All communications between EU-qualified external lawyers and their clients benefit from Legal Professional Privilege

In a recent judgment, the European Court of Justice underlined the importance of Legal Professional Privilege in the EU and expanded its scope and nature as compared to the previous situation. The judgment underlines the importance of the fundamental right of respect of communications between a client and their lawyer, and provides reassurance to companies that irrespective of their scope or nature, such communications do not need to be provided to public authorities.

The background to the dispute

The case in question relates to EU legislation (Directive 2011/16/EU) that requires all intermediaries involved in potentially aggressive cross-border tax-planning that might lead to tax avoidance and evasion to report relevant practices to the competent tax authorities. The obligation also covers those who provide advice in that regard, although each EU Member State may grant lawyers (“lawyer-intermediaries”) a waiver from that obligation where it would breach Legal Professional Privilege (LPP) protected under national law. In such a situation, the lawyer-intermediary must nevertheless notify other intermediaries or the relevant taxpayer of their reporting obligations under the relevant legislation.

On that basis, the Flemish decree which transposed the Directive outlined that a lawyer-intermediary must inform other intermediaries that he or she could not fulfil the relevant reporting obligations him- or herself. Two lawyers’ professional organizations argued in front of the Belgian Constitutional Court that by providing even this information, lawyer-intermediaries would breach LPP. The European Court of Justice (ECJ) ruled on this issue on 8 December 2022 in response to a request for guidance from the Belgian Constitutional Court.

The ECJ judgment

The judgment first outlines a number of general principles about the sanctity of communications between lawyers and clients and the nature of LPP itself, even though this was not in itself the subject matter of the request for guidance from the Belgian Constitutional Court. It invokes both the EU Charter of Fundamental Rights and the case-law of the European Court of Human Rights to highlight:

  • the confidentiality of correspondence between individuals and the strengthened protection in that regard to exchanges between lawyers and their clients;
  • that such protection covers not only the activity of defence but also legal advice;
  • the secrecy of such legal consultation must be guaranteed, both with regard to its content and to its existence;
  • individuals who consult a lawyer must therefore have a legitimate expectation that their lawyer will not disclose to anyone, without their consent, that they are being consulted.

Against this backdrop, the judgment goes on to answer the specific request for guidance in relation to the Directive. It holds that the obligation for a lawyer to notify other intermediaries of their obligations under the Directive is in itself an interference with the fundamental right of respect of communications between lawyer and client, because those other intermediaries become aware of the identity of the notifying lawyer-intermediary, of their assessment that the arrangement at issue is reportable and of their having been consulted in connection with the arrangement.

Since even fundamental rights are not absolute, the judgment then assesses whether such interference is justified in terms of whether it is necessary to achieve a general interest. It holds that the interference is not strictly necessary, inter alia because the reporting obligation of the Directive is clear and already applies to all relevant intermediaries without it being necessary for a lawyer to be involved.

The Court therefore holds that the obligation to notify set out in the Directive infringes the fundamental right of respect for communications between a lawyer and their client.

Implications of the judgment

Beyond the specific subject-matter of the case, the judgment is significant because of the importance it attaches to LPP and the expansion of its scope and nature. These issues were not the specific subject-matter of the request for guidance from the Belgian Constitutional Court and so it is noteworthy that the ECJ, sitting in its Grand Chamber composition, sought to highlight them. By importing provisions from the EU Charter of Fundamental Rights and jurisprudence of the European Court of Human Rights, the judgment significantly expands the nature of LPP in the EU. Under the previous case-law (e.g. the AM&S and Akzo cases), LPP covered only communications relating to the defence of a client or earlier communications related to the subject-matter of the investigation. In practice, this raised questions about which pre-investigation communications could benefit from LPP.

The judgment means that this question is now moot – there is no longer any potential temporal or subject-matter limitation to the notion of LPP in the EU since all communications between lawyers and clients are presumed to benefit from such protection. In practice therefore, clients will no longer be subject to any uncertainty about whether and if so which lawyer-client communications benefit from LPP in the EU. Clients continue to need to be aware that in the EU, in contrast to the situation in the United States, communications with in-house lawyers are not deemed to benefit from LPP and only EU-qualified lawyers benefit from LPP under the EU rules.


The following Gibson Dunn lawyers prepared this client alert: Nicholas Banasevic* and Christian Riis-Madsen.


*Nicholas Banasevic is Managing Director in the firm’s Brussels office and an economist by background. He is not an attorney and is not admitted to practice law.

© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

The U.K. Financial Conduct Authority (the “FCA”) Final Notice against Julius Baer International Limited (“JBIL”)[1], including the imposition of a fine of more than £18 million, marks the latest in a series of enforcement actions against FCA authorised firms relating to failings in arrangements with third party intermediaries. In this alert, we draw out the key themes from those enforcement actions, highlighting particular areas of FCA concern and focus, and set out some practical steps that firms can take so as not to fall foul of regulatory requirements and expectations.

The JBIL Final Notice

JBIL, an investment advisory and wealth management firm, was found by the FCA to have failed to conduct its business with integrity, failed to take reasonable care to organise and control its affairs and failed to be open and cooperative with the FCA.[2]  The finding, in particular, that JBIL failed to act with integrity stands out, with there being very few cases where the FCA has considered that there has been a breach of Principle 1 of its Principles for Businesses.[3]

The FCA concluded that JBIL facilitated finder’s arrangements between Bank Julius Baer (“BJB”) and an employee (the “Finder”) of a number of holding companies incorporated in various jurisdictions which owned the residual non-Russian assets of a Russian oil group (the “Client Group Companies”). Under these arrangements, BJB paid finder’s fees to the Finder for introducing Client Group Companies to Julius Baer. This was done on the understanding that the Client Group Companies would then place large cash sums with Julius Baer from which Julius Baer could generate significant revenues.

In particular, uncommercial FX transactions were made in which the Client Group Companies were charged far higher than standard rates, with the profits being shared between the Finder and Julius Baer. The Finder received commission payments totalling approximately USD 3m as a result of these arrangements. These fees were improper and together with the uncommercial FX transactions showed a lack of integrity in the way in which JBIL was undertaking this business.

Further, the FCA found that JBIL failed to have adequate policies and procedures in place to identify and manage the risks arising from the relationships between JBIL and finders (external third parties that introduced potential clients to Julius Baer in return for commission). This included having no policies which defined the rules surrounding the use of finders within JBIL until after June 2010. Policies introduced after that date were found to be inadequate.

Finally, JBIL became aware of the nature of these transactions – including the commission payments to the Finder – in 2012 and suspected that a potential fraud had been committed. However, it did not report these matters to the FCA immediately, as required, or at all until July 2014.

Previous FCA enforcement action against other firms

As noted above, the JBIL Final Notice follows a number of Final Notices imposed on other firms by the FCA. These range from Final Notices for not taking reasonable care to establish and maintain effective systems and controls for countering the risks of bribery and corruption associated with making payments to overseas third parties who assisted in winning business from overseas clients, to a Final Notice issued earlier this year relating to, broadly, the third-party introducers it used in its insurance business and bribes being made by such persons.

Key themes

(1) Policies and procedures

One recurring theme from the Final Notices is that the firms had failed to ensure that they had adequate policies and procedures in place to identify and manage the risks of using the third party intermediaries. For example, prior to 11 June 2010, there were no policies which defined the rules and guidelines to be adopted in respect of the use of finders within the Julius Baer group or JBIL. After that date, JBIL relied on BJB policies and procedures in relation to finders, which were inadequate, and other entities within the Julius Baer group were responsible for managing and overseeing key aspects of finder relationships, including the contractual terms and payment of fees.  As a result, JBIL failed to ensure that it identified and managed potential conflicts of interests, both between finders and its clients and between the Julius Baer group and its clients.  JBIL also failed to ensure that clients were properly informed of its arrangements with finders and consented to any payments made to finders.  A particular similarity between the JBIL Final Notice and previous Final Notices is that firms have had an over-reliance on group procedures, which were not, on their own, sufficient.  Firms should, therefore, be cognisant of their own regulatory responsibilities and not simply follow a group-wide policy without ensuring that the policies appropriately cover their own activities.

(2) Systems and controls

Principle 3 requires a firm to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. In the JBIL Final Notice, it was determined that the conduct of the relationship with the Client Group Companies highlighted serious issues with JBIL’s control environment.  Amongst other things, the FCA found that JBIL: (i) did not have a sufficient understanding of the relationships between finders and introduced clients to enable it to identify potential conflicts of interests and did not have sufficient information or oversight to identify any other risks that might arise from relationships with finders; (ii) was not able to take steps adequately to monitor or control the risks arising from relationships with finders, or to assess whether it was appropriate for Julius Baer to maintain such relationships at all; and (iii) was not able to and did not control the disclosure of relationships with finders to clients.

Interestingly, in the JBIL Final Notice and previous Final Notices, the FCA has been critical of the firms in question for not having taken into account relevant key publications produced by the FCA that should have served as a warning and guidance to them. For example, in the JBIL Final Notice, the FCA specifically referred to the “financial crime risks presented by firms’ use of Finders [having] been highlighted by the Authority in publications and enforcement action against firms including Aon (6 January 2009), Willis (21 July 2011) and Besso (17 March 2014)”.  This is a clear message that firms should be monitoring the publication of relevant guidance by the FCA and seeing if any lessons can be learned from enforcement action against other market participants.

Another recurring theme of the Final Notices in this space has been what the FCA perceives as inadequate governance, including that the manner in which risks (including those relating to financial crime) were presented to certain committees did not enable them to assess the risks holistically, and that relevant risks and issues were not appropriately escalated to control functions. It is vital, therefore, that firms ensure: (i) the flow of appropriate MI to the relevant committees; (ii) that such information is properly scrutinised and, where necessary, challenged; (iii) that individuals with appropriate skills and experience are sitting on the Board or relevant committees; and (iv) that individuals holding important roles such as the MLRO function are at a sufficiently senior level.

(3) Communicating with the FCA

It is interesting to contrast the views of the FCA on how JBIL and other firms have communicated with it prior to and throughout the enforcement process. In the JBIL Final Notice the FCA noted that “[on] 22 May 2014, [JBIL] reported potential acts of bribery and corruption to UK law enforcement. It referred to payments made by BJB to [the Finder] in finder’s fees and stated that the payments may have been tainted by a ‘scheme’ by [the Finder] and [another individual], to defraud the [Client] Group Companies of money. [JBIL] informed the [FCA] of this on 7 July 2014”. Whilst firms will always want to take time to establish the facts before reporting potential issues to regulators, care must be taken to avoid overly long delay. In this case, the FCA highlighted the gap between the date of internal escalation of serious concerns and the date on which the FCA were notified of the issue: “The [FCA] expects to be notified of allegations of financial crime immediately and should have been promptly informed about the concerns raised on 30 November 2012”.

By contrast, in other Final Notices, the FCA has acknowledged the assistance that firms have provided to it during its investigation when coming to the amount of the fine issued.  Firms should, therefore, give great consideration to how and when they communicate with the FCA. This is particularly important in the context of ensuring that firms appropriately comply with their Principle 11 notification obligations.

Practical steps

We set out below a table of examples of “good” and “poor” practice that should assist firms in their approach to ensuring they are complying with FCA expectations in the context of relationships with third party intermediaries, primarily viewed through an anti-bribery and corruption lens. It is informed by the FCA’s guidance in Chapter 13 of its “Financial Crime Thematic Reviews” guide.

Governance

Examples of “good practice”:

  • Clear, documented responsibility for anti-bribery and corruption apportioned to either a single senior manager or a committee with appropriate terms of reference and senior management membership, reporting ultimately to the Board.
  • Regular and substantive MI to the Board and other relevant senior management forums, including: an overview of the bribery and corruption risks faced by the business; systems and controls to mitigate those risks; information about the effectiveness of those systems and controls; and legal and regulatory developments.
  • Where relevant, MI includes information about third parties, including (but not limited to) unusually high commission paid to third parties.

Examples of “poor practice”:

  • Failing to establish an effective governance framework to address bribery and corruption risk.
  • Failing to allocate responsibility for anti-bribery and corruption to a single senior manager or an appropriately formed committee.
  • Little or no MI sent to the Board about bribery and corruption issues, including legislative or regulatory developments, emerging risks and higher risk third-party relationships or payments.

Assessing bribery and corruption risk

Examples of “good practice”:

  • The firm takes adequate steps to identify the bribery and corruption risk. Where internal knowledge and understanding of corruption risk is limited, the firm supplements this with external expertise.
  • Risk assessment is a continuous process based on qualitative and relevant information available from internal and external sources.
  • Firms consider the potential conflicts of interest which might lead business units to downplay the level of bribery and corruption risk to which they are exposed.
  • The bribery and corruption risk assessment informs the development of monitoring programmes; policies and procedures; training; and operational processes.

Examples of “poor practice”:

  • The risk assessment is a one-off exercise.
  • Efforts to understand the risk assessment are piecemeal and lack coordination.
  • Risk assessments are incomplete and too generic.
  • Firms do not satisfy themselves that staff involved in risk assessment are sufficiently aware of, or sensitised to, bribery and corruption issues.

Policies and procedures

Examples of “good practice”:

  • The firm clearly sets out the behaviour expected of those acting on its behalf.
  • The team responsible for ensuring the firm’s compliance with its anti-bribery and corruption obligations engages with the business units about the development and implementation of anti-bribery and corruption systems and controls.
  • There should be an effective mechanism for reporting issues to the team or committee responsible for ensuring compliance with the firm’s anti-bribery and corruption obligations.

Examples of “poor practice”:

  • The firm has no method in place to monitor and assess staff compliance with anti-bribery and corruption policies and procedures.
  • Staff responsible for the implementation and monitoring of anti-bribery and corruption policies and procedures have inadequate expertise on bribery and corruption.

Third party relationships and due diligence

Examples of “good practice”:

  • Where third parties are used to generate business, these relationships are subject to thorough due diligence and management oversight.
  • Third-party relationships are reviewed regularly and in sufficient detail to confirm that they are still necessary and appropriate to continue.
  • There are higher, or extra, levels of due diligence and approval for high risk third-party relationships.
  • There is appropriate scrutiny of, and approval for, relationships with third parties that introduce business to the firm.
  • The firm’s compliance function has oversight of all third-party relationships and monitors this list to identify risk indicators, such as a third party’s political or public service connections.
  • Evidence that a risk-based approach has been adopted to identify higher risk relationships in order to apply enhanced due diligence.
  • Enhanced due diligence procedures include a review of the third party’s own anti-bribery and corruption controls.
  • Inclusion of anti-bribery and corruption-specific clauses and appropriate protections in contracts with third parties.
  • Providing good quality, standard training on anti-bribery and corruption for all staff.

Examples of “poor practice”:

  • A firm using intermediaries fails to satisfy itself that those businesses have adequate controls to detect and prevent staff using bribery or corruption to generate business.
  • The firm fails to establish and record an adequate commercial rationale for using the services of third parties.
  • The firm is unable to produce a list of approved third parties, associated due diligence and details of payments made to them.
  • There is no checking of compliance’s operational role in approving new third-party relationships and accounts.
  • A firm assumes that long-standing third-party relationships present no bribery or corruption risk.
  • A firm relies exclusively on informal means, such as staff’s personal knowledge, to assess the bribery and corruption risk associated with third parties.
  • No prescribed take-on process for new third-party relationships.
  • A firm does not keep full records of due diligence on third parties and cannot evidence that it has considered the bribery and corruption risk associated with a third-party relationship.

__________________________

[1] https://www.fca.org.uk/publication/final-notices/julius-baer-international-limited-2022.pdf.

[2] The FCA also published decision notices for three connected individuals (available here).

[3] The most recent instance prior to this was the Coverall Worldwide Ltd Final Notice in 2016: https://www.fca.org.uk/publication/final-notices/coverall-worldwide-ltd.pdf.


Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact the Gibson Dunn lawyer with whom you usually work, any member of Gibson Dunn’s Global Financial Regulatory team, or the following authors in London:

Michelle M. Kirschner (+44 (0) 20 7071 4212, mkirschner@gibsondunn.com)
Matthew Nunan (+44 (0) 20 7071 4201, mnunan@gibsondunn.com)
Martin Coombes (+44 (0) 20 7071 4258, mcoombes@gibsondunn.com)
Chris Hickey (+44 (0) 20 7071 4265, chickey@gibsondunn.com)


On November 21, 2022, Governor Hochul signed into law Bill A8092B, which amends the New York Labor Law (“NYLL”) to provide a new potential claim for employees who are retaliated against for taking lawful absences from work.  The amendments also expressly prohibit employers from using “no-fault” attendance policies that penalize employees for taking protected absences.  The new provisions of NYLL will be effective on February 20, 2023.

New Anti-Retaliation Provisions

When effective, the NYLL will prohibit employers from discharging, threatening, penalizing, discriminating or retaliating against an employee “because such employee has used any legally protected absence pursuant to federal, local, or state law.”  Legally protected absences include absences taken pursuant to federal and state leave laws, such as the Family and Medical Leave Act (“FMLA”), the New York State and City Paid Sick Leave Laws, and the New York State Paid Family Leave Law.

The amendments will also restrict New York employers from maintaining “no-fault” attendance policies whereby an employer assigns “points” to employees for certain absences and imposes disciplinary action against employees who reach a certain number of points.  The amended law expressly prohibits employers from imposing “any demerit, occurrence, any other point, or deductions from an allotted bank of time, which subjects or could subject an employee to disciplinary action, which may include but not be limited to failure to receive a promotion or loss of pay” when an employee takes a protected leave.  This effectively prohibits no-fault attendance policies in New York to the extent that a policy penalizes employees for absences covered by an applicable leave law.

Legal Landscape

Employers are already prohibited from penalizing employees for taking protected leave under many statutes that are covered by these amendments to the NYLL.  For example, the U.S. Department of Labor and some courts have interpreted the FMLA to prohibit employers from assessing points under no-fault attendance policies for FMLA-protected leave.  See Woods v. START Treatment & Recovery Centers, Inc., 864 F.3d 158 (2d Cir. 2017).  Moreover, the New York City Sick Leave Law specifically prohibits the “maintenance or application of an absence control policy that counts safe and sick leave as an absence that may lead to or result in an adverse action.”

New York legislators have nevertheless expressed concern that these existing protections are not sufficient to curb employers’ use of no-fault attendance policies in a manner that penalizes employees for taking protected leave.  This law therefore aims to “make clear” that the practice of assessing points for any leave taken pursuant to applicable law is not permitted.

In addition to reinforcing existing law, these amendments allow employees to pursue claims against employers for retaliation for taking leave under any applicable leave law.  For example, whereas the New York Paid Family Leave Law and the New York City Sick Leave Law only allow for administrative enforcement, the NYLL contains a private cause of action that allows employees to seek back pay, front pay, reinstatement, and/or liquidated damages when employees experience retaliation related to protected leaves.

The amendments will also permit the State to impose higher fines for violations of the anti-retaliation provisions of leave laws.  For example, employers that violate the New York City Sick Leave Law may be fined up to $2,500 for each violation.  Under the amended NYLL, the State Department of Labor is authorized to impose fines of up to $10,000 for initial violations (and up to $20,000 for subsequent violations) of the same anti-retaliation prohibitions.

Key Takeaways for Employers

In light of the impending amendments, New York employers should review their policies – and revise them if necessary – to ensure they do not penalize employees for taking protected leave.  Companies that currently utilize no-fault policies might also wish to train managers and HR personnel to ensure compliance with this new law.


The following Gibson Dunn attorneys assisted in preparing this client update: Harris Mufson, Alex Downie, and Mimra Aslaoui.


Senator Kyrsten Sinema (I-AZ) announced on December 9, 2022, that she would change her party registration from the Democratic Party to Independent. In an interview with CNN’s Jake Tapper, she explained: “I know some people might be a little bit surprised by this, but actually, I think it makes a lot of sense.” Elaborating in an op-ed in the Arizona Republic, Senator Sinema declared that she “never fit in perfectly with either national party,” and pledged “to continue doing exactly what I promised—to be an independent voice for Arizona.”

As a result of the party switch, the question arises whether Senate Democrats will have 51 seats in the Senate (technically 48 Democrats and three Independents who caucus with the Democrats) as expected after the Georgia runoff. The answer is that Senator Sinema’s switch does not necessarily change the Senate’s voting math. Below, we explain what may have motivated Senator Sinema to identify as an Independent and how her switch impacts the Senate’s business going forward. In short, Senator Sinema’s switch likely won’t impact the Democrats’ narrow control of the Senate.

