracts worth approximately £2.6 billion in Iraq, Saudi Arabia, and the United Arab Emirates between 2011 and 2017 and was ordered to pay over £77 million to settle the claims.

Unaoil Defendants Convictions Overturned

We covered most recently in our 2021 Year-End FCPA Update the several individual prosecutions arising out of the SFO’s Unaoil-related investigation of corruption in Iraq. For example, SBM Offshore Sales Manager Paul Bond was convicted in March 2021, though that conviction was then called into question when the conviction of co-defendant and former Unaoil Manager Ziad Akle was overturned in December 2021. The issue leading to the conviction reversal was the interaction between senior SFO officials and a “fixer” working on behalf of Unaoil founders Cyrus Allen Ahsani and Saman Ahsani, who themselves pleaded guilty to FCPA charges in the United States as discussed in our 2019 Year-End FCPA Update and hired the so-called fixer to place pressure on other defendants, unbeknownst to their lawyers, to likewise plead guilty. On March 24, 2022, the Court of Appeal of England and Wales also overturned Bond’s conviction. Then, on July 21, 2022, a third defendant, former SBM Offshore Vice President Stephen Whiteley, had his conviction overturned.

The same day as the reversal of Whiteley’s conviction, the UK Attorney General’s Office released a 100-plus-page report it commissioned by former high court judge Sir David Calvert-Smith detailing the lapses in the SFO’s handling of the case and making recommendations for enhanced controls going forward, which enhancements the SFO has said are in the process of being implemented. Notably, the report includes the nugget that Ata Ahsani—father to Cyrus and Saman—himself reached a non-prosecution agreement with the U.S. DOJ pursuant to which he agreed to a penalty of $2.25 million but suffer no further sanction. This non-prosecution agreement with Ata Ahsani has not been made public nor, to our knowledge, been confirmed by DOJ.

UK Government Guidance regarding Bribery and Corruption in Trade

On May 20, 2022, the UK government published new guidance for international businesses to demonstrate that their business and supply chain is free from bribery and corruption in order to trade with UK partners. The guidance notes that UK businesses must comply with the UK Bribery Act 2010, which extends to trading relationships and supply chains. Therefore, UK businesses expect international partners to be “aware of the risks of bribery and corruption” and “committed to communicating awareness to [their] employees and business partners.” To avoid bribery and corruption, businesses are advised to assess their risks; conduct thorough due diligence on potential trading partners; train staff to identify and avoid the risks of bribery and corruption; and keep records of avoidance, training, and mitigation procedures as proof that appropriate action has been taken where necessary.

European Union

European Public Prosecutor`s Office

The European Public Prosecutor’s Office (“EPPO”), the newly established authority charged with investigating criminal offenses affecting the financial interests of the European Union, has left its mark in its first year. Since its inception in June 2021, it has processed more than 4,000 crime reports and opened more than 900 investigations. Its efforts have led to 28 indictments, four convictions, and several orders to freeze assets valued at €259 million.One of the EPPO’s first anti-corruption cases concerned an official of the Bulgarian State Agriculture Fund who was indicted for accepting bribes. Further investigations in Bulgaria led to the arrest of several politicians in March 2022, including the former Prime Minister of Bulgaria.

Germany

COVID-19 Mask Scandal

The so-called “COVID-19 mask scandal” has been a source of great controversy in Germany, where it is alleged that politicians of federal and state parliaments used their influence and their connections to have ministries buy protective masks at inflated costs, allegedly in return for personal commissions. In several decisions, the Federal Court of Justice and the Higher Regional Court of Munich has held that the conduct did not meet the definition of elected officials taking bribes because it was not sufficiently clear that the defendants were acting in their capacity as members of parliament. The judges in unusually clear words called upon the legislature to change the law.

New Plans on Corporate Sanctions, Compliance, and Internal Investigations

Although the recently proposed Corporate Criminal Sanctions bill did not pass, the coalition agreement of the new federal government still plans to reform corporate criminal sanctions law. In this context, the coalition is also determined to enhance legal certainty with respect to compliance duties and to establish a precise legal framework for internal investigations. In a recent media statement, Federal Minister of Justice Marco Buschmann stated that the government intends to systematically revise the Criminal Code and Criminal Procedure Code in 2023, specifically highlighting changes relating to corporate criminal liability.

Russia & Former CIS

Kazakhstan

In June 2022, the Council of Europe’s Group of States Against Corruption (“GRECO”) published its first evaluation report on Kazakhstan. The report found that corruption in Kazakhstan remains a serious concern and is not limited to a specific sector or sphere. Although Kazakhstan’s Agency for Civil Service Affairs and Corruption was transformed into the Anti-Corruption Agency in 2019, and this agency has undertaken a number of positive initiatives such as establishing a hotline where the public can report allegations of corruption, much remains to be done. The report pointed to a flawed anti-corruption framework, state control of the media, and lack of responsiveness in policymaking as the key issues prohibiting Kazakhstan’s advancement on the anti-corruption front. GRECO will reevaluate Kazakhstan’s progress at the end of 2023.

Kyrgyzstan

In January 2022, the head of Kyrgyzstan’s State Customs Service, Adilet Kubanychbekov, was arrested on accusations of corruption. The State Committee for National Security announced that Kubanychbekov and his subordinates accepted bribes from certain private companies in exchange for allowing favorable conditions on the import of these companies’ goods. The Customs Service has been criticized for widespread corruption and this arrest occurred only three years after the disclosure of an estimated $700-million bribery scheme that implicated the former deputy chief of the Customs Service in allegations of bribery, evasion of customs fees, and money laundering.

