Client Alert Archives

The recent lawsuits focus predominantly on three of the EEOC’s stated strategic priorities: protecting vulnerable workers, addressing selected and emerging issues, and preventing and remedying systemic harassment.

As its fiscal year wound down on September 30, the U.S. Equal Employment Opportunity Commission (EEOC) conducted its annual race to the courthouse. The EEOC filed 110 lawsuits during its past fiscal year, over 50 of which were brought in the last week of September.[1] This flurry of suits aligns with and reflects the EEOC’s continuing effort to advance the strategic aims and enforcement priorities it announced for 2024.

In September 2023, the EEOC released its Strategic Enforcement Plan for fiscal years 2024 to 2028 (the “SEP”),[2] which announced six “subject matter priorities” for enforcement. For more information on the SEP, please see Gibson Dunn’s client alert, Keeping Up with the EEOC: 10 Key Takeaways from its Just-Released Draft Strategic Enforcement Plan. The subject matter priorities announced in 2023 are:

“Eliminating Barriers in Recruitment and Hiring.” Focus will be on the use of artificial intelligence tools in job ads, recruiting, and hiring decisions; and underrepresentation of women and workers of color in certain industries and sectors (for example, construction and manufacturing, high tech, STEM, and finance, among others).
“Protecting Vulnerable Workers and Persons from Underserved Communities.” Focus will be on employer practices that affect LGBTQI+ individuals, older workers, immigrant and migrant workers, and individuals employed in low wage jobs, including teenage workers.
“Addressing Selected Emerging and Developing Issues.” This priority relates to workplace matters arising as backlash to current events, as well as enforcement related to the Pregnancy Discrimination Act and the Pregnant Workers Fairness Act and “inflexible policies or practices” that discriminate against individuals with disabilities.
“Advancing Equal Pay for All Workers.” This priority relates to employer practices related to pay secrecy, and reliance on salary history or applicants’ salary expectations to set pay.
“Preserving Access to the Legal System.” The EEOC will target employee release and confidentiality agreements and arbitration agreements that it believes improperly restrict access to the legal system.
“Preventing and Remedying Systemic Harassment.” The EEOC will continue to bring systemic harassment cases on all protected bases. The EEOC separately published new enforcement guidance on harassment in the workplace this past April, the first issued since 1999.[3]

Overall, the recent lawsuits focus predominantly on three of these strategic priorities: protecting vulnerable workers, addressing selected and emerging issues, and preventing and remedying systemic harassment:[4]

Protecting Vulnerable Workers. Multiple suits focus on discrimination and harassment towards workers who are members of what the EEOC describes as “vulnerable” populations, such as teenage workers and individuals from the LGBTQI+ community. One complaint, for instance, alleges that a hospitality employer fired a transgender housekeeper the day after the individual complained that a supervisor misgendered them and made anti-transgender statements.[5] Another lawsuit alleges that employees who identify as LGBTQI+ were sexually harassed by a retail store manager, who purportedly inquired about sexual acts relating to the employees’ sexual orientations and gender identities.[6] The EEOC also initiated suits against two companies that allegedly failed to prevent and remedy sexual harassment against teenage employees at a chain restaurant and a sports training facility.[7] The EEOC’s Acting Director of the Memphis District Office commented, “sexual harassment of young employees regardless of the industry is a serious problem, and combatting this remains a priority of the EEOC.”[8]

Addressing Selected and Emerging Issues. The EEOC sued several employers for alleged violations of the Pregnant Workers Fairness Act (PWFA) and the Americans with Disabilities Act (ADA) (as it relates to pregnancy-related disabilities). The PWFA, which went into effect on June 27, 2023, requires employers with 15 or more employees to provide reasonable accommodations for qualified applicants or employees with known pregnancy-related limitations, unless they would cause undue hardship;[9] the first EEOC lawsuit alleging a violation of the PWFA was announced on September 10, 2024.[10] The EEOC’s September filings include allegations that employers failed to accommodate pregnant employees, including by refusing to excuse absences due to a pregnancy-related condition and by forcing an employee to take unpaid leave instead of allowing her a chance to sit and take breaks at work.[11] One suit alleges that a trucking manufacturer denied a pregnant employee’s request to be transferred to a role that did not require her to lie on her stomach.[12] According to the EEOC, the employee was only offered unpaid leave, when light duty positions had purportedly been made available for non-pregnant employees who made similar accommodation requests.

In addition, several of the lawsuits allege that employers engaged in other forms of disability discrimination by maintaining inflexible policies and practices, including in recruitment and hiring. For example, one suit alleges that an employer discriminated against a blind call center employee when it took “only minimal steps to facilitate the employee’s use of screen reader software.”[13] Two other complaints allege that employers failed to hire hearing-impaired applicants who were otherwise qualified for the positions they sought.[14] Litigation in these areas is consistent with the EEOC’s release during 2023 of two guidance documents also targeted at protecting individuals with hearing and visual disabilities in the workplace.[15]

Combatting Systemic Harassment. A significant number of lawsuits initiated in the final days of the EEOC’s fiscal year allege that employees were subjected to hostile work environments based on their sex and race. Two lawsuits filed on September 30 in New York district courts allege that supervisors at a car dealership and hospitality company sexually harassed female employees, failed to take corrective action, and made conditions so intolerable that the employees were forced to resign.[16] Another suit alleges that a vehicle auctioneer forced the resignation of a Black employee who was subjected to persistent racial harassment for over a year.[17] The EEOC also accused a group of construction and auto-mechanic companies of creating a hostile work environment for Black and Hispanic employees in which the employees were allegedly subjected to racial epithets and derogatory remarks about national origin on a regular basis.[18]

The relative focus of the EEOC among its stated SEP subject matter priorities is illustrated by the distribution of its end-of-year filings among those priority areas.[19]

As for targeted industries, the EEOC’s end-of-year filings primarily target industries that employ low wage or manual workers, such as the restaurant, hospitality, retail, construction, and manufacturing industries.[20] In one lawsuit, where the EEOC alleges that a pizza chain retaliated against an employee who opposed sex-based discrimination, the Regional Attorney for the agency’s Chicago District Office stated, “retaliation in the restaurant industry remains a serious problem.”[21] Similarly, an assistant regional attorney for the EEOC’s St. Louis District Office noted that “[s]exual harassment continues to be a problem in the fast-food industry” when commenting on a lawsuit alleging sexual harassment of teenage female employees at multiple fast food franchise locations.[22] In another case alleging racial discrimination in the construction industry, the EEOC’s Miami Regional Attorney emphasized that, “Title VII applies to everyone and every industry.”[23]

Moreover, the EEOC primarily targeted smaller, private companies in its recently filed lawsuits, as depicted by the approximate distributions below.[24] And attached as Appendix A below is a chart providing additional details about the filed suits.

Overall, while the number of filings by the EEOC in fiscal year 2024 decreased from the prior year, the cases that the agency is pursuing reflect a strong continuing focus on its announced priority objectives. Given this focus, employers facing EEOC charges that raise allegations falling into these priority areas should be prepared for close scrutiny and for the agency potentially to take a more aggressive stance in handling such charges.

[1] EEOC, Newsroom, https://www.eeoc.gov/newsroom/search?page=0.

[2] EEOC, Strategic Enforcement Plan Fiscal Years 2024 – 2028 (Sept. 21, 2023), https://www.eeoc.gov/strategic-enforcement-plan-fiscal-years-2024-2028.

[3] EEOC, Enforcement Guidance on Harassment in the Workplace (Apr. 29, 2024), https://www.eeoc.gov/laws/guidance/enforcement-guidance-harassment-workplace. This guidance presents the agency’s view of the legal standards applicable to workplace harassment claims, which emphasizes, among other things, that Title VII prohibits harassment based on gender identity and that harassment can occur in a remote work environment.

[4] Indeed, the EEOC issued a press release expressly noting its focus in fiscal year 2024 on cases involving emerging issues and underserved, vulnerable populations. See Fiscal Year 2024 EEOC Litigation Focuses on Emerging Issues and Underserved, Vulnerable Populations (Oct. 9, 2024), https://www.eeoc.gov/newsroom/fiscal-year-2024-eeoc-litigation-focuses-emerging-issues-and-underserved-vulnerable.

[5] EEOC Sues Boxwood and Related Hotel Franchises for Discriminating Against Transgender Employee (Sept. 26, 2024), https://www.eeoc.gov/newsroom/eeoc-sues-boxwood-and-related-hotel-franchises-discriminating-against-transgender-employee.

[6] EEOC Sues Two Employers for Sex Discrimination (Oct. 1, 2024), https://www.eeoc.gov/newsroom/eeoc-sues-two-employers-sex-discrimination-0.

[7] EEOC Sues Two Employers for Sexual Harassment of Teens (Sept. 30, 2024), https://www.eeoc.gov/newsroom/eeoc-sues-two-employers-sexual-harassment-teens.

[8] Id.

[9] EEOC, What You Should Know About the Pregnant Workers Fairness Act, https://www.eeoc.gov/wysk/what-you-should-know-about-pregnant-workers-fairness-act.

[10] EEOC Sues Wabash National for Pregnancy Discrimination (Sept. 10, 2024), https://www.eeoc.gov/newsroom/eeoc-sues-wabash-national-pregnancy-discrimination.

[11] EEOC Sues Two Employers Under the Pregnant Workers Fairness Act (Sept. 26, 2024), https://www.eeoc.gov/newsroom/eeoc-sues-two-employers-under-pregnant-workers-fairness-act.

[12] EEOC Sues Wabash National for Pregnancy Discrimination, supra note 10.

[13] EEOC Sues The Results Companies for Disability Discrimination (Sept. 24, 2024), https://www.eeoc.gov/newsroom/eeoc-sues-results-companies-disability-discrimination.

[14] EEOC Sues Timken for Disability Discrimination (Sept. 26, 2024), https://www.eeoc.gov/newsroom/eeoc-sues-timken-disability-discrimination; EEOC Sues Heart of Texas Goodwill for Disability Discrimination (Sept. 26, 2024), https://www.eeoc.gov/newsroom/eeoc-sues-heart-texas-goodwill-disability-discrimination.

[15] See EEOC, Hearing Disabilities in the Workplace and the Americans with Disabilities Act (Jan. 24, 2023), https://www.eeoc.gov/laws/guidance/hearing-disabilities-workplace-and-americans-disabilities-act; Visual Disabilities in the Workplace and the Americans with Disabilities Act (Jul. 26, 2023), https://www.eeoc.gov/laws/guidance/visual-disabilities-workplace-and-americans-disabilities-act.

[16] EEOC Sues Two New York Area Employers for Sexual Harassment (Sept. 30, 2024), https://www.eeoc.gov/newsroom/eeoc-sues-two-new-york-area-employers-sexual-harassment.

[17] EEOC Sues Insurance Auto Auctions For Racial Harassment (Sept. 30, 2024), https://www.eeoc.gov/newsroom/eeoc-sues-insurance-auto-auctions-racial-harassment.

[18] EEOC Sues Trebor USA Corp., Colt Truck Care, LLC, and Wholesale Building Products, LLC, for Discrimination Against Hispanic and Black Employees (Sept. 30, 2024), https://www.eeoc.gov/newsroom/eeoc-sues-trebor-usa-corp-colt-truck-care-llc-and-wholesale-building-products-llc.

[19] Note that certain lawsuits were identified as falling into multiple categories of the SEP subject matter priorities.

[20] The EEOC Chair Charlotte Burrows spearheaded a hearing to examine purported discrimination in the construction sector. See EEOC, EEOC Shines Spotlight on Discrimination and Opportunities in Construction (May 17, 2022), https://www.eeoc.gov/newsroom/eeoc-shines-spotlight-discrimination-and-opportunities-construction.

[21] EEOC Sues Reggio’s Pizza for Retaliation (Sept. 25, 2024), https://www.eeoc.gov/newsroom/eeoc-sues-reggios-pizza-retaliation.

[22] EEOC Files Three Sexual Harassment Lawsuits (Oct. 1, 2024), https://www.eeoc.gov/newsroom/eeoc-files-three-sexual-harassment-lawsuits.

[23] EEOC Sues Trebor USA Corp., Colt Truck Care, LLC, and Wholesale Building Products, LLC, for Discrimination Against Hispanic and Black Employees, supra note 18.

[24] Because the EEOC sued groups of employers in certain lawsuits from the last week of September, the approximate numbers depicted in the graphs are higher than the total number of lawsuits filed that week.

Appendix A: Recent EEOC Filings

The following Gibson Dunn lawyers prepared this update: Jason C. Schwartz, Katherine V.A. Smith, Karl Nelson, Christina Andersen, and Hannah Morris*.

Gibson Dunn’s lawyers are available to assist employers who are facing EEOC charges or litigation in any of these priority areas, or who otherwise have questions regarding the EEOC’s activities and areas of focus. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Labor and Employment practice group, or Jason Schwartz and Katherine Smith.

Karl G. Nelson – Partner, Labor & Employment Group
Dallas (+1 214.698.3203, [email protected])

Jason C. Schwartz – Partner & Co-Chair, Labor & Employment Group
Washington, D.C. (+1 202.955.8242, [email protected])

Katherine V.A. Smith – Partner & Co-Chair, Labor & Employment Group
Los Angeles (+1 213.229.7107, [email protected])

*Hannah Morris, an associate in the firm’s Dallas office, is admitted to practice only in New York.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

Europe

09/26/2024

Court of Justice of the European Union | Judgment | Corrective Powers

On September 26, 2024, the Court of Justice of the European Union (“CJEU”) published its judgment in Case C-768/21 regarding the corrective powers of the Supervisory Authorities under the GDPR.

The CJEU noted that, when a personal data breach is established, the Supervisory Authority is not obliged to exercise a corrective power in all cases, in particular if a fine does not seem necessary to remedy the breach found and ensure the enforcement of the GDPR. The Court also stated that this could be the case when, as soon as the controller became aware of the breach, it took the necessary measures to ensure that that breach was resolved and did not recur.

For more information: CJEU Press release, Curia

09/12/2024

European Commission | Public Consultation | Standard Contractual Clauses

The European Commission announced that it plans to request public feedback on a draft of Standard Contractual Clauses (“SCCs”) under the GDPR in the fourth quarter of 2024.

The European Commission specified that these SCCs are relevant in the specific case where a data importer is located in a third country but is directly subject to the GDPR. They would complement the existing clauses related to data transfers to third country importers not subject to the GDPR.

For more information: European Commission Website

09/12/2024

Court of Justice of the European Union | Judgment | Lawful Basis

On September 12, 2024, the Court of Justice of the European Union (“CJEU”) published its judgment in the Joined Cases C-17/22 and C-18/22 regarding the lawfulness of processing relying on the performance of a contract.

The performance of a contract is a lawful basis within the meaning of the GDPR that justifies processing of personal data necessary for its performance. The CJEU outlined that when a contract expressly prohibits the disclosure of personal data, it cannot be considered that such disclosure is objectively indispensable for its performance.

For more information: Curia

09/12/2024

European Data Protection Board | Call for Expression of Interest | Consent or Pay

On September 12, 2024, the European Data Protection Board (“EDPB”) announced that it launched a call for expression of interest for a remote stakeholder event on November 18, 2024, to collect stakeholders’ input on upcoming guidelines on the application of data protection legislation in the context of “Consent or Pay” models.

The guidelines will be a continuation of the EDPB Opinion 08/2024, which addressed the “Consent or Pay” model in the context of large online platforms. These guidelines will have a broader scope of application.

For more information: EDPB Website

Austria

09/03/2024

Austrian Supervisory Authority | Accreditation | GDPR Certification Body

On September 3, 2024, the Austrian Supervisory Authority (“DSB”) announced the accreditation of the first GDPR certification body in Austria.

In addition, certification criteria under Art. 42(5) GDPR have been approved, allowing certification bodies to issue certifications based on these standards. Similar to codes of conduct, certifications serve as a compliance tool. Controllers can now be certified under these criteria.

For more information: DSB Website [DE]

Belgium

09/19/2024

Belgium Supervisory Authority | Guidelines | AI

The Belgium Supervisory Authority (“APD”) introduced a section on its website focusing on artificial intelligence and published new guidelines clarifying the interplay between the GDPR requirements and AI Systems in light of the newly adopted AI Act.

This initiative aims to enhance understanding and promote responsible AI practices. The brochure identifies the GDPR requirement specifically applicable to AI Systems (e.g., lawfulness of processing, transparency).

For more information: APD Website [NL], Guidelines [EN]

09/06/2024

Belgian Supervisory Authority | Reject | Non-profit Organization Mandate

On September 6, 2024, the Belgian Supervisory Authority (“APD”) published a decision rejecting the validity of the representation mandate submitted by a non-profit organization, deeming it an abuse of rights of the latter.

For more information: APD Website [NL]

France

09/24/2024

French Supervisory Authority | Recommendation | Mobile applications

On September 24, 2024, the French Supervisory Authority (“CNIL”) published its recommendations on mobile applications.

Following a public consultation initiated in July 2023, these recommendations aim to (1) clarify the role and obligations of each stakeholder in the mobile ecosystem, (2) improve user information on the use of their data, and (3) reiterate that applications must obtain valid consent to process data that is not necessary for their operation.

For more information: CNIL Website

09/05/2024

French Supervisory Authority | Sanction | Anonymization and Pseudonymization

On September 5, 2024, the French Supervisory Authority (“CNIL”) imposed a fine of €800,000 on a software provider.

The investigation carried out by the CNIL showed that the provider processed, without authorization, health data which was provided to its clients for studies and statistics purposes. The CNIL found that the data was pseudonymized, not anonymized, as it included detailed personal data linked to unique patient identifiers, allowing potential reidentification. Consequently, the CNIL considered that the data processed by the provider did not meet the anonymization criteria.

For more information: CNIL Website [FR]

Germany

09/25/2024

Thuringia Supervisory Authority | Annual Report 2023

The Thuringia Supervisory Authority (“TLfDI”) has issued its Annual Report on its activities in 2023.

The TLfDI reports, among others, the initiation of 115 fine proceedings, which is slightly more than in the precedent year.

For more information: TLfDI Website [DE]

09/17/2024

Berlin Supervisory Authority | Annual Report 2023

The Berlin Supervisory Authority (“BlnBDI”) has issued its Annual Report on its activities in 2023.

In 2023, the BlnBDI has, among others, developed a standard process for a data protection-compliant implementation of digitization projects by Berlin authorities.

For more information: BlnBDI Website [DE]

09/15/2024

German Government | Announcement | AI Regulation

The Federal Ministry for Economic Affairs and Climate Action announced that the Federal Network Agency will take the lead in overseeing the AI Act. However, the data protection authorities will remain involved in the process.

The Federal Network Agency’s experience in product safety, rather than data protection, made it the government’s choice. While the AI oversight is aimed at reducing bureaucracy, the involvement of data protection authorities ensures that compliance with privacy regulations remains a priority.

For more information: Ministry’s Announcement [DE]

09/11/2024

German Data Protection Conference | Position Paper | Scientific Research

The German Data Protection Conference (“DSK”) issued a position paper on the GDPR’s special regime on data processing for scientific research purposes (Article 89).

The DSK established five criteria that must be fulfilled in order to fall under the special regime regarding data processing for scientific research purposes. These include requirements regarding knowledge gain, a methodical and systematic approach, public interest, verifiability and independence and autonomous research. Such regime allows for changes in processing purposes, handling of sensitive data, limited information obligations, and suspension of data deletion.

For more information: DSK Website [DE]

09/11/2024

German Data Protection Conference | Guidance | Data Transfers & Asset Deals

On September 11, 2024, the German Data Protection Conference (“DSK”) updated its guidance on data transfers in the context of asset deals.

The DSK clarified that the transfer of personal data in the context of an asset deal requires a detailed legal assessment. While data transfers during a share deal are less problematic, asset deals demand careful consideration of data protection laws, with voluntary consent or legitimate interests often needed to justify the transfer. For example, when transferring personal data during an asset deal, it is important to distinguish between active business relationships and completed ones. Data from ongoing relationships can usually be transferred under certain legal grounds, while completed relationships may require customer consent or an objection process to ensure compliance with data protection regulations.

For more information: DSK Website [DE]

09/04/2024

Federal Ministry for Digital and Transport | Ordinance | Cookie banners | Consent

The Federal Government adopted an Ordinance on Consent Management Services presented by the Federal Ministry for Digital and Transport.

This Ordinance, adopted under Section 26(2) of the Telecommunications-Digital-Services-Data Protection Act (“TDDDG”), sets out requirements relating to the use of cookie banners and the provision of user consent, and in particular provides an alternative to “cookie banners”.

For more information: BMDV Website [DE]

Ireland

09/12/2024

Irish Supervisory Authority | Inquiry | AI | Data Protection Impact Assessment

On September 12, 2024, the Irish Supervisory Authority (“DPC”) announced that it launched an inquiry into an AI model.

The Cross-Border statutory inquiry concerns the question of whether the company who developed the AI model has complied with its obligation, provided under Article 35 of the GDPR to undertake a data protection impact assessment, prior to processing personal data of EU data subjects in connection with the development of its AI model.

For more information: DPC Website

09/04/2024

Irish Supervisory Authority | Proceedings | AI

On September 4, 2024, the Irish Supervisory Authority (“DPC”) announced the conclusion of the proceedings relating to an AI tool brought before the Irish High Court on August 8, 2024.

The matter was resolved after the company agreed to comply with DPC’s terms on a permanent basis. This action, the first of its kind initiated by the DPC, was initially made considering the serious concerns that the processing of personal data of EU individuals for the purpose of AI training raised a risk to their fundamental rights and freedoms. On the same day, the DPC requested to the European Data Protection Board an opinion on certain core issues arising in the context of processing for the purpose of developing and training an AI model.

For more information: DPC Website

Netherlands

09/05/2024

Dutch Supervisory Authority | Guidance | Data Breach Notification

The Dutch Supervisory Authority (“AP”) published a report analyzing more than 50 notifications sent to data subjects following the largest data breaches in 2023, along with a set of recommendations.

The AP explains that the notifications were not sent in a timely manner (three weeks on average), lacked clarity and details on the breach, as well as alarming subject lines. The AP further describes the challenges encountered by organizations while informing data subjects, which include efforts to avoid technical language, and the time needed for the message to be approved internally. Finally, the AP provides recommendations with sample messages to guide the organizations.

For more information: AP Website [NL]

09/03/2024

Dutch Supervisory Authority | Sanction | Unlawful Database

The Dutch Supervisory Authority (“AP”) fined a company €30.5 million for unlawfully creating a facial recognition database and warned Dutch organizations not to use the company’s services.

The AP found that the company had processed biometric data without being able to rely on one of the exceptions provided by the GDPR. In addition, the company insufficiently informed data subjects on the processing of their personal data and failed to respond to their access requests. Finally, the AP noted that the company did not designate a representative in the EU. In addition to the €30.5 million fine, the AP imposed four orders to end ongoing violations, subject to a €5.1 million penalty in case of non-compliance.

For more information: AP Website [NL], EDPB Website

Poland

09/20/2024

Polish Supervisory Authority | Guidance | Data Breach

The Polish Supervisory Authority (“UODO”) issued guidance for controllers on personal data breaches caused by the recent floods in southern Poland.

The UODO recalls that the 72-hour period for notifying data breaches starts from the moment of their discovery. It clarifies that, under the current circumstances, this may only be possible once the situation is under control. In addition, in case where controllers are unable to meet the deadline, the authority recommends justifying the delay by referring to extraordinary circumstances related to the flood.

For more information: UODO Website [PL]

09/09/2024

Polish Supervisory Authority | Sanction | Breach notification

The Polish Supervisory Authority (“UODO”) published its decision of August 20, 2024, imposing a fine of PLN 4,053,173 (approx. € 948,158) on a bank for failing to notify a data breach to its customers.

The UODO noted that an employee of the bank sent by mistake customers’ documents to another financial institution. The customers were not notified of this data breach despite the fact that the UODO had informed the bank of the necessity to carry out such a notification. The bank argued that the recipient of the documents was subject to banking secrecy and data subjects’ notification was therefore not necessary. The authority rejected this argument, stressing that it could not exempt the bank from compliance with its obligations.