Background on Senator Sinema’s Party Switch

Senator Sinema’s party switch—timed to be announced after Senator Raphael Warnock’s (D-GA) runoff victory in Georgia—likely has to do with the changing politics in Arizona and Senator Sinema’s attempt to secure her own re-election in 2024. It may be an attempt to thread the needle of maintaining political support from Senate Democrats’ campaign resources while heading off a party primary challenge from the progressive left.

Democratic Primary:

Senator Sinema’s decision likely turned on concerns about a strong primary challenger from within the Democratic Party, bolstered by concerns that her recent votes have motivated the party’s campaign arm to throw its support behind a challenger. Recent polling suggests that Senator Sinema’s next primary race may be a close one, as her numbers have steadily declined with Democrats in her home state. No candidates have formally announced challenges to Senator Sinema, but Phoenix-area Representative Ruben Gallego (D-AZ) has been publicly forecasting a primary run for some time.

By leaving the Democratic Party, Senator Sinema avoids a primary challenge and possibly puts herself in a three-way general election in November 2024. The assumption may be that positioning herself as an “Independent,” rather than a Democrat, may allow her to fare better with Republican and Democratic voters in a general election and force Democrats to support her campaign. But it also runs the risk that a three-way race may lead to a Republican being elected senator from Arizona in 2024. Indeed, by abandoning the Democratic Party, a question arises whether Senator Sinema will further alienate the voters that used to be her base. And the National Democratic Party will have a decision to make on whether to support a “Democrat” in the 2024 Arizona Senate election or to back Senator Sinema. But backing Senator Sinema could upset the Democratic base who may or may not turn out to support an “Independent” and cost Democrats a U.S. Senate seat in Arizona.

Arizona:

Demographic changes and shifting ideological blocs have redrawn the map of Democratic focus—and no state perhaps better exemplifies that shift than Arizona. The state has become a critical focus for Democrats in recent years. Arizona is the most recent Sun Belt state to morph from a solidly red state to a critical purple pickup for Democrats—beginning with Senator Sinema’s own narrow defeat of then-sitting Senator Martha McSally in 2018. That victory marked Democrats’ first win of an open Arizona Senate seat since 1976, and signaled to national party leadership, per the New York Times, “a remarkable shift in Arizona’s political landscape,” after the state had been a “Republican bastion for decades.”[1]

Democrats’ strategic reorientation towards Arizona has already paid dividends. This midterm cycle, Democrats invested major talent and resources to successfully protect an endangered Senate seat, as Senator Mark Kelly (D-AZ) kept the seat he won in 2020’s special election, and even more remarkably for the once solidly-red state, picked up a governorship with the election of Secretary of State Katie Hobbs (D-AZ), with whom Senator Sinema has maintained a close relationship for years.

Senator Sinema no doubt understands these changes and the need to appeal to Independents and moderate Republicans in her state. Indeed, more than a third of Arizona’s voters identify as “other” and Republicans outnumber Democrats by more than 166,000.

Party Resources:

Senator Sinema’s move will have major consequences for continued party investments in Arizona, especially in her upcoming reelection bid. Party leadership could choose to 1) continue to back Senator Sinema, as they do with Maine’s Independent Senator Angus King, 2) sit back and watch or 3) actively support a Democratic challenger. Now that she’s formally renounced her party membership, at least nominally, the Democratic Senatorial Campaign Committee (DSCC), Senate Majority PAC, and other party campaign instruments may not support her in 2024, or choose to invest resources in a party challenger instead. However, the fact that Senate Democratic leadership is not seeking to punish Senator Sinema for her switch may suggest that—at least as of now—the DSCC is likely to back her again in 2024.

Independents have traditionally faced an uphill battle in national politics—from fundraising to organizing to marshalling the support of elected officials—that Senator Sinema herself is likely familiar with (the now-U.S. Senator ran for the Arizona House of Representatives as an Independent and lost). While Senator Sinema is known as a strong fundraiser, the DSCC standing back would mean “she would lack party resources—like a ground game—that are critical for voter turnout, particularly in a sprawling state like Arizona.”

As described above, by positioning herself as an Independent, Senator Sinema is betting that the Democratic Party will eventually support her, but if she loses that bet and the Party supports a “Democrat” and not her, she runs the risk of allowing a Republican to win the Senate race.

Personal Brand:

Senator Sinema actively practices bipartisanship, from friendships with Republican senators to playing a key role in advancing bipartisan legislation to President Biden’s desk this Congress. Her commitment to bipartisanship may also have motivated her party switch decision. In her op-ed explaining her decision, Senator Sinema wrote, “[i]n catering to the fringes, neither party has demonstrated much tolerance for diversity of thought. Bipartisan compromise is seen as a rarely acceptable last resort, rather than the best way to achieve lasting progress.” 

These words are consistent with Senator Sinema’s past positions since she ran for the U.S. Senate. From her first election to the Senate, she has sworn to “be an independent voice for all Arizonans.” In her announcement interview with Tapper, she reiterated: “I’ve never fit neatly into any party box. Removing myself from the partisan structure—not only is it true to who I am and how I operate, I also think it’ll provide a place of belonging for many folks across the state and the country, who also are tired of the partisanship.”

Even before running for the Senate, Senator Sinema has done things her own way, from the beginnings of her career as a Green Party activist to more recent moves sending Democrats in the Senate back to the drawing board to gain her support for key legislation. Once a staffer on Ralph Nader’s 2000 presidential campaign, Senator Sinema has become progressively more moderate as she climbed from a 2004 win in the Arizona House of Representatives to a 2010 Arizona Senate seat, then a 2012 U.S. House of Representatives win. Senator Sinema won each of those races as a Democrat. 

What This Means for the Senate 

To understand the potential importance for the U.S. Senate of Senator Sinema’s switch to being an Independent, one must first understand how the change from a 50-50 Senate to a 51-49 Senate would change the overall dynamics of the institution. The Georgia U.S. Senate runoff led to a 51-49 U.S. Senate, which was supposed to change the chamber and firm up Democratic control in several ways:

  • Establish a real majority in committees. Democrats have chaired Senate committees the past two years, but there was equal representation on committees, which increased the chances of a tie vote that required time-consuming “discharge” votes on the Senate floor. It also meant that Democratic committee chairs could not issue subpoenas without Republican support. As a result, subpoenas were not used by Senate committees in the 117th Congress. With a 51-49 Senate, Democrats would have one more member than Republicans on all committees, ensuring legislation and nominees would advance if all Democratic caucus members stick together. Democrats would now also have a larger budget and bigger staffs.
  • Advancing judicial and executive nominations. For the last two years, with a 50-50 Senate, Republicans were able to slow down the nominations process since the committees had equal representation. If a tie vote occurred in committee, the full Senate must first vote to bring the nomination to the Senate floor and then vote on the nomination itself. Now, with a 51-49 Senate, a Democratic-controlled Senate may be able to more quickly advance nominations through the confirmation process and have more cushion to deal with absences at full Senate confirmation votes on nominees.
  • Manchin and Sinema influence. With Democrats having a 51-seat majority in the U.S. Senate, one theory is that Senators Joe Manchin (D-WV) and Sinema would have less influence over the legislative process. While 60 votes are usually required to advance most legislation in the Senate, certain items can pass on a simple majority vote using the budget reconciliation process or for nominations. In a 50-50 Senate, however, that left Democrats no room for defections (or absences), and Senators Manchin and Sinema were at times difficult to win over. With a 51-seat majority, it is more likely that Democrats can pass legislation or nominations without the support of either Manchin or Sinema if all other Democratic Senators are on board.
  • Less reliance on the Vice President to break ties. A 50-50 Senate has been a weight on Vice President Kamala Harris, who has had to limit her travel in order to be available for tiebreaking votes in the Senate. In fact, Vice President Harris has broken 26 ties in the last two years, the most by a Vice President in nearly 200 years. But a 51-49 Senate, after the Georgia runoff, was supposed to lessen the burden on the Vice President, on whom the Senate may rely less to break legislative ties.

The main question in Washington after Senator Sinema’s announced party switch was how her decision would affect Democratic control over the U.S. Senate. In other words, would the Senate in fact still be a 51-49 Senate, or would it effectively go back to being a 50-50 Senate, denying Democrats the benefits they expected after the Georgia runoff victory? While Senator Sinema’s move generated significant news coverage, it is not expected to change the balance of power in the Senate. In an interview with Politico, Senator Sinema herself said, “I don’t anticipate that anything will change about the Senate structure. I intend to show up to work, do the same work that I always do. I just intend to show up to work as an independent.”

In the words of Punchbowl News, “Sinema declared that ‘nothing will change about [her] values or behavior’ in announcing her party switch, and top Democrats seem to have accepted that.” Indeed, both the White House and Majority Leader Chuck Schumer (D-NY) have released conciliatory statements regarding the switch.

Most importantly, while Senator Sinema has declined to publicly say whether she will caucus with Senate Democrats, she has stated explicitly she would not caucus with Republicans. Senator Sinema has also indicated, and Leader Chuck Schumer (D-NY) has confirmed, that she will keep her current committee assignments. As Punchbowl put it, by keeping her committee assignments, “Sinema is effectively caucusing with the Democrats,” even if she does not describe it that way.

The other two Senate Independents, Senators Angus King (I-ME) and Bernie Sanders (I-ME), both consistently vote, caucus with, and hold committee positions with Senate Democrats. At the same time, Senator Sinema has said—unlike Senators King and Sanders—she won’t attend weekly Democratic Caucus meetings (which she rarely did anyway), and isn’t sure whether her desk will remain on the Democratic side of the Senate floor.

Senator Sinema is known for bucking her party and frequently allies with Republicans on various legislative efforts. She is currently engaged in last-minute bipartisan talks with Senator Thom Tillis (R-NC) on an immigration deal that she hopes could pass in the lame duck session.

Nevertheless, a review of her voting record on the Bipartisan Safer Communities Act, the CHIPS and Science Act, the Respect for Marriage Act, and other legislation shows she is farther to the left than the Republican Party on social issues, even if she is farther to the right of Democrats on economic issues. For instance, Senator Sinema has voted with the Democratic Party 93% of the time, and has publicly stated she doesn’t expect her voting record to change after her switch to become an Independent.

Moreover, Senator Sinema has supported every one of President Biden’s judicial nominees—an unlikely position for a Senate Republican—not to mention voting to impeach then-President Donald Trump twice. Underscoring this, a top aide to Minority Leader Mitch McConnell (R-KY) sent a note to lobbyists and supporters after the party switch highlighting Senator Sinema’s liberal voting record.

With Senator Sinema keeping her committee assignments, the day-to-day operation of the Senate is not expected to change. Following Senator Warnock’s reelection in the Georgia runoff, Democrats will hold a majority in the Senate beginning on January 3, 2023, and that will not change. Likewise, even with Senator Sinema’s switch, Democrats will be a majority on Senate committees—unlike in the current Congress, in which committees are tied. This means Senate Democrats will be able to move nominations more quickly, advance party legislative priorities out of committees with greater ease, and issue subpoenas without Republican support. Moreover, the Vice President will be needed less often to break tie votes.

_______________________________

[1] Senator Sinema’s 2018 victory was particularly noteworthy in a midterm Senate cycle that saw the end of much of the caucus’s moderate wing—Senators Joe Donnelly (D-IN), Heidi Heitkamp (D-ND), and Claire McCaskill (D-MO) each lost their seats after multiple terms in the Senate.


The following Gibson Dunn attorneys assisted in preparing this client update: Michael D. Bopp, Roscoe Jones, Jr., Daniel P. Smith, Amanda Neely, Wynne Leahy, and Alex Boudreau.

Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn lawyer with whom you usually work or the following lawyers in the firm’s Congressional Investigations or Public Policy practice groups:

Michael D. Bopp – Chair, Congressional Investigations Group, Washington, D.C. (+1 202-955-8256, mbopp@gibsondunn.com)

Roscoe Jones, Jr. – Co-Chair, Public Policy Group, Washington, D.C. (+1 202-887-3530, rjones@gibsondunn.com)

Amanda H. Neely – Washington, D.C. (+1 202-777-9566, aneely@gibsondunn.com)

Daniel P. Smith* – Washington, D.C. (+1 202-777-9549, dpsmith@gibsondunn.com) 

*Daniel P. Smith is admitted only in Illinois; practicing under the supervision of members of the District of Columbia Bar under D.C. App. R. 49.

© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Please join us for this 60-minute program. The panel covers key developments to be aware of headed into the 2022 Form 10-K reporting season, including recent SEC rulemaking and comment letters, disclosure trends and other developments.



PANELISTS:

Thomas J. Kim is a partner in the Washington D.C. office of Gibson, Dunn & Crutcher, LLP, where he is a member of the firm’s Securities Regulation and Corporate Governance Practice Group. Mr. Kim focuses his practice on a broad range of SEC disclosure and regulatory matters, including capital raising and tender offer transactions and shareholder activist situations, as well as corporate governance, environmental social governance and compliance issues. He also advises clients on SEC enforcement investigations – as well as boards of directors and independent board committees on internal investigations – involving disclosure, registration, corporate governance and auditor independence issues.

Mike Titera is a partner in the Orange County office of Gibson, Dunn & Crutcher and a member of the Firm’s Securities Regulation and Corporate Governance Practice Group. His practice focuses on advising public companies regarding securities disclosure and compliance matters, financial reporting, and corporate governance. Mr. Titera often advises clients on accounting and auditing matters and the use of non-GAAP financial measures. He also has represented clients in investigations conducted by the Securities and Exchange Commission and the Financial Industry Regulatory Authority. Mr. Titera’s clients range from large-cap companies with global operations to small-cap companies in the pre-revenue phase. His clients operate in a range of sectors, including the retail, technology, pharmaceutical, hospitality, and financial services sectors.

David Korvin is a corporate associate in the Washington, D.C. office of Gibson, Dunn & Crutcher, where he currently practices in the firm’s Securities Regulation and Corporate Governance Practice Group. Mr. Korvin advises public companies and their boards with respect to corporate governance, federal securities, financial reporting and accounting, insider trading, stock exchange, shareholder engagement, ESG and executive compensation matters. Prior to joining Gibson Dunn, Mr. Korvin was an attorney at the Securities and Exchange Commission in the Division of Corporation Finance, where he handled the legal review of Securities Act and Exchange Act filings and served as a member of the Shareholder Proposal Taskforce.


MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour, of which 1.0 credit hour may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit.

Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact CLE@gibsondunn.com to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour.

California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.

On December 7, 2022, President Biden signed into law the “Speak Out Act” (S.B. 4524), which prohibits the enforcement of pre-dispute non-disclosure and non-disparagement clauses in disputes relating to claims of sexual assault or sexual harassment.  Among other things, the Act is intended to combat sexual harassment and assault in the workplace by ensuring that “victims and survivors have the freedom to report and publicly disclose their abuse” so that perpetrators may be held accountable and workplaces may be “safer and more productive for everyone.”  S.B. 4524 § 2.  The Act applies only to non-disclosure and non-disparagement clauses signed before a dispute arises, meaning that it does not prohibit such provisions in settlement or severance agreements.

In light of Congress’s findings that non-disclosure and non-disparagement provisions “can perpetuate illegal conduct by silencing those who are survivors of illegal sexual harassment and assault or illegal retaliation” and “shielding perpetrators and enabling them to continue their abuse,” the Speak Out Act makes such clauses judicially unenforceable in sexual assault or sexual harassment disputes where the conduct is alleged to have violated federal, state, or tribal law.  S.B. 4524 §§ 4(a), 1(6).  The Act applies to disputes alleging nonconsensual sexual acts, nonconsensual sexual contact, or sexual harassment.  Id. §§ 4(a), 1(3)–(4).

A non-disclosure clause is defined as “a provision in a contract or agreement that requires the parties to the contract or agreement not to disclose or discuss conduct, the existence of a settlement involving conduct, or information covered by the terms and conditions of the contract or agreement.”  S.B. 4524 § 3(1).  A non-disparagement clause is defined as a “provision in a contract or agreement that requires 1 or more parties to the contract or agreement not to make a negative statement about another party that relates to the contract, agreement, claim, or case.”  S.B. 4524 § 3(2).

The law does not impact an employer’s right to protect trade secrets or proprietary information.  S.B. 4524 § 4(d).  The Act also does not impact the applicability of state laws governing pre-dispute non-disclosure and non-disparagement clauses to the extent they provide the same or greater protections than the Speak Out Act.  S.B. 4524 § 4(c).

The Speak Out Act follows legislation limiting the enforcement of arbitration clauses in employment agreements for sexual assault and discrimination cases.  The Ending Forced Arbitration of Sexual Assault and Sexual Harassment Act of 2021, enacted in March of 2022, prohibits the enforcement of pre-dispute agreements requiring employees to arbitrate sexual assault or harassment claims.

Notes for Employers

  1. Does Not Prohibit Non-Disclosure and Non-Disparagement Clauses. The Act does not prohibit employers from entering into non-disclosure and non-disparagement provisions with their employees, nor does it prevent employers from enforcing such clauses in most circumstances.  The Act only prevents the enforcement of non-disclosure and non-disparagement provisions in connection with disputes relating to sexual harassment and sexual assault.  (Other federal and state laws and regulations, such as the Defend Trade Secrets Act and SEC Rule 21F-17, may require or provide for carve-outs from such clauses for certain protected whistleblowing activities.)
  2. No Effect On Settlement Agreements. The Act only applies to non-disclosure and non-disparagement agreements “agreed to before the dispute arises.”  S.B. 4524 § 4(a).  The Act therefore does not place any limitations on non-disclosure and non-disparagement agreements reached as part of a settlement of sexual harassment and sexual assault claims.  Note, however, that many states have laws, such as California’s Silenced No More Act (Cal. S.B. 331) and Section 5-336 of the New York General Obligations Law (N.Y. Gen. Oblig. § 5-336), that place limitations on the use of non-disclosure and non-disparagement provisions in settlement agreements.
  3. Not Retroactive. The Act only applies to claims filed after its enactment, and does not affect the enforceability of non-disclosure and non-disparagement clauses in connection with disputes filed before December 7, 2022.  S.B. 4524 § 5.

The following Gibson Dunn attorneys assisted in preparing this client update: Gabrielle Levin and Kelley Pettus.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Labor and Employment practice group, or the following:

Gabrielle Levin – New York (+1 212-351-3901, glevin@gibsondunn.com)

Jason C. Schwartz – Co-Chair, Labor & Employment Group, Washington, D.C.
(+1 202-955-8242, jschwartz@gibsondunn.com)

Katherine V.A. Smith – Co-Chair, Labor & Employment Group, Los Angeles
(+1 213-229-7107, ksmith@gibsondunn.com)


On December 7, 2022, the Legislative Council (“LegCo”) of the Hong Kong Special Administrative Region (“HKSAR”) passed the Anti-Money Laundering and Counter-Terrorist Financing (Amendment) Bill 2022 (“Amended AMLO”) into law. On the same day, the LegCo’s Bills Committee also published a report (“Report”), providing clarification on certain concepts under the Amended AMLO and explaining the postponed timeline for the commencement of the licensing regime for virtual asset service providers (“VASPs”).[1]

In our previous client alert[2], we explained the proposal by the Government of the HKSAR (“Government”) to introduce a licensing regime for VASPs by amending the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615) (“AMLO”). In this client alert, we explain and provide our views on the additional clarification provided on the licensing regime for VASPs, the updated timeline for the commencement of the licensing regime, and next steps.

I. Recap on the Key Proposals Under the Amended AMLO

The Amended AMLO introduces a licensing regime for VASPs, and imposes statutory anti-money laundering and counter-terrorist financing (“AML/CTF”) obligations on VASPs in Hong Kong. Some of the key takeaways are as follows:

  • The operation of a virtual asset (“VA”) service will become a “regulated function”, such that VASPs will, in the future, be required to apply for a licence from the Securities and Futures Commission (“SFC”), before they can operate in Hong Kong.
  • The licensing regime for VASPs is primarily intended to capture the operation of a VA exchange. However, the Government could expand the scope of “VA service” to cover other forms of VA activities, when the Government considers it necessary to do so in the future.
  • The licensing requirements to be imposed on VASPs are likely to be modelled on existing requirements for the SFC’s licensing of regulated activities under the Securities and Futures Ordinance. This includes the fitness and properness requirements, and the requirement for a licensed VASP to have at least two responsible officers.
  • The SFC has discretion to impose a range of licensing conditions on a VASP licensee, including conditions relating to financial resources, risk management policies and procedures, management of client assets, virtual asset listing and trading policies, prevention of market manipulation and abusive activities, avoidance of conflicts of interest, among other requirements that can be imposed by the SFC as a licence condition.
  • Licensed VASPs will be required to comply with existing requirements under the AMLO on customer due diligence and record-keeping, which will be comparable to those applicable to traditional financial institutions.
  • A new enforcement regime applicable to VASPs will be introduced. Under the Amended AMLO it will be a criminal offence to carry on a business of providing VA service without a VASP licence and to issue advertisements relating to an unlicensed person’s provision of VA service. It will also become a criminal offence to make fraudulent or reckless misrepresentations with the intention to induce others to invest in VAs and an offence to employ deceptive or fraudulent device, scheme or act, directly or indirectly, in a transaction involving VAs (which is likely to capture market manipulation activities).
  • Relevantly, the offences of making fraudulent or reckless misrepresentations or employing deceptive or fraudulent devices, schemes or acts, are not limited to transactions on licensed VASPs and as such will capture all individuals and/or firms engaging in this type of conduct with a substantial nexus to Hong Kong.
  • The SFC will be granted a significant range of supervisory powers over licensed VASPs. This includes the power to enter the business premises of a licensed VASP to conduct routine inspections of business records, request production of documents and other records, and to investigate non-compliance and impose disciplinary sanctions against licensed VASPs in contravention.