Russia

Following Russia’s invasion of Ukraine, as part of its effort to quell dissent, the Russian government initiated an aggressive crackdown on essentially all independent media outlets, blocking access in Russia to websites of key investigative journalism outfits. As a side effect of these actions, access to independent information about anti-corruption efforts in Russia has been curtailed, particularly as the remaining media outlets devote much of their coverage to the war.

Russia’s General Prosecutor’s Office reported 12,000 corruption-related crimes in the first three months of 2022, roughly flat as compared to the same period a year ago, with bribery accounting for more than half of all corruption-related offenses. The total reported damage from all crimes in this period was 77.8 billion rubles (approximately $113 million).

On the legislative front, on February 16, 2022 the Russian Duma adopted an amendment to the laws “On Banks and Banking Activities” and “On Combating Corruption.” Under this amendment, the government is empowered to confiscate funds from government officials or employees of state-owned entities—as well as their spouses and minor children—if the legality of the source of these funds cannot be confirmed and if the amount in the account exceeds the income of the official for the past three years.

Ukraine

The focus of the Ukrainian government in the first part of 2022 has been on repelling the Russian invasion. Accordingly, progress on domestic policies—including with regards to rooting out corruption—has come to a halt except where those policies have a direct impact on the war effort. Certain anti-corruption policies have, however, become part of the war effort as they are conditions of Ukraine’s potential entry into the European Union—which Ukraine views as vital to its future success.

On June 17, 2022, the European Commission praised Ukraine for its progress in ensuring political and economic stability, but outlined seven steps that Ukraine should take in order to be further considered for acceptance into the European Union. Those steps include implementing laws that Ukraine has already passed, such as by appointing a new head of the Specialized Anti-Corruption Prosecutor’s office and by applying the Anti-Oligarch law to limit the excessive influence of oligarchs in economic, political, and public life. Other steps require Ukraine to further enact new legislation which would guarantee an independent media and judiciary. Although before the war, President Zelensky struggled to pursue his anti-corruption agenda with only 30% public support, the president now enjoys 90% approval among Ukrainians and appears to be highly motivated to take all steps that will allow Ukraine to prevail in the war and rebuild after, including through EU membership.

The Americas

Argentina

On April 25, 2022, the Transparency Policy Planning Directorate of Argentina’s Anti-Corruption Office approved a sweeping new System for Monitoring Private and Public Activities Before and After the Exercise of Public Function (“MAPPAP,” per its initials in Spanish). The purpose of the MAPPAP is collating and verifying compliance with public ethics regulations of individuals who enter and leave high-ranking public positions in the National Executive Branch. One of the stated goals of the MAPPAP is to limit potentially improper information sharing and the possible lack of impartiality that comes from so-called “revolving-door” employment in the private sector of former public sector officials.

Brazil

Our prior updates have covered at length the ongoing saga of Operation Car Wash, or Lava Jato, undoubtedly the most influential anti-corruption probe in Brazil’s history and one of the most significant globally as well. Perhaps the highest-profile target of the probe was former Brazilian President Luiz Inácio Lula da Silva, who was initially convicted and sentenced to nine years in prison in 2017. But then in 2021, Lula’s conviction was vacated by the Supreme Federal Court on the grounds that the original judge lacked jurisdiction to investigate and try the cases, and further was not considered to be impartial.

In the latest chapter, Lula brought his case to the U.N. Office of the High Commissioner on Human Rights, which in April 2022 found that “[t]he investigation and prosecution of former President Lula da Silva violated his right to be tried by an impartial tribunal, his right to privacy and his political rights,” and “that the actions and public statements by the former judge and the prosecutors violated his right to presumption of innocence.” The Commission further concluded that a prohibition against a future run for another presidential term was “arbitrary” and “urged Brazil to ensure that any further criminal proceedings against Lula comply with due process guarantees and to prevent similar violations in the future.”

Lula announced his pre-candidacy for president on May 7, 2022, and was officially nominated in July 2022 as Brazil’s Workers Party candidate to run against Brazil’s incumbent president in the October election.

Canada

As reported in our 2021 Year-End FCPA Update, Montreal-based engineering and construction firm SNC-Lavalin was charged together with two of its executives—Normand Morin and Kamal Francis—by the Royal Canadian Mounted Police (“RCMP”) with fraud and forgery in connection with a $100 million contract to refurbish a significant bridge in Montreal. At the time, SNC-Lavalin’s CEO reported it was the first company to receive an offer to negotiate for the settlement of charges under the new deferred prosecution agreement legislation passed in Canada, which was confirmed when, on May 6, 2022, the company announced that it agreed to a settlement and remediation agreement with the Quebec Crown Prosecutors’ Office. Pursuant to the deferred prosecution agreement, which was approved by Quebec’s Superior Court a week later, SNC-Lavalin will pay approximately $29.5 million and undergo a three-year compliance monitorship. The case against Morin and Francis remains ongoing.