For more information: UODO Website [PL]

Spain

09/02/2024

Spanish Supervisory Authority | Blog Post | Probabilistic Methods

The Spanish Supervisory Authority (“AEPD”) published a blog post on probabilistic methods and GDPR compliance.

The AEPD underlines that probabilistic or estimative methods are widely used in digital services and allow machine learning and artificial intelligence models to learn, improve and adapt to changing patterns. The authority states that the use of such methods raises questions regarding the principle of accuracy, as they may lead to false negatives, false positives or prediction errors. It emphasizes that the controllers should consider error thresholds and, on a case-by-case basis, alternative or complementary methods.

For more information: AEPD Website

United Kingdom

09/20/2024

UK Supervisory Authority | Statement | Generative Artificial Intelligence

The UK Supervisory Authority (“ICO”) issued a statement welcoming the suspension by a company of its processing of UK users’ personal data to train its generative AI models, pending further engagement with the ICO.

The ICO also stated that it will continue to monitor major developers of generative AI to ensure that the safeguards are in place and the rights of UK users are protected.

For more information: ICO Website

09/10/2024

UK Supervisory Authority and NCA | Memorandum of Understanding | Cyber Security

The UK Supervisory Authority (“ICO”) and the National Crime Agency (“NCA”) signed a Memorandum of Understanding that sets out their cooperation to improve the UK’s cyber resilience.

The aim is to ensure that organizations can better protect themselves from their data being stolen and held for ransom.

For more information: ICO Website

09/09/2024

UK Parliament | Bill | Automated Decision-Making

The “Public Authority Algorithmic and Automated Decision-Making Systems” Bill was introduced and passed the first reading in the House of Lords.

The Bill aims to regulate the use of automated and algorithmic tools by public authorities as part of their decision-making systems. It requires public authorities to conduct an impact assessment of such systems and introduces standards to ensure transparency.

For more information: UK Parliament Website

09/05/2024

UK Supervisory Authority | Study | Data Collection

The UK Supervisory Authority (“ICO”) released the results of its “Data Controller Study”.

The study has been carried out in order to have a deeper understanding on how organizations collect and use personal data and to inform the ICO’s strategic, regulatory and research activities. The results include both quantitative and qualitative data related to, in particular, the demographic characteristics and processing activities of controllers, the technology used by them, and the level of awareness of data protection law and the ICO.

For more information: ICO Website

This newsletter has been prepared by the European Privacy team of Gibson Dunn. For further information, you may contact us by email:

Ahmed Baladi – Partner, Co-Chair, PCCP Practice, Paris ([email protected])

Joel Harrison – Partner, Co-Chair, PCDI Practice, London ([email protected])

Vera Lukic – Partner, Paris ([email protected])

Lore Leitner – Partner, London ([email protected])

Kai Gesing – Partner, Munich ([email protected])

Clémence Pugnet – Associate, Paris ([email protected])

Thomas Baculard – Associate, Paris ([email protected])

Hermine Hubert – Associate, Paris ([email protected])

Billur Cinar – Associate, Paris ([email protected])

Christoph Jacob – Associate, Munich ([email protected])

Yannick Oberacker – Associate, Munich ([email protected])

Sarah Villani – Associate, London ([email protected])

Miles Lynn – Associate, London ([email protected])

This briefing note assesses the FCA’s proposed changes and the potential impact for payments and e-money firms.

On 26 September 2024, the Financial Conduct Authority (FCA) published its long-awaited consultation paper on proposed changes to the safeguarding regime for payments and e-money firms in the United Kingdom (CP24/20).

Payment and e-money firms are required to protect funds received in connection with making a payment or issuing e-money (“relevant funds”). The requirements are designed to protect consumers in the event of a firm failure and ensure that consumers receive the maximum value of their funds as quickly as possible.

The current safeguarding requirements are set out in the Payment Services Regulations 2017 (PSRs) and the Electronic Money Regulations 2011 (EMRs) as supplemented by Chapter 10 of the FCA’s Approach Document[1].

Why is the FCA consulting?

The FCA is consulting at this time as a result of the confluence of the following three concerns: increasing significance of the payments and e-money sector in the UK market; identified failings in safeguarding practices at a wide range of relevant firms; and legal uncertainty in the legal framework applied when a relevant firm enters an insolvency process.

The current safeguarding requirements were designed to support competition, innovation and consumer protection in a developing sector. Given the continued growth of the sector in the UK market and the consequential increasing reliance upon e-money accounts by consumers (often vulnerable consumers)[2], the risk of widespread consumer harm in the event of a large firm failure is intensifying.

The FCA has found evidence of significant failings in firms’ practices in relation to safeguarding. The FCA states in CP24/20 that of those firms that became insolvent between 2018 and 2023, there was an average shortfall of 65% in funds owed to clients (this is the difference between funds owed and funds safeguarded). Deficiencies in safeguarding rules were also noted in the Payment Services Regulations Review and Call for Evidence conducted by His Majesty’s Treasury (HMT). This prompted HMT to suggest that responsibility for developing detailed safeguarding requirements could be transferred to the FCA.

Further, two recent court judgments[3] in the UK have left many questions unanswered and significant legal uncertainty in the legal framework which applies when a payment or e-money firm safeguarding funds enters an insolvency process.

What is safeguarding?

Firms which are authorised by the FCA as payment institutions, e-money institutions and credit unions that issue e-money (collectively, “Firms”) are required under the PSRs and the EMRs to protect funds received in connection with executing a payment transaction or in exchange for e-money issued. Firms are required to do this immediately on receiving the funds. The requirements are designed to protect consumers in the event of the firm’s failure by ensuring that consumers receive the maximum value of their funds as quickly as possible.

Firms are able to safeguard relevant funds in two ways: (i) the segregation method; or (ii) the insurance or comparable guarantee method. By far the most popular method is currently the segregation method. The segregation method involves a firm segregating the relevant funds (i.e. keeping them separate from all other funds held) and, if the funds are still held at the end of the business day following the day on which they were received, to deposit the funds in a separate account with a credit institution or the Bank of England or to invest the relevant funds in secure, liquid assets approved by the FCA and place those assets in a separate account with an authorised custodian.

What is the FCA proposing?

The FCA is proposing a two-staged process to strengthen the safeguarding regime, referred to as the “interim-state” and the “end-state”. The reason for the two-stage process is that Parliamentary time is needed in order to pass new legislation for the end-state proposals to take effect. However, in light of the significant concerns identified by the FCA, the FCA is proposing to take some interim measures to strengthen safeguarding practices and increase regulatory oversight and monitoring in the shorter term.

Proposed interim-state rules

The proposed interim-state rules are designed to mitigate in the shorter term the FCA concerns which have been highlighted in CP24/20. Many of the requirements in the interim-state rules are closely related to similar concepts that appear elsewhere within the FCA armoury of rules and guidance. The new rules will be added to the Client Assets and Supervision Sourcebooks of the FCA Handbook. The measures include:

Improved books and records: Firms will be required to:
- Have adequate policies and procedures to ensure compliance with the safeguarding regime.
- Maintain accurate records and accounts to enable them, at any time and without delay, to distinguish between relevant funds and other funds.
- Perform internal reconciliations at least once each business day to ensure they are safeguarding the correct account of relevant funds and ascertain the reason for any discrepancies and resolve any excess or shortfall.
- Perform external reconciliations and ascertain the reason for any discrepancies and resolve any excess or shortfall.
- Notify the FCA (in writing and without delay) if: (i) their internal records are materially out of date, inaccurate or invalid; (ii) they will be unable to perform a reconciliation; (iii) they cannot resolve a discrepancy arising out of a reconciliation; or (iv) if, at any time during the previous year, there was a material difference between the amount which the Firm should have been but actually was safeguarding.
Resolution pack: Firms will be required to maintain a resolution pack to improve the ability to retrieve information helpful to the timely return of relevant funds in the event of the Firm’s insolvency.
Enhanced monitoring and reporting: Firms will be required to:
- Have their compliance with safeguarding requirements audited annually, with the audit report submitted to the FCA.
- Submit a new monthly regulatory return to the FCA in relation to safeguarding practices. The return will require Firms to provide data on (amongst other things) the amount safeguarded.
- Allocate responsibility for oversight of compliance with safeguarding requirements to a specific individual within the Firm.
Strengthening safeguarding practices:
- Additional safeguards will be imposed where Firms invest relevant funds in secure liquid assets.
- Firms will be required to consider diversification of third parties with which they hold, deposit, insure or guarantee relevant funds that it is required to safeguard and due diligence requirements.
- Additional safeguards and more detailed requirements on how Firms can use insurance or guarantees to safeguard relevant funds.

Proposed end-state rules

In addition to the interim-state rules, the end-state rules will impose two key requirements: (1) a statutory trust over relevant funds and assets, insurance policies and guarantees used for safeguarding; and (2) a requirement that Firms receive relevant funds directly into a designated safeguarding account. The architecture for the new statutory trust regime is strongly grounded in the statutory trust currently used in the FCA’s client assets regime applicable to investment firms.

The table below sets out a summary of the key proposals in both the interim-state and end-state[4]:

Main proposals	Interim-state proposals	End-state proposals (in addition to interim-state proposals)
Improved books and records	Enhanced record keeping and reconciliation requirements Requirement to maintain resolution pack	Updated record keeping and reconciliation requirements
Enhanced monitoring and reporting	Requirement for Firms to have safeguarding practices audited by an external auditor, with the safeguarding audit submitted to the FCA Requirement for firms to complete a monthly safeguarding regulatory return
Strengthening elements of safeguarding practices	Requirements to exercise due skill, care and diligence in selecting and appointing third parties Requirements to consider the need for diversification Additional requirements on how Firms can safeguard relevant funds by insurance or comparable guarantee	Relevant funds must be received into a designated safeguarding account at an approved bank, with limited exceptions Agents and distributors cannot receive relevant funds unless the principal firm safeguards the estimated value of funds held by agents and distributors in a designated safeguarding account Additional requirements when firms only safeguard relevant funds by insurance or comparable guarantee
Holding funds, etc. under a statutory trust		Firms will receive and hold the following under a statutory trust: Relevant funds; and Assets, insurance policies and guarantees used for safeguarding

Impact for relevant payment and e-money firms

The proposed changes, especially the interim-state requirements, do not represent a radical shift in the safeguarding requirements applicable to relevant Firms. Many of the requirements already apply and the changes are being introduced in order to support a greater level of compliance with the existing requirements, support more consistency in compliance and enhance regulatory oversight to assist with earlier identification or where risk may be building up. The end-state rules will, if implemented as proposed, result in a “CASS” style regime where relevant funds and assets are held on trust for consumers.

The impact of the interim-state rules on Firms should not be underestimated. It is clear that regulatory expectations relating to safeguarding are increasing. Firms are expected to ensure that their policies and procedures and systems and controls relating to safeguarding are robust. In particular, Firms should not underestimate the reconciliation requirements. While these are not new there are currently a wide range of practices and approaches to reconciliation across the sector. All firms will need to ensure that they review their practices and make enhancements in advance of the interim-state rules coming into force.

In advance of the interim-state rules coming into force, Firms will need to conduct a detailed gap analysis of their current practices relating to safeguarding and will need to uplift their policies and procedures and their systems and controls to ensure compliance with the new rules and regulatory expectations.

When will we know more?

The consultation period closes on 17 December 2024. Thereafter, the FCA will consider the responses received and will publish its response in the form of a policy statement and (presumably) made rules. Most of the interim-state rules will come into force following a six-month transitional period from the publication of final form rules. The FCA is currently targeting the first half of 2025 for this publication. The end-state rules will come into force following a 12-month transitional period from the date of their publication. However, the publication date is (presumably) dependent upon Parliamentary time and therefore the date is currently uncertain.

What should payments and e-money firms do now?

Impacted Firms should assess the extent of the impact of the proposals both in the interim-state and the end-state and consider whether they wish to prepare a response to the consultation.

[1] Payment Services and Electronic Money – Our Approach (November 2021)

[2] The proportion of UK consumers in the UK using an e-money account has grown from 1% in 2017 to 7% in 2022. Approximately 1 in 10 e-money holders use e-money accounts as their primary transactional accounts – Financial Lives Survey

[3] Ipagoo [2022] EWCA Civ 302 and Allied Wallet [2022] EWHC 1877 (Ch)

[4] See Table 1 CP24/20, Section 3.18 page 15

The following Gibson Dunn lawyers prepared this update: Michelle Kirschner and Martin Coombes.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact any member of Gibson Dunn’s Financial Regulatory team, including the authors in London:

Michelle M. Kirschner (+44 20 7071 4212, [email protected])
Martin Coombes (+44 20 7071 4258, [email protected])

In the last month, we have seen a surge in class action lawsuits filed against employers challenging health plan premiums charged to tobacco users. In this update, we provide a summary of the cases and an update on what’s next for plan sponsors and fiduciaries.

In recent weeks, sponsors and fiduciaries of employee benefit plans governed by the Employee Retirement Income Security Act (ERISA) have seen a rapid proliferation of class actions challenging tobacco-use surcharges adopted by such plans to incentivize smoking cessation. The wave of lawsuits has primarily targeted large, self-funded group health plans with claims that the plans are charging discriminatory premiums to tobacco users, in violation of 29 U.S.C. § 1182(b) and its implementing regulations.[1] A recent decision from the Southern District of Ohio suggests that the Supreme Court’s recent decision in Loper Bright Enterprises v. Raimondo, may play a role in how district courts respond to plaintiffs’ tobacco-use surcharge claims.

Background on Tobacco Surcharge Litigation

Corporate wellness programs have become increasingly common in the workplace. Some employers incorporate smoking cessation programs into their wellness programs as a way to encourage employees to quit smoking or using tobacco products. ERISA expressly permits these programs so long as they comply with certain requirements set out in the statute, including limits on the size of the incentive, frequency with which a participant may qualify, and availability of the incentive.

As background, to expand access to affordable health insurance coverage, the Affordable Care Act (ACA) amended ERISA to prohibit group health plans from imposing eligibility rules based on a “health status-related factor,” including “medical condition[s]” or “[m]edical history,” among other factors.[2] Under this rule, a plan “may not require any individual (as a condition of enrollment or continued enrollment under the plan) to pay a premium or contribution which is greater than such premium or contribution for a similarly situated individual enrolled in the plan based on any health-related factor in relation to the individual or to an individual enrolled under the plan as a dependent of the individual.”[3]

However, ERISA offers a safe harbor for certain wellness programs, permitting plans to “establish[] premium discounts or rebates or modify[] otherwise applicable copayments or deductibles in return for adherence to programs of health promotion and disease prevention.”[4]

The Department of Labor’s (DOL) implementing regulation addresses the method by which plan members may avoid a premium surcharge “based on whether an individual has met the standards of a wellness program.”[5] The regulation states that wellness programs must be “reasonably designed to promote health or prevent disease.”[6] A program will be regarded as reasonably designed if a reasonable alternative standard is provided to a member who does not meet the initial outcome-based standard. The regulation expressly approves programs that encourage smokers to enroll in cessation programs, regardless of whether the members stop smoking.

In other words, employers can offer incentives to wellness plan members, such as premium discounts, rebates, or adjustments to co-payments or deductibles, in exchange for their participation in wellness programs, and can surcharge plan members who do not comply with the programs. One way for plans to take advantage of the safe-harbor provisions while charging participants surcharges is to offer programs designed to increase member well-being such as, for example, a smoking cessation program, through which participants can avoid the surcharges by completing the program.

Until recently, suits challenging these surcharges were rare. But the last few weeks have seen a dramatic increase in the number of cases making such allegations. In this recent wave, plaintiffs allege that employers impermissibly collect fees—sometimes upwards of $800 – $1,150 per member, per year—from plan members who disclose that they use nicotine products in order to maintain health insurance coverage. Plaintiffs contend that the surcharges violate ERISA’s antidiscrimination and fiduciary provisions in two ways.

First, they assert that employers charge tobacco users a surcharge without providing members with a reasonable alternative standard, such as a smoking cessation program, through which the members can avoid the surcharge by completing the program. Relying on the DOL’s implementing regulations, plaintiffs contend that members must receive the full reward once they meet the alternative standard. In other words, there must be a way for members to avoid the surcharge entirely for the full plan year (retroactively and prospectively) if they complete a cessation program at any point during the year.

Second, plaintiffs assert that, even if a plan offers a reasonable alternative standard, it is not clearly communicated to members. According to plaintiffs, DOL regulations require the alternative standard be disclosed in “all plan materials.”[7]

Prognosis for Tobacco-Use Surcharge Cases: The Dismissal Order in Department of Labor v. Macy’s, Inc.

The surcharge cases in the current wave are still in early stages, but one of the few cases preceding this group—a government enforcement suit against Macy’s—might help shed light on how courts will respond to plaintiffs’ theories, and in particular, on plaintiffs’ reliance on DOL regulations.

On September 26, the U.S. District Court for the Southern District of Ohio in Secretary of Labor v. Macy’s, Inc., denied Macy’s bid to dismiss an ERISA anti-discrimination claim brought against it by the DOL.[8] Macy’s sought to dismiss a claim that its tobacco surcharge wellness program violated ERISA by discriminating against tobacco users.

In Macy’s, the Secretary of Labor took the position that the tobacco surcharge wellness program did not qualify as reasonably designed under the DOL’s implementing regulations because, inter alia, it required that a smoker be smoke-free at the conclusion of the cessation program before he or she could qualify for a refund of the surcharge.[9] According to the Secretary, being “smoke free” is not a “reasonable alternative” to the standard of being a non-smoker.[10]

After the parties had fully briefed their motion to dismiss, the Supreme Court issued the Loper Bright decision. In supplemental briefing, Macy’s argued that, when evaluated after Loper Bright, the DOL’s regulation, which would require a refund to an employee even if the member continued to smoke despite having participated in a cessation program, is invalid because it is inconsistent with ERISA, which requires “adherence to programs of health promotion and disease prevention.”[11]

In its order denying Macy’s motion, the district court ruled that Macy’s argument regarding the impact of Loper Bright warranted further consideration by the parties and the court, and granted Macy’s permission to renew its motion within 30 days to address “the significant issues presented in this litigation.”[12] We will closely monitor this case to see how, if at all, any subsequent decision on this issue could affect how courts weigh Loper Bright in assessing the viability of plaintiffs’ theories.

Notably, Macy’s is not the only employer that has been targeted by the DOL concerning tobacco-use surcharges. In September 2023, the U.S. District Court for the Northern District of Illinois entered a consent order and judgment in a suit brought by the DOL against Flying Food Group.[13] The court ruled that the company did not inform plan members that a reasonable alternative existed that would allow them to avoid paying a tobacco surcharge. The court ordered the company to reimburse plan members for the surcharges and to pay penalties under ERISA and related federal regulations. The recent explosion of private suits, however, is unprecedented.

What’s Next for Plan Sponsors and Fiduciaries

The Secretary of Labor’s litigation against Macy’s, coupled with the consent order in Flying Food Group, may further embolden plaintiffs to bring more lawsuits against employers who apply tobacco-use surcharges in their wellness plans.

In light of the recent proliferation of these suits, employers might want to consider reviewing their plan documents to assess whether they should or do offer a reasonable alternative standard, such as a smoking cessation program. Employers might also consider evaluating how and with what frequency their plans are notifying members about the availability of reasonable alternative standards.

[1] See, e.g., Williams v. Target Corp., No. 0:24-cv-03748 (D. Minn.); Baker v. 7-Eleven, Inc., No. 2:24-cv-01360 (W.D. Pa.); Bokma v. Performance Food Group, Inc., 3:24-cv-00686 (E.D. Va.); Keesler v. Tractor Supply Co., 3:24-cv-01612 (M.D. Pa.); Rogers v. Advocate Aurora Health, 1:24-cv-08864 (N.D. Ill.).

[2] 29 U.S.C. § 1182(a)(1).

[3] Id.

[4] 29 U.S.C. § 1182(b)(2)(B).

[5] 29 C.F.R. § 2590.702(c)(3).

[6] 29 C.F.R. § 2590.702(f)(4)(iii).

[7] Baker, No. 2:24-cv-01360, Dkt. 1 at 6 ¶ 21 (citing 29 C.F.R. § 2590.702(f)(4)).

[8] Sec’y of Labor v. Macy’s, Inc., No. 1:17-cv-00541, 2024 WL 4302093 (S.D. Ohio Sept. 26, 2024).

[9] Id. at *3.

[10] Id.

[11] Id. (quoting 29 U.S.C. § 1182(b)(2)).

[12] Id.

[13] U.S. Dept. of Labor, News Release, Flying Food Group Will Reimburse Health Plan Participants More Than $134,000 for Diagnostic Deductibles, Tobacco Surcharges, After Federal Investigation (Sept. 26, 2023), available at https://www.dol.gov/newsroom/releases/ebsa/ebsa20230926 (last accessed Sept. 30, 2024).

The following Gibson Dunn lawyers contributed to this update: Ashley Johnson and Jennafer Tryck.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Labor and Employment, Executive Compensation and Employee Benefits, or Insurance and Reinsurance practice groups:

Labor and Employment / ERISA:
Karl G. Nelson – Dallas (+1 214.698.3203, [email protected])
Jason C. Schwartz – Washington, D.C. (+1 202.955.8242,[email protected])
Katherine V.A. Smith – Los Angeles (+1 213.229.7107, [email protected])
Heather L. Richardson – Los Angeles (+1 213.229.7409,[email protected])
Ashley E. Johnson – Dallas (+1 214.698.3111, [email protected])
Jennafer M. Tryck – Orange County (+1 949.451.4089, [email protected])

Executive Compensation and Employee Benefits:
Sean C. Feller – Los Angeles (+1 310.551.8746, [email protected])
Krista Hanvey – Dallas (+ 214.698.3425, [email protected])

Insurance and Reinsurance:
Geoffrey Sigler – Washington, D.C. (+1 202.887.3752, [email protected])
Deborah L. Stein – Los Angeles (+1 213.229.7164, [email protected])

Gibson Dunn’s U.S. Supreme Court Round-Up provides a preview of cases set to be argued in the October 2024 Term and highlights other key developments on the Court’s docket. During the October 2023 Term, the Court heard 61 oral arguments and released 59 opinions. The Court has granted 39 petitions thus far for the October 2024 Term.

Spearheaded by Miguel Estrada, the U.S. Supreme Court Round-Up keeps clients apprised of the Court’s most recent actions. The Round-Up previews cases scheduled for argument, tracks the actions of the Office of the Solicitor General, and recaps recent opinions. The Round-Up provides a concise, substantive analysis of the Court’s actions. Its easy-to-use format allows the reader to identify what is on the Court’s docket at any given time, and to see what issues the Court will be taking up next. The Round-Up is the ideal resource for busy practitioners seeking an in-depth, timely, and objective report on the Court’s actions.

View the Round-Up Here

Gibson Dunn has a longstanding, high-profile presence before the Supreme Court of the United States, appearing numerous times in the past decade in a variety of cases. Fifteen current Gibson Dunn lawyers have argued before the Supreme Court, and during the Court’s nine most recent Terms, the firm has argued a total of 21 cases, including closely watched cases with far-reaching significance in the areas of intellectual property, securities, separation of powers, and federalism. Moreover, although the grant rate for petitions for certiorari is below 1%, Gibson Dunn’s petitions have captured the Court’s attention; Gibson Dunn has persuaded the Court to grant 40 petitions for certiorari since 2006.

* * * *

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the U.S. Supreme Court. Please feel free to contact the following attorneys in the firm’s Washington, D.C. office, or any member of the Appellate and Constitutional Law Practice Group.

Miguel A. Estrada (+1 202.955.8257, [email protected])
Jessica L. Wagner (+1 202.955.8652, [email protected])
Reed Sawyers (+1 202.777.9412, [email protected])

As the January 1, 2025 deadline for entities that were organized prior to 2024 quickly approaches, we provide a summary of key developments in the CTA space over the past few months.