II. The Applicability of the VASP Regime to Non-Fungible Tokens

Under the Amended AMLO, “VA” generally captures a cryptographically secured digital representation of value that:

  • is expressed as a unit of account or a store of economic value;
  • either:
    • functions (or is intended to function) as a medium of exchange accepted by the public as payment for goods or services, or for the discharge of debt, or for investment purposes; or
    • provides rights, eligibility or access to vote on the management, administration or governance of the affairs in connection with any cryptographically secured digital representation of value;
  • can be transferred, stored or traded electronically; and
  • satisfies other characteristics prescribed by the SFC.

In our previous alert, we noted that the proposed definition of “VA” did not capture non-fungible tokens (“NFTs”). This point was picked up during the LegCo meetings. The SFC has clarified that the assessment of whether an NFT is a VA needs to take into account its terms and features. In most cases, NFTs which merely represent a “genuine digital representation of a collectable” are unlikely to be captured by the definition of “VA” under the Amended AMLO; however, where an NFT goes beyond the scope of a collectable, for example where it contains fungible elements or allows holders to vote on its arrangement, this may cause the NFT to be “a medium of exchange accepted by the public” or “a digital representation of value that provides holders with rights, eligibility or access to vote”, and it will therefore fall under the ambit of a VA.[3]

The Government further explains that if a specific NFT is seen to be a VA, persons trading that specific NFT will require a licence if those dealings amount to a “VA service”, i.e., if the specific NFT is traded through the operation of an exchange. In other words, if the trading occurs on a peer-to-peer basis, the persons would not be deemed as operating an exchange and their activities would not fall within the scope of a “VA service”, and therefore a VASP licence is not required.[4]

III. The Requirement of Providing VA Services to Professional Investors Only

In our previous client alert, we noted the proposal that, in order to promote investor protection, the licensing regime for VASPs will, at the initial stage, stipulate that VASPs can only provide services to professional investors (“PI Restriction”), and that this restriction will be imposed by the SFC as a licence condition. At that time, we observed that the use of the phrase “initial stage” and the proposal to impose the PI Restriction by way of a licensing condition, rather than in the legislation itself, suggested that the SFC may possibly allow expansion of VASP services to retail investors down the track when VA markets become more mature and regulated.

It appears that the Government recognises that VA markets have become more mature since the licensing regime for VASPs was first proposed. On October 31, 2022, the Government issued its policy statement on the development of VAs in Hong Kong[5] (“Policy Statement”), where the Government stated that it recognised the increasing acceptance of VA as a vehicle for investment allocation by global investors, be they institutional or individual. It was noted in the Policy Statement that the SFC would be conducting a public consultation on how retail investors may be given a suitable degree of access to VA under the new licensing regime for VASPs, while being careful and cautious about the risks to retail investors, including by enhancing investor education and ensuring that suitable regulatory arrangements are in place.

The Report provides further clarification on the Government’s position on the PI Restriction, and notes that the PI Restriction will be imposed on licensed VASPs as a licensing condition at the initial stage. However, it further states that the SFC will conduct a consultation on the detailed regulatory requirements of the new VASP regime, and that during the consultation the SFC will consider whether to allow non-professional investors (i.e. retail investors) to partake in VA transactions with licensed VASPs, provided that additional investor protection measures are in place.[6]

The SFC’s thinking on the investor protection measures to allow retail investors to trade VAs with licensed VASPs will likely become clearer after the SFC publishes its consultation paper on the regulatory requirements under the new VASP regime.

IV. Postponement to the Commencement of the Amended AMLO and the Licensing Regime for VASPs

In the Report, the Government proposed to postpone the commencement of the Amended AMLO and the licensing regime for VASPs. Set out below is a summary of the original timeline and the new timeline for the commencement of the Amended AMLO and the licensing regime for VASPs, as well as the timing implications for the transitional period and the deadline to submit an application to the SFC under the licensing regime for VASPs.

| Event | Original timeline | New timeline |
| --- | --- | --- |
| Commencement date of the Amended AMLO. Note that the criminal offences for fraudulent or reckless misrepresentations, or employing deceptive or fraudulent devices, schemes or acts, in relation to VA transactions, commence from this date. | January 1, 2023 | April 1, 2023 |
| Commencement date of the licensing regime for VASPs (“VASP Regime Commencement Date”). | March 1, 2023 | June 1, 2023 |
| Start date for the 12 months transitional period (“Transitional Period Start Date”) for any corporation that has been carrying on the business of providing a VA service in Hong Kong immediately before the VASP Regime Commencement Date (“Existing VASPs”), during which time the Existing VASP can carry on VA service in Hong Kong without a VASP licence. | Starting from March 1, 2023 | Starting from June 1, 2023 |
| Deadline of the 9 months period for Existing VASPs to file an application to the SFC for a licence under the licensing regime for VASPs, in order to be deemed to be licensed from the day after the expiry of the 12 months’ transitional period (“Application Deadline”). | By no later than December 1, 2023 | By no later than March 1, 2024 |

Existing VASPs that file an application to the SFC by the Application Deadline will be deemed to be a licensed VASP from the day after the expiry of 12 months from the Transitional Period Start Date (i.e. June 2, 2024) until the SFC has made a decision to either approve or reject their licence application, or the licence applicant withdraws their application.

The Report notes that the postponement is intended to provide the Government and the SFC more time to work out the implementation details of the new regulatory regime, including public consultation work by the SFC on the regulatory requirements for licensed VASPs. The postponement is also intended to allow more time for the VASPs sector to prepare for the introduction of the licensing regime.

We will continue to closely monitor developments in this area, and will provide a more detailed update when the SFC publishes its public consultations on the regulatory regimes for licensed VASPs.

___________________________

[1] “Report of the Bills Committee on Anti-Money Laundering and Counter-Terrorist Financing (Amendment) Bill 2022”, LC Paper No. CB(1)855/2022 (December 7, 2022), published by the Legislative Council, available at https://www.legco.gov.hk/yr2022/english/bc/bc05/reports/bc0520221207cb1-855-e.pdf

[2] Hong Kong Introduces Licensing Regime for Virtual Asset Services Providers (June 30, 2022), published by Gibson, Dunn & Crutcher LLP, available at https://www.gibsondunn.com/hong-kong-introduces-licensing-regime-for-virtual-asset-services-providers/

[3] Paragraph 13 of the Report.

[4] Paragraph 14 of the Report.

[5] “Policy Statement on Development of Virtual Assets in Hong Kong”, published by the Financial Services and the Treasury Bureau on October 31, 2022, available at https://gia.info.gov.hk/general/202210/31/P2022103000454_404805_1_1667173469522.pdf

[6] Paragraph 27 of the Report.


The following Gibson Dunn lawyers prepared this client alert: William Hallatt, Arnold Pun, and Jane Lu.

© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

I.   Introduction

Over the last few months, several European Union (“EU”) Member States have announced that they intend to withdraw from the Energy Charter Treaty (the “ECT”).  At the time of writing, Germany, Slovenia, Poland, the Netherlands, France, Spain and Luxembourg have made such announcements.

These announcements preceded the expected vote by the Contracting Parties to the ECT on amendments to the text of the 1994 ECT (the “Modernised ECT”).  The vote was scheduled to take place on 22 November 2022.  However, reportedly due to a failure by the European Commission to gain the consensus of EU Member States—a majority of which are Contracting Parties to the ECT—the vote was called off at the eleventh hour.  It has now been postponed until April 2023.  If adopted in April 2023, the Modernised ECT will enter into force 90 days after its ratification by three-fourths of the treaty’s Contracting Parties.  The Modernised ECT, if adopted, contains notable changes to the scope of investment protection afforded by the treaty.

We provide a summary of these developments and their potential impact on international arbitration claims brought by investors in ECT Contracting Parties.

II.   The ECT

The ECT is a multilateral investment treaty that entered into force in 1998 and establishes a legal framework to promote long-term international cooperation in the energy sector.

The ECT obliges the states that are Contracting Parties to the treaty to encourage and create stable, equitable, favourable, and transparent conditions for investors of other Contracting Parties.[1]  In order to qualify for the protection afforded by the ECT, investments must be associated with “Economic Activity in the Energy Sector”.  In practice, this includes, inter alia, (i) oil and gas exploration, (ii) construction and operation of power generation facilities, including those powered by renewable energy sources such as wind, solar, and hydro, and (iii) decommissioning of energy-related facilities, including oil rigs, oil refineries and power generating plants.[2]

Each Contracting Party gives its unconditional consent to the submission of disputes between a Contracting Party and an investor of another Contracting Party relating to an investment to international arbitration.[3]

III.   Amendments to the ECT

Since 2017, discussions have been underway regarding efforts to negotiate and agree a modernised text of the ECT.  On 24 June 2022, it was announced that the Contracting Parties reached an agreement in principle on the modernised text.  The Modernised ECT contains certain notable changes.

As explained by the Energy Charter Secretariat, the proposed changes include:

  1. Alignment between the ECT and the Paris Agreement, which is a legally binding international treaty on climate change.[4] For example, the EU and the UK have opted to carve out fossil fuel related investments from investment protection under the ECT, including for existing investments after 10 years (instead of 20 years under the current ECT).[5]
  2. A provision stating that an investor from a Contracting Party that is part of a regional economic integration organisation (“REIO”), such as the EU, cannot bring an investor-state arbitral claim against another Contracting Party member of the same REIO—i.e., prohibiting what is referred to as “intra-EU arbitration”.[6]
  3. A narrowed definition of a qualifying “investment” and “investor” under the treaty. An “investment” must fulfil a list of characteristics, such as the commitment of capital, the expectation of gain or profit, a certain duration, or the assumption of risk.  An “investor” cannot hold the nationality of, or permanent residency in, the Contracting Party hosting the investment, and must demonstrate that it carries on substantial business activity in the host state.[7]
  4. Provision for a list of measures that constitute a violation of the ECT’s fair and equitable treatment (“FET”) standard, including a description of the circumstances that give rise to an investor’s legitimate expectations.[8]
  5. Clarification that the treaty’s expropriation provision covers indirect expropriations, identifying in this context the types of measures that cannot be considered an indirect expropriation.[9]
  6. Provision that the treaty’s observance of undertakings clause—i.e., umbrella clause—only applies to breaches of specific written commitments made through the exercise of governmental authority.[10]

As noted, it is anticipated that the ECT Contracting Parties will vote in April 2023 on whether to formally adopt the Modernised ECT.  If adopted, the Modernised ECT will enter into force 90 days after its ratification by three-fourths of the treaty’s Contracting Parties.

IV.   Announced Intention by Contracting Parties to Withdraw from the ECT

In parallel to these developments, several ECT Contracting Parties—that are also EU Member States—have announced that they intend to withdraw from the ECT.  At the time of writing, Germany, Slovenia, Poland, the Netherlands, France, Spain and Luxembourg have made such announcements.  It is reported that Austria is also considering withdrawal.

These Contracting Parties have cited various reasons for their intention to withdraw.  The reasons appear generally to centre around complaints that the ECT impedes their ability to tackle climate change.  Relatedly, there are around a billion Euros’ worth of outstanding ECT arbitral awards rendered against EU Member States—a figure which continues to grow, and which EU Member States may be keen to limit insofar as possible.

Withdrawal, however, does not take immediate effect.  Rather, Article 47 of the ECT (Withdrawal) contains what is referred to as a “sunset clause”, which provides that, following formal notification of a Contracting Party’s withdrawal from the ECT, the withdrawal shall take effect one year after the notification is given.[11]  Further, the protections afforded by the ECT shall continue to apply to pre-existing investments made in the territory of a Contracting Party for a period of 20 years after the withdrawal has taken effect—i.e., “the sunset period”.

Additionally, in the face of the announcements regarding withdrawal, the Energy Charter Secretariat, which provides the Energy Charter Conference “with all necessary assistance for performance of its duties,”[12] issued a Guidance Note explaining that withdrawal from the ECT may need to conform with Article 62 of the Vienna Convention on the Law of Treaties[13] (the “VCLT”).

Article 62 of the VCLT only allows a state—as a matter of general international law—to withdraw from a treaty due to “fundamental changes of circumstances” that were “essential” for the decision to enter into the treaty, and which “radically” transform the obligations created by the treaty so that its further implementation becomes unduly burdensome.[14]  In addition, the change of circumstance relied on as the reason for withdrawal must have been unforeseen by the contracting parties to that treaty.

The Energy Charter Secretariat also observed that the International Court of Justice, in Gabčíkovo-Nagymaros Project (Hungary/Slovakia), did “not consider that new developments in the state of environmental knowledge and of environmental law can be said to have been completely unforeseen.”[15]

As a result, the analysis as to whether an ECT Contracting Party can validly withdraw from the ECT is not straightforward.  And the issue of withdrawal may be subject to challenge, for example by investors bringing claims in international arbitration against Contracting Parties that have purported to withdraw from the ECT.

Against this backdrop, the European Parliament passed a resolution on 24 November 2022, “urg[ing] the Commission to initiate immediately the process towards a coordinated exit of the EU from the ECT and calls on the Council to support such a proposal”.[16]  Although this resolution is not binding on the European Commission, it is an indication of the EU’s intention as regards the ECT.  For the EU to withdraw from the ECT, the Council of the EU—which is one of the EU’s legislative bodies and is comprised of representatives from the EU Member States—would need to formally approve a withdrawal from the ECT by the EU.  This is a very recent development, so precise details as to the path ahead are not yet clear.

V.   Implications for Potential Claims by Investors Against ECT Contracting Parties

The developments outlined above carry several implications, some of which overlap:

  1. Investors in ECT Contracting Parties may seek to submit claims to international arbitration before a vote is passed and the Modernised ECT becomes effective, because they will presumably want their claims to come under the current ECT’s standards of investment protection.
  2. A Contracting Party’s attempt to withdraw from the ECT altogether may not impact an investor’s ability to commence international arbitration in the short-to-medium term, given the ECT’s 20-year sunset clause.
  3. Withdrawal is likely to become a contested issue in individual cases. The Energy Charter Secretariat suggested that Article 62 of the VCLT would apply to any attempt to withdraw from the ECT.  In this context, the reasons given by a Contracting Party for its withdrawal may need to be assessed against Article 62’s criteria on an individualised basis.  As a result, international arbitration tribunals confronted with claims by investors against a state that has purported to withdraw from the ECT may have to rule on the validity of that withdrawal as a jurisdictional issue.
  4. If the Modernised ECT is adopted next year, an ECT Contracting Party can choose both to ratify the Modernised ECT and pursue withdrawal in parallel, since these are independent issues. Indeed, a Contracting Party wishing to minimise international arbitration claims against itself may well choose to vote for and ratify the Modernised ECT—with its narrower investor protections—and pursue withdrawal on a longer timeline.
  5. Finally, it is worth noting that if the Modernised ECT is not adopted at the vote scheduled for April 2023, the scope of investment protection offered under the current ECT will remain in force for Contracting Parties.

____________________________

[1] ECT, Article 10.

[2] ECT, Article 1(5).

[3] ECT, Article 26(3)(a).

[4] It was adopted by 196 Parties at COP 21 in Paris, on 12 December 2015, and entered into force on 4 November 2016.  See UNFCCC, The Paris Agreement.

[5] See Energy Charter Secretariat, Public Communication explaining the main changes contained in the agreement in principle, 24 June 2022, 1. Definitions – Pillar 2: Flexibility.

[6] Id., 6. Regional Economic Integration Organisation (REIO).

[7] Id., 2. Investment Protection – Definitions of Investment and Investor.

[8] Id., 2. Investment Protection – Definition of Fair and Equitable Treatment.

[9] Id., 2. Investment Protection – Definition of Indirect Expropriation.

[10] Id., 2. Investment Protection – Umbrella clause.

[11] ECT, Article 47(2).

[12] ECT, Article 35.

[13] VCLT, Article 62.

[14] Energy Charter Secretariat, Sunset Clause (Article 47 of the ECT) in relation to Article 62 of the Vienna Convention on the Law of Treaties (VCLT), 3 November 2022.

[15] Ibid.

[16] European Parliament resolution of 24 November 2022 on the outcome of the modernisation of the Energy Charter Treaty (2022/2934(RSP)), at 20.


The following Gibson Dunn lawyers assisted in the preparation of this client update: Jeff Sullivan KC, E Jin Lee, and Theo Tyrrell.

Join us for a 30-minute briefing covering a wide range of M&A practice topics. The goal of the program is to provide quick insights into recent market trends and practical advice on how to manage common M&A problems.

Topics discussed:

  • Jonathan Whalen and Matthew Wiener discuss recent developments in the representation and warranty insurance markets
  • Kristen Poole and David Wilf discuss how to choose among different efforts standards when drafting and negotiating covenants
  • Cassandra Gaedt-Sheckter and Alexander Southwell discuss practice pointers on assessing and managing cybersecurity and privacy risk in M&A transactions


PANELISTS:

Cassandra Gaedt-Sheckter is a partner in Gibson, Dunn & Crutcher’s Palo Alto office, lead of the firm’s State Privacy Law Task Force, and a Co-Chair of the firm’s Artificial Intelligence and Automated Systems Practice Group. She is an award-winning practitioner and, in 2022 alone, has been featured as 40 under 40 in Silicon Valley by the Silicon Valley Business Journal, Woman Leader in Tech Law by The Recorder, and Best Lawyers’ One to Watch for Technology Law for her work. Her practice focuses on data privacy, cybersecurity, AI, and data regulatory enforcement, transactional, and product and compliance counseling representations. She has significant experience advising companies on legal and regulatory compliance, diligence, and risks in transactions, particularly with respect to California’s CCPA and CPRA, and other federal and state laws and regulations.

Kristen P. Poole is a corporate partner in Gibson, Dunn & Crutcher’s New York office, where her practice focuses on mergers and acquisitions and private equity. Ms. Poole represents both public and private companies, as well as financial sponsors, in connection with mergers, acquisitions, divestitures, minority investments, restructurings, and other complex corporate transactions. She also advises clients with respect to general corporate governance matters and shareholder activism matters.

Alexander Southwell is a partner in Gibson, Dunn & Crutcher’s New York office, and he is a Co-Chair of the firm’s Privacy, Cybersecurity and Data Innovation Practice Group. He is a Chambers-ranked former federal prosecutor and was named a “Cybersecurity and Data Privacy Trailblazer” by The National Law Journal. Mr. Southwell’s practice focuses on privacy, information technology, data breach, theft of trade secrets and intellectual property, computer fraud, national security, and network and data security issues, including handling investigations, enforcement defense, and litigation. He regularly advises companies and private equity firms on privacy and cybersecurity diligence and compliance.

Jonathan Whalen is a partner in Gibson, Dunn & Crutcher’s Dallas office, and he is a member of the firm’s Mergers and Acquisitions Practice Group. Chambers USA named Mr. Whalen an Up and Coming Corporate/M&A attorney in their 2022 publication. Mr. Whalen’s practice focuses on a wide range of corporate and securities transactions, including mergers and acquisitions, private equity investments, and public and private capital markets transactions.

David Wilf is a partner in Gibson, Dunn & Crutcher’s New York office, and he is Co-Chair of Gibson Dunn’s Transportation and Space Practice Group. Mr. Wilf is recognized as a leading M&A attorney by the International Financial Law Review. His practice focuses on mergers and acquisitions, joint ventures, strategic alliances and general corporate matters, including strategic complex corporate contracts. Mr. Wilf has represented United States entities in Europe, Asia, Latin America, and Africa in acquisitions, divestitures and joint ventures, and non-U.S. entities in similar types of domestic and international transactions, in addition to his general domestic U.S. practice.