Colombia

As discussed above, in March 2022 DOJ announced a declination with disgorgement resolution with British multinational insurance corporation JLT Group arising from alleged corruption involving Ecuadorian state surety company Seguros Sucre. Affiliated company Carpenter Marsh Fac Colombia agreed to a settlement with Colombian authorities pursuant to which it agreed to pay $2.1 million to resolve allegations arising from the same conduct.

Asia

China

In January 2022, the Nineteenth Central Commission for Discipline Inspection (“CCDI”) of the Chinese Communist Party held its Sixth Plenary Session, which emphasized the Party’s continued commitment to combating corruption. In particular, the communiqué of the plenary session highlighted anti-corruption efforts involving state-owned entities and in the financial and the public infrastructure sectors.

In March 2022, the National Supervisory Commission and the Supreme People’s Procuratorate (“SPP”) published synopses of five recent prosecutions as illustrative cases, each of which was focused on criminal liability of those providing bribe payments. The publication is in line with the ongoing shift in the government enforcement focus to the “supply side” of bribery. The cases concerned bribe-giving in various sectors, such as public procurement and healthcare, and all individual bribe-givers in these cases were found criminally liable. In addition, a precious metal company in Zhejiang province was found criminally liable for a bribe payment provided by its legal representative, with the Procuratorate arguing that the representative made the improper payment for the entity’s benefit and the funds for bribe-giving were generated from the entity’s operating business.

We continue to see active anti-corruption enforcement actions in China’s financial sector. Dozens of government officials and senior executives of state-owned banks have been investigated, charged, and/or penalized since the beginning of 2022. For example, in April 2022, enforcement authorities announced a corruption probe into Tian Huiyu, the former president of China Merchants Bank, and arrested Zeng Changhong, a former official at the China Securities Regulatory Commission, on suspicion of accepting bribes. In May 2022, Sun Guofeng, the former head of the monetary policy department at the People’s Bank of China, was removed from office and investigated on suspicion of accepting bribes. In the same month, the Beijing Municipal People’s Procuratorate charged He Xingxiang, the former vice president of China Development Bank, for allegedly accepting bribe payments, and in August 2022, he pleaded guilty to accepting bribe payments and valuables worth over $9.6 million.

The healthcare sector likewise remains at the center of China’s anti-corruption campaign. In May 2022, nine ministries of the Chinese Central Government jointly issued the 2022 Key Tasks on Safeguarding the Integrity of Medical Procurement and Medical Services. This document instructs local governments to identify and rectify misconduct in the healthcare sector and highlights the government’s focus on combating corruption in the healthcare sector, including illegal kickbacks and commercial bribery. In June 2022, the National Healthcare Security Administration added five medical device and pharmaceutical companies to a “blacklist” as a result of kickbacks and other improper payments allegedly provided to hospital employees through sales representative. Companies added to the “blacklist” may be prohibited or restricted from participating in the government’s public procurement process.

Finally, as reported in our 2021 Year-End FCPA Update, China’s SPP, along with other national authorities, launched the Third-Party Supervision and Evaluation Mechanism under which the SPP can refer a company that qualifies for the program to a third-party organization to investigate, evaluate, supervise, and inspect compliance commitments made by the company. In 2022, additional national authorities, including the China Securities Regulatory Commission, joined the Third-Party Supervision and Evaluation Mechanism. As of June 2022, the mechanism has been applied in over 1,000 cases involving both entities and individuals.

India

In January 2022, India’s Central Bureau of Investigation (“CBI”) arrested six executives of the Gas Authority of India Limited (“GAIL”), a state-owned natural gas explorer and producer. The executives are alleged to have demanded and received bribes from private companies in return for providing them with discounts on products sold by GAIL.The bribe payments are reported to be valued at INR 5 million (approximately $64,000).

In April 2022, the CBI arrested former Home Minister of the State of Maharashtra Anil Deshmukh in connection with allegations of corruption and money laundering. The case is one of the most high-profile corruption enforcement actions involving action by the CBI against a former member of the state cabinet. In June, the CBI filed a 59-page charge sheet with the special court, alleging that the former minister directed senior police officers in Mumbai to extort large sums of money from bars and restaurants.

Also in April 2022, the CBI registered its first anti-corruption case based on directions from the Lokpal, India’s anticorruption ombudsman tasked with investigating complaints of corruption against public servants. Despite enabling legislation for the Lokpal being passed in 2014, its functioning has been stalled by a lack of political will. Members of the Lokpal were only appointed in 2019 and key officers in its prosecution wing are still yet to be appointed. The allegations in this first Lokpal’s anti-corruption case involve irregularities in the tender, award, and execution of a construction contract between VK Singh Construction Company and the National Research Laboratory for Conservation of Cultural Property. The case was filed against the former director-general of the NRLC and the owner of the construction company.

Finally, on February 21, 2022, the Supreme Court of India reiterated that conclusive proof of demand and acceptance of a bribe by a public servant is essential in order convict that public servant for the offense of taking bribes under India’s Prevention of Corruption Act. The case involved a commercial tax officer who was arrested after undercover officers offered her cash in exchange for the favourable assessment. But the Supreme Court held that she could not be convicted of the offence of accepting a bribe since the prosecution had not established that the defendant had demanded a bribe in the first place.