In 2024, the beneficial ownership interest reporting requirements of the Corporate Transparency Act (CTA) came into effect. Gibson Dunn has previously published a number of client updates on CTA issues.[1] As the deadline (January 1, 2025) for entities that were organized prior to 2024 quickly approaches, this update provides a summary of key developments in the CTA space over the past few months. In short, the update discusses: (1) the CTA filing deadlines, which are quickly approaching for all entities that need to file; (2) notable frequently asked questions that the U.S. Financial Crimes Enforcement Network (FinCEN) has answered regarding dissolved entities and entities that withdrew their registration for doing business in U.S. states; (3) a brief summary of the FAQs announced on October 3; (4) an update on the litigation challenging the CTA; (5) a reminder of the potential penalties under the CTA; and (6) a short preview of future CTA developments to monitor.

Deadlines

As a reminder, the CTA’s beneficial ownership information reporting deadline for entities created or registered to do business in the United States prior to 2024 is coming up quickly. Specifically, companies organized in the United States or, in the case of foreign entities, registered to do business in the United States, in either case before January 1, 2024, must file beneficial ownership information reports with FinCEN by January 1, 2025, unless an exemption is available. Further, entities formed or registered to do business in the United States between January 1, 2024 and December 31, 2024 must file beneficial ownership information reports with FinCEN within 90 days of formation or registration. And in 2025, the deadline for newly formed or newly registered entities to file will decrease from 90 days to 30 days.[2] For organizations that must make a particularly large number of filings, it may be prudent to begin the filing process in the next couple of months to ensure adequate time to file.

Dissolved and De-Registered Entities

Throughout 2024, FinCEN has continued to issue guidance in the form of FAQs regarding the CTA. For instance, in February, the agency issued a notable FAQ regarding the scope of the subsidiary exemption, which we have discussed elsewhere.[3] More recently, FinCEN has issued important FAQs on the reporting obligations of entities that are dissolved or foreign entities that de-registered from doing business in U.S. states. The CTA and its implementing regulations did not squarely address situations where an entity is dissolved or, for foreign entities, withdraws its registration, before the entity’s beneficial ownership information report is due. FinCEN has subsequently released a number of FAQs, which collectively state, among other things, that:

If an entity is dissolved or a foreign entity withdrew its registration to do business in U.S. states prior to 2024, then the entity does not need to file.[4]
If, on the other hand, an entity that would have needed to report existed or was registered at any point during 2024, then it must file a report with FinCEN, even if the entity is dissolved or is a foreign entity that withdrew its registration to do business in U.S. states before its beneficial ownership information report was due.[5]

October 3 FAQs

On October 3, FinCEN announced 25 new or revised FAQs.[6] Some of the most notable FAQs include:

Beneficial Owners—FinCEN confirmed its expectation that every reporting company identify at least one beneficial owner, because, even if a natural person does not own 25% of the entity, the entity will be substantially controlled by one or more individuals.[7]
Owned or Controlled by Multiple Exempt Entities—FinCEN also confirmed that if an entity’s ownership interests are controlled or wholly owned by multiple exempt entities, “the reporting company may still qualify for the subsidiary exemption if the entities are unaffiliated,” provided that “every controlling or owning entity” is itself exempt.[8]
PIVs—When a pooled investment vehicle (PIV) is operated or advised by an exempt reporting adviser (ERA), FinCEN explained that ERAs do not qualify for the definition of an investment adviser under the CTA, because they are not registered with the SEC. Thus, a PIV that is “operated or advised” by an ERA only qualifies for the PIV exemption (#18) if the ERA meets the definition of a “venture capital fund adviser” (i.e., an entity that is described in section 203(l) of the Investment Advisers Act of 1940 (15 U.S.C. 80b-3(l)) and has filed Item 10, Schedule A and Schedule B of Part 1A of Form ADV (or any successor thereto) with the SEC). If the ERA relies on another exemption from registration with the SEC, then the PIV would not qualify for the CTA exemption.[9]
Conversion—If an entity converts from one type of entity to another (e.g., an LLC to a corporation), the conversion “may result in the creation of a ‘new’ domestic reporting company” depending on the law of the state where it occurred and the nature of the conversion.[10]
FOIA—FinCEN confirmed that beneficial ownership information reported to FinCEN is not accessible under the Freedom of Information Act (FOIA).[11]
FinCEN Identifier Updates—FinCEN confirmed that:
1. Individuals must update information they submitted to request a FinCEN identifier no later than 30 days after the date on which a change occurred, and individuals must correct any inaccuracies no later than 30 days after the date on which they became aware, or had reason to know, of an inaccuracy;
2. When information for a beneficial owner’s or company applicant’s FinCEN identifier is updated, the beneficial ownership information reports where that FinCEN identifier appears are automatically updated, with no further action needed; and
3. Reporting companies with a FinCEN identifier must update or correct the company’s information by filing an updated or corrected beneficial ownership information report, as appropriate.[12]

CTA Litigation Update

There are currently at least six pending lawsuits challenging the constitutionality of the CTA, on various grounds, including that the CTA exceeds Congress’s enumerated authorities and violates the First, Fourth, Fifth, Eighth, Ninth, Tenth, and Fourteenth Amendments.[13] Most notably, a federal district court in Alabama concluded that the CTA unconstitutionally exceeds Congress’s enumerated powers.[14] As we explained in a prior client update, the district court’s order is limited to the parties in the case, and FinCEN released a statement taking the position that any entity that is not a party to the case must continue to comply with the CTA.[15] The government appealed the district court’s decision, and the Eleventh Circuit heard oral argument on September 27, 2024. By contrast, a federal district court in Oregon recently rejected arguments challenging the constitutionality of the CTA.[16] Another lawsuit was filed in a federal district court in Texas, and there is a preliminary injunction hearing scheduled in that case for October 9, 2024. In the other cases, motions for summary judgment have either been briefed or are being briefed. Against this backdrop, companies should continue to proceed on the basis that the CTA will remain enforceable for the time being.

Penalties and Liability

As a reminder, the CTA provides for both civil and criminal penalties for “willful” violations of the law.[17] The civil penalties are currently $591 per day, and the criminal penalties can be up to $10,000 and up to two years of imprisonment.[18] Regarding who can be liable, FinCEN has made clear that “[b]oth individuals and corporate entities can be held liable for willful violations.”[19] This can include: (i) an individual who actually files (or attempts to file) false information with FinCEN, (ii) anyone who willfully provides the filer with false information to report, and (iii) individuals who either cause a willful failure to file or are a senior officer at the company at the time of the failure.[20]

Looking Ahead

The CTA space will continue to remain very active. For instance, FinCEN continues to publish FAQs clarifying its view of the law and is slated to conduct another rulemaking to harmonize the CTA and the Customer Due Diligence (CDD) Rule. In the interim, FinCEN has published a notice explaining how CDD obligations and CTA beneficial owner obligations are similar and different.[21] In the coming years, states are also set to become active in this space. New York, for instance, has passed a bill similar to the CTA that is slated to come into effect in 2026, and the legislatures in California, Massachusetts, and Maryland are considering similar bills.[22]

Gibson Dunn will continue to monitor CTA developments closely.

[1] See, e.g., Top 10 Mid-Year Developments in Anti-Money Laundering Enforcement in 2024, Gibson Dunn (Aug. 14, 2024), https://www.gibsondunn.com/top-10-mid-year-developments-in-anti-money-laundering-enforcement-in-2024/; The Corporate Transparency Act Declared Unconstitutional: What It Means for You, Gibson Dunn (Mar. 18, 2024), https://www.gibsondunn.com/corporate-transparency-act-declared-unconstitutional-what-it-means-for-you; Top 12 Developments in Anti-Money Laundering Enforcement in 2023, Gibson Dunn (Feb. 2, 2024), https://www.gibsondunn.com/top-12-developments-in-anti-money-laundering-enforcement-in-2023/; The Impact of FinCEN’s Beneficial Ownership Regulation on Investment Funds, Gibson Dunn (Aug. 10, 2023), https://www.gibsondunn.com/the-impact-of-fincens-beneficial-ownership-regulation-on-investment-funds/.

[2] See, e.g., FinCEN FAQ B.1, https://www.fincen.gov/boi-faqs (“FinCEN CTA FAQs”).

[3] Top 10 Mid-Year Developments in Anti-Money Laundering Enforcement in 2024, Gibson Dunn (Aug. 14, 2024), https://www.gibsondunn.com/top-10-mid-year-developments-in-anti-money-laundering-enforcement-in-2024/.

[4] FinCEN CTA FAQ C13 (“A company is not required to report its beneficial ownership information to FinCEN if it ceased to exist as a legal entity before January 1, 2024, meaning that it entirely completed the process of formally and irrevocably dissolving.”); C14 (“Reporting companies created or registered in 2024, no matter how quickly they cease to exist thereafter, must report their beneficial ownership information to FinCEN within 90 days of receiving actual or public notice of creation or registration.”); C16 (“A foreign company that entirely withdrew any and all registrations to do business in the United States before the beneficial ownership information reporting requirements became effective January 1, 2024, was never subject to the reporting requirements and thus is not required to report its beneficial ownership information to FinCEN.”).

[5] FinCEN CTA FAQ C13 (“If a reporting company (see Question C.1) continued to exist as a legal entity for any period of time on or after January 1, 2024 (i.e., did not entirely complete the process of formally and irrevocably dissolving before January 1, 2024), then it is required to report its beneficial ownership information to FinCEN, even if the company had wound up its affairs and ceased conducting business before January 1, 2024. Similarly, if a reporting company was created or registered on or after January 1, 2024, and subsequently ceased to exist, then it is required to report its beneficial ownership information to FinCEN—even if it ceased to exist before its initial beneficial ownership information report was due.”); C16 (“If a foreign reporting company (see Question C.1) was registered to do business in the United States on or after January 1, 2024 for any period of time (i.e., the company did not entirely complete the process of withdrawing its registration before January 1, 2024), then it is required to report its beneficial ownership information to FinCEN, even if the company had wound up its affairs and ceased conducting business before January 1, 2024.”).

[6] See generally FinCEN CTA FAQs

[7] FinCEN CTA FAQ D.1

[8] FinCEN CTA FAQ L.3; id., L.6.

[9] FinCEN CTA FAQ L.10

[10] FinCEN CTA FAQ C.18.

[11] FinCEN CTA FAQ A.6.

[12] FinCEN CTA FAQ M.6.

[13] National Small Business United et al. v. Yellen et al., No. 5:22-cv-01448 (N.D. Ala. 2024), on appeal National Small Business United et al. v. U.S. Dep’t of the Treasury et al., No. 24-10736 (11th Cir. 2024); Boyle v. Yellen et al., No. 2:24-cv-00081 (D. Me. 2024); Small Business Assn. of Mich., et al. v. Yellen, et al., 1:24-cv-00314 (D. Mich. 2024); Texas Top Cop Shop, Inc. et al. v. Garland, et al., No. 4:24-cv-00478 (E.D. Tx. 2024); Black Economic Council of Mass., et al., No. 1:24-cv-11411 (D. Mass. 2024); Firestone v. Yellen, No. 3:24-cv-1034 (D. Or.).

[14] National Small Business United et al. v. Yellen et al., No. 5:22-cv-01448, Dkt. 51 (N.D. Ala. 2024).

[15] The Corporate Transparency Act Declared Unconstitutional: What It Means for You, Gibson Dunn (Mar. 18, 2024), https://www.gibsondunn.com/corporate-transparency-act-declared-unconstitutional-what-it-means-for-you.

[16] Firestone v. Yellen, No. 3:24-cv-1034, Dkt. 18 (D. Or.).

[17] 31 U.S.C. § 5336(h).

[18] Id.; FinCEN CTA FAQ K2.

[19] FinCEN CTA FAQ K3.

[20] Id.

[21] Notice to Customers: Beneficial Ownership Information Reference Guide, FinCEN, July 26, 2024, https://www.fincen.gov/sites/default/files/shared/BOI-Notice-to-Customers-508FINAL.pdf.

[22] S.995-B/A.3484-A; CA S.B. 1201; MD S.B. 954; MA H. 3566.

The following Gibson Dunn lawyers assisted in preparing this update: Stephanie Brooker, Matt Gregory, David Ware, and Chris Jones.

Gibson Dunn has deep experience with issues relating to the Bank Secrecy Act, the Corporate Transparency Act, other AML and sanctions laws and regulations, and challenges to Congressional statutes and administrative regulations.

For assistance navigating white collar or regulatory enforcement issues, please contact any of the authors, the Gibson Dunn lawyer with whom you usually work, or any leader or member of the firm’s Anti-Money Laundering, Administrative Law & Regulatory, White Collar Defense & Investigations, or Investment Funds practice groups.

Please also feel free to contact any of the following practice group leaders and members and key CTA contacts:

Anti-Money Laundering:
Stephanie Brooker – Washington, D.C. (+1 202.887.3502, [email protected])
M. Kendall Day – Washington, D.C. (+1 202.955.8220, [email protected])
David Ware – Washington, D.C. (+1 202-887-3652, [email protected])
Ella Capone – Washington, D.C. (+1 202.887.3511, [email protected])
Chris Jones – Los Angeles (+1 213.229.7786, [email protected])

Administrative Law and Regulatory:
Stuart F. Delery – Washington, D.C. (+1 202.955.8515, [email protected])
Matt Gregory – Washington, D.C. (+1 202.887.3635, [email protected])
Eugene Scalia – Washington, D.C. (+1 202.955.8673, [email protected])
Helgi C. Walker – Washington, D.C. (+1 202.887.3599, [email protected])

White Collar Defense and Investigations:
Stephanie Brooker – Washington, D.C. (+1 202.887.3502, [email protected])
Winston Y. Chan – San Francisco (+1 415.393.8362, [email protected])
Nicola T. Hanna – Los Angeles (+1 213.229.7269, [email protected])
F. Joseph Warin – Washington, D.C. (+1 202.887.3609, [email protected])

Investment Funds:
Kevin Bettsteller – Los Angeles (+1 310.552.8566, [email protected])
Greg Merz – Washington, D.C. (+1 202.887.3637, [email protected])
Shannon Errico – New York (+1 212.351.2448, [email protected])

From the Derivatives Practice Group: On October 2, the U.S. Court of Appeals for the D.C. Circuit upheld the order that permits KalshiEX LLC to list contracts that allow Americans to bet on election outcomes.

New Developments

US Appeals Court Clears Kalshi to Restart Elections Betting. On October 2, the U.S. Court of Appeals for the D.C. Circuit upheld the D.C. District Court’s order that permitted derivatives trading platform KalshiEX LLC to list contracts that allow Americans to bet on election outcomes. The Court said that the CFTC did not show how the agency or the public interest would be harmed by the “event” contracts. The CFTC’s motion was denied “without prejudice to renewal should more concrete evidence of irreparable harm develop during the pendency of appeal.” [NEW]
CFTC’s Division of Clearing and Risk Announces Staff Roundtable Discussion on New and Emerging Issues in Clearing. On September 27, the CFTC announced that the Division of Clearing and Risk will hold a public roundtable on October 16, to discuss existing, new, and emerging issues in clearing. The roundtable will be held in the Conference Center at CFTC’s headquarters at Three Lafayette Centre, 1155 21st Street N.W., Washington, D.C. The roundtable will include participants from derivatives clearing organizations, futures commission merchants (“FCM”), FCM customers, end-users, custodians, proprietary traders, public interest groups, state regulators, and others. The goal of the roundtable is to gather information and receive expert input from a wide variety of stakeholder groups. Topics to be covered include the custody and delivery of digital assets, digital assets and margin, full collateralization, 24/7 trading, non-intermediated clearing with margin, and conflicts of interest related to vertically integrated entities. [NEW]
CFTC Requests Public Comment on a Rule Certification Filing by KalshiEX LLC. On September 26, the CFTC requested public comment on a rule certification filing by KalshiEX LLC, which would amend its rulebook to include rules for a request for quote functionality and amendments to its prohibited transactions rule. The CFTC previously stayed KalshiEX LLC’s filing because, according to the CFTC, the submission presents novel or complex issues that require additional time to analyze and is potentially inconsistent with the Commodity Exchange Act or the CFTC’s regulations. Comments must be submitted on or before October 28, 2024.
CFTC Staff Extends No-Action Position for Certain Reporting Obligations Under the Ownership and Control Reports Final Rule. On September 25, the CFTC’s Division of Market Oversight (“DMO”) issued a no-action letter that extends the current no-action position for reporting obligations under the ownership and control reports final rule (“OCR Final Rule”). The OCR Final Rule, approved in 2013, requires the electronic submission of trader identification and market participant data for special accounts and volume threshold accounts through Form 102 and Form 40. DMO said that it is extending its no-action position to address continuing compliance difficulties associated with certain ownership and control reporting obligations identified by reporting parties and market participants. The position extends DMO’s position under CFTC Letter No. 23-14, stating that DMO will not recommend the CFTC commence an enforcement action for non-compliance with certain obligations. These obligations include, among others, the timing of ownership and control report form filings; certain information required to be reported regarding trading account controllers and volume threshold account controllers on Form 102; the reporting threshold that triggers the reporting of a volume threshold account on Form 102; the filing of refresh updates for Form 102; and responses to certain questions on Form 40. The no-action position will remain in effect until the later of the applicable effective date or compliance date of a CFTC action, such as a rulemaking or order, addressing such obligations.
CFTC Announces Four Orders Granting Whistleblower Awards – Marking the Most in a Single Day. On September 23, the CFTC announced awards totaling approximately $4.5 million for whistleblowers who, collectively, provided information that led to the success of multiple enforcement actions brought by the CFTC and another authority. The four orders granting awards, to a total of seven whistleblowers, are the most the CFTC has issued on a single day.
CFTC Staff Extends Temporary No-Action Letter Regarding Capital and Financial Reporting for Certain Non-U.S. Nonbank Swap Dealers Domiciled in the EU and the UK. On September 20, the CFTC’s Market Participants Division (“MPD”) announced it issued a temporary no-action letter extending CFTC Staff Letters No. 21-20 and 22-10 to certain nonbank swap dealers (“SDs”) domiciled in the EU and the UK that are the subject of pending CFTC reviews for comparability determinations regarding capital and financial reporting requirements. As part of the capital and financial reporting requirements for nonbank SDs, the CFTC adopted a substituted compliance framework that permits certain nonbank SDs to rely on compliance with home-country capital and financial reporting requirements in lieu of meeting all or parts of the CFTC’s capital adequacy and financial reporting requirements, provided the CFTC finds the home-country requirements comparable to the CFTC’s requirements. Through CFTC Staff Letter No. 24-13, issued on September 20, MPD is extending a no-action position to eligible nonbank SDs domiciled in the EU and the UK that are not covered by existing CFTC orders addressing capital and financial reporting requirements. The no-action position is conditioned upon the nonbank SDs remaining in compliance with applicable home-country capital and financial reporting requirements and submitting certain financial reporting information to the CFTC. The no-action position will expire by December 31, 2026 or the effective date of any final CFTC action addressing the comparability of capital and financial reporting requirements applicable to the relevant nonbank SDs.
CFTC Approves Final Guidance Regarding the Listing of Voluntary Carbon Credit Derivative Contracts. On September 20, the CFTC approved final guidance regarding the listing for trading of voluntary carbon credit derivative contracts. The guidance applies to designated contract markets (“DCMs”), which are CFTC-regulated derivatives exchanges, and outlines factors for DCMs to consider when addressing certain Core Principle requirements in the Commodity Exchange Act and CFTC regulations that are relevant to the listing for trading of voluntary carbon credit derivative contracts. The guidance also outlines factors for consideration when addressing certain requirements under the CFTC’s Part 40 Regulations that relate to the submission of new derivative contracts, and contract amendments to the CFTC.

New Developments Outside the U.S.

ESMA Launches New Consultations Under the MiFIR Review. On October 3, ESMA launched two consultations on transaction reporting and order book data under the Markets in Financial Instruments Regulation (“MiFIR”) Review. ESMA is seeking input on the amendments to the regulatory technical standards (“RTS”) for the reporting of transactions and to the RTS for the maintenance of data relating to orders in financial instruments. [NEW]
Joint UK Regulators Issue Press Release on the End of LIBOR. On October 1, the Bank of England published a joint press release with the FCA and the Working Group on Sterling Risk-Free Reference Rates on the end of LIBOR. On September 30, the remaining synthetic LIBOR settings were published for the last time and LIBOR came to an end. All 35 LIBOR settings have now permanently ceased. The Working Group has met its objective of finalizing the transition away from LIBOR and will be wound down effective as of October 1. Market participants are encouraged to continue to ensure they use the most robust rates for the relevant currency and should ensure their use of term risk-free reference rates are limited and remain consistent with the relevant guidance on best practice on the scope of use. [NEW]
ESAs Appoint Director to Lead their DORA Joint Oversight. On October 1, the European Supervisory Authorities appointed Marc Andries to lead their new joint Directorate in charge of oversight activities for critical third-party providers established by the Digital Operational Resilience Act (“DORA”). In his role as DORA Joint Oversight Director, Marc Andries will be responsible for implementing and running an oversight framework for critical third-party service providers at a pan-European scale, contributing to the smooth operations and stability of the EU financial sector. [NEW]
ESMA 2025 Work Programme: Focus on Key Strategic Priorities and Implementation of New Mandates. On October 1, ESMA published its 2025 Annual Work Programme (AWP). A significant portion of ESMA’s work in 2025 will comprise policy work to facilitate the implementation of the large number of mandates received in the previous legislative cycle, and the preparation of new mandates, such as the European Green Bonds and the ESG Rating Providers Regulations. [NEW]
ESMA Announces Next Steps for the Selection of Consolidated Tape Providers. On September 30, ESMA announced it will launch the selection procedure for Consolidated Tapes Providers (“CTPs”) bonds on January 3, 2025. In June 2025, ESMA will launch the selection procedure for the CTP for shares and Exchange-Traded Funds with the objective to adopt a reasoned decision on the selected applicant by the end of 2025. [NEW]
SFC and HKMA Publish Conclusions on Enhancements to OTC Derivatives Reporting Regime for Hong Kong. On September 26, the Securities and Futures Commission and the Hong Kong Monetary Authority jointly published conclusions on proposed enhancements to the over-the-counter (“OTC”) derivatives reporting regime for Hong Kong, indicating that they will mandate (i) the use of unique transaction identifiers, (ii) the use of unique product identifiers and (iii) the reporting of critical data elements beginning on September 29, 2025.

New Industry-Led Developments

ISDA Responds to UK FCA Consultation on DTO and PTRRS. On September 30, ISDA responded to Financial Conduct Authority (“FCA”) consultation CP24/14 on the derivatives trading obligation (“DTO”) and post-trade risk reduction services (“PTRRS”). In the response, ISDA highlights its support for including certain overnight index swaps based on the US Secured Overnight Financing Rate within the classes of derivatives subject to the DTO and expanding the list of PTRRS exempted from the DTO and other obligations. [NEW]
ISDA Publishes Results of Survey on AT1 Treatment in DRM Model. On September 27, ISDA published a survey of its members on the development of the dynamic risk management (“DRM”) model. The survey sought to understand the accounting and regulatory treatment of Alternative Tier 1 (“AT1”) financial instruments and to contribute this information to the development of the International Accounting Standards Board’s DRM model. The survey shows that for balance sheet classification under International Financial Reporting Standards, the majority of respondents classify their AT1s as equity; the majority of respondents include their AT1s for interest rate risk in the banking book (“IRRBB”) as equivalent to financial liabilities; and there is strong desire for the inclusion of AT1s in the current net open position. [NEW]
ISDA Publishes Updated Best Practices for Confirming Reference Obligations or Standard Reference Obligations. On September 25, ISDA published updated Best Practices for Single-name Credit Default Swaps regarding Reference Obligations or Standard Reference Obligations. The document sets out suggested best practices for confirming the Reference Obligation or Standard Reference Obligations for single-name Credit Default Swaps and is an update to the Best Practice Statement that was published by ISDA on November 18, 2014.
Joint Trade Association Issues Statement on EMIR 3.0 Effective Implementation Dates. On September 23, ISDA, the Alternative Investment Management Association, the European Banking Federation, the European Fund and Asset Management Association and FIA sent a letter urging the European Commission and European supervisory authorities to clarify that market participants are not required to implement the European Market Infrastructure Regulation (“EMIR 3.0”) Level 1 provisions prior to the date of application of the associated Level 2 regulatory technical standards (“RTS”). In the letter, the associations state that they are seeking clarification to avoid firms being required to implement the requirements of EMIR 3.0 twice—first, to comply with the Level 1 provisions once EMIR 3.0 enters into force and then when the associated Level 2 RTS becomes applicable.
ISDA Publishes Standing Settlement Instructions Suggested Operational Practices. On September 20, ISDA published the ISDA Standing Settlement Instructions (“SSI”) suggested operational practices (“SOP”), which outlines a set of guidelines for the communication, management and usage of SSIs. According to ISDA, the document aims at increasing standardization and efficiency in performing payments for over-the-counter (“OTC”) derivatives and it is an update to the Best Practice Statement that was published by ISDA on August 11, 2010. SOPs for the exchange of SSIs for the purposes of collateral are available in section 1.7 of the Suggested Operational Practices for the OTC Derivatives Collateral Process.
ISDA Publishes Results of DC Review Consultation. On September 19, ISDA published the results of a market-wide consultation on proposed changes to the structure and governance of the Credit Derivatives Determinations Committees (“DCs”). ISDA reported that the consultation indicated broad market support to implement many of the recommendations, including establishing a separate governance body, implementing certain transparency proposals relating to the publication of DC decisions and appointing up to three independent members of the DCs. Some of the proposals received a significant minority of objections.