Matthew Wiener is a Managing Director, M&A and Transaction Solutions in the Houston office of Aon. He is the co-practice leader for Aon’s Transaction Solutions team. In this role, Mr. Wiener is responsible for the development and implementation of transactional-based risk solutions, including the deployment of insurance capital for M&A transactions through representations and warranties, litigation, tax and other contingent liabilities insurance. Prior to joining the Aon Transaction Solutions team, Matthew was an attorney at Vinson & Elkins LLP, where he specialized in corporate finance and securities law matters, including mergers and acquisitions, private equity, public and private securities offerings, divestitures, and general corporate representation.


MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 0.5 credit hour, of which 0.5 credit hour may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit.

Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact CLE@gibsondunn.com to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 0.5 hour.

California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.

As discussed in our November 21 Client Alert, following a recent interpretation by the SEC Staff regarding the application of Exchange Act Rule 15c2-11 to fixed income securities initially offered and sold by private companies, such issuers will be required to publicly disclose specified current financial and other information if they wish to allow US broker-dealers to publish quotations on their securities.  Based on a December 2021 no action letter (referenced in our client alert), this interpretation was scheduled to be phased in over time, with “Phase Two” taking effect as of January 3, 2023, which would have affected trading in securities offered by non-reporting issuers in Rule 144A offerings.

On November 30, 2022, however, the SEC issued a no-action letter that delayed implementation of Phase Two until January 4, 2025 to provide non-reporting issuers and US broker-dealers more time to implement compliance systems to meet the demands of the rule.  While various industry groups are expected to continue to engage with the Commission on the application of the Rule to fixed income securities, a further change in Commission policy remains uncertain.


The following Gibson Dunn lawyers prepared this client update: Alan Bannister and James Moloney.

The U.S. Treasury Department recently issued proposed regulations[1] to address certain concerns raised by taxpayers and other stakeholders in response to final foreign tax credit regulations published in January 2022[2].  Although the proposed regulations do not grapple with some of the more fundamental problems previously identified by commentators, they do offer taxpayers relief in certain narrow circumstances.  In general, the proposed regulations are proposed to apply to tax years ending on or after November 18, 2022 (i.e., starting immediately in 2022 for calendar-year taxpayers).  Once the proposed regulations are finalized, taxpayers may choose to apply “some or all of the final regulations to earlier taxable years, subject to certain conditions” described in detail in the notice of proposed rulemaking.  Until the effective date of final regulations, taxpayers may rely on the proposed regulations.  If a taxpayer chooses to rely on a portion of the proposed regulations, the taxpayer must consistently follow all proposed rules for that portion of the regulations for all years until final regulations are effective.[3]

Royalties

One of the primary areas of concern for taxpayers after the publication of the January 2022 final foreign tax credit regulations was the introduction of a source-based attribution requirement (described in earlier iterations of the regulations as the “jurisdictional nexus” requirement) that compares foreign laws governing the source of income with United States income tax laws to determine if a foreign tax should be creditable in the United States.  Under the source-based attribution requirement in Treas. Reg. § 1.901-2(b)(5)(i)(B), a foreign tax imposed on a nonresident’s income meets the attribution requirement only if the foreign tax law’s sourcing rules are reasonably similar to the United States sourcing rules.

In the case of gross income arising from royalties, the foreign tax law must impose tax on the royalties consistent with the manner in which the Internal Revenue Code (the “Code”) sources royalty income:  i.e., based on the place of use or the right to use the licensed intangible property.[4]  In this regard, the United States’ place-of-use rule for sourcing royalties is far from representative of a global consensus.  Other jurisdictions source royalties in a manner that does not fall neatly into that category, such as the United Kingdom, where a multi-factor approach is used to source royalties.  As a result, in those countries where withholding taxes on royalties are imposed on the basis of some other approach, royalty withholding taxes would not be creditable against the recipient’s U.S. tax liability even if the licensed intangible property is in fact used within the territory of the taxing jurisdiction.[5]

Complicating this inquiry is the lack of certainty that often arises when determining the location where intangible property is used.  Although it may be easy to identify where certain manufacturing-related intangibles are used (e.g., at a multinational enterprise’s manufacturing facility), it is more difficult in other situations, such as where employees in one jurisdiction use intangibles to generate sales through social media to customers residing in another jurisdiction.

The proposed regulations provide a limited exception to the source-based attribution requirement of the January 2022 regulations for situations in which the taxpayer can show that a withholding tax is imposed on royalties received in exchange for the right to use intangible property pursuant to a single-country license within the territory of the taxing jurisdiction.  For this purpose, a payment is made pursuant to a single-country license if the terms of the license agreement under which the payment is made characterize the payment as a royalty and limit the territory of the license to the country imposing the withholding tax.  Therefore, U.S. taxpayers may need to revise existing license agreements to qualify for the single-country license exception.

Cost Recovery Requirement

The proposed regulations also provide further insight into the net gain requirements that foreign income taxes must meet to give rise to U.S. foreign tax credits.  The final regulations require generally that significant items of expense—including capital expenditures, interest, rents, royalties, wages and research and experimentation—must be recovered against income, but the proposed regulations permit a foreign tax to disallow significant costs and expenses if the disallowance is consistent with any principle underlying disallowances required under the Code.

For taxpayers determining whether a disallowance is consistent with Code-based principles, the proposed regulations provide helpful guidance.  Treas. Reg. § 1.901-2(b)(4)(iv)(J), Example 10, makes clear that taxpayers would be permitted to claim foreign tax credits in respect of taxes paid to foreign taxing jurisdictions that do not allow any deductions for stock-based compensation because the Code “contain[s] targeted disallowances or limits on the deductibility of certain items of compensation in particular circumstances based on non-tax public policy reasons, including to influence the amount or use of a certain type of compensation in the labor market,” citing sections 162(m) and 280G.  Without the inclusion of Example 10 in the proposed regulations, it would not otherwise have been obvious that a complete disallowance of deductions for stock-based compensation would be considered to be consistent with (or resemble) the limitations in sections 162(m) and 280G.

For taxpayers analyzing whether any other type of disallowance under foreign tax law resembles a Code-based disallowance, the example and its principles should provide helpful authority in determining whether the net gain requirement is satisfied.

Summary

While the recently released proposed regulations do not address many substantive issues raised by taxpayers and other stakeholders in response to the January 2022 regulations, they do represent an effort to answer narrower problems identified by taxpayers, and they are designed in a way that allows taxpayers the opportunity to make broad arguments in other areas by analogy to these narrow rules.  Given the relief provided in response to high profile comments from the technology and other sectors on royalty withholding issues in particular, interested parties with other specific issues should consider communicating those issues to the Treasury Department and the IRS with proposals for relief or clarification.

Please contact any Gibson Dunn tax lawyer for updates on this issue.

__________________________

[1] 87 Fed. Reg. 71,271, 71,275 (Nov. 22, 2022).

[2] T.D. 9959, 87 Fed. Reg. 276 (Jan. 4, 2022).

[3] Until the effective date of final regulations, taxpayers may rely on the proposed regulations. If a taxpayer chooses to rely on a portion of the proposed regulations, taxpayers must consistently follow all proposed rules for that portion of the regulations for all years until final regulations are effective.  87 Fed. Reg. 71,271, 71,277 (Nov. 22, 2022).

[4] Sections 861(a)(4) and 862(a)(4) of the Code.

[5] Foreign tax on royalties can often be eliminated altogether under United States income tax treaties that eliminate royalty withholding tax, in which case there is no need to claim a foreign tax credit.  But foreign taxes on royalties are a significant focus of many U.S. taxpayers, as other U.S. treaties only reduce the royalty withholding tax, and many substantial U.S. trading partners, including Brazil, Singapore, and Hong Kong, do not enjoy tax treaties with the United States.  We also note that in determining the availability of a deemed paid credit to a U.S. shareholder of a CFC, the IRS and Treasury have taken the position in the January 2022 regulations that a U.S. taxpayer may not rely on a U.S. treaty provision that a country’s royalty withholding tax is creditable in a context where withholding taxes are imposed on royalties paid by one CFC to another CFC.


This alert was prepared by Jeffrey M. Trinklein, Anne Devereaux, John F. Craig III, Michael A. Benison, Eric Sloan, Sandy Bhogal, Jérôme Delaurière, and Hans Martin Schmid.

On November 28, 2022, the European Council formally adopted the Corporate Sustainability Reporting Directive (“CSRD”), following adoption by the European Parliament on November 10, 2022. The CSRD is now due to be signed and published in the European Union (“EU”) Official Journal and will come into force 20 days after publication.[1]

The CSRD will replace and significantly broaden the scope of the existing sustainability reporting requirements under the EU’s current sustainability reporting rules, which are set out in a suite of directives and regulations, including the Non-Financial Reporting Directive[2] (“NFRD”).  The NFRD currently requires that “public interest” entities, including large EU listed entities, credit institutions, insurance companies, and other entities designated as such by an EU member state, report certain sustainability information on an annual basis. While still subject to further implementation (as discussed below), the CSRD will also have important implications for non-EU groups with significant EU operations, as it will impose substantive and expanded disclosure requirements on those groups, with a resulting increase in costs. It will also likely lead to increased regulatory complexity and compliance risks.

Overview of the CSRD

The CSRD is intended to revise and strengthen the rules introduced by the NFRD by promoting relevant, comparable, reliable, and accessible sustainability information for investors and stakeholders.[3] The CSRD reporting requirements will complement and be aligned to other key EU sustainable finance initiatives that are directed principally at companies in the financial services and capital markets sectors, including the Sustainable Finance Disclosure Regulation (“SFDR”) (effective as of March 10, 2021)[4] and the EU Taxonomy Regulation (partially effective as of January 1, 2022, and fully effective as of January 1, 2023).[5]

As discussed in detail below, the CSRD will materially broaden the scope of sustainability information disclosed to stakeholders, increase the number of entities required to report such information, and introduce a new limited audit assurance requirement prior to October 1, 2026 and a new reasonable assurance requirement prior to October 1, 2028. The CSRD will apply to all large EU undertakings, both public and private. This expanded scope will apply the CSRD to, among others, U.S. entities with significant EU operations. Under the CSRD, small and medium enterprises (“SMEs”) will have delayed compliance requirements, and micro-undertakings will be excluded from compliance altogether.

Entities Covered by the CSRD and Exemptions

Entities covered by the CSRD include:

  1. all undertakings with securities listed on EU regulated markets (other than listed micro-undertakings);
  2. all “large undertakings” (whether listed or not), being an EU undertaking or an EU subsidiary of a non-EU entity that satisfies at least two of the three following criteria as of the relevant balance sheet date:
    a. a balance sheet total exceeding €20,000,000;
    b. a net turnover[6] exceeding €40,000,000; and
    c. in excess of 250 employees on average during the financial year.
  3. all parent undertakings of “large groups” (whether listed or not), being groups which on a consolidated basis satisfy two of the three criteria set out at a. through c. above; and
  4. as of January 1, 2026 (with the ability to opt-out until 2028), “small” and “medium-sized enterprises” with transferable securities on an EU regulated market.[7]

Note that certain EU subsidiaries of non-EU entities, as well as any non-EU entities with transferable securities listed on an EU regulated market, accordingly will be subject to the CSRD.

From financial years starting on or after January 1, 2028, the CSRD will also apply to non-EU undertakings (labelled “third country undertakings”) that generate a net turnover of more than €150,000,000 in the EU and have: (i) an EU branch office with a net turnover of at least €40,000,000 in the EU; or (ii) a large or listed EU subsidiary.[8] The subsidiary or branch will be responsible for preparing a sustainability report for the third country undertaking at a consolidated level. These sustainability reports will need to be prepared according to: (i) separate standards to be adopted by the European Commission (“Commission”) by June 30, 2024; (ii) the standards applicable to EU undertakings; or (iii) standards which are deemed equivalent by the Commission. These sustainability reports of third country undertakings need to be published with an assurance opinion by a firm authorized to give such an opinion under the national law of the third country undertaking or of a member state.

A subsidiary undertaking will be exempt from reporting if that entity and its subsidiaries (if applicable) were included in the consolidated management report of the parent undertaking, provided that the parent’s report is compliant with the CSRD. This exemption would also apply where a subsidiary undertaking (and its subsidiaries) were included in the consolidated management report of a non-EU parent undertaking and that parent’s sustainability disclosures were determined to be “equivalent” to EU sustainability reporting standards. At this time, there is ambiguity on the equivalence protocol and likely outcomes of allowing non-EU parents to produce compliant consolidated reporting. Because it is not clear how this “equivalence test” will be applied (or indeed which non-EU countries will be treated as having equivalent sustainability reporting standards), non-EU entities must keep abreast of regulatory developments in this regard. While a parent in a non-EU country will be able to voluntarily choose to publish compliant consolidated management reports containing the relevant sustainability information mandated by the CSRD, this will not automatically exempt any of its EU subsidiary undertakings that fall within the scope of the CSRD.

For U.S. companies, the “equivalence” analysis adds another element of regulatory complexity, especially given that the U.S. Securities and Exchange Commission (“SEC”) has separately proposed new rules for climate change disclosure requirements for both U.S. public companies and foreign private issuers on March 21, 2022[9] (as discussed in further detail in our webcast here and our previous client alert here). There is no guarantee that those rules or any final SEC sustainability rules will be determined to be “equivalent” by the Commission for purposes of CSRD compliance,[10] and notably the proposed SEC rules deal with disclosures only for climate-related matters while disclosures under the CSRD include climate-related matters as well as other ESG-related matters.

For UK groups with substantial European operations, post-Brexit, a similar question will arise in relation to “equivalence”. The UK has arguably been leading the global landscape in relation to mandatory climate reporting pursuant to the Task Force on Climate-related Financial Disclosures (“TCFD”) and there exists a suite of specific ESG-related reporting requirements (e.g. in relation to modern slavery, consideration of broader stakeholder considerations and gender pay gap information). Nonetheless, the UK has yet to introduce a comprehensive set of mandatory non-climate related reporting requirements of the type envisaged by the CSRD.

As a practical matter, this means that EU large undertakings with non-EU parents could have to report consolidated sustainability information on a subsidiary-by-subsidiary basis if equivalence with the non-EU country’s sustainability reporting requirements is not determined. This could have wide-reaching implications for non-EU parent entities with significant subsidiary operations in the EU, not just in relation to the compliance burden of increased reporting costs across multiple entities, but also the compliance challenge and associated risks of ensuring relevance, accuracy and consistency across multiple reports.

Scope of Matters to be Reported and Relevant Reporting Standards

The CSRD will require reporting of forward-looking, retrospective, qualitative and quantitative information necessary to understand an undertaking’s impacts on sustainability matters and, from the “opposite” lens, the information necessary to understand how sustainability matters affect an undertaking’s development, performance, and position (i.e., “double materiality” reporting). The principle of double materiality requires that entities look inward to evaluate how sustainability issues affect the entity and look outward to understand how the entity impacts people and the environment.

The CSRD clarifies that entities will need to report on both elements of materiality for compliance with the reporting requirements. In particular, CSRD reporting entities will need to disclose:[11]

  1. Strategy: Their business model and strategy, including:
    • the resilience of their business model and strategy to risks related to sustainability matters;
    • their opportunities related to sustainability matters;
    • their plans to ensure that their business model and strategy are compatible with the transition to a sustainable economy and with the limiting of global warming to 1.5°C in line with the Paris Agreement and the objective of achieving climate neutrality by 2050;
    • how their business model and strategy take account of the interests of their stakeholders and of their impact on sustainability matters; and
    • how their strategy has been implemented with regard to sustainability matters.
  2. Targets: The sustainability targets set and the progress made towards achieving them.
  3. Governance: The role of the administrative, management and governance bodies in relation to sustainability factors.
  4. Policies: Their policies in relation to sustainability matters.
  5. Incentives: Information about the existence of sustainability-linked incentive schemes offered to members of the administrative, management and supervisory bodies.
  6. Due Diligence: The due diligence process implemented with regard to sustainability matters.
  7. Impacts: Their most significant negative impacts on sustainability factors.
  8. Remedial Actions: Any actions taken, and the results of such actions, to prevent, mitigate, remediate or bring an end to actual or potential adverse impacts.
  9. Risks: Their principal risks related to sustainability matters, including their principal dependencies on such matters, and how those risks are managed.
  10. Reporting Scope: The manner in which they identified the information on which the report.

Time horizons: The CSRD will also require that qualitative and quantitative, forward-looking and retrospective information be disclosed, taking into account short, medium and long-term time horizons.

Value chains: Where appropriate, undertakings will also be required to disclose information regarding their own operations as well as their value chains, including products and services, business relationships and supply chains.

Sustainability Standards: Disclosures will need to be reported in accordance with the European Sustainability Reporting Standards (“ESRS”) currently being developed by the European Financial Reporting Advisory Group (“EFRAG”), a public-private partnership tasked to advise the Commission on the adoption of international financial reporting standards into EU law. By June 30, 2023, the Commission must adopt the first set of standards and by June 30, 2024, the Commission must adopt further complementary information requirements with regards to sustainability matters, separate standards for third country undertakings and SMEs, and sector-specific standards.[12] The Commission has noted that sector-specific standards are particularly important for sectors associated with high sustainability risks and/or impacts on the environment, human rights and governance.

The standards are required to specify the information that should be disclosed regarding the following sustainability matters:

  • Environmental: (i) climate change mitigation; (ii) climate change adaptation; (iii) water and marine resources; (iv) resource use and circular economy; (v) pollution; and (vi) biodiversity and ecosystems (with reference to natural capital accounting to effectively monetize and quantify the cost/benefit of natural resources);
  • Social: (i) equal treatment and opportunities, including gender equality and equal pay for equal work, training and skills development, employment and inclusion of people with disabilities, measures against violence and harassment in the workplace, and diversity; (ii) working conditions, including secure employment, working time, adequate wages, social dialogue, freedom of association, existence of work councils, collective bargaining, the information, consultation and participation rights of workers, work-life balance and health and safety; and (iii) respect for human rights, fundamental freedoms, democratic principles and standards established in the International Bill of Human Rights and other core UN human rights conventions, the International Labor Organization’s Declaration on Fundamental Principles and Rights at Work and the ILO fundamental conventions, the European Convention of Human Rights, the revised European Social Charter, and the Charter of Fundamental Rights of the European Union; and
  • Governance: (i) the role of the undertaking’s administrative, management and supervisory bodies with regard to sustainability matters, and their composition, and their expertise and skills to fulfil this role or access to such expertise and skills; (ii) the main features of the undertaking’s internal control and risk management systems in relation to the sustainability reporting process; (iii) business ethics and corporate culture, including anticorruption and anti-bribery, the protection of whistle-blowers and animal welfare; (iv) engagement of the undertaking to exert its political influence, including its lobbying activities; (v) the management and quality of relationships with customers, suppliers and communities affected by the activities of the undertaking, including payment practices, especially with regard to late payment to SMEs; and (vi) the main features of the undertaking’s internal control and risk management systems, in relation to the sustainability reporting and decision-making process.

While the Commission has flagged the need for the standards to be consistent with other European legislation (i.e., EU Taxonomy Regulation and SFDR), the proposal does not point towards any one international standard or framework as a model or foundation. Instead, the proposal refers to the broad objective of taking into account existing standards and frameworks such as the Global Reporting Initiative (GRI), the Sustainability Accounting Standards Board, TCFD, the Climate Disclosure Standards Board, International Integrated Reporting Council, International Accounting Standards Board and any standards developed under the auspices of the IFRS Foundation.[13]

Audit Assurance: To help prevent greenwashing, the CSRD will also introduce a general EU-wide audit assurance requirement for reported sustainability information.[14] Previously, under the NFRD, audit assurance was optional. Under the CSRD, the Commission must adopt legislation to provide for a “limited assurance” requirement by October 1, 2026, and subsequently adopt further legislation to provide for a higher “reasonable assurance” requirement by October 1, 2028. EU member states will have the power to authorize independent assurance service providers to carry out this sustainability assurance work, which will broaden the choice of assurance providers beyond statutory auditors or audit firms.

Where to Report and Format of Reporting

The CSRD requires sustainability information to be published in an entity’s management report and not a separate, standalone report. To aid in the access, review, and comparability of sustainability information, the financial statements and management reports of CSRD reporting entities will be required to be published in a digital file format. Note that U.S. entities will likely include the management report as part of the Annual Report on Form 10-K since a separate, standalone ESG report will not comply with the CSRD.