Indonesia

In June 2022, Indonesia’s Corruption Eradication Commission (“KPK”) launched a grass-roots program to fight corruption nationwide. Under the pilot scheme, the KPK selected 10 pilot villages, each from a different province, to take part in the Village Anti-Corruption Program, which aims to educate participants about the importance of integrity and increase participation of rural communities in efforts to prevent and eradicate corruption. Speaking at the launch event, the KPK’s Deputy for Education and Community Participation noted that from 2015 to 2021, the Indonesian central government disbursed IDR 468.9 trillion (~ $32 million) to villages throughout Indonesia, and that much of these funds were misused as a result of corrupt practices by village officials. According to a KPK press release, there were 601 corruption cases involving village funds with a total of 686 suspects during the period from 2015 to 2021.

Japan

In June 2022, amendments to Japan’s Whistleblower Protection Act came into force, creating a mandatory obligation for companies with over 300 regular employees to establish an internal whistleblowing system. Under the amended law, covered companies must designate personnel to receive whistleblowing reports, investigate allegations, take corrective measures, and establish an internal report response system. Japan’s Consumer Affairs Agency will have authority to, inter alia: (i) make inquiries; (ii) give guidance to business operators who fail to meet the requirements; and (iii) publish the names of business operators who fail to follow their recommendations. By contrast, companies with 300 employees or less must “make efforts” to establish a whistleblowing system, but are not required to do so.

Malaysia

In January 2022, the Malaysian Anti-Corruption Commission (“MACC”) charged Mohd Yusof Ab Rahman, a manager of Aker Solutions, an engineering company listed on the Oslo Stock Exchange, for allegedly submitting false documents to Petronas, a Malaysian state-owned energy company, to secure a license renewal. Rahman pleaded not guilty to the allegations. The charge followed a similar case against an Aker manager in June 2021, which was ultimately dropped.

As reported in our 2020 Year-End FCPA Update, in 2020, former Prime Minister Najib Razak was found guilty of three counts of money laundering, three counts of breach of trust, and one count of abuse of power and sentenced to 12 years imprisonment in connection with the 1MDB corruption scheme. After two years of appeals, in August 2022, Malaysia’s highest court upheld his convictions, and Razak began his sentence. On September 1, 2022, Razak’s wife, Rosmah Mansor, was found guilty of three charges of soliciting and receiving bribes and sentenced to 10 years imprisonment arising from a matter unrelated to 1MDB in which Mansor allegedly assisted a company in receiving government contracts. Mansor also faces 17 charges of money laundering and tax evasion in a separate matter linked to 1MDB that has not yet begun. Mansor has pleaded not guilty to those charges.

South Korea

In May 2022, Korea’s new Act on the Prevention of Public Officials’ Conflict of Interest came into force. The key purpose of the law is to prohibit public officials from using their official authority or confidential information gained in the course of their public duties for personal gain. The law was passed following a string of high-profile conflicts of interest cases in South Korea, including a scandal involving Korea’s state run housing developer, Korea Land & Housing Corporation. In addition to the prohibition on the use of confidential confirmation, the new law creates requirements for public officials to disclose and report their ownership of real estate assets, their private sector work, and any contact with retired public officials. The maximum penalties under the law are seven years in prison or a fine of KRW 70 million ($55,000).

Africa

South Africa

South Africa’s Judicial Commission of Inquiry into Allegations of State Capture, Corruption, and Fraud in the Public Sector including Organs of State, also known as the “Zondo Commission,” released its report in 2022. The Commission was established in 2018 to investigate allegations of high-level corruption in the administration of former president Jacob Zuma. After more than 400 days of formal hearings, over 300 witness testimonies, and more than 1.7 million pages of documentary evidence, the Commission’s work has culminated in a five-part report.

The Zondo Commission report accuses high-ranking officials, including Zuma, of adversely interfering in the operations of important government departments and state-owned enterprises to make them amenable to their private interests and those of close allies. Among these allies is the Gupta family, whose many businesses held lucrative contracts with the South African government and state-owned enterprises. The Commission alleges that members of the Gupta family exerted significant influence over Zuma and played a central role in the state-capture of South Africa. While the Commission does not hold prosecutorial powers, it recommends that Zuma, members of the Gupta family, and several senior government officials be subjected to further investigations and prosecution. The report prescribes various reforms to address corruption in South Africa, including major changes to the public procurement system and strengthened protections for whistleblowers. Notably, it recommends the establishment of an independent anti-corruption body dedicated to combating misconduct and corruption.

The following Gibson Dunn lawyers participated in preparing this client update: F. Joseph Warin, John Chesley, Richard Grime, Patrick Stokes, Kelly Austin, Patrick Doris, Matthew Nunan, Oleh Vretsona, Oliver Welch, Claire Aristide, Ella Alves Capone, Josiah Clarke, Bobby DeNault, Andreas Dürr, Nathan Eagan, Derek Kraft, Nicole Lee, Allison Lewis, Ramona Lin, Andrei Malikov, Jacob McGee, Megan Meagher, Katie Mills, Sandy Moss, Jaclyn Neely, Ning Ning, Rick Roeder, Jason Smith, Hayley Smith, Pedro Soto, Laura Sturges, Karthik Ashwin Thiagarajan, Katie Tomsett, Alyse Ullery-Glod, Dillon Westfall, and Caroline Ziser Smith.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. We have more than 110 attorneys with Anti-Corruption and FCPA experience, including a number of former federal prosecutors and SEC officials, spread throughout the firm’s domestic and international offices. Please contact the Gibson Dunn attorney with whom you work, or any of the following:

Washington, D.C.
F. Joseph Warin (+1 202-887-3609, fwarin@gibsondunn.com)
Richard W. Grime (+1 202-955-8219, rgrime@gibsondunn.com)
Patrick F. Stokes (+1 202-955-8504, pstokes@gibsondunn.com)
Judith A. Lee (+1 202-887-3591, jalee@gibsondunn.com)
David P. Burns (+1 202-887-3786, dburns@gibsondunn.com)
David Debold (+1 202-955-8551, ddebold@gibsondunn.com)
Michael S. Diamant (+1 202-887-3604, mdiamant@gibsondunn.com)
John W.F. Chesley (+1 202-887-3788, jchesley@gibsondunn.com)
Daniel P. Chung (+1 202-887-3729, dchung@gibsondunn.com)
Stephanie Brooker (+1 202-887-3502, sbrooker@gibsondunn.com)
M. Kendall Day (+1 202-955-8220, kday@gibsondunn.com)
Robert K. Hur (+1 202-887-3674, rhur@gibsondunn.com)
Adam M. Smith (+1 202-887-3547, asmith@gibsondunn.com)
Oleh Vretsona (+1 202-887-3779, ovretsona@gibsondunn.com)
Courtney M. Brown (+1 202-955-8685, cmbrown@gibsondunn.com)
Ella Alves Capone (+1 202-887-3511, ecapone@gibsondunn.com)
Pedro G. Soto (+1 202-955-8661, psoto@gibsondunn.com)
Jason H. Smith (+1 202-887-3576, jsmith@gibsondunn.com)

Denver
Robert C. Blume (+1 303-298-5758, rblume@gibsondunn.com)
John D.W. Partridge (+1 303-298-5931, jpartridge@gibsondunn.com)
Ryan T. Bergsieker (+1 303-298-5774, rbergsieker@gibsondunn.com)
Laura M. Sturges (+1 303-298-5929, lsturges@gibsondunn.com)

Los Angeles
Debra Wong Yang (+1 213-229-7472, dwongyang@gibsondunn.com)
Marcellus McRae (+1 213-229-7675, mmcrae@gibsondunn.com)
Michael M. Farhang (+1 213-229-7005, mfarhang@gibsondunn.com)
Douglas Fuchs (+1 213-229-7605, dfuchs@gibsondunn.com)
Nicola T. Hanna (+1 213-229-7269, nhanna@gibsondunn.com)

Palo Alto
Benjamin Wagner (+1 650-849-5395, bwagner@gibsondunn.com)

Paris
Benoît Fleury (+33 1 56 43 13 00, bfleury@gibsondunn.com)
Bernard Grinspan (+33 1 56 43 13 00, bgrinspan@gibsondunn.com)

Munich
Benno Schwarz (+49 89 189 33 110, bschwarz@gibsondunn.com)
Michael Walther (+49 89 189 33 180, mwalther@gibsondunn.com)
Mark Zimmer (+49 89 189 33 115, mzimmer@gibsondunn.com)

Hong Kong
Kelly Austin (+852 2214 3788, kaustin@gibsondunn.com)
Oliver D. Welch (+852 2214 3716, owelch@gibsondunn.com)

São Paulo
Lisa A. Alfaro (+55 11 3521 7160, lalfaro@gibsondunn.com)

Singapore
Joerg Biswas-Bartz (+65 6507 3635, jbiswas-bartz@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Gibson Dunn’s Supreme Court Round-Up provides a preview of cases set to be argued during the October 2022 Term and other key developments on the Court’s docket. During the October 2021 Term, the Court heard argument in 63 cases, including 1 original-jurisdiction case.

Spearheaded by former Solicitor General Theodore B. Olson, the Supreme Court Round-Up keeps clients apprised of the Court’s most recent actions. The Round-Up previews cases scheduled for argument, tracks the actions of the Office of the Solicitor General, and recaps recent opinions. The Round-Up provides a concise, substantive analysis of the Court’s actions. Its easy-to-use format allows the reader to identify what is on the Court’s docket at any given time, and to see what issues the Court will be taking up next. The Round-Up is the ideal resource for busy practitioners seeking an in-depth, timely, and objective report on the Court’s actions.

To view the Round-Up, click here.

Gibson Dunn has a longstanding, high-profile presence before the Supreme Court of the United States, appearing numerous times in the past decade in a variety of cases. During the Supreme Court’s 6 most recent Terms, 9 different Gibson Dunn partners have presented oral argument; the firm has argued a total of 15 cases in the Supreme Court during that period, including closely watched cases with far-reaching significance in the areas of intellectual property, separation of powers, and federalism. Moreover, although the grant rate for petitions for certiorari is below 1%, Gibson Dunn’s petitions have captured the Court’s attention: Gibson Dunn has persuaded the Court to grant 33 petitions for certiorari since 2006.

* * * *

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Supreme Court. Please feel free to contact the following attorneys in the firm’s Washington, D.C. office, or any member of the Appellate and Constitutional Law Practice Group.