The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:

Jeffrey L. Steiner, Washington, D.C. (202.887.3632, [email protected])

Michael D. Bopp, Washington, D.C. (202.955.8256, [email protected])

Michelle M. Kirschner, London (+44 (0)20 7071.4212, [email protected])

Darius Mehraban, New York (212.351.2428, [email protected])

Jason J. Cabral, New York (212.351.6267, [email protected])

Adam Lapidus – New York (212.351.3869, [email protected] )

Stephanie L. Brooker, Washington, D.C. (202.887.3502, [email protected])

William R. Hallatt , Hong Kong (+852 2214 3836, [email protected] )

David P. Burns, Washington, D.C. (202.887.3786, [email protected])

Marc Aaron Takagaki , New York (212.351.4028, [email protected] )

Hayden K. McGovern, Dallas (214.698.3142, [email protected])

Karin Thrasher, Washington, D.C. (202.887.3712, [email protected])

We are pleased to provide you with the September edition of Gibson Dunn’s digital assets regular update. This update covers recent legal news regarding all types of digital assets, including cryptocurrencies, stablecoins, CBDCs, and NFTs, as well as other blockchain and Web3 technologies. Thank you for your interest.

ENFORCEMENT ACTIONS

UNITED STATES

Court Denies Motion to Dismiss in Tornado Cash Criminal Case
On September 26, Judge Failla of the U.S. District Court for the Southern District of New York denied Tornado Cash developer Roman Storm’s motion to dismiss the criminal charges against him. The Department of Justice has charged Storm and Roman Semenov, another Tornado Cash developer, for conspiracy to commit money laundering, conspiracy to operate an unlicensed money transmitting business, and conspiracy to violate the International Emergency Economic Powers Act. In an hour-long oral opinion, Judge Failla rejected Storm’s arguments for dismissing each of the counts. She explained that: “[A]t this stage in the case the court cannot simply accept Mr. Storm’s narrative that he is being prosecuted merely for writing code. If the jury ultimately accepts this narrative, then it will acquit. But there’s no basis for me to decide as a matter of law that the government hasn’t alleged criminal conduct sufficient to satisfy each of the elements of the offenses charged.” The case will now proceed to trial, which is slated to begin on December 2. CoinDesk; Law360.
Former Alameda Research CEO Caroline Ellison Sentenced to Two Years in Prison
On September 24, Judge Kaplan of the U.S. District Court for the Southern District of New York sentenced Caroline Ellison, the former CEO of Alameda Research, to two years in prison. Ellison was one of three FTX/Alameda insiders cooperating with the government in its prosecution of former FTX CEO Sam Bankman-Fried. She pleaded guilty to seven felony counts of fraud and conspiracy. Although Ellison cooperated and provided critical testimony, Judge Kaplan cited the scale of FTX’s losses—which amounted to $8 billion—as a reason for the two-year sentence. Ellison also has an $11 billion judgment in restitution. New York Times; Bloomberg; Forbes.
Mango Markets, Blockworks Reach Settlement with SEC
On September 27, the SEC filed settled charges against Mango DAO, Mango Labs LLC, and Blockworks Foundation, resolving claims about that the MNGO token was offered as an unregistered security, among other claims. As part of the settlement, the entities have agreed to voluntarily destroy their MNGO tokens, request the token’s removal from trading platforms, and pay $700,000. The entities did not admit any wrongdoing as part of the settlement. SEC Press Release; CoinDesk.
eToro Settles Charges with SEC
On September 12, eToro agreed to pay $1.5 million to settle charges by the SEC that its crypto trading platform operated an unregistered securities broker and clearing agency. As part of the settlement, eToro will make only Bitcoin, Bitcoin Cash, and Ether available for its U.S. customers for trading. Press Release.
DeFi Platform Rari Capital Settles SEC Charges
On September 18, the SEC announced that Rari Capital, a decentralized finance platform, and its co-founders settled charges that they had misled investors and engaged in unregistered securities-broker activities. According to the SEC’s complaint, Rari Capital offered two products—Earn pools and Fuse pools—which allowed users to deposit digital assets into lending pools managed either by Rari (Earn) or user-created (Fuse) and earn returns. Without admitting the SEC’s allegations, the defendants consented to the entry of final judgments ordering various forms of relief, including permanent injunctions, civil penalties, and disgorgement. SEC Press Release; The Block.
New York Restaurant Flyfish Club Settles with SEC Over NFTs
On September 16, the Flyfish Club, a New York restaurant, settled with the SEC over issues related to its sale of NFTs. The SEC alleged that Flyfish “conducted an unregistered offering of crypto asset securities,” when it sold 1,600 NFTs to U.S. investors, generating $14.8 million, to fund the construction of an exclusive restaurant and bar called the “Flyfish Club.” Flyfish Club agreed to pay $750,000 as part of the settlement. SEC Press Release; The Block.
United Texas Bank Agrees to Cease-and-Desist Order
On September 4, United Texas Bank, a crypto-friendly bank, agreed to a cease-and-desist order with the Federal Reserve and the Texas Department of Banking. Following a May 2023 examination, the regulators found “significant deficiencies” with the bank’s risk-management practices. The order requires the bank to bolster its Bank Secrecy Act and anti-money laundering program and requires the bank’s board of directors to file a written plan on how it will strengthen its oversight of the bank’s program. Order; The Block.
CFTC Obtains $209 Million Judgment Against Operator of Crypto Ponzi Scheme
On September 3, in an enforcement action brough by the Commodity Futures Trading Commission (CFTC), Judge Rowland of the U.S. District Court for the Northern District of Illinois entered a final judgment against Sam Ikkurty, the operator of an alleged commodity-pool Ponzi scheme, and several related entities. The judgment includes a civil penalty, restitution, disgorgement, and a contempt fine. The CFTC also announced that it had recovered $18 million in digital assets that had been stolen from a court-appointed receiver. CFTC Press Release; The Block.
Robinhood Crypto, LLC and the California Department of Justice Settle for $3.9 Million
On September 4, the California Attorney General announced a $3.9 million settlement with Robinhood Crypto, LLC to resolve an investigation into the company’s consumer disclosures concerning its crypto trading and order-handling arrangements. Robinhood did not admit any wrongdoing as part of the settlement. California DOJ; The Block.
TrueUSD Stablecoin Backers Settle Fraud and Registration Charges with SEC
On September 24, TrustToken and TrueCoin settled the SEC’s accusations that the two companies knowingly misrepresented the backing of the TrueUSD stablecoin and offered securities tried to TrueUSD without properly registering with the SEC. TrueCoin was the original issuer of TrueUSD. The companies did not admit or deny wrongdoing in the settlement. The companies agreed to pay $163,766 each in fines, and TrueCoin agreed to return $400,000 in profits and interest if the settlement is approved by the court. SEC Press Release; CoinDesk.

REGULATION AND LEGISLATION

UNITED STATES

SEC Approves Listing and Trading Options for BlackRock’s Spot Bitcoin ETF
On September 20, the SEC approved the listing and trading of options for BlackRock’s spot Bitcoin ETF on an “accelerated basis,” eight months after BlackRock applied for approval. The approval has been viewed as a positive signal for the broader acceptance of Bitcoin ETFs, reflecting the growing interest in digital assets among institutional investors. Reuters; The Block.
SEC Delays Decision on 7RCC Spot Bitcoin and Carbon Credit Future ETF
On September 3, the SEC announced that it was delaying until November 21 its decision whether to approve crypto asset manager 7RCC’s application for an ETF aims to expose investors to Bitcoin and carbon credits. 7RCC filed the initial application in December 2023. SEC; The Block; CoinTelegraph.

INTERNATIONAL

New UK Bill Proposes Classifying Cryptocurrency as Personal Property
On September 11, a bill was introduced in Parliament that would classify cryptocurrencies, NFTs such as digital art, and carbon credits as personal property. The Justice Minister supported the bill. The law would give legal protection to owners and companies against fraud and scams, while helping judges deal with complex cases where digital holdings are disputed or form part of settlements. The bill aims to address a legal gap, where digital assets were previously excluded from English and Welsh property law, leaving owners of such assets with little recourse if their holdings were interfered with. UK Government Press Release; NASDAQ.
Nigerian Securities Regulator Grants Approval To Crypto Firms
On August 29, the Nigerian Securities and Exchange Commission (Nigerian SEC) announced that it granted Approval in Principle to two crypto exchanges under its Accelerated Regulatory Incubation Program and admitted five other digital asset firms into its Regulatory Incubation program. The approvals are a precursor to a full registration with the Nigerian SEC. Forbes.
Australia’s Securities Regulator To Require Licensing for Crypto Firms
On September 23, a commissioner of the Australian Securities and Investments Commission announced that the agency will require crypto firms – including but not limited to crypto exchanges – to be licensed under Australia’s corporations law. The Commission plans to release updated regulatory guidance in two months and will seek industry feedback. Westlaw; The Block.

CIVIL LITIGATION

UNITED STATES

Bitcoin Miner Swan Bitcoin Sues Former Employees for Conspiring to Steal its Mining Business
On September 26, Swan Bitcoin filed a complaint in the U.S. District for the Central District of California alleging that its former consultants, employees, and others conspired to execute a “rain and hellfire” plan to usurp Swan’s Bitcoin mining business. Swan alleges that defendants (former consultants) and former Swan employees stole “highly proprietary code” from Swan’s Bitcoin mining software, stole other confidential information related to its mining business, and conspired to resign together to create a competing company named Proton Management. Among other allegations, the complaint notes that these former Swan executives and consultants downloaded thousands of confidential and trade secret documents and, with Proton, solicited Swan’s mining personnel. With this conduct, the complaint alleges, all defendants violated the Defend Trade Secrets Act and the California Business & Professions Code; the former consultants breached their contracts with Swan (including by failing to return Swan’s computers and devices); Proton interfered with Swan’s contractual relations with its former employees and aided and abetted their breaches of the duty of loyalty; and all defendants were engaged in an ongoing conspiracy. (Gibson Dunn represents Swan Bitcoin in this lawsuit.) Law.com; Axios; CoinTelegraph.
Court Grants SEC’s Motion to Dismiss Consensys’s Declaratory Judgment Suit
On September 19, Judge O’Connor of the U.S. District Court for the Northern District of Texas granted the SEC’s motion to dismiss a lawsuit filed by Consensys, the developer of the MetaMask wallet. The lawsuit sought a declaratory judgment that transactions in Ether are not securities transactions and that two features of MetaMask (MetaMask Swaps and MetaMask Staking) do not violate the securities laws. The district court dismissed the Ethereum claims as moot because the SEC has concluded its Ethereum investigation and informed Consensys that it did not intend to recommend an enforcement action on that basis. The district court dismissed the MetaMask claims as unripe because, according to the court, neither the Wells Notice Consensys received related to those claims nor the later enforcement action the SEC initiated against Consensys constituted final agency action that would render Consensys’s claims fit for judicial review. Decision; CoinTelegraph.
Judge Dismisses Dogecoin Class Action Lawsuit Against Elon Musk and Tesla
On August 30, Judge Alvin Hellerstein of the U.S. District Court for the Southern District of New York dismissed with prejudice a class action lawsuit against Elon Musk and Tesla, which had alleged that both manipulated the Dogecoin market. Gorog v. Musk, No. 22-05037 (S.D.N.Y. Aug. 30, 2024). The district court ruled that Musk’s tweets about Dogecoin becoming the Earth’s currency or catapulting to the moon were “aspirational and puffery” and “not factual and susceptible to being falsified.” Reuters; CoinDesk.

INTERNATIONAL

England High Court Rules That Crypto Asset Recovery Requires Tracing Specific Units of Stablecoin Across Different Exchanges
On September 17, a Deputy Judge of the English High Court made the first-ever ruling under English law on the treatment and status of cryptocurrency after a full trial. The Plaintiff was targeted by fraudsters who talked him into transferring away cryptocurrency assets worth $3.3 million. His lawyers alleged that the money ended up in an exchange in Thailand, called Bitkub, and tried to hold that exchange liable. But the Judge ruled that the evidence given by a blockchain tracing expert was inadequate, because the Plaintiff needed to show how parts of his stolen stablecoin was offloaded through a range of cryptocurrency exchanges after being mixed with money from other sources, through a range of fourteen transactions on the blockchain. The Judge ruled that the Plaintiff would have to track a specific unit of a stablecoin as it moves from wallet to wallet, to hold the receiving exchange liable. Law360.

SPEAKER’S CORNER

UNITED STATES

New Paper Argues that Bitcoin Is Protected by the First Amendment
On September 25, Ross Stevens, the founder and CEO of Stone Ridge Holdings Group and founder and executive chairman of NYDIG, released a paper arguing that bitcoin is speech and expressive association protected by the First Amendment of the U.S. Constitution. Based on a thorough analysis of bitcoin’s functionality and First Amendment precedents, the paper argues that bitcoin “constitutes a highly communicative and at times boisterous community dedicated to winning greater freedom from government fiat,” and that regulators therefore should “conside[r] the First Amendment implications of targeting bitcoin.” Gibson Dunn attorneys Theodore J. Boutrous, Jr., Eugene Scalia, and Nick Harper worked closely with Stevens in preparing the paper. Paper.
Maxine Waters Calls for Comprehensive Agreement on Stablecoin Regulations This Year
On September 24, Rep. Maxine Waters (D-CA) called for a comprehensive agreement on stablecoin regulations before the end of 2024. Waters has been working with Rep. Patrick McHenry (R-NC), who chairs the House Financial Services Committee, to create a regulatory framework for stablecoins since 2022. Waters said she believes lawmakers could reach a deal on the bill that “prioritizes strong protections” for consumers and has “strong federal oversight.” Waters Press Statement; The Block.
SEC Commissioner Uyeda Recommends “Customized” S-1 Forms for Digital Assets
On September 3, during a discussion at Korea Blockchain Week 2024, SEC commissioner Mark T. Uyeda said that the agency needs to create a S-1 registration form that is tailored to digital asset securities. Uyeda noted such a form could help provide regulatory certainty for the digital-asset industry. Axios, The Block.
House Legislators Urge SEC to Clarify How It Treats Crypto Airdrops
In a September 17 letter to SEC Chair Gary Gensler, House Financial Services Committee Chair Patrick McHenry (R-NC) and House Majority Whip Tom Emmer (R-MN) accused the SEC of “putting its thumb on the scale” by making hostile assertions about airdrops and creating an unforgiving regulatory environment regarding crypto and blockchain technology. The letter requests that the SEC answer whether “giving away non-security digital assets for free” implicates the Howey test. The letter also asks how crypto airdrops are any different from airline miles or credit card points that are “distributed freely to encourage engagement,” much like “airdrops aim to engage users and developers” in growing blockchain networks. Letter; The Block.

OTHER NOTABLE NEWS

Court Invalidates CFTC Restriction on Prediction Markets; CFTC Appeals
On September 12, Judge Cobb of the U.S. District Court for the District of Columbia vacated an order issued by the CFTC that prohibited Kalshi, a prediction market, from offering “event contracts”—a type of derivative contract whose payoff is based on the outcome of a contingent event. Kalshi has offered event contracts for a broad range of events, including the outcomes of U.S. political races. Judge Cobb rejected the CFTC’s arguments that Kalshi’s events contracts violate the Commodity Exchange Act or the CFTC’s regulations. The CFTC has appealed to the D.C. Circuit, which granted a temporary emergency stay of the district court’s order pending appeal. Oral argument took place on September 19. District Court Opinion; CoinDesk.
Japanese Banks Lauch Stablecoin for Cross-Border Transactions
On September 6, three Japanese banks launched the trial phase for “Project PAX,” a stablecoin-based platform that aims to speed up cross-border settlements for enterprises. The initiative aims to develop regulated stablecoins that can be integrated with existing financial frameworks. The project plans to use SWIFT’s API framework, already used by banks, to settle payments on the blockchain while complying with anti-money laundering regulations. Yahoo Finance; The Block; Datachain.
University of Chicago Professors Release Desk Reference for Legal Matters in Web 3
On September 19, Professors Anup Malani and Todd Henderson, professors at the University of Chicago Law School, published Legal Matters in Web 3: A Desk Reference, which is a comprehensive, open-access legal desk reference about crypto-related legal topics. The publication provides a deep dive on those businesses and technologies, sketches a range of legal risks associated with them, and provides a deeper dive on specific legal topics and use a range of projects to illustrate how they interest the Web3 ecosystem. Publication.

The following Gibson Dunn lawyers contributed to this issue: Jason Cabral, Kendall Day, Jeff Steiner, Sara Weed, Chris Jones, Nick Harper, Amanda Goetz, Emma Li, Peter Moon, Henry Rittenberg, and Apratim Vidyarthi.

FinTech and Digital Assets Group Leaders / Members:

Ashlie Beringer, Palo Alto (+1 650.849.5327, [email protected])

Michael D. Bopp, Washington, D.C. (+1 202.955.8256, [email protected]

Stephanie L. Brooker, Washington, D.C. (+1 202.887.3502, [email protected])

Jason J. Cabral, New York (+1 212.351.6267, [email protected])

Ella Alves Capone, Washington, D.C. (+1 202.887.3511, [email protected])

M. Kendall Day, Washington, D.C. (+1 202.955.8220, [email protected])

Michael J. Desmond, Los Angeles/Washington, D.C. (+1 213.229.7531, [email protected])

Sébastien Evrard, Hong Kong (+852 2214 3798, [email protected])

William R. Hallatt, Hong Kong (+852 2214 3836, [email protected])

Martin A. Hewett, Washington, D.C. (+1 202.955.8207, [email protected])

Michelle M. Kirschner, London (+44 (0)20 7071.4212, [email protected])

Stewart McDowell, San Francisco (+1 415.393.8322, [email protected])

Mark K. Schonfeld, New York (+1 212.351.2433, [email protected])

Orin Snyder, New York (+1 212.351.2400, [email protected])

Ro Spaziani, New York (+1 212.351.6255, [email protected])

Jeffrey L. Steiner, Washington, D.C. (+1 202.887.3632, [email protected])

Eric D. Vandevelde, Los Angeles (+1 213.229.7186, [email protected])

Benjamin Wagner, Palo Alto (+1 650.849.5395, [email protected])

Sara K. Weed, Washington, D.C. (+1 202.955.8507, [email protected])

We are pleased to provide you with the September edition of Gibson Dunn’s monthly U.S. bank regulatory update. Please feel free to reach out to us to discuss any of the below topics further.

KEY TAKEAWAYS

In coordinated actions, the Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC) issued a final policy statement and final rule, respectively, updating the agencies’ approach to evaluating transactions subject to approval under the Bank Merger Act (BMA) and the U.S. Department of Justice (DOJ) announced its withdrawal from the 1995 Bank Merger Guidelines and confirmed that its 2023 Merger Guidelines “remain its sole and authoritative statement across all industries.” The DOJ also issued a 2024 Banking Addendum identifying those portions of the 2023 Merger Guidelines frequently relevant to the DOJ’s consideration of bank mergers.
In a speech on September 10, 2024 at the Brookings Institution, Vice Chair for Supervision Michael Barr stated that the federal bank regulatory agencies planned “broad and material changes” to the Basel III endgame proposal and the GSIB surcharge proposal and that he intended “to recommend that the [Federal Reserve] Board re-propose” the rules. No re-proposal has been issued as of the date of publication.
The intersection of banks and fintechs remains a focus:
- The FDIC issued a proposal intended to enhance insured depository institutions’ recordkeeping requirements for certain types of custodial accounts. Comments are due on the proposal 60 days after publication in the Federal Register.
- Senators Warren (D-MA) and Van Hollen (D-MD) sent a letter to the Board of Governors of the Federal Reserve System (Federal Reserve), FDIC and OCC urging the agencies to (i) prohibit entities that provide products only eligible for FDIC pass-through deposit insurance from using the FDIC name or logo in any materials, (ii) establish rules for bank partners that offer deposit-style products to safeguard customer funds and (iii) supervise, examine and take enforcement actions against those bank partners under the Bank Service Company Act.

DEEPER DIVES

FDIC Adopts Final Statement of Policy on Bank Merger Transactions. In coordination with the OCC and DOJ, on September 17, 2024 the FDIC adopted its final Statement of Policy on Bank Merger Transactions (SOP) substantially as proposed, with limited adjustments. The SOP supersedes the prior Statement of Policy on Bank Merger Transactions 30 days after publication in the Federal Register. The SOP is more principles based than the current Statement of Policy, last updated in 2008, affirms the FDIC’s view concerning the broad applicability of the BMA to merger transactions, including mergers in substance, involving an insured depository institution and any non-insured entity, and revises how the FDIC evaluates applicable statutory factors under the BMA, including competition, convenience and needs, financial stability, and financial and managerial resources.

Insights. The SOP provides no clarity as to the timing for the FDIC’s review and approval of BMA applications. Contrary to current practice, the SOP retains the language from the proposal enabling the FDIC Board of Directors to release a statement regarding its concerns with any transaction for which a BMA application has been withdrawn “if such a statement is considered to be in the public interest for purposes of creating transparency for the public and future applicants.” In addition, the SOP retains the proposed language that the FDIC may require divestitures to mitigate competitive concerns before allowing a merger to be consummated, a departure from historical precedent. As raised by commenters, a divestiture could itself require a separate BMA approval, thus delaying significantly the merger transaction. In sum, the SOP revises how the FDIC evaluates the statutory factors for a BMA application, in certain instances seemingly beyond the statutory factor on its face—as raised by FDIC Director Jonathan McKernan in his statement in opposition to the proposal and FDIC Director Travis Hill in his statement in opposition to the final SOP.
A few key points to highlight:
- On financial stability, the SOP focuses in part on large bank mergers, highlighting that, although “size alone is not dispositive,” the FDIC would “generally expect” to hold a hearing for any “application resulting in an institution with greater than $50 billion in assets or for which a significant number of CRA protests are received” and adds that transactions resulting in institutions with total assets in excess of $100 billion “will be subject to added scrutiny.”
- On competition, the SOP deemphasizes the longstanding 1,800/200 HHI thresholds (although the FDIC does intend to coordinate with other relevant agencies regarding any potential changes to the calculation of, or thresholds for, HHI usage). Although deposits will serve “as an initial proxy for commercial banking products and services,” the FDIC “may consider concentrations in any specific products or customer segments” (e.g., small business or residential loan originations volume, activities requiring specialized expertise). The SOP also provides that the FDIC generally will require that the selling institution not enter into non-compete agreements with any employee of the divested entity nor enforce any existing non-compete agreements with any of those entities.
- On convenience and needs, the SOP would require the resulting institution “to better meet the convenience and the needs of the community to be served” than would occur without the merger. To establish this, applicants will be required to provide “specific and forward-looking information” to the FDIC for purposes of evaluating the statutory factor, and the FDIC will evaluate all projected or anticipated branch expansion, closings, or consolidations for the first three years following consummation of the merger. Job losses or lost job opportunities from branching changes will be “closely evaluated” under the SOP.
- On the financial and managerial resources factors, the SOP does not incorporate the proposal’s assertion that the FDIC will not find favorably on the financial resources factor if the merger would result in a weaker institution from a financial perspective. According to the preamble, this statement was removed to avoid the suggestion that an institution that reflects a very strong financial condition would be precluded from absorbing a weaker target. That language was replaced with language affirming that a favorable finding on the financial resources factor would only be appropriate in cases where the merger results in a combined institution “that presents less financial risk than the financial risk posed by the institutions on a standalone basis.”