CSRD Regulatory Approval Process

In connection with the CSRD rulemaking, the Commission carried out an Impact Assessment, including a public consultation. On April 21, 2021, the Commission adopted a proposal for the CSRD, and the proposal was open for public feedback until July 14, 2021. On June 21, 2022, the member states in the European Council and the European Parliament reached a provisional political agreement on the CSRD. On November 10, 2022, the European Parliament adopted a final legislative text based on the Commission’s proposal, which was then adopted by the European Council on November 28, 2022.  The CSRD is now due to be signed by the President of the European Parliament and the President of the European Council, after which it will be published in the EU Official Journal, and enter into force 20 days thereafter. Following this, member states must incorporate the CSRD into their local law within 18 months.[15]

In parallel, EFRAG set up a task force to lead the development of the sustainability standards applicable under the CSRD – the Project Task Force Non-Financial Reporting Standards (“PTF-NFRS”). The PTF-NFRS published a report in March 2021 outlining its proposed roadmap for development of a comprehensive set of EU sustainability standards. Elaboration of draft standards in project mode commenced in June 2021 and, significantly, on July 8, 2021, the EFRAG task force announced a Statement of Cooperation with the GRI. The GRI standards are currently the most commonly used sustainability reporting standards amongst EU entities.

EFRAG launched a public consultation on the ESRS exposure drafts in April 2022, with the consultation period closing on August 8, 2022. These exposure drafts corresponded to the first set of standards required under the CSRD and covered environmental, social and governance matters (described as “topical” standards) as well as cross-cutting standards (such as general principles, strategy, governance and materiality assessment disclosure requirements). On November 22, 2022, EFRAG submitted a set of twelve draft ESRS to the Commission, which take into consideration the results of the public consultation. The Commission will now consult with other EU bodies and member states on the draft ESRS, and is expected to adopt a set of final standards in June 2023. EFRAG is expected to release a second set of draft ESRS in the coming months, with a focus on sector-specific and SME standards.

The CSRD will apply to entities that are already subject to NFRD for financial years starting on or after January 1, 2024 with the new disclosures therefore appearing in reports published in 2025. In scope entities that are not already subject to NFRD will be required to apply CSRD for financial years starting on or after January 1, 2025. Reporting will be delayed for SMEs whose securities are admitted to trading on an EU regulated market until financial years starting on or after January 1, 2026 (subject to an opt-out until 2028) and for third country undertakings until financial years starting on or after January 1, 2028.[16]

Note that once adopted, the CSRD requires member state implementation into local law. Thus, it is possible that there may be divergences on both the timing of implementation and the approach between member states.

Key Takeaways

The reporting obligations arising from the CSRD are significant compared to the NFRD. In addition, the CSRD’s scope is much broader given the breadth and relative sizes of many U.S., UK and non-EU entities with significant operations in various EU jurisdictions. As a result, the CSRD may lead to a marked increase in additional substantive disclosures (and increased costs), including multiple subsidiary-level reporting obligations, and the associated risks of divergent reporting. With the CSRD’s adoption, the SEC’s proposed expanded climate change requirements in the U.S., and the UK Government and relevant agencies rolling out mandatory TCFD-aligned climate disclosure requirements while also pushing for enhanced non-climate related disclosures, it will be important for U.S. and UK companies with significant EU operations to start compiling and developing standards and procedures to confirm the accuracy of sustainability information.

____________________________

   [1]   Council of the European Union, Press Release, Council gives final green light to corporate sustainability reporting directive (November 28, 2022), available at https://www.consilium.europa.eu/en/press/press-releases/2022/11/28/council-gives-final-green-light-to-corporate-sustainability-reporting-directive/.

   [2]   The key rules and regulations are set out in the Accounting Directive (Directive 2013/34/EU) (which was amended by the NFRD), the Transparency Directive (Directive 2004/109/EC), the Audit Directive (2006/43/EC) and the Audit Regulation (Regulation (EU) 537/2014).

   [3]   Executive Summary of the Impact Assessment, European Commission (April 21, 2021), available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52021SC0151&from=EN.

   [4]   The SFDR complements corporate disclosures by providing a comprehensive reporting framework for financial products and financial entities. FAQ: what is the EU Taxonomy and how will it work in practice?, European Commission, (April 21, 2021) at page 3, available here.

   [5]   The EU Taxonomy Regulation is a green classification system that translates the EU’s climate and environmental objectives into criteria for specific economic activities for investment purposes and provides a common understanding of economic activities that make a substantial contribution to the EU’s environmental goals. Id. at page 1.

   [6]   The definition of “net turnover” is “the amounts derived from the sale of products and the provision of services after deducting sales rebates and value added tax and other taxes directly linked to turnover” as defined in the Accounting Directive (see footnote 2 above).

  [7]   Listed micro-undertakings (those that do not satisfy two of the three following criteria: (i) a balance sheet total exceeding €350,000; (ii) a net turnover exceeding €700,000; and (iii) in excess of ten employees) will be exempt from the CSRD.

   [8]   Corporate Sustainability Reporting Directive (November 10, 2022), at point (14) of Article 1 (introducing Article 40a to the Accounting Directive) and point (2) of Article 5, available at https://www.europarl.europa.eu/doceo/document/TA-9-2022-0380_EN.pdf.

   [9]   Securities and Exchange Commission, The Enhancement and Standardization of Climate-Related Disclosures for Investors, available at https://www.sec.gov/rules/proposed/2022/33-11042.pdf.

  [10]   “Equivalence” will be determined pursuant to the formal mechanisms established by the European Commission as envisaged under Article 23(4)(i) of Directive 2004/109/EC, available here.

  [11]   Corporate Sustainability Reporting Directive (November 10, 2022), at point (4) of Article 1 (replacing Article 19a of the Accounting Directive), available at https://www.europarl.europa.eu/doceo/document/TA-9-2022-0380_EN.pdf.

  [12]   Id. at point (8) of Article 1 (inserting Articles 29b and 29c into the Accounting Directive) and point (14) of Article 1 (inserting Article 40b into the Accounting Directive).

  [13]   In March 2021 the IFRS Foundation announced creation of a working group to accelerate convergence in global sustainability reporting standards focused on enterprise value and to undertake technical preparation for a potential international sustainability reporting standards board under the governance of the IFRS Foundation. Press Release, IFRS, IFRS Foundation Trustees announce working group to accelerate convergence in global sustainability reporting standards focused on enterprise value (March 22, 2021), available here.

  [14]   Corporate Sustainability Reporting Directive (November 10, 2022), at point (13) of Article 1 (amending Article 34 of the Accounting Directive), available at https://www.europarl.europa.eu/doceo/document/TA-9-2022-0380_EN.pdf.

  [15]   Id. at point (1) of Article 5.

  [16]   Id. at point (2) of Article 5.


The following Gibson Dunn attorneys assisted in preparing this client update: Selina Sagayam, Elizabeth Ising, Sarah Leiper-Jennings, Vivian Leong*, and Ryan Butcher*.


*Vivian Leong and Ryan Butcher are trainee solicitors working in the firm’s London office who are not yet admitted to practice law.


In December 2021, the Securities and Exchange Commission (“SEC”) proposed amendments to Rule 10b5-1 meant to address potential abuses of the current insider trading regime.  As the SEC contemplates the final form of these amendments, it has already begun to crack down on improper reliance on or abuse of Rule 10b5-1 from an enforcement perspective.  In the last few months, both the SEC and Department of Justice (“DOJ”) have reportedly prioritized investigations of Rule 10b5-1 trading plan abuses, and it’s likely that heightened enforcement challenging claims of reliance on Rule 10b5-1 (whether in its current form or as amended) is soon to follow.

Proposed Changes to Rule 10b5-1

Rule 10b5-1(c) under the Securities Exchange Act of 1934 provides an affirmative defense to insider trading for parties, such as corporate executives and directors, that often have access to material nonpublic information about their companies.  Rule 10b5-1(c) provides a means for these parties to sell their company stock without violating Rule 10b-5’s prohibition on insider trading so long as any trades are made pursuant to pre-determined trading plans, known as Rule 10b5-1 plans, that are entered into at a time when such parties are not aware of material nonpublic information.[i]

Rule 10b5-1 has long been criticized as allowing opportunistic trading and being subject to manipulation.  Citing the need to “address critical gaps in the SEC’s insider trading regime,” the SEC proposed amendments to Rule 10b5-1 in December 2021.[ii]  The amendments are targeted at enhancing protections against insider trading by making the requirements more restrictive, including by requiring 120-day cooling off periods before an executive officer’s or director’s trades can be executed under new or modified plans, prohibiting overlapping plans for the same class of securities, limiting single-trade plans to one plan per 12-month period, and requiring insiders to certify that they are not aware of material nonpublic information prior to adopting or modifying a new plan.[iii]  The requirement that a 10b5-1 plan be entered into in good faith would be expanded to require that the plan also be operated in good faith.[iv]  The amendments would also introduce multiple new reporting requirements pertinent to insider trading, including with respect to issuers’ insider trading policies and the usage of Rule 10b5-1 plans by insiders.[v]  In its regulatory agenda published in June 2022, the SEC indicated that it planned to adopt the final amendments by April 2023.[vi]

Signs of Heightened Enforcement Activity 

In addition to proposing amendments aimed at curbing alleged abuses of Rule 10b5-1, the SEC—together with the DOJ—has also recently demonstrated an increased interest in investigating and enforcing potential abuses of the rule.  Historically, trades made in reliance on Rule 10b5-1 have only been infrequently investigated by U.S. authorities.  However, according to recent reports, the DOJ’s Fraud Section and SEC enforcement attorneys are now using computer algorithms to identify potential manipulations of Rule 10b5-1 plans, and there are some indicators in the market that these investigations have been fruitful.[vii]  In September, the SEC reached a settlement with the CEO and the former President of Cheetah Mobile Inc. based on allegations that the two executives sold stock pursuant to a 10b5-1 plan that they entered into while they were aware of material nonpublic information that the company’s second quarter revenue would be lower than expected.[viii]  By selling shares before the public disclosure of the negative revenue report, the executives avoided losses of approximately $300,000.[ix]  Not only does this settlement indicate that insider trading enforcement is likely on the rise, it also demonstrates that the SEC will investigate and punish infractions that result in relatively small benefits for insiders.  In addition, the SEC’s order stipulated that for a period of five years following the order, the CEO would include a 120-day cooling off period for trading under any new or modified Rule 10b5-1 plan, and would not maintain overlapping plans, with respect to Cheetah Mobile securities.[x]  The inclusion of these restrictions in the order suggests that the SEC remains supportive of including these restrictions in the final Rule 10b5-1 amendments, as proposed.

Other signs of robust investigations suggest that increased enforcement activity is on the horizon.  In October, a breast-implant company disclosed that it had received subpoenas from DOJ and the SEC seeking materials related to its former CEO’s trading activities.[xi]  And, while other companies have yet to publicly disclose similar requests, we are aware that other market participants have also noticed a sudden increase in inquiries from the SEC and DOJ regarding 10b5-1 plans.  In light of these indicators, companies and corporate insiders should be particularly scrupulous when adopting Rule 10b5-1 plans, remain mindful of actions or provisions that could attract scrutiny or that underlie concerns prompting the proposed SEC amendments, and consult with counsel to reduce the risk of potential investigation and enforcement.

____________________________

[i] See 17 CFR § 240.10b5-1.

[ii] U.S. Sec. & Exch. Comm’n, SEC Proposes Amendments Regarding Rule 10b5-1 Insider Trading Plans and Related Disclosures (Dec. 15, 2021), https://www.sec.gov/news/press-release/2021-256.

[iii] See Gibson Dunn Client Alert, SEC Proposes Rules on Insider Trading, Rule 10b5-1 and Share Repurchases (Dec. 23, 2021).

[iv] Id.

[v] Id.

[vi] U.S. Sec. & Exch. Comm’n, Rule 10b5-1 and Insider Trading (2022), https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202204&RIN=3235-AM86.

[vii] Bloomberg, US Probes Insider Trading in Prearranged Executive Stock Sales (Nov. 3, 2022).

[viii] U.S. Sec. & Exch. Comm’n, Order in the Matter of Sheng Fu and Ming Xu (Sep. 21, 2022).

[ix] Id.

[x] Id.

[xi] Bloomberg, US Probes Insider Trading in Prearranged Executive Stock Sales (Nov. 3, 2022).


The following Gibson Dunn attorneys assisted in preparing this client update: Joel M. Cohen, Lori Zyskowski, Nina Meyer, and Matthew Dolloff, with contributions by Ronald Mueller and Thomas Kim.

Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have about these developments. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders and members of the firm’s Securities Enforcement or Securities Regulation and Corporate Governance practice groups:

Securities Enforcement Group:
Joel M. Cohen – New York (+1 212-351-2664, jcohen@gibsondunn.com)
Richard W. Grime – Washington, D.C. (+1 202-955-8219, rgrime@gibsondunn.com)
Mark K. Schonfeld – New York (+1 212-351-2433, mschonfeld@gibsondunn.com)

Securities Regulation and Corporate Governance Group:
Elizabeth Ising – Washington, D.C. (+1 202-955-8287, eising@gibsondunn.com)
Thomas J. Kim – Washington, D.C. (+1 202-887-3550, tkim@gibsondunn.com)
James J. Moloney – Orange County (+1 949-451-4343, jmoloney@gibsondunn.com)
Ronald O. Mueller – Washington, D.C. (+1 202-955-8671, rmueller@gibsondunn.com)
Lori Zyskowski – New York (+1 212-351-2309, lzyskowski@gibsondunn.com)

© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Following a recent interpretation of a long-standing rule, Rule 15c2-11 (the “Rule”) under the Securities Exchange Act of 1934, as amended (the “Exchange Act”), by the Staff of the Securities and Exchange Commission (the “Commission”), issuers of fixed income (e.g., debt) securities, including such securities initially offered and sold to investors in reliance on available exemptions from registration under the Securities Act of 1933, as amended (the “Securities Act”) (most notably Rule 144A under the Securities Act (“Rule 144A”)), will be required to publicly disclose specified current financial and other information in order to allow US-regulated broker-dealers (“US broker-dealers”) to publish quotations on such securities. For example, this rule will impact private companies that issue high yield or other bonds under Rule 144A and who wish to ensure that there is sufficient liquidity for their investors. Securities of issuers that do not choose to publicly disclose the information required under the Rule could suffer significant limitations in liquidity, as discussed below.

Background

The Rule, first adopted in 1971, while not directly applicable to issuers, requires US broker-dealers to collect and review certain issuer information before publishing quotes on the issuer’s securities in the Over the Counter (“OTC”) markets.[1]  In 2020, the Commission adopted amendments to that Rule, substantially limiting the exceptions to such requirements and requiring that specified issuer information be current and publicly available in order for US broker-dealers to publish quotes on that issuer’s securities.  As these amendments were set to come into effect in September of 2021, the Division of Trading and Markets, in a no-action letter, confirmed a new and surprising interpretation of the Rule, stating that the rule applies to all securities, including fixed income securities, despite never having been applied or enforced in fixed income securities markets.[2]  Following that initial letter, the Division of Trading and Markets issued an additional no-action letter a few months later, providing for a phased-in approach to its enforcement of the amended Rule with respect to fixed income securities markets (the “No-Action Letter”).[3]

Impact on Markets for Unregistered Securities

The implications of the new interpretation of the Rule are likely to be most keenly felt in the Rule 144A market in relation to fixed income securities issued by companies (“Private Companies”) which are not registrants under the Exchange Act[4] nor otherwise required to publicly provide current financial and other information in the manner contemplated in that Rule.[5]  In addition, Private Companies which issue fixed income securities in reliance on certain other exemptions, such as Section 3(a)(9) (exempting exchanges of one security previously issued by an issuer for another security of the same issuer, for no further consideration), Section 3(a)(10) (exempting exchanges of securities for existing securities or other claims pursuant to a governmental hearing) or Section 1145 of the U.S. Bankruptcy Code (exempting issuances of securities by a debtor in exchange for claims against it or an affiliate pursuant to a plan of bankruptcy under Chapter 11 of the U.S. Bankruptcy Code), will also be similarly affected.

Securities offered and resold pursuant to Rule 144A are, by their nature, restricted to qualified institutional buyers (“QIBs”) and are generally subject to highly negotiated and detailed financial reporting covenants.  In addition, for Private Company issuers, Rule 144A has, since its adoption in 1990, required that QIB investors be entitled upon request to receive certain specified information (the “Rule 144A(d)(4) Information”)[6] from the issuer. Typically, such information has been provided by Private Companies only to QIBs through a secure online portal, or direct delivery to the QIB, which allows the information to be disseminated efficiently, without public disclosure.  As a result of the new interpretation of the Rule, Private Companies that issue Rule 144A fixed income securities and wish to ensure that US broker-dealers may publish quotations for such securities will no longer be able to rely solely on such private dissemination methods of Rule 144A(d)(4) Information.[7]

Requirements of the Rule

Below we summarize the key requirements for Private Company issuers of fixed income securities under the Rule (as recently amended) which, for Rule 144A fixed income securities, will take effect on January 4, 2023, absent any further action by the Commission.

Current Information Required by the Rule

For US broker-dealers to be permitted to provide quotations for fixed income securities of Private Companies, the Rule requires the following issuer information, as of a date within 12 months of the date of the quotation (unless otherwise indicated), be publicly available[8]:

  1. identifying information about the issuer and the relevant security (including the name, address, title, class, etc.) and the total amount of the securities outstanding as of the end of the issuer’s most recent fiscal year;
  2. information about the issuer’s business (e.g., a description of the business, the products and services offered, names and titles of all insiders, etc.); and
  3. the issuer’s most recent balance sheet (as of a date less than 16 months) and profit and loss and retained earnings statements for the 12 months preceding the date of the most recent balance sheet, and similar financial information for such part of the two preceding fiscal years as the issuer or its predecessors have been in existence.

The information described above is substantially similar to the Rule 144A(d)(4) Information requirement of Rule 144A for a company that is neither subject to the reporting requirements of the Exchange Act nor a foreign private issuer exempt from such reporting requirements pursuant to Rule 12g3-2(b) thereunder.  However, unlike those requirements under Rule 144A, the Rule will require that the Private Company issuer make such information publicly available if they wish to permit US broker-dealers to publish quotations on the issuer’s OTC securities.

Meaning of “Publicly Available”

Under Rule 15c2-11, as amended, the relevant current information will only be deemed “publicly available” if it is “available on EDGAR; on the website of a state or federal agency, a qualified interdealer quotation system, a registered national securities association, a registered broker or dealer or an issuer; or through an electronic information delivery system that is generally available to the public in the primary trading market of a foreign private issuer…”.[9]  Notably, the definition in the Rule explicitly excludes information to which access is restricted by user name, password, fees, or other restraints, which issuers of Rule 144A securities have historically used to protect information disclosed to QIBs in accordance with highly-negotiated financial reporting covenants.

Phased Implementation

The Rule is now in effect for fixed income securities.  However, in response to requests from industry representatives seeking additional time to implement the operational and systems changes necessary to comply with the Rule in respect of fixed income securities, the Division of Trading and Markets issued the No-Action Letter, providing a phased-in approach to application of the amended Rule to fixed income securities markets in limited circumstances.[10]  Pursuant to the No-Action Letter, the Commission confirmed that, during the period from January 3, 2022 until January 3, 2023 (“Phase 1”), it would not recommend enforcement against a US broker-dealer that provides a quotation for a fixed income security where that security or its issuer meets one of a limited number of criteria[11], including, most notably for Private Company issuers, that such securities are being offered pursuant to Rule 144A (provided the US broker-dealer reasonably believes the issuer will provide the Rule 144A(d)(4) Information to investors upon request).  Under the No-Action Letter, “Phase 2” will begin on January 4, 2023, and from that date there will no longer be an exemption available for quotations relating to fixed income securities sold pursuant to Rule 144A.

Accordingly, from and after January 4, 2023, US broker-dealers will no longer be permitted to provide quotations for securities sold pursuant to Rule 144A unless there is current and publicly available financial information about the issuer meeting the requirements of the Rule.

Next Steps and Considerations

Industry groups such as the Securities Industry and Financial Markets Association (SIFMA) and the Investment Company Institute (ICI) continue to engage with the Commission regarding the application of the Rule to fixed income securities.[12]  These groups are also advocating publicly against the application of the Rule to fixed income securities generally[13] and, especially, Rule 144A securities.[14]  Nonetheless, a change in policy by the Commission in advance of the expiration of the current phase of the No-Action Letter regulatory regime on January 4, 2023 remains uncertain.

In the absence of any further relief from the Commission, Private Company issuers and all other market participants in these fixed income securities should now be considering the effects of the Rule (including the obligation of Private Company issuers to make certain information publicly available and the consequences of not doing so within the time-frame required by the SEC).  For US broker-dealers this will mean screening for fixed income issuers that do not publicly provide current financial and other information required by Rule 15c2-11 and refraining from quoting securities from such issuers until such financial information is publicly available.  Investors, similarly, will need to consider the liquidity of potential investments in the fixed income securities (including Rule 144A securities) of Private Company issuers that do not publicly provide current financial and other information required by Rule 15c2-11.  Private Company issuers of fixed income securities (including Rule 144A securities) that are not otherwise required to publicly disclose current financial information must determine whether they will begin providing such information publicly in order to allow US broker-dealers to quote their securities. Failure to do so could impact the liquidity (and trading value) of such securities. For those issuers who decide to make such information publicly available in accordance with the Rule, they should be implementing proper infrastructure and controls to be ready for publication before January 4th. In addition, future Private Company issuers may also consider whether they would prefer to rely on other sources of capital raising, such as bank debt or debt securities offerings into other markets (especially for foreign private issuers), if available to them.