Theodore B. Olson (+1 202.955.8500, tolson@gibsondunn.com)
Amir C. Tayrani (+1 202.887.3692, atayrani@gibsondunn.com)
Katherine Moran Meeks (+1 202.955.8258, kmeeks@gibsondunn.com)
Jessica L. Wagner (+1 202.955.8652, jwagner@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

On August 11, 2022, the Federal Trade Commission (the “FTC” or the “Commission”) launched one of the most ambitious rulemaking processes in agency history with its 3-2 vote to initiate an Advance Notice of Proposed Rulemaking (“ANPR”) on “commercial surveillance” and data security.[1] On September 8, the Commission continued the rulemaking process by hosting a virtual “Commercial Surveillance and Data Security Public Forum (the “Public Forum”)” to gather public feedback on the proposed rulemaking.[2]

As explained in more detail in our prior article, the ANPR lays out a sweeping project to rethink the regulatory landscape governing nearly every facet of the U.S. internet economy, from advertising to anti-discrimination law, and even to labor relations. Any entity that uses the internet, even for internal purposes, is likely to be affected by this FTC action.

FTC Rulemaking Process

The FTC is undertaking this rulemaking under Section 18 of the FTC Act (also known as “Magnuson-Moss”), a hybrid rulemaking process that goes beyond the Administrative Procedure Act’s standard notice-and-comment procedures.[3] The FTC may promulgate a trade regulation rule to define acts or practices as unfair or deceptive “only where it has reason to believe that the unfair or deceptive acts or practices which are the subject of the proposed rulemaking are prevalent.” 15 U.S.C. § 57a(b)(3) (emphasis added). The FTC may make a determination that unfair or deceptive acts or practices are prevalent only if: “(A) it has issued cease and desist orders regarding such acts or practices, or (B) any other information available to the Commission indicates a widespread pattern of unfair or deceptive acts or practices.” 15 U.S.C. § 57a. That means that the agency must show (1) the prevalence of the practices, (2) how they are unfair or deceptive, and (3) the economic effect of the rule, including on small businesses and consumers.

Since the FTC published the ANPR, the Commission has posted 123 comments received thus far.[4] The Commission will continue to accept public comments until October 21. After the FTC’s review of comments, the next step in the Magnuson-Moss rulemaking process would be to publish a Notice of Proposed Rulemaking (“NPR”), which would set forth the proposed rule text, a description of its reasons supporting the proposed rules, any alternatives, and a preliminary regulatory analysis assessing the costs and benefits of the proposal and alternatives. This proposal would be submitted to Congress 30 days before public issuance. The FTC would then be required to convene a public comment opportunity after the issuance of the NPR and provide interested parties an opportunity for an informal hearing to present its views and resolve disputed factual issues. Finally, the FTC would publish its Final Rule, accompanied by a Statement of Basis of Purpose detailing the prevalence of the practices being regulated, how they are unfair or deceptive, and the economic effect of the rule, including an assessment of the rule’s costs and benefits and why it was chosen over alternatives. Any person could then seek review of the rule in the D.C. Court of Appeals within 60 days of promulgation. If an NPR is published, challenges will be likely.

Commercial Surveillance and Data Security Public Forum

The September 8 Public Forum included (i) statements from Chair Lina M. Khan, Commissioners Rebecca Slaughter and Alvaro Bedoya, and the Commission’s Assistant General Counsel Josephine Liu; (ii) a panel of industry representatives; (iii) a panel of consumer advocates; and (iv) over 65 public commenters.

Key topics discussed during the Public Forum included data minimization, data security, algorithmic discrimination and ethical Artificial Intelligence (“AI”), and the protection of teenagers over 13 years old, among others.

Below are highlights from the sessions:

Commissioner Statements.

Chair Lina Khan noted that the hearing will inform whether the agency proceeds with the rulemaking process. She noted that the FTC has a long record of using its enforcement tools to combat commercial surveillance and “lax” data security practices in instances where they are illegal, but that the FTC is “seeking to determine whether unfair or deceptive data practices may now be so prevalent that we need to move beyond case by case adjudication and instead have market wide rules.” She explained that the public record will be “critical” for the Commission to determine if it has the evidentiary basis to proceed with rulemaking, and meet the legal requirements to craft those rules. Chair Khan also stated that these issues are “urgent” given the ability for companies to track and surveil individuals throughout their day to day lives, without transparency for the average consumer regarding the data collection and use, and without any real power for Americans to opt-out of that surveillance.
The Commission’s Assistant General Counsel Josephine Liu provided an overview of the rulemaking process, and in particular highlighted three of the questions from the ANPR on which the Commission most wants public input:
- Which practices used to surveil customers are most prevalent? She explained that this question will help the FTC focus on particular areas of concern, for both enforcement purposes and determining whether rulemaking will occur. To move on in the rulemaking process, the FTC needs reason to believe such surveillance practices are prevalent.
- How should the Commission identify and evaluate commercial surveillance harms or potential harms? Public input on this will help the FTC identify and address specific ways Americans are being harmed.
- Lastly, which areas or kinds of harm has the FTC failed to address through enforcement? Public input on this will provide the FTC with evidence about the areas in which it has less enforcement experience, and areas that rulemaking may better address.
Commissioner Rebecca Slaughter remarked that she supports strong federal privacy legislation, but until it is passed, the Commission has a duty to act to address and investigate unlawful behavior. She encouraged industry representatives to engage with the Commission to ensure that the rules are effective and not merely a burdensome compliance exercise.
Commissioner Alvaro Bedoya emphasized that the Commission is not just looking for a collection of “expert” opinions, but instead wants to hear from the public how it is has been impacted by commercial surveillance and poor data security practices. He also noted that the ANPR goes beyond the conception of notice and choice, the usual “caricature” of American privacy law.