OCC Issues Final Rule Amending its Bank Merger Reviews. In coordination with the FDIC and DOJ, on September 17, 2024 the OCC issued a final rule to amend its procedures for reviewing applications under the BMA and add a policy statement that summarizes the principles the OCC uses when it reviews proposed bank merger transactions under the BMA. The final rule is effective January 1, 2025. Like the FDIC’s SOP, the OCC’s policy statement provides no clarity as to the timing for the review and approval of BMA applications, although the agency acknowledges it is “mindful of the effects of the length of review periods on all relevant parties.”

Insights. The OCC’s final rule and accompanying policy statement eliminate some of the ambiguity contained in the proposed version and suggests that the OCC does not intend a material departure from the approach it has taken in reviewing BMA applications in recent years. Although the key characteristics considered in a BMA application remain consistent, there are a few notable items to highlight:
- Transactions in which the resulting bank will exceed $50 billion in total assets and transactions where the target’s total assets are 50% of more of the acquirer’s assets should expect additional scrutiny and time for review, but are not precluded from approval under the policy statement. The financial and managerial resources and future prospects factors within the context of the prevailing economic and operating environment will be considered in a BMA application.
- The OCC specifically provides that it will focus on the integration process and that it is less likely to approve applications involving an acquirer that has engaged in multiple acquisitions with overlapping integration periods, experienced rapid growth, or is functionally the target in the transaction.
- The ability of the resulting bank to meet the convenience and needs of the community should be forward-looking and distinct from the bank’s record in complying with the Community Reinvestment Act – in other words, while historic practices are indicative of a commitment, the future efforts and plan will be important in the BMA process. For instance, the OCC will more explicitly consider job losses or reduced job opportunities, community investment and development initiatives and efforts to support affordable housing and small business when reviewing a BMA application.

DOJ Announces that 2023 Merger Guidelines will be the “Sole and Authoritative Statement Across all Industries”. Although the DOJ issuance does not provide detailed discussion of how the 2023 Merger Guidelines apply to the banking industry specifically, the DOJ will look to expand bank merger analysis beyond the traditional—and more predictable—assessment of local branch overlaps and HHI screens, into a “comprehensive and flexible framework” contained in the 2023 Merger Guidelines. DOJ will look to consider issues such as the impact at the branch level with respect to individual lines of business, particular customer segments, or the quality/nature of customer service, and across broader geographic regions.

Insights. The commentary does not include any reference to the 1995 Bank Merger Guidelines’ HHI thresholds currently used to screen bank merger applications for possible competitive impacts or possible data sources for analyzing a wider array of product markets outside of the FDIC’s Summary of Deposits data. However, the 2023 Merger Guidelines do contain a HHI threshold (1,800/100) and a market share threshold (30% plus change in HHI of 100) for establishing a rebuttable presumption of anticompetitive harm. Importantly, the commentary also specifically states that the “banking agencies may, at their discretion, use their own methods for screening and evaluating bank mergers.”

Vice Chair for Supervision Barr Previews the Federal Banking Agencies’ Revised Basel III Endgame and GSIB Surcharge Proposals. On September 10, 2024, in a speech titled “The Next Steps on Capital,” Vice Chair for Supervision Michael Barr indicated that “broad and material changes” to the Basel III endgame and GSIB surcharge proposals “are warranted” and that he “intend[s] to recommend that the Board re-propose the Basel endgame and GSIB surcharge rules.” Notably, Barr’s remarks evidence a return to tiering. Large banks with assets between $100 and $250 billion would no longer be subject to the endgame changes, other than the requirement to recognize unrealized gains and losses of their securities in regulatory capital. For large banks with assets between $250 and $700 billion that are not GSIBs or internationally active, the re-proposal would apply the new credit risk and operational risk requirements; however, it would apply the frameworks for market risk and CVA frameworks only to firms that engage in significant trading activity. Further, the re-proposal would revert to the simpler definition of capital – the numerator in the capital ratio – for firm’s currently within that capital framework, with the exception of applying the requirement to reflect unrealized losses and gains on certain securities and other aspects of AOCI. GSIBs and other internationally active banks would be subject to the most stringent set of requirements as may be re-proposed (e.g., the re-proposal would (i) no longer adjust a firm’s operational risk charge based on its operational loss history, (ii) reduce operational risk capital requirements for investment management activities to reflect smaller historical operational losses, (iii) extend the reduced risk weight for low-risk corporate exposures to certain regulated entities that a bank judges to be investment grade but which are not publicly traded).

Insights. As signaled by Vice Chair for Supervision Barr, the changes are potentially significant, particularly for non-GSIBs, and reflect an understanding across agency leadership of the potentially broad and significant unintended consequences of the proposals. Thus far, no re-proposal has been issued, with some media reports citing competing objections to any re-proposal from members of the FDIC Board of Directors resulting in any re-proposal not having sufficient votes in support. The re-proposal would also delay any final rule until after the election, putting its path to finality at risk if there is a change in the administration. Any final rulemaking also potentially remains subject to legal challenge.

FDIC Proposes Deposit Insurance Recordkeeping Rule for Banks’ Third-Party Accounts. On September 17, 2024, the FDIC issued a proposed rule that would establish new recordkeeping requirements at insured depository institutions (IDIs) for “custodial deposit accounts with transactional features.” The proposal would define a “custodial deposit account with transactional features” as a deposit account that meets three requirements: (1) the account is established for the benefit of beneficial owner(s); (2) the account holds commingled deposits of multiple beneficial owners; and (3) a beneficial owner may authorize or direct a transfer through the account holder from the account to a party other than the account holder or beneficial owner. IDIs holding deposits in such accounts would be required to maintain records identifying (i) the beneficial owners of those deposits, (ii) the balance attributable to each beneficial owner, and (ii) the ownership category in which the deposits are held. IDIs that hold such accounts would be required to establish and maintain written policies and procedures and complete an annual certification of compliance that the IDI has implemented and tested compliance with the rule’s recordkeeping requirements. IDIs also would be required to complete an annual report that (1) describes any material changes to information technology systems relevant to compliance with the rule; (2) lists account holders that maintain such accounts, the total balance of those custodial deposit accounts, and the total number of beneficial owners; (3) sets forth the results of the institution’s testing of its recordkeeping requirements; and (4) provides the results of the required independent validation of any records maintained by third parties. Comments on the proposal will be due 60 days from the date of publication in the Federal Register.

Insights. Although by its nature a recordkeeping rule, the proposal, if finalized substantially as proposed, could require significant compliance uplifts for IDIs and their third-party partners. For example, an IDI could maintain account records itself or through a direct contractual arrangement with a third party. To do so through a third party, the IDI would be required to (1) have direct, continuous, and unrestricted access to the records, (2) have continuity plans, including backup recordkeeping, (3) implement internal controls to (i) accurately determine the respective beneficial ownership interests associated with the accounts and (ii) conduct reconciliations against the beneficial ownership records no less frequently than as of the close of business daily, and (4) have a contractual arrangement that would (i) define roles and responsibilities for recordkeeping and (ii) require periodic validation of the third party’s records by a person independent of the third party.

OTHER NOTABLE ITEMS

Speech by Governor Michelle Bowman on the Future of Stress Testing and the Stress Capital Buffer Framework. On September 10, 2024, Governor Michelle W. Bowman gave a speech titled “The Future of Stress Testing and the Stress Capital Buffer Framework.” In her speech, Governor Bowman highlighted the value of stress testing on bank safety and soundness and financial stability, her concerns about the current implementation of the stress test, and the need for a “fundamental rethink and strategic reform of stress testing.” Governor Bowman then shared four principal issues—volatility, the link between stress testing results and capital and the short capital implementation compliance time frame, the lack of transparency, and the overlap between the global market shock in stress testing with the market risk test of Basel III—that should be “addressed” and “prioritized” in the “ongoing evolution of the stress testing framework and stress capital buffer requirements.”

FDIC, Federal Reserve and OCC Extend Comment Period on RFI on Bank-Fintech Arrangements. On September 13, 2024, the federal bank regulatory agencies announced they will extend until October 30, 2024 the comment period on the request for information on bank-fintech arrangements involving banking products and services.

Federal Reserve Board Requests Comment Around Operational Practices of the Discount Window. On September 9, 2024, the Federal Reserve issued a request for information and comment regarding the operational uses of the Discount Window and intraday credit. In particular, the request solicits feedback regarding the collection of legal documentation, processes associated with pledging and withdrawing collateral, processes associated with requesting, receiving, and repaying discount loans, intraday credits and Federal Reserve communication practices. Comments on the request are due by December 9, 2024.

CFPB Proposes Amendment to Remittance Transfer Rule. On September 20, 2024, the Consumer Financial Protection Bureau (CFPB) proposed amendments to the Remittance Transfer Rule concerning disclosure requirements associated with certain international remittances. Specifically, the proposed amendment would require clearer disclosures about the kinds of inquiries that should first be submitted to the remittance provider before contacting the CFPB or applicable state regulator. Comments on the proposed rule are due by November 4, 2024.

CFPB Publishes Guidance on Overdraft Fees Highlighting the Importance of Obtaining and Retaining Client Affirmative Consent to Opt-in. On September 17, 2024, the CFPB published guidance directed at state and federal consumer protection agencies concerning overdraft fees based on “phantom opt-in arrangements” which, according to the published guidance, occur when financial institutions assert they have customer consent to charge overdraft fees but there is no proof they obtained such consent. The thrust of the guidance emphasizes that the Electronic Funds Transfer Act and its counterpart Regulation E are violated if overdraft fees are charged without proof of affirmative consent to enroll in services involving overdraft fees. In its press release announcing the guidance, the CFPB encourages regulators to “assume consumers have not opted into overdraft unless the banks can prove otherwise.”

The following Gibson Dunn lawyers contributed to this issue: Jason Cabral, Ro Spaziani, Zach Silvers, Karin Thrasher, and Nathan Marak.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. Please contact the Gibson Dunn lawyer with whom you usually work or any of the member of the Financial Institutions practice group:

Jason J. Cabral, New York (212.351.6267, [email protected])

Ro Spaziani, New York (212.351.6255, [email protected])

Stephanie L. Brooker, Washington, D.C. (202.887.3502, [email protected])

M. Kendall Day, Washington, D.C. (202.955.8220, [email protected])

Jeffrey L. Steiner, Washington, D.C. (202.887.3632, [email protected])

Sara K. Weed, Washington, D.C. (202.955.8507, [email protected])

Ella Capone, Washington, D.C. (202.887.3511, [email protected])

Rachel Jackson, New York (212.351.6260, [email protected])

Chris R. Jones, Los Angeles (212.351.6260, [email protected])

Zack Silvers, Washington, D.C. (202.887.3774, [email protected])

Karin Thrasher, Washington, D.C. (202.887.3712, [email protected])

To continue assisting US companies with planning for SEC reporting and capital markets transactions into 2025, we offer our annual SEC Desktop Calendar. This calendar provides both the filing deadlines for key SEC reports and the dates on which financial statements in prospectuses and proxy statements must be updated before use (a/k/a financial staleness deadlines).

You can download a PDF of Gibson Dunn’s SEC Desktop Calendar for 2025 at the link below.

Read More

The following Gibson Dunn lawyers assisted in preparing this update: Hillary Holmes, Andrew Fabens, Lori Zyskowski, Peter Wardle, David Korvin, and Kyle Clendenon.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. To learn more, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Capital Markets or Securities Regulation and Corporate Governance practice groups:

Capital Markets:
Andrew L. Fabens – New York (+1 212.351.4034, [email protected])
Hillary H. Holmes – Houston (+1 346.718.6602, [email protected])
Stewart L. McDowell – San Francisco (+1 415.393.8322, [email protected])
Peter W. Wardle – Los Angeles (+1 213.229.7242, [email protected])

Securities Regulation and Corporate Governance:
Elizabeth Ising – Washington, D.C. (+1 202.955.8287, [email protected])
James J. Moloney – Orange County (+1 949.451.4343, [email protected])
Lori Zyskowski – New York (+1 212.351.2309, [email protected])
Aaron Briggs – San Francisco (+1 415.393.8297, [email protected])
Thomas J. Kim – Washington, D.C. (+1 202.887.3550, [email protected])
Brian J. Lane – Washington, D.C. (+1 202.887.3646, [email protected])
Julia Lapitskaya – New York (+1 212.351.2354, [email protected])
Ronald O. Mueller – Washington, D.C. (+1 202.955.8671, [email protected])
Michael Scanlon – Washington, D.C.(+1 202.887.3668, [email protected])
Mike Titera – Orange County (+1 949.451.4365, [email protected])

Although this latest round of updates is not as extensive as the 2023 iteration, it includes significant additions that may have meaningful implications for companies as they seek to align their compliance programs with DOJ’s expectations.

On September 23, 2024, the Criminal Division of the U.S. Department of Justice (“DOJ”) announced the latest revision of its Evaluation of Corporate Compliance Programs (the “ECCP”) since its last update in March 2023. The ECCP serves as the Criminal Division’s guidance for its prosecutors to evaluate companies’ compliance programs when making corporate enforcement decisions. This guidance is also often consulted by companies seeking to ensure their compliance programs are effective and would hold up under DOJ’s scrutiny. Principal Deputy Assistant Attorney General (“DAAG”) Nicole M. Argentieri announced the revision of the ECCP during her remarks at the Society of Corporate Compliance and Ethics 23rd Annual Compliance & Ethics Institute held in Grapevine, Texas on September 23, 2024.

The most significant revisions of the ECCP center on three areas: (1) evaluation and management of risk related to new technologies, such as artificial intelligence (“AI”); (2) further emphasis on the role of data analysis; and (3) whistleblower protection and anti-retaliation. The key updates in these three areas are discussed below, and a comparison between the 2023 and 2024 ECCP versions can be found here.

(1) AI and Emerging Technologies

Perhaps the most significant update in this new iteration of the ECCP is the heightened focus on how organizations proactively identify, assess, mitigate, and manage the risks associated with their use of emerging technologies, including AI. This emphasis reflects DOJ’s increasing focus on companies’ use of data and technology and its stated expectation that companies’ approach to risk management will be proactive rather than reactive.

AI and more advanced data analytics tools hold great promise for companies’ management of risk. Nevertheless, these capabilities also create risk. Although DOJ appears to recognize the promise, the revisions to the ECCP track DOJ’s concerns about how AI and other technologies can be misused. For example, in February 2024, Deputy Attorney General (“DAG”) Lisa Monaco announced that DOJ would seek sentencing enhancements where offenses were made significantly more dangerous by the misuse of AI. The following month, DAG Monaco drew a parallel to corporate criminal prosecutions, stating that “[w]hen our prosecutors assess a company’s compliance program . . . they consider how well the program mitigates the company’s most significant risks,” emphasizing that for a growing number of businesses, this “now includes the risk of misusing AI.” In the same remarks, DAG Monaco announced that she had directed the Criminal Division to “incorporate assessment of disruptive technology risks—including risks associated with AI—into its guidance on Evaluation of Corporate Compliance Programs.”

The position taken by DOJ in the latest ECCP is summarized by DAAG Argentieri in her recent remarks: “prosecutors will consider whether the company is vulnerable to criminal schemes enabled by new technology, such as false approvals and documentation generated by AI. If so, we will consider whether compliance controls and tools are in place to identify and mitigate those risks, such as tools to confirm the accuracy or reliability of data used by the business. We also want to know whether the company is monitoring and testing its technology to evaluate if it is functioning as intended and consistent with the company’s code of conduct.”

The updated ECCP outlines how companies will be expected to tailor their compliance programs to identify and manage the risks of AI. Corporations deploying AI will need to consider whether:

their risk assessment processes consider and appropriately document their use of AI and other new technologies and how the risk level for intended use cases has been determined (e.g., in circumstances where the particular use of AI creates particular risks, such as confidentiality, privacy, cybersecurity, quality control, bias, etc.);
the AI systems they are deploying have a sufficient degree of human oversight, especially for high-risk uses, and whether the performance of those systems is being assessed by reference to an appropriate “baseline of human decision-making” (e.g., the expected standard to which human decision-makers would be held for a given use case);
appropriate steps have been taken to prioritize and minimize the identified risks—including the potential for misuse of those technologies by company insiders—by implementing compliance tools and controls (e.g., through monitoring, alerts, technical guardrails, continuous testing, human review, or confirming the accuracy or reliability of data); and
they are continuously monitoring and testing their technology to evaluate if it is functioning “as intended,” both in their commercial business and compliance program, and consistent with the laws and the company’s code of conduct. If there are significant deviations in performance, for example where an AI tool makes an inappropriate decision, prosecutors will look at how quickly a company is able to detect and subsequently correct errors and any subsequent decisions.

(2) Emphasis on Data

Another key area of revisions to the ECCP confirms DOJ’s increasing focus on the use of data for compliance purposes, expanding on DOJ’s existing guidance:

The most extensive revisions in this area stress the importance of ensuring that compliance personnel maintain access to company data to assess the effectiveness of the compliance program—including leveraging data analytics tools to create efficiencies in compliance operations and measure the effectiveness of compliance components. This is an area on which DOJ’s Matt Galvin, Counsel for Compliance & Data Analytics at the Criminal Division’s Fraud Section, has focused, including with regard to DOJ’s own use of data analytics and the government’s expectation that companies will incorporate data-driven approaches to compliance as well. During a PLI program in June 2023, Galvin referred to data as “a function of transparency” in an organization. The revisions to the ECCP make clear that compliance personnel should have access equal to that of the business teams to all relevant data, assets, resources, and technology. This expectation on DOJ’s part was previewed by Galvin during the recent 15th Annual Global Ethics Summit in April 2024, where he emphasized that a delta between the use of data analytics by business and compliance teams will draw DOJ’s attention. The ECCP now includes additional questions testing whether the company is appropriately using data analytics tools to measure the effectiveness of compliance programs, the quality of its data sources, and the accuracy of any data analytics models it employs.
Other revisions in the ECCP concern data in the context of third-party management with a particular focus on vendor risk. Prosecutors will gauge whether the third-party risk management process allows for the review of vendors in a timely manner, and whether the company leverages available data to evaluate vendor risk in the course of its relationship with the vendor. This is consistent with DOJ’s increasing scrutiny of companies’ approach to third-party management practices and their ability to assess risks associated with broader categories of third parties emerging as potential new sources of compliance risk.
With regard to M&A transactions, among several revisions, DOJ now guides prosecutors to consider whether companies “account for migrating or combining critical enterprise resource planning systems as part of the integration process.” This again demonstrates an emphasis on control over and access to corporate information.
In examining whether the compliance program works in practice, the revised guidance spells out more specifically that prosecutors should “consider whether the company’s compliance program had a track record of preventing or detecting other instances of misconduct, and whether the company exercised due diligence to prevent and detect criminal conduct.” Prosecutors are now instructed to look at how a company uses data to “gain insights into the effectiveness of its compliance program” and the breadth of non-compliant conduct, beyond criminal conduct, that it is able to prevent.

(3) Whistleblower Reporting

In early August this year, the Criminal Division released guidance regarding the new DOJ Corporate Whistleblower Awards Pilot Program. This month’s revisions to the ECCP align it with the pilot program’s goals by including a paragraph on companies’ “Commitment to Whistleblower Protection and Anti-Retaliation” under the “Confidential Reporting Structure and Investigation Process” section.

In that paragraph, the new guidance advises prosecutors to consider several factors, including whether the company has an anti-retaliation policy; whether it trains employees on both internal and external anti-retaliation and whistleblower protection laws; and how employees who reported misconduct are disciplined in comparison to others involved in the misconduct (meaning whether reporting misconduct is a mitigator impacting a company’s disciplinary response). It also asks whether the company trains employees on both internal reporting systems and “external whistleblower programs and regulatory regimes.”

The ECCP also now directs prosecutors to consider whether and how an organization “incentivize[s] reporting” and whether an organization trains its employees on “external whistleblower programs and regulatory regimes.” Both of these concepts may prove tricky for organizations to address.

Other Notable Additions

In addition to the three main areas discussed above, the revised guidance contains a few other noteworthy revisions in other areas:

The revised guidance makes the paragraph dealing with “Risk-Tailored Resource Allocation” in the “Risk Assessment” section more general, removing examples of “low risk” and “high risk areas,” and instead opting for a broader consideration of whether the company “deploy[s] its compliance resources in a risk-based manner with greater scrutiny applied to greater areas of risk.”
The revisions specify that compliance training should be tailored specifically to the “particular needs, interests, and values of relevant employees,” including being tailored to the relevant industry and geographical region.
Under “Autonomy and Resources,” and particularly in relation to funding and resources, the revised guidance now asks whether the company has “a mechanism to measure the commercial value of investments in compliance and risk management.” In our experience, this is not a common activity of corporate compliance functions, although some certainly do undertake such efforts.

Six Key Takeaways

The updated ECCP is likely to impact significantly how companies tailor their compliance programs to address risks arising out of AI and emerging technologies, reflecting the rapid and dynamic adoption of these technologies across business sectors. To put these requirements into practice, companies will need to build effective governance frameworks and internal policies dealing with emerging technologies and specifically addressing the new challenges and risks they pose.

Here are six other key takeaways from our reading of the updates:

Scope. Companies will need to assess and consider carefully whether technical solutions they deploy may fall under the expanded ambit of the guidance. The ECCP defines AI broadly in accordance with the Office of Management and Budget’s March 2024 memo, which expressly states that “no system should be considered too simple to qualify as covered AI due to a lack of technical complexity,” and where the definition includes “systems that are fully autonomous, partially autonomous, and not autonomous, and it includes systems that operate both with and without human oversight.” Companies will need to assess and consider carefully whether technical solutions they deploy may fall within this definition.
Risk-based compliance. The guidance continues to emphasize that compliance resources should be deployed based on the degree of risk, with greater scrutiny applied to greater areas of risk. The threshold for effective compliance will therefore rely on the design and execution of proactive and effective risk assessments that focus on the actual use cases in which new technologies are being deployed. For example, the risks associated with certain AI tools may vary substantially depending on the use cases for which they are deployed. The guidance also refers to the “baseline of human decision-making” that is used to assess the risk of an AI tool. This concern is reflected in prior comments by DAG Monaco that “[d]iscrimination using AI is still discrimination.” That will require companies to think carefully about the purpose for which they are deploying new technologies such as AI, and whether such technology is effectively meeting that purpose (without running afoul of legal requirements). Strategies employed by companies in this area should be designed for accountability, transparency, and continuous evolution.
Accountability and transparency. Companies are expected to ensure that their new technologies function transparently, and that decisions influenced by these technologies are subject to human review where necessary. The guidance emphasizes that the “black box” nature of some AI systems, and the fact that they might require more third-party management, is not an excuse for failing to meet legal standards. Any compliance program that deploys AI will therefore need to include effective and consistent diligence and procurement standards for third-party models or tools used, staff internal experts with technical competence, ensure that the compliance function is using the data at the company’s disposal to detect risks, and maintain sufficient visibility of how new technologies are functioning in practice and how they are impacting the business.
Continuous monitoring and access to data. The dynamic nature of new technologies, and in particular AI, reinforces the need for regular and possibly more frequent risk assessments and re-evaluation of compliance program effectiveness and monitoring (including testing, which may encompass automated risk detection and real-time monitoring, for high-risk use cases). Moreover, in addition to detecting decisions made by AI that do not meet compliance standards, companies must also be prepared to correct those decisions quickly. Organizations will need to be nimble in adapting compliance systems to fast-evolving legal and technical standards related to AI, as well as rapid technological development. There is already an abundance of practical guidance, including by federal agencies, on best practices in AI governance and compliance, but it has largely been intended for voluntary use (for example, the AI Risk Management Framework released by the National Institute of Standards and Technology (NIST), which the ECCP expressly cites as a resource). The new DOJ guidance indicates that there will be increased regulatory scrutiny on how companies deploying new technologies are choosing to interpret and implement these best practices. Beyond the realm of emerging technologies though, simply articulating an expectation that compliance functions access and monitor corporate data as, for example, a finance or audit function may, could signal a shift in compliance staffing, with compliance officers more often needing to have accounting or technological backgrounds.
Resource allocation. The guidance puts companies on notice that in making charging decisions DOJ may now examine whether companies are devoting adequate resources and technology to AI risk management and compliance and to gathering and leveraging company data for compliance purposes. This suggests that any company investing in new technology development or deployment will need to consider whether appropriately proportional resources are being allocated to compliance, including as compared with overall expenditure on such new technologies.
Approach to compliance reporting. The revisions and additions in relation to whistleblower reporting and anti-retaliation may result in a gradual increase in whistleblower reports by encouraging enhancements to reporting systems that enable employees to feel more secure in reporting misconduct. In addition to ensuring that their anti-retaliation policies are robust and effectively communicated to employees, companies will likely feel the need to allocate additional resources to handle a potential rise in whistleblower reporting in the long term. They will also need to grapple with what they could do to “incentivize” whistleblowing, and whether and how to train employees to report to third parties, in addition to internal corporate channels. While companies typically train employees on the internal procedures for reporting and anti-retaliation protections, it remains to be seen how companies put into practice DOJ’s guidance to train employees on “external whistleblower programs and regulatory regimes” and how DOJ will react to those practices in the context of enforcement.