____________________________

[1]  The Rule does not (and the prohibition on US broker-dealers discussed herein does not), however, apply to publications or submissions by a US broker-dealer, solely on behalf of a customer, of certain quotations for an OTC security that represent customers’ unsolicited indications of interest. See Rule 15c2-11(f)(2).

[2]  Letter from Josephine Tao, Assistant Director, Office of Trading Practices, Division of Trading and Markets to Racquel Russell, Senior Vice President and Director of Capital Markets Policy, Office of the General Counsel, FINRA (Sept. 24, 2021) (Temporary Staff No-action Letter Regarding Rule 15c2-11 and Fixed Income Securities), available here.

[3] Letter from Josephine Tao, Assistant Director, Office of Trading Practices, Division of Trading and Markets to Racquel Russell, Senior Vice President and Director of Capital Markets Policy, Office of the General Counsel, FINRA (Dec. 16, 2021) (Temporary Staff No-action Letter 2 Regarding Rule 15c2-11 and Fixed Income Securities), available here.

[4] Issuers that offer fixed income or other securities in public offerings registered under the Securities Act, and/or which otherwise register a class of securities under Section 12 of the Exchange Act, are required to file annual and interim reports with the Commission pursuant to Sections 15(d) and/or 13 of the Exchange Act until such time, if any, that the issuer validly suspends or terminates such reporting requirements.  The issuer’s annual and interim reports timely filed with the Commission in accordance with Sections 15(d) or 13 of the Exchange Act will also satisfy the publicly available current information requirement of Rule 15c2-11.  However, notwithstanding any valid suspension and/or termination of its Exchange Act reporting requirements, for so long as any of the issuer’s OTC securities (including fixed income securities) remain outstanding thereafter, Rule 15c2-11 will require that issuer publicly disclose the required current information in accordance with the Rule if it wishes for US broker-dealers to be able to provide quotations for such securities.

[5] See below under “Meaning of Publicly Available.”

[6] 17 CFR § 230.144A(d)(4).

[7]  In contrast to Rule 144A issuers, issuers of fixed income securities under certain other exemptions from registration under the Securities Act, such as Sections 3(a)(9) and 3(a)(10) under the Securities Act and Section 1145 of the Bankruptcy Code, are not required, by the terms of those exemptions, to provide or otherwise make public any information on an ongoing basis after issuance.  Following this new interpretation of the Rule, however, such Private Company issuers that wish to ensure that US broker-dealers may provide quotations in such securities will similarly be required to publicly provide the financial and other information required by the Rule.

[8] For companies that are not Private Companies, such current information requirement alternatively may, if sufficiently current for purposes of the Rule, be met, for example, by any of the following: (i) a prospectus or offering circular filed by the issuer as part of a registered public offering or offering under Regulation A under the Securities Act, (ii) an annual report or statement filed pursuant to Sections 15(d) and/or 13 of the Exchange Act, or pursuant to Regulation A or Regulation Crowd Funding under the Securities Act, or (iii) a copy of the information that, since the first day of its most recently completed fiscal year, a foreign private issuer has published in order to establish or maintain its exemption from registration under Section 12(g) of the Exchange Act provided by Rule 12g3-2(b) thereunder.

[9]  Additionally, note that the Rule does not provide any limitation on liability or safe harbor for issuers who make the financial and other information publicly available in order to permit US broker-dealers to provide quotations for such issuer’s securities pursuant to the Rule.

[10] See supra note 4.

[11] In Phase 1, these criteria include fixed income securities (i) issued by an issuer that is not a Private Company, (ii) issued by certain foreign private issuers, which are foreign sovereign debt or are guaranteed by a foreign government, (iii) for which there is current and publicly available information about the issuer, (iv) issued by a bank, a bank holding company or a credit union with certain reporting requirements, and (v) offered and sold in accordance with Rule 144A (see Appendix A of the No-Action Letter).  Phase 2 covers the same list, with the exception of fixed income securities offered and sold in accordance with Rule 144A, which will no longer be exempted (see Appendix B of the No-Action Letter).  In Phase 3, a US broker-dealer will need to have determined that the security or its issuer satisfies the requirements of Phase 2 and either (i) the fixed income security is foreign sovereign debt or a debt security guaranteed by a foreign government; or (ii) there is a link, on the quotation medium on which the security is being quoted, directly to the current and publicly available information about the issuer.

[12] See ICI Joint Letter to SEC on Application of Rule 15c2-11 to Fixed Income (Sept. 23, 2021), available here; see also ICI Follow-Up Letter to SEC on Rule 15c2-11 and Rule 144A Debt Securities (Oct. 25, 2022), available here.

[13] See The Detriment of Rule 15c2-11’s Application to Fixed Income Markets (Sept. 12, 2022), available here.

[14] See The Collision of Rule 15c2-11 and Rule 144A (Sept. 19, 2022), available here.


The following Gibson Dunn lawyers prepared this client update: Alan Bannister and Thomas Canny*.

Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have about these developments. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders and members of the firm’s Capital Markets or Securities Regulation and Corporate Governance practice groups:

Capital Markets Group:
J. Alan Bannister – New York (+1 212-351-2310, abannister@gibsondunn.com)
Andrew L. Fabens – New York (+1 212-351-4034, afabens@gibsondunn.com)
Hillary H. Holmes – Houston (+1 346-718-6602, hholmes@gibsondunn.com)
Douglas S. Horowitz – New York (+1 212-351-3817, dhorowitz@gibsondunn.com)
Stewart L. McDowell – San Francisco (+1 415-393-8322, smcdowell@gibsondunn.com)
Peter W. Wardle – Los Angeles (+1 213-229-7242, pwardle@gibsondunn.com)

Securities Regulation and Corporate Governance Group:
Elizabeth Ising – Washington, D.C. (+1 202-955-8287, eising@gibsondunn.com)
James J. Moloney – Orange County (+1 949-451-4343, jmoloney@gibsondunn.com)
Lori Zyskowski – New York (+1 212-351-2309, lzyskowski@gibsondunn.com)

*Mr. Canny is an associate working in the firm’s New York office who is admitted only in Texas.


First published on Thomson Reuters Regulatory Intelligence on 14th November 2022

Transitioning the world to “net zero” is one of the greatest global challenges that all – governments, corporates, investors and individuals – are called to rise up to and commit to deliver. To this end, we are seeing the move globally, across different regulatory regimes, towards increased transparency on the steps being taken by organisations to deliver on efforts to reduce greenhouse gas emissions coupled with a move from voluntary to mandatory climate-related disclosure requirements.

As organisations enhance their efforts to grapple with the challenge of setting and delivering upon their climate related action plans (whether to achieve net zero or carbon neutrality), we have also seen mounting frustration of investors and other stakeholders with the quality of climate-related disclosures being published by issuers resulting, in some cases, in activist actions and litigation. Regulatory bodies are addressing these concerns and now, having set their regulatory expectations, are moving sharply into substantive scrutiny of disclosures and initiating enforcement actions for “greenwashing”.

The UK regulator, the Financial Reporting Council (FRC), whose ambit includes setting the UK’s corporate governance code and supporting (through enhancing the transparency and integrity of corporate reporting) investors and others who rely on company reports, published in October 2022 a Net Zero Disclosures Report. The FRC recognises the desire of many investors and other stakeholders to understand the commitments being made by companies and their abilities to deliver against targets and through this lens has set out in this report guidance for organisations when setting and disclosing their plans to deliver upon their climate related commitments. Selina Sagayam discusses with Thomson Reuters insights from the Report and the key takeaways for organisations who are looking to enhance the quality and breadth of their disclosures of ‘net zero’ commitments.

TRRI’s OpenWeb pages https://regintel-content.thomsonreuters.com/document/I5CEB5A905F6F11EDAD8A97919921B9B4.

For additional information, please contact London partner Selina S. Sagayam (+44 (0) 20 7071 4263, ssagayam@gibsondunn.com).


Originally published in The Hill

The recently released National Security Strategy sets forth the Biden administration’s approach to a changing world at an inflection point, providing a roadmap for the administration and for Congress. The administration’s national security priorities largely echo those of past administrations, but they diverge with their focus on a “modern industrial and innovation strategy” that promises deep use of industrial and economic tools to create a bulwark against autocracies like Russia and China. The resulting message is clear: The administration’s national security goals are inherently tied to, and will necessarily impact, a broad swath of American companies.

Five areas of the strategy stand out for their potential impact on companies.

First, increased investment scrutiny will ensure the Committee on Foreign Investment in the United States (CFIUS), with its expansive authority to review foreign investments, continues to be a prominent national security tool. The strategy also contemplates new outbound investment restrictions, which have been gaining congressional momentum as well. Should “reverse-CFIUS” come into effect, companies will need to transform their outbound investment strategies, planning for increased investment timelines, heightened scrutiny for investments in certain sectors and in certain countries, and potentially restrictions on certain outbound investments deemed to pose national security risk. Further, increased export controls will require companies to reinforce compliance programs and reevaluate offshoring operations. As the Commerce Department’s recent semiconductor restrictions demonstrate, new regulations can quickly reverberate across an industry, in some cases having a material impact.

Second, foreign policy and domestic policy lines blur with the focus on making strategic public investments in strategic sectors and supply chains, especially critical and emerging technologies. New laws, including the CHIPS and Science Act and the Inflation Reduction Act, illustrate the administration’s commitment — and congressional support — for such investments. These investments can be a significant catalyst for technological innovation for the private sector. However, companies will need to be clear on the tradeoffs that such subsidies present, as business decisions may be impacted, such as whether certain operations can be offshored.

Third, the administration’s focus on supply chain integrity and resilience means that companies — especially those in critical technology industries — may leverage this support to further optimize their supply chains and improve resilience. But it also means that in the short-term, as the administration focuses on countering Chinese influence, companies may feel pressure to improve knowledge of their supply chain, identify geographically diverse suppliers, and develop shorter-term, more flexible contracts with suppliers to better adapt to changes in supply chains. Many companies began laying the foundation for improved supply chain resilience with the COVID-19 pandemic. These efforts may need to accelerate, and companies will need to develop a sound business and legal strategy to enable operations relying on complex global supply chains in a fracturing geopolitical environment. The impact of the new semiconductor restrictions underscores supply chain complexity and the need to quickly adapt to changing regulatory requirements to minimize operational impact.

Fourth, securing critical infrastructure and strengthening cybersecurity will significantly impact the private sector, given the commonly cited figure that 85 percent of critical infrastructure is in the private sector. We have seen this start to play out with the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) giving the Cybersecurity and Infrastructure Security Agency (CISA) an increased mandate to develop critical infrastructure cybersecurity regulations, the setting of minimum security standards for federal software use, and recent White House announcements that communications, water and health care sectors are next on the administration’s cyber priority list. Companies in critical infrastructure must not only prepare for incoming cyber regulations, but ensure they properly invest in cybersecurity, adopting a “shields up” posture to defend against attacks perpetrated by a range of threat actors, including Russia.

Finally, the push to develop an inclusive international technology ecosystem likely means companies will need to navigate an increasingly regulated environment. An important prong of “transformative cooperation” with Europe will focus on adequate privacy protections, building on the recent executive order on EU-U.S. data transfers. Practically, this means that companies should ensure transfer impact assessments are updated, evaluate the sufficiency of data transfer mechanisms, and adjust their commercial models as appropriate. There is also likely to be renewed focus on regulation of internet operating standards to ensure that standards governing the internet continue to promote core tenets of democracy, such as free speech.

Top Democrats support the administration’s strategy. Republicans have criticized the strategy. The midterm elections will play a key role in determining the likelihood of translating the strategy into legislative action. If the Democrats retain control of Congress, expect to see more legislative activity. However, if either the House or the Senate flips, then the administration’s national security priorities may not materialize in congressional action. Instead, the administration will likely focus more on executive national security authorities to progress the strategy’s objectives. The recent National Biotechnology and Biomanufacturing Initiative could serve as a blueprint. Regulatory agencies have also been assertive in issuing new regulations to achieve national security goals, such as the recent export control restrictions on advanced semiconductors and supercomputing. But, as Republicans are already calling for a congressional review of the handling of export controls should the House flip, there could be greater scrutiny of regulatory agencies should the Republicans gain control.

Regardless of how events play out on Election Day, the strategy’s focus on industrial and economic tools of national power portends significant impact on companies.

Stephenie Gosnell Handler is a partner in Gibson Dunn’s Washington, D.C. office, where she is a member of the International Trade and Privacy, Cybersecurity and Data Innovation practices. She advises clients on complex legal, regulatory and compliance issues relating to international trade, cybersecurity and technology matters. Handler’s legal advice is deeply informed by her operational cybersecurity and in-house legal experience at McKinsey & Company, as well as by her active-duty service in the U.S. Marine Corps.

Roscoe Jones Jr. is a partner in Gibson, Dunn & Crutcher’s Washington, D.C. office and co-chairs the firm’s Public Policy Group and serves as a core member of the Congressional Investigations practice group. Recognized in 2022 as one of Lawdragon’s “500 Leading Lawyers in America,” Jones has represented companies, nonprofits and individuals in legislative and policy matters before the Congress and executive branch. Jones has almost a decade of Capitol Hill experience advising three U.S. senators and a member of Congress and political experience in the executive branch.

Additional contributors include Michael D. Bopp, Daniel P. Smith*, and Apratim Vidyarhi*.


Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s International Trade or Public Policy practice groups, or the following:

Stephenie Gosnell Handler – Partner, International Trade Group, Washington, D.C. (+1 202-955-8510, shandler@gibsondunn.com)

Roscoe Jones, Jr. – Co-Chair, Public Policy Group, Washington, D.C. (+1 202-887-3530, rjones@gibsondunn.com)

Michael D. Bopp – Co-Chair, Public Policy Group, Washington, D.C. (+1 202-955-8256, mbopp@gibsondunn.com)

*Mr. Smith is admitted only in Illinois and practicing under the supervision of members of the District of Columbia Bar under D.C. App. R. 49. Mr. Vidyarhi is a recent law graduate in the firm’s New York office who is not admitted to practice law.


This quarter marked demonstrable progress toward sector-specific approaches to the regulation of artificial intelligence and machine learning (“AI”).  As the EU continues to inch toward finalizing its draft Artificial Intelligence Act—the landmark, cross-sector regulatory framework for AI/ML technologies—the White House published a “Blueprint for an AI Bill of Rights,” a non-binding set of principles memorializing the Biden administration’s approach to algorithmic regulation.  The AI Bill of Rights joins a number of recent U.S. legislative proposals, both at the federal and state levels,[1] and the Federal Trade Commission’s (“FTC”) Advance Notice of Proposed Rulemaking to solicit input on questions related to potentially harmful data privacy and security practices, including automated decision-making systems.

Our 3Q22 Artificial Intelligence and Automated Systems Legal Update focuses on these regulatory efforts and also examines other policy developments within the U.S. and Europe.

I.  U.S. REGULATORY & POLICY DEVELOPMENTS

A.  AI Bill of Rights

The past several years have seen a number of new algorithmic governance initiatives take shape at the federal level, building on the December 2020 Trustworthy AI Executive Order that outlined nine distinct principles to ensure agencies “design, develop, acquire and use AI in a manner that fosters public trust and confidence while protecting privacy.”[2]

On October 4, 2022—almost a year after announcing its development[3]—the White House Office of Science and Technology Policy (“OSTP”) released a white paper titled “Blueprint for an AI Bill of Rights” intended to guide the design, use, and deployment of automated systems to “protect the American public in the age of artificial intelligence.”[4]  It provides practical guidance to government agencies and a call to action for technology companies, researchers, and civil society to build protections towards human-centric AI that is “designed to proactively protect [people] from harms stemming from unintended, yet foreseeable, uses or impacts of automated systems.”  The Blueprint identifies five non-binding principles to act as a “backstop” in order to minimize potential harms stemming from certain applications of AI:

  • Safe and Effective Systems. To protect individuals from unsafe or ineffective systems, the Blueprint recommends proactive and ongoing consultation with the public and experts, risk identification and mitigation (which includes potentially not deploying a system or removing it from use), oversight mechanisms, and “adherence to domain-specific standards.”  The use of inappropriate, low-quality, or irrelevant data should be avoided, and data the AI system derives from other data should be identified and tracked to avoid feedback loops, compounded harms, and inaccurate results.  AI systems should be subject to independent evaluations and reporting.
  • Algorithmic Discrimination Protections. AI systems should be designed and used in an equitable way and not discriminate on the basis of a characteristic protected by law.  Systems should be subject to proactive equity and disparity assessments, reflect a representative and robust data set used for the development of AI, ensure accessibility for people with disabilities, and guard against the use of non-representative data or proxies that contribute to algorithmic discrimination.  There should be independent evaluation of potential algorithmic discrimination and reporting, including making assessments public “whenever possible.”
  • Data Privacy. Individuals should have agency over how their data is used and should not be subject to surveillance.  To that end, AI systems should process data consistent with data privacy principles, including privacy by design, data minimization, consents for collection, use, access, transfer and deletion of data, and proactively identifying and mitigating privacy risks.  Systems should not use AI for design decisions that “obfuscate user choice or burden users with defaults that are privacy invasive.”  Surveillance and monitoring systems should be subject to heightened oversight, including an assessment of potential harms, and should not be used in contexts such as housing, education, or employment, or where the surveillance would monitor the exercise of democratic rights in a way that limits civil rights and liberties.
  • Notice and Explanation. Designers, developers, and deployers of automated systems should provide generally accessible plain language documentation, including clear descriptions of the overall system functionality and the role automation plays, notice that such systems are in use, the individual or organization responsible for the system, and explanations of outcomes that are clear, timely, and accessible.  Individuals should know how and why an outcome impacting them was determined by an automated system, including when the automated system is not the sole input determining the outcome.  Automated systems should provide explanations that are technically valid, meaningful, useful, and calibrated to the level of risk.
  • Human Alternatives, Consideration, and Fallback. People should be able to opt out of automated systems in favor of a human alternative, where appropriate, with a focus on ensuring broad accessibility and protecting the public from especially harmful impacts.  There must be access to timely human consideration and remedy by a fallback and escalation process.  Automated systems with an intended use within sensitive domains (e.g., criminal justice, employment, education, and health) should additionally be tailored to the purpose, provide meaningful access for oversight, include training for any people interacting with the system, and incorporate human consideration for adverse or high-risk decisions.

The principles apply broadly to “automated systems that … have the potential to meaningfully impact the American public’s rights, opportunities, or access to critical resources or services.”  “Automated systems” are themselves defined very broadly, encompassing essentially any system that makes decisions using computation.[5]  The Blueprint is intended to further the ongoing discussion regarding privacy among federal government stakeholders and the public, but its impact on the private sector is likely to be limited because—unlike the wide-ranging EU AI Act, which is inching towards an implementation date—it lacks prohibitions on AI deployments and details or mechanisms for enforcement.  The Blueprint is accompanied by supporting documentation, including a set of real-life examples and a high-level articulation of how the five principles can “move into practice.”[6]

B.  FTC Rulemaking on “Harmful Commercial Surveillance and Lax Data Security”

On August 11, 2022, the FTC announced an Advance Notice of Proposed Rulemaking (“ANPRM”) to seek public comment on data privacy and security practices (“commercial surveillance”) that harm consumers.[7]  Specifically, the FTC invites comment on “whether it should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies collect, aggregate, protect, use, analyze, and retain consumer data, as well as transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.”[8]

Notably, the ANPRM also solicits public input on algorithmic decision-making, including the prevalence of algorithmic error, discrimination based on protected categories facilitated by algorithmic decision-making systems, and how the FTC should address algorithmic discrimination through the use of proxies.[9]  On September 27, the FTC continued the rulemaking process by hosting a virtual “Commercial Surveillance and Data Security Public Forum” (the “Public Forum”) to gather public feedback on the proposed rulemaking.[10]

The FTC is undertaking this rulemaking under Section 18 of the FTC Act (also known as “Magnuson-Moss”),[11] a lengthy and complicated hybrid rulemaking process that goes beyond the Administrative Procedure Act’s standard notice-and-comment procedures.[12]  In light of these procedural hurdles, any new proposed rules likely will take considerable time to develop.  The ANPRM notes that, if new rules are not forthcoming, the record developed in response to the ANPRM nevertheless will “help to sharpen the Commission’s enforcement work and may inform reform by Congress or other policymakers.”  The inclusion of algorithmic decision-making in the scope of the potential rulemaking underscores the FTC’s continued focus on taking the lead in the regulation of automated systems at the federal level.[13]

C.  National Institute of Standards and Technology (“NIST”)

On August 18, 2022, NIST published and sought comments on a second draft of the NIST Artificial Intelligence Risk Management Framework (“AI RMF”).[14]  The AI RMF, as mandated by Congress, is intended for voluntary use to help incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.[15]  NIST plans to publish the AI RMF in January 2023.  NIST also sought comments on the draft NIST AI RMF Playbook, an online resource providing recommended actions on how to implement the AI RMF.