Commissioners Phillips and Wilson did not participate in the Public Forum.

Industry Representative Panel.

In addition to the Commissioners’ remarks, the FTC convened a panel of industry representatives moderated by Professor Olivier Sylvain, now Senior Advisor on Technology to Chair Khan. Professor Sylvain, whose academic work has focused on Section 230 of the Communications Decency Act, joined the FTC in 2021 from Fordham University where he served as Professor of Law.

Panelists included four senior executives and policy counsel from (1) a trade association for the digital content industry; (2) a web browser provider; (3) a retail trade association; and (4) a nonprofit coalition researching the use of artificial intelligence. Below are key themes from the industry panel:

Context Matters. The panel’s key theme was that the Commission should calibrate future rulemaking to different levels of risk presented by particular types of data collection and uses. Specifically, several panelists emphasized the need for future regulations to treat first-party data collected and used by consumer-facing apps and websites differently from third-party data collected by third parties for behavioral advertising. The Commission was urged to be careful not to inadvertently craft such broad regulations that they interfere with consumer freedoms and choices on the Internet.
Shift Away From Behavioral Advertising. Similar to the above, panelists emphasized the need to shift away from behavioral advertising completely. Instead, they recommended shifting towards other methods of advertising that utilize first-party data.
Big Data. One panelist mentioned that the “terms” of data use are established by “just a few big companies,” and that special attention needs to be paid to the dominant companies in the industry, who can set the tone for how rules are interpreted and implemented.
Best Practices. The Commission moderator asked panelists what “best practices” and business models have been developed to mitigate consumer harm and protect data. Responses included: (i) maintaining internal and public-facing documentation and benchmarking across the AI lifecycle; (ii) implementing risk assessment processes and basic security controls, such as encryption in transit, strong access controls (such as multi-factor authentication and strong password requirements), and security awareness training.
Global Insight. Panelists encouraged the FTC to review global legislation, such as the EU’s General Data Protection Regulation (“GDPR”) and the UK’s Children’s Code for guidance on what has worked, and has not worked, globally.
Protecting Teens Over 13. Protecting teens online over 13 years old, who have aged out of protections by the Children’s Online Privacy Protection Act (“COPPA”), was another key theme. Panelists urged the Commission to be sure the rules do not just create child safety “theater.”
Global Privacy Control/Single Opt-Out. Lastly, a key theme was implementing a browser setting, called a Global Privacy Control, that lets consumers tell websites their privacy preferences through a single opt-out, without having to manually reach out or make choices on each website. The Global Privacy Control was touted by some panelists as an important measure to protect privacy and choice. Others, however, worried that the single opt-out approach creates the potential to frustrate consumer choice and efforts for businesses to serve customers if consumers want to specifically consent to data collection and use for particular businesses.

Consumer Advocate Panel.

The Consumer Advocate Panel was moderated by Rashida Richardson, an Attorney Advisor to Chair Khan. This panel included members of non-profits and thinktanks focused on consumer privacy and digital innovation. In general, the moderator’s questions assumed harmful impacts of data use to consumers.

Algorithmic Discrimination. Panelists expressed that the FTC should protect disadvantaged communities. Panelists claimed that barriers in housing and employment are exacerbated by targeted advertisements.
Sensitive Information and Dark Patterns. The Supreme Court decision in Dobbs was discussed extensively. Concerns were raised about data brokers being able to sell consumer data to foreign governments, with consumers allegedly being harmed through an inability to opt-out of data being collected and companies selling sensitive health information.
API Misuse. The panelists stated that unwanted observation – through a single Software Development Kit (“SDK”) that can be found in hundreds of apps – can lead to sensitive data being transferred across many companies without consent. Alleged associated harms include data breaches, misuse, unwanted secondary data uses, and inappropriate government access.
Data Minimization and Targeted Advertisements. Data minimization, increased transparency, and regulating third-party targeted advertisements were key ideas raised throughout the panel as a means to FTC enforcement in this area. However, one panelist highlighted that targeted advertisements can actually play a positive role in society, such as to build community, mobilize voters, and disseminate health information to groups most likely to be effected. In this way, while data minimization is positive in theory, “color blindness” towards all data collection and use is not always the answer, as data can be used for good.
Harm to Minors. Panelists raised the harms of targeted advertising to teens who allegedly cannot distinguish between commercial content and entertainment content online. A key recommendation was raising protections for minors beyond COPPA, in line with global trends, such as instituting a mechanism for teens to easily delete their online data.
Consent Framework. Panelists generally expressed that, in their view, the concept of “notice and consent” is not a useful framework given the alleged power dynamics between consumers and those collecting their data online, and the purportedly asymmetric information provided to consumers when making those choices.
Concepts Missing From the ANPR. In response to the moderator’s question on whether the ANPR was missing anything, panelists raised the following topics: the FTC should (i) explore enumerating a list of sensitive categories of data, and define how precise location data needs to be for its collection to count as “unfair”; (ii) promulgate rules to regulate service provider relationships; (iii) set forth standards for data deidentification; and (iv) implement rules to prevent discrimination of marginalized communities, combined with strengthening the FTC’s civil rights expertise.

Public Commenters.

The FTC presented an array of public commenters after the two panels. Commenters included individuals from organizations like the U.S. Chamber of Commerce Technology Engagement Center, TechFreedom, the Centre for Information Policy Leadership, the Center for Democracy and Technology, Human Rights Watch, and the Electronic Privacy Information Center (“EPIC”). Some commenters were deeply concerned by the FTC’s broad-based expansion of its enforcement authority, while other commenters noted that the FTC’s expansion of its authority was necessary because of the privacy harms that the public allegedly suffers.
Industry participants emphasized that the FTC was mandating economy-wide changes relating to privacy, data security, and algorithms which would step on Congressional authority. According to these participants, this would trigger the Supreme Court’s Major Questions doctrine since the FTC does not have clear authorization from Congress to make such a broad-based rule.
Other members of the public noted that the FTC should take far-reaching action to protect personal data, with an emphasis on controls to safeguard children, student, health, and education data.

The ANPR and the public workshop are just initial steps in the lengthy FTC rulemaking process. Given the broad-based scope of the potential rules, the rulemaking process will be closely watched and analyzed. Gibson Dunn attorneys are closely monitoring these developments, and are available to discuss these issues as applied to your particular business.

__________________________

[1] Federal Trade Commission Press Release, FTC Explores Rules Cracking Down on Commercial Surveillance and Lax Data Security Practices (Aug. 11, 2022), https://www.ftc.gov/news-events/news/press-releases/2022/08/ftc-explores-rules-cracking-down-commercial-surveillance-lax-data-security-practices.

[2] Federal Trade Commission Event, Commercial Surveillance and Data Security Public Forum (Sept. 8, 2022), https://www.ftc.gov/news-events/events/2022/09/commercial-surveillance-data-security-anpr-public-forum.

[3] Magnuson-Moss Warranty Federal Trade Commission Improvement Act, 15 U.S.C. § 57a(a)(1)(B). The FTC had largely abandoned the promulgation of new trade regulation rules because the Magnuson-Moss process was perceived as too cumbersome and the agency generally preferred case-by-case enforcement over rulemaking. The Biden Administration, however, has revitalized the interest in promulgating trade regulation rules, to “provide much needed clarity about how our century-old statute applies to contemporary economic realities [allowing] the FTC to define with specificity what acts or practices are unfair or deceptive under Section 5 of the FTC Act.” Statement of Commissioner Rebecca Kelly Slaughter, Regarding the Adoption of Revised Section 18 Rulemaking Procedures (July 1, 2021), here.

[4] Public comments are available at, https://www.federalregister.gov/documents/2022/08/22/2022-17752/trade-regulation-rule-on-commercial-surveillance-and-data-security.

This alert was prepared by Svetlana S. Gans, Samantha Abrams-Widdicombe, and Kunal Kanodia.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:

United States
Matthew Benjamin – New York (+1 212-351-4079, mbenjamin@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, rbergsieker@gibsondunn.com)
S. Ashlie Beringer – Co-Chair, PCDI Practice, Palo Alto (+1 650-849-5327, aberinger@gibsondunn.com)
David P. Burns – Washington, D.C. (+1 202-887-3786, dburns@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, cgaedt-sheckter@gibsondunn.com)
Svetlana S. Gans – Washington, D.C. (+1 202-955-8657, sgans@gibsondunn.com)
Lauren R. Goldman– New York (+1 212-351-2375, lgoldman@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202-955-8510, shandler@gibsondunn.com)
Nicola T. Hanna – Los Angeles (+1 213-229-7269, nhanna@gibsondunn.com)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com)
Robert K. Hur – Washington, D.C. (+1 202-887-3674, rhur@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415-393-8395, klinsley@gibsondunn.com)
H. Mark Lyon – Palo Alto (+1 650-849-5307, mlyon@gibsondunn.com)
Vivek Mohan – Palo Alto (+1 650-849-5345, vmohan@gibsondunn.com)
Karl G. Nelson – Dallas (+1 214-698-3203, knelson@gibsondunn.com)
Rosemarie T. Ring – San Francisco (+1 415-393-8247, rring@gibsondunn.com)
Ashley Rogers – Dallas (+1 214-698-3316, arogers@gibsondunn.com)
Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, asouthwell@gibsondunn.com)
Deborah L. Stein – Los Angeles (+1 213-229-7164, dstein@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, bwagner@gibsondunn.com)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, mwong@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213-229-7472, dwongyang@gibsondunn.com)

Europe
Ahmed Baladi – Co-Chair, PCDI Practice, Paris (+33 (0) 1 56 43 13 00, abaladi@gibsondunn.com)
James A. Cox – London (+44 (0) 20 7071 4250, jacox@gibsondunn.com)
Patrick Doris – London (+44 (0) 20 7071 4276, pdoris@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Bernard Grinspan – Paris (+33 (0) 1 56 43 13 00, bgrinspan@gibsondunn.com)
Joel Harrison – London (+44(0) 20 7071 4289, jharrison@gibsondunn.com)
Vera Lukic – Paris (+33 (0) 1 56 43 13 00, vlukic@gibsondunn.com)
Penny Madden – London (+44 (0) 20 7071 4226, pmadden@gibsondunn.com)
Michael Walther – Munich (+49 89 189 33-180, mwalther@gibsondunn.com)

Asia
Kelly Austin – Hong Kong (+852 2214 3788, kaustin@gibsondunn.com)
Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.