Conclusion

While the regulatory landscape for AI and other emerging technologies remains unsettled, it is all but certain from the latest revisions of the ECCP that DOJ has its eyes firmly set on the way these new technologies will shape and increase companies’ risk exposure. Along with the other changes in the ECCP outlined here, companies will have to consider carefully and proactively the compliance implications new technologies will bring to their business.

DOJ’s updated guidance underscores the need for companies to evaluate their programs, update their policies and procedures where needed, and stay abreast of how technology can be used to boost—as well as skirt—compliance controls. Our team has deep experience with these issues and is well positioned to assist companies with tackling them as DOJ is set to intensify its focus on this area.

The following Gibson Dunn lawyers prepared this update: F. Joseph Warin, Patrick Stokes, Stephanie Brooker, Michael Diamant, Eric Vandevelde, Oleh Vretsona, Frances Waldmann, Victor Tong, José Madrid, and Kate Goldberg.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of Gibson Dunn’s White Collar Defense and Investigations, Anti-Corruption and FCPA, or Artificial Intelligence practice groups:

Artificial Intelligence:

Keith Enright – Palo Alto (+1 650.849.5386, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, [email protected])
Vivek Mohan – Palo Alto (+1 650.849.5345, [email protected])
Robert Spano – London/Paris (+33 1 56 43 13 00, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, [email protected])
Frances A. Waldmann – Los Angeles (+1 213.229.7914,[email protected])

White Collar Defense and Investigations / Anti-Corruption and FCPA:

Washington, D.C.
F. Joseph Warin (+1 202.887.3609, [email protected])
Stephanie Brooker (+1 202.887.3502, [email protected])
Courtney M. Brown (+1 202.955.8685, [email protected])
David P. Burns (+1 202.887.3786, [email protected])
John W.F. Chesley (+1 202.887.3788, [email protected])
Daniel P. Chung (+1 202.887.3729, [email protected])
M. Kendall Day (+1 202.955.8220, [email protected])
Stuart F. Delery (+1 202.955.8515, [email protected])
Michael S. Diamant (+1 202.887.3604, [email protected])
Gustav W. Eyler (+1 202.955.8610, [email protected])
Melissa Farrar (+1 202.887.3579, [email protected])
Amy Feagles (+1 202.887.3699, [email protected])
Scott D. Hammond (+1 202.887.3684, [email protected])
George J. Hazel (+1 202.887.3674, [email protected])
Adam M. Smith (+1 202.887.3547, [email protected])
Patrick F. Stokes (+1 202.955.8504, [email protected])
Oleh Vretsona (+1 202.887.3779, [email protected])
David C. Ware (+1 202.887.3652, [email protected])
Ella Alves Capone (+1 202.887.3511, [email protected])
Nicole Lee (+1 202.887.3717, [email protected])
Lora Elizabeth MacDonald (+1 202.887.3738, [email protected])
Bryan Parr (+1 202.777.9560, [email protected])
Pedro G. Soto (+1 202.955.8661, [email protected])

New York
Zainab N. Ahmad (+1 212.351.2609, [email protected])
Reed Brodsky (+1 212.351.5334, [email protected])
Mylan L. Denerstein (+1 212.351.3850, [email protected])
Karin Portlock (+1 212.351.2666, [email protected])
Mark K. Schonfeld (+1 212.351.2433, [email protected])
Orin Snyder (+1 212.351.2400, [email protected])

Dallas
David Woodcock (+1 214.698.3211, [email protected])

Denver
Ryan T. Bergsieker (+1 303.298.5774, [email protected])
Robert C. Blume (+1 303.298.5758, [email protected])
John D.W. Partridge (+1 303.298.5931, [email protected])
Laura M. Sturges (+1 303.298.5929, [email protected])

Houston
Gregg J. Costa (+1 346.718.6649, [email protected])

Los Angeles
Michael H. Dore (+1 213.229.7652, [email protected])
Michael M. Farhang (+1 213.229.7005, [email protected])
Diana M. Feinstein (+1 213.229.7351, [email protected])
Douglas Fuchs (+1 213.229.7605, [email protected])
Nicola T. Hanna (+1 213.229.7269, [email protected])
Poonam G. Kumar (+1 213.229.7554, [email protected])
Marcellus McRae (+1 213.229.7675, [email protected])
Eric D. Vandevelde (+1 213.229.7186, [email protected])
Debra Wong Yang (+1 213.229.7472, [email protected])

San Francisco
Winston Y. Chan (+1 415.393.8362, [email protected])
Charles J. Stevens (+1 415.393.8391, [email protected])

Palo Alto
Benjamin Wagner (+1 650.849.5395, [email protected])

London
Patrick Doris (+44 20 7071 4276, [email protected])
Sacha Harber-Kelly (+44 20 7071 4205, [email protected])
Michelle Kirschner (+44 20 7071 4212, [email protected])
Allan Neil (+44 20 7071 4296, [email protected])
Matthew Nunan (+44 20 7071 4201, [email protected])
Philip Rocher (+44 20 7071 4202, [email protected])

Paris
Benoît Fleury (+33 1 56 43 13 00, [email protected])
Bernard Grinspan (+33 1 56 43 13 00, [email protected])

Frankfurt
Finn Zeidler (+49 69 247 411 530, [email protected])

Munich
Kai Gesing (+49 89 189 33 285, [email protected])
Katharina Humphrey (+49 89 189 33 155, [email protected])
Benno Schwarz (+49 89 189 33 110, [email protected])

Hong Kong
Kelly Austin (+1 303.298.5980, [email protected])
Oliver D. Welch (+852 2214 3716, [email protected])

Newsom committed to working with legislators, academics, and other partners to “find the appropriate path forward, including legislation and regulation.”

Update: On September 29, 2024, Governor Newsom vetoed SB 1047 by returning it to the legislature without his signature, criticizing the bill as “a solution that is not informed by an empirical trajectory analysis of AI systems and capabilities.”[1] Building on concerns he previously expressed about the bill,[2] Newsom explained in a statement accompanying his veto that SB 1047 regulates models based only on their cost and size, rather than function, and fails to “take into account whether an Al system is deployed in high-risk environments, involves critical decision-making or the use of sensitive data.”[3]

Despite the veto, Newsom voiced support for AI regulation and California’s role in these efforts, stating, “Safety protocols must be adopted. Proactive guardrails should be implemented, and severe consequences for bad actors must be clear and enforceable,” and that California “cannot afford to wait for a major catastrophe to occur before taking action to protect the public.”[4] Newsom committed to working with legislators, academics, and other partners to “find the appropriate path forward, including legislation and regulation.”[5]

On August 28, 2024, the California State Assembly passed proposed bill SB 1047, the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act, through which California seeks to regulate foundational AI models and impose obligations on companies that develop, fine-tune or provide compute resources to train such models. The bill purports to regulate only the most powerful AI models, trained using large computing capacity, but its requirements are likely to have a broader impact, including on open source models.

SB 1047 currently sits with Governor Newsom. As of September 24, it is unclear whether the Governor will sign the bill or veto it; on September 17, Newsom signaled some discomfort with the bill, but stated that he remained undecided even as he signed several other AI-related bills into law.[6] Gov. Newsom has until the end of September to sign or veto the bill; if he does not veto or return the bill to the legislature, SB 1047 will become law and take effect on January 1, 2026, even if he does not sign it.

Controversial since its introduction, SB 1047 represents a major shift in how U.S. states have sought to regulate AI to date, and the novel approach–including its requirements for developers to implement a “kill switch” and subject themselves to third-party compliance audits, and its applicability to startups and open source AI developers–has caused many major players in the technology sector to oppose the bill or work to weaken its provisions.

Below are 8 key takeaways that highlight the most important aspects of SB 1047 and the ways it may shape the AI landscape if it becomes law.

Expansive definitions of “covered models” and “covered model derivatives” are likely to capture many frontier AI models and subsequent modifications. SB 1047 broadly applies to “covered models,” which are AI models that either:
- Cost over $100 million to develop and are trained using computing power “greater than 10^26 integer or floating-point operations” (FLOPs); or
- Are based on covered models and fine-tuned at a cost of over $10 million and using computing power of three times 10^25 integer or FLOPs.[7]

The frontier models that are publicly available are just below the covered AI model threshold, but the next generation of models will most likely hit that regulation mark.

Certain of SB 1047’s requirements also apply to “covered model derivatives,” which include copies of covered models (whether or not they have been modified).

SB 1047’s requirements apply only to companies that develop or provide compute power to train covered models or covered model derivatives, not to companies that merely use covered models. The law’s principal requirements apply to “developers” that initially train a covered model or that fine-tune a covered model or covered model derivative, all based on the applicable cost and compute requirements. Additional requirements apply to operators of computing clusters when one of their customers “utilizes compute resources that would be sufficient to train a covered model[.]
Before training a covered model, developers are required to implement technical and organization controls designed to prevent covered models from causing “critical harms.” These critical harms include creating or using certain weapons of mass destruction to cause mass casualties; causing mass casualties or at least $500 million in damages by conducting cyberattacks on critical infrastructure or acting with only limited human oversight and causing death, bodily injury, or property damage in a manner that would be a crime if committed by a human; and other comparable harms.
- Kill switch or “shutdown capabilities.” Developers are required to implement a means through which to “promptly enact a full shutdown” of all covered models and covered model derivatives in their control, such that all model operations, including further training, are stopped. In determining whether to enact a full shutdown, developers are required to consider whether it may cause any potential disruptions to critical infrastructure.
- Cybersecurity protections. Developers are required to implement protections “appropriate in light of the risks” to prevent unauthorized access, misuse, or “unsafe post-training modifications” of the covered model and all covered model derivatives in their control.
- Safety protocols. Developers are required to develop a written document safety and security protocol (SSP) and to designate a senior individual to implement the SSP in a manner that complies with the developer’s obligation to exercise reasonable care to mitigate the risk of “foreseeable” downstream misuse of covered models, including by reviewing the SSP for sufficiency on an annual basis. Developers are required to retain an unredacted version of their SSP for the life of the covered model to which it applies plus 5 years, publish a redacted version of the SSP, and to provide an unredacted version to the Attorney General upon request. The SSP is required to:
  - Specify the means through which the developer will comply with its duty to exercise reasonable care as set out above and describe in detail how the developer will comply with SB 1047;
  - Describe how the SSP may be modified;
  - Describes when the developer would implement a full shutdown;
  - Set out testing procedures to determine whether the covered model and its derivatives pose an unreasonable risk of causing or enabling a critical harm or whether the covered model and its derivatives may be modified in a manner that poses such a risk; and
  - States the developer’s compliance obligations in sufficient detail to allow the developer or a third party to determine whether the SSP has been followed.
Developers are subject to rigorous testing, assessment, reporting, and audit obligations.
- Testing and Assessment. Before using a covered model or making it publicly available, a developer is required to assess, including through testing as set out in the SSP, whether there is a possibility that the model could cause critical harm and to record and retain test results from these assessments such that third-parties are capable of duplicating these tests.
- Audits and Reports. Beginning in 2026, developers are required to retain a third-party auditor to perform an independent, annual audit of their compliance with SB 1047. Developers are required to publish redacted copies of their audit reports and to provide unredacted copies to the Attorney General on request. The bill further requires developers to submit annual compliance statements to the Attorney General and to report safety incidents within 72 hours of discovery.
Compute providers are required to implement policies and procedures for customers that use compute sufficient to train a covered model. These procedures are required to include the ability to enact a full shutdown of compute used to train covered models, collecting and verifying identifying information for any customer that uses compute sufficient to train a covered model and assessing whether the customer intends to use the compute resources to train a covered model. Such information is required to be retained for 7 years and shall be provided to the Attorney General on request.
Developers are prohibited from preventing employees from reporting noncompliance internally, to the Attorney General, or to the Labor Commissioner and may not retaliate against employees who do so. These whistleblower protections include requirements that developers inform any employee or contractor working on covered models of their rights and to retain any complaints or reports made by employees or contractors for 7 years. Developers also are required to develop processes through which employees or contractors may make internal reports on an anonymous basis.
Enforcement is exclusively by the Attorney General and does not include a private right of action. The Attorney General may bring a civil action for violations of the bill that cause death or bodily harm; damage, theft, or misappropriation of property; or imminent public safety risks. The Attorney General may seek civil penalties, monetary damages (including punitive damages), injunctive or declaratory relief. Civil penalties for certain violations are capped at 10% of the cost of computing power used to train the covered model.
Certain provisions of SB 1047 may be vulnerable to legal challenge based on constitutional principles. While many of the bill’s provisions will likely pass constitutional muster, including those requiring developers to take technical steps in relation to their covered models, SB 1047 remains subject to legal challenge based on its extraterritorial reach and its assessment requirements.
- No nexus to California. SB 1047 does not have any textual nexus requiring that developers be located in California nor any requirements that covered models be developed, trained, or offered in California for the provisions to apply, standing in opposition to the general presumption that state laws do not apply outside of that state’s borders.
- Assessments may violate the First Amendment. The bill’s assessment provisions may be subject to legal challenge that they are unconstitutional government mandates for developers to create speech, in violation of the First Amendment. The likelihood of such challenges may be increased by the Ninth Circuit’s latest holdings that similar assessment provisions in California’s Age-Appropriate Design Code Act and AB 587 (relating to social media platforms) are facially unconstitutional on First Amendment grounds.[8]

[1] Statement of Gavin Newsom, p. 2 (Sept. 29, 2024), https://www.gov.ca.gov/wp-content/uploads/2024/09/SB-1047-Veto-Message.pdf.

[2] See note 4, infra.

[3] See note 1, supra, at p. 2.

[4] Id.

[5] Id. at p. 3. Contemporaneous with his veto, Newsom announced new partnerships and initiatives for responsibly deploying generative AI and directing state agencies more closely to examine issues surrounding critical harms. The Office of Gov. Gavin Newsom, Governor Newsom announces new initiatives to advance safe and responsible AI, protect Californians (Sept. 29, 2024), https://www.gov.ca.gov/2024/09/29/governor-newsom-announces-new-initiatives-to-advance-safe-and-responsible-ai-protect-californians/.

[6] See Jeremy B. White, Gavin Newsom signals concerns about major AI safety bill, Politico (Sept. 17, 2024), https://subscriber.politicopro.com/article/2024/09/gavin-newsom-signals-concerns-about-major-ai-safety-bill-00179727 (setting out Newsom’s concerns that the bill may create a “chilling effect” and make it harder for California to maintain its status as the home of tech innovation).

[7] The proposed computing threshold mirrors the Biden administration’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.

[8] NetChoice v. Bonta, No. 23-2969 (9th Cir. Aug. 16, 2024); X Corp. v. Bonta, No. 24-271 (9th Cir. Sept. 4, 2024).

The following Gibson Dunn lawyers assisted in preparing this update: Christopher Rosina, Frances Waldmann, Emily Maxim Lamm, Cassandra Gaedt-Sheckter, Vivek Mohan, and Eric Vandevelde.

Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Artificial Intelligence practice group:

Christopher Rosina – New York (+1 212.351.3855, [email protected])
Frances A. Waldmann – Los Angeles (+1 213.229.7914,[email protected])
Keith Enright – Palo Alto (+1 650.849.5386, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, [email protected])
Vivek Mohan – Palo Alto (+1 650.849.5345, [email protected])
Robert Spano – London/Paris (+33 1 56 43 13 00, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, [email protected])

From the Derivatives Practice Group: This week, the CFTC requested public comment on a rule certification filing and extended two no-action letters in connection with reporting obligations.

New Developments

CFTC Requests Public Comment on a Rule Certification Filing by KalshiEX LLC. On September 26, the CFTC requested public comment on a rule certification filing by KalshiEX LLC, which would amend its rulebook to include rules for a request for quote functionality and amendments to its prohibited transactions rule. The CFTC previously stayed KalshiEX LLC’s filing because, according to the CFTC, the submission presents novel or complex issues that require additional time to analyze and is potentially inconsistent with the Commodity Exchange Act or the CFTC’s regulations. Comments must be submitted on or before Oct. 28, 2024. [NEW]
CFTC Staff Extends No-Action Position for Certain Reporting Obligations Under the Ownership and Control Reports Final Rule. On September 25, the CFTC’s Division of Market Oversight (“DMO”) issued a no-action letter that extends the current no-action position for reporting obligations under the ownership and control reports final rule (“OCR Final Rule”). The OCR Final Rule, approved in 2013, requires the electronic submission of trader identification and market participant data for special accounts and volume threshold accounts through Form 102 and Form 40. DMO said that it is extending its no-action position to address continuing compliance difficulties associated with certain ownership and control reporting obligations identified by reporting parties and market participants. The position extends DMO’s position under CFTC Letter No. 23-14, stating that DMO will not recommend the CFTC commence an enforcement action for non-compliance with certain obligations. These obligations include, among others, the timing of ownership and control report form filings; certain information required to be reported regarding trading account controllers and volume threshold account controllers on Form 102; the reporting threshold that triggers the reporting of a volume threshold account on Form 102; the filing of refresh updates for Form 102; and responses to certain questions on Form 40. The no-action position will remain in effect until the later of the applicable effective date or compliance date of a CFTC action, such as a rulemaking or order, addressing such obligations. [NEW]
CFTC Announces Four Orders Granting Whistleblower Awards – Marking the Most in a Single Day. On September 23, the CFTC announced awards totaling approximately $4.5 million for whistleblowers who, collectively, provided information that led to the success of multiple enforcement actions brought by the CFTC and another authority. The four orders granting awards, to a total of seven whistleblowers, are the most the CFTC has issued on a single day. [NEW]
CFTC Staff Extends Temporary No-Action Letter Regarding Capital and Financial Reporting for Certain Non-U.S. Nonbank Swap Dealers Domiciled in the EU and the UK. On September 20, the CFTC’s Market Participants Division (“MPD”) announced it issued a temporary no-action letter extending CFTC Staff Letters No. 21-20 and 22-10 to certain nonbank swap dealers (SDs) domiciled in the European Union (“EU”) and the United Kingdom (“UK”) that are the subject of pending CFTC reviews for comparability determinations regarding capital and financial reporting requirements. As part of the capital and financial reporting requirements for nonbank SDs, the CFTC adopted a substituted compliance framework that permits certain nonbank SDs to rely on compliance with home-country capital and financial reporting requirements in lieu of meeting all or parts of the CFTC’s capital adequacy and financial reporting requirements, provided the CFTC finds the home-country requirements comparable to the CFTC’s requirements. Through CFTC Staff Letter No. 24-13, issued on September 20, MPD is extending a no-action position to eligible nonbank SDs domiciled in the EU and the UK that are not covered by existing CFTC orders addressing capital and financial reporting requirements. The no-action position is conditioned upon the nonbank SDs remaining in compliance with applicable home-country capital and financial reporting requirements and submitting certain financial reporting information to the CFTC. The no-action position will expire by December 31, 2026 or the effective date of any final CFTC action addressing the comparability of capital and financial reporting requirements applicable to the relevant nonbank SDs. [NEW]
CFTC Approves Final Guidance Regarding the Listing of Voluntary Carbon Credit Derivative Contracts. On September 20, the CFTC approved final guidance regarding the listing for trading of voluntary carbon credit derivative contracts. The guidance applies to designated contract markets (“DCMs”), which are CFTC-regulated derivatives exchanges, and outlines factors for DCMs to consider when addressing certain Core Principle requirements in the Commodity Exchange Act (“CEA”) and CFTC regulations that are relevant to the listing for trading of voluntary carbon credit derivative contracts. The guidance also outlines factors for consideration when addressing certain requirements under the CFTC’s Part 40 Regulations that relate to the submission of new derivative contracts, and contract amendments to the CFTC.
CFTC Approves Part 40 Final Rule to Simplify and Enhance Rule and Product Submission Processes. On September 12, the CFTC approved a final rule to amend Part 40 of the CFTC’s regulations. The regulations in Part 40 implement Section 5c(c) of the CEA and govern how registered entities submit self-certifications, and requests for approval, of their rules, rule amendments, and new products for trading and clearing, as well as the CFTC’s review and processing of such submissions. The amendments are intended to clarify, simplify and enhance the utility of the Part 40 regulations for registered entities, market participants and the CFTC. The final rule is effective 30 days after publication in the Federal Register.
DC Circuit Court Orders Temporary Stay Suspending Trading on Election Contracts. On September 12, the United States Court of Appeals for the District of Columbia Circuit (the “DC Circuit Court”) ordered a temporary stay suspending trading on election contracts offered by KalshiEx LLC (“KalshiEx”) “to give the court sufficient opportunity to consider the emergency motion for stay pending appeal.” Prior to the temporary stay from the DC Circuit Court, the United States District Court for the District of Columbia (the “DC District Court”) overturned an order blocking KalshiEx from allowing election contract trading on its platform and denied the CFTC’s request for a stay pending appeal. KalshiEx filed a response to the CFTC’s emergency motion on September 12 and the CFTC’s reply is due to the DC Circuit Court by 6:00 pm on September 14.
CFTC Approves Final Rule Regarding Exemptions from Certain Compliance Requirements for Commodity Pool Operators, Commodity Trading Advisors, and Commodity Pools. On September 12, the CFTC published a final rule that amends CFTC Regulation 4.7, a provision that provides exemptions from certain compliance requirements for commodity pool operators (“CPOs”) regarding commodity pool offerings to qualified eligible persons (“QEPs”) and for commodity trading advisors (“CTAs”) regarding trading programs advising QEPs. The final rule amends various provisions of the regulation that have not been updated since the rule’s original adoption in 1992. Specifically, the final rule: (1) increases the monetary thresholds outlined in the “Portfolio Requirement” definition that certain persons may use to qualify as Qualified Eligible Persons; (2) codifies exemptive letters allowing CPOs of Funds of Funds operated under Regulation 4.7 to choose to distribute monthly account statements within 45 days of the month-end; (3) includes technical amendments designed to improve its efficiency and usefulness for intermediaries and their prospective and actual QEP pool participants and advisory clients, as well as the general public; and, (4) updates citations within 17 CFR Part 4, and throughout the CFTC’s rulebook, to reflect the new structure of Regulation 4.7.

New Developments Outside the U.S.