D.  New York City Artificial Intelligence Law

On September 19, 2022, the New York City Department of Consumer and Worker Protection (“DCWP”) proposed rules in an attempt to clarify numerous ambiguities in New York City’s AI law, which takes effect on January 1, 2023.[16]

New York City’s law will restrict employers from using an automated employment decision tool (“AEDT”) in hiring and promotion decisions unless it has been the subject of a bias audit by an “independent auditor” no more than one year prior to use.[17]  The law also imposes certain posting and notice requirements to applicants and employees.  The DCWP’s proposed rules are currently under consideration and may well invite more questions than answers as uncertainty about the requirements lingers.  The proposed rules attempt to clarify certain key terms, specify the requirements for and provide examples of bias audits, and outline several different ways by which, if passed, employers may provide the advance notice to candidates and employees regarding the use of an AEDT.[18]

A public hearing was held on November 4, 2022, and the record for comments is now closed, but DCWP has not provided a firm date on which the proposed rules will be finalized.  We will continue to monitor further guidance that will emerge as the January 1, 2023 effective date nears.

II.  INTELLECTUAL PROPERTY

A.  Federal Circuit Rules Inventors Must Be Natural Human Beings

On August 11, 2022, the U.S. Court of Appeals for the Federal Circuit affirmed a lower court’s ruling in Thaler v. Vidal that the plain text of the Patent Act requires that inventors must be human beings.[19]  Attorneys for Stephen Thaler, the creator of the AI system “DABUS” (Device for the Autonomous Bootstrapping of Unified Sentience), argued that an AI system that has “created” several inventions should be granted a patent application, and that inventorship requirements should not be a bar to patentability.  The argument followed the U.S. Patent and Trademark Office’s rejection of two DABUS patent applications.  A Virginia federal court affirmed that ruling last year, finding AI cannot be an inventor under U.S. patent law.[20]  The DABUS project has also lodged several unsuccessful test cases in Australia, the EU, and the UK.[21]

III.  EU REGULATORY & POLICY DEVELOPMENTS

A.  AI Act Developments

Following the agreement on a common European AI strategy in 2018, the establishment of a high-level expert group in 2019, and various other publications, including a 2020 White Paper, on April 21, 2021, the EU Commission published its proposal for “the world’s first legal framework on AI”—the EU Artificial Intelligence Act (“AI Act”).[22]  In September 2022, the Czech Presidency of the Council of the European Union published a new proposal and may be on the cusp of finalizing the text for the proposed AI Act.[23]  The recent proposed changes to the draft legislation were relatively minor but notably included narrowing the definition of AI to focus on an AI system’s degree of autonomy and adding a chapter on General Purpose AI (“GPAI”)—large, multipurpose data models—indicating that obligations for these systems will likely be imposed through an implementing act.

The Committee of the Permanent Representatives of the Governments of the Member States to the European Union is expected to approve the final version on November 18, 2022, before ministers in the Transport, Telecommunications and Energy Council sign off on December 6, 2022.[24]

B.  Draft AI Liability Directive and New Draft Product Liability Directive

On September 28, 2022, the European Commission (“EC”) published a set of proposals aiming to modernize the EU’s existing liability regime and adapt it to AI systems, give businesses legal certainty, and harmonize member states’ national liability rules for AI.  The EC had previewed the draft rules in its February 2020 Report on Safety and Liability, emphasizing the specific challenges posed by AI products’ complex, opaque, and autonomous characteristics.[25]  The draft EU AI Act, the AI Liability Directive (“ALD”)[26] and the updated Product Liability Directive (“PLD”)[27] are intended to be complementary[28] and, together, are set to significantly change liability risks for developers, manufacturers and suppliers who place AI-related products on the EU market.[29]

The draft Product Liability Directive (“PLD”) establishes a framework for strict liability for defective products across the EU—including AI systems—meaning claimants need only show that harm resulted from the use of a defective product.  Notably, the mandatory safety requirements set out in the draft AI Act can be taken into account by a court for the purpose of determining whether a product is defective.

The AI Liability Directive (“ALD”), which would apply to fault-based liability regimes in the EU, would create a rebuttable “presumption of causality” against any AI system’s developer, provider, or user, and would make it easier for potential claimants to access information about specific “High-Risk” AI Systems—as defined by the draft EU AI Act.  Of particular significance to companies developing and deploying AI-related products is the new disclosure obligation related to “High-Risk” AI systems, which could potentially require companies to disclose technical documentation, testing data, and risk assessments—subject to safeguards to protect sensitive information, such as trade secrets.  Failure to produce such evidence in response to a court order would permit a court to invoke a presumption of breach of duty.

The PLD and ALD will be subject to review and approval by the European Council and Parliament before taking effect.  Once implemented, Member States will have two years to implement the requirements into local law.  We are monitoring developments closely and stand ready to assist clients with preparing for compliance with the emerging EU AI regulatory framework.

IV.  UK REGULATORY AND POLICY DEVELOPMENTS

A.  UK Unveils Data Reform Bill, Proposes Approach to AI Regulation

On July 18, 2022, the UK government introduced several data reform initiatives aimed at guiding responsible use of data while promoting innovation, and regulating the use of AI.

The Data Protection and Digital Information Bill (“DPDI”),[30] which includes measures to “use AI responsibly while reducing compliance burdens on businesses to boost the economy,” is now facing delays[31] and a new public consultation, but would, if enacted, amend the current rules on data protection and privacy, including AI.  As introduced, DPDI clarifies the circumstances in which organizations can use automated decision-making.  If a decision produces a legal or similarly significant effect for an individual and involves the processing of sensitive “special category” data, it cannot (other than in very specific circumstances) be taken solely on an “automated decision basis” with no “meaningful” human involvement.  Otherwise, automated decision-making systems can be used, subject to safeguards intended to “protect the rights and freedoms of the individual.”  These safeguards include requirements that the organization deploying the automated decision-making system can provide information about the decisions and provide individuals about whom a decision is being made with an opportunity to make representations about the decision, escalate to human intervention, and contest any decisions.

In parallel with the new legislation, the government also released a set of policy initiatives outlining the government’s approach to regulating AI in the UK, reiterating a commitment to sector-specific regulation and a “less centralized approach than the EU.”[32]  Its “AI Action Plan” highlights the UK government’s “focus on supporting growth and avoiding unnecessary barriers being placed on businesses,” emphasizing that the proposal will “allow different regulators to take a tailored approach to the use of AI in a range of settings . . . [which] better reflects the growing use of AI in a range of sectors.”[33]  The guidance sets out six core principles, which require developers and users to: (1) ensure that AI is used safely; (2) ensure that AI is technically secure and functions as designed; (3) make sure that AI is appropriately transparent and explainable; (4) consider fairness; (5) identify a legal person to be responsible for AI; and (6) clarify routes to redress or contestability.

A range of regulators—Ofcom, the Competition and Markets Authority, the Information Commissioner’s Office, the Financial Conduct Authority, and the Medicines and Healthcare products Regulatory Agency—will be asked to interpret and implement the principles and encouraged to consider “lighter touch options which could include guidance and voluntary measures or creating sandboxes.”[34]

B.  UK ICO Publishes Guidance on Privacy Enhancing Technologies

On September 7, 2022, the UK Information Commissioner’s Office (“ICO”) published draft guidance on privacy-enhancing technologies (“PETs”) intended to “help organisations unlock the potential of data by putting a data protection by design approach into practice.”[35]  PETs are technologies that are intended to help organizations share and use people’s data responsibly, lawfully, and securely, including by minimizing the amount of data used and by encrypting or anonymizing personal information.

The ICO’s draft PETs guidance explains the benefits and different types of PETs currently available, as well as how they can help organizations comply with data protection law.  For example, the guidance contains information on the benefits and risks of using synthetic data to train large models.  This guidance forms part of the ICO’s draft guidance on anonymization and pseudonymization, and the ICO is seeking feedback to help refine and improve the final guidance.

_________________________

[1] See, e.g., the American Data Privacy Protection Act (“ADPPA”), which would require certain types of businesses developing and operating AI to undertake risk assessments.  For more details, please see our Artificial Intelligence and Automated Systems Legal Update (2Q22).

[2] For more details, please see President Trump Issues Executive Order on “Maintaining American Leadership in Artificial Intelligence.”

[3] White House, Join the Effort to Create a Bill of Rights for an Automated Society (Nov. 10, 2021), available at https://www.whitehouse.gov/ostp/news-updates/2021/11/10/join-the-effort-to-create-a-bill-of-rights-for-an-automated-society/.

[4] White House, Office for Science and Technology, available at https://www.whitehouse.gov/ostp/ai-bill-of-rights/.

[5] “An “automated system” is any system, software, or process that uses computation as whole or part of a system to determine outcomes, make or aid decisions, inform policy implementation, collect data or observations, or otherwise interact with individuals and/or communities.  Automated systems include, but are not limited to, systems derived from machine learning, statistics, or other data processing or artificial intelligence techniques, and exclude passive computing infrastructure.  “Passive computing infrastructure” is any intermediary technology that does not influence or determine the outcome of decision, make or aid in decisions, inform policy implementation, or collect data or observations, including web hosting, domain registration, networking, caching, data storage, or cybersecurity.  Throughout this framework, automated systems that are considered in scope are only those that have the potential to meaningfully impact individuals’ or communities’ rights, opportunities, or access.”  See The White House, OSTP, Blueprint for an AI Bill of Rights, Definitions, https://www.whitehouse.gov/ostp/ai-bill-of-rights/definitions/.

[6] The White House, OSTP, Blueprint for an AI Bill of Rights, From Principles to Practice, https://www.whitehouse.gov/ostp/ai-bill-of-rights/safe-and-effective-systems-3/.

[7] Federal Register, Trade Regulation Rule on Commercial Surveillance and Data Security, https://www.federalregister.gov/documents/2022/08/22/2022-17752/trade-regulation-rule-on-commercial-surveillance-and-data-security.

[8] Id.

[9] Public comments are available at https://www.federalregister.gov/documents/2022/08/22/2022-17752/trade-regulation-rule-on-commercial-surveillance-and-data-security.

[10] For more details, please see FTC Launches Commercial Surveillance and Data Security Rulemaking, Holds a Public Forum, and Seeks Public Input.

[11] Magnuson-Moss Warranty Federal Trade Commission Improvement Act, 15 U.S.C. § 57a(a)(1)(B).

[12] The FTC may promulgate a trade regulation rule to define acts or practices as unfair or deceptive “only where it has reason to believe that the unfair or deceptive acts or practices which are the subject of the proposed rulemaking are prevalent.”  The FTC may make a determination that unfair or deceptive acts or practices are prevalent only if: “(A) it has issued cease and desist orders regarding such acts or practices, or (B) any other information available to the Commission indicates a widespread pattern of unfair or deceptive acts or practices.”  That means that the agency must show (1) the prevalence of the practices, (2) how they are unfair or deceptive, and (3) the economic effect of the rule, including on small businesses and consumers.

[13] For more detail on the FTC’s activities in this space, please see our 2021 Artificial Intelligence and Automated Systems Annual Legal Review.

[14] NIST Seeks Comments on AI Risk Management Framework Guidance, Workshop Date Set, https://www.nist.gov/news-events/news/2022/08/nist-seeks-comments-ai-risk-management-framework-guidance-workshop-date-set; NIST, AI Risk Management Framework: Second Draft, https://www.nist.gov/system/files/documents/2022/08/18/AI_RMF_2nd_draft.pdf.

[15] NIST Risk Management Framework, https://www.nist.gov/itl/ai-risk-management-framework.

[16] NYC Dep’t Consumer & Worker Prot., Notice of Public Hearing and Opportunity to Comment on Proposed Rules, https://rules.cityofnewyork.us/wp-content/uploads/2022/09/DCWP-NOH-AEDTs-1.pdf.

[17] For more details, please see Gibson Dunn’s New York City Enacts Law Restricting Use of Artificial Intelligence in Employment Decisions.

[18] For more details regarding the proposed rules, please see Gibson Dunn’s New York City Proposes Rules to Clarify Upcoming Artificial Intelligence Law for Employers.

[19] Thaler v. Vidal, 43 F.4th 1207 (Fed. Cir. 2022).

[20] Thaler v. Hirshfeld, 558 F. Supp. 3d 238 (E.D. Va. 2021).

[21] See, e.g., 2021 Artificial Intelligence and Automated Systems Annual Legal Review.

[22] For more details, please see 2021 Artificial Intelligence and Automated Systems Annual Legal Review.

[23] Euractiv, AI Act: Czech EU presidency makes final tweaks ahead of ambassadors’ approval (Nov. 4, 2022), https://www.euractiv.com/section/digital/news/ai-act-czech-eu-presidency-makes-final-tweaks-ahead-of-ambassadors-approval/.

[24] Euractiv, Last-minute changes to EU Council’s AI Act text ahead of general approach (Nov. 14, 2022), available at https://www.euractiv.com/section/digital/news/last-minute-changes-to-eu-councils-ai-act-text-ahead-of-general-approach/.

[25] EC, Report on the safety and liability implications of Artificial Intelligence, the Internet of Things and robotics, COM(2020) 64 (Feb. 19, 2020), available at https://ec.europa.eu/info/files/commission-report-safety-and-liability-implications-ai-internet-things-and-robotics_en; see also European Commission, Questions & Answers: AI Liability Directive, available at https://ec.europa.eu/commission/presscorner/detail/en/QANDA_22_5793 (“Current national liability rules are not equipped to handle claims for damage caused by AI-enabled products and services. In fault-based liability claims, the victim has to identify whom to sue, and explain in detail the fault, the damage, and the causal link between the two. This is not always easy to do, particularly when AI is involved. Systems can oftentimes be complex, opaque and autonomous, making it excessively difficult, if not impossible, for the victim to meet this burden of proof.”).

[26] European Commission, Proposal for a Directive on adapting non contractual civil liability rules to artificial intelligence (Sept. 28, 2022), available at https://ec.europa.eu/info/files/proposal-directive-adapting-non-contractual-civil-liability-rules-artificial-intelligence_en.

[27] European Commission, Proposal for a directive of the European Parliament and of the Council on liability for defective products (Sept. 28, 2022), available at https://single-market-economy.ec.europa.eu/document/3193da9a-cecb-44ad-9a9c-7b6b23220bcd_en.

[28] The AI Liability Directive uses the same definitions as the AI Act, keeps the distinction between high-risk/non-high risk AI, recognizes the documentation and transparency requirements of the AI Act by making them operational for liability through the right to disclosure of information, and incentivizes providers/users of AI-systems to comply with their obligations under the AI Act.

[29] European Commission, Questions & Answers: AI Liability Directive, available at https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_5793 (“Together with the revised Product Liability Directive, the new rules will promote trust in AI by ensuring that victims are effectively compensated if damage occurs, despite the preventive requirements of the AI Act and other safety rules.”).

[30] Data Protection and Digital Information Bill, available at https://publications.parliament.uk/pa/bills/cbill/58-03/0143/220143.pdf.

[31] Spencer, M. (2022, September 5). Business Statement [Hansard]. (Vol. 719), available at https://hansard.parliament.uk/commons/2022-09-05/debates/FB4997E6-14A2-4F25-9472-E2EE7F00778A/BusinessStatement (“the Government will not move the Second Reading and other motions relating to the Data Protection and Digital Information Bill today to allow Ministers to consider the legislation further”).

[32] Gov.UK, Press Release, UK sets out proposals for new AI rulebook to unleash innovation and boost public trust in the technology, available at https://www.gov.uk/government/news/uk-sets-out-proposals-for-new-ai-rulebook-to-unleash-innovation-and-boost-public-trust-in-the-technology.

[33] Id.

[34] Id.

[35] ICO, ICO publishes guidance on privacy enhancing technologies (Sept. 7, 2022), available at https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/09/ico-publishes-guidance-on-privacy-enhancing-technologies/. See also https://ico.org.uk/media/about-the-ico/consultations/4021464/chapter-5-anonymisation-pets.pdf.


The following Gibson Dunn lawyers prepared this client update: H. Mark Lyon, Frances Waldmann, and Emily Lamm.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments.  Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Artificial Intelligence and Automated Systems Group, or the following authors:

H. Mark Lyon – Palo Alto (+1 650-849-5307, mlyon@gibsondunn.com)
Frances A. Waldmann – Los Angeles (+1 213-229-7914, fwaldmann@gibsondunn.com)



A proposed rule published in the Federal Register on November 14, 2022 would amend the Federal Acquisition Regulation (FAR) to require certain Federal contractors to provide data regarding their greenhouse gas (GHG) emissions and climate-based financial risks, and to establish “science-based targets” for reducing their GHG emissions.[1] The proposed rule implements President Biden’s May 20, 2021 Executive Order (EO) 14030, Climate-Related Financial Risk, which directed the FAR Council to consider amending the FAR to “require major Federal suppliers to publicly disclose greenhouse gas emissions and climate-related financial risk and to set science-based reduction targets.”[2]  The comment period for the proposed rule is open until January 13, 2023.

The FAR Council’s proposed rule would significantly expand the GHG reporting obligations for federal contractors, and reflects the Biden Administration’s “whole of government” approach to addressing climate change. The preamble to the proposed rule notes, for example, similarities the proposal bears to the Securities and Exchange Commission’s March 21, 2022 proposal to impose climate-related disclosure requirements on U.S. public companies and foreign private issuers.[3]  Like the SEC’s proposed rule, which has been controversial, the proposed amendment to the FAR aims to standardize the disclosure of climate-related financial risks and leverage existing standards, such as those of the Task Force on Climate-Related Financial Disclosures (TCFD).[4] Unlike the SEC’s proposed rule, the proposed FAR amendment requires certain companies to establish emissions reduction targets, although the SEC did propose that registrants disclose such targets if they have them.[5]

The FAR Council’s proposed GHG reporting rule would apply to “significant contractors,” defined as contractors that received at least $7.5 million, but less than $50 million, in Federal contract obligations during the prior fiscal year, and “major contractors,” defined as contractors that received more than $50 million in Federal contract obligations during the prior fiscal year.[6] The proposed rule articulates baseline compliance requirements that would apply to both significant contractors and major contractors, as well as additional compliance requirements that would apply to major contractors only.[7] The baseline compliance requirements would begin one year after the publication of a final rule, while major contractors would have two years from the publication of a final rule to come into compliance with their additional reporting obligations.[8] Overall, the FAR Council’s proposed rule would (1) create a new FAR subpart at 23.XX, “Public Disclosure of Climate Information,” that would outline annual climate-related inventory and disclosure requirements for certain contractors, (2) amend existing annual climate-related representations in certain FAR solicitation clauses, and (3) amend the standard of responsibility for prospective significant and major contractors such that they are presumed to be nonresponsible if they have not complied with the new GHG disclosure requirements described in subpart 23.XX, unless “the noncompliance resulted from circumstances properly beyond the prospective contractor’s control,” they have “provided documentation sufficient for purposes of award that demonstrates substantial efforts taken to comply” with the requirements, they have “made a public commitment to comply as soon as possible (within [one] calendar year) on a publicly accessible website,” or a valid exception, exemption, or waiver applies.[9]

The disclosure scheme outlined in the FAR Council’s proposed rule represents a substantial expansion of the FAR’s current GHG-related provisions. Promulgated in 2016, FAR 23.802(d) currently requires only that contractors that receive $7.5 million or more in Federal contract obligations in a fiscal year represent whether they publicly disclose their GHG emissions and quantitative GHG emissions reduction goals.[10] While the current GHG-related provisions were promulgated to “assist agencies in developing strategies to engage with offerors to reduce supply chain emissions,”[11] the FAR Council now appears prepared to make affirmative use of the information it collects from contractors regarding their GHG emissions, stating in the preamble to the proposed rule that its purpose is to “ensure major Federal suppliers make the required disclosures and set targets to reduce their GHG emissions.”[12] As outlined in Section 23.XX03, the proposed rule would require a significant or major contractor, itself or through its immediate owner or highest-level owner, to complete an annual GHG inventory of its Scope 1 emissions, which are “emissions from sources that are owned or controlled” by the contractor, and its Scope 2 emissions, which “include GHG emissions associated with the generation of electricity, heating and cooling, or steam” purchased by the contractor but produced elsewhere.[13] The proposed rule also directs a significant contractor or major contractor to disclose its total Scope 1 and Scope 2 emissions in the Federal Government’s System for Award Management (SAM) each year.[14]

In addition to the requirements that apply to both significant and major contractors, the FAR Council’s proposed rule would require a major contractor to complete an “annual climate disclosure,” which is “a set of disclosures by an entity that aligns with recommendations of the TCFD,” and to publish the disclosure on a publicly accessible website.[15] The proposal states that the TCFD annual climate disclosure “includes a GHG inventory of not only Scope 1 and Scope 2 emissions, but also relevant Scope 3 emissions, which are emissions [(other than Scope 2 emissions)] that are a consequence of the operations of the reporting entity but occur at sources other than those owned or controlled by the entity.”[16] Additionally, the TCFD framework calls for the annual climate disclosure to  “describe[] the entity’s climate risk assessment process and any risks identified.”[17]

The proposed rule would also require major contractors to develop “science-based targets” for GHG emission reductions.[18] A “science-based target” is an emissions reduction target that is consistent with the goals of the 2015 Paris Agreement, namely, “to limit global warming to well below 2°C above pre-industrial levels and pursue efforts to limit warming to 1.5°C.”[19] Under the proposed rule, the science-based targets developed by major contractors must have been validated by the Science-Based Targets Initiative (SBTi) within the last five calendar years, and the major contractors must publish the targets on publicly accessible websites.[20]

The proposed rule indicates that the Government would enforce these new requirements by instructing contracting offerors “to treat a prospective contractor that is a significant or major contractor as nonresponsible under [FAR] 9.104-3(e),” unless the prospective contractor satisfies its GHG inventory and reporting obligations.[21] Only contractors deemed responsible are eligible to receive Federal Government contracts or subcontracts.[22] However, the proposed rule also provides for the issuance of exemptions from, and waivers to, the procedures for determining a contractor’s responsibility, outlined at Section 23.XX05, and the corresponding new responsibility standards at FAR 9.104-3(e), under certain circumstances.[23]

The FAR Council’s proposed rule is representative of the Biden Administration’s willingness to use the federal procurement process to address cross-cutting policy issues like climate change. For example, we have previously written about the Biden Administration’s mandate that federal contractor employees be vaccinated against COVID-19,[24] an initiative that was first announced in EO 14042 of September 9, 2021 to “promote[] economy and efficiency in Federal procurement.”[25]  That mandate drew a number of legal challenges, including one that resulted in a decision by the U.S. Court of Appeals for the Eleventh Circuit that upheld a district court preliminary injunction blocking the implementation of the contractor vaccine mandate, but that narrowed the injunction’s scope to limit it to contracts with the specific plaintiffs in that case (Georgia, Alabama, Idaho, Kansas, South Carolina, Utah, West Virginia, and a construction trade group).[26] It remains to be seen how the federal contractor community will respond to the FAR Council’s GHG reporting rule in the notice and comment process, and whether the final rule will spark litigation.

As noted, the comment period for the FAR Council’s proposed rule runs through January 13, 2023.

_____________________________

[1] See generally Federal Acquisition Regulation: Disclosure of Greenhouse Gas Emissions and Climate-Related Financial Risk, 87 Fed. Reg. 68312 (Nov. 14, 2022) (to be codified at 48 C.F.R. pts. 1, 4, 9, 23, and 52).

[2] Executive Order 14030 of May 20, 2021: Climate-Related Financial Risk, 86 Fed. Reg. 27967 (May 25, 2021).

[3] Federal Acquisition Regulation: Disclosure of Greenhouse Gas Emissions and Climate-Related Financial Risk, 87 Fed. Reg. at 68312; see also The Enhancement and Standardization of Climate-Related Disclosures for Investors, 87 Fed. Reg. 21334 (Apr. 11, 2022) (to be codified at 17 C.F.R. pts. 210, 229, 232, 239, and 249).

[4] Federal Acquisition Regulation: Disclosure of Greenhouse Gas Emissions and Climate-Related Financial Risk, 87 Fed. Reg. at 68312.

[5] Id.

[6] Id. at 68313.

[7] Id. at 68329.

[8] Id. at 68316.

[9] Id. at 68327.

[10] 48 C.F.R. § 23.802(d).

[11] Federal Acquisition Regulation: Public Disclosure of Greenhouse Gas Emissions and Reduction Goals—Representation, 81 Fed. Reg. 83092 (Nov. 18, 2016) (to be codified at 48 C.F.R. pts. 1, 4, 23, and 52).

[12] Federal Acquisition Regulation: Disclosure of Greenhouse Gas Emissions and Climate-Related Financial Risk, 87 Fed. Reg. at 68312.

[13] Id. at 68313, 68329.

[14] Id. at 68329.

[15] Id. at 68313-14, 68329.

[16] Id. at 68314.

[17] Id.

[18] Id.

[19] Id.

[20] Id. at 68329.

[21] Id.

[22] 48 C.F.R. § 9.103(a) (“Purchases shall be made from, and contracts shall be awarded to, responsible prospective contractors only.”)

[23] Federal Acquisition Regulation: Disclosure of Greenhouse Gas Emissions and Climate-Related Financial Risk, 87 Fed. Reg. at 68316.

[24] Eugene Scalia et al., President Biden Announces COVID-19 Vaccine Mandates, with Legal Challenges Likely to Follow, Gibson Dunn (Sept. 10, 2021), https://www.gibsondunn.com/president-biden-announces-covid-19-vaccine-mandates-with-legal-challenges-likely-to-follow/.

[25] Executive Order 14042 of September 9, 2021: Ensuring Adequate Safety Protocols for Federal Contractors, 86 Fed. Reg. 50985 (Sept. 14, 2021).

[26] Georgia v. Pres. of the U.S., 46 F.4th 1283 (11th Cir. 2022).


The following Gibson Dunn attorneys assisted in preparing this client update: Eugene Scalia, Lindsay M. Paulin, Rachel Levick, and Nick Perry.


© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

This course covers the rise of nationwide injunctions and their effect on public perception of the judicial system. We discuss the differentiation between nationwide injunctions in private law cases and public law cases, and take a deeper look into the arguments both for and against nationwide injunctions. Finally, we address the increase in appellate skepticism and proposals for reform.

Topics discussed:

  • The rise of nationwide injunctions
  • Nationwide injunctions in private law cases
  • Nationwide injunctions in public law cases
  • Arguments for and against nationwide injunctions
  • Increased appellate skepticism and proposals for reform


PANELISTS:

Gregg Costa is a partner in the Houston office of Gibson, Dunn & Crutcher and co-chair of the firm’s Global Trial Practice Group. Mr. Costa previously served on the U.S. Court of Appeals for the Fifth Circuit from 2014 to 2022, following his nomination by President Obama and confirmation by the U.S. Senate with a vote of 97-0. His broad experience – having handled complex civil and criminal matters, at trial and on appeal, as advocate and judge – allows him to offer invaluable skills and strategic insights.

Collin Cox is a partner in the Houston office of Gibson, Dunn & Crutcher, where he represents plaintiffs and defendants in high-stakes commercial cases. He has been a lead trial lawyer in computer software trade secrets cases, several actions related to the Bernard L. Madoff fraud, royalty disputes, patent litigation, and other business crisis situations. He continues to be one of the youngest trial lawyers in Texas to receive band ranking recognition in commercial litigation from Chambers USA.

Miguel A. Estrada is a partner in the Washington, D.C. office of Gibson, Dunn & Crutcher, where he represents clients before federal and state courts on a broad range of matters and has also argued 24 cases before the United States Supreme Court. Mr. Estrada is the lead appellate counsel in two securities-fraud appeals from jury verdicts that are currently pending in the Second Circuit. From 2014-2022, Chambers & Partners has named him as one of a handful of attorneys that it ranked in the top tier among the nation’s leading appellate lawyers.


MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1 credit hour, of which 1 credit hour may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit.

Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact CLE@gibsondunn.com to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1 hour.

California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.

On November 9, 2022, the New York Department of Financial Services (“DFS”) announced proposed amendments (“Proposed Amendments”) to DFS’ Part 500 Cybersecurity Rules (the “Cybersecurity Rules”).  The Proposed Amendments reflect a revised set of amendments based on the draft Part 500 amendments released on July 29, 2022 (“Draft Amendments”).  The initial Draft Amendments were covered in our prior alert.  The Proposed Amendments continue to reinforce DFS’ forward-leaning, “catalytic” role in strengthening cybersecurity practices, but reflect that DFS did consider the comments received in response to the Draft Amendments as they clarify certain security requirements, strengthen some requirements to protect consumers and covered entities, and soften others to make them more closely aligned with industry standards and better account for public concerns.

We highlight seven key takeaways of the Proposed Amendments:

  • Continue the Draft Amendments’ stringent 72-hour and 24-hour notification requirements—and add new provisions that would require covered entities to (i) notify DFS within 72 hours if affected by a third-party service provider cybersecurity event, and (ii) respond within 90 days to any requests by DFS in connection with DFS’ investigation of the cybersecurity event;
  • Modify the definition of Class A companies, likely reducing the scope of those subject to heightened requirements;
  • Soften some of the increased requirements on boards and senior management;
  • Ease the heightened requirements for incident preparedness and operational resilience;
  • Adjust certain technical requirements and their implementation timelines to be less aggressive;
  • Expand requirements for risk assessments; and
  • Reinforce new enforcement considerations.

We discuss each in turn below.

  1. Even More Stringent Notification Obligations

The Draft Amendments previously proposed new, more stringent, cybersecurity event notification obligations, including:

  • Requiring notification to DFS within 72 hours of unauthorized access to privileged accounts or the deployment of ransomware within a material part of a covered entity’s information systems; and
  • Imposing a new 24-hour notification obligation in the event a ransom payment is made and a 30-day requirement to provide a written description of why the payment was necessary, alternatives considered, and sanctions diligence conducted.

The Proposed Amendments maintain these tight timetables, as well as add other obligations for incident notification, which reinforces DFS’ desire to be promptly kept informed about cybersecurity events at covered entities.  These additional obligations include:

  • Requiring covered entities to provide DFS with any information requested regarding the investigation of the notified cybersecurity event within 90 days; and
  • Requiring covered entities affected by a cybersecurity event at a third-party service provider to notify DFS within 72 hours from the time the covered entity becomes aware of the event.

  2. Revised Definition of “Class A” Companies with Heightened Requirements

The Draft Amendments increased cybersecurity obligations for a newly defined group of larger DFS covered entities, termed “Class A companies.”  Although some requirements were removed or altered under the Proposed Amendments, the heightened requirements on this class of covered entities under the Draft Amendments included requirements to:

  • Conduct weekly systematic scans or reviews reasonably designed to identify publicly known cybersecurity vulnerabilities and document and report any material gaps in testing to the board and senior management;
  • Implement an endpoint detection and response solution to monitor anomalous activity and a solution that centralizes logging and security event alerting;
  • Monitor privileged access activity and implement a password vaulting solution for privileged accounts and an automated method of blocking commonly used passwords;
  • Conduct an annual, independent audit of their cybersecurity programs; and
  • Use external experts to conduct a risk assessment at least once every three years.

After considering public comments, DFS modified its proposed scope for the new category of “Class A companies,” likely reducing the number of covered entities that would fall within this definition.  The new definition for Class A companies under the Proposed Amendments includes covered entities with:

  • In-state gross annual revenue of $20 million in each of the last two fiscal years from business operations of the covered entity and its affiliates, and that have:
    • averaged over 2,000 employees over the last two fiscal years; or
    • over $1 billion in gross annual revenue in each of the last two fiscal years.

While this is a broad definition that will still cover a large number of entities, it is a material narrowing of the Draft Amendments, which would have covered any entity with over 2,000 employees or companies with a three-year average of over $1 billion in gross annual revenue.  Notably, the changes in the Proposed Amendments may result in excluding from the Class A definition certain covered entities that have a small presence in New York, and also shift the Draft Amendments’ focus on gross annual revenues averaged over three years.

Under the Draft Amendments, Class A companies were required to conduct weekly systematic scans or reviews with respect to vulnerability assessments.  The Proposed Amendments remove this requirement, instead requiring covered entities more broadly to have a monitoring process that ensures prompt notification of any new security vulnerabilities.  The Proposed Amendments also revise certain technical and audit requirements included in the Draft Amendments for Class A companies, requiring:

  • A privileged access management solution along with an automated method of blocking commonly used passwords, or a reasonable equivalent of such blocking if approved annually by the CISO and if there is a reasonably equivalent or more secure compensating control; and
  • Independent audits to be conducted by external auditors, modifying the initial proposal that an internal auditor would suffice, and thereby reducing flexibility on how such audits should be conducted.

  3. Softened Increased Obligations on Company Governing Bodies

Under the Proposed Amendments, DFS re-commits to its focus on the accountability of boards and senior management, but softens and removes some of the previously proposed obligations. These revised obligations:

  • Continue to require that the CISO has adequate authority and now also the “ability to direct sufficient resources to implement and maintain a cybersecurity program” (notably, the Proposed Amendments remove the Draft Amendments’ requirement for adequate “independence”);
  • Only require that the CISO’s annual board reports consider certain factors (i.e., the confidentiality of nonpublic information and the integrity and security of the covered entity’s information systems, the covered entity’s cybersecurity policies and procedures, plans for remediating material inadequacies, etc.) in the report, but no longer require those factors be expressly addressed;
  • Remove the obligation included in the Draft Amendments that the CISO review the feasibility of encryption of nonpublic information at rest and the effectiveness of compensating controls annually;
  • Change the obligation that both the CEO and CISO sign an annual certification or acknowledgement of noncompliance to a requirement that the “highest-ranking executive” and the CISO sign—the Proposed Amendments now also require that such certification or acknowledgement include remediation plans and a timeline for their implementation; and
  • Clarify that the role of the board (or its equivalent or the appropriate committee) shall also include exercising oversight of and providing direction to management on cybersecurity risk management.

These changes in the Proposed Amendments help clarify some ambiguities. For example, changing the obligation for signing certifications or acknowledgements of noncompliance to the CISO and the “highest-ranking executive” clarifies that all companies, even those without a CEO, are required to have and sign annual certifications or acknowledgements of noncompliance.

  4. Eased Expanded Requirements for Incident Response and Operational Resilience

The Draft Amendments expanded measures requiring covered entities to have written plans for business continuity and disaster recovery (“BCDR”), including requiring certain measures to mitigate disruptive events.  DFS also increased its requirements for incident response plans (“IRPs”) in the Draft Amendments, requiring certain additional content requirements for IRPs, such as clearly defined roles.  These requirements for BCDR and IRPs have remained largely the same in the Proposed Amendments, with a few practical changes.  Specifically, the Proposed Amendments:

  • Remove the Draft Amendments’ requirement that covered entities provide relevant personnel with copies of the IRPs and BCDR plans and maintain these plans “offsite,” instead requiring only that these plans be distributed to or otherwise accessible to relevant personnel; and
  • Replace the requirement that backups be “isolated from network connections” with a requirement that backups be “adequately protected from unauthorized alterations or destruction.”

Practically implemented, there may not be a significant difference concerning the changes to distribution of the IRPs and BCDR plans, as the Proposed Amendments require that the plans be accessible during a cybersecurity event, but the revised requirement will afford more flexibility for covered entities to develop an approach most effective for them.  Further, in the Proposed Amendments, training is still required for personnel involved in implementing the plans, as are incident response and BCDR exercises, which are required at least annually.  However, the change to the requirement concerning backups is a significant technical change that will reduce the burden of compliance for many covered entities that do not have backups fully isolated from network connections.

  5. Modified Enhanced Technology and Policy Requirements

The Proposed Amendments make significant changes to the strengthened technical and written policy requirements proposed by the Draft Amendments. Changes to technical requirements—focused on penetration testing, vulnerability management, and access controls—include:

  • Requiring user access privileges for privileged accounts be reviewed at least annually and terminated upon employee departures, supplementing the Draft Amendments’ requirements (i.e., that privileged accounts have multi-factor authentication and be limited to only users who need it to perform their job and when performing functions requiring such access);
  • Clarifying that penetration testing should be conducted both inside and outside the covered entity’s information systems’ boundaries and can be conducted by a qualified internal or external independent party;
  • Replacing the Draft Amendments’ exception to multi-factor authentication for service accounts with an exception where the CISO approves a reasonably equivalent or more secure control, and otherwise requiring multi-factor authentication for: (i) remote access to the covered entity’s information systems, (ii) remote access to third-party applications from which nonpublic information is accessible, and (iii) all privileged accounts; and
  • Replacing the Draft Amendments’ requirement for “strong, unique passwords” with a requirement to implement a “written password policy that meets industry standards.”

Many of these revisions, such as allowing the CISO to approve reasonably equivalent controls to replace multi-factor authentication, provide covered entities with more flexibility in achieving compliance with these regulations.

Amendments focused on covered entities’ written policies include:

  • Replacing the Draft Amendments’ requirement for “strong, unique passwords” with a requirement to implement a “written password policy that meets industry standards”;
  • Removing the requirement that covered entities’ written policies and procedures include all information systems and their components, such as hardware, operating systems, applications, infrastructure devices, APIs, and cloud services;
  • Requiring that the covered entity’s cybersecurity policies, based on its risk assessment, additionally cover data retention, systems and network monitoring, security awareness and training, systems and application security, and incident notification;
  • Requiring that incident response plans include measures to investigate, in addition to mitigate, disruptive events;
  • Requiring that cybersecurity awareness training be conducted annually, at a minimum, and cover social engineering exercises rather than just “phishing training”; and
  • Requiring that the senior officers and the “highest-ranking executive,” rather than the CEO, of the covered entity revise the incident response plan as necessary.

These measures provide important clarification for covered entities.  Certain measures, such as allowing for a written password policy that meets industry standards, also demonstrate DFS’ consideration of industry best practices in revising these regulations.

  6. Additional Requirements for Risk Assessments

The Draft Amendments expanded the requirements for and definition of “risk assessments.”  These changes have been maintained in the Proposed Amendments.  The Draft Amendments required that covered entities review and update risk assessments annually and conduct impact assessments whenever a change in the business or technology causes a material change to the covered entity’s cyber risk.  The requirement for impact assessments has since been removed, so covered entities now only have to review and update risk assessments annually and whenever such a change in business or technology occurs.

The Proposed Amendments also add a requirement that covered entities’ written policies and procedures for vulnerability management mandate automated scans of information systems and a manual review of systems not covered by such scans to identify vulnerabilities.  The frequency of these scans and reviews is to be determined by the risk assessment and where there are any major system changes.

  7. Reinforced New Enforcement Considerations

The Draft Amendments contained two significant provisions regarding the enforcement of the Cybersecurity Rules, specifically that:

  • Violations occur when a covered entity commits any act prohibited by the regulations or fails to satisfy a required obligation, which includes failing to: (i) comply for more than 24 hours with any part of the regulations, or (ii) prevent unauthorized access to nonpublic information due to noncompliance with the regulations; and
  • DFS may consider certain aggravating and mitigating factors when assessing the severity of penalties, for example: cooperation, prior violations, provision of false or misleading information, harm to customers, etc.

The Proposed Amendments do not materially change these requirements.

Next Steps

The Proposed Amendments illustrate DFS’ stated commitment to ensuring the Cybersecurity Rules continue to “keep[] pace with new threats and technology purpose-built to steal data or inflict harm,” as Superintendent Adrienne Harris stated in announcing the Proposed Amendments.  The publication of the Proposed Amendments triggered a 60-day comment period that will end on January 9, 2023.  Covered entities who have views on the proposed changes to the DFS Cybersecurity Rules should consider submitting comments.  The Proposed Amendments demonstrate that DFS took into account prior comments as part of their “data-driven approach to amending the regulation to ensure that regulated entities address new and increasing cybersecurity threats with the most effective controls and best practices to protect consumers and businesses.”  Following this comment period, DFS will review submitted comments and decide whether to re-propose revised amendments or adopt the Proposed Amendments as final regulations.

Covered entities should assess their cybersecurity practices to ensure they have adequate controls in place to comply with these anticipated regulatory changes.  We are available to assist in those efforts and will continue to monitor and report on developments during and after the comment period.


This alert was prepared by Alexander Southwell, Stephenie Gosnell Handler, Vivek Mohan, Amanda Aycock, Snezhana Stadnik Tapia, Terry Wong, and Ruby Lang.