SFC and HKMA Publish Conclusions on Enhancements to OTC Derivatives Reporting Regime for Hong Kong. On September 26, the Securities and Futures Commission and the Hong Kong Monetary Authority jointly published conclusions on proposed enhancements to the over-the-counter (“OTC”) derivatives reporting regime for Hong Kong, indicating that they will mandate (i) the use of unique transaction identifiers, (ii) the use of unique product identifiers and (iii) the reporting of critical data elements beginning on September 29, 2025. [NEW]
ESAs Warn of Risks From Economic and Geopolitical Events. On September 10, the three European Supervisory Authorities (“ESAs”) issued their Autumn 2024 Joint Committee Report on risks and vulnerabilities in the EU financial system. In the report, the ESAs underlined ongoing high economic and geopolitical uncertainties, warned of the financial stability risks that they believe stem from these uncertainties and called for continued vigilance from all financial market participants. For the first time, the report also includes a cross-sectoral deep dive into credit risks in the financial sector.
EC Publishes Draghi Report on the Future of European Competitiveness. On September 9, the European Commission (“EC”) published a report, Future of European Competitiveness, authored by former Italian prime minister and head of the European Central Bank Mario Draghi. The report, which was commissioned by EC president Ursula von der Leyen, outlines the EU’s new industrial strategy. Part A of the report outlines the overarching strategy, while Part B discusses sectoral and horizontal policies and related recommendations in more detail. The report covers topics that include energy derivatives, sustainable finance, EU supervision, Basel framework, and collateral. The EC president indicated that she will aim to form a cabinet, with related mission letters that she expects to cover certain aspects of the report as part of future EU policies.

New Industry-Led Developments

ISDA Publishes Updated Best Practices for Confirming Reference Obligations or Standard Reference Obligations. On September 25, ISDA published updated Best Practices for Single-name Credit Default Swaps regarding Reference Obligations or Standard Reference Obligations. The document sets out suggested best practices for confirming the Reference Obligation or Standard Reference Obligations for single-name Credit Default Swaps and is an update to the Best Practice Statement that was published by ISDA on November 18, 2014. [NEW]
Joint Trade Association Issues Statement on EMIR 3.0 Effective Implementation Dates. On September 23, ISDA, the Alternative Investment Management Association, the European Banking Federation, the European Fund and Asset Management Association and FIA sent a letter urging the European Commission and European supervisory authorities to clarify that market participants are not required to implement the European Market Infrastructure Regulation (“EMIR 3.0”) Level 1 provisions prior to the date of application of the associated Level 2 regulatory technical standards (“RTS”). In the letter, the associations state that they are seeking clarification to avoid firms being required to implement the requirements of EMIR 3.0 twice—first, to comply with the Level 1 provisions once EMIR 3.0 enters into force and then when the associated Level 2 RTS becomes applicable. [NEW]
ISDA Publishes Standing Settlement Instructions Suggested Operational Practices. On September 20, ISDA published the ISDA Standing Settlement Instructions (“SSI”) suggested operational practices (“SOP”), which outlines a set of guidelines for the communication, management and usage of SSIs. According to ISDA, the document aims at increasing standardization and efficiency in performing payments for over-the-counter (“OTC”) derivatives and it is an update to the Best Practice Statement that was published by ISDA on August 11, 2010. SOPs for the exchange of SSIs for the purposes of collateral are available in section 1.7 of the Suggested Operational Practices for the OTC Derivatives Collateral Process. [NEW]
ISDA Publishes Results of DC Review Consultation. On September 19, ISDA published the results of a market-wide consultation on proposed changes to the structure and governance of the Credit Derivatives Determinations Committees (“DCs”). ISDA reported that the consultation indicated broad market support to implement many of the recommendations, including establishing a separate governance body, implementing certain transparency proposals relating to the publication of DC decisions and appointing up to three independent members of the DCs. Some of the proposals received a significant minority of objections.
ISDA Submits Letter to US Treasury Department on Listed Transactions. On September 11, ISDA submitted a letter in response to the US Department of the Treasury’s proposal to identify certain basket contract transactions as listed transactions. In the letter, ISDA arguesd that ISDA believes the proposed regulations would apply to many non-abusive transactions, would inappropriately take the place of substantive guidance and would generate compliance burdens and uncertainty for taxpayers.

The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.

Jeffrey L. Steiner, Washington, D.C. (202.887.3632, [email protected])

Michael D. Bopp, Washington, D.C. (202.955.8256, [email protected])

Michelle M. Kirschner, London (+44 (0)20 7071.4212, [email protected])

Darius Mehraban, New York (212.351.2428, [email protected])

Jason J. Cabral, New York (212.351.6267, [email protected])

Adam Lapidus – New York (212.351.3869, [email protected] )

Stephanie L. Brooker, Washington, D.C. (202.887.3502, [email protected])

William R. Hallatt , Hong Kong (+852 2214 3836, [email protected] )

David P. Burns, Washington, D.C. (202.887.3786, [email protected])

Marc Aaron Takagaki , New York (212.351.4028, [email protected] )

Hayden K. McGovern, Dallas (214.698.3142, [email protected])

Karin Thrasher, Washington, D.C. (202.887.3712, [email protected])

This update provides a high-level summary of meaningful similarities and differences between the CFTC’s proposed and final guidance regarding the listing of voluntary carbon credit derivative contracts.

On September 20, 2024, the Commodity Futures Trading Commission (the CFTC or the Commission) approved final guidance (the VCC Guidance)[1] outlining factors for consideration by CFTC-regulated exchanges, such as designated contract markets (DCMs) and swap execution facilities,[2] regarding the listing for trading of voluntary carbon credit (VCC) derivative contracts.[3] The CFTC did not depart significantly from its proposed guidance on the same topic, issued on December 4, 2023 (the VCC Proposal), and focused on key considerations when addressing certain requirements in the Commodity Exchange Act (the CEA) and CFTC regulations applicable to the design and listing of such contracts.

This update provides a high-level summary of meaningful similarities and differences between the VCC Proposal and the VCC Guidance.[4]

Overview

The VCC Guidance does not establish new obligations for DCMs or modify or supersede the existing regulatory framework regarding the listing of derivative products by DCMs. Rather, it provides the CFTC’s views and guidance on factors potentially relevant to its evaluation of DCM compliance and outlines matters for consideration by a DCM when designing and listing a VCC derivative contract. In the context of VCC derivatives, the VCC guidance applies the already applicable “DCM Core Principles”[5] to VCC derivatives contracts. In particular, DCM Core Principle 3, a requirement that a DCM only list for trading contracts that are not readily susceptible to manipulation, and DCM Core Principle 4, a requirement that a DCM prevent manipulation, price distortion and disruptions of the physical delivery or cash-settlement process through market surveillance, compliance and enforcement practices and procedures, form the foundation of the VCC Guidance. The VCC Guidance also addresses product submission requirements under Part 40 of the CFTC’s regulations and CEA section 5c(c), insofar as such requirements relate to VCC derivatives.

The CFTC and Voluntary Carbon Markets

The VCC Guidance represents the “culmination of over five years of work” and the first time that a U.S. financial regulator has issued “regulatory guidance for contract markets that list financial contracts aimed at providing tools to manage risk, promote price discovery, and foster the allocation of capital towards decarbonization efforts,” according to Commissioner Behnam, who detailed many of the CFTC’s efforts in its supporting statement.[6] According to the VCC Guidance, more than 150 derivative contracts on mandatory emissions program instruments are listed on DCMs[7] and 29 derivative contracts on voluntary carbon market products had been listed for trading by DCMs as of August 2024,[8] up from 18 as of November 2023[9] (only three of which currently have open interest).[10]

The VCC Guidance sits alongside many initiatives, both public and private, designed to encourage standards in VCC derivatives markets and promote transparency and liquidity. There is no primary regulator of the VCC markets; however, the CFTC has regulatory authority over environmental commodity derivatives, as established in a joint product definition rulemaking with the Securities Exchange Commission following the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act.[11] Although the CFTC does not have regulatory authority over the spot trading of VCCs, it has enforcement authority over fraud and manipulation in the spot VCC market.[12] The VCC Guidance should also be understood in the context of the U.S. federal government’s efforts to promote enhance VCC derivatives markets.[13]

But the proper role of the federal government, and the CFTC itself, in VCC derivatives markets remains unsettled. For example, Commissioner Mersinger issued a dissenting statement on the VCC Guidance, stating that it “is a solution in search of a problem,” constituting “guidance on an emerging class of products that have very little open interest and comprise a miniscule percentage of trading activity on CFTC-regulated DCMs” that includes “veiled attempts to propagate controversial political ideologies.”[14] Commissioner Mersinger stated that the inclusion of Environmental and Social Governance compliance and Net Zero goals in the VCC Guidance was misplaced, calling such focus “a backdoor attempt to inject and memorialize certain political ideologies into CFTC regulatory decisions.”[15]

CFTC Guidance for DCMs Regarding the Listing of VCC Derivative Contracts

The VCC Guidance focuses mainly on physically-settled VCC derivative contracts. However, like in the VCC Proposal, the CFTC noted that its discussion of “VCC commodity characteristics for consideration by a DCM in connection with the design and listing of a physically-settled VCC derivative contract[] would also be relevant for cash-settled derivative contracts that settle to the price of a VCC, unless otherwise noted.”[16]

1. A DCM Shall Only List Derivative Contracts That Are Not Readily Susceptible to
Manipulation

The CFTC maintained the position it put forth in the VCC Proposal that, at a minimum, a DCM should address quality standards, delivery points and facilities, and inspection provisions in the design of a VCC derivative contract and that addressing such criteria in the contract’s terms and conditions will assist in promoting accurate pricing and reducing susceptibility to manipulation. In addition to maintaining its position, the CFTC explained in the VCC Guidance that industry-recognized standards for high-integrity VCCs can assist in preventing manipulation and that DCMs should consider identifying the standards program and related crediting program in the contract’s terms and conditions.

A. Quality Standards

The VCC Guidance follows the VCC Proposal in recommending that a DCM should consider transparency, additionality, permanence and risk of reversal, and robust quantification of emissions reductions or removals when addressing quality standards in connection with the design of a VCC derivative contract. In addition to what the CFTC set forth in the VCC Proposal, it recognized that:

a DCM may determine that it is appropriate to consider, when addressing quality standards in connection with derivative contract design, whether the crediting program for underlying VCCs has implemented measures to help ensure that credited mitigation projects or activities: (i) meet or exceed best practices on social and environmental safeguards, and (ii) would avoid locking in levels of [greenhouse gas (“GHG”)] emissions, technologies or carbon intensive practices that are incompatible with the objective of achieving net zero GHG emissions by 2050.[17]

The CFTC substantively revised its recommendations with respect to transparency and additionality, as described immediately below, but carried forward its proposed recommendations with respect to permanence and risk of reversal and robust quantification of emissions reductions or removals.

Transparency. The CFTC supplemented the VCC Proposal on transparency to provide that the terms and conditions of a physically-settled VCC derivative contract should “clearly identify what is deliverable under the contract.”[18]
Additionality. The CFTC refined the VCC Proposal on additionality, explicitly declining to define the term,[19] to provide that a DCM should consider “whether the crediting program for underlying VCCs has procedures in place to test for additionality” and whether such procedures “provide reasonable assurance that GHG emission reductions or removals will be credited only if they are additional.”[20]

B. Delivery Points and Facilities

The CFTC maintained its position set forth in the VCC Proposal that a DCM should consider a crediting program’s governance, tracking mechanisms and measures to prevent double-counting when addressing delivery procedures.

C. Inspection Provisions – Third Party Validation and Verification

In the VCC Guidance, the CFTC indicated that a DCM should look for “reasonable assurances” that crediting programs are validating and verifying credit mitigation projects and activities appropriately, replacing the VCC Proposal’s guidance that DCMs should directly consider a crediting program’s policies and procedures.

In the VCC Proposal, the CFTC proposed that a DCM should consider “how the crediting programs for the underlying VCCs require validation and verification that credited mitigation projects or activities meeting the crediting program’s rules and standards.”[21] The CFTC revised that recommendation in the VCC Guidance and indicated that a DCM consider “whether there is reasonable assurance that the crediting programs for the underlying VCCs have up-to-date, robust and transparent procedures for validating and verifying that credited mitigation projects or activities meet the crediting program’s rules and standards,”[22] including “whether there is reasonable assurance that the crediting program’s procedures reflect best practices with respect to third party validation and verification.”[23]

2. A DCM Shall Monitor a Derivative Contract’s Terms and Conditions as They Relate to
the Underlying Commodity Market.

With respect to monitoring the terms and conditions of a physically-settled VCC derivative contract, the VCC Proposal and Guidance both stated that a DCM should (i) ensure that the underlying VCC reflects the latest certification standard applicable for that VCC and (ii) maintain rules that require its market participants to keep certain records and make them available to the DCM upon request.

3. A DCM Must Satisfy the Product Submission Requirements Under Part 40 of the
CFTC’s Regulations and CEA Section 5c(c).

The VCC Guidance and the VCC Proposal both maintained that that product submissions should be complete and thorough and include:

“[A]n ‘explanation and analysis’ of the contract and the contract’s ‘compliance with applicable provisions of the [CEA], including core principles and the Commission’s regulations thereunder.’”[24]
“[T]hat the explanation and analysis of the contract ‘either be accompanied by the documentation relied upon to establish the basis for compliance with applicable law, or incorporate information contained in such documentation, with appropriate citations to data sources[.]’”[25]
“[I]f requested by Commission staff, . . . any ‘additional evidence, information or data that demonstrates that the contract meets, initially or on a continuing basis, the requirements’ of the CEA or the Commission’s regulations or policies thereunder.”[26]

Conclusion

The VCC Guidance, like the VCC Proposal, is non-binding and limited to exchange-traded VCC derivative contracts. However, it suggests implications for the over-the-counter VCC derivatives market and VCC spot markets. More generally, the VCC Guidance is the CFTC’s latest effort to promote structure and standards and influence the development of global VCC markets.

[1] See “CFTC Approves Final Guidance Regarding the Listing of Voluntary Carbon Credit Derivative Contracts,” Release No. 8969-24, Sept. 20, 2024. Previously, the CFTC issued proposed guidance and a request for public comment regarding the listing for trading of voluntary carbon credit derivative contracts on December 4, 2023. The request for comment elicited approximately 90 comments from derivatives exchanges, industry and trade associations, carbon credit rating agencies and standard setting bodies, among others, during a 75-day public comment period. Our client update on the VCC Proposal is available at https://www.gibsondunn.com/cftc-issues-proposed-guidance-regarding-the-listing-of-voluntary-carbon-credit-derivative-contracts/.

[2] The CFTC stated that, while the VCC Guidance “focuses on the listing of VCC derivative contracts by DCMs, the Commission believes that the factors outlined for consideration also would be relevant for consideration by any SEF that may seek to permit trading in swap contracts that settle to the price of a VCC, or in physically-settled VCC swap contracts.” VCC Guidance, Pre-Print Version at 82.

[3] The statement of support by the Chairman and statement of dissent by Commissioner Mersinger are available at https://www.cftc.gov/PressRoom/PressReleases/8969-24.

[4] Further information on the VCC Proposal can be found In Gibson Dunn’s previous alert, available at: https://www.gibsondunn.com/cftc-issues-proposed-guidance-regarding-the-listing-of-voluntary-carbon-credit-derivative-contracts/

[5] See, e.g., https://www.cftc.gov/LawRegulation/DoddFrankAct/Rulemakings/DF_12_DCMRules/index.htm

[6] Statement of Support of Chairman Rostin Behnam on the Commission’s Final Guidance Regarding the Listing of Voluntary Carbon Credit Derivatives Contracts (September 20, 2024), available at https://www.cftc.gov/PressRoom/SpeechesTestimony/behnamstatement092024.

[7] See VCC Guidance, Pre-Print Version at 14-15.

[8] See Id. at 15.

[9] See Commission Guidance Regarding the Listing of Voluntary Carbon Credit Derivative Contracts; Request for Comment, 88 Fed. Reg. 89410, 89414 (December 27, 2023).

[10] See VCC Guidance, Pre-Print Version at 15.

[11]Further Definition of “Swap,” “Security-Based Swap,” and “Security-Based Swap Agreement”; Mixed Swaps; Security-Based Swap Agreement Recordkeeping; Final Rule, 77 Fed Reg 48208, 48233-48235 (August 13, 2012). (“An agreement, contract or transaction in an environmental commodity may qualify for the forward exclusion from the “swap” definition set forth in section 1a(47) of the CEA, 7 U.S.C. 1a(47), if the agreement, contract or transaction is intended to be physically settled.”)

[12] See 7 U.S.C. § 9; 17 CFR § 180.1.

[13] See e.g., Gibson Dunn’s previous client alert on the Biden-Harris Administration’s Joint Statement of Policy and new Principles for Responsible Participation in Voluntary Carbon Markets, available at: https://www.gibsondunn.com/us-department-of-treasury-releases-joint-policy-statement-and-principles-on-voluntary-carbon-markets/

[14] Dissenting Statement of Commissioner Summer K. Mersinger on Guidance Regarding the Listing of Voluntary Carbon Credit Derivative Contracts (September 20, 2024), available at https://www.cftc.gov/PressRoom/SpeechesTestimony/mersingerstatement092024.

[15] Id.

[16] VCC Guidance, Pre-Print Version at 81.

[17] Id. at 86.

[18] Id. at 86.

[19] Id. at 88.

[20] Id. at 87.

[21] Commission Guidance Regarding the Listing of Voluntary Carbon Credit Derivative Contracts; Request for Comment, 88 Fed. Reg. 89410, 89419 (December 27, 2023).

[22] VCC Guidance, Pre-Print Version at 94.

[23] Id. at 95.

[24] Id. at 98 (quoting 17 CFR 40.2(a)(3)(v) (for self-certification) and 40.3(a)(4) (for Commission approval)).

[25] Id.

[26] Id. at 98 (quoting 17 CFR 40.2(b) (for self-certification) and 40.3(a)(10) (for Commission approval)).

The following Gibson Dunn lawyers assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, and Hayden McGovern.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. Please contact the Gibson Dunn lawyer with whom you usually work, any leader or member of the firm’s Derivatives practice group, or the following authors:

Jeffrey L. Steiner – Washington, D.C. (+1 202.887.3632, [email protected])

Adam Lapidus – New York (+1 212.351.3869, [email protected])

New Developments

CFTC Approves Final Guidance Regarding the Listing of Voluntary Carbon Credit Derivative Contracts. On September 20, the CFTC approved final guidance regarding the listing for trading of voluntary carbon credit derivative contracts. The guidance applies to designated contract markets (“DCMs”), which are CFTC-regulated derivatives exchanges, and outlines factors for DCMs to consider when addressing certain Core Principle requirements in the Commodity Exchange Act (“CEA”) and CFTC regulations that are relevant to the listing for trading of voluntary carbon credit derivative contracts. The guidance also outlines factors for consideration when addressing certain requirements under the CFTC’s Part 40 Regulations that relate to the submission of new derivative contracts, and contract amendments to the CFTC. [NEW]
CFTC Approves Part 40 Final Rule to Simplify and Enhance Rule and Product Submission Processes. On September 12, the CFTC approved a final rule to amend Part 40 of the CFTC’s regulations. The regulations in Part 40 implement Section 5c(c) of the CEA and govern how registered entities submit self-certifications, and requests for approval, of their rules, rule amendments, and new products for trading and clearing, as well as the CFTC’s review and processing of such submissions. The amendments are intended to clarify, simplify and enhance the utility of the Part 40 regulations for registered entities, market participants and the CFTC. The final rule is effective 30 days after publication in the Federal Register. [NEW]
DC Circuit Court Orders Temporary Stay Suspending Trading on Election Contracts. On September 12, the United States Court of Appeals for the District of Columbia Circuit (the “DC Circuit Court”) ordered a temporary stay suspending trading on election contracts offered by KalshiEx LLC (“KalshiEx”) “to give the court sufficient opportunity to consider the emergency motion for stay pending appeal.” Prior to the temporary stay from the DC Circuit Court, the United States District Court for the District of Columbia (the “DC District Court”) overturned an order blocking KalshiEx from allowing election contract trading on its platform and denied the CFTC’s request for a stay pending appeal. KalshiEx filed a response to the CFTC’s emergency motion on September 12 and the CFTC’s reply is due to the DC Circuit Court by 6:00 pm on September 14.
CFTC Approves Final Rule Regarding Exemptions from Certain Compliance Requirements for Commodity Pool Operators, Commodity Trading Advisors, and Commodity Pools. On September 12, the CFTC published a final rule that amends CFTC Regulation 4.7, a provision that provides exemptions from certain compliance requirements for commodity pool operators (“CPOs”) regarding commodity pool offerings to qualified eligible persons (“QEPs”) and for commodity trading advisors (“CTAs”) regarding trading programs advising QEPs. The final rule amends various provisions of the regulation that have not been updated since the rule’s original adoption in 1992. Specifically, the final rule: (1) increases the monetary thresholds outlined in the “Portfolio Requirement” definition that certain persons may use to qualify as Qualified Eligible Persons; (2) codifies exemptive letters allowing CPOs of Funds of Funds operated under Regulation 4.7 to choose to distribute monthly account statements within 45 days of the month-end; (3) includes technical amendments designed to improve its efficiency and usefulness for intermediaries and their prospective and actual QEP pool participants and advisory clients, as well as the general public; and, (4) updates citations within 17 CFR Part 4, and throughout the CFTC’s rulebook, to reflect the new structure of Regulation 4.7.
CFTC Staff Issues No-Action Letter Related to Reporting and Recordkeeping Requirements for Fully Collateralized Binary Options. On September 4, 2024, the CFTC announced the Division of Market Oversight (“DMO”) and the Division of Clearing and Risk have taken a no-action position regarding swap data reporting and recordkeeping regulations in response to a request from LedgerX LLC d/b/a MIAX Derivatives Exchange LLC (“MIAXdx”), a designated contract market and derivatives clearing organization. The Divisions will not recommend the CFTC initiate an enforcement action against MIAXdx or its participants for certain swap-related recordkeeping requirements and for failure to report data associated with fully collateralized binary option transactions executed on or subject to the rules of MIAXdx to swap data repositories. The no-action letter is comparable to no-action letters issued for other similarly situated designated contract markets and derivatives clearing organizations.

New Developments Outside the U.S.

ESAs Warn of Risks From Economic and Geopolitical Events. On September 10, the three European Supervisory Authorities (“ESAs”) issued their Autumn 2024 Joint Committee Report on risks and vulnerabilities in the EU financial system. In the report, the ESAs underlined ongoing high economic and geopolitical uncertainties, warned of the financial stability risks that they believe stem from these uncertainties and called for continued vigilance from all financial market participants. For the first time, the report also includes a cross-sectoral deep dive into credit risks in the financial sector.
EC Publishes Draghi Report on the Future of European Competitiveness. On September 9, the European Commission (“EC”) published a report, Future of European Competitiveness, authored by former Italian prime minister and head of the European Central Bank Mario Draghi. The report, which was commissioned by EC president Ursula von der Leyen, outlines the EU’s new industrial strategy. Part A of the report outlines the overarching strategy, while Part B discusses sectoral and horizontal policies and related recommendations in more detail. The report covers topics that include energy derivatives, sustainable finance, EU supervision, Basel framework, and collateral. The EC president indicated that she will aim to form a cabinet, with related mission letters that she expects to cover certain aspects of the report as part of future EU policies.
MAS Updates FAQs on OTC Derivatives Reporting Regulations. On September 4, the Monetary Authority of Singapore (“MAS”) further updated the Frequently Asked Questions (FAQs) on the Securities and Futures (Reporting of Derivatives Contracts) Regulations 2013. MAS indicated that the FAQs are to aid implementation of the reporting obligations and elaborate on its intentions for some of the requirements. The new Singapore reporting rules will take effect on October 21, 2024.

New Industry-Led Developments

ISDA Publishes Results of DC Review Consultation. On September 19, ISDA published the results of a market-wide consultation on proposed changes to the structure and governance of the Credit Derivatives Determinations Committees (“DCs”). ISDA reported that the consultation indicated broad market support to implement many of the recommendations, including establishing a separate governance body, implementing certain transparency proposals relating to the publication of DC decisions and appointing up to three independent members of the DCs. Some of the proposals received a significant minority of objections. [NEW]
ISDA Submits Letter to US Treasury Department on Listed Transactions. On September 11, ISDA submitted a letter in response to the US Department of the Treasury’s proposal to identify certain basket contract transactions as listed transactions. In the letter, ISDA arguesd that ISDA believes the proposed regulations would apply to many non-abusive transactions, would inappropriately take the place of substantive guidance and would generate compliance burdens and uncertainty for taxpayers. [NEW]
ISDA Responds to Australia’s CFR on Bonds and Repo Clearing. On September 4, ISDA submitted a response to a consultation from Australia’s Council of Financial Regulators (“CFR”) on the central clearing of bonds and repos in Australia. In response to changes in the size and structure of the Australian bond and repo markets, the CFR sought feedback on the costs and benefits of introducing a central counterparty (“CCP”) in the Australian bond and repo markets. It also sought views on the circumstances under which a bond and repo CCP could be operated safely and efficiently by an overseas operator and what additional protections may be required in Australia. ISDA said that it welcomes the fact that the CFR is not considering the introduction of a clearing mandate. In its response, ISDA set out its opinion on the costs and benefits of voluntary central clearing for the Australian bond and repo markets. ISDA also commented on participation and other factors to consider for a bond and repo clearing offering to be viable. On location, the response states it is not uncommon for an overseas operator to provide clearing services related to non-domestic markets and ISDA indicated that it does not see any increased risk for an overseas operator to provide clearing services for the Australian bond and repo markets, as long as the overseas CCP is appropriately supervised and risk-managed.
ISDA Suggested Operational Practice “P43 Reporting of Post-Trade Events: Trades with no prior P43 Reporting.” On September 5, ISDA republished a Suggested Operational Practice (“SOP”) from July 2024 on approaches (e.g., for partial or full unwinds, partial or full novation, or partial or full exercises) under the CFTC amendments for allocated trades. The SOP recommends reporting the first Part 43 reportable post-trade event on an allocated trade with Action type “NEWT” and Event type “TRAD.”

The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.

Jeffrey L. Steiner, Washington, D.C. (202.887.3632, [email protected])

Michael D. Bopp, Washington, D.C. (202.955.8256, [email protected])

Michelle M. Kirschner, London (+44 (0)20 7071.4212, [email protected])

Darius Mehraban, New York (212.351.2428, [email protected])

Jason J. Cabral, New York (212.351.6267, [email protected])

Adam Lapidus – New York (212.351.3869, [email protected] )

Stephanie L. Brooker, Washington, D.C. (202.887.3502, [email protected])

William R. Hallatt , Hong Kong (+852 2214 3836, [email protected] )

David P. Burns, Washington, D.C. (202.887.3786, [email protected])

Marc Aaron Takagaki , New York (212.351.4028, [email protected] )

Hayden K. McGovern, Dallas (214.698.3142, [email protected])

Karin Thrasher, Washington, D.C. (202.887.3712, [email protected])

Gibson, Dunn & Crutcher LLP is pleased to announce with Global Legal Group the release of the International Comparative Legal Guide to Sanctions 2025 – Germany Chapter. Gibson Dunn partner Benno Schwarz and associate Nikita Malevanny are co-authors of the publication which provides an overview of the EU sanctions regime as applied by Germany and covers relevant government agencies, applicable guidance, sanctions jurisdiction, export controls, criminal and civil enforcement, recent developments, and other topics. The chapter was co-authored with Veit Bütterlin-Goldberg and Svea Ottenstein from AlixPartners.

You can view this informative and comprehensive chapter via the link below:

CLICK HERE to view Sanctions 2025 – Germany Chapter.

For further information, please feel free to contact the authors, the Gibson Dunn lawyer with whom you usually work, or any leader or member of the firm’s International Trade practice group.

About Gibson Dunn’s International Trade Practice Group:

Gibson Dunn’s International Trade practice includes some of the most experienced practitioners in the field. Our global experience is unparalleled – the practice’s lawyers have worked extensively across Asia, Europe, the Gulf, and the Americas and many have served in senior government and enforcement roles as principal architects of key sanctions and export controls regimes and relief, including with respect to U.N. sanctions, and U.S. measures against Iran, Russia, Cuba, and Myanmar.

Please visit our International Trade practice page or contact Benno Schwarz (+49 89 189 33-210, [email protected]) or Nikita Malevanny (+49 89 189 33-224, [email protected]) in Munich.

About the Authors:

Benno Schwarz is a partner in the Munich office of Gibson, Dunn & Crutcher and co-chair of the firm’s Anti-Corruption & FCPA Practice Group. He focuses on white collar defense and compliance investigations in a wide array of criminal regulatory matters. For more than 30 years, he has handled sensitive cases and investigations concerning all kinds of compliance issues, especially in an international context, advising and representing companies and their executive bodies. He coordinates the German International Trade Practice Group of Gibson Dunn and assists clients in navigating the complexities of sanctions and counter-sanctions compliance. He is regularly recognized as a leading lawyer in Germany in the areas of white-collar crime, corporate advice, compliance and investigations.

Nikita Malevanny is an associate in the Munich office of Gibson, Dunn & Crutcher, and a member of the firm’s International Trade, White Collar Defense and Investigations, and Litigation Practice Groups. He focuses on international trade compliance, including EU sanctions, embargoes and export controls. He also carries out internal and regulatory investigations in the areas of corporate anti-corruption, anti-money laundering and technical compliance. Handelsblatt / The Best LawyersTM in Germany 2024/2025 have recognized him in their list “Ones to Watch” for litigation and intellectual property law. The Legal 500 Deutschland 2024 and The Legal 500 EMEA 2024 have recommended him for Foreign Trade Law. He holds both German and Russian law degrees and speaks German, English, Russian and Ukrainian. He is a regular member of Gibson Dunn’s cross-border teams supporting and advising clients on global sanctions and export control aspects.

On September 5, 2024, Institutional Shareholder Services (ISS) released its 2024 Proxy Season Review: United States – Executive Compensation. The below chart summarizes our observations of the 2024 data and key takeaways as we look to the 2025 proxy season. While these trends are positive for issuers overall, they underscore that issuers, their boards, compensation committees, and management should continue to take an active role in compensation programs, disclosure, and shareholder engagement practices.

Observations	Key Takeaways
Increased shareholder support for say-on-pay and equity plan proposals. Median say-on-pay support levels rebounded after steadily declining since 2017, though median say-on-pay support did not quite reach 95% (hovering at 94.9%, well below the highs of 2015-2017). Instances of low (less than 70%) say-on-pay support and failed say-on-pay votes each also decreased to 5.1% and 1%, respectively in 2024. Likewise, after declining in 2022 and 2023, equity plan support improved in 2024 and equity plan failure rates normalized at just under 1% (down from 1.6% in 2023).	ISS notes that this is the lowest proxy season say-on-pay failure rate ever observed. We attribute this positive trend to continued transparency in compensation program disclosures and increased attention on shareholder engagement efforts. Issuers should continue to address in their disclosures (1) how their compensation practices affect shareholder dilution and reflect and respond to broader market conditions, including inflationary pressures and economic volatility, and (2) how these factors impact their approach to designing and administering their compensation programs.
Continued positive correlation between pay-for-performance quantitative screen and ISS say-on-pay vote recommendation. Unsurprisingly, higher quantitative screen concern levels correlated to a higher likelihood of an “against” recommendation, with over half of issuers flagged with a “high” concern level receiving “against” recommendations.	Interestingly, the 3% of issuers with a “low” concern level that received “against” recommendations generally were cited for problematic contractual provisions, non-CEO executive pay, insufficient board responsiveness, or severance payouts.
Rising CEO pay. After dipping slightly in 2023, median CEO pay in the S&P 500 reached its highest level since say-on-pay votes began over a decade ago – $15.6 million. The Russell 3000 (excluding the S&P 500) median CEO pay also trended up slightly to $5.3 million, but was still below the high-water mark set in 2021.	ISS notes that the record low say-on-pay failure rates combined with the record high S&P CEO median pay level suggest that investors are considering factors beyond pay magnitude in their voting decisions. Consistent with ISS’s proxy voting guidelines, many large investors’ say-on-pay votes can be swayed by problematic pay practices (such as one-time awards or application of discretion in pay decisions) without clear disclosure of a compelling rationale.
Compensation plan design continues to favor formulaic and performance-based compensation. Annual and long-term incentive awards trended towards non-discretionary and performance-based design, respectively.	ISS’s focus on formulaic performance-based compensation, including the impact of ISS’s pay-for-performance quantitative screen noted above, continues to correlate with the say-on-pay vote recommendation.
Specific sectors and the Russell 3000 continue to use discretionary compensation. While discretionary compensation across all sectors and indices has generally declined or remained steady year-over-year, financial sector CEOs and a higher percentage of Russell 3000 (excluding S&P 500) CEOs continued to receive discretionary bonuses.	Discretionary compensation may still have specific appropriate use cases, though issuers should consider clearly disclosing the business or sector-specific rationale when deploying discretionary compensation. Based on these trends, benchmarking against sector-specific peers may also be helpful.
Higher perquisite numbers driven by aircraft perks and security costs. Median values of CEO “all other compensation” reported in 2024 climbed markedly in the S&P 500, particularly in the upper percentiles of perquisite values.	The ISS report noted that increases in CEO “all other compensation” levels appeared to be primarily driven by larger corporate aircraft perks and security costs. And at the same time, issuers have seen an enhanced focus by the SEC and IRS on reporting and disclosure of these benefits.
Equity plan design trends include continuing rise of evergreen provisions, use of discretion to accelerate vesting, and no minimum vesting requirement. While “problematic” provisions like repricings or cash buyouts of equity awards without shareholder approval, and liberal change in control vesting provisions continued to decline overall, evergreen provisions in equity plans continued a steady rise and were observed in over 15% of 2024 plans up for approval. Issuers seeking plan approval in 2024 continued to eschew limitations on flexibility to accelerate vesting and set vesting schedules.	The prevalence of evergreen provisions is likely attributable in part to the repeal of Section 162(m) of the Internal Revenue Code in 2017 and an increase in SPAC/de-SPAC transactions since 2021. Favoring the ability to set and adjust vesting schedules is unsurprising as issuers balance the need for flexibility in equity plan administration.
No surprises in pay-versus-performance disclosure. Consistent with 2023, most industries used earnings as their most important performance metric and technology, media and telecom looked to revenue. Compensation actually paid (CAP) trended upwards in most industries.	The overall increase in CAP is not surprising given its correlation to increases in stock prices and the year-over-year performance of the relevant industries from fiscal year 2022 to fiscal year 2023.
Modest increases in CEO pay ratio. Median CEO pay ratio in the S&P 500 saw a small increase year-over-year while the other indices (S&P 400, S&P 600, and remaining Russell 3000) remained steady.	Consistent with the trends in CEO pay levels, the median CEO pay-to-median employee ratios in the S&P 500, S&P 400, S&P 600 and remaining Russell 3000 were 189, 111, 73, and 45, respectively.
Say-on-golden parachute failure rate increased. In 2024, proposals seeking advisory approval of compensation payable in connection with a change of control dipped below 80% average support for the first time since 2017, and the failure rate for these proposals hit an all-time-high of 17%.	Say-on-golden parachute support/failure rates have generally correlated to changes in median golden parachute value, which increased 35% year-over-year from 2023 to 2024.

The following Gibson Dunn lawyers assisted in preparing this update: Krista Hanvey, Elizabeth Ising, Ronald Mueller, Ekaterina Napalkova, and Lori Zyskowski.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. To learn more about these developments, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Executive Compensation and Employee Benefits or Securities Regulation and Corporate Governance practice groups:

Executive Compensation and Employee Benefits:
Sean C. Feller – Los Angeles (+1 310.551.8746, [email protected])
Krista Hanvey – Dallas (+ 214.698.3425, [email protected])
Kate Napalkova – New York (+1 212.351.4048, [email protected])

Securities Regulation and Corporate Governance:
Elizabeth Ising – Washington, D.C. (+1 202.955.8287, [email protected])
James J. Moloney – Orange County (+1 949.451.4343, [email protected])
Ronald O. Mueller – Washington, D.C. (+1 202.955.8671, [email protected])
Lori Zyskowski – New York (+1 212.351.2309, [email protected])

I. Introduction

For fiscal years beginning on or after April 1, 2023, domestic public companies are required to disclose whether they have adopted insider trading policies and procedures governing the purchase, sale, and/or other dispositions of their securities by their directors, officers and employees, or the companies themselves, and if so to file those policies and procedures as an exhibit to their annual reports on Form 10-K.[1] While calendar year companies must comply with these requirements in their Form 10-K for, or proxy statement following, the fiscal year ending December 31, 2024, 49 S&P 500 companies had addressed these requirements in filings as of June 30, 2024.[2]

As discussed in the summary of our preliminary observations below, while specific provisions vary from company to company, certain common approaches are emerging with respect to key policy terms. That said, company policies and procedures can vary based on a company’s particular circumstances, some companies may have interpretive materials that were not filed but elaborate on the operation of their policies and procedures, and some companies are updating their policies and procedures in light of the new filing requirements. As a result, we caution companies against treating these early observations as “best practices.” Your Gibson Dunn contacts are available to discuss the specifics of your policy and answer any questions you may have.

II. Persons Subject to the Insider Trading Policies

Nearly all policies we reviewed (96%) cover all company personnel (i.e., directors, officers and all employees of companies and their subsidiaries and, in some cases, certain affiliates) and their family members. Additionally, a significant majority of the policies (82%) expressly state that they apply to legal entities such as trusts whose securities transactions are controlled or influenced by company personnel and, in some cases, their family members. A majority of the policies (63%) also apply insider trading restrictions to contractors and/or consultants.[3]

III. Transactions in Company Securities Subject to the Insider Trading Policies

All of the policies specify types of transactions that are subject to, or are exempt from, the policy terms. Aside from open market sales or purchases, which are addressed in all of the policies, the most commonly addressed transactions include the following:

A significant majority of the policies (86%) provide some level of restriction on gifts, addressing to one degree or another the SEC’s position that gifts can constitute a form of insider trading.[4] A majority (61%) specifically address gifts as being subject to the policy for all covered persons (i.e., prohibiting gifts when an individual subject to the policy is in possession of material nonpublic information (“MNPI”) and/or applying window periods and/or pre-clearance restrictions to gifts),[5] although a handful of companies (8%) restrict gifts only if the donor has reason to believe the donee will sell while the donor has MNPI. Of the policies that do not apply gift restrictions to all employees, a majority restrict gifts only for certain covered persons that are subject to additional restrictions, such as blackout periods and/or pre-clearance procedures.
Option Exercises. A majority of the policies (69%) exempt exercises of options when there is no associated sale on the market; however, exercises of options where there is a sale of some or a portion of shares delivered upon exercise (e.g., cashless broker exercise) are typically treated like any other sale. Of this group, approximately a quarter of the policies specifically provide that withholding of shares for tax withholding purposes is exempt, and a smaller minority of policies provide that withholding of shares for tax withholding purposes and/or the payment of exercise price is exempt.
Vesting and Settlementof Other Equity Awards. A majority of the policies (59%) exempt vesting and settlement of equity awards, such as RSUs and restricted stock, and 51% of the policies specifically provide that withholding of shares for tax purposes (i.e., net share settlement) is exempt.

IV. Transactions in Other Company Securities

Nearly all policies (96%) specifically include some form of restriction on trading in the securities of another company when the person is aware of MNPI about that company or its securities. A significant majority of the policies (82%) prohibit trading in the securities of another company when the person is aware of MNPI about such company that was learned in the course of or as a result of the covered person’s employment or relationship with the company. The rest apply the prohibition more broadly to trading in the securities of another company while aware of MNPI about that company, without specifically addressing how the information was learned. Of the 82%, a minority tailor the prohibition to apply only to trading in the securities of another company that has some sort of a business relationship with the company (e.g., customers, vendors, or suppliers) or that is engaged in a potential business transaction with the company, and a smaller subset of these policies also include a specific reference to “competitors” in this prohibition.

V. Blackout Periods and Preclearance Procedures

Persons subject to quarterly blackout periods. A significant majority of the policies (88%) subject directors, executive officers and a designated subset of employees to regular quarterly blackout periods, with a few policies applying two different blackout periods to different groups of employees. Although the groups of persons (other than directors and executive officers) who are subject to quarterly blackout periods tend to be company-specific, most of the policies identify the “restricted persons” to include employees by title (e.g., all Vice Presidents or higher) and/or by department or role (e.g., all officers in accounting, financial planning and analysis, investor relations, legal and finance departments, etc.) as well as other employees who have been identified as having access to systems that have MNPI. Some policies take a less specific approach and identify restricted persons as those who are designated as such by the officer administering the insider trading policy. A minority of the policies (6%) subject all covered persons under the policy to quarterly blackout periods.
Start and end of quarterly blackout periods. The start date of the quarterly blackout periods ranges from quarter end to four weeks or more prior to quarter end. Under almost half of the policies (45%), the quarterly blackout periods start approximately two weeks prior to quarter end, 14% start the blackout periods three to four weeks prior to quarter end, and 18% start four weeks or more prior to quarter end. A significant majority of the policies (76%) end the quarterly blackout periods one to two full trading days after the release of earnings, with more policies ending after one trading day (51%) than two trading days (24%).[6] Additionally, nearly all policies specifically state that from time to time the company may implement additional special blackout periods.
Preclearance procedures. Nearly all policies require that certain covered persons must preclear their transactions with the appropriate officer administering the insider trading policy prior to execution. There is, however, variation in the persons subject to preclearance procedures—for 65% of the policies, the preclearance persons are a subset of the persons subject to blackout periods, while for a minority of the policies (29%), they are the same as the persons subject to the blackout periods. Of the 65% of the policies, a minority (38%) require preclearance only from the company’s directors and executive officers.[7] Regardless of scope, nearly all of the policies provide that directors and executive officers are subject to preclearance procedures.

VI. Special Prohibitions Under the Insider Trading Policies

All of the policies prohibit or otherwise restrict certain types of transactions regardless of whether they involve actual insider trading, in some cases stating that such transactions present a heightened risk of securities law violations or the potential appearance of improper or inappropriate conduct. The most common prohibitions addressed: hedging transactions (96%);[8] speculative transactions (96%); pledging securities as collateral for a loan (90%); and trading on margin or holding securities in margin accounts (82%). Although a significant majority of the policies apply the prohibition on hedging and speculative transactions to all persons subject to the policy, prohibitions on pledging and/or margin trading/accounts are sometimes limited to sub-categories of persons subject to the insider trading policies (39% and 27%, respectively): for instance, some policies apply the prohibition only to directors and executive officers or persons subject to quarterly blackout periods and/or preclearance procedures.[9]

A significant majority of the policies do not specifically address standing or limit orders or short-term trading, but of the ones that do, a significant majority take the approach of discouraging such transactions rather than strictly prohibiting them. Even where standing or limit orders are not strictly prohibited, some policies require that such orders be cancelled if the person becomes aware of MNPI (or prior to the start of a blackout period, if applicable). A few policies prohibit standing or limit orders if they go beyond a specified duration.

VII. Rule 10b5-1 Plans

All of the policies address the availability of Rule 10b5-1 plans. A significant majority of the policies (86%) do not set forth restrictions on who can enter into a Rule 10b5-1 plan so long as approval and other requirements are met, but a minority of the policies (12%) limit the use of 10b5-1 plans to directors and designated officers. A small minority of the policies (6%) require directors and designated officers to trade only pursuant to Rule 10b5-1 plans.

All of the policies require that Rule 10b5-1 plans be approved prior to adoption, but the policies tend to vary in approach when describing the guidelines for entering into Rule 10b5-1 plans (or modifying or terminating them). A significant majority (71%) of the policies describe the specified conditions under the SEC rules for a plan to qualify as a Rule 10b5-1 plan, although some do so in a more streamlined manner than others. Of these policies, a majority include Rule 10b5-1 plan requirements within the body of the policy, although a minority do so in an appendix and one company filed the plan guidelines as a separate exhibit. A minority of the policies (29%) do not describe the specified conditions under Rule 10b5-1, but provide a general statement regarding the affirmative defense from insider trading liability under the securities laws for transactions under a compliant Rule 10b5-1 plan and refer covered persons to the officer administering the policy for more information and guidelines on how to establish such a plan.

VIII. Policies Addressing Company Transactions

As noted above, Item 408(b) of Regulation S-K requires a public company to disclose whether it has adopted insider trading policies and procedures governing transactions in company securities by the company itself, and, if so, to file the policies and procedures, or if not, to explain why. Of the 23 S&P 500 companies subject to Item 408(b) that filed a Form 10-K and proxy statement prior to June 30, 2024, a significant majority (78%) did not address insider trading policies or procedures governing companies’ transactions in their own securities.[10] Of the ones that did, most included a brief sentence or two about the company’s policy of complying with applicable laws in trading in its own securities. Only one company in our surveyed group filed a company repurchase policy as a separate exhibit.

IX. Filing Practices Regarding Related Policies or Documents

A significant majority (88%) of the companies filed only a single insider trading policy and no other related policies or documents (even where they referenced other related policies in their insider trading policy).[11] In the few cases where multiple policies were filed, they appear to be supplemental guidelines/policies covering topics not generally applicable to all employees (e.g., trading windows, preclearance, 10b5-1 plans).

* * * *

We will continue to monitor public company filings of insider trading policies and procedures and expect to update our survey in early 2025 once calendar year-end companies’ Forms 10-K are on file, as we expect disclosure and filing practices to evolve as companies go through the first full year of complying with the new Item 408(b) disclosure and filing requirements.

[1]See Items 408(b) and 601(b)(19) of Regulation S-K, adopted by the SEC in connection with the Rule 10b5-1 amendments in December 2022. If a company has not adopted such policies and procedures, it is required to explain why it has not done so. Disclosure about the adoption (or not) of policies or procedures must appear in a company’s proxy statement (and must also be included in, or incorporated by reference to, Part III of a company’s Form 10-K), whereas the policies and procedures are to be filed as exhibits to the company’s Form 10-K.

[2] This group of 49 S&P 500 companies includes 23 companies that made Item 408(b) disclosures and 26 companies that were not subject to the disclosure requirements but voluntarily filed their insider trading policies and procedures with a Form 10-K filed prior to June 30, 2024.

[3] A minority of policies also include other service providers specific to their businesses.

[4] See Final Rule: Insider Trading Arrangements and Related Disclosures, Release No. 33-11138 (Dec. 14, 2022). In its adopting release, the SEC stated its view that the terms “trade” and “sale” in Rule 10b5-1 include bona fide gifts of securities and that gifts can be subject to Section 10(b) liability, since the Securities Exchange Act of 1934 does not require that a “sale” be for value and instead provides that the terms “sale” or “sell” each include “any contract to sell or otherwise dispose of.”

[5] A small minority of these policies also provide certain exceptions for gifts, including gifts to family members and/or controlled entities that are already subject to the policy, or exceptions on a case by case basis.

[6] Some policies use business days instead of trading days, but many policies do not define either term. We treated them as the same for purposes of our data analysis.

[7] The remaining 6% includes two policies that do not address preclearance procedures and one policy which is unclear.

[8] Item 407(i) of Regulation S-K requires companies to disclose practices or policies they have adopted regarding the ability of employees (including officers) or directors to engage in certain hedging transactions.

[9] A few policies allow for exceptions, subject to preclearance.

[10] For the purposes of this survey, we limited our review to Exhibit 19 filings and did not review the companies’ disclosures in the body of the proxy statement or Form 10-K addressing Item 408(b)(1) of Regulation S-K.

[11] Under Regulation S-K Item 408(b)(2), if all of a company’s insider trading policies and procedures are included in its code of ethics that is filed as an exhibit to the company’s Form 10-K, that satisfies the exhibit requirement. However, many companies do not file their code of ethics and instead rely on one of the alternative means of making the code available allowed under S-K Item 406(c)(2) and (3).

The following Gibson Dunn lawyers assisted in preparing this update: Aaron K. Briggs, Thomas Kim, Brian Lane, Julia Lapitskaya, James Moloney, Ronald Mueller, Michael Titera, Lori Zyskowski, and Stella Kwak.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. To learn more, please contact the Gibson Dunn lawyer with whom you usually work, or any leader or member of the firm’s Capital Markets or Securities Regulation and Corporate Governance practice groups: